Decipher (https://decipher.sc)
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.
Contact: info@decipher.sc (Amy Vazquez). Copyright 2023.

Time-to-Exploit: What It Means and Why It’s Going Down
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/attackers-are-getting-faster-at-exploiting-flaws

Researchers say the average time it takes threat actors to exploit vulnerabilities, whether before or after public disclosure, continues to fall.

Mandiant researchers analyzed 246 vulnerabilities that were disclosed in 2021 and 2022 and tracked as exploited in the wild, and found that the overall average time-to-exploit (TTE) is decreasing, with exploitation likely to occur before the end of the first month after a patch has been released. This continues a trend seen over the past few years: between 2018 and 2019 the average TTE was 63 days, and from 2020 to early 2021 it dropped to 44 days.

“For 2021 and 2022, we saw a continued, notable decrease in TTE to 32 days, about 75% of the previous two years,” said Casey Charrier and Jared Semrau, researchers with Mandiant, in a Thursday analysis. “Given that the proportion of n-days to zero-days was practically identical (38:62 as opposed to 39:61), the time between disclosure and exploitation is consistently trending downward.”

This timeframe has been closely studied by many researchers across the security community as a way to get a sense of how quickly attackers are able to exploit flaws once they discover them. Understanding these trends helps organizations better develop effective strategies around patching and remediation. In a report released earlier this year, for example, Rapid7 researchers looked specifically at instances of exploitation after public disclosure and found that half of the flaws that they analyzed were exploited within seven days of public disclosure in 2022, marking a 12 percent increase over 2021.

Behind the Numbers

Many factors can affect these figures. Mandiant’s TTE accounts for exploitation both before and after public disclosure, but in many cases first-exploitation dates are not publicly disclosed or are given only as vague timeframes.

One big factor is zero-day versus n-day exploitation: researchers said that zero-day usage has driven the decrease in TTE averages, but continued exploitation of n-day vulnerabilities has also affected the timeframe. For instance, Mandiant researchers noted that between 2020 and early 2021, 41 percent of n-day flaws were exploited within weeks of disclosure, while in 2021 and 2022, 44 percent of n-day bugs were exploited within two months.

“This suggests that n-day exploitation timelines may have grown slightly, but the high proportion of zero-days seen across the last two years, especially in 2021, skewed the total TTE average,” said researchers. “This TTE average also accounts for seven unpatched vulnerabilities, for which we capped TTE timelines at the end of their respective years. If we had not capped the TTE timelines for those seven unpatched vulnerabilities, the average TTE would drop from 32 to 20 days.”

When looking at zero-day timeframes, researchers also took into account how quickly patches were released. They found that most of the 153 zero-days in 2021 and 2022 were remediated in a timely manner, with 101 of them patched within the first week of first known exploitation. Only 23 percent of the flaws received patches after the first month following first known exploitation.

“This reinforces the need for organizations to utilize multiple strategies when trying to protect against zero-day exploitation, as a well-rounded, defense-in-depth strategy is often needed when remediations do not yet exist,” said researchers. “It is also important to acknowledge that a vulnerability’s first exploitation is not necessarily its last… Mandiant has identified many vulnerabilities that are still not only used long after initial exploitation, but also after patches were made available. This demonstrates the importance of patching vulnerable systems, even when well after the initial patch was released.”

Applying Patches

Mandiant researchers said that exploitation is most likely to occur within the first month after an initial patch for a flaw has been released, with a total of 29 n-day vulnerabilities being exploited within the first month of being disclosed (versus 23 flaws being first exploited after the first six months).

Researchers said that though vulnerabilities are less likely to be exploited after the first several months following the issuance of a patch, attackers still do exploit known flaws long after their discovery and disclosure. In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in August highlighted that many of the flaws that were routinely exploited last year were disclosed in 2021 or earlier, including the Log4j flaw from 2021, the ProxyShell bugs from 2021 and a Fortinet SSL VPN flaw from 2018.

“A key takeaway from this is that while threat actors generally prefer newer vulnerabilities, they will not completely shy away from vulnerabilities due to age and public knowledge; threat actors still value using already known and documented vulnerabilities as opposed to discovering new ones,” said Mandiant researchers. “While it may be tempting to ignore patches that haven’t been implemented within their first year, there are actors ready to target unpatched systems.”

FBI: Ransomware Actors Launching 'Dual' Attacks
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/fbi-dual-attacks-adding-significant-harm-to-ransomware-victims

The FBI is warning of dual ransomware attacks, in which victim organizations are hit with two different ransomware variants in quick succession, sometimes within 48 hours of each other.

Several factors are enabling these dual attacks. Attackers are getting quicker at exploiting zero-day vulnerabilities. At the same time, the ransomware landscape is becoming more crowded, and initial access brokers are reselling access to victim systems. For victims, dual ransomware attacks mean data is encrypted or exfiltrated multiple times, making incident response even more complex and difficult. This could "significantly harm" impacted organizations, the FBI said.

“During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal,” said the FBI this week in a Private Industry Notification, which it releases to help keep organizations aware of the latest cybersecurity threats. “Variants were deployed in various combinations. This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments.”

What’s not clear is how prevalent these types of attacks actually are. Though the FBI noted that it has seen this method trending since July, this tactic is also not completely new. Last year, researchers with Sophos noted an uptick in organizations being hit by two or more threat actors. In one incident, researchers observed an organization’s data encrypted by three separate ransomware variants - Hive, LockBit and ALPHV/BlackCat - with the first two attacks happening within two hours and the third happening weeks later. In this incident, all three ransomware groups left their own ransom demand and the organization’s files were encrypted two, or in some cases three, times.

Ransomware actors in general are deploying several other tactics to put further pressure on victims during attacks. The FBI said that in early 2022, many groups increasingly started to use custom data theft, wiper tools and malware in their attacks.

“In some cases, new code was added to known data theft tools to prevent detection,” said the FBI. “In other cases in 2022, malware containing data wipers remained dormant until a set time, then executed to corrupt data in alternating intervals.”

Overall, the FBI recommends that enterprises take several steps to protect themselves against these tactics. That includes maintaining offline data backups, making sure all backup data is encrypted, and monitoring all connections to third-party vendors and software for suspicious activity. Other mitigations include keeping all operating systems and software up to date, aligning with NIST’s password policy standards, implementing MFA, and reviewing domain controllers, servers and Active Directory for new or unrecognized accounts.

Critical Flaw Patched in Progress File Transfer Server
By Dennis Fisher (dennis@decipher.sc)
https://duo.com/decipher/critical-flaw-patched-in-progress-file-transfer-server

Progress Software, the maker of the MOVEit Transfer app that has been targeted by attackers for several months, is warning customers about a critical vulnerability in its WS_FTP Server product that can allow arbitrary remote code execution.

The vulnerability (CVE-2023-40044) is a deserialization bug in the Ad Hoc Transfer module in WS_FTP Server, a secure file transfer product. The flaw affects all versions of the server and can be exploited without authentication.

“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” the advisory says.

The Ad Hoc Transfer module is part of the default installation for the WS_FTP Server, so unless it is explicitly disabled by the customer, the installation is vulnerable to this bug.

Progress has released updates to fix this vulnerability, along with several others that have been discovered in the WS_FTP Server. Among the other bugs fixed in the new release is a critical directory traversal vulnerability (CVE-2023-42657).

“An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder path. Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system,” the advisory says.

Three high-severity and three medium-severity bugs are also fixed in the new release, including a reflected XSS vulnerability in the Ad Hoc Transfer module.

“In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Ad Hoc Transfer module. An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results in the execution of malicious JavaScript within the context of the victim's browser,” the advisory says.

All organizations running a vulnerable version of the WS_FTP Server product should update as soon as possible.

Progress customers are still dealing with the fallout of attacks on a vulnerability in the MOVEit file transfer app that was disclosed in June. That vulnerability was exploited as a zero day, and the Cl0p ransomware group was among the actors targeting it. Thousands of companies have been affected by attacks on the vulnerability (CVE-2023-34362), and there likely will be further downstream effects in the coming months.

Decipher Podcast: Source Code 9/29
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/decipher-podcast-source-code-9-29

Google Issues Fix For High-Severity Chrome Zero Day
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/google-fixes-high-severity-chrome-zero-day

As part of a security update on Wednesday, Google fixed a heap buffer overflow issue in its Chrome browser that is being exploited in the wild.

The high-severity flaw (CVE-2023-5217) exists in the VP8 encoding code in libvpx, a free software video codec library developed by Google and the Alliance for Open Media. While details of the flaw, which was reported by Clement Lecigne of Google’s Threat Analysis Group (TAG), have not been disclosed, Google TAG security researcher Maddie Stone said on Wednesday that the zero-day is in use by a commercial surveillance vendor.

Google did not provide further information about these exploits, other than to say in its Wednesday release that it “is aware that an exploit for CVE-2023-5217 exists in the wild.”

There were also no further details mentioned on the specific spyware vendor using the Chrome flaw. Google TAG researchers, who often dig into zero day attacks from commercial spyware companies, also led the charge earlier this month in the discovery of Apple zero days that they said were used to deliver NSO Group's Pegasus spyware, as well as ones that were part of an exploit chain developed by commercial surveillance vendor Intellexa.

The heap overflow bug, meanwhile, is the second Chrome zero day fixed by Google this month. Earlier in September, Google warned of a heap buffer overflow bug that exists in WebP, which is an image file format developed by Google. The company has also fixed a high-severity type confusion error zero day (CVE-2023-3079) in June and a high-severity integer overflow flaw (CVE-2023-2136) in April. Though the number of actively exploited flaws being disclosed is ticking up over the year, the good news is that Google appears to be staying on top of these zero days; a patch for CVE-2023-5217 was developed within two days of Sept. 25, when it was first reported.

On Wednesday, Google also released nine other security fixes, including a high-severity use-after-free flaw (CVE-2023-5186) in Passwords and a high-severity use-after-free error (CVE-2023-5187) in Extensions. Google said its updates in version 117.0.5938.132 for Windows, Mac and Linux will roll out over the coming days/weeks.

MOVEit Bug’s Ripple Effect Still Unfolding
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/companies-still-seeing-moveit-bug-s-ripple-effect

Almost four months after the MOVEit Transfer flaw was uncovered, companies are still unearthing details about data that was compromised in the ensuing exploits, painting a more complete picture of the bug’s impact.

Last week, a U.S. educational nonprofit for North American colleges, National Student Clearinghouse, said that its previously disclosed breach stemming from the MOVEit Transfer flaw had led to the compromise of student record information at almost 900 schools in its database. Meanwhile, a Canadian healthcare organization called the Better Outcomes Registry & Network (BORN) Ontario this month announced the results of an investigation into its MOVEit-related breach, which showed that the personal health information of 3.4 million newborns and pregnancy patients had been compromised. And, while compliance firm Sovos first disclosed in July that the data from several of its customers was breached via the MOVEit Transfer flaw, a data breach disclosure from last week showed the company was still discovering additional victims.

A looming layer of complexity in the MOVEit Transfer saga has been that attacks on companies that actually use Progress Software’s MOVEit managed file transfer software may also impact data related to their downstream customers, partners and other third-party organizations. For instance, the Hospital for Sick Children, a healthcare provider in Canada, said on Monday that it was impacted by BORN Ontario’s MOVEit-related data breach because it shares patients’ personal health data with BORN.

“It’s easy to see that multiple victims have been affected only because they rely on a third-party provider that uses MOVEit Transfer - not strictly using the software themselves,” said John Hammond, senior security researcher with Huntress. “This is a sort of trickle-down effect, like a set of falling dominos, as you would expect in a supply chain attack. This effect can come from simply having data used in other locations, or software integrations or connected applications that bridge technologies. Any technical way that organizations rely on another could be used and abused by threat actors.”

While Progress Software disclosed the flaw and issued a patch on May 31, its full impact is still being mapped out. Antivirus company Emsisoft scoured data from state breach notifications, SEC filings and public disclosures and found that since Progress Software first disclosed the vulnerability in May, 2,120 organizations have been impacted by MOVEit Transfer-related attacks, with the data of over 62 million individuals compromised (as of Sept. 27). Making matters worse, of the 2,120 affected organizations, only 188 issued disclosures that specified how many individuals were impacted, so the total number of impacted individuals may be higher.

“It’s having a cascading impact, and some of these incidents are three or four levels deep, with organizations being compromised because they contracted with a vendor or supplier,” said Brett Callow, threat analyst with Emsisoft. “I’m sure organizations have been impacted that don’t know yet simply because the news hasn’t gone down the channel.”


While zero-day vulnerabilities typically make headlines when they are first disclosed, they have lasting long-term impacts in the ensuing weeks, months and years, as threat actors continue to target unpatched instances. In fact, an August report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) found that the majority of the flaws that attackers routinely exploited over the last year were disclosed in 2021 or earlier, including the Log4Shell flaw from 2021, the ProxyShell bugs in Exchange from 2021 and a Fortinet SSL VPN bug from 2018.

For MOVEit, many of the attacks occurred during an initial rampage on vulnerable MOVEit Transfer servers by the threat actors linked to the Clop ransomware. Some researchers said that they first saw this exploit activity on May 27, while others saw scanning for the MOVEit Transfer logging page as early as March 3 (months before the bug became public on May 31). While victim disclosures are still steadily continuing, many disclosures are stemming from this initial surge. For instance, though it only recently disclosed details on the impact of its breach, National Student Clearinghouse first learned on June 20 that the unauthorized actor had accessed files on May 30.

“It’s still very successful [for threat actors] as far as we know, it’s having a continued impact on a variety of industries and we’re nowhere near to seeing the total impact of that,” said Glenn Thorpe, senior director of Security Research and Detection Engineering with GreyNoise. “We know MOVEit is not over yet - actors haven’t moved away from it and it hasn’t stopped being fruitful for them.”

The obvious lesson here, both with the MOVEit Transfer bug and with other actively exploited flaws, is to patch vulnerabilities that are serious or under active exploitation as soon as possible. In a new survey looking at top exploited vulnerabilities of this year, Qualys researchers calculated that the flaw had a mean time to response/remediate (MTTR) of seven days. This data point, which shows the average time taken to address the vulnerability after detection, is low in comparison to other vulnerabilities like the PaperCut NG/MF bug (CVE-2023-27350), which had an MTTR of 23 days, and the Fortra GoAnywhere MFT remote code execution flaw (CVE-2023-0669) that had one of 31 days. However, Qualys researchers found that the flaw had a patch rate of just over 51 percent, showing that many systems are still exposed.

Beyond patching, however, part of the complexity of the MOVEit bug is that many of the impacted organizations don’t use the software themselves, but instead are part of this “trickle-down” data breach effect. These impacted organizations and individuals should be on alert for phishing emails that may use their stolen data or fraud-related attacks.

“During the early days of June, while our industry was first chasing indicators of compromise and looking for signs of exploitation, this certainly widened the pool of potential victims,” said Hammond. “Unfortunately, not all organizations might even be aware that they have this vulnerable software as a part of their (indirect) tech stack from another supplier upstream.”

Overall, flaws like the ones in MOVEit Transfer highlight the need for better security practices from software makers themselves, particularly those behind file transfer services that handle the kind of rich data that is attractive to cybercriminals. The MOVEit bug has left questions about software liability in its wake, and several lawsuits have been filed over the past months, including ones against Progress Software itself and several against companies using the MOVEit Transfer platform.

“The CVE-2023-34362 flaw in MOVEit Transfer signals potential long-term shifts in cybersecurity,” said Saeed Abbasi, manager of vulnerability and threat research at Qualys. “Much like the repercussions from Heartbleed on open-source security, this vulnerability highlights the imperative for strengthened secure development practices. It's a definite call for organizations to intensify their vulnerability assessments, engage in rigorous penetration testing, transition towards zero-trust models, and accelerate a surge in cybersecurity investment. Such high-profile vulnerabilities can spur re-evaluations of vendor trust and catalyze stricter regulatory oversight.”

'Marriages of Convenience' Between State Actors and Cybercriminals Provide Cover for Both
By Dennis Fisher (dennis@decipher.sc)
https://duo.com/decipher/marriages-of-convenience-between-state-actors-and-cybercriminals-provide-cover-for

For some time now, intelligence services in countries such as Russia, North Korea, and China have used ad hoc relationships with cybercrime groups inside their borders to insulate their organizations from the repercussions of their actions, but some recent successes by authorities in the United States and elsewhere have shown that even that tactic doesn’t put actors out of reach.

“One thing that we’re seeing is this blended threat between state actors and cyber criminals forming marriages of convenience. The intelligence services use those criminal groups for deniability,” said Deputy Attorney General Lisa Monaco during an online forum sponsored by The Washington Post Tuesday.

Those relationships aren’t necessarily formal or well-defined, but they can be quite important for both parties. Using cybercrime groups as fronts or cooperating partners in, say, a massive cryptocurrency theft, provides foreign intelligence services with a modicum of deniability while also allowing them to direct the operation and benefit from it. On the other side of the coin, the cybercrime groups get to do their thing with the blessing, whether tacit or explicit, of the national authorities in their country.

In general, most of these countries where this happens have less than zero interest in cooperating with Western authorities, so the cybercriminals essentially work with impunity. One of the few exceptions to this rule is the FSB’s arrest in 2022 of several members of the REvil ransomware gang, a group that was based in Russia. The group had become quite a nuisance, even to Russian authorities, and had drawn intense scrutiny from international law enforcement after conducting a number of high-profile intrusions, including attacks on software maker Kaseya and food producer JBS.

The REvil arrests came after months of pressure and lobbying from U.S. law enforcement and government officials, but at the time of the operation the REvil group had been inactive for some time. Still, the takedown showed the general approach that U.S. officials want to take in going after ransomware groups.

Monaco has led the effort by the Department of Justice in recent years to target cybercrime groups–and specifically ransomware gangs–by disrupting the payment and financial ecosystem that underpins the cybercrime operations. That effort has had some notable successes, reclaiming ransom payments in some high-profile cases such as the Colonial Pipeline attack, indicting alleged members of several ransomware groups, and distributing decryption keys to victims, obviating the need for them to pay ransoms. The Department of the Treasury also has sanctioned a number of foreign individuals and entities that have been involved in the processing of ransomware payments, preventing U.S. organizations and people from sending any payments to them.

It’s all part of a strategy to attack the roots of cybercrime and ransomware.


“We had to pivot to a focus on prevention and disruption, putting victims at the center of our approach. Yes we want to continue to arrest and extradite those behind the keyboard, but also we are constantly looking for ways to disrupt the next attack. So we can go and claw back ransom payments. So we can get into and literally hack the hackers, and as we did with the Hive group, swipe those decryption keys and give them out to victims,” Monaco said.

The Hive ransomware takedown in January is one of the bigger successes of the Biden administration’s efforts, and involved authorities gaining access to the group’s backend control panel for several months. That access allowed them to find the decryption keys and distribute them to affected organizations.

While the successes have become more frequent in recent years, the threat from cybercrime and ransomware groups has in no way diminished. The risks for those groups are relatively low and the rewards can be astronomically high.

“We talk a lot about the APTs, we talk about Russia and China. Unfortunately, it's cybercrime that’s the threat that faces every single organization. If you're connected at all as an organization or individual, you’re on the playing field,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency and a partner at the Krebs Stamos Group, said during the online forum Tuesday.

“You’re an opportunistic target. The reason ransomware exists is threefold. We have vulnerable, misconfigured systems. The second is they have figured out how to monetize those vulnerabilities and extract value in the form of Bitcoins, and third generally they work from safe harbors like Russia. And until we address all three of those factors, cybercrime is here to stay.”

TeamCity Users Urged to Apply Fix For Critical Flaw
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/teamcity-users-urged-to-apply-fix-for-critical-flaw

Software development tool company JetBrains is urging customers to apply updates that fix a critical-severity authentication bypass flaw in certain instances of its continuous integration and continuous deployment tool, TeamCity CI/CD.

JetBrains released version 2023.05.4 to fix the flaw (CVE-2023-42793) on Sept. 18, and said that on-premises instances of the TeamCity CI/CD server are impacted. TeamCity is a tool that helps automate the processes for building, testing and deploying software applications. Because these types of servers have access to source code and the data related to building and deploying this source code, they are considered a “high-value target for attackers,” according to researchers with Sonar’s vulnerability research team, which discovered the flaw.

“The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server,” according to JetBrains’ security advisory released last week.

Researchers with Sonar said that TeamCity is a “widely used” CI/CD server deployed by more than 30,000 customers globally; of note, however, that number includes both on-premises and cloud-hosted servers, and the issue does not affect TeamCity Cloud. According to Shodan, at least 3,000 on-premises servers are directly exposed to the internet.

If attackers were able to successfully exploit the flaw and launch a remote code execution attack, they would potentially be able to leverage their access to carry out further malicious activities, including stealing source code or private keys and taking control of attached build agents. Stefan Schiller, vulnerability researcher with Sonar, said that the flaw could also be used as a potential supply-chain attack vector.

“With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users,” said Schiller.

Caitlin Condon, senior manager of vulnerability research for Rapid7, said on Sept. 25 that Rapid7 researchers are not aware of any in-the-wild exploitation for the flaw, and no public exploit code is currently available. Meanwhile, Sonar researchers said they would not be disclosing technical details for the flaw at this time.

Both Sonar and Rapid7 researchers recommended that TeamCity customers upgrade to the fixed version immediately, and Rapid7 researchers said that customers unable to upgrade or apply fixes “should consider taking the server offline until the vulnerability can be mitigated.”

“Because this vulnerability does not require a valid account on the target instance and is trivial to exploit, it is likely that this vulnerability will be exploited in the wild,” according to Schiller. “We strongly advise all TeamCity users to apply the latest patch provided by JetBrains as soon as possible.”

Pair of Serious Flaws Patched in BIND 9
By Dennis Fisher (dennis@decipher.sc)
https://duo.com/decipher/pair-of-serious-flaws-patched-in-bind-9

There are two serious vulnerabilities in several versions of the widely deployed BIND DNS server that can allow an attacker to kill the main name server process remotely.

Although both bugs affect the named process in BIND, they lie in different places in the code base. The first vulnerability (CVE-2023-3341) is in the portion of BIND that processes control channel messages. In some cases, that code can exhaust all of the available stack memory, which would force named to exit.

“The code that processes control channel messages sent to named calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly,” the BIND advisory says.

“Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.”

That bug affects versions 9.2.0-9.16.43, 9.18.0-9.18.18, and 9.19.0-9.19.16 of BIND.
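The advisory's description of the first bug is a textbook example of two design mistakes compounding: recursion whose depth is bounded only by the size of the input, and parsing that runs before the message is authenticated. The following added example (not BIND's code, and not the isccc control-channel format named actually uses) demonstrates the pattern on a hypothetical nested encoding invented for illustration: an unbounded recursive parser that a remote peer can drive to stack exhaustion, a hardened parser with an explicit depth budget, and a framing layer that checks an HMAC (a stand-in for the RNDC key) before any parsing happens. MAX_DEPTH, KEY and the wire format are all assumptions.

```python
"""Added example (not BIND's code) of the failure class behind CVE-2023-3341.

A recursive parser whose only bound on depth is the size of the input can be
driven to stack exhaustion by anyone who can reach the listener, and parsing
before authentication means "anyone" is not limited to key holders.

The wire format is a hypothetical nested encoding invented for this example;
it is NOT the control-channel format BIND uses.
    0x01 <len:1> <bytes>           leaf
    0x02 <count:1> <element>...    table of nested elements
"""
import hashlib
import hmac

LEAF, TABLE = 0x01, 0x02
MAX_DEPTH = 16                      # assumption: deeper than any legitimate message
KEY = b"example-shared-secret"      # constructed stand-in for the RNDC key


class ParseError(ValueError):
    pass


def parse_unbounded(buf: bytes, pos: int = 0):
    """Vulnerable shape: recursion depth is whatever the peer chooses to send."""
    tag = buf[pos]
    if tag == LEAF:
        n = buf[pos + 1]
        return buf[pos + 2:pos + 2 + n], pos + 2 + n
    if tag == TABLE:
        count, pos, items = buf[pos + 1], pos + 2, []
        for _ in range(count):
            item, pos = parse_unbounded(buf, pos)   # no depth budget at all
            items.append(item)
        return items, pos
    raise ParseError(f"bad tag {tag:#x}")


def parse_bounded(buf: bytes, pos: int = 0, depth: int = 0):
    """Hardened shape: explicit depth budget and bounds checks on every read."""
    if depth > MAX_DEPTH:
        raise ParseError("nesting too deep")
    if pos + 1 >= len(buf):
        raise ParseError("truncated")
    tag, arg = buf[pos], buf[pos + 1]
    if tag == LEAF:
        end = pos + 2 + arg
        if end > len(buf):
            raise ParseError("truncated")
        return buf[pos + 2:end], end
    if tag == TABLE:
        pos, items = pos + 2, []
        for _ in range(arg):
            item, pos = parse_bounded(buf, pos, depth + 1)
            items.append(item)
        return items, pos
    raise ParseError(f"bad tag {tag:#x}")


def nested_table(depth: int) -> bytes:
    """Constructed message: `depth` single-element tables wrapped around one leaf."""
    return bytes([TABLE, 1]) * depth + bytes([LEAF, 2]) + b"ok"


def exhausts_stack(depth: int) -> bool:
    """True if the unbounded parser blows the interpreter's stack on this input."""
    try:
        parse_unbounded(nested_table(depth))
    except RecursionError:
        return True
    return False


def bounded_rejects(depth: int) -> bool:
    """True if the hardened parser refuses a message nested `depth` tables deep."""
    try:
        parse_bounded(nested_table(depth))
    except ParseError:
        return True
    return False


def seal(msg: bytes) -> bytes:
    """Constructed framing: 32-byte HMAC-SHA256 tag followed by the message."""
    return hmac.new(KEY, msg, hashlib.sha256).digest() + msg


def handle_frame(frame: bytes):
    """Authenticate first, then parse: an unauthenticated peer never reaches the parser."""
    mac, msg = frame[:32], frame[32:]
    if not hmac.compare_digest(mac, hmac.new(KEY, msg, hashlib.sha256).digest()):
        raise PermissionError("bad MAC")
    value, end = parse_bounded(msg)
    if end != len(msg):
        raise ParseError("trailing data")
    return value


if __name__ == "__main__":
    print(handle_frame(seal(nested_table(3))))   # [[[b'ok']]]
    print(exhausts_stack(5000))                 # True: 10 KB of input, thousands of frames
```

The point of the ordering in handle_frame is the one the advisory makes: once authentication happens before parsing, only a holder of the key can reach the recursive code at all, and the depth budget then protects against a malformed message from a legitimate peer.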

The second flaw (CVE-2023-4236) also affects the named process, but it’s in the code that handles DNS-over-TLS requests.

“A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load,” the advisory says.

“A named instance vulnerable to this flaw may terminate unexpectedly when subjected to significant DNS-over-TLS query load.”

The Internet Systems Consortium (ISC), which maintains BIND, has released updated versions that fix both issues. Until those are deployed, exposure to the first bug can be reduced by taking the advisory at its word: the attacker needs only TCP access to the control channel port, not a valid key, so the controls statement in named.conf should restrict that listener to localhost or a tightly scoped set of trusted addresses rather than any wider range.

<![CDATA[Apple Fixes Trio of Actively Exploited Bugs]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/apple-fixes-trio-of-actively-exploited-bugs https://duo.com/decipher/apple-fixes-trio-of-actively-exploited-bugs

UPDATE - Two weeks after fixing a pair of zero day flaws, Apple has issued more patches addressing actively exploited vulnerabilities that impact various versions of macOS, iOS, iPadOS and watchOS.

On Thursday, the company fixed a trio of bugs, which each exist in different Apple components. One flaw (CVE-2023-41992) stems from Apple’s kernel framework, and could enable a local attacker to gain elevated privileges. Apple said this issue was addressed with improved checks. The second flaw (CVE-2023-41991) exists in Apple's security framework and could allow a malicious app to bypass signature validation. Meanwhile, the third flaw in Apple’s WebKit web browser engine (CVE-2023-41993) could lead to arbitrary code execution when certain web content is processed. The latter flaw was addressed through improved checks, according to Apple.

Apple said it "is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7,” according to its security update for all three flaws on Thursday.

The three flaws impact various Apple products. For the iOS and iPadOS 17.0.1 update, the affected devices are iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later; for iOS and iPadOS 16.7 they are iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. macOS Ventura is also affected. Additionally, CVE-2023-41992 and CVE-2023-41991 impact the Apple Watch Series 4 and later, and CVE-2023-41992 impacts macOS Monterey.

The flaws have been fixed in iOS and iPadOS 16.7 and iOS and iPadOS 17.0.1, as well as watchOS 10.0.1 and 9.6.3, macOS Ventura 13.6 and macOS Monterey 12.7. Apple also pushed out a fix for CVE-2023-41993 in Safari 16.6.1 for macOS Big Sur and Monterey.

All three bugs were discovered by Bill Marczak of the Citizen Lab and Maddie Stone of Google's Threat Analysis Group (TAG). Citizen Lab researchers, who often dig into attacks from commercial spyware companies, also led the charge in the discovery of the two Apple zero days earlier this month (CVE-2023-41064 and CVE-2023-41061), which they said are part of an exploit chain that was being used to deliver NSO Group’s Pegasus spyware.

On Friday, researchers said that the flaws were part of an exploit chain that was developed by commercial surveillance vendor Intellexa and was used to target individuals in Egypt. According to Google TAG's Stone, the exploit chain was delivered via a man-in-the-middle attack.

"In the case of this campaign, if the target went to any ‘http’ site, the attackers injected traffic to silently redirect them to an Intellexa site," said Stone. "If the user was the expected targeted user, the site would then redirect the target to the exploit server... While there’s a spotlight on '0-click' vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls."

In addition to these flaws, Apple has rolled out fixes for other actively exploited bugs over the past year, including a July update addressing a WebKit flaw (CVE-2023-37450) in iOS, macOS and iPadOS, and fixes in June for bugs that were being used in targeted attacks.

This article was updated on Sept. 22 with further information about the zero-day exploit chain.

<![CDATA[Decipher Podcast: Source Code 9/22]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-9-22 https://duo.com/decipher/decipher-podcast-source-code-9-22

<![CDATA[DHS Wants to Simplify Mishmash of Cyber Incident Reporting Guidelines]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/dhs-tries-to-unify-mishmash-of-cyber-incident-reporting-guidelines https://duo.com/decipher/dhs-tries-to-unify-mishmash-of-cyber-incident-reporting-guidelines

The Department of Homeland Security (DHS) is proposing a new model for cyber incident reporting, which aims to overhaul the existing complex patchwork of reporting requirements across the U.S. and make it easier in the long run for organizations to disclose cyberattacks.

The U.S. government has been trying to encourage companies to disclose cyber incidents in an effort to both offer support and resources to victim companies and to collect more valuable incident-related data, which could help the industry better understand the tools and tactics that cybercriminals are using.

But it hasn’t been easy. Companies may be hesitant due to the perceived stigma of being a victim of a breach or cyberattack, but even organizations that want to report an incident face overlapping regulations and disparate complex processes. As part of its report, the DHS assessed 52 in-effect or proposed cyber incident reporting requirements, all with different authoritative agencies and varying requirements about the scope of reporting, timelines to disclosure and even definitions of what a cyber incident actually is. Based on this assessment, the DHS outlined a series of recommendations promoting a more unified and easier process for organizations.

“These recommendations provide a clear path forward for reducing burden on critical infrastructure partners and enabling the federal government to better identify trends in malicious cyber incidents, as well as helping organizations to prevent, respond to, and recover from attacks,” according to the DHS in a Tuesday release.

As part of this, the DHS developed a simple reporting form model to make the process easier for organizations, and a model of a definition for reportable cyber incidents that takes into account factors like a substantial loss of confidentiality, integrity or availability of systems, networks or operational technology, operational disruption, or unauthorized access of non-public personal data. The DHS also created model timelines and triggers for reporting, which give entities a timeframe to “submit an initial written report to the required agency or agencies within 72 hours of when the covered entity reasonably believes that a reportable cyber incident has occurred.”


One important aspect of these proposed models is the acknowledgement that there’s no one size fits all when it comes to cyber incidents. For instance, the reporting timeframe may be different for agencies with requirements related to national and economic security, said the DHS.

Moving the needle on cyber incident reporting is important, but just as valuable are the backend processes government agencies need in order to receive, analyze and respond to that data. To that end, the federal government needs to streamline how reported cyber incidents are processed and shared with the relevant entities, according to the DHS. That may require improvements to existing reporting systems or even the creation of a single portal, the department said.

Finally, the DHS recommended that Congress address any “legal or statutory barriers to harmonization,” to help agencies overcome budgetary or resource limitations that stand in the way of adopting new cyber incident reporting processes, or to help agencies that lack the authority needed to collect the data elements included in a cyber incident reporting form.

While cyber incident reporting challenges have been on the U.S. government’s radar for years, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), passed after the Colonial Pipeline ransomware attack, brought a renewed focus not just on reporting requirements for critical infrastructure sectors (along with liability protections), but also on an overall effort by the government to improve and standardize federal incident reporting.

CIRCIA directed the creation of the Cyber Incident Reporting Council (CIRC), which has led the development of the DHS cyber incident reporting recommendations and will lead their implementation. That implementation phase is the next step, according to the DHS.

“On behalf of the Secretary, the DHS Office of Strategy, Policy, and Plans will coordinate closely with agencies participating in the CIRC to keep Congress apprised of developments in the whole-of-government approach to reduce complexity, diminish regulatory overlap, and eliminate unnecessary duplication with respect to cyber incident reporting,” according to the DHS report.

<![CDATA[New Threat Group Targets Middle Eastern Telcos]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/new-threat-group-targets-middle-eastern-telcos https://duo.com/decipher/new-threat-group-targets-middle-eastern-telcos

A previously unknown attack group has been targeting telecommunications providers in Middle Eastern countries with a custom backdoor that in some cases is disguised as a legitimate security application.

The new threat group appears to have been operating for several years at least and researchers with Cisco Talos have named the group ShroudedSnooper. The group uses at least two separate implants, known as HTTPSnoop and PipeSnoop, and likely is gaining initial access to its targets by compromising Internet-facing servers. Telcos have been a prime target for many APT groups for some time as they can give attackers a key leverage point from which to steal sensitive information and gather intelligence on a wide range of organizations. In many countries telcos are government-operated entities, which makes them even more attractive targets.

The Talos researchers identified multiple variants of HTTPSnoop and PipeSnoop, including ones that masquerade as the Palo Alto Networks Cortex XDR app. Those variants were disguised as a version of the XDR app that was released in August 2022 and retired in April 2023.

“HTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with the HTTP device on the system. It leverages this capability to bind to specific HTTP(S) URL patterns to the endpoint to listen for incoming requests. Any incoming requests for the specified URLs are picked up by the implant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in fact, shellcode that is then executed on the infected endpoint,” the Talos researchers said.

“The DLL-based variants of HTTPSnoop usually rely on DLL hijacking in benign applications and services to get activated on the infected system. The attackers initially crafted the first variant of the implant on April 17, 2023, so that it could bind to specific HTTP URLs on the endpoint to listen for incoming shellcode payloads that are then executed on the infected endpoint. These HTTP URLs resemble those of Microsoft’s Exchange Web Services (EWS) API, a product that enables applications to access mailbox items.”
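A program that binds URL prefixes through the kernel HTTP driver the way HTTPSnoop does (and the way IIS or WinRM legitimately do) leaves a visible trace: the registration appears in the output of netsh http show servicestate. The following added triage script is not Talos tooling; it parses the request-queue view of that output and flags EWS-looking registrations on a host that has no business serving Exchange. The sample text is constructed and only approximates the real netsh layout, and the path patterns are assumptions for the example rather than Talos' published indicators.

```python
"""Added example, not Talos tooling: triage for the HTTPSnoop technique.

Parses `netsh http show servicestate view=requestq` output and reports
EWS-style URL registrations together with the PIDs attached to the request
queue that owns them. SAMPLE is CONSTRUCTED and approximates the layout;
SUSPICIOUS_PATH_RE is an assumption, not a published IOC.
"""
import re
import sys

SUSPICIOUS_PATH_RE = re.compile(r"^/(ews|autodiscover|owa)(/|$)", re.IGNORECASE)

SAMPLE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4
    URL groups:
    URL group ID: F800000040000001
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTP://+:47001/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        6188
    URL groups:
    URL group ID: F800000040000005
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTPS://+:443/ews/exchange.asmx/
"""


def parse_request_queues(text: str) -> list:
    """Collect (pids, urls) per request queue from netsh request-queue output."""
    queues, cur, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):          # new queue at column 0
            cur = {"name": line.split(":", 1)[1].strip(), "pids": [], "urls": []}
            queues.append(cur)
            mode = None
        elif cur is None:
            continue
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            cur["pids"].append(int(line))
        elif mode == "urls" and line.upper().startswith(("HTTP://", "HTTPS://")):
            cur["urls"].append(line)
        else:
            mode = None                                   # any other line closes a list
    return queues


def url_path(url: str) -> str:
    """'HTTPS://+:443/ews/x/' -> '/ews/x/' (scheme://host:port/path)."""
    parts = url.split("/", 3)
    return "/" + (parts[3] if len(parts) > 3 else "")


def find_suspicious(queues, host_runs_exchange: bool = False) -> list:
    """EWS-style URL registrations are expected only on an Exchange server."""
    if host_runs_exchange:
        return []
    return [(tuple(q["pids"]), u) for q in queues for u in q["urls"]
            if SUSPICIOUS_PATH_RE.search(url_path(u))]


if __name__ == "__main__":
    # Pipe live output in: netsh http show servicestate view=requestq | python triage.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pids, url in find_suspicious(parse_request_queues(text)):
        print(f"suspicious http.sys registration {url} owned by PID(s) {pids}")
```

The PIDs are the useful part of the output: a registration for an Exchange-looking path owned by a process that is not an Exchange worker is exactly the condition the Talos description implies, and the PID is what an analyst pivots on next.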

PipeSnoop is a companion implant to HTTPSnoop that the researchers believe is an upgraded version of HTTPSnoop and is designed to work in a different way. PipeSnoop executes arbitrary shellcode and likely works in conjunction with a separate component that the researchers have not yet discovered.

“As indicated by the name, PipeSnoop will simply attempt to connect to a pre-existing named pipe on the system. Named pipes are a common means of Inter-Process Communication (IPC) on the Windows operating system. The key requirement here is that the named pipe that PipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the pipe, it simply tries to connect to it,” the researchers said.

“This capability indicates that PipeSnoop cannot function as a standalone implant (unlike HTTPSnoop) on the endpoint. It needs a second component, that acts as a server that will obtain arbitrary shellcode via some methods and will then feed the shellcode to PipeSnoop via the named pipe.”

The Talos researchers did not specify which countries ShroudedSnooper has targeted with its implants, but said that it has disclosed the findings to Palo Alto Networks and Microsoft.

<![CDATA[The Emergence of Security Flaws as a ‘National Resource’ in China]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/how-security-flaws-became-a-national-resource-in-china https://duo.com/decipher/how-security-flaws-became-a-national-resource-in-china

A two-year-old regulation, which requires organizations doing business in China to alert the government of software vulnerabilities within 48 hours of discovery, reflects the Chinese government’s growing treatment of security flaws as strategic resources over the years.

Few details had been publicly disclosed about how China's “Regulations on the Management of Network Product Security Vulnerabilities" (RMSV) law has operated since its 2021 implementation, but a report by the Atlantic Council this month shed light on how companies are complying with it, and on the mandate’s impact on the broader vulnerability disclosure landscape and on China’s offensive hacking capabilities.

“It’s a bit of a sea change from a systems standpoint,” said Dakota Cary, a non-resident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group, and one of the co-authors of the Atlantic Council report along with Kristin Del Rosso, product manager at Sophos. “Companies still have bug bounties, they still have public facing programs where people are compensated to submit… so the incentive for the researcher still exists, but now the government has inserted itself into that process, and in doing so it’s weaponizing that entire vulnerability research system, and it’s piggybacking on the incentives that private companies are providing for researchers to discover these vulnerabilities.”

China’s regulation requires companies to report vulnerabilities to a database managed by the Ministry of Industry and Information Technology (MIIT). At the same time, security researchers cannot publish information about vulnerabilities before a patch is available and are prohibited from publishing PoC code or “exaggerating the severity” of a flaw.

“In effect, the regulations push all software-vulnerability reports to the MIIT before a patch is available,” said the researchers.


When reports of China’s disclosure mandate first emerged, researchers voiced concerns that such a regulation would give Chinese state actors a pipeline to zero-day flaws in companies' products before patches were issued. In the Cyber Safety Review Board’s (CSRB) review of the Log4j flaw disclosed in 2021, for instance, the board highlighted press reports that China-based Alibaba was sanctioned for violating the regulation when it reported Log4j directly to the Apache Software Foundation.

“This line of inquiry raised Board concerns around the mandatory vulnerability disclosure laws in the PRC and whether their enforcement may afford the PRC government early access to serious, exploitable vulnerabilities before they are patched,” according to the CSRB report. “The Board raised similar concerns about whether these laws and reports of the PRC’s alleged decision to sanction Alibaba for responsibly reporting a vulnerability to ASF will create a chilling effect that deters researchers from using coordinated vulnerability disclosure best practices.”

Upon further investigation into the structure of the database and the companies participating in these systems, researchers also found that the MIIT’s database of vulnerability and threat data is shared with the National Computer Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), which could give various partners access to the reports, including known offensive hacking entities in China.

Outside of the Atlantic Council's research, other reports have demonstrated “a decrease in software vulnerabilities being reported to foreign firms and the potential for these vulnerabilities to feed into offensive operations.” In its 2022 Digital Defense Report, Microsoft explicitly described the increase in zero-days deployed by PRC-based groups as a “likely” result of the mandate. And in 2017, Recorded Future found that critical flaws reported to China’s National Information Security Vulnerability Database (CNNVD) were being withheld from publication for use in offensive operations.

In the Atlantic Council report, researchers found that “at least some” foreign firms that do business in China were complying with the regulations (though they had limited visibility into the specific numbers). Interestingly, researchers said that at least one foreign firm that was submitting to the MIIT database was not seeing any benefits, claiming it was not receiving reciprocal reports of flaws in its products found by other researchers, and saw a “significant decrease” in flaws reported from China.

“We find that the 2021 RMSV allows the PRC government, and subsequently the Ministry of State Security, to access vulnerabilities previously uncaptured by past regulatory regimes and policies,” according to researchers. “In some cases, the regulations also facilitate access to some companies’ internal code repositories.”


Microsoft in its 2022 Digital Defense Report called the regulation “a major step in the use of zero-day exploits as a state priority.” However, China for years now has been treating vulnerabilities as what the Qihoo360 CEO has called a “national resource” for the country.

Over the past few years, for instance, China has introduced a number of measures aimed at keeping the discovery and reporting of vulnerabilities in-house, according to the Atlantic Council report. This has included prohibiting security researchers from traveling to software security competitions in other countries and creating its own series of security competitions to promote the development of tools for automating how flaws are discovered and exploited.

At the same time, Cary said that the professionalization of the Chinese intelligence services over the last decade has also shaped how bugs are discovered and exploited. In Mandiant’s M-Trends report released last year, researchers said that the number of Chinese espionage groups they observed had dropped from at least 244 separate actor sets, tracked over the previous five years, to 36 active groups in 2021, pointing to “more focused, professionalized, and sophisticated attacks conducted by a smaller set of actors.”

“The early twenty-teens are the golden years of Chinese hacking operations - we saw Marriott, Anthem Insurance, OPM - all huge collections,” said Cary. “That was before they implemented policies to standardize their education system, to centralize toolkits, they’ve done so much to professionalize what they do."

Overall, researchers said that China's regulation is creating a "near total collection of software vulnerabilities discovered in China," increasing "the aperture of China's vulnerability collection."

"China’s system for collecting software vulnerabilities is now all encompassing. The PRC system has evolved from incentivizing voluntary disclosure to security services and encouraging disclosure to private-sector firms into mandating vulnerability disclosure to the state," according to the Atlantic Council report.

<![CDATA[Iranian Threat Group Targets Cloud With Password Spraying Attacks]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/iranian-threat-group-targets-cloud-with-password-spraying-attacks https://duo.com/decipher/iranian-threat-group-targets-cloud-with-password-spraying-attacks

An Iranian state-backed attack group is targeting organizations in several industries, including satellite, defense, and government, with cloud-based password spraying attacks, aiming to gain access to target environments and in some cases steal sensitive data.

The group is referred to as Peach Sandstorm by Microsoft researchers who have been tracking its activities since the beginning of the year, and it has used a number of different tactics in its operations, which have targeted victims in several countries. In most cases, the group uses password spraying as its initial access vector, a technique in which the attacker tries a single password, or a short list of common ones, against a large number of accounts, keeping the attempts per account low enough to stay under lockout thresholds. This isn’t the most sophisticated technique, but it can be effective given enough time and a large enough target set.
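Because a spray spreads a few attempts across many accounts, per-account lockout counters never fire; the signature only appears when failures are grouped by source address instead. The following added example is not Microsoft's detection content: it slides a time window over Entra ID sign-in failures per source IP and alerts when many distinct accounts each see only a few bad-password attempts. Field names follow the Microsoft Graph signIn resource, the records are constructed, and the window and thresholds are assumptions to tune per tenant.

```python
"""Added example, not Microsoft's detection logic: a password-spray detector
over Entra ID sign-in records. Field names follow the Microsoft Graph signIn
resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode);
the records are CONSTRUCTED and the thresholds are assumptions. Error code
50126 is Entra ID's "invalid username or password" result.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD_CODES = {50126}
WINDOW = timedelta(minutes=30)      # assumption
MIN_DISTINCT_USERS = 10             # assumption
MAX_ATTEMPTS_PER_USER = 3           # assumption: a spray stays under lockout thresholds


def constructed_signins() -> list:
    """One source spraying 12 accounts once each, one user mistyping, one success."""
    base = datetime(2023, 9, 14, 2, 0, 0)

    def rec(offset_s, upn, ip, code):
        return json.dumps({
            "createdDateTime": (base + timedelta(seconds=offset_s)).isoformat() + "Z",
            "userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code},
        })

    lines = [rec(40 * i, f"user{i:02d}@example.com", "203.0.113.7", 50126) for i in range(12)]
    lines += [rec(600 + 15 * i, "alice@example.com", "198.51.100.20", 50126) for i in range(4)]
    lines.append(rec(700, "bob@example.com", "198.51.100.21", 0))
    return lines


def load_failures(lines) -> list:
    """(timestamp, ip, user) for every bad-password sign-in, sorted by time."""
    events = []
    for line in lines:
        r = json.loads(line)
        if r.get("status", {}).get("errorCode") not in FAILED_PASSWORD_CODES:
            continue
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        events.append((ts, r["ipAddress"], r["userPrincipalName"].lower()))
    events.sort()
    return events


def detect_spray(lines, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_ATTEMPTS_PER_USER) -> list:
    """Per source IP, slide a time window over failures and alert when many
    distinct accounts each see only a few attempts (the spray signature)."""
    by_ip = defaultdict(list)
    for ts, ip, user in load_failures(lines):
        by_ip[ip].append((ts, user))
    alerts = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # drop failures older than the window
            per_user = Counter(u for _, u in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["users"]:
                    best = {"ip": ip, "users": len(per_user),
                            "first": evs[start][0], "last": evs[end][0]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(constructed_signins()):
        print(f"password spray from {a['ip']}: {a['users']} accounts "
              f"between {a['first']} and {a['last']}")
```

The single user who fails four times from one address is deliberately left out of the alert: that is a brute-force or a typo pattern, and folding it into the same rule is what produces noisy detections. A real deployment would also key on the user-agent and on whether the source belongs to a known cloud provider, which the constructed records do not carry.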

Peach Sandstorm has been active for many years and has been known to target companies across a wide range of industries, as well as government agencies. The group’s activities typically center on intelligence gathering and it has targeted organizations in many countries. Microsoft’s researchers have observed the group using a couple of different intrusion chains recently, the first of which begins with password spraying.

“In a small subset of instances where Peach Sandstorm successfully authenticated to an account in a targeted environment, Microsoft observed the threat actor using AzureHound or Roadtools to conduct reconnaissance in Microsoft Entra ID (formerly Azure Active Directory). In this campaign, Peach Sandstorm used AzureHound, a Go binary that collects data from Microsoft Entra ID and Azure Resource Manager through the Microsoft Graph and Azure REST APIs, as a means of gathering information on a system of interest. Similarly, Roadtools, a framework to access Microsoft Entra ID, allowed Peach Sandstorm to access data in a target’s cloud environment and conveniently dump data of interest to a single database,” Microsoft’s researchers said.

In these intrusions, the Peach Sandstorm attackers maintained persistence by either creating a new Azure subscription that they controlled or using a previously compromised Azure resource. In other operations, the attackers have shown the ability to exploit some known vulnerabilities, including bugs in the Zoho ManageEngine apps and the Confluence Server product. Once inside a target environment, the Peach Sandstorm attackers sometimes installed the AnyDesk RMM tool for remote access, while in other cases they used a custom tool called EagleRelay, hosted on a virtual machine they created in the environment, to tunnel traffic back to their C2 infrastructure.

“The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments,” Microsoft said.

<![CDATA[DBatLoader Leverages OneDrive to Deliver Commodity Malware]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/dbatloader-leverages-onedrive-to-deploy-commodity-malware https://duo.com/decipher/dbatloader-leverages-onedrive-to-deploy-commodity-malware

Researchers have observed almost two dozen email campaigns since late June that use a combination of a known malware loader, lures related to shipping orders and purchase requests, and various legitimate services like OneDrive, in order to deliver an array of commodity malware families.

The loader malware, DBatLoader, has been in use since 2020, and has been used in malspam campaigns to deliver various RATs and infostealers. In these latest campaigns, the malware used several new techniques to deploy Remcos, which is used to provide backdoor access to Windows operating systems; Warzone, a remote access trojan; and the Formbook and AgentTesla information stealers. The attackers leveraged OneDrive, as well as new or compromised domains, for staging and retrieving additional payloads.

Researchers warned businesses that these recent campaigns signal a heightened risk of infection from commodity malware families associated with the loader’s activity.

“Due to the sophistication of DBatLoader phishing techniques and improvements to the malware itself, it is likely that infections with DBatLoader and follow-on payloads will rise,” said Ole Villadsen, Golo Mühr and Kat Metrick with the IBM X-Force team in an analysis this week.

The malware’s capabilities include UAC bypass and persistence tactics, various process injection techniques and process hollowing. DBatLoader also supports the injection of shellcode payloads. Additionally, in several attacks, researchers said the threat actors also used “sufficient control over the email infrastructure to enable malicious emails to pass SPF, DKIM, and DMARC email authentication methods.”

The malware is still under active development, said researchers, pointing to flawed DLL hooking attempts in its latest version.

“DLL hooking is commonly used to bypass AMSI, however, most of DBatLoader’s current hooking implementations are flawed, rendering it ineffective,” said researchers. “The experimental coding style and frequent implementation changes suggest that some of the loader’s functionality is still a work in progress.”

While DBatLoader campaigns targeted organizations in Europe and Eastern Europe earlier this year, researchers said that in this recent campaign, most of the email content appeared to be targeting English speakers (although some emails were in Spanish and Turkish). The malicious emails used either ISO images or several archive file formats (like .tar, .zip or .rar) to deliver DBatLoader. The lures of these emails, meanwhile, were related to shipping orders and billing, invoice and purchase requests or inquiries.
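Since the loader arrives inside a container rather than as a bare executable, the useful gateway check is on what the container holds. The following added example is not X-Force tooling: it opens zip and tar attachments with the standard library and flags members that are executable or that hide an executable behind a decoy extension. The archives are constructed in memory with stub contents, the suffix list is an assumption, and ISO images are out of scope because the standard library has no ISO reader.

```python
"""Added example, not X-Force tooling: a gateway-style check for the archive
delivery containers described above. Zip and tar are inspected with the
standard library; ISO images need a third-party reader and are left out.
The archives are CONSTRUCTED in memory and the "executables" are stubs.
"""
import io
import tarfile
import zipfile

# Member extensions worth blocking or detonating. Assumed list for this example.
EXEC_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".dll"}


def list_members(blob: bytes) -> list:
    """File names inside a zip or tar blob; empty list if it is neither."""
    bio = io.BytesIO(blob)
    if zipfile.is_zipfile(bio):
        bio.seek(0)
        with zipfile.ZipFile(bio) as z:
            return [i.filename for i in z.infolist() if not i.is_dir()]
    bio.seek(0)
    try:
        with tarfile.open(fileobj=bio, mode="r:*") as t:
            return [m.name for m in t.getmembers() if m.isfile()]
    except tarfile.ReadError:
        return []


def risky_members(names) -> list:
    """(name, reason) for members that are executable or that hide one behind
    a decoy extension such as 'order.pdf.exe'."""
    hits = []
    for name in names:
        base = name.rsplit("/", 1)[-1].lower()
        parts = base.split(".")
        suffix = "." + parts[-1] if len(parts) > 1 else ""
        if suffix in EXEC_SUFFIXES:
            hits.append((name, "double extension" if len(parts) > 2 else "executable"))
    return hits


def constructed_zip() -> bytes:
    """Zip resembling a shipping-order lure: a decoy-named stub plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Shipping Order 4471.pdf.exe", b"MZ-stub (constructed, not a real PE)")
        z.writestr("readme.txt", b"constructed benign content")
    return buf.getvalue()


def constructed_tar() -> bytes:
    """Tar with a single stub executable, to show the same check on a second format."""
    buf = io.BytesIO()
    data = b"constructed stub"
    with tarfile.open(fileobj=buf, mode="w") as t:
        info = tarfile.TarInfo("Invoice_0913.exe")
        info.size = len(data)
        t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for blob in (constructed_zip(), constructed_tar()):
        print(risky_members(list_members(blob)))
```

Listing members is deliberately separated from judging them so the same rule set can be fed from an ISO reader or a sandbox unpacker later; the name-based rule is a first filter, not a verdict, and anything it flags should still be detonated.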

“To combat this, security teams are encouraged to renew vigilance around TTPs associated with DBatLoader campaigns, such as abuse of public cloud infrastructure, and characteristics of the new variants of the malware observed by X-Force,” said researchers.

<![CDATA[Caesars Says Cyberattack Stemmed From Third-Party Vendor Compromise]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/caesars-says-cyberattack-stemmed-from-third-party-vendor-compromise https://duo.com/decipher/caesars-says-cyberattack-stemmed-from-third-party-vendor-compromise

Hotel and casino company Caesars Entertainment this week confirmed that it was the victim of a cyberattack that stemmed from a social engineering attack on a third-party IT support vendor that the company uses.

Attackers were able to access a copy of Caesars’ loyalty program database, which included driver’s license numbers and Social Security numbers for “a significant number” of program members. Caesars, which said it determined on Sept. 7 that the unauthorized access had occurred, is investigating whether any further personal information was included in the files acquired by the unauthorized actor, and said it has “no evidence to date that any member passwords/PINs, bank account, or payment card information (PCI) were acquired by the unauthorized actor.”

While Caesars did not outwardly label the hack as a ransomware attack, a Bloomberg report on Wednesday said that the organization made a ransom payment to the attackers of tens of millions of dollars.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” according to Caesars in a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC) detailing the incident.

Caesars did not disclose the name of the third-party IT support contractor. Cybercriminals in the past have found success in targeting third-party vendors, and then using that compromise to subsequently gain unauthorized access to downstream client data. The 2022 cyberattack on Okta, for instance, stemmed from a breach by the Lapsus$ group of a third-party contractor, managed support service provider Sitel. In an ensuing investigation into the incident, Okta said that it had cut ties with Sitel and was re-evaluating how it works with outside service providers.

Part of the challenge in protecting against these third party risks is that they are happening outside of companies’ purview. Organizations need to carefully vet their contractors and other types of third-party organizations, assess the different risks posed by various third parties, set up monitoring for any changes in that risk and create formal processes for when contracts end to ensure that all related data is permanently deleted.

Caesars is still investigating and has yet to address several details of the attack, including when the incident started, how long the attackers had access to the database and how many loyalty program customers were affected. The Bloomberg report said that the attackers began targeting Caesars as early as Aug. 27.

The Caesars loyalty program, Caesars Rewards, allows members to earn credits that can be redeemed for gaming, hospitality and entertainment. The program is used for more than 50 destinations and through the Caesars Sportsbook app across the U.S. The company has claimed that the program has 65 million members and that it is the largest program in the gaming industry.

In its Form 8-K, Caesars said it has "incurred certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter."

“The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by our cybersecurity insurance or potential indemnification claims against third parties, has not been determined," said Caesars.

Public disclosure of the Caesars cyberattack comes as another gaming and hospitality giant, MGM Resorts, continues to face disruption across its hotels and casinos due to a separate cyber incident. As of Thursday, MGM Resorts’ website was still down, and in a brief Thursday update posted on Twitter, the company said that it is working to resolve the “cybersecurity issue.”

These incidents "should serve as a wake-up call for the industry," said Geoff Haydon, CEO at Ontinue. He urged hospitality and gaming organizations "to fortify their defenses and foster a culture of cybersecurity awareness."

"To safeguard against such vulnerabilities, companies must adopt a multi-faceted approach to cybersecurity," said Haydon. "This includes regular security audits, employee training, and the implementation of robust security protocols. Furthermore, businesses should appropriately segment their networks, thus isolating critical systems from potential breaches and ensuring continuity in case of an attack."

<![CDATA[Decipher Podcast: Source Code 9/15]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-9-15 https://duo.com/decipher/decipher-podcast-source-code-9-15

<![CDATA[Microsoft Warns of Teams-Based Phishing Campaign]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/microsoft-warns-of-teams-based-phishing-campaign https://duo.com/decipher/microsoft-warns-of-teams-based-phishing-campaign

A threat actor that has historically used a variety of malware strains and email-based phishing lures in its campaigns has now moved on to delivering lures through Microsoft Teams, potentially leading to ransomware deployments in compromised networks.

The activity is the work of a group that Microsoft calls Storm-0324, a developing threat group that has used a variety of known malware tools in the past, including IcedID, Gozi, Dridex, and others. Storm-0324 is closely associated with a ransomware group that Microsoft calls Sangria Tempest, and in many intrusions, Storm-0324 gains initial access to a target network and then hands off that access to the ransomware gang for further exploitation.

“Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures,” Microsoft said in a new analysis.

“The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.”

In the past, Storm-0324 has used typical email phishing lures, usually with some financial theme. But more recently, the group has shifted to a newer tactic, sending malicious links to victims through Microsoft Teams. In those operations, the group uses a freely available tool called TeamsPhisher and directs victims to malicious external SharePoint files.

“TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization,” Microsoft said.
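The two signals Microsoft describes above, a sender the platform labels as external and a link to a SharePoint site outside the victim's own tenant, combine well with the payment and invoice theme of the lures. As an added example (not code from Microsoft's analysis or from the TeamsPhisher tool), the Python below triages Teams message records of the kind an export or SIEM might hold and flags that combination. The record fields, the home tenant name and the sample messages are all constructed for the example; substitute whatever fields your Teams export actually provides.

```python
import re
from urllib.parse import urlparse

# Constructed sample records (not real Teams message or audit-log data).
# The field names are assumptions for this example.
SAMPLE_MESSAGES = [
    {
        "id": "m1",
        "sender": "Accounts Payable (EXTERNAL)",
        "sender_tenant": "attacker-tenant.onmicrosoft.com",
        "external": True,
        "text": "Please review the attached invoice for payment today.",
        "links": ["https://attacker-tenant.sharepoint.com/:b:/s/docs/invoice.pdf"],
    },
    {
        "id": "m2",
        "sender": "Jane Doe",
        "sender_tenant": "contoso.onmicrosoft.com",
        "external": False,
        "text": "Draft slides for Thursday, comments welcome.",
        "links": ["https://contoso.sharepoint.com/sites/team/deck.pptx"],
    },
    {
        "id": "m3",
        "sender": "Partner Support (EXTERNAL)",
        "sender_tenant": "partner.onmicrosoft.com",
        "external": True,
        "text": "Meeting notes from today, no action needed.",
        "links": [],
    },
    {
        "id": "m4",
        "sender": "Billing (EXTERNAL)",
        "sender_tenant": "other-tenant.onmicrosoft.com",
        "external": True,
        "text": "Overdue payment notice - open the document to avoid suspension",
        "links": ["https://other-tenant.sharepoint.com/:f:/g/notice"],
    },
]

# Wording typical of the payment/invoice lures the campaign uses.
LURE_TERMS = re.compile(r"\b(invoice|payment|overdue|remittance|billing|wire)\b", re.I)


def is_foreign_sharepoint(url, home_sp_host):
    """True for a SharePoint URL hosted on a tenant other than our own."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(".sharepoint.com") and host != home_sp_host.lower()


def score_message(msg, home_sp_host):
    """Return (score, reasons). Only external senders are scored at all."""
    reasons = []
    score = 0
    if not msg.get("external"):
        return 0, reasons
    score += 1
    reasons.append("sender is external to the tenant")
    foreign = [u for u in msg.get("links", []) if is_foreign_sharepoint(u, home_sp_host)]
    if foreign:
        score += 2
        reasons.append("links to SharePoint outside the home tenant: " + ", ".join(foreign))
    if LURE_TERMS.search(msg.get("text", "")):
        score += 1
        reasons.append("payment/invoice themed text")
    return score, reasons


def flag_lures(messages, home_sp_host, threshold=3):
    """Return [(id, score, reasons)] for messages at or above threshold, highest first."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg, home_sp_host)
        if score >= threshold:
            flagged.append((msg["id"], score, reasons))
    return sorted(flagged, key=lambda f: -f[1])


if __name__ == "__main__":
    for mid, score, reasons in flag_lures(SAMPLE_MESSAGES, "contoso.sharepoint.com"):
        print(f"{mid}: score={score}")
        for reason in reasons:
            print("   -", reason)
```

The default threshold requires an external sender plus at least one of the two stronger signals, so a partner simply sending notes (m3) is not flagged while the two invoice-themed messages pointing at foreign SharePoint sites (m1, m4) are.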

Other groups have recently targeted Microsoft Teams with this tactic as well, including a group Microsoft refers to as Midnight Blizzard. That Russia-based group executed separate social engineering campaigns against Teams users earlier this year.

Microsoft recommends that organizations using Teams deploy phishing-resistant MFA methods such as hardware security keys in order to mitigate the risk of this type of attack.

<![CDATA[Microsoft Warns of Two Zero Day Flaws]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/microsoft-warns-of-two-zero-day-flaws https://duo.com/decipher/microsoft-warns-of-two-zero-day-flaws

Microsoft has issued fixes for two important-severity zero-day vulnerabilities, which affect Microsoft Word and the Microsoft Streaming Service Proxy.

The updates were released as part of Microsoft’s regularly scheduled patches, which overall addressed flaws tied to 65 CVEs. One of these is an elevation-of-privilege flaw (CVE-2023-36802) in Microsoft's streaming service proxy, which is related to Microsoft’s Stream video service. If exploited successfully, the flaw could give an attacker SYSTEM privileges. The other, an information-disclosure flaw in Microsoft Word (CVE-2023-36761), could allow the disclosure of NTLM hashes. For the latter flaw, Microsoft noted that Preview Pane is an attack vector. In a Tuesday analysis, Dustin Childs, with Trend Micro’s Zero Day Initiative, said this attack vector indicates that no user interaction is required, and that security teams should “definitely put this one on the top of your test-and-deploy list.”

“This is the bug currently under active attack, but I wouldn’t classify it as ‘information disclosure,’” said Childs. “An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack.”
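Since the payoff of the Word bug is the NTLM credential that leaves the victim's machine when the document is rendered, one practical check, added here as an example and not drawn from Microsoft's or ZDI's advisories, is to look at egress firewall logs for workstations connecting over SMB to hosts on the internet; blocking outbound SMB at the perimeter is a long-standing way to blunt such leaks, and allowed connections to unknown external hosts on those ports are worth a look. The log format and addresses below are constructed (RFC 5737 documentation ranges stand in for public IPs), and the internal ranges are assumed to be RFC 1918.

```python
import ipaddress
import re

# Constructed sample egress-firewall lines (not real logs); the key=value
# layout is an assumption for this example. 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges standing in for public hosts.
SAMPLE_LOG = """\
2023-09-12T14:02:11Z src=10.20.3.41 dst=10.20.1.5 dport=445 proto=tcp action=allow
2023-09-12T14:02:19Z src=10.20.3.41 dst=203.0.113.77 dport=445 proto=tcp action=allow
2023-09-12T14:02:20Z src=10.20.3.41 dst=203.0.113.77 dport=80 proto=tcp action=allow
2023-09-12T14:03:02Z src=10.20.3.88 dst=198.51.100.9 dport=443 proto=tcp action=allow
2023-09-12T14:03:40Z src=10.20.3.88 dst=198.51.100.9 dport=139 proto=tcp action=deny
2023-09-12T14:04:05Z src=10.20.3.41 dst=192.0.2.15 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

# Ports on which Windows will try NTLM authentication to a file server.
SMB_PORTS = {445, 139}

# Assumed internal address space (RFC 1918). Adjust to your own allocations;
# this is used instead of ipaddress.is_global so the documentation ranges
# above count as "outside".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_egress(log_text, allowed_only=True):
    """Return records for SMB connections from inside to non-internal hosts.

    With allowed_only=True only connections the firewall let through are
    returned, i.e. the ones where a hash may actually have left the network.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMB_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if allowed_only and rec["action"] != "allow":
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Map each internal source to the sorted external hosts it reached over SMB."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(h["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    for src, dsts in summarize(find_smb_egress(SAMPLE_LOG)).items():
        print(f"{src} authenticated over SMB to internet hosts: {', '.join(dsts)}")
```

In the sample, the single internal-to-internal SMB connection is ignored, the denied attempt on port 139 only appears when `allowed_only=False`, and the two allowed connections on port 445 from 10.20.3.41 to outside hosts are the ones an analyst would chase back to the document that triggered them.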

In addition to these flaws, Microsoft also addressed five critical-severity flaws. These include a remote code execution flaw (CVE-2023-38148) in the Internet Connection Sharing Windows service, three remote code execution flaws (CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796) in Microsoft Visual Studio and an elevation-of-privilege bug (CVE-2023-29332) in the Azure Kubernetes service.

Childs said the latter flaw could enable remote, unauthenticated attackers to gain Cluster Administration privileges.

“We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity,” said Childs. “Microsoft gives this an ‘Exploitation Less Likely’ rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers.”

The Microsoft flaws are part of a rash of zero-days fixed over the past week by various vendors, including a heap buffer overflow bug in Google Chrome, an Adobe vulnerability in the Acrobat and Reader products that has been used in some targeted attacks, and two Apple zero-days in various versions of macOS, iOS, watchOS and iPadOS.