Industry State of the Art

This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world.  And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.

Standards & Advisories

Police Issue “Quishing” Email Warning - Infosecurity Magazine

“Police in Northern Ireland have warned organizations in the province to be on their guard after issuing a new Crime Prevention Notice on “quishing,” or phishing via QR code.

Originally published by the Police Service of Northern Ireland (PSNI) Cyber Crime Centre, the notice urges all local businesses to ensure staff cybersecurity awareness training is updated so employees can spot the threat.

QR phishing, or quishing, has a similar end goal to regular scam emails, which are designed to trick the victim into handing over their credentials/personal information or unwittingly installing malware.

The victim typically receives an unsolicited email, but this time containing a PDF or PNG image of a QR code. The example given in the notice is one branded with Microsoft Authenticator, although other brands may also be spoofed for similar effect.”

CISA and NSA Release New Guidance on Identity and Access Management

“Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.

This publication, which follows ESF's Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.

Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.”

NSA and CISA Advise on Top Ten Cybersecurity Misconfigurations

“FORT MEADE, Md. - The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing a joint Cybersecurity Advisory (CSA) highlighting the top ten most common cybersecurity misconfigurations found in large organizations’ networks. The CSA details tactics, techniques, and procedures (TTPs) that cyber actors could use to compromise these networks, as well as mitigations to defend against this threat.

The report includes information from NSA and CISA Red and Blue team assessments, as well as activities of NSA and CISA Hunt and Incident Response teams. These teams have assessed the security posture of many networks across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and the private sector.

As indicated in the CSA, these most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise.”

CISA, FBI, NSA, and Treasury Release Guidance on OSS in IT/ICS Environments

“Today, CISA, the Federal Bureau of Investigation, the National Security Agency, and the U.S. Department of the Treasury released guidance on improving the security of open source software (OSS) in operational technology (OT) and industrial control systems (ICS). In alignment with CISA’s recently released Open Source Security Roadmap, the guidance provides recommendations to OT/ICS organizations on:

• Supporting OSS development and maintenance,
• Managing and patching vulnerabilities in OT/ICS environments, and
• Using the Cross-Sector Cybersecurity Performance Goals (CPGs) as a common framework for adopting key cybersecurity best practices in relation to OSS.

Alongside the guidance, CISA published the Securing OSS in OT web page, which details the Joint Cyber Defense Collaborative (JCDC) OSS planning initiative, a priority within the JCDC 2023 Planning Agenda. The initiative will support collaboration between the public and private sectors—including the OSS community—to better understand and secure OSS use in OT/ICS, which will strengthen defense against OT/ICS cyber threats.   

CISA encourages OT/ICS organizations to review this guidance and implement its recommendations.”

U.S. Cybersecurity Agency Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

“The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user.

A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were credited with discovering and reporting the flaw.”

CISA, FBI, and MS-ISAC Release Joint Advisory on Atlassian Confluence Vulnerability CVE-2023-22515

“Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This critical vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.

CISA strongly encourages upgrading to a fixed version or taking servers offline to apply necessary updates. For upgrade instructions, a complete list of affected product versions, and indicators of compromise, see Atlassian’s security advisory.”

CISA, NSA, FBI, and International Partners Release Updated Secure by Design Guidance

“Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an update to Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by- Design and -Default with the following international partners:

• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• United Kingdom’s National Cyber Security Centre (NCSC-UK)
• Germany’s Federal Office for Information Security (BSI)
• Netherland’s National Cyber Security Centre (NCSC-NL)
• Norway's National Cyber Security Center (NCSC-NO)
• Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ)
• Korea Internet & Security Agency (KISA)
• Israel’s National Cyber Directorate (INCD)
• Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT)
• Network of Government Cyber Incident Response Teams (CSIRT) Americas
• Cyber Security Agency of Singapore (CSA)
• Czech Republic’s National Cyber and Information Security Agency (NÚKIB)

This update to the original April 2023 guidance provides additional recommendations for software manufacturers—including manufacturers of artificial intelligence software systems and models—to improve the security of their products. Specifically, the update expands upon the following secure-by-design principles for manufacturers:

• Take ownership of customer security outcomes.
• Embrace radical transparency and accountability.
• Lead from the top.

CISA and its partners strongly encourage all software manufacturers read the updated guidance as well as the CISA blog post about the update. For more information and future updates, see Secure by Design.”

Legislation & Regulatory

A Third of Organizations Not Ready to Comply with NIS2 - Infosecurity Magazine

“Just a third (34%) of impacted organizations in the UK, France and Germany are prepared for the EU’s updated Network and Information Security Directive (NIS2) one year before the legislation comes into force, according to a survey of 1500 IT decision makers by cybersecurity firm Sailpoint.

UK organizations, which must comply with the directive if they operate in the EU, are particularly unprepared, with three-quarters yet to fully address the five key requirements for compliance.”

Trends

A large portion of the threat activity this month was centered around using old attack techniques in new and creative ways.  There were a few significant attacks and zero-days, notably Cisco, Sony, Okta, and Atlassian, and we continue to see fallout from the recent MGM hack and attacks against Microsoft Teams and O365.  Bitcoin and other cryptocurrencies are enjoying something of a minor resurgence, but it’s still small enough that it’s difficult to determine if it’s a genuine resurgence or simply a glimmer of raw scrappiness.  Investment and venture capital into cybersecurity continue to thaw and there are indications that the large tech layoffs experienced earlier this year are coming to an end.  This beginning of the fourth quarter is the season of industry annual reports, and also opens into the holiday scam season and early interest in potential additional early exploration into the US election cycle.

Threat reports

DRM Report Q2 2023 - Ransomware threat landscape | SecurityAffairs

Microsoft Digital Defense Report 2023 (MDDR) | Microsoft Security Insider

DDoS threat report for 2023 Q3 | Cloudflare

Q3 Ransomware Report: Global Ransomware Attacks Up More Than 95% Over 2022 | Corvus

Cyber Threat Intelligence Index: Q3 2023 Edition | Flashpoint

ENISA Threat Landscape 2023 | ENISA

Mergers, Acquisitions, Funding, Partnerships

Funding

Censys lands new cash to grow its threat-detecting cybersecurity service | TechCrunch

Conveyor raises $12.5M to automate security reviews using LLMs | TechCrunch

Nexusflow raises $10.6M to build a conversational interface for security tools | TechCrunch

Acquisitions

Arctic Wolf acquires cybersecurity automation platform Revelstoke | TechCrunch

Well Health acquires two cybersecurity businesses, Seekintoo and Proack

RTX, the company formerly known as Raytheon, to sell its cybersecurity business for $1.3B – NBC Boston

Accenture Acquires Cybersecurity Firm MNEMO Mexico By Investing.com

Rockwell Automation Signs Agreement to Acquire Verve Industrial Protection | Business Wire

Arctic Wolf acquires cybersecurity automation platform Revelstoke | TechCrunch

Magna5 has acquired a Virginia-based cybersecurity firm - Technical.ly

KPMG in Canada acquires Calgary-based IMagosoft to expand cybersecurity footprint

Layoffs

IronNet, founded by former NSA director, shuts down and lays off staff | TechCrunch

Headline News

DNSFilter

DNSFilter Named Web Filtering and Control Solution of the Year in the CyberSecurity Breakthrough Awards for Third Consecutive Year

“Washington D.C., - Oct. 5, 2023 – DNSFilter today announced that the company was selected as the Web Filtering and Control Solution of the Year in the annual CyberSecurity Breakthrough Awards. Conducted by CyberSecurity Breakthrough, a leading independent market intelligence organization, the awards recognize the top companies, technologies and products in the global information security market today.

DNSFilter’s protective DNS powered by machine learning (ML) continuously scans billions of domain queries daily to identify anomalies and potential vectors across malware, ransomware, phishing,fraud, and more. DNSFilter catches more zero-day attacks in process than competitors, identifying compromised domains an average of 7 days before they appear on other external threat feeds. Combined with the company’s AI, Webshrinker, DNSFilter helps enterprises categorize domains in real-time and automatically block potentially dangerous domains to enable more businesses to stay safe against today’s sheer volume of internet threats.”

REVISITING THE RISKS AND DANGERS OF USING OPEN HOTEL WI-FI

“As fate would have it, over Labor Day Weekend, I found myself staying in a hotel for a conference. For one reason or another, I’ve spent a higher number of visits in hotels than normal recently. And as a cybersecurity professional, dealing with these network connections is always a source of anxiety. Hotel Wi-Fi networks are renowned for their poor security. But seeing so many different networks in such a short period of time has inspired me to think about the different things that might make that seem less obvious, or soothe some of the concerns when you may think you’re protected.”

Major news

General Industry News

Rules of engagement issued to hacktivists after chaos - BBC News

“The International Committee of the Red Cross (ICRC) has, for the first time, published rules of engagement for civilian hackers involved in conflicts.

The organisation warns unprecedented numbers of people are joining patriotic cyber-gangs since the Ukraine invasion.

The eight rules include bans on attacks on hospitals, hacking tools that spread uncontrollably and threats that engender terror among civilians.

But some cyber-gangs have told BBC News they plan to ignore them.”

Google makes passkeys the default sign-in for personal accounts

“Google announced today that passkeys are now the default sign-in option across all personal Google Accounts across its services and platforms.

After setting up a passkey linked to their device, users can sign into their Google accounts without entering a password or using 2-Step Verification (2SV) when logging in.”

The Fake Browser Update Scam Gets a Makeover

“One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.”

Global Economy Could Lose $3.5trn in Systemic Cyber-Attack - Infosecurity Magazine

“Insurance giant Lloyd’s of London has published a systemic risk scenario of a cyber-attack resulting in global economic losses of $3.5trn.

The scenario involves “a hypothetical but plausible” cyber-attack on a major financial services payment system, leading to widespread disruption to global businesses.

Working with the Cambridge Centre for Risk Studies, the research explored nine hypothetical systemic risk scenarios. The potential economic impact of these scenarios across 107 counties was calculated with an interactive data tool, using GDP as its central measure.

The researchers presented global economic losses across three levels of severity – major, severe and extreme. The damage ranged from $2.2trn in the lowest severity scenario to $16trn in the most extreme scenario, over a five-year period. The weighted average across the three severities modeled was $3.5trn.”

Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes

“Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.

The vulnerabilities are as follows -

• CVE-2022-4886 (CVSS score: 8.8) - Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
• CVE-2023-5043 (CVSS score: 7.6) - Ingress-nginx annotation injection causes arbitrary command execution
• CVE-2023-5044 (CVSS score: 7.6) - Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation

"These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster," Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.

Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller process, and gain unauthorized access to sensitive data.”

Internet Infrastructure

Understanding DNS Tunneling Traffic in the Wild

“We present a study on why and how domain name system (DNS) tunneling techniques are used in the wild. Motivated by our findings, we present a system to automatically attribute tunneling domains to tools and campaigns.

Attackers adopt DNS tunneling techniques to bypass security policies in enterprise networks because most enterprises implement relatively permissive policies for DNS traffic. Previous research has shown that malware campaigns such as SUNBURST and OilRig use DNS tunneling for command and control (C2).

However, many aspects of how attackers use DNS tunneling in the wild remain unknown. For example, do they use DNS tunneling techniques exclusively for C2? How do they implement and host these techniques? Can we further analyze and provide actionable insights on DNS tunneling traffic?

We answer the above questions through over four years of experience in DNS tunneling traffic investigations and in-the-wild tunneling domain detections. We find that apart from threat actors using DNS tunneling techniques for C2 communication, enterprise employees are using them for censorship circumvention and vehicle passengers are using them to bypass network service charges.”

Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign

“We recently detected a new campaign from the XorDDoS Trojan that led us to conduct an in-depth investigation that unveiled concealed network infrastructure that carries a large amount of command and control (C2) traffic. When we compared the most recent wave of XorDDoS attacks with a campaign from 2022, we found the only difference between the campaigns was in the configuration of the C2 hosts. While the attacking domains remain unchanged, the attackers have migrated their offensive infrastructure to hosts running on legitimate public hosting services.

Even though numerous security vendors have already classified the C2 domains as malicious and barred them, we still detect active malware traffic directed to these new underlying IPs. This underscores the necessity of extending protection beyond the mere blocking of dedicated attacking hosts.

We provide a comprehensive analysis of the XorDDoS Trojan's attacking behaviors. Subsequently, we unveil the intricate network infrastructure orchestrating the campaign's botnet. Lastly, we introduce the advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. These signatures effectively identified over 1,000 XorDDoS C2 traffic sessions in August 2023 alone.”

Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers

“A severity flaw impacting industrial cellular routers from Milesight may have been actively exploited in real-world attacks, new findings from VulnCheck reveal.

Tracked as CVE-2023-43261 (CVSS score: 7.5), the vulnerability has been described as a case of information disclosure that affects UR5X, UR32L, UR32, UR35, and UR41 routers before version 35.3.0.7 that could enable attackers to access logs such as httpd.log as well as other sensitive credentials.

As a result, this could permit remote and unauthenticated attackers to gain unauthorized access to the web interface, thereby making it possible to configure VPN servers and even drop firewall protections.”

“Cisco buried the lede.” >10,000 network devices backdoored through unpatched 0-day | Ars Technica

“On Monday, Cisco reported that a critical zero-day vulnerability in devices running IOS XE software was being exploited by an unknown threat actor who was using it to backdoor vulnerable networks. Company researchers described the infections as a "cluster of activity."

On Tuesday, researchers from security firm VulnCheck said that at last count, that cluster comprised more than 10,000 switches, routers, and other Cisco devices. All of them, VulnCheck said, have been infected by an implant that allows the threat actor to remotely execute commands that run at the deepest regions of hacked devices, specifically the system or iOS levels.

"Cisco buried the lede by not mentioning thousands of Internet-facing IOS XE systems have been implanted," VulnCheck CTO Jacob Baines wrote. "VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks."”

F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

“F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," F5 said in an advisory released Thursday. "There is no data plane exposure; this is a control plane issue only."”

IT Army of Ukraine disrupted internet providers in territories occupied by Russia

“Ukrainian hacktivists belonging to the IT Army of Ukraine group have temporarily disabled internet services in some of the territories that have been occupied by the Russian army.

After the invasion of the Crimea and the eastern Ukraine, Ukrainian telecommunications infrastructure was disable by Russian soldiers.

The hacktivists carried out DDoS attacks against the three Russian internet providers “Miranda-media,” “Krimtelekom,” and “MirTelekom.” The IT Army is inviting supporters to joint its operations by installing their software.”

Artificial Intelligence

The Repressive Power of Artificial Intelligence | Freedom House

“Advances in artificial intelligence (AI) are amplifying a crisis for human rights online. While AI technology offers exciting and beneficial uses for science, education, and society at large, its uptake has also increased the scale, speed, and efficiency of digital repression. Automated systems have enabled governments to conduct more precise and subtle forms of online censorship. Purveyors of disinformation are employing AI-generated images, audio, and text, making the truth easier to distort and harder to discern. Sophisticated surveillance systems rapidly trawl social media for signs of dissent, and massive datasets are paired with facial scans to identify and track prodemocracy protesters.

These innovations are reshaping an internet that was already under serious threat. Global internet freedom declined for the 13th consecutive year in 2023. Of the 70 countries covered by Freedom on the Net, conditions for human rights online deteriorated in 29, while only 20 countries registered overall gains. For the ninth consecutive year, China was found to have the worst conditions for internet freedom, though Myanmar came close to surpassing it. The year’s largest decline occurred in Iran, followed first by the Philippines and then by Belarus, Costa Rica, and Nicaragua. In more than three-fourths of the countries covered by the project, people faced arrest for simply expressing themselves online. And governments in a record 41 countries resorted to censoring political, social, or religious content.

Many observers have debated the existential risks posed by future AI advances, but these should not be allowed to overshadow the ways in which the cutting-edge technology is undermining internet freedom today. Democratic policymakers should establish a positive regulatory vision for the design and deployment of AI tools that is grounded in human rights standards, transparency, and accountability. Civil society experts, the drivers of so much progress for human rights in the digital age, should be given a leading role in policy development and the resources they need to keep watch over these systems. AI carries a significant potential for harm, but it can also be made to play a protective role if the democratic community learns the right lessons from the past decade of internet regulation.”

Bing Chat LLM Tricked Into Circumventing CAPTCHA Filter

“This past week, a user on the X platform (formerly known as Twitter) devised and successfully executed a plan that caused Bing Chat to solve a CAPTCHA filter.

CAPTCHA filters are visual puzzles that are easily solved by humans but difficult for automated programs. This is to prevent applications like bots from filling out forms on the Internet. Bing Chat is a public large-language model (LLM), similar to ChatGPT but hosted by Microsoft, which Denis Shiryaev was feeding a CAPTCHA image.”

Cyber Professionals Alarmed by Growing Attacker Use of AI - Infosecurity Magazine

“IT security decision makers are concerned about the use of AI by cyber-criminals, particularly surrounding deepfakes, and many believe AI is increasing the number of cybersecurity attacks.

This according to findings from a recent survey by Integrity360 of 205 cybersecurity professionals. The results found that 68% of respondents expressed concerns about cyber-criminals using deepfakes to target their organizations.”

AI algorithm detects MitM attacks on unmanned military vehicles

“Professors at the University of South Australia and Charles Sturt University have developed an algorithm to detect and intercept man-in-the-middle (MitM) attacks on unmanned military robots.

MitM attacks are a type of cyberattack where the data traffic between two parties, in this case, the robot and its legitimate controllers, is intercepted either to eavesdrop or to inject false data in the stream.

Such malicious attacks aim to interrupt the operation of unmanned vehicles, modify the transmitted instructions, and, in some cases, even assume control, instructing the robots to take dangerous actions.”

Generative AI merges with intelligent malware, threat level rises - Help Net Security

“There has been a 44% increase in organized ID fraud in North America compared to preceding quarters, according to AU10TIX.

This upsurge is believed to be driven by the ongoing economic recovery and inflationary pressures, particularly in the US market, which are emboldening professional ID fraud syndicates.”

Phishing

Phishing campaign targeted US executives exploiting a flaw in Indeed job search platform

“Researchers from the cybersecurity firm Menlo Security reported that threat actors exploited an open redirection vulnerability in the job search platform Indeed in phishing attacks.

The phishing attacks were aimed at senior executives across various industries, primarily in Banking, Financial, Insurance, Property Management and Real Estate, and Manufacturing sectors.

The campaign was observed between July and August, threat actors used the phishing kit ‘EvilProxy.’ EvilProxy actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication – proxyfying victim’s session.

The attackers exploited the open redirection vulnerability on “indeed.com” to redirect victims to phishing pages impersonating Microsoft.”

Phishing, the campaigns that are targeting Italy

“Phishing is a ploy to trick users into revealing personal or financial information through an e-mail, Web site, and even through instant messaging.  Particularly very popular is so-called brand phishing, which occurs when criminals impersonate the official website of a well-known brand of a public or private entity using a domain name, URL, logos and graphics similar to the original website: This is a real threat that can have heavy repercussions on user privacy and device security. Phishing can also be used as a precursor attack to drop malware.”

Rising AI-Fueled Phishing Drives Demand for Password Alternatives - Infosecurity Magazine

“Online phishing scams are becoming more frequent and more sophisticated, according to the Online Authentication Barometer, published by the FIDO Alliance on October 16, 2023.

When asked about phishing attacks, over half (54%) of respondents to the FIDO Alliance survey said they have seen an increase in suspicious messages and scams. Meanwhile, 52% believe phishing techniques have become more sophisticated, likely due to threat actors leveraging AI to create phishing schemes and deploy phishing campaigns.

“Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person,” reads the report.”

Hackers Exploit QR Codes with QRLJacking for Malware Distribution

“Quick Response Codes (aka QR Codes) have made life hassle-free for everyone as these versatile codes offer access to everything. However. according to SaaS-based cloud messaging security firm SlashNext, this versatility of QR codes makes them a potential target of exploitation. And, the company has discovered several ways in which threat actors are exploiting QR codes.

Security experts have noted a spike in QR-code-based phishing attacks, highlighting how easy it is to manipulate them. Since the codes can encode complex data and redirect users to external apps/websites, adversaries try to manipulate them. SlashNext’s research revealed two prominent methods threat actors are relying on to exploit QR codes- Quishing and QRLJacking.

Quishing attack is offered on cybercrime forums to facilitate phishing-for-hire services. In this attack, a QR code embedded with malware download or phishing link is circulated on different platforms/channels such as social media, posters, restaurant menus, ads, and phishing emails. When someone scans it, they are redirected either to a phishing website or malware gets downloaded on their devices.”

Feds Warn Healthcare Sector of AI-Augmented Phishing Threats

“Hospitals, clinics and doctor practices have long fallen victim to cyberattacks and breaches kicked off with phishing emails. But with the advent of AI-augmented phishing, the lures are more convincing and could lead to even more scams targeting healthcare organizations, federal authorities warned.

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in an advisory issued Thursday warned healthcare sector organizations to prepare for the growing threats posed by AI-augmented phishing.

Phishing is a common and lucrative tactic used by hackers to trick users into sharing credentials, downloading malware including ransomware, and stealing the sensitive data of healthcare organizations, HHS HC3 noted.”

Supply Chain Attacks

Upstream Supply Chain Attacks Triple in a Year - Infosecurity Magazine

“Security experts have warned of surging cyber risk in open source ecosystems, having detected three times more malicious packages in 2023 than last year.

Sonatype’s 9th Annual State of the Software Supply Chain Report is compiled from proprietary and public data and analysis including dependency update patterns for more than 400 billion Maven Central downloads.

The vendor detected 245,032 malicious packages in 2023, which amounts to twice as many software supply chain attacks as during the period 2019-2022.

It’s not just deliberate malicious activity that is posing a threat to organizations that download these components to accelerate time-to-value.

The report also revealed that 2.1 billion open source downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was available. That amounts to a share of 96% – the same as a year ago.

Nearly a quarter (23%) of Log4j downloads are still of critically vulnerable versions, despite a fix being released for the utility almost two years ago.

Sonatype estimated that over two-thirds (65%) of all vulnerable downloads in 2022 contained a high or critical-severity vulnerability.”

5 Ways APIs Can be the Weak Link in Supply Chain Security - ReversingLabs Blog

“Application programming interfaces (APIs) have become indispensable to the modern enterprise. They're the glue that allows organizations to connect their partners and customers — and the go-to tool that empowers developers to produce innovative applications quickly and efficiently.

However, APIs have also provided threat actors with a new attack surface, and that has significant consequences for managing software supply chain risk. The latest API security report, The API Security Disconnect 2023, released by Noname Security in September, found that API attacks were escalating, with nearly eight in 10 organizations (78%) having experienced a security incident in the last 12 months. More than half of incidents (51%) resulted in the loss of customer goodwill and accounts.

APIs are an essential component of the software supply chain, which means that securing APIs is critical in hardening software supply chains from attack, said Joey Stanford, head of global security and privacy at Platform.sh.”

New One-Click Exploit Is a Supply Chain Risk for Linux OSes

“Researchers have uncovered a vulnerability in a library within the GNOME desktop environment for Linux systems. If embedded in a malicious link, it could enable attackers to perform machine takeover in an instant.

GNOME — short for GNU Object Model Environment — is an open source desktop environment implemented by popular Linux distributions like Ubuntu and Fedora.

According to a new blog from the GitHub Security Lab, within one of GNOME's default applications is a dependency containing a "High" 8.8 out of 10-rated, out-of-bounds array access vulnerability. Because of how the application works, all an attacker would need is one click from a victim in order to execute arbitrary code on a GNOME OS.”

Researchers warn of increased malware delivery via fake browser updates - Help Net Security

“ClearFake, a recently documented threat leveraging compromised WordPress sites to push malicious fake browser updates, is likely operated by the threat group behind the SocGholish “malware delivery via fake browser updates” campaigns, Sekoia researchers have concluded.”

Malvertising and Adware

PEACHPIT: Massive Ad Fraud Botnet Powered by Millions of Hacked Android and iOS

“An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.

The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an Android malware strain called Triada.

"The PEACHPIT botnet's conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS," HUMAN said.

The infections are said to have been realized through a collection of 39 apps that were installed more than 15 million times. Devices fitted with the BADBOX malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through the bogus apps.”

Malicious Notepad++ Google ads evade detection for months

“A new Google Search malvertizing campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis.

Threat actors have been increasingly abusing Google Ads in malvertising campaigns to promote fake software websites that distribute malware.

According to Malwarebytes, which spotted the Notepad++ malvertising campaign, it has been live for several months but managed to fly under the radar all this time.

The final payload delivered to victims is unknown, but Malwarebytes says it's most likely Cobalt Strike, which usually precedes highly damaging ransomware deployments.”

Android adware apps on Google Play amass two million installs

“Several malicious Google Play Android apps installed over 2 million times push intrusive ads to users while concealing their presence on the infected devices.

In their latest monthly mobile threat report, Doctor Web's analysts identified trojans on Google Play associated with the 'FakeApp,' 'Joker,' and the 'HiddenAds' malware families.

Dr. Web explains that once victims install these apps on their devices, they hide by replacing their icons with that of Google Chrome or using a transparent icon image to create empty space in the app drawer.

These apps run stealthily in the background upon launch, abusing the browser to launch ads and generate revenue for their operators.”

Clever malvertising attack uses Punycode to look like KeePass's official website

“Threat actors are known for impersonating popular brands in order to trick users. In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager which was extremely deceiving. We previously reported on how brand impersonations are a common occurrence these days due to a feature known as tracking templates, but this attack used an additional layer of deception.

The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site. The difference between the two sites is visually so subtle it will undoubtably fool many people.

We have reported this incident to Google but would like to warn users that the ad is still currently running.”

Malvertising via Dynamic Search Ads delivers malware bonanza

“Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.

Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.”

Ransomware

Rhysida ransomware gang claims attacks on governments in Portugal, Dominican Republic

“A notorious ransomware gang has claimed attacks against two government institutions this week, both of which confirmed they faced a range of issues due to the incidents.

The city of Gondomar – a suburb about 20 minutes away from the Portuguese city of Porto – said on September 27 that it was the target of a cyberattack that forced officials to take systems offline and contact the country’s National Cybersecurity Center and the National Data Protection Commission and local law enforcement.

The government said that some municipal services would be disrupted while experts worked to resolve the situation. On Monday, officials clarified that all online services offered by the government would be out of operation for the week, but residents could come in person to pay bills, get permits and take other actions.”

HelloKitty ransomware source code leaked on hacking forum

“A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor.

The leak was first discovered by cybersecurity researcher 3xp0rt, who spotted a threat actor named 'kapuchin0' releasing the "first branch" of the HelloKitty ransomware encryptor.”

AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

“On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

In this blog post, we explained the Tactics, Techniques, and Procedures (TTPs) used by AvosLocker ransomware and how organizations can defend themselves against AvosLocker ransomware attacks.”

Ransomware attacks now target unpatched WS_FTP servers

“Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. 

As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.”

Feds Warn Healthcare Sector of 'NoEscape' RaaS Gang Threats

“Federal authorities are warning the healthcare and public health sector of threats involving NoEscape, a relatively new multi-extortion ransomware-as-a-service group believed to be a successor to the defunct Russian-speaking Avaddon gang.

Since emerging in May 2023, NoEscape is a "formidable adversary" has been targeting a variety of industries with "aggressive" multi-extortion attacks, warned the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center on Thursday.

While the group's primary focus so far appears to be on professional services, manufacturing and information services organizations - it has also launched attacks on private healthcare and public health organizations.

Threat monitoring firm Darkfeed has counted a total of 77 NoEscape attack victims as of Friday.”

Ukrainian activists hack Trigona ransomware gang, wipe servers

“A group of cyber activists under the Ukrainian Cyber Alliance banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.

The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.”

RagnarLocker ransomware dark web site seized in international sting | TechCrunch

“An international group of law enforcement agencies have disrupted the notorious RagnarLocker ransomware operation.

TechCrunch reported Thursday that an international law enforcement operation involving agencies from the U.S., European Union and Japan had seized the RagnarLocker group’s dark web portal. The portal, which the gang used to extort its victims by publishing their stolen data, now reads: “This service has been seized by a part of a coordinated international law enforcement action against the RagnarLocker group.”

Announcing the takedown on Friday, Europol confirmed it took coordinated action against RagnarLocker, which it says was responsible for “numerous high-profile attacks.” The European police agency also confirmed the arrest of a 35-year-old man in Paris on October 16, who the authorities accuse of being the “main perpetrator” of the operation. Authorities searched the alleged RagnarLocker developer’s home in the Czech Republic. Alleged associates of the developer were also interviewed in Spain and Latvia.

RagnarLocker’s infrastructure was also seized in the Netherlands, Germany and Sweden. According to Eurojust, the EU agency that coordinates criminal justice cooperation across the bloc, a total of nine servers were seized: five in the Netherlands, two in Germany and two in Sweden. Eurojust also reports that it seized various cryptocurrencies, though their value is currently unknown.”

New Hunters International ransomware possible rebrand of Hive

“​​A new ransomware-as-a-service brand named Hunters International has emerged using code used by the Hive ransomware operation, leading to the valid assumption that the old gang has resumed activity under a different flag.

This theory is supported by analysis of the new encryptor revealing multiple code overlaps between the two ransomware gangs.”

RansomedVC Ransomware Group Quitting and Selling its Entire Infrastructure

“The infamous RansomedVC ransomware group, responsible for a string of high-profile ransomware attacks, has abruptly announced its dissolution. The group, known for its sophisticated hacking tactics and exploitation of the European Union’s GDPR laws, has decided to sell its entire infrastructure.

RansomedVC, which first emerged in August 2023, targeted a wide array of entities, from major corporations to government bodies and educational institutions. Their modus operandi involved infiltrating networks, exfiltrating sensitive data, and subsequently threatening victims with publication of the stolen information unless a substantial ransom was paid. Notably, they also exploited the threat of reporting victims to GDPR authorities, potentially resulting in severe penalties.

The group’s most prominent alleged victims included well-known names such as Sony Corporation and the Colonial Pipeline, victims of the group’s extortion tactics in September and October 2023, respectively.

However, RansomedVC has taken an unexpected and unprecedented step by putting their entire toolkit up for sale. As seen by Hackread.com, the sale includes a staggering array of assets, such as various domains and forums, a ransomware builder with promised 100% undetectability by antivirus software, access to affiliate groups, social media accounts, Telegram channels, VPN access to multiple companies with a jaw-dropping revenue of $3 billion, databases worth over $10 million each, and more.”

Hacktivism

Russian Hacktivism Takes a Toll on Organizations in Ukraine, EU, US

“Though sometimes they appear to be all bark and no bite, experts say Russian hacktivist groups are in fact having a serious impact on organizations in Ukraine and NATO countries.

Pro-Russian hacktivism has exploded since the beginning of the Ukraine war. Led by the now-infamous KillNet, nationalist hackers have been orchestrating attacks against any government or corporation voicing opposition to Putin's invasion.

Many of them are empty PR stunts — for example, KillNet's takedown of the UK royal family's official website on Sunday — harking back to the days of Anonymous. But experts warn that not only are these groups doing actual harm, they're also planning bigger and badder things to come.”

Hacktivism erupts in Middle East as Israel declares war

“Hacktivism efforts have proliferated rapidly in the Middle East following the official announcement of a war between Palestine and Israel.

The escalation was spurred by a deadly attack on a music festival by Hamas, along with abductions and killings across scores of Israeli towns after a surprise incursion from the Gaza border in the morning of October 7.

About 700 Israelis were killed and more than 150 taken hostage, according to Israeli officials, while deadly counterattacks from Israel have since killed at least 511 people on the densely populated Gaza Strip since Saturday, Gaza's health ministry says.

At least 15 known cybercriminal, ransomware, and hacktivist groups have announced their active participation in disruptive attacks targeting institutions in Israel and Palestine, as well as their supporters.”

Growing Concern Over Role of Hacktivism in Israel-Hamas Conflict - Infosecurity Magazine

“Hacktivists have claimed to hit Israeli websites through DDoS and defacement attacks following the outbreak of conflict between Israel and Hamas. Cybersecurity experts now warn of signs of more impactful attacks being attempted.

Researchers from Radware found that Israel endured 143 DDoS attacks between October 2 and October 10, making it the most targeted nation state during that period. These attacks were all claimed by hacktivists on the messaging service Telegram.”

BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group

“Security Joes Incident Response team volunteered to assist Israeli companies during the times of war between the state of Israel and the terrorist organization Hamas. During the forensics investigation, we found what appears to be a new Linux Wiper malware we track as BiBi-Linux Wiper.

This malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the "nohup" command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing "BiBi," and excluding certain file types from corruption.”

Nation-State / Advanced Persistent Threat

Belgian intelligence service VSSE accused Alibaba of ‘possible espionage’ at European hub in Liege

“The Belgian intelligence service VSSE revealed that is investigating potential cyber espionage activities carried out by Chinese firms, including the Alibaba Group Holding, at a cargo airport in Liege.

According to the Financial Times, Alibaba has located its main European logistics centre at Liege Airport and the VSSE was working to “detect and fight against possible spying and/or interference activities carried out by Chinese entities including Alibaba”.

The Alibaba logistics hub at the cargo airport in Liège, Cainiao, has been active since 2018.

The Belgian intelligence service fears that the Chinese government can force Chinese businesses or individuals to support its intelligence operations in compliance with its National Intelligence Law.”

China Poised to Disrupt US Critical Infrastructure with Cyber-Attacks, Microsoft Warns

“Chinese threat actors are positioning themselves to deploy major cyber-attacks against US critical national infrastructure (CNI) in the event of an escalation of hostilities between the two nations.

Microsoft’s latest Digital Defense Report (MDDR) observed a rise in Chinese state-affiliated actors, such as Circle Typhoon and Volt Typhoon, targeting sectors like transportation, utilities, medical infrastructure and telecommunications.

These campaigns may be intended to enable China to disrupt critical infrastructure and communication between the US and Asia during a geopolitical crisis, the tech giant believes.”

Researchers Uncover Grayling APT's Ongoing Attack Campaign Across Industries

“A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan.

The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name Grayling. Evidence shows that the campaign began in February 2023 and continued until at least May 2023.

Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S.”

Russian Sandworm hackers breached 11 Ukrainian telcos since May

“The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023.

That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.

The agency states that the Russian hackers "interfered" with the communication systems of 11 telcos in the country, leading to service interruptions and potential data breaches.

Sandworm is a very active espionage threat group linked to Russia's GRU (armed forces). The attackers have focused on Ukraine throughout 2023, using phishing lures, Android malware, and data-wipers.”

Crambus: New Campaign Targets Middle Eastern Government | Symantec Enterprise Blogs

“The Iranian Crambus espionage group (aka OilRig, APT34) staged an eight-month-long intrusion against a government in the Middle East between February and September 2023. During the compromise, the attackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results  to the attackers. Malicious activity occurred on at least 12 computers and there is evidence that the attackers deployed backdoors and keyloggers on dozens more.

In addition to deploying malware, the attackers made frequent use of the publicly available network administration tool Plink to configure port-forwarding rules on compromised machines, enabling remote access via the Remote Desktop Protocol (RDP). There is also evidence the attackers modified Windows firewall rules in order to enable remote access.”

Iran APT Targets the Mediterranean With Watering-Hole Attacks

“A threat actor sponsored by the Islamic Republic of Iran has been using watering-hole attacks, with a new malware downloader and a budding new method of infection, against Mediterranean organizations involved in the maritime, shipping, and logistics sectors.

These latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Tortoiseshell, Imperial Kitten, TA456, Crimson Sandstorm, and Yellow Liderc, according to a blog post this week from PricewaterhouseCoopers. The Islamic Revolutionary Guard Corps-backed threat actor has previously been recorded using watering holes, phishing domains, highly targeted emails, fake social media accounts, and more, in its globe-spanning espionage campaigns.”

Data Breaches / Credential Stuffing

Sony confirms data breach impacting thousands in the U.S.

“Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information.

The company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.

The zero-day is CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution, leveraged by the Clop ransomware in large-scale attacks that compromised numerous organizations across the world.

Clop ransomware gang added Sony Group to its list of victims in late June. However, the firm did not provide a public statement until now.”

Major CRM Provider Really Simple Systems Leaked 3M Customer Records

“A global CRM (customer relationship management) systems provider, Really Simple Systems, has suffered a data security incident in which more than 3 million customer records were exposed to the public without any password or security authentication.

These records were stored in an unprotected database discovered by cybersecurity researcher Jeremiah Fowler of vpnMentor.

Fowler had access to limited sampling, which indicated that a wide range of documents belonging to organizations from different sectors/sizes were part of the leaked database. Most were well-reputed, high-profile organizations, located in EU countries, the USA, the UK, and Australia.

Fowler wrote that most exposed records can be considered ‘highly sensitive’ for exposing PII data (personally identifiable information). These records were publicly accessible to any user with an internet connection.

The exposed data includes internal communications/invoice records and customers’ CRM files containing valuable user data such as names, phone numbers, addresses, email IDs, and payment information.”

X-Force uncovers global NetScaler Gateway credential harvesting campaign

“In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related incident response engagements were associated with the use of stolen credentials.

In response to the widespread exploitation of CVE-2023-3519 CISA released an advisory document containing guidance on detection, incident response, mitigations and validating security controls. However, through multiple incident response investigations, X-Force discovered a new exploitation artifact related to CVE2-2023-3519 and developed additional guidance to be used in conjunction with CISA’s detection and response recommendations.”

D.C. Board of Elections confirms voter data stolen in site hack

“The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC.

DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.

Its investigation into the claims has revealed that the attackers accessed the information through the web server of DataNet Systems, the hosting provider for Washington D.C.'s election authority. 

Notably, the breach did not involve a direct compromise of DCBOE's servers and internal systems.”

Third Flagstar Bank data breach since 2021 affects 800,000 customers

“Flagstar Bank is warning that over 800,000 US customers had their personal information stolen by cybercriminals due to a breach at a third-party service provider.

Flagstar, now owned by the New York Community Bank, is a Michigan-based financial services provider that, before its acquisition last year, was one of the largest banks in the United States, having total assets of over $31 billion.

A data breach notification sent to impacted customers explains that Flagstar was indirectly impacted by Fiserv, a vendor it uses for payment processing and mobile banking services.

Fiserv was breached in the widespread CLOP MOVEit Transfer data theft attacks that have impacted over 64 million people and two thousand organizations worldwide, according to a report by Emsisoft.”

US Smashes Annual Data Breach Record With Three Months Left - Infosecurity Magazine

“There were 2116 reported US data breaches and leaks in the first nine months of 2023, making it the worst year on record with a whole quarter left to go, according to the Identity Theft Resource Center (ITRC).

The non-profit, which tracks publicly reported breaches in the US, said there were 733 “data compromises” in Q3 2023, a 22% decline from the previous quarter. However, despite the relative slump, this was enough to drag the total for the year past the previous all-time high of 1862 set in 2021.

On a more positive note, the ITRC counted an estimated 234 million victims from these breaches, well short of the 425 million individuals impacted by incidents last year.

Cyber-attacks remained the most common cause of breaches in Q3, with phishing attacks the most popular attack vector, followed by zero-day exploits, ransomware and malware. Zero-day attacks in particular are on the rise, climbing 1620% in the first three quarters of 2023 versus the whole of 2022, the ITRC said.”

1Password also affected by Okta Support System breach - Help Net Security

“Following in the footsteps of BeyondTrust and CloudFlare, 1Password has revealed that it has been affected by the Okta Support System breach.

David Bradbury, Chief Security Officer at Okta, disclosed last Friday that an attacker has “leveraged access to a stolen credential to access Okta’s support case management system” and “view files uploaded by certain Okta customers as part of recent support cases.”

The files in question are HTTP Archive (HAR) files, which are generated by web browsers to log interactions with a website. Okta’s support team asks customers to share these files so they can troubleshoot issues by replicating browser activity.

Bradbury says that the production Okta service and the company’s Auth0/CIC case management system have not been impacted, and that the company notified all customers that were impacted by this.”

Okta Reveals Breach Via Stolen Credential - Infosecurity Magazine

“Identity and access management (IAM) specialist Okta has found itself on the receiving end of another security breach after a threat actor was able to access a stolen credential.

Chief security officer (CSO) for the vendor, David Bradbury, explained in a brief blog post on Friday that an adversary used the credential to access its support case management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” he added.

However, even access to the case management system may have exposed sensitive customer information, Bradbury admitted.”

Casio discloses data breach impacting customers in 149 countries

“Japanese electronics manufacturer Casio disclosed a data breach impacting customers from 149 countries after hackers gained to the servers of its ClassPad education platform.

Casio detected the incident on Wednesday, October 11, following the failure of a ClassPad database within the company's development environment. Evidence suggests that the attacker accessed customers' personal information a day later, on October 12.

The exposed data includes customer names, email addresses, countries of residence, service usage details, and purchase information such as payment methods, license codes, and order specifics.

Casio says that credit card information was not stored within the compromised database.

As of October 18, the attackers accessed 91,921 items belonging to Japanese customers (including individuals and 1,108 educational institution customers) and 35,049 records belonging to customers from 148 countries and regions outside Japan.”

Other Headlines

Typosquatting campaign delivers r77 rootkit via npm

“ReversingLabs researchers have identified a new, malicious supply chain attack affecting the npm platform. The “typosquatting” campaign first appeared in August and pushed a malicious package, node-hide-console-windows, which downloaded a Discord bot that facilitated the planting of an open source rootkit, r77.

This is the first time ReversingLabs researchers have discovered a malicious open source package delivering rootkit functionality, and suggests that open source projects may increasingly be seen as an avenue by which to distribute malware.”

Record $7 billion in crypto laundered through cross-chain services

“The value of illicit crypto laundered through cross-chain crime has reached $7 billion, new figures published today by Elliptic can reveal. 

Cross-chain crime refers to the swapping of cryptoassets between different tokens or blockchains – often in rapid succession and with no legitimate business purpose – to obfuscate their criminal origin. Known also as “chain-” or “asset-hopping”, cross-chain crime is on course to become the dominant means of laundering cryptoassets.

Our latest figures suggest that it is fast becoming the preferred money laundering method for a range of cybercrimes, including scams and crypto thefts, as enforcement actions continue to target criminals’ traditional means of obfuscating funds.

The news comes from findings revealed in our latest “State of Cross-chain Crime” report, which, since last year, has been able to utilize new research methodologies empowered by Elliptic’s new Holistic-enabled blockchain analytics capabilities. 

This next-generation technology ​​– an industry first – allows the programmatic and at-scale screening, tracing, monitoring and investigation of activity across multiple blockchains and assets concurrently. As a result, we have been able to unearth new insights into the true scale of cross-chain crime.”

“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts | by Guardio | Oct, 2023 | Medium

““EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.

Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake “browser updates”. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down.

Dive into our analysis to grasp this game-changing technique that might just transcend standard phishing and malware campaigns.”

Legions of Critical Infrastructure Devices Subject to Cyber Targeting

“There are at least 100,000 industrial control systems (ICS) exposed to the public Internet around the world, controlling a host of critical operational technologies (OT) like power grids, water systems, and building management systems (BMS). While that's a big number, researchers note that quantifying true cyber-risk from that exposure means examining which protocols the gear uses.

In a recent analysis, researchers from cyber-risk handicapper Bitsight reached the 100,000 number by inventorying reachable devices that use the top 10 most popular and widely used ICS protocols (including Modbus, KNX, BACnet, Niagara Fox, and others.)

They determined that the exposed ICS footprint represents a ripe target for cyberattackers, and thus a global risk to physical safety in least 96 countries. The risk is not theoretical, as malware built to subvert power grids and incidents like the Colonial Pipeline hack show.”

Introducing secret scanning validity checks for major cloud services - The GitHub Blog

“At GitHub, we launched secret scanning with the mission of eliminating all credential leaks. In support of this mission, this year we’ve made secret scanning and secret scanning push protection free on public repositories to help open source users detect and prevent secret leaks. We also shipped push protection metrics for GitHub Advanced Security customers to better understand trends across their organization.

But a good security experience isn’t just about reducing noise and delivering high-confidence alerts–it should make your remediation efforts simpler and faster. A key component of remediation is assessing whether a token is active or not. To that end, we introduced validity checks for GitHub tokens earlier this year, which removes manual effort and friction from the process. You can see a token’s status within the UI, saving you time and allowing you to prioritize remediation efforts more efficiently. This is especially useful when you have to comb through hundreds or even thousands of alerts.

Today, we’re excited to announce that we have extended validity checks for select tokens from AWS, Microsoft, Google, and Slack. These account for some of the most common types of secrets detected across repositories on GitHub. This is just the beginning–we’ll continuously expand validation support on more tokens in our secret scanning partner program. You can keep up to date on our progress via our list of supported patterns.”

THREAT ANALYSIS: Taking Shortcuts… Using LNK Files for Initial Infection and Persistence

“Cybereason issues Threat Analysis reports to explore widely used attack techniques, outline how threat actors leverage these techniques, describe how to reproduce an attack, and report how defenders can detect and prevent these attacks. 

In this Threat Analysis report, Cybereason investigates and explores various techniques for abusing the Windows Shortcut file format.”

New WordPress backdoor creates rogue admin to hijack websites

“A new malware has been posing as a legitimate caching plugin to target WordPress sites, allowing threat actors to create an administrator account and control the site's activity.

The malware is a backdoor with a variety of functions that let it manage plugins and hide itself from active ones on the compromised websites, replace content, or redirect certain users to malicious locations.”

Beware Lumma Stealer Distributed via Discord CDN

“Our latest investigation revealed that threat actors are now delivering an information-stealing malware called Lumma Stealer via Discord, a popular chat platform for online gamers, content creators, and streamers. We’ve observed that malicious actors are abusing Discord’s content delivery network (CDN) to host and spread Lumma Stealer, while also using the social platform’s application programming interface (API) to create bots that can communicate with the malware and control it remotely. Some of these bots also send stolen data to private Discord servers or channels. 

Lumma Stealer, which is written in the C programming language and steals user credentials, is one of the latest malware families to have been distributed by threat actors via Discord’s CDN. This infostealer was first detected in August 2022, and earlier this year, it was reported that Lumma Stealer operators targeted YouTube users via spear-phishing emails.

Currently, Lumma Stealer is being sold as a service in underground forums with prices starting at USD$250 per month. The lowest plan allows users to view and upload logs and provides access to log analysis tools, while the professional plan has the same set of features plus access to traffic analysis tools. The corporate plan, which costs four times as much as the cheapest one, includes proactive defense bypass services. Lastly, at US$20,000, the most expensive plan allows users to access the source code and gives them the right to sell the infostealer.”