Weekly Cyber Threat Intelligence Report 12.8.23
2023-12-08 21:15:08 Author: krypt3ia.wordpress.com

This report was generated by Scot Terban and ChatGPT4 using the Threat Intel Analyst Agent Icebreaker Intel Analyst

The weekly threat intelligence report for the week of December 8, 2023, presents a detailed analysis of recent cyber threats, vulnerabilities, attacks, and significant patches:

Cyber Attacks:

Infosys Data Breach: The Infosys Data Breach, reported in November 2023, involved a significant “security event” that impacted Infosys McCamish Systems, the US unit of the Indian IT services company, Infosys. The breach resulted in several of the firm’s applications becoming unavailable. Infosys has been actively investigating the scope and impact of the attack on its systems. As of the reporting time, further details regarding the exact nature of the data compromised or the method of the attack had not been disclosed.

Boeing Cyber Incident: The Boeing Cyber Incident, which occurred in November 2023, was described as a “cyber incident” affecting several different elements of the aircraft manufacturer’s business. The specifics of the attack, including the nature of the compromised systems and data, were not fully disclosed. Boeing confirmed that the incident did not impact flight safety. The company was actively working with law enforcement to investigate the attack, indicating the seriousness of the breach. This event highlights the growing concerns around cybersecurity in critical infrastructure and manufacturing sectors.

Okta Data Breach: The Okta Data Breach involved unauthorized access to Okta’s support case management system by a threat actor using stolen credentials. Okta, a major provider of identity services and authentication management, acknowledged the breach but did not disclose the extent of the data compromise or the specific details of the stolen credentials. The incident highlighted the risks associated with credential theft and the potential vulnerabilities in systems handling sensitive access management information.

Air Europa Data Breach: The Air Europa Data Breach involved the unauthorized access of financial information of the airline’s customers. During the breach, hackers managed to extract sensitive data including card numbers, expiration dates, and the 3-digit CVV numbers found on the back of credit and debit cards. Following the breach, Air Europa advised their customers to cancel all their credit cards as a precautionary measure. The airline reported that it had notified the relevant authorities and confirmed that its systems were fully operational again. This incident underscores the significant risks associated with the security of financial information in the airline industry.

23andMe Data Breach: The 23andMe Data Breach involved a credential-stuffing attack that compromised customer accounts. This biotech company, known for its genetic testing services, reported that genetic data and personal information of its users were stolen. The compromised data included names, email addresses, birth dates, and information related to users’ genetic ancestry and history. It was reported that the attackers specifically targeted data pertaining to individuals of Ashkenazi Jewish and Chinese descent. The breach highlights the sensitivity of genetic data and the risks associated with credential stuffing attacks in the healthcare and biotech sectors.

CISA Vulnerability Catalog Update: In December 2023, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities Catalog by adding four new vulnerabilities. These additions were based on evidence of active exploitation in the wild. All four vulnerabilities were associated with Qualcomm chipsets and included issues like use of out-of-range pointer offset, use-after-free, and integer overflow vulnerabilities. This update from CISA underscores the ongoing need for vigilance and timely patching of known vulnerabilities to mitigate the risk of cyber exploitation.

Reflectiz Cyber Attacks Overview:

  • LCBO Web Skimmer Attack: Payment details were compromised due to a web skimmer attack on the Liquor Control Board of Ontario (LCBO).
  • iOttie Data Breach: A Magecart-type attack on iOttie’s shopping site led to stolen customer data.
  • Shields Healthcare Group Data Breach: Personal information of 2.3 million patients was stolen in a data breach.
  • Jimbos Protocol Crypto Platform Breach: A logical vulnerability allowed hackers to steal $7.5 million in cryptocurrency.
  • Latitude Financial Data Breach: A hack resulted in the theft of 14 million customer records.
  • Shopify Web-Skimming Campaign: An ongoing web-skimming campaign targeted Shopify and other e-commerce platforms.
  • PayPal Credential Stuffing Attack: Personal data of nearly 35,000 users was compromised.
  • US Hospitals DDoS Attacks by Killnet: 14 US hospitals were targeted in DDoS attacks by the Russian activist group Killnet.
  • ICMR Data Breach: A breach exposed personal data from 815 million patient records.
  • Cloudflare DDoS Attack: An unprecedented HTTP DDoS attack targeted gaming platforms, cryptocurrency companies, and hosting providers.

DPRK Software Supply Chain Attacks: The National Intelligence Service (NIS) of the Republic of Korea and the UK’s National Cyber Security Centre identified North Korean state-linked cyber actors targeting software supply chain products. These attacks were aimed at government organizations, financial institutions, and defense industry companies globally.

SysJoker Windows Malware:

Overview

Introduction: SysJoker is a sophisticated multi-platform backdoor malware initially identified in 2021 targeting Israel’s educational sector. It was later discovered to be part of a broader campaign by an Advanced Persistent Threat (APT) group, dubbed “WildCard.” The malware is notable for its ability to target Windows, macOS, and Linux systems and for its evolution over time, including variants written in C++ and a more recent iteration developed in Rust, known as RustDown.

WildCard APT Group: The WildCard APT group is responsible for the SysJoker malware and its variants. This group has demonstrated a focus on critical sectors within Israel and possesses advanced capabilities, including the creation of sophisticated malware disguised as legitimate software.

Technical Analysis

Original SysJoker Malware (January 2022):

  • Functionality: SysJoker masqueraded as a system update and utilized a dead drop resolver method, decoding a string from a text file hosted on GDrive for its command-and-control (C2) operations.
  • Unusual Nature: The development of C++ multi-platform backdoors is rare in the Middle East, raising suspicions about the nature of the unidentified malware developers.

Evolution of SysJoker:

  • New Variants: Subsequent variants discovered in 2022, named ‘DMAdevice’ and ‘AppMessagingRegistrar’, were also written in C++. These shared code and behavioral patterns with the original SysJoker malware.
  • RustDown (October 2023): A new malware variant written in Rust, named RustDown, was discovered. It is a 32-bit Windows executable masquerading as a PHP framework component and shares tactics, techniques, and procedures (TTPs) with SysJoker.

Functionality of RustDown:

  • Characteristics: RustDown implements multiple calls to the Sleep API with randomly chosen durations, a tactic seen in SysJoker.
  • Persistence Mechanisms: The malware establishes persistence by copying itself to a location on the system and using a PowerShell command for registry manipulation.
  • C2 Communication: It uses OneDrive as a dead drop resolver, sending HTTP GET requests to a resolved URL for C2 communications.
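As an added defender-side illustration (not part of the original report or of any vendor analysis of RustDown), the Python below hunts for the persistence pattern described above: a PowerShell or shell command that writes an autorun Run-key entry whose payload lives in a user-writable directory, which is where a self-copying backdoor would normally land. The Sysmon-style event fields, host names and the “php-cgi” payload name are constructed for the example and are not indicators from the report.

```python
import re

# Autorun registry keys (...\Windows\CurrentVersion\Run and RunOnce under HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
# Registry write primitives reachable from a PowerShell or cmd one-liner.
REG_WRITE_RE = re.compile(
    r"\b(?:Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)\b", re.IGNORECASE)
# Locations an unprivileged process can copy itself into.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
# Drive-letter paths ending in .exe; the lookbehind keeps hive names like HKCU: from matching.
EXE_PATH_RE = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\[^'\"]+?\.exe", re.IGNORECASE)

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -w hidden Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'php-cgi' -Value 'C:\Users\alice\AppData\Roaming\php\php-cgi.exe'"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'"},
    {"host": "ws02", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VendorAgent /t REG_SZ /d "C:\Program Files\Vendor\agent.exe"'},
]


def classify_event(event):
    """Return a finding dict if the event writes an autorun entry, else None."""
    cmd = event["command_line"]
    # Reads of the Run key (Get-ItemProperty, reg query) are not persistence writes.
    if not (REG_WRITE_RE.search(cmd) and RUN_KEY_RE.search(cmd)):
        return None
    payloads = EXE_PATH_RE.findall(cmd)
    # Highest concern: the autorun payload sits where an unprivileged user can write.
    severity = "high" if any(USER_WRITABLE_RE.search(p) for p in payloads) else "medium"
    return {"host": event["host"], "severity": severity,
            "payloads": payloads, "command_line": cmd}


def find_autorun_writes(events):
    """Scan process-creation events; return findings with high severity first."""
    findings = [f for f in (classify_event(e) for e in events) if f]
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in find_autorun_writes(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['host']}: {finding['payloads']}")
```

A medium-severity hit on a path under Program Files is usually a legitimate installer and is kept only for review; the high-severity hit is the one worth pivoting on to the file-copy and outbound OneDrive requests described above.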

Infection and Delivery:

  • Infection Vector: Initially, SysJoker was suspected to be delivered via an infected npm package. Later versions continued the pattern of masquerading as legitimate software, suggesting phishing campaigns as a probable delivery mechanism.
  • Targeting Developer Communities: The newest iteration, RustDown, disguised as a PHP CGI component, suggests possible targeting of developer communities in Israel with trojanized applications.

Operational Tactics:

  • Use of Benign Web Services: WildCard consistently abuses benign web services like GDrive or OneDrive as dead drop resolvers or C2 hosting. The C2 infrastructure is possibly geofenced to respond only to IP addresses from Israel.

Diamond Sleet Supply Chain Attack: North Korea-based threat actor Diamond Sleet (ZINC) carried out a supply chain attack involving a malicious variant of an application developed by CyberLink Corp. The attack included a modified installer with malicious code that downloads, decrypts, and loads a second-stage payload.

LockBit 3.0 Ransomware Exploiting Citrix Bleed Vulnerability: CISA, FBI, MS-ISAC, and the ASD’s ACSC issued a joint Cybersecurity Advisory on the LockBit 3.0 ransomware. This ransomware exploited CVE-2023-4966, also known as Citrix Bleed, affecting Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances.

Vulnerabilities and Patches:

Android Security Updates: Google released patches for 94 vulnerabilities in Android, including several critical-severity bugs. Notably, the CVE-2023-40088 RCE flaw impacts multiple Android versions.

Google Chrome Security Updates: Google addressed seven vulnerabilities in Google Chrome, with CVE-2023-6345 identified as a critical integer overflow vulnerability in the Skia 2D graphics library.

Atlassian Security Advisories: Critical-severity RCE vulnerabilities were addressed in Confluence and other Atlassian products. The Confluence flaw, CVE-2023-22522, was described as a template injection bug.

Apple Security Updates: Apple released updates to address vulnerabilities in Safari, macOS Sonoma, iOS, and iPadOS, mitigating the risk of system control by cyber threat actors.

Microsoft Security Updates: Microsoft fixed 63 security bugs, including three actively exploited vulnerabilities. Among them were CVE-2023-36025 (Windows SmartScreen Security Feature Bypass) and CVE-2023-36033 (Windows DWM Core Library Elevation of Privilege).

Trends in Criminal and Nation State Activities

Increase in Digital Supply Chain Attacks: There has been a noticeable rise in attacks targeting the digital supply chain. With supply chains becoming more interconnected and digitized, they present new security risks. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

Rise in Mobile-Specific Cyber Threats: The use of smartphones in the workplace has led to an increase in mobile device targeting by cyber-attackers. Cyber-crimes involving mobile devices have increased by 22% in the last year. This trend is expected to continue, demonstrating the need for enhanced mobile security measures.

Emphasis on Cloud Security:

Increasing Cloud Adoption: The adoption of cloud services has accelerated due to the flexibility, scalability, and efficiency they offer. Companies are opting for cloud-based activities ranging from data storage and processing to hosting critical applications and services.

Rise in Cloud-Related Threats: Parallel to this adoption, there’s a notable increase in cyber threats targeting cloud environments. These include data breaches, compromised credentials, hijacked accounts, insecure interfaces, and API vulnerabilities.

Complexity of Cloud Environments: The complexity of cloud environments can make security challenging. Multi-cloud and hybrid environments, which combine on-premises infrastructure with various cloud services, add layers of complexity that can create security gaps.

Key Security Concerns

Data Privacy and Compliance: Ensuring data privacy and meeting regulatory compliance standards (like GDPR, HIPAA) in the cloud is crucial. The shared responsibility model in cloud computing requires both providers and users to play a part in securing cloud environments.

Identity and Access Management (IAM): As cloud environments become more integral to operations, managing who has access to what information becomes increasingly important. IAM systems must be robust and sophisticated to prevent unauthorized access and data breaches.

Advanced Persistent Threats (APTs): Cloud services are attractive targets for APTs due to the valuable data stored on these platforms. These threats are often sophisticated, involving long-term campaigns to gain access to sensitive data.

API Security: APIs are essential for cloud services, but they also present a significant security risk. Unsecured APIs can be exploited by attackers to access sensitive information or disrupt service operations.

Strategies for Enhanced Cloud Security

Comprehensive Risk Management: Organizations must conduct regular risk assessments to identify vulnerabilities within their cloud environments and implement strategies to mitigate these risks.

Encryption and Data Protection: Data encryption both at rest and in transit is vital. Implementing robust encryption standards ensures data protection, even in the event of a breach.

Security by Design: Integrating security into the design of cloud services and architecture, rather than as an afterthought, helps in creating a more secure environment.

Regular Audits and Compliance Checks: Continuous monitoring and regular audits help in maintaining compliance and identifying potential security issues.

Employee Training and Awareness: Educating employees about cloud security best practices is essential to prevent inadvertent breaches or vulnerabilities.

Collaboration with Cloud Providers: Leveraging the security expertise and tools provided by cloud service providers can enhance an organization’s security posture.

Persistence of Ransomware-as-a-Service: Ransomware attacks continue to increase, with a 13% year-over-year rise in ransomware breaches. These attacks have become more targeted, with sectors like healthcare and food and agriculture becoming recent victims. The continuation of Ransomware-as-a-Service models indicates that these types of attacks will remain a significant threat.

Targeting of IoT Devices: Internet of Things (IoT) devices, due to their autonomous functioning and data processing capabilities, are becoming prime targets in cybercrimes. Devices like GPS trackers and smart wearables that hold valuable data but lack robust security are particularly vulnerable.

Human Element in Cyber Breaches: Human error and social engineering remain critical vulnerabilities in cybersecurity. Phishing attacks, which often serve as a gateway for more damaging attacks like ransomware, are the most common cyber threats. This highlights the need for continuous awareness and training in cybersecurity best practices.

Cybercrime on Social Media: The growth of social media has opened new avenues for cybercrime. For example, Meta uncovered over 400 malicious iOS and Android apps in 2022 designed to steal Facebook login credentials. These apps often masquerade as legitimate applications, such as photo editors or business utilities, to deceive users into entering their login details.

Growing Costs of Cybercrime: The sophistication of cyber-attacks necessitates increased investment in advanced security measures and training. The average cost of a cyber breach in 2022 was $4.35 million, and the global economic impact of cybercrime is expected to rise to $10.5 trillion by 2025. This underscores the escalating financial impact of cybercrime on businesses and the global economy.

LINKS:


Source: https://krypt3ia.wordpress.com/2023/12/08/weekly-cyber-threat-intelligence-report-12-8-23/