Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-22 12:19:15 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target Software Developers and Firms in Espionage Campaign | North Korean threat actors are impersonating both job recruiters and job seekers to distribute malware and infiltrate organizations worldwide.
Palo Alto Networks' Unit 42 tracks the two campaigns as Contagious Interview and Wagemole; their goals span cryptocurrency theft, espionage, and revenue generation.
In Contagious Interview, the actors pose as employers and use fake job interviews to get software developers to run malware, aiming to steal cryptocurrency and stage follow-on attacks.
In Wagemole, they pose instead as job candidates, hosting resumes with forged identities on GitHub to obtain employment and conduct espionage from inside the hiring organization.
Contagious Interview delivers two newly identified cross-platform malware families, BeaverTail and InvisibleFerret, which run on Windows, Linux, and macOS, steal information, and give the operators remote control.
Overlaps with earlier North Korean operations, including Operation Dream Job and Sapphire Sleet, point to a consistent strategy of job-themed social engineering.
The activity fits broader North Korean efforts to evade sanctions by placing skilled IT workers abroad and channeling their earnings into state weapons programs.
A U.S. government advisory has already warned that North Korea uses remote IT worker employment to fund those programs, underscoring the risk to businesses worldwide. | Details |
| 2023-11-22 11:12:44 | thehackernews | DATA BREACH | Managing AI Tool Integration to Prevent SaaS Security Risks | Employees are adopting AI tools such as ChatGPT quickly and with little oversight; the productivity gains come with security risks.
Security teams are under pressure to approve AI tools rapidly, without proper security assessment, which can open the door to data breaches.
Indie AI apps, popular for their freemium models, typically have weaker security controls, making them attractive targets for attackers.
Integrations between AI tools and enterprise SaaS platforms can give a threat actor who compromises the AI app a path to sensitive company data.
The article cites the CircleCI breach, where a delay in spotting suspicious activity allowed the incident to escalate into a significant data breach.
The recommended response is due diligence on vendors, updated application and data policies, and regular employee training.
Vendor assessments of indie AI tools should scrutinize both their security posture and their data privacy compliance.
Open communication between security teams and business units is essential to keeping SaaS secure as AI adoption accelerates. | Details |
| 2023-11-22 11:02:17 | theregister | MISCELLANEOUS | Evaluating Microsoft's Decade of Bug Bounties: Impact and Insights | Microsoft's bug bounty program turns ten, having paid $63 million to researchers, most of it in the last five years.
Aanchal Gupta, Microsoft's deputy CISO, recalls early internal resistance but stresses the program's value in finding bugs before release.
Recent expansion has brought higher rewards, with $13 million paid to researchers in a single year, and new award categories covering the most serious risks.
Katie Moussouris, who led the push to create the program, reflects on standing up bug bounties despite initial corporate reluctance.
Moussouris stresses that bug bounties are a financial incentive, not a substitute for a secure software development process.
She calls for a "concrete feedback loop" from bounty findings back into the secure development life cycle, and for metrics more meaningful than cash paid out.
The article questions how much bug bounty programs actually deliver, arguing that prevention and rapid vulnerability response deserve more attention. | Details |
| 2023-11-22 10:21:16 | theregister | DATA BREACH | UK Toughens Rules on Cookie Consent for Websites | The UK Information Commissioner's Office (ICO) is demanding that website operators make rejecting cookies as easy as accepting them.
The ICO is targeting advertising cookies: users must be given a clear choice, and those who reject cookies must still get the site, with non-personalized ads.
The ICO has issued guidance against design patterns that nudge users into handing over more personal data than they intend.
Companies have 30 days to bring their consent banners into line with data protection law or face enforcement action and possible financial penalties.
Non-compliant organizations can be fined up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
The ICO's criticism of current cookie banners centers on one principle: opting out must be as easy as opting in.
This position aligns with EU rules requiring clear consent choices for cookies, despite UK proposals in 2022 to move to an opt-out model. | Details |
| 2023-11-22 07:17:41 | thehackernews | MALWARE | Atomic Stealer Malware Targets Macs Through Fake Browser Updates | ClearFake, a fake browser update campaign previously seen only against Windows, has expanded to macOS, where it delivers the Atomic Stealer (AMOS) malware.
Malwarebytes reports that the ClearFake lures now push Atomic Stealer to Mac users.
ClearFake, a relatively new distribution operation, uses compromised WordPress sites to display fraudulent browser update prompts.
Atomic Stealer is a macOS stealer sold for $1,000 per month; it harvests data from web browsers and cryptocurrency wallets.
Fake browser update themes have been used by several distributors to spread a range of malware; ClearFake's Mac targeting is the latest instance.
Beyond fake updates, stealers of this kind spread through malicious ads, search engine redirects, and drive-by downloads.
Separately, the LummaC2 stealer has been updated with a new anti-sandbox technique and a claimed method for reviving Google account cookies that remain valid even after a password change. | Details |
| 2023-11-22 04:50:12 | thehackernews | MALWARE | LockBit Ransomware Targets Citrix Flaw for Unauthorized Access | The LockBit ransomware group is exploiting a critical vulnerability in Citrix NetScaler ADC and Gateway appliances.
U.S. and Australian agencies, including CISA, the FBI, and the ACSC, have issued a joint advisory on exploitation of the flaw, known as Citrix Bleed.
The vulnerability, CVE-2023-4966, leaks session tokens from appliance memory; with a stolen token an attacker hijacks an authenticated session, bypassing the password and MFA, and inherits that user's permissions.
Citrix released a fix last month, but the flaw had been exploited as a zero-day since August 2023.
Mandiant reports multiple groups exploiting it across regions and industry verticals.
LockBit uses the flaw for initial access and then deploys remote management tools to carry out the rest of the intrusion.
In related research, a comparative study of ransomware on Windows and Linux finds a growing Linux ransomware threat to medium and large organizations, with a trend toward minimal, stealthy payloads. | Details |
| 2023-11-22 01:06:20 | theregister | CYBERCRIME | Binance CEO Pleads Guilty to Massive Financial Crimes | Binance and its CEO, Changpeng Zhao, have pleaded guilty to financial crimes including money laundering violations and sanctions evasion.
The cryptocurrency exchange will pay $4.3 billion in fines and settlements to the U.S. government.
Binance failed to register as a money services business, violated anti-money laundering laws, and processed transactions for users in sanctioned countries.
U.S. Attorney General Merrick Garland said Binance chose profit over compliance with U.S. law in order to gain market share.
The company knowingly kept allowing U.S. users onto its platform after it had supposedly cut them off in 2019.
Binance must now implement robust anti-money laundering controls and submit to monitoring and reporting to U.S. agencies for three years.
Zhao has resigned as CEO but remains the majority shareholder; he faces a personal penalty of $150 million payable to the CFTC.
Binance still faces potential action from the Securities and Exchange Commission, which was not party to the settlement. | Details |
| 2023-11-21 21:21:55 | bleepingcomputer | CYBERCRIME | Hacktivists Compromise U.S. Nuclear Lab, Leak Employee Data | The Idaho National Laboratory (INL), a key U.S. center for nuclear energy and national security research, was hit by a cyberattack claimed by the 'SiegedSec' hacktivist group.
SiegedSec claims to have accessed and leaked extensive human resources data covering a large number of employees and associates.
The data was posted on hacker forums and Telegram, consistent with SiegedSec's pattern of skipping ransom negotiations in favor of public disclosure.
Screenshots the hackers shared suggest access deep enough to create internal announcements about the breach within INL systems.
An INL spokesperson confirmed the attack without giving details, saying immediate steps were taken to protect affected data and that federal law enforcement is investigating.
The compromised server supported INL's Oracle HCM human resources system; there is no indication that nuclear research data was accessed or disclosed.
Because INL is part of U.S. critical infrastructure, the attack is expected to draw increased law enforcement attention to SiegedSec. | Details |
| 2023-11-21 19:33:56 | bleepingcomputer | MALWARE | Lumma Malware Touts Novel Google Cookie Restoration Feature | The Lumma information stealer claims a new capability: restoring expired Google authentication cookies.
A restored session cookie would let an attacker hijack the account, a significant risk if the claim holds.
The feature was announced on a cybercriminal forum and is limited to subscribers of the malware's "Corporate" plan, priced at $1,000 per month.
According to the advertisement, the restoration works once per key and grants access to a Google account even after the original session has expired.
The claim has not been independently verified and the security community is skeptical; Google has not commented.
Lumma's developers have since issued a further update that purportedly works around Google's countermeasures against cookie restoration.
The Rhadamanthys stealer advertises a similar feature, suggesting that a common weakness may be in play.
Until Google confirms a countermeasure, users are advised to focus on avoiding infection in the first place. | Details |
| 2023-11-21 19:18:23 | bleepingcomputer | MISCELLANEOUS | Microsoft Launches Defender Bug Bounty with Up to $20K Rewards | Microsoft has launched a bug bounty program for its Microsoft Defender products, with rewards from $500 to $20,000.
Microsoft may pay more at its discretion, depending on the severity of the vulnerability and the quality of the report.
The top awards go to critical-severity reports demonstrating remote code execution in the Microsoft Defender for Endpoint APIs.
The program is part of Microsoft's effort to engage the global security research community in improving the security of its products.
Microsoft also said it has awarded nearly $59 million for eligible vulnerability reports across its bounty programs over the past five years.
The Microsoft Defender Bounty Program currently covers only the Defender for Endpoint APIs but may expand to other Defender products and services.
The program's terms, including the list of eligible vulnerabilities and how awards are decided, are published on Microsoft's FAQ page. | Details |
| 2023-11-21 18:05:52 | bleepingcomputer | DATA BREACH | AutoZone Hit by Clop MOVEit Data Breach Affecting Thousands | AutoZone, a major automotive parts retailer and distributor, has reported a data breach affecting 184,995 people.
The breach stems from the Clop ransomware gang's mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer software.
AutoZone's breach notification says the exfiltrated data included full names and Social Security numbers.
AutoZone is offering identity theft protection services and advises affected individuals to stay vigilant for the next 24 months.
The data Clop leaked includes employee details, tax information, payroll documents, and more; no customer data has been identified in it.
Clop had earlier claimed responsibility and published the stolen AutoZone data, which is still being checked for authenticity.
The MOVEit attacks are part of an international cybercrime campaign from which Clop is expected to collect as much as $75 million in ransom payments. | Details |
| 2023-11-21 18:00:27 | bleepingcomputer | CYBERCRIME | Urgent Patch Required for Exploited 'Looney Tunables' Linux Vulnerability | CISA has ordered U.S. federal agencies to patch the 'Looney Tunables' Linux bug, an actively exploited vulnerability that grants root access.
Discovered by Qualys researchers, the flaw is a buffer overflow in the GNU C Library's dynamic loader (ld.so) and affects Fedora, Ubuntu, and Debian, among other distributions.
Administrators are urged to patch now, as proof-of-concept exploits for CVE-2023-4911 are public and the bug is under active exploitation.
CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, with a December 12 deadline for federal agencies to patch.
The Kinsing malware campaign is exploiting the flaw to gain root in cloud environments, leading to further attacks and data theft.
Kinsing's operators first exploit vulnerabilities in PHPUnit to install a JavaScript web shell, which gives them persistent access and lets them survey the cloud environment.
The goal is to harvest cloud service provider credentials and deploy cryptomining malware across cloud workloads such as Kubernetes, Docker APIs, Redis, and Jenkins. | Details |
| 2023-11-21 16:37:58 | theregister | DATA BREACH | Sumo Logic Successfully Defends Against Potential Data Breach | Sumo Logic, a SaaS log analytics provider, detected unauthorized access to one of its AWS accounts through a compromised credential.
The incident, first detected on November 3, did not result in any customer data being compromised.
The company immediately locked down the affected infrastructure and rotated credentials that might have been exposed.
Sumo Logic advised all customers to rotate their credentials, especially API access keys, even where there was no evidence of direct impact.
Third-party forensic specialists helped with the investigation, confirming the integrity of customer data before the incident was closed.
The company plans further evaluations to identify measures that will prevent a recurrence and strengthen its overall security.
The response was timely and transparent, with frequent customer updates, and drew praise from security experts.
Experts cite the incident as a reminder of the value of proactive controls such as regular API key rotation. | Details |
| 2023-11-21 16:37:57 | bleepingcomputer | CYBERCRIME | Citrix Urges Admins to Invalidate Sessions Post 'Citrix Bleed' Patch | Citrix has again urged administrators to invalidate all active and persistent user sessions after patching CVE-2023-4966, known as 'Citrix Bleed'.
Citrix patched the flaw in early October, but exploitation has been under way since at least late August 2023.
Attackers have been using the vulnerability to steal session tokens; because patching does not invalidate tokens already stolen, those sessions keep working on patched appliances until they are killed.
Mandiant notes that sessions hijacked before patching remain a risk afterwards, enabling lateral movement and further account compromise.
The warning follows reports that the LockBit ransomware group is exploiting Citrix Bleed, as flagged in a joint advisory from CISA, the FBI, and other agencies.
Boeing has disclosed an intrusion in which LockBit 3.0 affiliates exploited CVE-2023-4966, leading to a significant data theft and a subsequent leak on the gang's dark web site.
CISA's malware analysis report shows the post-exploitation activity included saving registry hives and dumping LSASS process memory, both credential-theft techniques.
A week before the advisory, more than 10,000 internet-exposed Citrix servers were reportedly still vulnerable. | Details |
| 2023-11-21 15:56:58 | bleepingcomputer | MALWARE | DarkGate and PikaBot: Sophisticated Phishing Threats Post-Qakbot | DarkGate and PikaBot have surged into the gap left by the dismantled Qakbot botnet and pose a serious threat to enterprises.
A sophisticated phishing campaign that initially delivered DarkGate has adopted PikaBot as its main payload, using tactics that closely resemble Qakbot's.
The campaign exploits trust in existing email conversations by replying to or forwarding ongoing threads, luring recipients into downloading a ZIP archive that carries the malware.
The operators have been testing various droppers; the primary payload shifted from DarkGate to PikaBot in October 2023.
DarkGate offers remote access, cryptocurrency mining, and data theft; PikaBot brings strong anti-analysis features and flexible payload delivery.
Cofense highlights the sophistication of the actors behind the campaign and advises organizations to familiarize themselves with its tactics, techniques, and procedures (TTPs). | Details |
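Added example for the DarkGate/PikaBot item above (not Cofense's tooling or anything from the article): a mail-gateway triage step for the delivery pattern described, a reply into an existing thread carrying a ZIP archive whose members are scripts rather than documents. The message, its threading headers, the archive contents and the extension list are this example's own constructions.

```python
"""Added example: triage a message for the pattern described above, a reply
into an existing thread that carries a ZIP archive holding a script dropper.
Not Cofense's tooling or anything from the article; the message, its headers,
the archive contents and the extension list are this example's own constructions."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that execute directly when opened on Windows; a ZIP whose members
# carry one of these is a loader stage, not the "invoice" the lure promises.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".cmd", ".bat")


def build_sample_message() -> bytes:
    """Construct a thread reply with a ZIP containing a placeholder JScript file."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_Q3.js", "// constructed placeholder, not a real dropper\n")
    msg = EmailMessage()
    msg["From"] = "accounts@partner.example"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "RE: Q3 invoice reconciliation"
    # Threading headers are what make the lure look like part of a conversation.
    msg["In-Reply-To"] = "<4f2a9c@victim.example>"
    msg["References"] = "<4f2a9c@victim.example>"
    msg.set_content("Hi, the corrected figures are in the attached archive.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_Q3.zip")
    return msg.as_bytes()


def scripts_in_zip(data: bytes):
    """List archive members whose name ends in a script extension.

    Returns None if the bytes are not a readable ZIP (corrupt, or not a ZIP at
    all), which is worth surfacing rather than silently passing. Password
    protection does not hide member names, so those archives are still listed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if m.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return None


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message and return the evidence plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    thread_reply = bool(msg["In-Reply-To"] or msg["References"])
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        scripts = scripts_in_zip(part.get_payload(decode=True))
        if scripts is None:
            findings.append((name, "unreadable zip"))
        elif scripts:
            findings.append((name, scripts))
    if findings and thread_reply:
        verdict = "quarantine"       # the campaign's signature combination
    elif findings:
        verdict = "hold_for_review"  # script-in-zip without thread context
    else:
        verdict = "deliver"
    return {"thread_reply": thread_reply, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The threading headers alone prove nothing, since every legitimate reply carries them; the signal is the combination with an archive whose payload is executable, which is why the verdict table treats the two findings differently. Nested archives and non-ZIP containers (ISO, IMG) are outside this example and would need the same member listing applied recursively.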