Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12587
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-25 11:20:22 | thehackernews | CYBERCRIME | The Rising Threat of Credential Stuffing Attacks: A Call for Stronger Password Policies | Weak password policies are leaving organizations vulnerable to attacks and almost 83% of compromised passwords would meet the password complexity and length requirements of compliance standards.
Stolen credentials are traded on the dark web following data breaches, which are then used in 'credential stuffing' attacks; in these, attackers automatically input numerous combinations of usernames and passwords on various websites.
The number of stolen credentials available for such attacks has increased due to the growing frequency and scale of data breaches.
More than 44 million Microsoft users were found to be reusing passwords in one analysis over a three-month period, a practice that increases vulnerability to account breaches.
More than 15 billion stolen credentials are currently on the dark web, including from recently attacked companies like PayPal.
Organizations can safeguard their accounts by identifying breached passwords quickly and notifying affected accounts. This can be achieved with paid tools like Specops Password Policy, or free options, such as Specops Password Auditor.
Also, a rigorous implementation of stringent password policies that include requirements like password length, complexity, and avoiding common character patterns would go a long way in mitigating credential stuffing threats. | Details |
| 2023-09-25 11:06:21 | thehackernews | NATION STATE ACTIVITY | Persistent Cyber-Espionage Campaign by EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese | Tibetan, Uyghur, and Taiwanese individuals and organizations have been persistently targeted by a threat actor codenamed EvilBamboo in a bid to gather sensitive information.
The attacker has created fake Tibetan websites and social media profiles to deploy browser-based exploits against the targeted users.
EvilBamboo has been linked to multiple attack waves since 2019, using watering hole attacks to deliver spyware that targets Android and iOS devices.
The group uses Android malware such as ActionSpy and PluginPhantom to gather data from infected devices disguised as dictionary, keyboard, and prayer apps on third-party app stores.
The latest findings attribute to EvilBamboo three new Android espionage tools: BADBAZAAR, BADSIGNAL, and BADSOLAR.
The attack chains used for malware distribution also include APK sharing forums, bogus social media profiles, and Telegram groups sharing Android apps.
Researchers warn that these campaigns highlight the importance of only installing apps from trusted authors and the lack of effective security measures to prevent malicious apps from appearing on official app stores. | Details |
| 2023-09-25 10:21:29 | theregister | DATA BREACH | T-Mobile US Exposes Customer Data Due to Glitch and Denies Separate Breach Allegations | T-Mobile US confirmed that a system glitch briefly exposed data of fewer than 100 customers. Though some concluded that another cyber breach had occurred, T-Mobile denied that anything beyond this glitch happened and stressed that it was quickly resolved.
Allegations of an additional T-Mobile data leak were raised on Twitter by the malware repository vx-underground. However, T-Mobile examined the data and identified the independently owned dealer Connectivity Source as the source, due to a breach it suffered in April.
Connectivity Source, which exclusively acts as a white-labeled T-Mobile US retailer, was the target of a breach in April that saw approximately 17,835 employee data records across the US stolen.
Additional tech security news included the release of GitLab's security update, Atlassian's serious security patches, significant vulnerabilities in OT systems, and Palo Alto Networks' discovery of a fake PoC being used to distribute malware.
Cyber insurance firm Coalition reported a 27% YoY increase in ransomware claims in 1H 2023. The severity of these claims has climbed by 61% in the same timeframe and by 117% over the past year.
Sophos highlighted a rise in pig butchering scams targeting cryptocurrency liquidity mining, with one particular scam circle making over $1 million in just three months. | Details |
| 2023-09-25 09:31:52 | thehackernews | NATION STATE ACTIVITY | New Report Reveals Multi-faceted Chinese Espionage Campaign Against Southeast Asian Government | An unnamed Southeast Asian government has been subjected to a persistent cyberespionage campaign by multiple China-affiliated threat actors. The campaign spanned from Q2 2021 to Q3 2023.
Cybersecurity researchers have identified three distinct clusters of attack, each with their own unique tools and modus operandi. These clusters are referred to as Stately Taurus (aka Mustang Panda), Alloy Taurus (aka Granite Typhoon), and Gelsemium.
The Mustang Panda cluster focused on stealing sensitive information and maintaining a clandestine foothold. Various notable software including LadonGo, AdFind, Mimikatz, Impacket, China Chopper web shells, Cobalt Strike, ShadowPad, and a new version of the TONESHELL backdoor were deployed for this purpose.
The Alloy Taurus intrusion commenced in early 2022, employing undercover techniques and vulnerabilities in Microsoft Exchange Servers for long-term persistence and reconnaissance. Unique .NET backdoors, Zapoa and ReShell, were also used to execute remote commands and harvest sensitive data.
The Gelsemium cluster targeted vulnerable IIS servers with the intent to covertly gather intelligence. It utilized tools such as Cobalt Strike, Meterpreter, Earthworm, and SpoolFool for post-exploitation, and other backdoors like OwlProxy and SessionManager.
The consistent feature across all the activities was the use of nefarious software tools and techniques to exploit vulnerabilities, steal sensitive documents, and maintain long-term operations.
The intention behind these activities appears to be persistently gathering and exfiltrating sensitive documents and intelligence. | Details |
| 2023-09-25 00:15:00 | thehackernews | CYBERCRIME | Newly Discovered 'Sandman' Threat Actor Targets Telecom Providers Using Lua-Based Malware 'LuaDream' | An unidentified threat actor, dubbed 'Sandman,' is behind cyberattacks on telecoms providers in the Middle East, Western Europe, and South Asia. The actor employs a Just-In-Time (JIT) compiler (LuaJIT) for the Lua programming language to deploy new malware termed 'LuaDream.'
The 'Sandman' activities involve strategic lateral movement and minimal engagement, suggesting a strategic and deliberate approach to minimize detection risk.
Researchers noted that the LuaDream operation indicates a large-scale project that is well developed and actively maintained.
SentinelOne first observed the attacks in August 2023; analysis of the implant's source code dates the preparatory work back to June 2022. Researchers suspect that LuaDream is a variant of a new malware strain referred to as 'DreamLand' by Kaspersky.
LuaDream is a modular, multi-protocol backdoor primarily designed to exfiltrate system and user information and manage attacker-provided plugins for feature expansion. This malware also uses anti-debugging capabilities to evade detection and analysis.
Initial methods of access remain unclear; the actor is observed stealing administrative credentials and conducting reconnaissance activities to breach targeted workstations and deliver LuaDream.
The discovery of this activity corresponds with reports of sustained strategic intrusions by Chinese threat actors, targeting telecommunication, finance, and government sectors in Africa. SentinelOne detected a compromise of a North African telecommunications entity coinciding with their private discussions for further regional expansion.
The Sandman threat actor's cyberattacks and those by Chinese groups indicate concerted efforts by threat actors to shape policies and narratives aligned with geostrategic ambitions, signifying the need for advanced defensive measures and holistic cybersecurity strategies. | Details |
| 2023-09-25 00:15:00 | thehackernews | CYBERCRIME | Apple Rushes Security Patches for Exploited Zero-Day Flaws in Multiple Devices | Apple has released numerous security patches to fix three actively exploited zero-day vulnerabilities across its iOS, iPadOS, macOS, watchOS, and Safari software, bringing the total number of zero-days it has addressed this year to 16.
The tech giant has not provided specifics about the security issues but did note that the vulnerabilities had potentially been exploited against versions of iOS earlier than iOS 16.7.
Bill Marczak from the Citizen Lab at the University of Toronto's Munk School and Maddie Stone from Google's Threat Analysis Group (TAG), who both reported the flaws, suggest they may have been used for malicious spyware aimed at civil society individuals at high risk of cyber threats.
Two weeks prior, Apple dealt with two other exploited zero-day flaws (CVE-2023-41061 and CVE-2023-41064) used in a zero-click iMessage exploit chain named BLASTPASS to distribute Pegasus, an infamous spyware.
An analysis from cybersecurity firm Rezilion highlighted that a flaw in the libwebp library, already patched by Google and Mozilla, exists across various operating systems, software packages, Linux apps, and container images, broadening the potential attack surface. | Details |
| 2023-09-25 00:15:00 | thehackernews | CYBERCRIME | Former Egyptian MP Targeted with Predator Spyware Through Exploitation of Apple Zero-Days | The exploit chain that utilized three zero-day vulnerabilities in Apple's software in an attempt to deliver the Predator spyware to former Egyptian MP Ahmed Eltantawy was addressed by Apple on September 21, 2023.
Citizen Lab, which attributed this attack to the Egyptian government due to its known use of the spyware tool, reported that the attack was executed from May to September, after Eltantawy publicly stated his plans for the 2024 presidential elections.
The commercial spying tool was delivered via links sent through SMS and WhatsApp, and when Eltantawy visited certain non-HTTPS websites, he was redirected to a malicious website, hosting the Predator spyware.
The exploited vulnerabilities, labelled as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, could bypass certificate validation, escalate privileges, and facilitate remote code execution on the targeted devices.
Predator, developed by Cytrox, is comparable to the Pegasus spyware by NSO Group, allowing its users to surveil their targets and extract sensitive data from the compromised devices.
The U.S. government blocklisted Cytrox, part of the Intellexa Alliance, in July 2023 for "enabling campaigns of repression and other human rights abuses."
Google TAG also discovered an exploit chain that used a remote code execution flaw in the Chrome web browser (CVE-2023-4762), potentially enabling the delivery of Predator on Android devices.
In light of these findings, Citizen Lab emphasizes the potential for abuse of surveillance tools to target civil society and highlights the vulnerabilities in the telecom ecosystem that can be exploited to intercept network traffic and inject malware. | Details |
| 2023-09-25 00:15:00 | thehackernews | MALWARE | Stealth Falcon Uses Advanced Deadglyph Backdoor Malware in Cyber Espionage Campaign | Cybersecurity researchers have unearthed an advanced backdoor malware named "Deadglyph" utilized by Stealth Falcon, a threat actor involved in cyber espionage.
Unlike typical malware, which is written in a single programming language, Deadglyph is a blend of a native x64 binary and a .NET assembly, potentially to hinder analysis and debugging.
Actor-controlled servers issue commands to the malware in the form of additional modules, enabling the creation of new processes, reading of files, and extraction of information from compromised systems.
Stealth Falcon, first revealed in 2016, was associated with a series of spyware attacks targeted at journalists, activists, and dissidents in the Middle East using spear-phishing tactics.
The group is suspected to be the same actor behind Project Raven, an operation involving former U.S. intelligence operatives employed by a cybersecurity firm named DarkMatter and hired to spy on critics of the Arab monarchy.
Deadglyph, Stealth Falcon's latest tool, was discovered during an intrusion at an undisclosed governmental entity in the Middle East.
ESET revealed that the malware has several counter-detection mechanisms, including the continuous monitoring of system processes, randomized network patterns, and the capability to uninstall itself to minimize detection. | Details |
| 2023-09-25 00:15:00 | bleepingcomputer | DATA BREACH | Air Canada Reports Data Breach Impacting Employee Records | Air Canada reported a cybersecurity incident in which hackers "briefly" gained limited access to its internal systems resulting in the theft of certain employee records.
The airline emphasized that its flight operations systems and customer-facing systems were not affected, and customer information was not accessed or compromised during the incident.
Air Canada has reached out to the affected employees and relevant law enforcement authorities, and confirmed all its systems are currently fully operational after this brief breach.
Following the incident, the airline has implemented additional security measures with the assistance of global cybersecurity experts to prevent such incidents in the future.
This is not the first time Air Canada has experienced a security breach. In 2018, profile information of 20,000 mobile app users was accessed by unauthorized parties, prompting the airline to temporarily lock out all 1.7 million of its mobile app accounts as a safeguard. | Details |
| 2023-09-25 00:15:00 | bleepingcomputer | DATA BREACH | National Student Clearinghouse Reports Data Breach Linked to Clop Ransomware Gang | U.S. educational nonprofit National Student Clearinghouse (Clearinghouse) has reported a major data breach impacting 890 schools in its U.S.-based network.
The breach was caused by cyber attacks that exploited a security flaw in the MOVEit managed file transfer (MFT) platform, compromising files that held personal identifiable information.
The data breach exposed a range of personal details such as names, contact information, Social Security numbers, student ID numbers, and school-related records, with exposure varying among individuals.
The attack was initiated by the Clop ransomware gang which began extortion operations against the affected organizations starting June 15th, with exposure of victims on the group's dark web data leak site.
The potential damage from these attacks could extend to hundreds of organizations globally with many already having notified their affected customers.
Despite this, only a small number of victims are expected to acquiesce to ransom demands, but with high ransom demands, the Clop gang is estimated to collect $75-100 million in payments.
The Clearinghouse provides reporting, data exchange, verification, and research services to approximately 22,000 high schools and approximately 3,600 colleges and universities that together enroll roughly 97% of U.S. students in public and private institutions. | Details |
| 2023-09-25 00:15:00 | bleepingcomputer | NATION STATE ACTIVITY | Advanced Persistent Threat Group Gelsemium Targets Southeast Asian Government | Gelsemium, an advanced persistent threat (APT) group known for cyberespionage, is conducting an attack on a Southeast Asian government that has been ongoing for six months.
The group has been operational since 2014 and typically targets government, educational, and electronics manufacturers in East Asia and the Middle East.
The attack was initially carried out by installing web shells, likely through exploiting vulnerabilities in internet-facing servers. Gelsemium then conducted basic network reconnaissance and lateral movement via SMB.
The group employs tools like OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm for lateral movement, data collection, and privilege escalation.
The attackers adapt their approach as required, introducing new tools and strategies when their initial ones are thwarted by security solutions.
Cybersecurity firm Unit 42's report on the attacks observes the group's tenacity and resourcefulness, using rarely seen backdoors linked to the threat actors. | Details |
| 2023-09-25 00:15:00 | bleepingcomputer | MALWARE | Stealth Falcon APT Uses Modular Deadglyph Malware in Cyberespionage Against Middle Eastern Government | Stealth Falcon APT, a state-sponsored hacking group from the UAE known for targeting activists, journalists, and dissidents, has deployed a sophisticated and modular backdoor malware named 'Deadglyph' in an attack against a Middle Eastern government agency.
According to a report from ESET researcher Filip Jurčacko, Deadglyph is a new modular malware that infects Windows devices, though the means of initial infection remain unknown.
The malware operates by storing executable code in the system's Windows registry. It also uses increasingly sophisticated measures to evade detection, including homoglyph attacks that mimic Microsoft's names using visually similar Greek and Cyrillic Unicode characters.
Deadglyph employs a modular approach, downloading modules from the command and control server (C2) that contain different shellcodes to carry out the tasks required by the threat actors.
The malware's Orchestrator component is responsible for C2 communications and triggers a self-removal mechanism if it fails to establish communication with the C2 server after a certain period to avoid detection and analysis.
Currently, ESET has identified three of Deadglyph's modules: a process creator, an info collector, and a file reader, revealing the highly complex and customized nature of the malware's operations. | Details |
| 2023-09-25 00:15:00 | bleepingcomputer | CYBERCRIME | Scammers Exploit TikTok with Fake Celebrity Leaks to Push Temu Referral Codes | TikTok has been taken over by fake videos promising access to leaked celebrity photos, encouraging users to download an online shopping app, Temu, and use a special referral code to supposedly view this content.
Created by scammers, these misleading videos are aimed not at distributing malicious content but promoting referral rewards for the Temu online megastore.
This online store allows customers to generate personal referral numbers and links, which can be shared on social media platforms to earn store credit or other rewards.
Using captions implying the exposure of sensitive celebrity content, these scam videos try to bait viewers into downloading the app and using the mentioned referral number.
TikTok users have begun to notice the influx of such scamming videos and are creating responses, questioning their validity.
While this current scam only seeks to generate store credit, the same tactics have potential for more sinister purposes in the future, such as the spread of malware.
An official response from TikTok and Temu regarding the issue is yet to be received. | Details |
| 2023-09-23 01:01:42 | thehackernews | CYBERCRIME | High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server, Fixes Released | Several high-severity security flaws have been discovered in products by Atlassian and the Internet Systems Consortium (ISC), potentially allowing for denial-of-service (DoS) attacks and remote code execution.
Atlassian, an Australian software services provider, confirmed the existence of four such vulnerabilities but stated that they have been addressed in the new versions of their software released last month.
Separately, ISC has disclosed and issued fixes for two major vulnerabilities in their Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite. These bugs could have permitted a DoS condition.
These patches from ISC come three months after they remedied three other flaws in the BIND software, also capable of creating a DoS situation.
Both companies' quick response to the discoveries of these flaws and the speedy roll-out of their updates mitigated any potential impacts on their clients. They show the importance of keeping software and systems updated to mitigate security risks. | Details |
| 2023-09-23 00:47:37 | theregister | MALWARE | Apple Patches iOS Vulnerabilities Exploited by Predator Spyware | Apple has issued patches for three CVE-listed flaws in its iOS, macOS systems after Intellexa's Predator spyware was found to have exploited these vulnerabilities to target an iPhone.
The vulnerabilities reportedly allowed the spyware to gain execution within the OS kernel, bypass pointer authentication code protections, and steal data and spy on the user for Intellexa's client.
Researchers from The Citizen Lab and Google’s Threat Analysis Group identified and reported these exploitations to Apple, following which the patches were released.
Sources said that the Predator spyware exploited non-secure HTTP traffic for a man-in-the-middle attack and redirected the target's Safari browser to servers operated by the spyware's vendor.
Intellexa, which was added to the US entity list as a national security threat in July, used the holes in the iOS and macOS systems to infect devices without users’ knowledge.
Google also noted that Predator was installed "on Android devices in Egypt" using a different exploit chain, one component of which was a flaw in Chrome patched on September 5.
Apple, Google and Citizen Lab have advised users to promptly install the patches to avoid further exploitation and use secure HTTPS rather than insecure HTTP where possible. | Details |