Daily Brief

Total articles found: 12608

2023-11-02 05:21:51 thehackernews MISCELLANEOUS FIRST Announces Launch of Next Generation Vulnerability Scoring System, CVSS v4.0
The Forum of Incident Response and Security Teams (FIRST) has launched the Common Vulnerability Scoring System (CVSS) v4.0, eight years after CVSS v3.0. CVSS v4.0 aims to provide accurate vulnerability assessment for industries and the public, implementing a system that captures the key technical features of a security vulnerability and gives it a numerical score denoting its severity. The score can be translated into levels such as low, medium, high, and critical, helping organisations prioritise their vulnerability management processes. FIRST emphasises that CVSS v4.0 does not merely measure the severity of a vulnerability and should not be the sole system used to assess risk. Criticisms of the former version, CVSS v3.1, included a lack of granularity in the scoring system and insufficient representation of health, human safety, and industrial control systems. CVSS v4.0 addresses these issues by providing supplemental metrics for vulnerability assessment, including Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency. FIRST also introduces a new nomenclature for enumerating CVSS scores using a variety of severity ratings.
2023-11-02 04:30:45 thehackernews CYBERCRIME HelloKitty Ransomware Group Exploits Critical Apache ActiveMQ Vulnerability
The HelloKitty ransomware group has been spotted exploiting a critical vulnerability in the Apache ActiveMQ open-source message broker, according to cybersecurity firm Rapid7. The exploited flaw, CVE-2023-46604, is a remote code execution vulnerability allowing threat actors to run arbitrary shell commands. The vulnerability carries a maximum-severity CVSS score of 10.0. As of November 1, 2023, the Shadowserver Foundation found 3,326 internet-accessible ActiveMQ instances susceptible to CVE-2023-46604, the majority of which are located in China, the U.S., Germany, South Korea, and India. Successful exploitation allows adversaries to load remote binaries that function akin to ransomware, searching for and terminating a specific set of processes before starting the encryption process. Encrypted files are appended with the ".locked" extension. Updated ActiveMQ versions addressing the vulnerability were released last month, and users are urged to apply the updates. Rapid7 emphasises the importance of scanning networks for indicators of compromise given the active exploitation of the flaw.
2023-11-02 03:34:25 theregister CYBERCRIME Boeing Responds to Cyberattack on Parts and Distribution Business
Boeing, the aerospace and defence contractor, has reported a cyber incident affecting its parts and distribution business, which it is currently investigating alongside authorities. The attack follows claims by the ransomware group LockBit that it had exfiltrated sensitive data from Boeing; however, the source of the incident remains unconfirmed. Boeing's parts and distribution website was temporarily unavailable due to the attack, which may disrupt the lucrative aftermarket sales of spare parts. Screenshots showed that LockBit had added Boeing to its victim list, with administrators stating they had used a 0-day exploit to gain access to the company's systems. The LockBit ransom note gave Boeing a six-day window to begin negotiations. By Monday, Boeing had been removed from the group's website, implying that discussions may have begun. Boeing has not released a formal statement on the matter. The US Cybersecurity and Infrastructure Security Agency (CISA) lists LockBit as 2022's most prolific ransomware operator. The group is known for high-profile attacks and is believed to have generated over $90 million from ransomware activities between 2020 and mid-2023.
2023-11-02 01:27:09 theregister NATION STATE ACTIVITY FBI Fears Lapse in Section 702 Spying Powers would Curb Cyberattack Detection
FBI Director Christopher Wray warned a US Senate committee about the potential negative impact of allowing the federal Section 702 surveillance powers to lapse. He stated that if this were to occur, it could lead to a failure to prevent major cyberattacks from adversaries such as Iran or China. Wray cited that 97% of the FBI's technical intelligence on malicious "cyber actors" in the first half of this year was acquired via Section 702 searches. Section 702 of America's Foreign Intelligence Surveillance Act (FISA) permits US intelligence agencies to monitor the electronic communications of foreigners outside the US. The rule is set to expire at the end of 2023 unless renewed or reformed. Advocacy groups and some lawmakers seek to reform Section 702 to strengthen protections for US residents. Proposed changes include limiting the scope of permissible targeting, strengthening the role of FISA Court amici, and outlawing "about" collections that allow more surveillance than is usually permitted. The Biden administration called for the reauthorisation of Section 702 "without new and operationally damaging restrictions", and suggested that letting the law expire would rank among "the worst intelligence failures". Critics argue that requiring a warrant for US person queries and other reforms would not undermine the value of Section 702. They also question the FBI's objection to these proposed changes.
2023-11-01 22:49:27 theregister CYBERCRIME Medical Research Firm, Advarra, Targeted by Notorious Alphv Cyber Gang
The notorious cyber gang Alphv, also known as BlackCat, claims to have stolen data from Advarra, a company that supports medical trials, via a SIM swap on an executive's phone. The criminals reportedly have access to over 120GB of confidential data relating to employees, customers and patients. If no ransom is paid, the gang has said it may sell or leak the information. Evidence of the breach was shared on Alphv's dark-web site, including personal details of some individuals. However, these details have since been removed, and Advarra doubts that some of the claimed interactions between the company and the gang actually occurred. In response to the claims, a spokesperson for Advarra revealed that a colleague's phone number was compromised and used to access their professional accounts. The company is investigating with the help of cyber experts, and has reportedly taken containment actions and notified federal law enforcement. Despite the allegations, the spokesperson says the company's operations have not been disrupted and there is no evidence that clients' or partners' systems were compromised or accessed. The report follows recent Alphv activity in which 8.6TB of data was leaked from Morrison Community Hospital in Illinois. The healthcare sector's vulnerability to cybercrime is well known, and recent figures from Sophos show that encrypting data remains the criminals' preference, with encryption occurring in nearly 75 percent of successful attacks.
2023-11-01 20:27:07 bleepingcomputer CYBERCRIME Black Basta ransomware hits Toronto Public Library, causing extensive system outages
The Toronto Public Library (TPL), Canada's largest public library system, has been targeted in a ransomware attack by the Black Basta ransomware operation. The attack, which has disrupted various online services and caused technical outages, is currently being investigated by law enforcement and third-party cybersecurity experts. Affected services include the tpl.ca website, account access, map passes and digital collections. Public computers and printing services are also currently unavailable. There is no evidence that personal data of staff or users was affected, and it is unclear whether the ransomware reached servers holding sensitive data. TPL announced it had engaged third-party cybersecurity experts to resolve the situation, acknowledging that a full restoration might take several days. The origins of Black Basta are somewhat disputed: some believe it is a splinter group from the Conti cybercrime operation, whereas others identify a link with the Fin7 cybercrime operation, also known as Carbanak.
2023-11-01 20:06:21 theregister CYBERCRIME Mysterious Kill Switch Deactivates Prolific Mozi Botnet
Security researchers at ESET have found a kill switch that has sharply slowed, and possibly ended, activity of the Mozi botnet, which accounted for nearly 90% of malicious internet of things (IoT) network traffic and exploited hundreds of thousands of devices each year. The botnet's activity started slowing down in India on 8 August and in China on 16 August. By the end of September, researchers discovered a control payload within a user datagram protocol (UDP) message that acted as the kill switch. The control payload was deployed eight times, instructing the bot to download and install an update via HTTP. This stopped the Mozi malware, disabled some features and commands, and shut down access to various ports. Despite the kill switch, the Mozi bots maintained persistence but were stripped of their malicious capabilities. ESET researchers propose two possible theories about who disabled the botnet: the original creator, or Chinese law enforcement, possibly through coercion of the original team. The investigation is ongoing, and a more detailed analysis is expected in the coming months. Whether the botnet will stay inactive remains an open question.
2023-11-01 19:30:15 bleepingcomputer MISCELLANEOUS FIRST Releases CVSS 4.0 Vulnerability Severity Rating Standard
The Forum of Incident Response and Security Teams (FIRST) has released its updated Common Vulnerability Scoring System (CVSS) standard, eight years after its last major version. CVSS is a standardized system for evaluating the severity of software security vulnerabilities, informing threat prioritization and response strategies. The new standard, CVSS 4.0, offers enhanced granularity in metrics, clearer scoring, simpler threat metrics, and better ability to assess environment-specific security requirements and controls. New metrics under CVSS 4.0 include Automatable (indicating vulnerability to worms), Recovery (resilience), Value Density, Vulnerability Response Effort, and Provider Urgency. CVSS 4.0 has expanded its applicability to operational technology (OT), industrial control systems (ICS), and Internet of Things (IoT), adding safety metrics to its Supplemental and Environmental metric groups. FIRST also introduced a new nomenclature under CVSS 4.0, which includes Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings. FIRST aims to empower its members and the sector, improving cybersecurity defenses and responses to cyberattacks. It also released Traffic Light Protocol (TLP) 2.0 in 2021, a standard for sharing sensitive information in the CSIRT community.
2023-11-01 19:09:04 theregister NATION STATE ACTIVITY Russian Nationals in US Arrested for Illegally Exporting Military-Grade Tech to Moscow
Three Russian nationals have been apprehended in New York on charges related to smuggling electronic components—valued at over $10m—to sanctioned entities in Russia, some of which were recovered from Ukrainian battlefields. The individuals charged are Nikolay Goltsev, a Russian-Tajikistani dual citizen, and Salimdzhon Nasriddinov and Kristina Puzyreva, both Russian-Canadians. They are accused of wire fraud, smuggling, and conspiring to violate the Export Control Reform Act. The accused trio allegedly used front companies SH Brothers Inc. and SN Electronics Inc. to ship around 300 consignments of semiconductors, integrated circuits, and other dual-use electronic components in just over a year. Packages were initially sent to countries such as Turkey, Hong Kong, India, China, and the UAE before being rerouted to Russia, according to law enforcement officials. The electronic parts shipped were used in various Russian military equipment, including radio reconnaissance tools, electronic warfare kits, missiles, and tanks. The recipients of these goods included sanctioned entities such as Radioavtomtika, a Moscow defense procurement company specialising in procuring imported parts for the Russian army. The indictments indicate that the accused were aware their activities were illegal and that the parts they were smuggling had military uses. This arrest is one of several similar cases reported recently, especially since the imposition of sanctions on Russia following its invasion of Ukraine.
2023-11-01 18:48:16 bleepingcomputer CYBERCRIME Exploitation of Citrix Bleed Flaw Targets Worldwide Government Networks
Hackers are leveraging a vulnerability known as 'Citrix Bleed', identified as CVE-2023-4966, to launch attacks on government, technical, and legal organizations globally, with campaigns occurring since late August 2023. The flaw, which affects Citrix NetScaler ADC and NetScaler Gateway devices, was disclosed in October and allows access to sensitive information. It was exploited as a zero-day, enabling attackers to hijack authenticated sessions and bypass multifactor protection. Cybersecurity company Mandiant has observed post-exploitation activity related to credential theft and lateral movement. The attacks are stealthy, leaving limited forensic evidence. Investigating these exploits is challenging due to the lack of logging on the targeted appliances, so specialized network monitoring is required to determine whether a device was exploited. According to Mandiant, the threat actors are using recognizable administrative tools and blending into daily operations, making detection even more difficult. Once the vulnerability is exploited, attackers engage in network reconnaissance, credential theft, and lateral movement using RDP among other tactics. Mandiant has suggested that addressing the vulnerability alone will not resolve current breaches; a comprehensive incident response and system restoration strategy is required.
2023-11-01 18:06:45 bleepingcomputer CYBERCRIME 3,000 Apache ActiveMQ Servers Vulnerable to Remote Code Execution Attacks
Over 3,000 internet-exposed Apache ActiveMQ servers are susceptible to a recently disclosed critical remote code execution (RCE) vulnerability (CVE-2023-46604) that scores a full 10.0 on the severity scale (CVSS v3). Apache ActiveMQ is an open-source message broker that facilitates secure communication between clients and servers using diverse authentication and authorization mechanisms, making it a popular choice in enterprise environments. Attackers can exploit this flaw to execute arbitrary shell commands by abusing the serialized class types in the OpenWire protocol. Apache issued a fix on October 27, 2023; however, approximately 3,329 of the 7,249 servers discovered are still running a vulnerable ActiveMQ version. Exploitation of this vulnerability can result in message interception, workflow disruption, data theft, and possible lateral movement in the network. Because of the flaw's significant implications and public availability, applying the recommended security updates should be prioritized.
2023-11-01 17:25:33 bleepingcomputer MALWARE Mozi Malware Botnet Deactivated by Unknown Party with Kill-Switch
The Mozi malware botnet was deactivated after an unknown party sent a payload that triggered a deactivation on 27 September 2023. The botnet, which targeted IoT devices for DDoS attacks, saw a sudden drop in activity in August 2023, starting with operations in India being halted. This was followed by a similar halt in China, where the botnet originates. On 27 September 2023, a UDP message was sent to all Mozi bots instructing them to download an update via HTTP, which deactivated the network. Analysis of the code used in the deactivation indicates it was similar to the original Mozi code and included the correct private keys for signing the payload, suggesting the involvement of either the original botnet creators or Chinese law enforcement in the takedown. Although one of the most prolific botnets has become inactive, many other DDoS malware botnets are still actively seeking vulnerable IoT devices, so users are urged to protect their devices with the most recent software updates and strong passwords, and by isolating them from critical networks.
2023-11-01 16:19:05 theregister CYBERCRIME Active Exploitation of Critical Vulnerabilities in F5 BIG-IP Suite Noted
Evidence of active exploitation of vulnerabilities in F5's BIG-IP suite has been confirmed. These weaknesses caught attention after an Apache JServ Protocol (AJP) smuggling vulnerability was detected in F5's BIG-IP configuration utility, and they were subsequently part of a large advisory featuring several other CVEs affecting the product line. The exploitation is suspected to chain the AJP smuggling flaw with an SQL injection vulnerability (CVE-2023-46748). F5 is believed to have anticipated a significant exploit chain based on a report provided by another researcher before the vulnerabilities were made public. Researchers routinely delay or withhold vital parts of vulnerability research from publication to prevent attackers from creating an exploit before patches can be applied. Detection of a single exposed CISA server prompted its removal, but many more servers in the telecoms sector are still reportedly susceptible.
2023-11-01 14:56:27 thehackernews CYBERCRIME Prolific Puma Threat Actor Operates Link Shortening Service for Cyber Fraud and Malware Distribution
A threat actor known as Prolific Puma operates an underground link shortening service used by other malicious actors to distribute phishing scams and malware, according to Infoblox. The actor has been creating domain names with a registered domain-generation algorithm (RDGA) and using them to provide its service, helping other cybercriminals evade detection. Prolific Puma is estimated to have registered between 35,000 and 75,000 unique domain names since April 2022. The actor leverages NameSilo, an American domain registrar and web hosting company, for registration and name servers, and ages domains for a few weeks before moving them to anonymous providers. The real identity and origins of Prolific Puma are currently unknown; however, multiple threat actors are known to be using its service to lead victims to phishing and scam sites, CAPTCHA challenges, and other shortened links. Prolific Puma is classed as a DNS threat actor, leveraging DNS infrastructure for malicious purposes. Separately, Trend Micro reported on another tool, named Kopeechka, used by less experienced cybercriminals to automate the creation of hundreds of fake social media accounts in seconds. The operation allows for the creation of two types of email addresses for account registration: ones hosted in domains owned by the threat actor and those on popular email hosting services. Kopeechka also lets users select from 16 different online SMS services, mainly from Russia, to complete the registration process, adding a layer of anonymity for the threat actors.
2023-11-01 14:56:26 bleepingcomputer CYBERCRIME Skilled Hackers Exploit Recently Discovered Flaws in F5 BIG-IP Devices
Hackers are exploiting two recent vulnerabilities in F5 BIG-IP products to stealthily gain access and erase signs of intrusion. F5 BIG-IP is a suite of services used for load balancing, security, and managing the performance of networked applications. It is widely used by government organizations and large enterprises. The vulnerabilities, CVE-2023-46747 and CVE-2023-46748, have prompted F5 to urge admins to apply the necessary security updates due to active exploitation. These vulnerabilities allow skilled attackers to erase traces of their activities, making it impossible to prove that a device has not been compromised. The Cybersecurity & Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, recommending that federal agencies apply the updates by November 21, 2023. F5 has also released a mitigation script for the RCE flaw and is encouraging admins of exposed BIG-IP devices to move directly to the clean-up and restoration phase.