Daily Brief

2023-10-17 14:51:26 thehackernews NATION STATE ACTIVITY Nation-State Hackers Utilizing Discord to Target Critical Infrastructure
Discord has become an attractive platform for nation-state hackers targeting critical infrastructure, who exploit its content delivery network (CDN) to host malware and use its webhooks to siphon sensitive data. Cybersecurity firm Trellix discovered an artifact targeting Ukrainian infrastructure, though no direct link to a known threat group has been found. The sample is a Microsoft OneNote file disguised as an email from the non-profit dobro.ua; it contains a button that, when clicked, triggers a Visual Basic Script (VBS) which in turn runs a PowerShell script along with a second PowerShell script fetched from GitHub. In the final stage, PowerShell uses a Discord webhook to exfiltrate system metadata, and the researchers highlight the potential for this chain to deliver more sophisticated malware in the future. So far, loaders such as SmokeLoader, PrivateLoader, and GuLoader have been identified among the prevalent malware families using Discord's CDN to download next-stage payloads, while families such as Mercurial Grabber, Stealerium, Typhon Stealer, and Venom RAT have used Discord webhooks. Abusing Discord gives attackers an efficient and adaptable channel for sophisticated, long-term network infiltration, posing significant risk to critical infrastructure and sensitive data.
2023-10-17 14:40:47 thehackernews CYBERCRIME Security Flaws in Open-Source CasaOS Cloud Software Enable Unauthorised Code Execution
Two security flaws in the open-source CasaOS personal cloud software have been identified that allow attackers to execute arbitrary code and take control of vulnerable systems. The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266, have a high-risk severity score of 9.8 out of a possible 10. Security researcher Thomas Chauchefoin noted that the bugs could enable attackers to bypass authentication requirements and gain full access to the CasaOS dashboard. CasaOS's support for third-party applications can then be misused to run arbitrary commands on the system, enabling persistent device access and intrusion into internal networks. The vulnerabilities were responsibly reported and subsequently addressed in version 0.4.4, released by IceWhale on July 14, 2023. Exploitation of these flaws would allow attackers to circumvent authentication restrictions and gain administrative privileges on vulnerable systems. The researcher highlighted the risks of relying on client IP addresses identified at the application layer, advising against using them for security decisions because they can be manipulated.
2023-10-17 14:04:39 bleepingcomputer CYBERCRIME Strengthening Cybersecurity Measures with Comprehensive Password Protection Tools
The Ponemon Institute reports that 54% of cybersecurity incidents are due to credential theft, making it a significant and continuous threat to organizations. Cybercriminals target credentials because 51% of people reuse their login information across different sites, so a single stolen credential can grant attackers access to a wider range of information and potentially lead to more substantial and costly breaches. Despite the known risks, people continue to reuse passwords, including 92% of IT leaders according to the HIPAA Journal, increasing the vulnerability of the systems they use. Specops Software offers a solution with Specops Password Policy with Breached Password Protection, which bars users from choosing known breached passwords. Specops' solution continuously screens for compromised passwords, alerts users when their password is found to be compromised, and forces a password change at the next login. This allows companies to maintain a rigorous, proactive security policy.
2023-10-17 13:18:23 bleepingcomputer CYBERCRIME Thousands of Cisco IOS XE Devices Compromised via Critical Zero-Day Bug Exploitation
Thousands of Cisco IOS XE devices have been exploited and infected with malicious implants through a critical zero-day vulnerability (CVE-2023-20198), according to threat intelligence firm VulnCheck. The vulnerability has greatly impacted Cisco IOS XE routers and switches that have the Web User Interface (Web UI) enabled together with the HTTP and HTTPS Server features. Successful exploitation could allow attackers to monitor network traffic, pivot into secure networks, and perform various man-in-the-middle attacks, according to VulnCheck. While no patch is available yet, the interim protection measures recommend disabling the web interface and removing all management interfaces from internet access. Cisco disclosed the vulnerability, saying it could allow unauthenticated attackers to gain full administrative privileges and exercise complete control over affected Cisco routers and switches remotely. Evidence of these attacks first surfaced around September 18 with the creation of local user accounts named "cisco_tac_admin" and "cisco_support", which are indicators of malicious activity. In September, Cisco had warned customers about another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software that was being targeted by attackers.
2023-10-17 13:07:46 theregister NATION STATE ACTIVITY US Authorities Urge Immediate Patching of Confluence Data Center Against Exploitation by Nation-State Actors
The US agencies CISA, FBI, and MS-ISAC have urged network administrators to immediately patch a critical vulnerability in Atlassian Confluence Data Center and Server because of ongoing exploitation attempts by nation-state actors. The advisory comes in response to the disclosure of CVE-2023-22515, which has a CVSS score of 10, the highest risk rating. Successful exploitation of this zero-day vulnerability could allow cybercriminals to create new admin accounts and manipulate configuration files, and its impact is not limited to account creation. The authorities also emphasized the need to proactively search networks for intrusions or malicious activity, since updating alone won't necessarily remove threats already present. On discovering a compromise, administrators are advised to assume that the threat actors obtained full administrative access, which requires comprehensive remediation including eradicating unauthorized admin accounts and repairing any damage. Where immediate patching is impossible, the authorities recommend the limited mitigation actions outlined by Atlassian. Microsoft confirmed that the nation-state threat actor Storm-0062, reportedly a Chinese state-backed group, has been actively attempting to exploit this vulnerability since September 2023.
2023-10-17 11:46:02 thehackernews CYBERCRIME Free Webinar on Data Security Strategies for Financial and Accounting Data
The article announces a webinar called "Locking Down Financial and Accounting Data – Best Data Security Strategies." The webinar will be conducted jointly with experts from WinZip and will focus on digital threats to financial data, which is a prime target for cybercriminals. The authors point out that security breaches can lead to drained company funds, exploited clients, and jeopardized customer data. The threats can arise both from malicious actors with harmful intentions and from unintentional errors such as sending confidential emails to the wrong recipients. The tactics used to compromise data, such as ransomware attacks and inadvertent leaks from cloud storage, are diverse and constantly evolving. The key to navigating this terrain is knowledge, and the aim of the session is to arm attendees with the right tools and insights.
2023-10-17 10:18:18 thehackernews CYBERCRIME Industrial Cellular Routers from Milesight at Risk from Exploitation of a Severe Flaw; Titan MFT and Titan SFTP Servers Also Vulnerable
A serious flaw affecting industrial cellular routers from Milesight is suspected to have been exploited in real-world attacks, according to findings from VulnCheck. The vulnerability can expose log and credential information to remote, unauthorized attackers. Affecting UR5X, UR32L, UR32, UR35, and UR41 routers prior to version 35.3.0.7, the flaw could allow unsanctioned control over VPN servers. Further, it can be used to drop firewall protections, rendering the network defenceless. An additional layer of threat exists because some routers permit sending and receiving SMS messages, which attackers could exploit for fraudulent activities causing financial damage. There is evidence of small-scale, real-world exploitation of this flaw, with successful unauthorized access attempts reported on systems in France, Lithuania, and Norway. Attackers were able to extract login credentials from httpd.log, indicating that the flaw has been weaponized. Although 95% of the approximately 5,500 internet-exposed Milesight routers are not susceptible because they run non-vulnerable firmware versions, it is advisable to assume a system-wide compromise, refresh all credentials, and limit the internet reachability of management interfaces. Concurrently, multiple security flaws have been identified in South River Technologies' Titan MFT and Titan SFTP servers, potentially granting remote super-user access to the affected hosts. Despite the high risk involved, large-scale exploitation is deemed unlikely because the vulnerabilities require non-default configurations and post-authentication access.
2023-10-17 10:18:18 thehackernews MALWARE The Emergence of Malicious Generative AI: Understanding the Role of FraudGPT and WormGPT
The rise of malicious generative AI, such as FraudGPT and WormGPT, is posing new challenges to the cybersecurity landscape. FraudGPT uses machine learning models to generate deceptive content, making it a potent tool for cyberattacks: it can craft tailored spear-phishing emails, create counterfeit invoices and fabricated news articles, and more. WormGPT is another rogue AI model with the capacity to respond to queries about hacking and other illicit activities. These AI tools are being marketed as "starter kits for cyber attackers," offering advanced capabilities to aspiring attackers for a subscription fee. But they do not offer significantly more than what a cybercriminal could achieve using existing generative AI tools. The fear is that these systems can be used to produce highly convincing content for phishing emails and fraudulent schemes, and even to generate malware. These tools do not yet represent a significant shift in the cybersecurity domain because of their limitations, their lack of sophistication, and the fact that they are not built on advanced AI models. As they evolve, businesses are advised to prepare for highly targeted and personalized attacks. Detailed information about the tactics used by malicious actors leveraging these technologies can help in developing effective countermeasures.
2023-10-17 07:35:18 theregister MISCELLANEOUS UK Researchers Find Sustainable Aviation Fuel Could Cut Emissions by 80%
Researchers from the National Centre for Atmospheric Science and the University of Manchester have found that sustainable aviation fuels (SAFs), derived from non-fossil sources, could reduce emissions by up to 80%. SAFs made from waste and other unconventional sources could replace traditional jet fuel without altering aircraft hardware. The study indicates a potential improvement in air quality near airports due to a decrease in ultrafine black carbon emissions from commercial jets idling at low thrust before takeoff. US aviation regulators are aiming for a net-zero aviation system by 2050, which requires a significant increase in SAF production, though the UK might need to dedicate half of its farmland or double its renewable electricity supply to meet the same goal. Emerging technologies such as hydrogen-fuelled and electric aircraft could propel the aviation industry towards sustainability, although these developments are currently at an early stage. Obstacles for these technologies range from generation and supply concerns to the required infrastructure, and there is a lack of data on whether the aviation sector is on course to meet these targets.
2023-10-17 05:48:27 thehackernews CYBERCRIME Ukrainian Telecom Providers Suffer Cyberattacks Causing Service Disruptions
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported interference with at least 11 telecommunications service providers in the country between May and September 2023. The cyberattacks led to service interruptions for customers, with threat actors beginning with a reconnaissance phase to identify potential network entry points at the telecom companies. The threat actors employ specialized programs called POEMGATE and POSEIDON for credential theft and remote control of infected hosts, and a utility named WHITECAT to erase the forensic trail. Unauthorized access to the telecom providers' networks is achieved via VPN accounts lacking multi-factor authentication protection, after which attempts are made to disable network and server equipment. CERT-UA stated that legitimate but compromised email addresses are subsequently used to deliver SmokeLoader malware to PCs, with the intent of stealing authentication data or altering financial documents in remote banking systems to make unauthorized payments. CERT-UA noted that the reconnaissance and exploitation activities are carried out from previously compromised servers located within the Ukrainian segment of the internet, using Dante, SOCKS5, and other proxy servers to route traffic. This report follows an earlier statement from CERT-UA about four observed phishing waves conducted by a hacking group it tracks as UAC-0006, which also used SmokeLoader malware.
2023-10-17 04:16:42 thehackernews CYBERCRIME Actively Exploited Zero-Day Vulnerability Identified in Cisco IOS XE Software
Cisco has warned of a critical, unpatched zero-day vulnerability (CVE-2023-20198) in its IOS XE software that is being actively exploited by an unidentified attacker. The flaw is rooted in the web user interface feature and is rated 10.0 in severity on the CVSS scoring system. It affects enterprise networking gear that has the Web UI feature enabled and exposed to the internet or untrusted networks, on both physical and virtual devices with the HTTP or HTTPS server feature enabled. The flaw allows a remote, unauthenticated attacker to create an account with privileged access and take control of the affected system. Malicious activity was first detected on a customer device in September 2023, when a local user account was created from a suspicious IP address. More unauthorized activity from a different IP address was noted in October 2023, followed by the deployment of a Lua-based implant. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory and added the flaw to its Known Exploited Vulnerabilities catalog. As a mitigation measure, Cisco recommends disabling the HTTP server feature on internet-facing systems. While the implanted backdoor is not persistent, the rogue privileged accounts created by the attacker remain active until removed. The threat actor's identity remains undetermined at this stage.
2023-10-17 03:10:21 theregister MISCELLANEOUS Imminent Changes to Cyber Security Regulations Demand Compliance
Imminent changes to cyber security regulations in the US and Europe require both public and private sector organisations to ensure compliance. The new Securities and Exchange Commission mandate will be enforced from 18 December, making it essential for organisations to report cyber incidents and present a Cyber Report detailing their cyber health. The US Department of Defense (DoD) 8140.3 directive, which will be enforced by February 2024, specifies that anyone working within the DoD must validate their cyber skill set. The European Union NIS II Directive requires critical sector organisations operating in member states to take appropriate security measures and notify the relevant national authorities of serious incidents by 17 October 2024. SANS, a security training company, has put together a Cyber Compliance Countdown event to assist organisations in navigating these new regulations. The event will offer advice on incident response plans, training ahead of the new regulations, and analysing the new cyber security guidelines.
2023-10-16 21:30:10 bleepingcomputer MALWARE Advanced Persistent Threats Now Using Discord for Malicious Activity
Discord has become a hub for malicious activity, including malware distribution, data exfiltration, and theft of authentication tokens. A new report by Trellix reveals that Advanced Persistent Threat (APT) groups have also joined the platform to target critical infrastructure. Malicious actors abuse Discord in three ways: distributing malware through its content delivery network (CDN), modifying the Discord client to steal passwords, and using Discord webhooks to extract data from victims' systems. Over 10,000 malware samples have reportedly used Discord's CDN to deliver second-stage payloads, mainly malware loaders and general loader scripts. Data theft via Discord webhooks has been noted in 17 malware families. Discord's ability to help evade antivirus detection and network monitoring tools, along with its ease of setup and use, has appealed to cybercriminals, making it difficult for the platform to deter misuse. The report also notes that sophisticated threat groups have started using Discord, blending their activity in with everyone else's and making it nearly impossible to track and attribute their actions. One unidentified group has targeted critical infrastructure in Ukraine through spear-phishing. The platform's scale, its encrypted data exchange, and the legitimate function of the abused features make it difficult for Discord to discern malicious activity. Banning suspect accounts doesn't appear to deter the creation of new ones, suggesting the problem may worsen in the future.
2023-10-16 20:13:41 bleepingcomputer CYBERCRIME Kansas State Courts Offline Following Cybersecurity Incident; Court Operations Remain Functional
The IT systems of state courts across Kansas remain offline following a "security incident." Impacted systems include the eFiling system, the electronic payments system, and case management systems. The state's Supreme Court has issued an administrative order confirming that clerk offices in the appellate courts and most district courts (except Johnson County) are offline. Despite these disruptions, the courts remain operational, with submissions currently being made on paper or via fax because electronic filing and payments cannot be accepted. The Kansas Supreme Court has indicated that this measure extends filing deadlines under the applicable rules and statutes. The Office of Judicial Administration is working with experts to investigate the security breach and expects to provide a timeline for system recovery soon. This incident follows another recent alleged cyberattack on the First Judicial Circuit state courts in Northwest Florida by the ALPHV (BlackCat) ransomware gang. Florida court authorities confirmed that operations remain uninterrupted but have yet to verify ALPHV's claims.
2023-10-16 19:12:19 bleepingcomputer CYBERCRIME Hackers Actively Exploit Zero-Day Vulnerability in Royal Elementor Addons and Templates on WordPress
Hackers are actively exploiting a critical vulnerability in Royal Elementor Addons and Templates, a widely used website-building kit for WordPress. The flaw, tracked as CVE-2023-5360 and rated 9.8 "Critical" under CVSS v3.1, allows unauthenticated attackers to upload arbitrary files to vulnerable websites. The attackers are also able to manipulate the allowed file upload list, achieving remote code execution and potentially gaining complete control over a website. WordPress security firms Wordfence and WPScan have recorded thousands of attacks targeting Royal Elementor since August 30, 2023. Most attacks originate from two IP addresses, suggesting that only a few threat actors are aware of the exploit. The vendor of the add-on was informed about the flaw on October 3, 2023, and released an update (version 1.3.79) on October 6, 2023, to patch the vulnerability. Users of vulnerable versions are recommended to update to the latest version as soon as possible and to perform a website cleanup, as the patch does not remove malicious files that were already uploaded.