Daily Brief
Find articles below; see 'DETAILS' for the generated summaries
Total articles found: 12594
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-18 12:29:21 | thehackernews | CYBERCRIME | Critical Citrix NetScaler Vulnerability Exploited, Targeting Government and Tech Firms | Citrix has warned of active exploitation of a recently disclosed critical security flaw in its NetScaler ADC and Gateway appliances. The vulnerability, identified as CVE-2023-4966 with a CVSS score of 9.4, allows sensitive information exposure and session hijacking, bypassing multi-factor or other strong authentication requirements. Google-owned threat intelligence firm Mandiant has reported zero-day exploitation of the vulnerability in the wild since late August 2023. While patches for the flaw were released in October 2023, session data hijacked before the patch was deployed can still be used by threat actors, even after the update. The unidentified threat actor(s) have targeted professional services, technology, and government organizations. Mandiant recommends that organizations not only apply the patch but also terminate all active sessions, given the active exploitation and critical nature of this vulnerability. | Details |
| 2023-10-18 11:47:46 | thehackernews | CYBERCRIME | Tunisian Threat Actor Mining Cryptocurrency and Breaching Cloud Environments via Jupyter Notebooks | A threat actor, likely from Tunisia, has been linked to a campaign targeting exposed Jupyter Notebooks in an attempt to mine cryptocurrency and breach cloud environments. Termed Qubitstrike by the cloud security firm Cado, the attack uses the Telegram API to exfiltrate cloud service provider credentials following a successful breach. The attack uses payloads hosted on codeberg.org, a Git hosting platform, with a shell script (mi.sh) that executes a cryptocurrency miner, establishes persistence, and retrieves and installs the Diamorphine rootkit to hide malicious processes. The malware also captures Amazon Web Services and Google Cloud credentials and sends them back to the attacker via the Telegram Bot API. The attack also tries to evade detection by renaming data transfer utilities and blocking competing mining operations, and attempts to delete Linux log files in an effort to remain undetected. The attackers appear to be based in Tunisia, based on the IP address used to access the cloud honeypot with the stolen credentials. Although the primary objective appears to be mining cryptocurrency with XMRig, the researchers note that any conceivable attack could be undertaken by these operators after gaining access to the vulnerable hosts. | Details |
| 2023-10-18 11:47:46 | thehackernews | CYBERCRIME | Real-life Cybersecurity Attack Paths and Key Takeaways for Effective Mitigation | The article presents 7 real-life scenarios of cybersecurity breach pathways, providing insight into the dynamic nature of cyber threats. It describes customer environments ranging from large financial companies to major travel, healthcare, and transportation companies and the specific vulnerabilities they faced; the reports show that 75% of an organization's critical assets could be compromised in its current security state. Challenges identified include the inability of security tools to effectively prioritize threats and to provide context on how the various issues interrelate in ways attackers can exploit. Attack paths described include routine customer calls, post-merger integration complexities, misconfigured Active Directory, unpatched servers, and man-in-the-middle attacks. The remediation strategies employed involve disabling unnecessary services, patching vulnerable systems, restricting permissions, educating users on security best practices, and implementing comprehensive remediation plans. The key takeaway for organizations is to avoid viewing risks in isolation, to gain a deep, context-based understanding of their environment, and to use the right tools to predict and efficiently combat these threats. | Details |
| 2023-10-18 11:01:37 | bleepingcomputer | CYBERCRIME | Zero-day Exploitation of Citrix NetScaler Bug Traced Back to August | A critical vulnerability, CVE-2023-4966, affecting Citrix NetScaler ADC/Gateway devices has been exploited as a zero-day since late August. Cybersecurity firm Mandiant found the flaw being used in the wild to steal authentication sessions and hijack accounts. The vulnerability allows attackers to gain access to appliances configured as a gateway or as an authentication, authorization, and accounting (AAA) virtual server. Mandiant warns that hijacked sessions persist even after the security update is installed and can be used for lateral movement or to breach more accounts. The flaw has been seen exploited to gain access to infrastructure belonging to government and technology organizations. This is the second zero-day flaw Citrix has fixed this year; the previous one, CVE-2023-3519, was exploited in the wild in early July. | Details |
| 2023-10-18 10:05:07 | bleepingcomputer | MALWARE | Jupyter Linux Servers Targeted in Qubitstrike Malware Campaign Aiming at Crypto Mining and Data Theft | Threat actors are targeting internet-exposed Jupyter Notebooks to breach servers and deploy a combination of a Linux rootkit, crypto miners, and password-stealing scripts in a campaign dubbed "Qubitstrike". The attackers aim to hijack Linux servers for cryptomining and to steal credentials for cloud services such as AWS and Google Cloud. According to Cado Research, the malware payloads are hosted on codeberg.org, the first time this platform has been observed being used for malware distribution. Qubitstrike starts its attack by scanning for exposed Jupyter Notebooks, evaluating the CPU for mining capability, then searching for credential files to steal and executing a malicious script with a variety of harmful functions. The Qubitstrike scripts also install the open-source Diamorphine rootkit for Linux, used to hide the running scripts and malware payloads. Additionally, Qubitstrike looks for credentials on the compromised endpoint, sends them to its operators via the Telegram Bot API, and renames or deletes evidence of the breach in system log files. Review of the attacker's repository on Codeberg revealed another script that uses a Discord bot for command-and-control operations and data exfiltration. | Details |
| 2023-10-18 09:13:33 | thehackernews | NATION STATE ACTIVITY | Cyber Espionage Campaign Targets APAC Governments via Secure USBs | TetrisPhantom is a long-running cyber espionage campaign targeting government bodies in the Asia-Pacific (APAC) region by exploiting a type of secure USB drive used for secure data storage and transfer, according to Kaspersky's Q3 2023 APT trends report. The Russian cybersecurity firm identified the ongoing activity early in the year and raised concerns that the campaign could expand globally given the worldwide use of the secure USB drives under attack. The actors behind the campaign remain unknown, but its sophistication points to a nation-state group; the attacks are highly targeted and limited in the number of victims. A notable feature of the campaign is the use of several malware modules to execute commands, gather data, and spread the infection to other secure USB drives connected to infected machines. Kaspersky warns that the TetrisPhantom campaign includes complex tools and techniques, such as injecting code into a legitimate access management program on the USB drive, which acts as a loader for the malware on new machines. The report also disclosed a new, previously unknown Advanced Persistent Threat (APT) actor responsible for several sets of attacks on government entities, military contractors, universities, and hospitals in Russia via spear-phishing emails carrying malware-laden Microsoft Office documents; Kaspersky has codenamed these attacks BadRory. | Details |
| 2023-10-18 06:55:57 | bleepingcomputer | CYBERCRIME | FBI Issues Cyber Extortion Alert for Plastic Surgery Offices | The FBI warns of widespread phishing attacks targeting plastic surgery offices across the U.S., in which cybercriminals spoof emails and phone numbers, spread malware, and subsequently leak sensitive data to extort money from victims. The criminals exploit networks and steal a variety of sensitive data, including personally identifiable information and intimate photographs taken for medical purposes. The attackers further enrich the data with additional information gleaned from social media platforms and use it as leverage for extortion, threatening to share the data widely if a payment in cryptocurrency is not made. The attackers set up public websites displaying the sensitive information and, in some cases, also share it with the victims' contacts to apply additional pressure. Protective measures suggested by the FBI include: tightening social media privacy settings, enabling two-factor authentication for logins, creating complex passwords for all accounts, closely monitoring bank accounts and credit reports, setting up credit report fraud alerts or security freezes, and reporting any breaches to the Internet Crime Complaint Center (IC3). The warning follows a similar FBI public service announcement earlier this month about a rise in 'phantom hacker' scams, particularly targeting senior citizens in the U.S. | Details |
| 2023-10-18 06:50:18 | thehackernews | CYBERCRIME | Synology's DiskStation Manager Plagued by Medium-severity Admin Vulnerability | A flaw has been discovered in Synology's DiskStation Manager (DSM) that could enable an attacker to decipher an administrator's password and remotely take over the account. The vulnerability, tagged as CVE-2023-2729 and rated 5.9 on the CVSS severity scale, is due to the use of a weak random number generator when creating the admin password for the network-attached storage (NAS) device. The PRNG used by the software is JavaScript's Math.random() method, which is not cryptographically secure and can produce predictable values, reducing the strength of the generated secret and compromising sensitive information and systems. Actual exploitation of this vulnerability would allow an attacker to predict the generated password and gain access to otherwise restricted functions, but would first require leaking the GUIDs and brute-forcing the Math.random() state to recover the admin password. While Synology addressed this flaw in updates released in June 2023, the danger persists under rare conditions, so users should remain vigilant. Sharon Brizinov of Claroty, the researcher who reported this vulnerability, recommended using cryptographically secure random number sources such as the window.crypto.getRandomValues() method instead of Math.random() for security-sensitive purposes. | Details |
| 2023-10-18 03:57:27 | thehackernews | DATA BREACH | D-Link Confirms Data Breach Following Reported Phishing Attack | Taiwan-based networking equipment manufacturer D-Link has confirmed a data breach that resulted in the exposure of low-sensitivity and semi-public information. The leaked data originated from the company's outdated D-View 6 system, which was decommissioned in 2015, and the data was mainly used for registration purposes. The confirmation comes after an unauthorized party claimed, in a forum post on October 1, 2023, to have stolen the personal data of several government officials in Taiwan and the source code of D-Link's D-View network management software. Cybersecurity firm Trend Micro, brought in to investigate the incident, found that the breach compromised roughly 700 outdated records, far fewer than the millions claimed by the unauthorized party. D-Link believes the incident occurred because an employee fell victim to a phishing attack, and the firm has stated its intent to strengthen its operational security. While precise details about the attack have not been disclosed, D-Link says its active customers are unlikely to be affected by this breach. D-Link also believes that recent login timestamps in the leaked data were tampered with to make the outdated data appear recent. | Details |
| 2023-10-17 21:50:35 | bleepingcomputer | CYBERCRIME | Over 40,000 IT administrators system accounts found using 'Admin' as Password | Security researchers analyzed over 1.8 million admin credentials and found more than 40,000 entries using "admin" as the password, leaving those accounts exposed to potential cyberattacks. The authentication data was gathered between January and September 2021 through Threat Compass, a threat intelligence solution from cybersecurity company Outpost24. The credentials came from data harvested by information-stealing malware and, although not stored in plain text, most of them could be easily decoded and exploited without complex attack strategies. A potential intruder could gain access to confidential company data, customer tracking, and database operations through these admin portals. Outpost24 advises the use of long, strong, and unique passwords for every account, especially those with access to sensitive resources. It also recommends using an endpoint detection and response (EDR) solution, disabling password saving and auto-fill in web browsers, verifying domains when redirects occur, and avoiding cracked software. | Details |
| 2023-10-17 21:14:47 | bleepingcomputer | CYBERCRIME | US Convenience Store Chain Kwik Trip Hints at Cyber Attack Behind IT Outage | US convenience store chain Kwik Trip has hinted that a cyberattack is behind its ongoing IT system disruption. Since October 8th, the company has been dealing with an IT outage that has affected its Rewards Program, support systems, phones, and email. In a recent statement, Kwik Trip said it had hired third-party security experts to investigate the matter, but there is no evidence so far that any data has been stolen. The company's public-facing retail systems appear to be unaffected by the disruption. Given the incident, Kwik Trip is advising its customers and employees to monitor their credit histories and credit card transactions closely for potentially fraudulent activity. Employees have expressed frustration about the company's lack of transparency regarding the incident. Customers should also be wary of phishing emails that claim to be from Kwik Trip and ask for sensitive information. | Details |
| 2023-10-17 20:48:59 | bleepingcomputer | CYBERCRIME | Over 10,000 Cisco IOS XE Devices Compromised Due to Zero-Day Exploit | Attackers have compromised more than 10,000 Cisco IOS XE devices by exploiting a severe zero-day vulnerability, infecting the devices with malicious implants. Cisco's IOS XE software runs on products such as enterprise switches, aggregation and industrial routers, wireless controllers, and access points, among others. The company noted that systems with the Web User Interface feature and the HTTP or HTTPS Server feature enabled are at risk. Threat intelligence firm VulnCheck released a scanner to detect the malicious implants on affected Cisco devices; the firm's CTO, Jacob Baines, stated that the exploit likely allows attackers to monitor network traffic and carry out man-in-the-middle attacks. Cisco first identified attacks involving the CVE-2023-20198 zero-day in late September; during these attacks, the perpetrators created local user accounts and deployed malicious implants. Investigation revealed that the same actor likely conducted these attacks, with the more recent activity appearing to establish more persistent access via the implants. Cisco advised administrators to disable the vulnerable HTTP server feature on all internet-facing systems until a patch is available, and to look for newly created user accounts as indicators of possible malicious activity. | Details |
| 2023-10-17 19:52:48 | bleepingcomputer | MALWARE | Malicious Notepad++ Google Ads Scheme Uses Advanced Techniques to Distribute Malware | Threat actors have leveraged Google Ads in a malvertising campaign targeting Notepad++ text editor users that went undetected for several months. The attack directs users to fake software websites that distribute malware, potentially including Cobalt Strike, which often precedes serious ransomware attacks. The campaign uses misleading titles in Google Search adverts to attract users and then redirects them to websites based on their IP address. Intended targets are redirected to a fraudulent Notepad++ site where, if they click on any of the download links, a system fingerprint check is performed to confirm they are valid targets. Suitable victims are then served an HTA script with a unique ID, likely used by the attackers to track their infections; it is served only once, and a second visit results in an error. To avoid falling victim to such attacks, users are advised to skip promoted results when searching for software tools and to double-check the official domain. | Details |
| 2023-10-17 19:11:43 | bleepingcomputer | CYBERCRIME | Amazon Increases Cybersecurity with New Passwordless Login Option Via Passkeys | Amazon has quietly introduced passkeys, a passwordless login option that provides improved protection against malware and phishing attacks. Passkeys are digital credentials that let users sign in to websites using biometrics or PINs tied to their devices, such as smartphones, computers, and USB security keys. The new method decreases the risk of network and data breaches and counters phishing tactics and info-stealing malware, preventing the compromise of authentication information. Amazon users can generate a passkey in the account's Login & Security settings; they will be prompted to use Windows Hello, a security key, or a mobile device to generate the passkey. The new option still allows traditional password logins, but passkeys are safer because they reduce the risk of entering one's password on a phishing landing page. However, there are limitations, including the inability to manage or name passkeys individually on Amazon's platform, and passkeys not being usable across Amazon's regional websites. Other companies expanding their use of passkeys include Google, Microsoft, WhatsApp, BestBuy, eBay, PayPal, and GoDaddy. | Details |
| 2023-10-17 18:51:01 | bleepingcomputer | DATA BREACH | D-Link confirms breach following phishing attack; stolen data available for sale on hacking forum | Taiwanese networking equipment manufacturer D-Link confirmed a data breach earlier this month. Reportedly, an employee fell prey to a phishing attack, allowing an attacker to access the company's network. The attacker claims to have stolen source code for D-Link's network management software, D-View, along with millions of entries containing customers' and employees' personal information, including names, emails, addresses, phone numbers, account registration dates, and last sign-in dates; the records span 2012 to 2013. Despite the attacker's claim of three million breached lines of information, D-Link stated that the compromised system contained only about 700 inactive, outdated, and fragmented records. According to D-Link, the infiltrated server was an out-of-date "test lab environment" running an end-of-life D-View 6 system; why it was still running, and possibly reachable from the internet, despite being decommissioned in 2015 remains unknown. D-Link speculates that the attacker intentionally tampered with login timestamps to create the impression of a more recent data theft, but it assured that the majority of its present customers are unlikely to be impacted by this incident. | Details |