Cyber Briefing 2023.08.03

August 3, 2023

Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.

In today’s edition: AWS, Trojans, Salesforce, AI, Meow Attack, Mitel, Burger King, LockBit, Italy, Hot Topic, BlueCharlie, ICS Vulnerabilities, Cyble.



🚨 Cyber Alerts


1. AWS Systems Manager Agent Used as Trojan

Cybersecurity researchers have uncovered an ingenious post-exploitation technique within Amazon Web Services (AWS) that transforms the AWS Systems Manager Agent (SSM Agent) into a remote access trojan, capable of executing malicious actions on both Windows and Linux environments. This innovative manipulation of the SSM agent, a legitimate tool typically used by administrators to manage instances, enables attackers who have gained high privilege access to maintain persistent unauthorized access and conduct various harmful activities on compromised systems. Notably, this technique allows threat actors to utilize trusted infrastructure, evade detection, and control the SSM Agent without relying on AWS infrastructure.


2. Phishing Exploits Salesforce’s Email

Guardio Labs researchers have uncovered a sophisticated phishing campaign that exploits a zero-day vulnerability in Salesforce’s email services. The attackers craft convincing phishing messages using Salesforce’s domain and infrastructure, masquerading as legitimate communication from Meta. These emails prompt recipients to click on a link, leading to a rogue landing page aimed at stealing account credentials and two-factor authentication codes, all hosted within the Facebook apps platform. This ingenious approach bypasses traditional anti-spam and anti-phishing measures, highlighting the challenges of combating evolving phishing tactics that exploit seemingly legitimate services.


3. New Adversarial Attacks on AI Language Models

Researchers from various universities have demonstrated how a seemingly innocuous prompt addition can undermine the defenses of widely-used chatbots. Despite efforts to fine-tune models like ChatGPT to avoid objectionable content, the study revealed that a single universal adversarial prompt can breach the defenses of non-adversarially aligned Large Language Models (LLMs), including commercial ones. This discovery raises concerns about the fundamental weaknesses in advanced AI deployment, as even minor adjustments can lead to the generation of harmful and disallowed content. The findings have prompted a call for a broader focus on safeguarding AI systems from potential misuse and disinformation rather than solely relying on alignment methods.


4. Meow Attacks Exploit Unsecured Databases

Researchers at Aquasec have revealed a resurgence of the notorious “Meow” attack, which is now targeting unsecured Jupyter notebooks in an automated campaign. This attack, characterized by its ‘meow’ signature, is actively focusing on numerous publicly accessible databases on the internet, highlighting the potential risks of unsecured online data repositories.


5. Mitel Addresses Product Vulnerabilities

Mitel, a prominent communication solutions provider, has issued critical security advisories on August 2, 2023, focusing on vulnerabilities affecting their MiVoice Office 400 SMB Controller, specifically versions 1.2.5.23 and earlier. The Cyber Centre, recognizing the severity of the situation, emphasizes the importance for both users and administrators to carefully assess the provided web links and promptly apply the required updates. Taking swift action is imperative to safeguard systems and networks against potential threats arising from these identified vulnerabilities.



💥 Cyber Incidents


6. Sensitive Data Exposed in Burger King Breach

Burger King, a renowned international fast food giant, has once again put its systems at risk by inadvertently exposing sensitive credentials publicly. A research team recently discovered a misconfiguration on Burger King’s French website, leading to the exposure of credentials that could potentially be used in cyberattacks. These leaked credentials, found in a publicly accessible environment file, included database access details, Google Tag Manager IDs, and Google Analytics IDs. While the exposed data might not grant complete control, it could simplify the process of a potential attack on the chain’s systems, posing risks to both job applicants and the website’s performance analysis. This incident highlights the need for robust cybersecurity measures to safeguard sensitive information.


7. Russian Cybercriminals Target UK School

In a disturbing incident, the notorious LockBit ransomware group has set its sights on West Oaks School, a specialized institution for children with special educational needs in Leeds, England. The cybercriminals have threatened to release stolen data if a ransom payment is not made within two weeks. As the school grapples with this extortion attempt during its summer break, concerns are mounting about the potential exposure of sensitive information and the impact on the institution’s operations.


8. Cyber Attacks on Italian Banks

The Italian National Authority for Cybersecurity (ACN) reported that at least five major Italian banks fell victim to distributed denial of service (DDoS) attacks orchestrated by the pro-Russian hacker group NoName057(16). The targeted banks, including Intesa Sanpaolo, Monte dei Paschi di Siena, and BPER Banca, experienced temporary website outages, leaving customers unable to access banking services. The attacks, which began at 5 am ET, continued for nearly 8 hours, demonstrating the severity of the cyber threat faced by the nation’s financial institutions amid geopolitical tensions.


9. Cyber Attacks Hit Hot Topic

American retailer Hot Topic is grappling with the aftermath of multiple “credential-stuffing” cyberattacks, leaving customer accounts compromised and sensitive information exposed to hackers. The attacks occurred between Feb. 7 and June 21, targeting Hot Topic Rewards accounts through automated scripts using stolen credentials from the Dark Web. The breached data includes names, email addresses, order histories, phone numbers, mailing addresses, birthdays, and potentially the last four digits of payment cards. Urgent measures are being taken, as Hot Topic works closely with cybersecurity experts to bolster its defenses against such attacks and has already emailed users with instructions to reset their credentials and adopt strong, unique passwords to prevent future breaches.


10. British Columbia Healthcare Cyber Breach

The Health Employers Association of BC revealed a major cyber-security breach affecting organizations that employ healthcare workers in the province, potentially exposing the personal information of nearly 240,000 individuals. The attack targeted servers associated with Health Match BC, the BC Care Aide and Community Health Worker Registry, and the Locums for Rural BC program, with data accessed potentially including birthdates, social insurance numbers, passport details, driver’s licenses, education credentials, investigative reports, and other sensitive information related to employees’ interactions with the affected programs. While wider healthcare records for British Columbians remain unaffected, the breach has raised concerns, prompting the organization to collaborate with cybersecurity and privacy experts to address the incident.



📢 Cyber News


11. Surge in OT & IoT Threats

In the first half of 2023, the landscape of operational technology (OT) and Internet of Things (IoT) faced an alarming surge of malware-related cyber-threats, marking a tenfold increase compared to the preceding six months, according to the latest Nozomi Networks Labs OT & IoT Security Report. The report draws on data collected from industrial control systems (ICS) vulnerabilities, IoT honeypots, and attack trends in OT environments. Denial-of-service (DoS) attacks and remote access trojans (RATs) emerged as dominant threats in the OT sector, while malicious IoT botnets, driven by default credentials, posed substantial risks in IoT networks. Trojans, ransomware, and phishing attacks were commonly detected across both realms, underlining the pressing need for enhanced security measures.


12. Russian Group BlueCharlie: Evolving Threat

Insikt Group tracks the Russia-linked threat activity group BlueCharlie, known for espionage and hack-and-leak operations. BlueCharlie has recently built 94 new domains, potentially for phishing campaigns and credential harvesting, indicating sophistication in adapting to public disclosures and improving its operations security. Network defenders are advised to enhance phishing defenses and implement multi-factor authentication to counter BlueCharlie’s evolving threat.


13. Growing Threats to Industrial Control Systems

In the realm of Industrial Control Systems (ICSs), a concerning trend has emerged as approximately 34% of reported security vulnerabilities in the first half of 2023 lack patches or remediation, marking a significant escalation from the previous year’s 13%. SynSaber’s compiled data highlights 670 ICS product flaws reported through the U.S. Cybersecurity and Infrastructure Security Agency (CISA) during the first half of the year, revealing the critical manufacturing and energy sectors as the most vulnerable. Furthermore, prominent vendors such as Mitsubishi Electric, Siemens, and Rockwell Automation have been significantly affected, while the prevalence of “Forever-Day vulnerabilities” underscores the persistent challenges in securing ICS environments.


14. Cado Security’s Cloud Threat Findings

Cado Security Labs has released its 2023 Cloud Threat Findings Report, which exposes novel cloud-based malware and emphasizes the need for increased cloud security measures. The report highlights dominant botnet agents, SSH as the most targeted service, and opportunistic attackers exploiting known weaknesses. Cado Security predicts an increase in serverless function attacks and advises organizations to comprehend the AWS shared responsibility model and implement least privilege principles to counter emerging cloud threats.


15. Cyble Raises $24M in Series B Funding

In a recent Series B funding round, Cyble, a leading threat intelligence company, has successfully raised $24 million, pushing its total funding to over $38 million. Co-led by Blackbird Ventures and King River Capital, with participation from other prominent investors, this funding will enable Cyble to further enhance its AI-powered cybersecurity solutions and extend its global reach. The Atlanta-based firm specializes in using artificial intelligence to provide proactive cyber risk management and threat analysis, catering to a wide range of clients from government entities to Fortune 50 companies.


Copyright © 2023 CyberMaterial. All Rights Reserved.