Daily Brief

2023-09-27 12:02:22 bleepingcomputer CYBERCRIME Hackers Target GitHub Repositories Using Dependabot Impersonation to Steal Data
GitHub accounts are being breached by attackers who insert malicious code disguised as Dependabot contributions, aiming to steal authentication secrets and passwords. Checkmarx discovered the campaign in July 2023, when unusual Dependabot commits were found on several public and private repositories. The attackers obtain personal GitHub access tokens and use them to push fake commits that introduce malicious code for secret exfiltration and password theft. The same tokens were used to add the GitHub Actions workflow file "hook.yml", which triggers on every code push event in the affected repository. Checkmarx suggests the tokens were likely stolen by malware, potentially delivered to developers' machines through a malicious package. Most compromised users are in Indonesia, although it is unclear whether that demographic was specifically targeted. Checkmarx advises GitHub users to switch to fine-grained personal access tokens, which limit permissions and reduce the impact if a token is compromised.
2023-09-27 11:24:52 thehackernews DATA BREACH Corporate Confidence in Data Security Rises, but Threats Persist - New Survey
A survey by WinZip Enterprise found increased confidence in data security among industry professionals. 59% reported no security breach in the past year, while 64% expect no breach in the coming year. Although confidence is high, 21% of surveyed professionals were not confident about avoiding a security breach in the next year, and 41% had experienced a security breach within the last 12 months. Security remains a top priority: 86% of the nearly 500 IT professionals surveyed said security was extremely important to their company. 64% of respondents identified malware and ransomware attacks as their primary concern, and 42% highlighted vulnerabilities in cloud systems. Other threats cited include social engineering, phishing attacks, compromised or stolen security credentials, and weak passwords. Concerns that appear to be severely underestimated include accidental email leaks, weak backup and recovery strategies, and insecure removable media (flash drives). Data security budgets are increasing – 78% of those surveyed plan to significantly or moderately increase their security-related spending. Most organizations spend in the low to mid six figures on data security – 35% reported a budget between $100,000 and $500,000. The growing importance of data security, together with increased adoption of cloud technologies for remote or work-from-anywhere capabilities, is likely contributing to the increased spending.
2023-09-27 08:56:34 thehackernews MALWARE New ZenRAT Malware Targets Windows Users Through Trojanized Bitwarden Password Manager
A new modular remote access trojan (RAT) called ZenRAT is being distributed through fake installer packages for the Bitwarden password manager, deliberately targeting Windows users. The malware is hosted on fake websites that redirect visitors on non-Windows systems to harmless web pages, while Windows users who click the Linux or macOS download links are sent to the legitimate Bitwarden website. The malicious payload, named 'Bitwarden-Installer-version-2023-7-1.exe', is a trojanized version of the standard Bitwarden installer containing a malicious .NET executable known as ApplicationRuntimeMonitor.exe. The malware gathers extensive data about the host, such as CPU and GPU names, browser credentials, and installed applications and security software, and sends it to a command-and-control (C2) server operated by the threat actors. ZenRAT also sends plaintext logs of its system checks and module execution status to its C2 server, indicating that the malware can be extended with additional modules. Users are advised to mitigate such threats by downloading software only from trusted sources and verifying website authenticity. The disclosure of ZenRAT coincides with ongoing campaigns by other malware families such as Lumma Stealer and Stealc.
2023-09-27 05:26:37 thehackernews CYBERCRIME Google Identifies and Rates Maximum Severity Score for Critical libwebp Vulnerability
Google has announced a critical security flaw in the libwebp image library with the maximum severity score of 10.0 on the CVSS (Common Vulnerability Scoring System). The issue is currently under active exploitation. The flaw, tracked as CVE-2023-5129, is rooted in the Huffman coding algorithm: a specially crafted WebP lossless file causes libwebp to write data out of bounds on the heap. The issue appears to be the same underlying problem addressed by Apple, Google, and Mozilla in a recent bug fix. That earlier bug, tracked separately as CVE-2023-41064 and CVE-2023-4863, led to arbitrary code execution. Citizen Lab reports that CVE-2023-41064 was used together with CVE-2023-41061 in a zero-click iMessage exploit chain named BLASTPASS, which deploys the notorious Pegasus mercenary spyware. Even though CVE-2023-4863 was originally marked as a Google Chrome issue, further analysis shows that it affects every application that uses the libwebp library to process WebP images, so its impact is broader than initially thought. Google has broadened its response to CVE-2023-4863 by including fixes for the ChromeOS and ChromeOS Flex Stable channels in software version 15572.50.0. There have also been new disclosures regarding the exploitation of CVE-2023-0266 and CVE-2023-26083 by commercial spyware vendors targeting Android devices in December 2022.
2023-09-26 21:34:01 bleepingcomputer CYBERCRIME Hackers Use ZeroFont Attack to Trick Outlook into Displaying False AV-Scans
A new phishing operation abuses Microsoft Outlook using the ZeroFont technique, making malicious emails appear safe. ZeroFont phishing manipulates the AI and natural language processing (NLP) systems in email security platforms by inserting hidden words or characters into emails: they are invisible to the human recipient but are read by the NLP algorithms. This technique, first documented in 2018, can skew the AI's interpretation of the content and the result of security checks. In a recent example, an attacker used ZeroFont to manipulate message previews in Microsoft Outlook, so that the email list displays a different message than the preview pane. The listing shows a bogus safety scan result, which instills a false sense of legitimacy and security in the recipient and increases the likelihood that they open and engage with the email. Other email clients may also be vulnerable to this type of attack; Outlook is just a known example. Users of all email clients should remain vigilant.
2023-09-26 20:01:17 bleepingcomputer CYBERCRIME Sony Probing Potential Cyberattack as Multiple Hackers Claim Responsibility
Sony has started investigating allegations of a cyberattack after two different hacker groups claimed responsibility for the same attack. The extortion group RansomedVC initially claimed to have hacked Sony and extracted 260GB of its data, which it is attempting to sell for $2.5 million. A different threat actor named 'MajorNelson', on the other hand, claims it was responsible for the attack and has outright denied RansomedVC's claims. MajorNelson has leaked a 2.4GB compressed archive containing an array of credentials and data files that it alleges belong to Sony. The shared data does seem to belong to Sony, although the authenticity of either group's claims remains unverified. The situation is complicated by both groups vying for 'credit' for the hack. Still, it is clear that Sony has experienced a significant data leak and is investigating these claims further. This alleged cyberattack follows Sony's previous encounter with a major breach in 2014, when North Korean hackers targeted Sony Pictures.
2023-09-26 19:08:42 bleepingcomputer DATA BREACH Sony Allegedly Suffers Data Breach as Hackers Quarrel Over Responsibility
Sony is investigating allegations of a cyberattack this week, with claims of responsibility coming from different hacker groups, including RansomedVC and another called MajorNelson. Over 3.14 GB of uncompressed data purportedly belonging to Sony has been leaked on hacker forums. RansomedVC initially claimed responsibility for hacking SONY.com, stating it had compromised the company's systems and intended to sell the stolen data; the group claimed to have stolen about 260GB of data and attempted to sell it for around $2.5 million. MajorNelson also claimed responsibility for the attack, stating it had "leaked for free" a 2.4 GB compressed file containing data allegedly from Sony. MajorNelson also discredited RansomedVC's claims, accusing the group of lying to gain influence. Neither group's claim could be independently verified, and it remains unclear who is responsible for the purported attack.
2023-09-26 17:04:45 theregister CYBERCRIME Red Hat Engineer Unveils Marvin Attack, Exposes Vulnerabilities in RSA Encryption
Engineer Hubert Kario of Red Hat has discovered vulnerabilities in 25-year-old RSA public-key cryptography and named the attack Marvin. He found that some software using the PKCS#1 v1.5 padding scheme for RSA key exchange, once thought to be safe from Daniel Bleichenbacher's previously identified 'Oracle Threat', is actually susceptible. By measuring how long it takes to process specifically crafted RSA ciphertexts, an attacker can decrypt the target plaintext message and forge digital signatures. Attack times vary drastically depending on the hardware and software in use, as well as the attacker's level of access. The vulnerability in the M2Crypto library was reported in October 2020 and partially fixed, but the library is believed to remain susceptible. Kario's recommendation is to stop using the vulnerable RSA PKCS#1 v1.5 encryption, as most modern systems rely on Elliptic Curve Diffie-Hellman instead. His research highlights a wider concern: any implementation built on a general-purpose integer library, including OpenSSL's BIGNUM, NSS's MPI, Java's BigInteger, Python's int, Rust's apint, GNU MP's mpz_t, Go's math/big Int, and others, may face similar issues.
2023-09-26 17:04:45 thehackernews MISCELLANEOUS Microsoft Rolls Out Passkeys in Windows 11 OS Update
Microsoft has officially introduced support for passkeys in Windows 11. The feature offers password-free login to websites and applications using either a device PIN or biometric data. Passkeys, first announced in May 2022, are based on the FIDO standards, which are both strong and resistant to phishing, and have also been adopted by other companies such as Apple and Google. Microsoft initially added passkey management in June 2023 via the Windows Insider program; with this release the feature is now generally available. On Windows, passkeys are created through Windows Hello, and users can manage their saved passkeys via Start > Settings > Accounts > Passkeys. Alongside passkeys, Microsoft is also bringing Windows Hello for Business to enterprise-managed Windows 11 devices, which protects user profiles by letting IT teams establish a policy for Microsoft Entra ID-connected machines. Other new features include enhancements to the Windows Firewall and a new Custom App Control option to ensure that only approved and trusted applications are allowed to run on devices, protecting endpoints from malicious code.
2023-09-26 17:01:06 bleepingcomputer CYBERCRIME Microsoft Windows 11 Update Introduces Built-in Passkey Manager to Mitigate Phishing Attacks
Microsoft's new Windows 11 update includes security improvements aimed at increasing online protection for users. A key feature is the passkeys management dashboard, designed to streamline going passwordless; passkeys are bound to specific devices, which helps defend against data breaches. Passkeys authenticate with facial recognition, a PIN, or a fingerprint rather than a traditional password, making them much harder for threat actors to steal through phishing. The need for stronger security measures is underscored by Microsoft's internal data, which shows a three-fold increase in phishing attacks targeting user credentials since last year, totalling over 4,000 incidents every second. Also included in the update are tools for IT administrators: a new policy to block passwords across all Azure AD-joined enterprise devices, Config Refresh to automatically revert all policies to a secure default state, and App Control for Business to ensure only trusted apps are running. These moves reflect an industry trend towards stronger digital security, with tech giants such as Apple and Google also backing passkeys and Web Authentication credentials.
2023-09-26 15:58:54 thehackernews CYBERCRIME ShadowSyndicate: New Cybercrime Group Linked to Multiple Ransomware Families
A new cybercrime group named ShadowSyndicate, also known as Infra Storm, has emerged and is believed to be associated with seven different ransomware families. The group has been active since July 16, 2022. Cybersecurity firms Group-IB and Bridewell published the findings, noting that the group is linked to ransomware activity involving the Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains. ShadowSyndicate was identified by a distinct SSH fingerprint found on 85 servers, 52 of which were used as Cobalt Strike command-and-control servers; the majority of these servers are located in Panama. The group has also shown links to the TrickBot, Ryuk/Conti, FIN7, and TrueBot malware operations. Separately, German law enforcement conducted a second successful strike against actors connected with the DoppelPaymer ransomware group, arresting two key suspects in Germany and Ukraine. Reports indicate that ransomware groups are continuously developing new extortion methods, making 2023 the second most profitable year after 2021. The rise in ransomware attacks has corresponded with a 12% increase in cyber insurance claims in the first half of the year, with an average loss exceeding $365,000.
2023-09-26 15:55:18 bleepingcomputer CYBERCRIME Google Reclassifies libwebp Zero-Day Bug as Critical Vulnerability
Google has assigned a critical severity rating of 10/10 to a libwebp security vulnerability (CVE-2023-5129) that was formerly tagged as a Chrome bug (CVE-2023-4863). The vulnerability was initially reported by Apple Security Engineering and Architecture and the Citizen Lab at the University of Toronto, and was patched by Google within a week. The flaw is a heap buffer overflow in WebP, affecting Google Chrome versions before 116.0.5845.187, that allows attackers to perform out-of-bounds memory writes using specially crafted HTML pages. Located in the Huffman coding algorithm that libwebp uses for lossless compression, it can have severe consequences, including crashes, arbitrary code execution, and unauthorized access to sensitive information. The reclassification as a libwebp vulnerability is significant because, while the bug was tagged as a Chrome issue, it was not initially recognized as a security risk for the numerous other projects that use libwebp, including 1Password, Signal, Safari, Mozilla Firefox, Microsoft Edge, Opera, and native Android web browsers. Prompt action to address this vulnerability across these platforms is crucial to protect user data.
2023-09-26 15:36:20 bleepingcomputer CYBERCRIME New APT Group 'AtlasCross' Uses Sophisticated Phishing Attacks Disguised as American Red Cross
AtlasCross, a new Advanced Persistent Threat (APT) group, has been discovered launching sophisticated phishing attacks that impersonate the American Red Cross to deliver backdoor malware. Cybersecurity firm NSFocus identified two previously unknown trojans, DangerAds and AtlasAgent, associated with AtlasCross attacks. AtlasCross lures victims with phishing emails impersonating the American Red Cross and uses a macro-enabled Word document to deliver its malware. The group's origin remains undisclosed, owing to its sophisticated and evasive tradecraft, which has raised concern among cybersecurity researchers. The DangerAds trojan acts as a loader for AtlasAgent, a custom C++ malware that can execute additional shellcode, launch programs, download files from the attackers' servers, and collect host and process details. Despite NSFocus' report, AtlasCross remains a largely unknown threat with unclear motivations and selective targeting, which suggests it may have operated undetected for some time.
2023-09-26 14:34:08 theregister DATA BREACH Cybercriminals Exploit MOVEit Vulnerability to Breach 3.4 Million Child Health Records in Ontario's BORN
The Better Outcomes Registry & Network (BORN) in Canada has reported a data breach of 3.4 million child health records, potentially affecting anyone who received pregnancy care or had a child born in Ontario between January 2010 and May 2023. Files containing personal health information were copied without authorization through a vulnerability in the MOVEit file transfer platform developed by Progress Software. After discovering the incident on May 31, BORN isolated the affected server, stopped using the MOVEit software, and notified authorities. Over 2,000 organizations and more than 60 million individuals have reportedly been affected by unpatched MOVEit installations, with the US the most impacted (88.8% of known victims), followed by Canada (4.7%), Germany (1.7%), and the UK (1%). The affected data included names, addresses, postal codes, birth data, and health card numbers; however, patient financial information, social insurance numbers, health card details, and email addresses were not exposed. The ransomware group Cl0p has claimed responsibility for the attack. BORN is continuing to monitor for fraudulent misuse of the breached data and has taken further security measures to prevent a similar incident in the future.
2023-09-26 14:20:58 bleepingcomputer CYBERCRIME Hackers Exploiting High Severity Flaw in Openfire Servers for Ransomware and Crypto Mining Attacks
Hackers are exploiting a high-severity vulnerability, tracked as CVE-2023-32315, in Openfire messaging servers to encrypt the servers with ransomware and deploy cryptominers. The flaw is an authentication bypass in Openfire's administration console that allows unauthenticated attackers to create new admin accounts on vulnerable servers and install malicious Java plugins. It affects Openfire versions 3.10.0 through 4.6.7 and 4.7.0 through 4.7.4; despite being fixed in May 2023 with the release of versions 4.6.8, 4.7.5, and 4.8.0, over 3,000 Openfire servers were still running a vulnerable version by mid-August 2023. Attackers exploit the flaw by creating new admin users and logging in to install a malicious JAR plugin that can execute arbitrary commands; Dr. Web observed the first case of active exploitation in June 2023. The attackers are using the Openfire flaw to run crypto-mining operations, backdoor the servers, or extract sensitive information about the compromised server. An unidentified ransomware that appends the .locked1 extension has also been reported, with ransom demands ranging from 0.09 to 0.12 bitcoin ($2,300 to $3,500). Security experts therefore urge administrators to install all available security updates for their servers promptly.