Daily Brief

Articles are listed below with generated summaries

Total articles found: 12589

Checks for new stories every ~15 minutes

2023-10-03 14:57:51 bleepingcomputer MALWARE Microsoft Rolls Out Emergency Security Updates for Zero-Day Vulnerabilities in Open-Source Libraries
Microsoft has released emergency security updates for two vulnerabilities in open-source libraries bundled with Edge, Teams and Skype. The first, CVE-2023-4863, is a heap buffer overflow in the WebP image library (libwebp) that can crash the application or allow arbitrary code execution. The second, CVE-2023-5217, is a similar heap buffer overflow in VP8 encoding in the libvpx video codec library, with the same crash or code-execution outcome. Only a limited set of Microsoft products is affected: Edge, Teams for Desktop, Skype for Desktop and the Webp Image Extensions Store app were patched for CVE-2023-4863, and only Edge for CVE-2023-5217. Both flaws have been exploited in the wild; in at least one case CVE-2023-5217 was used to deliver Cytrox's Predator spyware. The fix for Webp Image Extensions arrives automatically through the Microsoft Store, but not on systems where automatic Store updates are disabled, so those need a manual update. Details of the attacks exploiting CVE-2023-4863 have not been published, but both bugs were reported by reliable sources including Google's Threat Analysis Group and Citizen Lab, whose work regularly surfaces zero-days used in targeted spyware operations.
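An added triage helper, not code from the article, Microsoft or the libwebp project: browsers and image pipelines sniff image content rather than trusting the file extension, so a WebP delivered as .png or .jpg still reaches libwebp. The check below identifies WebP by its RIFF/WEBP header and lists the codec chunks (lossy VP8, lossless VP8L, extended VP8X), so attachments and cache contents can be inventoried after CVE-2023-4863. The sample byte strings are constructed container framing with dummy payloads, not real images.

```python
"""Identify WebP files by content, not extension, and report their codec chunks.

Added example for triage; not code from the article or from libwebp.
The samples are constructed: valid RIFF framing around dummy payloads.
"""
import struct


def _chunk(fourcc, payload):
    """Build one RIFF chunk: FourCC, little-endian u32 size, payload, pad to even."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff_webp(chunks):
    """Wrap chunks in a RIFF/WEBP container with a correct size field."""
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples (not decodable images, just container structure).
SAMPLE_LOSSLESS = _riff_webp([_chunk(b"VP8L", b"\x2f" + b"\x00" * 9)])
SAMPLE_EXTENDED = _riff_webp([
    _chunk(b"VP8X", b"\x00" * 10),
    _chunk(b"ICCP", b"\x01" * 3),   # odd length: exercises the pad byte
    _chunk(b"VP8 ", b"\x00" * 11),
])
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def parse_webp(data):
    """Return a dict describing a WebP container, or None if `data` is not WebP.

    Layout: 'RIFF' <u32 size> 'WEBP' then chunks of <FourCC> <u32 size> <payload>,
    each payload padded to an even length. The RIFF size counts everything after
    the first 8 bytes.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack_from("<I", data, 4)[0]
    declared_total = riff_size + 8
    end = min(len(data), declared_total)   # ignore trailing junk past the RIFF
    chunks, offset, truncated = [], 12, False
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4].decode("latin-1")
        size = struct.unpack_from("<I", data, offset + 4)[0]
        chunks.append((fourcc, size))
        if offset + 8 + size > end:
            truncated = True               # chunk claims more bytes than we have
            break
        offset += 8 + size + (size & 1)
    fourccs = [c[0] for c in chunks]
    codec = "VP8L" if "VP8L" in fourccs else ("VP8" if "VP8 " in fourccs else None)
    return {
        "chunks": chunks,
        "codec": codec,
        "lossless": codec == "VP8L",
        "extended": "VP8X" in fourccs,
        "animated": "ANIM" in fourccs,
        "truncated": truncated or declared_total > len(data),
        "trailing_bytes": max(0, len(data) - declared_total),
    }


def mislabeled_webp(filename, data):
    """True when the bytes are WebP but the name claims another format."""
    return parse_webp(data) is not None and not filename.lower().endswith(".webp")
```

Run it over a mail quarantine or a browser cache directory and group by the codec field; a file whose name says PNG but whose bytes say RIFF/WEBP is exactly the case an extension-based inventory misses.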
2023-10-03 13:00:39 bleepingcomputer CYBERCRIME EvilProxy Targets Microsoft 365 Accounts in Phishing Campaign Leveraging Indeed.com Redirects
Cybercriminals are targeting the Microsoft 365 accounts of senior executives at US organizations by abusing an open redirect on the job listing site indeed.com. The campaign uses the EvilProxy phishing-as-a-service platform, a reverse proxy that sits between the victim and the real Microsoft login page and captures the session cookie issued after authentication, so multi-factor authentication is completed by the victim and then bypassed by the attacker. Targets are executives and high-ranking employees in electronics manufacturing, banking, real estate, insurance and property management. The lure is a link on the legitimate indeed.com domain whose redirect sends the victim on to the EvilProxy site impersonating Microsoft's login page; because the proxy relays the genuine page, the victim sees a working login, and the operators walk away with valid authentication cookies and full account access. Menlo Security identified several artifacts in the attack chain that tie it to EvilProxy. Combining a reverse-proxy kit with an open redirect on a trusted domain raises phishing success rates, as the previous EvilProxy campaign in August 2023 showed.
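The open-redirect-plus-reverse-proxy chain above can be caught at the mail gateway or in proxy logs with a structural check: a link on a trusted domain whose query string carries a URL to some other registrable domain. The code below is an added example, not code from the article or from Menlo Security; the hosts and links are constructed (jobs.example stands in for the abused job site), and the two-label registrable-domain heuristic is an approximation that a public-suffix library would do properly.

```python
"""Flag links whose query string carries an off-site URL (open-redirect lures).

Added example; not code from the article or from Menlo Security.
Hosts, parameter names and sample links are constructed.
"""
from urllib.parse import urlparse, parse_qsl, unquote


def _registrable(host):
    """Approximate the registrable domain as the last two labels.
    Good enough here; suffixes such as co.uk need a public-suffix library."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _url_in_value(value, max_decodes=2):
    """Return a parsed absolute or protocol-relative URL hidden in a query value,
    peeling up to `max_decodes` extra layers of percent-encoding (attackers often
    double-encode the target), or None if the value is not a URL."""
    current = value
    for _ in range(max_decodes + 1):
        try:
            parsed = urlparse(current)
            host = parsed.hostname
        except ValueError:        # malformed netloc such as an unclosed IPv6 bracket
            return None
        if parsed.scheme in ("", "http", "https") and host:
            return parsed
        decoded = unquote(current)
        if decoded == current:
            return None
        current = decoded
    return None


def find_open_redirect(link):
    """Return (param_name, external_host) for the first query parameter that points
    to a different registrable domain than the link itself, else None."""
    try:
        parsed = urlparse(link)
        site_host = parsed.hostname
    except ValueError:
        return None
    if not site_host:
        return None
    site = _registrable(site_host)
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        target = _url_in_value(value)
        if target is not None and _registrable(target.hostname) != site:
            return (name, target.hostname)
    return None


def triage(links):
    """Map each suspicious link to its (param, external_host) finding."""
    findings = {}
    for link in links:
        hit = find_open_redirect(link)
        if hit:
            findings[link] = hit
    return findings


# Constructed sample links on made-up hosts; not real job-site URLs.
SAMPLE_LINKS = [
    "https://www.jobs.example/rc/clk?jk=abc&url=https%3A%2F%2Flogin-micros0ft.example%2Fo365",
    "https://www.jobs.example/viewjob?next=https://help.jobs.example/faq",      # same site: benign
    "https://www.jobs.example/rc/clk?u=https%253A%252F%252Fevil.example%252F",   # double-encoded
    "https://www.jobs.example/go?to=//evil.example/x",                          # protocol-relative
    "https://www.jobs.example/viewjob?jk=123&from=serp",                        # no URL in query
]
```

The check deliberately ignores parameter names: sites differ in what they call the redirect parameter, and the attacker uses whatever the site has. Its blind spot is a redirect target supplied without a scheme or leading slashes (a bare host name), which this heuristic cannot distinguish from ordinary text.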
2023-10-03 12:04:02 theregister CYBERCRIME CISA Includes Recently Exploited Chrome Zero-Day Vulnerability in Known Exploit Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a recently exploited Google Chrome zero-day to its Known Exploited Vulnerabilities (KEV) catalog. The bug, CVE-2023-5217, is a heap buffer overflow in VP8 encoding in the libvpx library; Google has patched it and it carries a CVSS v3 score of 8.8. Federal Civilian Executive Branch (FCEB) agencies have until October 23 to apply the vendor fixes. CISA said the flaw poses a significant risk to the federal enterprise and urged all organizations to remediate promptly. Google has withheld technical details, but the bug is known to be triggerable through a specially crafted HTML page carrying a VP8 media stream, leading to a crash or arbitrary code execution. The exposure extends well beyond Chrome: Microsoft's Chromium-based Edge, certain versions of Microsoft Teams and Skype, and 29 open-source packages that depend on libvpx are also affected. It is the second Chrome zero-day in a shared media library in a matter of weeks, after the libwebp bug CVE-2023-4863, which underscores how widely a single library flaw propagates across popular applications. The KEV deadline binds only FCEB agencies, but every organization is encouraged to patch as soon as possible.
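An added example, not code from the article or from CISA: CISA publishes the KEV catalog as a JSON feed, and the helper below reads entries in that shape and ranks them by remediation due date, so a patch queue can be ordered by the BOD 22-01 deadline rather than by CVSS alone. Field names follow the published feed; the single entry is constructed for illustration (its due date is the October 23 date from the article; its dateAdded, product and description strings are assumed, not CISA's wording).

```python
"""Rank KEV catalog entries by remediation due date and match them to an inventory.

Added example; not code from the article or from CISA. The sample entry is
constructed in the shape of the KEV JSON feed.
"""
import json
from datetime import date

# Constructed sample: field names follow the KEV feed, text is paraphrased.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-5217",
            "vendorProject": "Google",
            "product": "Chromium libvpx",                 # assumed product string
            "vulnerabilityName": "Google Chromium libvpx Heap Buffer Overflow Vulnerability",
            "dateAdded": "2023-10-02",                     # assumed
            "shortDescription": "Heap buffer overflow in VP8 encoding in libvpx, "
                                "reachable via a crafted HTML page.",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2023-10-23",                       # deadline named in the article
            "knownRansomwareCampaignUse": "Unknown",
        }
    ],
})


def parse_kev(text):
    """Return the list of catalog entries from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def deadline_report(entries, today, horizon_days=14):
    """Entries due within `horizon_days` of `today`, or already past due, as
    (cveID, dueDate, days_left) sorted soonest first; negative means overdue."""
    report = []
    for entry in entries:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left <= horizon_days:
            report.append((entry["cveID"], entry["dueDate"], days_left))
    return sorted(report, key=lambda row: row[2])


def overdue(entries, today):
    """Entries whose due date has already passed."""
    return [row for row in deadline_report(entries, today, horizon_days=10 ** 6) if row[2] < 0]


def in_inventory(entries, inventory_terms):
    """CVE IDs whose vendor/product text mentions any lowercase term from the list
    of products an organization runs; a crude first pass for relevance."""
    hits = []
    for entry in entries:
        haystack = (entry["vendorProject"] + " " + entry["product"]).lower()
        if any(term in haystack for term in inventory_terms):
            hits.append(entry["cveID"])
    return hits
```

Swap the constructed JSON for the downloaded feed and pass `date.today()`; the inventory match is string-based on purpose, since KEV product names are free text and a CPE-exact join would miss entries such as a bundled library.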
2023-10-03 12:04:02 thehackernews CYBERCRIME Rising Concern Over API Breaches and Security Measures Needed
The article highlights the rising number of API (Application Programming Interface) breaches, now a major concern as organizations depend ever more heavily on APIs. The surge is driven largely by inadequate security practices on the part of developers and organizations, with many APIs deployed with weak or no protection and left exposed to attack. The consequences are severe for businesses and customers alike: businesses face financial losses from legal liability, reputational damage and service disruption after a breach, while customers risk exposure of personal information that leads to identity theft and other fraud. Despite this, many organizations rely on existing infrastructure such as API gateways and web application firewalls (WAFs) for protection; these controls help, but on their own they leave gaps, not least because they cannot protect APIs nobody has inventoried or tell which ones return sensitive data. The report "API Security Trends 2023" surveyed over 600 CIOs, CISOs, CTOs and security professionals across six industries in the US and UK. It found that 78% of cybersecurity teams had experienced an API-related security incident in the previous 12 months; that while 72% of respondents claim a full inventory of their APIs, only 40% have visibility into which of them return sensitive data; and that 81% now consider API security a higher priority than a year earlier.
2023-10-03 11:48:32 thehackernews MISCELLANEOUS Importance of Security Configuration Assessments in Cybersecurity Posture
Security Configuration Assessments (SCA) are a core part of maintaining a secure IT environment and reducing the risk of compromise. An SCA checks the configuration of IT assets against an established baseline, such as the CIS Benchmarks, or the control requirements of frameworks and regulations such as NIST, GDPR and HIPAA, and reports the misconfigurations and weaknesses a threat actor could exploit. Run regularly, SCAs help organizations meet regulatory requirements, find and correct exceptions to policy, and build customer and stakeholder trust. They give a concrete view of current security posture and of the changes needed to bring systems back to a secure baseline: adjusting settings, patching vulnerabilities or disabling unnecessary services. The open-source Wazuh platform ships an SCA module that scans endpoints for misconfigurations and recommends remediation, supporting attack surface management and posture improvement. Well-documented, regularly verified configuration baselines also speed up incident recovery, because responders can tell what changed and rebuild to a known-good state.
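As an added example of what an SCA check actually evaluates (not code from the article or from the Wazuh project), the script below parses an OpenSSH server configuration the way sshd reads it, first value wins and directives after the first Match block do not apply globally, then compares the effective settings with a small CIS-style baseline and reports each rule as pass or fail with the observed value. The baseline, the defaults table (OpenSSH 8.x/9.x defaults, an assumption for this illustration) and the sample configuration are constructed; a real benchmark carries many more checks.

```python
"""Evaluate an sshd_config against a small hardening baseline, SCA-style.

Added example; not code from the article or from Wazuh. Baseline, defaults
and the sample configuration are constructed for illustration.
"""
import re

# (directive, expected value, rationale). Constructed CIS-style subset.
BASELINE = [
    ("PermitRootLogin", "no", "root logs in via a named account and escalates"),
    ("PasswordAuthentication", "no", "keys only; removes password spraying"),
    ("PermitEmptyPasswords", "no", "never accept blank passwords"),
    ("X11Forwarding", "no", "reduce attack surface"),
    ("MaxAuthTries", "4", "limit guesses per connection"),
    ("LogLevel", "VERBOSE", "record key fingerprints for forensics"),
]

# Values sshd applies when a directive is absent (assumption: OpenSSH 8.x/9.x).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# Constructed sample, not from a real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
PermitRootLogin no   # ignored by sshd: the first value wins
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return {directive_lower: value} for the effective global settings.

    sshd keeps the first occurrence of each directive and treats everything
    after the first Match line as conditional, so we stop there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if key not in settings:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def evaluate(text):
    """Return [(directive, 'pass'|'fail', observed_value, rationale)] for BASELINE.
    Absent directives are judged by the sshd default they fall back to."""
    settings = parse_sshd_config(text)
    results = []
    for directive, expected, why in BASELINE:
        key = directive.lower()
        observed = settings.get(key, DEFAULTS[key])
        status = "pass" if observed.lower() == expected.lower() else "fail"
        results.append((directive, status, observed, why))
    return results


def failures(text):
    """Only the failing rules, the part an operator actually acts on."""
    return [r for r in evaluate(text) if r[1] == "fail"]
```

The two failures the sample produces are instructive: PermitRootLogin fails even though a compliant line exists, because sshd honours the earlier "yes", and PasswordAuthentication fails although the file never enables it, because the only line is commented out and the default is "yes". A check that grepped for the string "PasswordAuthentication no" would have passed both.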
2023-10-03 10:10:50 theregister CYBERCRIME Crypto Co-Founder Arrested, Philippine Health Services Recovers from Ransomware Attack, and China Eases Data Export Laws
Zhu Su, co-founder of the collapsed crypto firm Three Arrows Capital (3AC), was arrested at Singapore's Changi Airport for failing to cooperate with investigations into the firm's collapse; the Monetary Authority of Singapore had earlier issued nine-year prohibition orders against the 3AC founders for lapses in risk management. The Philippine Health Insurance Corporation (PhilHealth) is back online after a ransomware attack claimed by the Medusa gang; the attackers demanded $100,000 to extend their deadline and $300,000 to delete stolen data, but PhilHealth, following government policy, did not pay. China's cyberspace regulator is considering relaxing some rules on cross-border data transfers: if approved, companies exporting 'important' or 'personal' data would, under specific conditions, no longer need a security assessment from the Cyberspace Administration of China. Taiwanese iPhone assembler Pegatron briefly shut a plant after a fire, reporting no significant financial or operational impact. Taiwan unveiled its first domestically built submarine as part of the navy's 'asymmetric warfare' strategy. Singapore-based superapp Grab will close its GrabInvest service after judging it not commercially viable. South Korean president Yoon Suk Yeol warned that misuse of digital technologies and AI could threaten liberal democracy and said the country's forthcoming Digital Bill of Rights will address this.
2023-10-03 10:10:49 thehackernews CYBERCRIME Security Flaw in Arm's Mali GPU Kernel Driver Exploited, Patches Issued
Arm has issued security patches for a vulnerability in its Mali GPU Kernel Driver that is being actively exploited. The flaw, tracked as CVE-2023-4211, is a use-after-free: improper GPU memory processing operations let a local, non-privileged user gain access to already freed memory. Fixes are in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. Google's Threat Analysis Group and Project Zero discovered the flaw, and the Android Security Bulletin for October 2023 also lists CVE-2023-4211 as under limited, targeted exploitation. The specifics of the attacks are unclear, but the bug may have been weaponized in a spyware campaign against high-risk individuals. Arm also resolved two other Mali GPU Kernel Driver flaws that allow improper GPU memory processing operations. This is not the first time Mali driver bugs have been exploited: earlier this year a spyware vendor abused a similar vulnerability to compromise Samsung devices.
2023-10-03 10:10:49 thehackernews CYBERCRIME Researcher Identifies Vulnerabilities in Cloudflare's Firewall and DDoS protection Mechanisms
A report from the consultancy Certitude describes how Cloudflare's firewall and DDoS protections can be bypassed by abusing the implicit trust Cloudflare places in traffic from its own infrastructure, regardless of which tenant that traffic belongs to. The first issue concerns Authenticated Origin Pulls configured with the shared Cloudflare certificate: that certificate proves only that a request came through Cloudflare, not through the victim's own Cloudflare zone, so an attacker with a Cloudflare account can point their own zone at the victim's origin and have Cloudflare relay requests to it, with the victim's WAF rules and rate limits never applied. The second issue is the common practice of allowlisting Cloudflare's IP ranges at the origin, which has the same weakness, since any tenant's traffic arrives from those ranges and can carry malicious input to the origin. In response, Cloudflare added an explicit warning to its documentation recommending that Authenticated Origin Pulls be set up with a customer-managed certificate rather than the shared one, so the origin accepts only requests proxied through the customer's own zone. The report also highlights how attackers can take over 'dangling' DNS records to hijack subdomains of organizations across sectors, enabling malware distribution, disinformation campaigns and phishing. These cases reflect increasingly sophisticated adversary tradecraft, including dynamically seeded domain generation algorithms (DGA) that complicate analysis, evade detection and extend the life of command-and-control (C2) channels. Experts recommend proactive blocklisting of likely botnet infrastructure and consistent bailiwick checks in DNS resolvers to counter these evolving threats.
2023-10-03 10:10:49 bleepingcomputer MISCELLANEOUS Microsoft Defender Reverses False Positives on Tor Browser
Recent versions of the Tor Browser were wrongly flagged as malware by Microsoft Defender because of the updated tor.exe binary they contained. The alert, which warned of a possible trojan, caused confusion among users before it was confirmed to be a false positive. After the Tor Project reported the issue, Microsoft responded: "We've reviewed the submitted files and have determined that they do not fit our definitions of malware or unwanted applications. As such, we've removed the detection." Microsoft also gave instructions for users still seeing the detection to update their definitions and clear the earlier flags. Some users criticized the project for not checking the release against VirusTotal.com, which scans uploaded files with many third-party engines; a Tor representative said the project has no standing procedure for submitting files to VirusTotal before release. As a security measure, users are advised to verify the signature of the Tor Browser download before installing it.
2023-10-02 21:55:09 bleepingcomputer CYBERCRIME Exim Releases Patches for Three Zero-Day Vulnerabilities
The developers of Exim, a widely deployed open-source mail transfer agent, have released patches for three of the six zero-day vulnerabilities disclosed through Trend Micro's Zero Day Initiative (ZDI). The most severe, CVE-2023-42115, is an out-of-bounds write in the SMTP service that could let an unauthenticated remote attacker execute code; the advisory attributes it to missing validation of user-supplied data, which allows a write past the end of a buffer. The other two fixes cover an RCE bug (CVE-2023-42116) and an information disclosure vulnerability (CVE-2023-42114). Although ZDI rated the most severe flaws 9.8/10, Exim's maintainers described them as not 'world-ending catastrophes', noting that exploiting CVE-2023-42115 requires the target server to use the EXTERNAL authenticator. watchTowr Labs' analysis agreed that these zero-days "require a very specific environment to be accessible". So while some 3.5 million Exim servers are exposed online, the number actually vulnerable is likely much lower.
2023-10-02 21:34:38 theregister CYBERCRIME FBI Warning about 'Emerging' Ransomware Trends Discordant with Industry Analysis
The Federal Bureau of Investigation (FBI) issued an alert on September 27 about 'emerging' ransomware trends, and industry analysts have questioned how current it is. The alert highlights two trends: dual ransomware attacks, in which a victim is hit with two distinct strains, usually by the same group and typically within 48 hours, involving families such as AvosLocker, Diamond, LockBit, Quantum and Royal; and data-destruction tactics, in which the malware wipes files to increase pressure on victims. Practitioners contest the 'new' label. Emsisoft flagged multi-strain attacks two years ago, and other industry veterans point to repeat attacks by the same criminals, attributing the pattern partly to the evolution of ransomware-as-a-service operations. The shift towards network disruption and threats of further attacks, known as triple extortion, is also well-trodden ground that analysts have warned about since 2021. The consensus is that the FBI's alert lags the rapidly evolving ransomware landscape.
2023-10-02 20:17:25 bleepingcomputer CYBERCRIME Actively Exploited Flaws Found in Arm's Mali GPU Drivers
Arm has warned of an actively exploited vulnerability in its widely used Mali GPU drivers, tracked as CVE-2023-4211 and discovered by Google's Threat Analysis Group and Project Zero. Improper GPU memory processing operations allow a local non-privileged user to access already freed memory, which can be used to alter or read sensitive data. Arm says there is evidence of limited, targeted exploitation. Midgard, Bifrost and Valhall series drivers are affected, covering devices introduced between 2013 and 2019, including popular models such as the Samsung Galaxy S20/S20 FE and OnePlus Nord 2. The fix for Bifrost, Valhall and the Arm 5th Gen GPU architecture shipped in kernel driver r43p0 on March 24, 2023; the unsupported Midgard line is unlikely to be patched. Because device makers and chip vendors integrate driver updates on their own schedules, some users will receive the fix long before others. Arm also disclosed two further flaws, CVE-2023-33200 and CVE-2023-34970, in which a race condition lets improper GPU operations reach freed memory; the recommended upgrade targets are r44p1 and r45p0, released on September 15, 2023. All three require local access to the device, which attackers typically gain by getting a malicious app onto it, for example via a download from an unofficial source.
2023-10-02 20:17:25 bleepingcomputer CYBERCRIME Critical Remote Code Execution Vulnerability Discovered in WS_FTP Server, Exploit Available
Security researchers have disclosed a critical remote code execution vulnerability, CVE-2023-40044, in Progress Software's WS_FTP Server file transfer platform. The flaw is a .NET deserialization bug in the Ad Hoc Transfer module that lets an attacker execute commands on the underlying operating system. Roughly 2,900 internet-exposed hosts run WS_FTP Server, many belonging to large enterprises, governments and educational institutions. Rapid7 observed active exploitation shortly after a proof-of-concept exploit was published. Progress Software has released a security update and urges all WS_FTP Server customers to apply it immediately; where patching cannot happen right away, disabling the Ad Hoc Transfer module is the recommended mitigation, since it removes the vulnerable component from the attack surface. The US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has also warned Healthcare and Public Health sector organizations to update their servers as soon as possible.
2023-10-02 20:17:25 bleepingcomputer CYBERCRIME Ransomware Gangs Exploit Critical Vulnerability in JetBrains' TeamCity Systems
Ransomware groups are exploiting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw, CVE-2023-42793 (CVSS 9.8/10), lets an unauthenticated attacker execute code remotely with no user interaction. TeamCity 2023.05.4, released on September 21, fixes it; every earlier version is affected, whether installed on Windows, Linux or macOS or run in Docker. Threat intelligence firms GreyNoise and PRODAFT have confirmed that multiple ransomware operations are using the exploit to breach TeamCity servers, and the Shadowserver Foundation, a nonprofit internet security organization, has identified at least 1,240 unpatched servers still exposed. TeamCity is used by more than 30,000 organizations worldwide, including Citibank, Ubisoft, HP, Nike and Ferrari, and a compromised build server gives attackers a path into source code and downstream deployments, which makes these systems a high-value target.
2023-10-02 20:17:25 bleepingcomputer MALWARE New Malware-as-a-service 'BunnyLoader' Poses Growing Threat
A new malware-as-a-service offering called 'BunnyLoader' has surfaced; among its features it can read and replace the contents of the system clipboard, the classic clipper technique used to redirect cryptocurrency payments. The loader is under rapid development, with new features and bug fixes added regularly. It can download and execute payloads, log keystrokes, steal sensitive data and cryptocurrency, and run remote commands. Zscaler researchers say it is gaining traction among cybercriminals because of its rich feature set and low price. It also includes detection-evasion capabilities and installs, hides and registers itself for persistence on the victim's device. BunnyLoader harvests browser-stored data, including passwords and credit card details, as well as data from cryptocurrency wallets, VPN clients and messaging apps, compresses the loot into a ZIP archive and exfiltrates it to the operator's command-and-control server. Its low price and fast development cycle make it an appealing choice for criminals looking for a new loader, so the threat is expected to grow.