Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12586
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-21 11:11:13 | thehackernews | MALWARE | Fake Proof-of-Concept for WinRAR Vulnerability Infects Users with Venom RAT Malware | A fake proof-of-concept exploit for a recently disclosed WinRAR vulnerability was published on GitHub with the intent of infecting users who download the code with Venom RAT malware. The faux proof-of-concept was initially based on a public script that exploited a SQL injection vulnerability in another application, GeoServer. The rogue proof-of-concept was committed on August 21, 2023, four days after the WinRAR vulnerability was announced publicly. The proof-of-concept downloaded from the now-inoperative GitHub repository points to a remote server to execute a variant of Venom RAT that lists running processes and receives commands from an actor-controlled server. An examination of the attack's infrastructure revealed that the threat actor created the domain linked to by the proof-of-concept at least ten days prior to the public disclosure of the flaw, in order to take advantage of its critical nature. This is an example of hackers opportunistically targeting other malicious actors who seek to exploit the latest vulnerabilities. | Details |
| 2023-09-21 11:11:13 | thehackernews | CYBERCRIME | Cybercrime Group 'Gold Melody' Serves as Access Broker to Ransomware Attackers | Gold Melody, a cybercrime group known as an initial access broker (IAB) since 2017, has been selling access to compromised organizations to other hackers to launch ransomware attacks. The group is financially motivated, exploiting vulnerabilities in unpatched internet-facing servers for initial access, and prefers opportunistic attacks for financial gain rather than state-sponsored threat activity. Gold Melody exploits security flaws in servers such as JBoss Messaging, Citrix ADC, Oracle WebLogic, GitLab, Citrix ShareFile Storage Zones Controller, Atlassian Confluence, ForgeRock AM, and Apache Log4j. It has broadened its scope to target retail, healthcare, energy, financial, and high-tech organizations in North America, Northern Europe, and Western Asia starting mid-2020. The cybercrime group has been associated with five intrusions between July 2020 and July 2022, exploiting different sets of flaws in Oracle E-Business Suite, Apache Struts, Sitecore XP, and Flexera FlexNet for initial access. However, all these attacks were ultimately unsuccessful. Relying heavily on exploiting vulnerabilities in unpatched internet-facing servers, Gold Melody's activities underline the significance of robust patch management. Selling the access to other threat actors for monetization, primarily through ransomware deployment, Gold Melody is a financially motivated IAB. | Details |
| 2023-09-21 11:11:13 | thehackernews | NATION STATE ACTIVITY | China Alleges Decade-Long U.S. Cyber Espionage Campaign against Huawei | China's Ministry of State Security (MSS) has accused the U.S. of carrying out a decade-long cyber espionage campaign against Huawei involving data theft and the implanting of backdoors since 2009. MSS alleges that the U.S. National Security Agency's (NSA) Computer Network Operations has repeatedly attacked China's vital data resources, and claims the unit hacked Huawei's servers in 2009. The MSS also says the U.S. has carried out tens of thousands of malicious network attacks on domestic Chinese entities, including Northwestern Polytechnical University, to steal important data. The National Computer Virus Emergency Response Centre in China is reported to have identified NSA-developed spyware called Second Date running on thousands of network devices worldwide, capable of monitoring and hijacking network traffic and injecting malicious software. The MSS also accuses the U.S. of forcing tech companies like X-Mode Social and Anomaly Six to install backdoors in their software and hardware for the purpose of cyber espionage and data theft. The ministry argues that the U.S. is portraying itself as a victim of cyber-attacks while inciting and forcing other nations to join its 'clean network' program to keep Chinese companies out of the international network market. China and the U.S. have been exchanging allegations regarding large-scale cyber-espionage activities, with both countries in the middle of an escalating geopolitical confrontation. | Details |
| 2023-09-20 16:27:45 | theregister | CYBERCRIME | Sysadmin Pleads Guilty to $88M Pirated Avaya Software Licences Scam | A sysadmin and his partner have pleaded guilty to being part of an international group that sold pirated Avaya business telephone system software licenses worth $88m for significantly below the wholesale price. The couple, Brad and Dusti Pearce, admitted one count of conspiracy to commit wire fraud and face a maximum penalty of 20 years in prison each. After agreeing to a plea deal, the Pearces must also forfeit at least $4m, gold, silver, collectible coins, cryptocurrency, a vehicle, and "make full restitution to their victims," the US Department of Justice said. The pirated software licenses were used to unlock features of the popular Avaya telephone system, used by companies around the globe. The couple funnelled their illicit gains through PayPal to multiple bank accounts, reshuffling the money among numerous accounts and buying large quantities of gold bullion and other valuable items. Some parts of the case are still being investigated by the FBI. | Details |
| 2023-09-20 16:27:45 | theregister | MISCELLANEOUS | Broaden Cyber Security Knowledge at CyberThreat 2023 Conference | The CyberThreat 2023 conference will be held on 20-21 November, hosted by the UK's National Cyber Security Centre (NCSC) and the SANS Institute at The Novotel London West in Hammersmith, London. The event aims to provide attendees with current and relevant insight from industry experts in various areas of cyber security. Attendees will gain knowledge from keynote presentations by experts in offensive, defensive, and forensic cyber security practices and tactics, including the newly appointed CTO at the NCSC, Ollie Whitehouse. Representatives from cyber security firms such as CrowdStrike, Palo Alto Networks, Google Cloud Mandiant, Microsoft, Accenture, BAE Systems Digital Intelligence, Darktrace, EclecticIQ, VMRay, and PwC will be sharing their knowledge and experiences at the event. In addition to the presentations, the conference will offer networking opportunities, technical challenges, and an in-person Capture The Flag (CTF) competition. The conference can also be attended virtually by those unable to travel to London. | Details |
| 2023-09-20 16:27:45 | theregister | CYBERCRIME | Indian Nationals Sentenced in US for $1.2M Elderly-Focused Robocall Scams | Two Indian nationals, Arushobike Mitra and Garbita Mitra, living in the U.S., have been sentenced to 41-month prison terms for their roles in robocall scams that swindled $1.2m from the elderly. They had earlier pleaded guilty to one count of conspiracy to commit wire fraud prior to receiving their sentences in Newark federal court, and have been ordered to pay restitution of $835,324 and to undergo three years of supervised release. The accused were part of a larger network, primarily based in India, that used automated robocalls to contact and scam U.S. residents, many of whom were elderly. These robocallers impersonated government or law enforcement officials and used intimidation tactics to coerce and deceive their victims into sending large sums of money. They would also pretend to be tech support agents to gain remote access to victims’ computers and bank accounts. The Mitras functioned as "money mules," collecting and transporting cash shipments in Florida and New Jersey, and also opened bank accounts to receive fraudulent payments. 48 victims were identified as having fallen for this scam, remitting amounts between $9,500 and $50,000 each. Despite a decline in the number of robocalls, financial losses from these scams are still expected to be in the region of 2022's $65 billion total, according to a report by call blocking firm Robokiller. | Details |
| 2023-09-20 16:27:45 | thehackernews | CYBERCRIME | The Hidden Vulnerabilities of Web Application Supply Chains | Modern web applications rely upon dozens of third-party components, frameworks and open-source tools, creating a chain of dependencies that can itself be highly vulnerable to cyberattacks. No matter the level of security or testing done on their own code, companies may have vulnerabilities in the third-party components they use. Third-party software, libraries, and IoT devices can provide attackers access to privileged systems, enabling a range of malicious activities from Magecart and web skimming attacks to ransomware and espionage. The SolarWinds attack in December 2020 was a high-profile example of a supply chain attack, where attackers used software updates to infiltrate systems. The recent Log4j vulnerability exposed millions of computers worldwide to potential attacks, indicating the urgency of a proactive, continuous monitoring solution for web application supply chains to prevent future compromises. Web security company Reflectiz provides one such solution, which identified the Log4j vulnerability and aids companies in ongoing risk mitigation, epitomizing the pivotal role of third-party cybersecurity firms in helping organizations secure their web application supply chains. | Details |
| 2023-09-20 16:27:45 | thehackernews | MALWARE | Researchers Discover Malicious npm Packages Threatening Kubernetes Configs, SSH Keys | Cybersecurity researchers have identified 14 malicious packages within the npm package registry designed to retrieve Kubernetes configurations and SSH keys from compromised machines. These packages impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools. However, they run obfuscated code upon installation to gather and siphon sensitive files from the target machine. System metadata including username, IP address, and hostname is also collected by the modules, which then transmit this information to a previously unknown domain. The packages are part of an ongoing trend of threat actors targeting open-source registries, like npm and PyPI, with cryptojackers, infostealers, and other malicious programs to compromise the software supply chain. A case this month highlighted one npm module that remained benign for over eight months before being updated to include malicious JavaScript capable of exfiltrating Ethereum private keys. Another example involved a deceptive package hiding a cryptocurrency miner. Such campaigns have expanded to target the JavaScript (npm), Python (PyPI) and Ruby (RubyGems) ecosystems, with Apple macOS users specifically targeted in this case. The ultimate aim of these campaigns is still unknown. | Details |
| 2023-09-20 16:27:45 | thehackernews | CYBERCRIME | Multiple Security Vulnerabilities Exposed in Nagios XI Network Monitor Software | Four security vulnerabilities were found in versions 5.11.1 and below of the Nagios XI network monitoring software, with patches released in September 2023. Three of the vulnerabilities are SQL injections that enable users of varying privilege levels to access database fields. The data collected through these vulnerabilities could be used to escalate privileges within the product, thereby accessing sensitive data such as password hashes and API tokens. The fourth vulnerability is a cross-site scripting (XSS) flaw in the Custom Logo component, potentially allowing attackers to read sensitive data, including login page passwords. Successful exploitation of these vulnerabilities could allow an authenticated attacker to execute arbitrary SQL commands and inject arbitrary JavaScript while reading and modifying page data. This isn't the first time Nagios XI has had security issues. In 2021, Skylight Cyber and Claroty discovered about two dozen flaws that could potentially facilitate remote code execution and infrastructure hijacking. | Details |
| 2023-09-20 16:27:45 | thehackernews | CYBERCRIME | Finnish Law Enforcement and Partners Dismantle Dark Web Drug Marketplace PIILOPUOTI | Finnish authorities, alongside partners from Germany and Lithuania and organisations including Europol and Eurojust, have shut down the dark web marketplace PIILOPUOTI, which had been facilitating the illegal drug trade since May 2022. The services of Romanian cybersecurity firm Bitdefender were enlisted in the operation. The parties involved smuggled drugs into Finland from abroad for sale on PIILOPUOTI, but it is currently unclear whether arrests have been made. Alexandru Catalin Cosoi, senior investigator at Bitdefender, applauded the operation, stating it was an excellent example of the effectiveness of public and private sector cooperation in disrupting criminal activities online. This crackdown is part of an increased commitment from international law enforcement agencies to dismantle illegal dark web marketplaces, as illustrated by the closure of Genesis Market and Lolek bulletproof hosting, as well as the arrest of 288 vendors operating on the Monopoly market in May 2023. | Details |
| 2023-09-20 16:27:45 | bleepingcomputer | CYBERCRIME | Signal Upgrades Messaging Protocol with Quantum-Resistant Encryption | Signal has upgraded its communication protocol to use quantum-resistant encryption keys, defending its users from potential future threats posed by quantum computers. Quantum computers, which use qubits for computation, show potential to weaken current encryption schemes by decrypting protected data quickly. Predictions for the emergence of quantum computers powerful enough to perform such tasks fluctuate, leading to a "harvest now, decrypt later" risk that necessitates the adoption of quantum-resistant algorithms now. Signal uses a key agreement protocol called PQXDH (Post-Quantum Extended Diffie-Hellman) to generate quantum-resistant secret keys, replacing its earlier X3DH (Extended Triple Diffie-Hellman) protocol. PQXDH combines X3DH's elliptic curve key agreement with a post-quantum key encapsulation mechanism called CRYSTALS-Kyber. This change is the first in a series of adaptations from Signal to ensure quantum-resistant end-to-end encryption (E2EE) as the technology landscape evolves. Future upgrades will aim to fill data security gaps or address emerging challenges from ongoing research. | Details |
| 2023-09-20 16:27:45 | bleepingcomputer | DATA BREACH | Data Breach Investigation Costs Surge, Average Cost Now at $4.45 Million | IBM’s annual Cost of a Data Breach Report reveals an increase in data breach costs to $4.45 million on average in 2023. One key contributor to escalating costs is the rising expense of incident investigations, referred to as 'detection and escalation'. The report shows that detection and escalation costs averaged $1.58 million per breach, representing over 35% of the total average cost. Mitigation strategies to reduce data breach investigation costs include robust information governance, ongoing employee security training, continuous vulnerability management, simulated cyberattacks, and the use of Cyber Threat Intelligence (CTI) to expedite response to breaches. Despite the demonstrated effectiveness of CTI, 79% of security professionals report making decisions without the use of threat intelligence. This is due to factors such as the time-consuming nature of gathering CTI and ongoing labor market shortages in this field. Outpost 24 recommends utilizing modular Cyber Threat Intelligence such as its Threat Compass to navigate swiftly and efficiently through data breaches. This approach enables prioritization of the intelligence types most relevant to a company's specific business, sector, and areas of cyber risk. | Details |
| 2023-09-20 16:27:45 | bleepingcomputer | MALWARE | VenomRAT Malware Spread Through Fake WinRAR Exploit on GitHub | A hacker used a fake proof-of-concept (PoC) exploit for a recently fixed WinRAR vulnerability on GitHub to infect users with the VenomRAT malware; the malicious code was posted on GitHub in August 2023. The fake PoC was linked to a vulnerability that allowed arbitrary code execution when specially crafted RAR files were opened on older versions of WinRAR. A threat actor known as 'whalersplonk' capitalised on this vulnerability quickly, spreading malware under cover of exploit code for the new WinRAR vulnerability. When executed, the fake PoC created a batch script, which then downloaded and executed an encoded PowerShell script and the VenomRAT malware on the host device. Once active, VenomRAT runs a keylogger that records keystrokes and writes them to a local text file, and contacts a C2 server that issues commands for execution on the infected device. The actor likely prepared well ahead of the public disclosure of the WinRAR flaw, suggesting a similar pattern may be deployed in future for other vulnerabilities. In recent years, crooks have increasingly exploited the GitHub platform to promote fraudulent PoCs for a variety of vulnerabilities, often deploying malware, malicious PowerShell scripts and Cobalt Strike droppers. | Details |
| 2023-09-20 02:10:25 | bleepingcomputer | MALWARE | Cyberattackers Use New HTTPSnoop and PipeSnoop Malware to Target Middle Eastern Telecom Providers | Hackers have been employing two new malware families, HTTPSnoop and PipeSnoop, to attack telecom service providers in the Middle East and remotely execute commands on the compromised devices. Cisco Talos' report attributes these malware families to an intrusion set named 'ShroudedSnooper'. While the two serve different operational aims depending on the depth of infiltration, both have been disguised as security components of the Palo Alto Networks Cortex XDR product to avoid detection. HTTPSnoop uses low-level Windows APIs to inspect HTTP(S) traffic on the infected device for specific URLs. The malware decodes base64-encoded data from these URLs and runs it as shellcode on the affected host. Cisco discovered three variants of HTTPSnoop, each with different URL listening patterns that appear to imitate legitimate URL patterns from Microsoft Exchange Web Services. Detected in May 2023, PipeSnoop behaves as a backdoor that executes shellcode payloads on compromised endpoints via Windows IPC (Inter-Process Communication) pipes. Notably, it appears better suited to operations deep within compromised networks. Telecom service providers become targets for state-backed threat actors because of their critical role in managing significant infrastructure and transferring highly sensitive information. This highlights the increasing need for improved security measures and international collaboration to protect them. | Details |
| 2023-09-20 02:01:58 | theregister | CYBERCRIME | Thousands of Juniper Junos Firewalls Vulnerable | Threat intelligence provider VulnCheck has found that 79% of public-facing Juniper SRX firewalls are vulnerable to a security flaw allowing unauthenticated remote code execution. Juniper identified and addressed five security flaws affecting all versions of Junos OS on SRX firewalls and EX series switches in an out-of-cycle security bulletin on August 17. The five flaws consist of two PHP external variable modification vulnerabilities and three "missing authentication for critical function" vulnerabilities. Individually, these flaws rate 5.3 on the ten-point CVSS severity scale; when chained together, however, they reach a critical 9.8 CVSS score. Juniper attempted to resolve the issues and updated its advisories on September 7 following the publication of a proof-of-concept exploit by security researchers. Despite Juniper's action, VulnCheck believes that approximately 15,000 internet-facing firewalls remain unpatched and vulnerable. VulnCheck has released a free scanning tool able to identify vulnerable firewalls and advises all affected organizations to apply patches as soon as possible. | Details |