3 November 2023

Cyber Security Week In Review: November 3, 2023


New CVSS v4.0 vulnerability score announced

The Forum of Incident Response and Security Teams (FIRST) has announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard.

According to FIRST, “the revised standard offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls. In addition, several supplemental metrics for vulnerability assessment have been added including Automatable (wormable), Recovery (resilience), Value Density, Vulnerability Response Effort and Provider Urgency. A key enhancement to CVSS v4.0 is also the additional applicability to OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups.”

Critical Apache ActiveMQ bug exploited by the HelloKitty ransomware

Cybersecurity researchers have warned that threat actors are exploiting a critical Apache ActiveMQ vulnerability to deploy ransomware. The bug (CVE-2023-46604) is a deserialization of untrusted data issue that could be used to achieve remote code execution on the target system.

The vendor released security patches addressing CVE-2023-46604 on October 25, 2023. It’s worth noting that proof-of-concept exploit code and vulnerability details are both publicly available. Rapid7 researchers said they observed two instances where a threat actor exploited the flaw to deliver the HelloKitty ransomware.

According to data from the threat monitoring service Shadowserver, there are currently 7249 internet-accessible ActiveMQ services, 3329 of which are vulnerable to CVE-2023-46604.

Citrix NetScaler flaw exploited in attacks on multiple verticals worldwide

Google’s Mandiant shared a technical analysis of four ongoing campaigns involving the Citrix NetScaler CVE-2023-4966 vulnerability (aka CitrixBleed) targeting government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region.

Atlassian urges customers to patch a high-risk Confluence bug

Australian software firm Atlassian has released security patches to address a high-risk vulnerability affecting all versions of its Confluence Data Center and Server software.

Tracked as CVE-2023-22518, the flaw is described as an improper authorization issue that can be exploited remotely to bypass the authorization process or perform denial of service (DoS) attacks by sending specially crafted requests to the server.

Atlassian said it is not aware of exploitation attempts, however, the vendor urged customers to update their systems to fixed versions of the software. On November 2, the company updated its advisory to warn customers about the availability of a public exploit for the flaw.

A ‘kill switch’ shuts down notorious Mozi IoT botnet

ESET researchers found a ‘kill switch’ that unexpectedly shut down one of the major IoT threats of recent years, the Mozi malware botnet. Mozi was dismantled via a malicious update that shut down the original Mozi malware, disabled some system services, replaced the original Mozi file with itself, executed some router/device configuration commands, disabled access to various ports, and established the same foothold as the replaced original Mozi file.

The researchers theorize that Mozi’s takedown was orchestrated either by its creators or by Chinese law enforcement forcing the cooperation of the botnet’s operators.

Prolific Puma provides a link-shortening service to criminals

A threat actor known as Prolific Puma has been operating an underground link-shortening service for over four years, primarily catering to other malicious actors. Prolific Puma's service involves creating domain names with an RDGA (registered domain generation algorithm) and shortening links, making it challenging to determine the final landing page, which is often used for distributing phishing, scams, and malware.

The service primarily delivers malicious links through text messages but could use other methods. Since April 2022, the threat actor has registered between 35,000 and 75,000 unique domain names.

Thousands of Okta employees affected in a third-party data breach

Almost 5,000 current and former Okta employees have been affected by a data breach at Rightway Healthcare, a third-party provider used by the company for healthcare services. The breach that took place in September of this year exposed names, Social Security numbers, and health or medical insurance plan numbers. Okta said that the incident did not affect its services and customer data.

SEC charges SolarWinds over misleading cybersecurity practices

The US Securities and Exchange Commission (SEC) has accused Texas-based software company SolarWinds and its chief information security officer, Timothy Brown, of misleading investors about its cybersecurity practices and known risks before the massive 2020 SolarWinds supply chain hack. The company is charged with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.

The SEC alleges that SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and lied to them by “disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

Threat actors caught using MSIX packages to distribute Ghostpulse malware loader

Researchers at Elastic Security Labs discovered a new malware campaign that leverages MSIX application packages to infect Windows machines with a stealthy malware loader called ‘Ghostpulse.’ The loader uses defense evasion techniques to decrypt and inject its final payload into the system.

Two Russian cybercriminals accused of JFK taxi dispatch hack

The US DoJ charged two Russian nationals, Aleksandr Derebenetc, also known as “Sasha Novgorod,” and Kirill Shipulin, known as “Kirill Russia,” over the hack of the electronic taxi dispatch system at John F. Kennedy International Airport (JFK).

Between November 2019 and November 2020, the hackers compromised the dispatch system and used that access to move specific taxis to the front of the line, letting those drivers skip the queue. The criminals charged taxi drivers $10 each time they were advanced to the front of the line. Throughout the scheme, they enabled as many as 1,000 fraudulently expedited taxi trips a day.

New DoubleAlienRat APT targets private and government entities in China

Chinese security firm NSFOCUS shared details on a cyberespionage campaign by a previously unknown threat actor dubbed ‘DoubleAlienRat.’ The group, which is said to be highly skilled and to have extremely strong attack and destruction capabilities, is currently focused on targeting Chinese private and state-owned companies, as well as research institutes and government agencies.

The group gains initial access to target networks by exploiting known vulnerabilities. Upon infiltrating the victim network, the attackers perform reconnaissance to assess targets. The threat actor is using third-party tools, as well as developing custom-made malware, borrowing ideas from other known nation-state actors.

EleKtra-Leak operation abuses exposed AWS IAM credentials for cryptojacking

A new report from Palo Alto Networks’ threat intelligence team Unit 42 revealed how cybercriminals are exploiting exposed Identity and Access Management (IAM) keys to launch cryptojacking attacks on cloud infrastructure.

Dubbed ‘EleKtra-Leak,’ the campaign performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories. The operation, which has been running since at least 2020, uses automated tools to clone public GitHub code repositories, scanning for exposed AWS IAM credentials.
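As a defensive illustration of the EleKtra-Leak story above (an added example, not code from Unit 42 or from this page): a small pre-commit-style scanner that flags AWS access key IDs and secret access keys in text before it can reach a public repository. The key shapes (an AKIA or ASIA prefix plus 16 uppercase alphanumerics; a 40-character secret) follow AWS's documented format; the sample config and the assignment-based heuristic for secret keys are constructed for this example.

```python
import re
from typing import List, Tuple

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-term IAM user keys, ASIA for temporary STS keys) plus 16 uppercase
# letters or digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 base64-like characters. On their own they are too
# generic to flag, so this example (heuristic, an assumption) only reports one
# that sits on the right-hand side of an aws_secret_access_key assignment.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value: str) -> str:
    """Keep only the first and last 4 characters so reports don't leak the key."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for every credential hit."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def should_block_commit(text: str) -> bool:
    """A pre-commit hook would refuse the commit when any finding is present."""
    return bool(scan_text(text))


# Constructed sample: AWS's own documented placeholder key pair, not a live credential.
SAMPLE_CONFIG = """# constructed sample credentials file
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {value}")
    print("block commit:", should_block_commit(SAMPLE_CONFIG))
```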

Pro-Hamas hackers target Israeli orgs with new BiBi-Linux wiper malware

A new wiper malware has been observed targeting Israeli organizations amid the armed conflict between Israel and Hamas. Dubbed “BiBi-Linux,” the new data wiper is an x64 ELF executable that has no obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if executed with root permissions.

Iranian MuddyWater APT targets Israel, updates TTPs

Cybersecurity firm Deep Instinct has published a report on the recent activities of an Iran-linked threat actor tracked as MuddyWater (Static Kitten, UNC3313, Mercury), known for conducting social engineering campaigns.

The group has been observed targeting two Israeli entities with spear-phishing emails designed to deploy malware onto the victim systems. In this campaign MuddyWater reused previously known remote administration tools, utilizing a new file-sharing service called “Storyblok” to host the malicious archives.

In related news, Check Point released a report detailing a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year. The campaign has been attributed to an Iran-associated threat actor known as Scarred Manticore, linked to the prolific Iranian actor OilRig (aka APT34, EUROPIUM, Hazel Sandstorm). The group’s attacks rely on LIONTAIL, an advanced passive malware framework installed on Windows servers.

Multiple observed variants of LIONTAIL-associated malware suggest Scarred Manticore generates a tailor-made implant for each compromised server, allowing the malicious activities to blend into and be undiscernible from legitimate network traffic.

North Korean hackers target crypto experts with novel macOS malware

North Korea-linked threat actors have been observed targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN. The activity, traced back to April 2023, overlaps with the well-known North Korean hacker collective Lazarus Group.

KANDYKORN is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes reflective loading, a direct-memory form of execution that may bypass detections.

Turla's Kazuar backdoor updated with advanced anti-analysis techniques

The Russia-linked state-sponsored hacker group Turla has updated its second-stage backdoor referred to as Kazuar. It is an advanced and stealthy .NET backdoor that Turla (aka Pensive Ursa, Uroburos) usually uses as a second-stage payload.

The most recent Kazuar variant comes with significant improvements to its code structure and functionality such as extensive data collection, the ability to steal credentials from the cloud and other sensitive apps, an extended set of commands (a total of 45 supported commands), enhanced task automation, implementation of different encryption algorithms and schemes, and multiple injection modes, allowing the malware to run from different processes and execute different features. Notably, this version only targets the Windows operating system.
