Daily Brief
Total articles found: 12610
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-05 15:21:23 | bleepingcomputer | MALWARE | 'Socks5Systemz' Proxy Botnet Infects 10,000 Systems Globally | A proxy botnet dubbed 'Socks5Systemz' has infected approximately 10,000 systems worldwide via the malware loaders 'PrivateLoader' and 'Amadey'. The malware turns infected computers into traffic-forwarding proxies for malicious or anonymous traffic. BitSight detailed the Socks5Systemz bot in a report, revealing that the botnet has been active since at least 2016 but has recently grown in prevalence. The proxy bot payload is a 300 KB 32-bit DLL that relies on a domain generation algorithm (DGA) to reach its command and control (C2) server, to which it sends profiling information about the infected system. BitSight discovered an extensive control infrastructure of servers, primarily located in Europe, that help distribute the botnet; 10,000 separate communication attempts with these servers have been recorded since October 2021, indicating a sizeable number of victims. Infections are globally distributed, but most have been found in India, the United States, Brazil, Colombia, South Africa, Argentina, and Nigeria. The proxying services provided by Socks5Systemz are sold through 'Standard' and 'VIP' subscriptions, with customers paying anonymously via the crypto payment gateway 'Cryptomus'. Such illicit residential proxy botnets pose a significant threat to internet security through unauthorized bandwidth hijacking, and their services are widely used for shopping bots and bypassing geographic restrictions, which fuels their popularity. |
| 2023-11-04 15:19:37 | bleepingcomputer | MALWARE | Discord to Implement Temporary File Links to Block Malware Distribution | Discord plans to implement temporary CDN links by the end of the year to hinder the use of its network for malware distribution. The change is intended to improve user safety and restrict access to flagged content. After the implementation, links to files uploaded on Discord servers will expire after 24 hours, effectively ending the use of Discord's CDN as a permanent file hosting platform. Three new parameters, among them expiration timestamps and unique signatures, will be added to CDN URLs, which remain valid until the links expire. After a link expires, apps will need to fetch a new CDN URL; the API will automatically return valid, unexpired URLs when a resource containing an attachment CDN URL is accessed. The change is seen as a significant step towards addressing cybercrime on the platform, as Discord servers have often been used for illegal activity by financially motivated and state-backed hacking groups. Discord's permanent file hosting has been exploited to distribute malware and to exfiltrate data gathered from compromised systems using webhooks. Cybersecurity firm Trellix reports that Discord CDN URLs have been used in around 10,000 malware operations. |
| 2023-11-04 14:13:14 | bleepingcomputer | CYBERCRIME | Apple 'Find My' Network Vulnerable to Abuse, Can Stealthily Transmit Keylogged Data | Apple's "Find My" service, which locates lost or stolen devices using GPS and Bluetooth data from millions of Apple devices worldwide, can be abused to stealthily transmit sensitive keylogged information. The potential for abuse was first discovered by Positive Security researchers two years ago, and they have since built a proof-of-concept device to demonstrate the risk. The researchers integrated a keylogger with an ESP32 Bluetooth transmitter into a keyboard, showing that passwords and other data typed on the keyboard can be forwarded over Bluetooth through the Find My network. The keylogger works without an AirTag or a supported chip because Apple devices are designed to respond to any properly formatted Bluetooth message: such a message prompts the receiving Apple device to create a location report and upload it to the Find My network. Although the transmission and reception rates are low, the researchers note that this would not be an obstacle for malicious actors seeking to recover small but valuable pieces of information such as passwords. Apple's anti-tracking protections, which alert users to tracking AirTags, do not detect this form of abuse, allowing the device to remain concealed. Apple had not responded to the issue at the time of the report. |
| 2023-11-04 09:38:59 | thehackernews | MALWARE | StripedFly Malware Infects One Million Devices Globally, Operating Unnoticed for Over 5 Years | Russian cybersecurity company Kaspersky has discovered a crypto-mining malware strain named "StripedFly" which it says infected at least a million devices worldwide while going undetected for over five years. The malware, first detected in 2017, uses a custom EternalBlue SMBv1 exploit, thought to be linked to the Equation Group, to infiltrate publicly accessible systems. Besides the mining component, its features include the ability to collect sensitive data, execute PowerShell scripts, disable the SMBv1 protocol on infected hosts, and propagate to other systems through a worming module. StripedFly can also carry out a variety of espionage activities, such as recording microphone input, capturing screenshots, and gathering user credentials every two hours. The malware communicates with its command-and-control (C2) server using an undisclosed, customized version of a Tor client and uses code repositories as a fallback mechanism for downloading updates if the C2 server becomes unresponsive. Researchers suggest the malware is an advanced persistent threat (APT) tool, with its coding style and certain features resembling work created by the Equation Group. Despite its extensive capabilities, the true purpose and origins of StripedFly remain unknown, leading researchers to question why such sophisticated malware would be put to a use as trivial as crypto-mining. |
| 2023-11-04 07:42:00 | theregister | CYBERCRIME | Corrupt British Police Officer Jailed for Revealing Encryption Breach to Friend | Natalie Mottram, a former intelligence analyst for the North West Regional Organised Crime Unit, has been sentenced to nearly four years in prison for warning a friend about a breach of the EncroChat encrypted messaging network. She was convicted of misconduct in public office, perverting the course of justice, and unauthorised access to computer material. Mottram was apprehended as part of Operation Venetic, an effort by the UK's National Crime Agency (NCA) to disrupt EncroChat, an encrypted messaging service popular among criminals. After discovering the breach in 2020, police in France and the Netherlands infiltrated the network and seized conversations that were used to make arrests across Britain. To date, over 3,147 suspects have been arrested and 1,240 convicted on the basis of evidence obtained from EncroChat. Mottram tipped off Jonathan Kay, 39, that his EncroChat conversations were being monitored. Following her alert, Kay's acquaintance warned other EncroChat users about the surveillance, leading police to suspect a leak. Operation Venetic has also prompted lawsuits arguing that the mass surveillance of the chat network breaches European and UK law and questioning the legality of the evidence obtained. Kay, who admitted to perverting the course of justice, was sentenced to 30 months in prison. |
| 2023-11-04 06:05:18 | thehackernews | DATA BREACH | Okta Discloses Data Breach Impacting 134 of Its 18,400 Customers | Okta, an identity and authentication management provider, announced that 134 of its 18,400 customers were affected by a recent breach of its customer support system. The breach lasted from September 28 to October 17, 2023. The intruder gained unauthorized access through a stolen credential for Okta's customer support case management system; the compromised account could view and update customer support cases. The intruders used session tokens taken from support cases to hijack the legitimate sessions of five customers, among them 1Password, BeyondTrust, and Cloudflare. Okta revealed that the stolen service account credentials had been saved in an employee's personal Google account, which was signed into via Chrome on an Okta-managed laptop; the exposure is believed to have occurred through that personal Google account or device. Following the breach, Okta revoked the hijacked session tokens, disabled the compromised service account, and blocked the use of personal Google accounts on Okta-managed laptops. It has also hardened its product by binding session tokens to network location, requiring re-authentication when a network change is detected. The incident comes shortly after Okta disclosed that personal information of 4,961 current and former employees was exposed in a breach of its healthcare coverage vendor, Rightway Healthcare, on September 23, 2023; the compromised data included names, Social Security numbers, and medical insurance information. |
| 2023-11-04 05:39:35 | thehackernews | CYBERCRIME | Google Play Store Debuts 'Independent Security Review' Badge for Apps | Google is introducing an "Independent security review" badge in the Play Store's Data safety section for Android apps that have successfully undergone a Mobile Application Security Assessment (MASA) audit. Launched initially with VPN apps because of the sensitive data they handle, the audit badge is intended to give users more transparency about an app's security standards before they download it. MASA allows developers to have their apps independently validated against global security standards such as the Mobile Application Security Verification Standard (MASVS). By participating in the evaluation, developers get the chance to identify potential security issues in their apps and remediate them; once all requirements are met, the badge appears on their Data safety form. Google's move is part of its broader goal of presenting a unified view of app safety, including what data an app collects, how that data is used, and whether it is shared with third parties. Google cautions, however, that validation against baseline security standards does not necessarily mean an app is free of vulnerabilities. |
| 2023-11-03 21:10:22 | bleepingcomputer | MALWARE | Rise of Ransomware Attacks Across Global Institutions; 40 Countries Pledge Not to Pay Ransom | Ransomware attacks have escalated recently, with institutions in several countries, including the Toronto Public Library, ACE Hardware, and the British Library, reported as victims of different gangs. The Black Basta ransomware gang was identified as the attacker behind the Toronto Public Library incident. An alliance of 40 countries will sign a pledge not to pay ransoms at the upcoming International Counter-Ransomware Initiative meeting in Washington, D.C.; the pledge, however, does not prevent local governments from giving in to ransom demands. In response to the rise in cybersecurity threats, Microsoft plans to strengthen its security under its new 'Secure Future' initiative, aiming to improve the security built into its products and platforms. Among new and returning threats, research indicates that the Hive ransomware gang may be making a comeback, possibly under the new name Hunters International. Other new threats include a Linux-targeting wiper named BiBi-Linux and new variants of the STOP ransomware. Notably, the Daixin Team has claimed responsibility for an attack that severely impacted five Canadian hospitals. |
| 2023-11-03 20:29:25 | theregister | DATA BREACH | Hilb Group Notifies Over 81,000 Individuals of Potential Data Breach | Hilb Group, a financial services business handling property, casualty, and employee benefits insurance and advisory services, has alerted over 81,000 individuals to a potential data breach. The breach was detected following "suspicious activity" associated with employee email accounts around January 10; an investigation revealed that the accounts had been accessed by unauthorized individuals between December 1, 2022 and January 12, 2023. Potentially stolen data includes individuals' first and last names along with sensitive financial data and credentials, including Social Security numbers and credit or debit card details (together with associated security codes, passwords, or PINs). After discovering the breach, Hilb secured the compromised accounts, launched a thorough investigation, and put additional technical protections in place to improve data security and prevent future incidents. Affected individuals were informed of the breach as of October 9. To mitigate its impact, Hilb is offering free credit monitoring and identity protection services to those affected. |
| 2023-11-03 20:13:40 | bleepingcomputer | CYBERCRIME | Dutch Cybersecurity Professional Jailed for Extortion and Selling Stolen Data | Pepijn Van der Stap, a former Dutch cybersecurity professional, has been sentenced to four years in prison for hacking, blackmailing, and extorting over a dozen companies worldwide. He was also charged with laundering at least 2.5 million euros in cryptocurrency. Van der Stap and his accomplices extorted money from targeted companies by threatening to leak stolen data unless a ransom was paid. When searching his computer, law enforcement found several malicious tools and personal information stolen from millions of individuals; the data had been acquired through hacking, purchases, or exchanges with other cybercriminals and was offered for sale on various hacking forums. The suspect also assisted other criminals by selling or trading the stolen data, causing significant damage to the affected organizations. The Dutch Public Prosecution Service opened its investigation into Van der Stap's cybercriminal activity in March 2021, prompted by a report from an Amsterdam-based company; despite the ongoing legal proceedings, not all attacked organizations have reported their losses. The suspect previously worked for Hadrian Security, volunteered at the Dutch Institute for Vulnerability Disclosure, and was a member of several hacking forums under multiple aliases. Van der Stap claimed that most of his criminal hacking activity took place before he began working legally, and said that he wanted to leave illegal activity behind but found it difficult to do so. |
| 2023-11-03 19:42:30 | theregister | NATION STATE ACTIVITY | Chinese Regulators Punish Alibaba-Owned Quark and NetEase for 'Vulgar' Content | China's Cyberspace Administration (CAC) has fined Quark, a search engine owned by Alibaba, and the livestreaming platform NetEase over content it considers inappropriate. The ruling requires Quark to pay a fine of ¥500,000 (US$68,340), while NetEase was ordered to halt updates on a channel focused on dancing content for seven days. Both companies must also carry out in-depth rectification and ensure that the persons accountable for the infringements are identified. The fines follow the regulator's announcement that, from 1 January 2024, platforms must strengthen measures protecting minors from questionable content. In addition, social media platforms will now require influencers with more than 500,000 followers to disclose their real names, which may improve content accountability; critics, however, are voicing concerns about privacy rights. |
| 2023-11-03 19:42:30 | theregister | NATION STATE ACTIVITY | Ex-GCHQ Developer Sentenced for Attempted Murder of NSA Staffer in Politically Motivated Knife Attack | Joshua Bowles, a former software developer at the UK's Government Communications Headquarters (GCHQ), has been sentenced for the attempted murder and assault of an NSA official in March. According to police, the attack was premeditated and carefully planned. Bowles, who pleaded guilty, was sentenced to a minimum of 13 years. He was said to have committed the crime out of anger towards women, resentment towards GCHQ, and a desire to disrupt UK intelligence cooperation with the USA. After the attack, Bowles calmly waited for police to arrive, reportedly stating that he had been influenced by terrorist ideology and citing the victim's affiliation with GCHQ and the NSA as a motive. The investigation revealed that Bowles' search history included research into white supremacy, violent attacks on women, and the terrorist Theodore Kaczynski, also known as the Unabomber. The victim suffered multiple knife wounds that have severely affected her physical health and daily life, and the effects of the attack may be long-lasting. GCHQ and the NSA affirmed their commitment to the safety and wellbeing of their employees and expressed relief at the conclusion of the court proceedings. |
| 2023-11-03 17:50:02 | bleepingcomputer | CYBERCRIME | American Airlines' Pilots Union Hit by Ransomware Attack | The Allied Pilots Association (APA), a labor union representing 15,000 American Airlines pilots, has suffered a ransomware attack on its systems. APA's IT team, supported by outside experts, has been working to restore the encrypted systems, with initial efforts focused on pilot-facing tools and services. An external investigation is underway to assess the full extent of the incident and the data potentially affected by the encryption. It remains unclear whether pilots' personal information was compromised or exactly how many people are affected. Earlier this year, American Airlines pilots were notified of a data breach affecting 5,745 individuals after a third-party provider managing pilot applications and recruitment portals was hacked. American Airlines also disclosed breaches affecting 1,708 customers and employees in September, the result of a phishing attack, and a breach in March 2021 following a hack of the Passenger Service System operated by SITA. |
| 2023-11-03 16:53:34 | bleepingcomputer | CYBERCRIME | Google Play Introduces Independent Security Review Badges for VPN Apps | Google Play is now awarding 'Independent security review' badges to VPN apps that have undergone an independent security audit of their software and platform. The audits are based on the Mobile App Security Assessment (MASA) standard set by the App Defense Alliance (ADA) and focus primarily on data storage and privacy practices, cryptography, authentication, session management, network communication, platform interaction, and code quality. The "Independent security review" badge is displayed in the Data safety section of the app's store listing to highlight the app's compliance with the MASA standard and to promote greater transparency and trust. The audits must be carried out by an approved cybersecurity partner and include assessments of source code and server configurations that look for potential security weaknesses. So far, NordVPN, Google One, and ExpressVPN are among the VPN providers displaying the new Google Play badge; other providers, such as Private Internet Access VPN and SkyVPN, hold valid MASA certificates but have not yet been awarded the badge. Google is encouraging more VPN developers to join the initiative and submit their apps for an independent security review. The program will likely be expanded to other types of apps in the future, although no timeline has been given. |
| 2023-11-03 16:07:28 | theregister | CYBERCRIME | Microsoft Launches AI-Based Initiative to Enhance Cybersecurity | Microsoft is launching the Secure Future Initiative, an organisation-wide effort to advance its cybersecurity protections, following criticism of the company's technology defenses. The initiative rests on three pillars: harnessing artificial intelligence (AI) to improve the company's security operations and products, updating its software engineering practices, and encouraging better security practices across the industry. The 'AI-ification' of Microsoft's security portfolio will play a central role: AI will be used to detect threats at internet speed, to analyse code for security flaws, and, through GitHub Copilot, to audit and test code. Brad Smith, Microsoft's president, said that strengthening its software engineering practices would mean adhering to secure-by-design principles, acknowledging critics who have called for such measures. Microsoft has also pledged to strengthen its identity protections, halve its cloud vulnerability response and mitigation times, and take a firm stance against nation-state attacks. Smith framed the changes as a response to the evolving threat landscape, stressing the company's urgent need to respond to the rapidly increasing speed, scale, and sophistication of cyber-attacks. |