CyberWatch

Johnson & Johnson discloses IBM data breach, Microsoft Teams phishing attack pushes DarkGate malware, and Google fixes another Chrome zero-day bug exploited in attacks

By Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Ragnar Locker claims attack on Israel's Mayanei Hayeshua hospital
  2. Johnson & Johnson discloses IBM data breach impacting patients
  3. Outlook Hack: Microsoft Reveals How a Crash Dump Led to a Major Security Breach
  4. Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware
  5. New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World
  6. Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows
  7. Beware: MetaStealer Malware Targets Apple macOS in Recent Attacks
  8. Microsoft Teams phishing attack pushes DarkGate malware
  9. CISA warns govt agencies to secure iPhones against spyware attacks
  10. Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper

Vulnerabilities

  1. Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack
  2. Apple backports BLASTPASS zero-day fix to older iPhones
  3. Google fixes another Chrome zero-day bug exploited in attacks
  4. ICS Patch Tuesday: Critical CodeMeter Vulnerability Impacts Several Siemens Products
  5. Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
  6. Adobe Fixed Actively Exploited Zero-Day in Acrobat and Reader

Ransomware, Malware & Phishing

Ragnar Locker claims attack on Israel's Mayanei Hayeshua hospital

Analysis: The Ragnar Locker ransomware group has claimed responsibility for a cyberattack on Israel's Mayanei Hayeshua hospital, which occurred in early August. The attack disrupted the hospital's record-keeping system, causing a halt in new patient care. The threat actors did not encrypt devices to avoid malfunctions but admitted to stealing data from the organization. They have already published 420 GB of allegedly stolen data and have threatened to release more over the next week. The stolen information includes sensitive medical records, procedure details, and drug prescriptions. The attackers also claim to have taken 1 TB of data, including a SQL database and emails, according to a ransom note seen by BleepingComputer. Mayanei Hayeshua has not yet confirmed if the stolen data belongs to their organization.

Access Point recommends the following:

  1. Regularly Update and Patch Systems: Healthcare organizations should regularly update and patch systems to address known vulnerabilities and mitigate potential risks.
  2. Implement Robust Security Processes: Organizations should implement robust backup and recovery processes to ensure data can be restored in case of a ransomware attack.
  3. Security Awareness Training: Organizations should conduct employee training on cybersecurity best practices, including how to recognize and report suspicious activities or emails.
  4. Advanced Endpoint Protection: Organizations should utilize solutions to detect and prevent ransomware infections.
  5. Employ Network Segmentation: Network segmentation limits lateral movement of threats within your network; pair it with monitoring of network traffic and behavior for any unusual or unauthorized activity.
  6. Multi-Factor Authentication: Consider implementing an MFA system to add an extra layer of security to critical systems and accounts.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Data Encrypted for Impact (T1486)
  • Data from Local System (T1005)
  • Exfiltration Over Command-and-Control Channel (T1041)
  • Commonly Used Port (T1043)

Johnson & Johnson discloses IBM data breach impacting patients

Analysis: Johnson & Johnson Health Care Systems, operating through its subsidiary "Janssen," recently disclosed a significant data breach to its CarePath customers, highlighting the potential risks associated with third-party providers. This breach was traced back to IBM, responsible for managing the CarePath application and its underlying database, which serves a critical role in providing access to Janssen medications, offering cost-saving recommendations, prescription discounts, insurance coverage assistance, and medication administration alerts. The breach was discovered when an undisclosed vulnerability allowed unauthorized access to the CarePath database. Janssen promptly reported the issue to IBM, leading to a swift security fix and an internal investigation that confirmed unauthorized access to sensitive user information. This breach impacts CarePath users who registered for Janssen's online services before July 2nd, 2023, raising questions about the breach's timeline or whether it involved a backup database. Fortunately, critical data like social security numbers and financial information were not compromised.

While Pulmonary Hypertension patients remain unaffected, the compromised data poses risks, including potential phishing, scams, and social engineering attacks. The valuable medical data may also find its way to darknet markets. IBM, in a separate statement, claims no evidence of data misuse but strongly advises vigilance among Janssen CarePath users. They are offering one year of free credit monitoring and assistance through toll-free numbers. This incident is separate from previous security issues involving IBM, such as the Clop ransomware attack and the Colorado Department of Health Care Policy & Financing breach, emphasizing the need for robust cybersecurity measures.

Access Point recommends the following:

  1. Conduct Regular Security Audits: It’s essential for healthcare organizations to conduct regular audits of sensitive data to identify and rectify vulnerabilities.
  2. Implement Access Controls & Monitoring Systems: Enforce stringent access controls, monitoring systems, and authentication mechanisms to safeguard sensitive information and detect unauthorized access and unusual activities promptly.
  3. User Education and Awareness: Educating users and employees about the risks associated with downloading and executing unknown files or software, especially from untrusted sources, is paramount. Implement comprehensive cybersecurity training programs to keep personnel informed and vigilant against evolving threats.
  4. Dark Web Awareness: Stay informed about developments on the dark web, where malware like Agniane Stealer is sold and distributed. Monitoring these channels can provide insights into potential threats and the evolving cybercriminal landscape.
  5. Compliance and Incident Response Plans: Ensure compliance with industry-specific cybersecurity standards and regulations, and have well-defined incident response plans in place. Being prepared to react swiftly to security incidents can help mitigate their impact.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Data from Local System (T1005)
  • Exfiltration Over Command-and-Control Channel (T1041)
  • Phishing (T1566)

Outlook Hack: Microsoft Reveals How a Crash Dump Led to a Major Security Breach

Analysis: Microsoft recently revealed a concerning security incident involving a China-based threat actor, Storm-0558, who successfully acquired an inactive consumer signing key. This breach enabled the threat actor to forge tokens and gain unauthorized access to Outlook, a widely used email platform. The breach's origins trace back to the compromise of an engineer's corporate account, which granted access to a debugging environment housing data linked to a consumer signing system crash from April 2021. Notably, Microsoft's post-mortem report uncovered a race condition that caused the signing key to be present in the crash dump, a fact its security systems initially failed to detect.

The mishandled crash dump was transferred to an internet-connected corporate network's debugging environment, where Storm-0558 is believed to have seized the key. Unfortunately, the exact method used to breach the engineer's account remains elusive due to Microsoft's log retention policies. The report alludes to potential spear-phishing and the use of token-stealing malware, but it lacks comprehensive details regarding the initial compromise, the extent of other affected corporate accounts, and the timeline of events. Security researchers suspect that Storm-0558 might have held the signing key for over two years, if the earliest plausible timeline is accurate. Microsoft had previously noted Storm-0558's interest in OAuth applications, token theft, and token replay against Microsoft accounts, dating back to at least August 2021, indicating a long-running campaign.

Storm-0558, the threat actor behind this incident, is connected to breaches in approximately 25 organizations, leveraging the compromised consumer signing key to gain unauthorized access to Outlook Web Access (OWA) and Outlook.com. The breach was attributed to a validation error that mistakenly trusted the key for signing Azure AD tokens. Microsoft has taken corrective measures to ensure that the mail system no longer accepts requests for enterprise email using a security token signed with the compromised consumer key. Importantly, no additional evidence of unauthorized access to applications beyond email inboxes was discovered.
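The validation error described above is a key-scope failure: a signature verified against a trusted key, but nobody checked that the key was authorised for the token's issuer. The following is an added example, not Microsoft's code or its real token format; it uses HMAC-SHA256 and constructed key identifiers, issuers and claims as stand-ins for the RSA keys and JWKS of a real deployment, and contrasts a signature-only verifier with one that binds each key to one issuer.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed registry. Real deployments publish RSA keys via JWKS; HMAC secrets
# stand in here so the example runs offline. The field that matters is "issuer":
# the single token issuer each key is authorised to sign for.
CONSUMER_ISSUER = "https://login.consumer.example"            # consumer accounts
ENTERPRISE_ISSUER = "https://sts.enterprise.example/tenant-a"  # enterprise tenant
KEY_REGISTRY = {
    "consumer-2016": {"secret": b"constructed-consumer-signing-secret", "issuer": CONSUMER_ISSUER},
    "enterprise-2023": {"secret": b"constructed-enterprise-signing-secret", "issuer": ENTERPRISE_ISSUER},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    mac = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def _parse(token: str) -> Tuple[str, dict, dict, bytes]:
    """Split a token into signing input, header, claims and raw signature."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return head_b64 + "." + body_b64, header, claims, _b64url_decode(sig_b64)


def _signature_ok(kid: str, signing_input: str, signature: bytes) -> bool:
    expected = hmac.new(KEY_REGISTRY[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def verify_signature_only(token: str, expected_issuer: str) -> bool:
    """Flawed verifier: accepts any token whose signature checks out under *some*
    registered key, then trusts the 'iss' claim the token itself carries."""
    try:
        signing_input, header, claims, signature = _parse(token)
    except ValueError:          # malformed structure, bad base64 or bad JSON
        return False
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in KEY_REGISTRY:
        return False
    return _signature_ok(kid, signing_input, signature) and claims.get("iss") == expected_issuer


def verify_with_key_scope(token: str, expected_issuer: str) -> bool:
    """Hardened verifier: the key named by 'kid' must be the one bound to the issuer
    this service expects, so a consumer key can never validate an enterprise token."""
    try:
        signing_input, header, claims, signature = _parse(token)
    except ValueError:
        return False
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in KEY_REGISTRY:
        return False
    if KEY_REGISTRY[kid]["issuer"] != expected_issuer:
        return False            # key not authorised for this issuer, whatever the signature says
    return _signature_ok(kid, signing_input, signature) and claims.get("iss") == expected_issuer


def cross_issuer_token() -> str:
    """Reproduces the failure mode: enterprise claims signed with the consumer key."""
    return sign_token("consumer-2016", {"iss": ENTERPRISE_ISSUER, "sub": "user@tenant-a", "aud": "mail"})


def legitimate_enterprise_token() -> str:
    return sign_token("enterprise-2023", {"iss": ENTERPRISE_ISSUER, "sub": "user@tenant-a", "aud": "mail"})


if __name__ == "__main__":
    bad, good = cross_issuer_token(), legitimate_enterprise_token()
    print("signature-only verifier accepts cross-issuer token:", verify_signature_only(bad, ENTERPRISE_ISSUER))
    print("key-scoped verifier rejects cross-issuer token:   ", not verify_with_key_scope(bad, ENTERPRISE_ISSUER))
    print("key-scoped verifier accepts legitimate token:     ", verify_with_key_scope(good, ENTERPRISE_ISSUER))
```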

Access Point recommends the following:

  1. Thorough Incident Investigations: Organizations should conduct comprehensive investigations into security incidents to determine their scope and impact.
  2. Enhance Log Retention Policies: Strengthen log retention policies to capture essential data for forensic analysis.
  3. Implement Multi-Factor Authentication (MFA): Deploy multi-factor authentication (MFA) and robust access controls to prevent unauthorized access.
  4. Continuous Network Monitoring: Continuously monitor corporate networks for unusual or suspicious activities.
  5. Cybersecurity Education: Educate employees about cybersecurity best practices, especially focusing on recognizing and reporting phishing attempts.
  6. Regular Software Updates: Consistently update and patch software to mitigate vulnerabilities.
  7. Security Assessments and Audits: Conduct routine security assessments and audits to identify and address weaknesses in systems and processes.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Spear Phishing (T1566)
  • Token Theft (T1552)
  • Initial Access (T1078)
  • Exfiltration Over Command-and-Control Channel (T1041)
  • Validation Error (T1519)
  • Credential Access (T1003)

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

Analysis: A malicious advertising campaign that was originally targeting Windows users has now expanded its scope to include Mac users. The malware in question, known as Atomic Stealer (AMOS), made its debut in April 2023, equipped with the capability to steal crypto assets, passwords, and files from macOS systems. The developer behind AMOS continuously updates the malware, with a new version released in late June. To distribute AMOS, cybercriminals primarily rely on cracked software downloads and also employ tactics such as impersonating legitimate websites and using ads on search engines like Google to entice victims.

In this specific campaign, TradingView, a prominent platform for monitoring financial markets, became a target. Threat actors manipulate Google search results by purchasing ads that mimic well-known brands, redirecting victims to a deceptive website closely resembling the official TradingView page. Special font characters are used to disguise the fake domain, potentially allowing it to evade Google's ad quality checks. The compromised advertiser account linked to this campaign can be traced back to Belarus. When users click on the ad, they are redirected to a phishing page hosted at trabingviews[.]com. This fake site convincingly offers downloads for the TradingView app on Windows, Mac, and Linux platforms.

The downloaded file, named "TradingView.dmg," provides instructions on how to bypass Gatekeeper. Unlike typical apps, it doesn't need to be copied into the Mac's Applications folder but is executed directly. The malware is bundled within an ad-hoc signed app, so Apple cannot neutralize it by revoking a developer certificate. Once executed, it persistently prompts users for their password until it is provided. The attacker's objective is to run the program, steal data from victims, and quickly exfiltrate it to their server, potentially encompassing various types of sensitive information.

Access Point recommends the following:

  1. Exercise Caution When Downloading Applications: Always exercise caution when downloading applications, especially from sources like ads or search engine results.
  2. Verify the Legitimacy of the Source: Prioritize verifying the legitimacy of the source before downloading any software or applications.
  3. Beware of Phishing Sites: Be vigilant for phishing sites and take the time to ensure that websites are authentic before proceeding with downloads.
  4. Utilize Antivirus with Real-Time Protection: Employ an antivirus solution with real-time protection to proactively block malware before it can compromise your system and steal valuable data.
  5. Regularly Update and Patch Systems: Consistently update and patch your operating system and applications to mitigate vulnerabilities and enhance your overall cybersecurity posture.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Phishing (T1566.001)
  • Drive-by Compromise (T1566.002)
  • Malicious Ads (T1566.003)
  • User Execution (T1204.002)
  • Scripting (T1204.001)
  • Malicious File (T1204.003)
  • Compiled HTML File (T1204.004)
  • Credential Dumping (T1003.001)
  • Steal Web Credentials (T1003.002)
  • Keychain Access (T1003.003)
  • Automated Collection (T1119.001)
  • Exfiltration Over Command-and-Control Channel (T1020.001)
  • Web Service (T1102.001)
  • Impair Defenses (T1562.001)
  • Disable or Modify Tools (T1562.002)
  • System Information Discovery (T1082.001)
  • Account Discovery (T1082.002)
  • Application Discovery (T1082.003)
  • Process Discovery (T1082.004)
  • Remote File Copy (T1570.001)
  • Remote Desktop Protocol (T1570.002)
  • Pass the Hash (T1570.003)
  • Pass the Ticket (T1570.004)
  • Data Destruction (T1485.001)

New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World

Analysis: Zscaler ThreatLabz has identified an increasingly prevalent malware loader known as "HijackLoader." While not particularly sophisticated, it distinguishes itself with its modular framework, facilitating seamless code injection and execution. HijackLoader has been harnessed to distribute a range of malware families, notably Danabot, SystemBC, and RedLine Stealer. It employs evasion techniques such as syscalls to slip past security solutions. Additionally, it identifies specific processes based on a predetermined blocklist and introduces delays during code execution. The initial method of access remains undisclosed. However, upon execution, HijackLoader tweaks a function within the Windows C Runtime (CRT), directing it to the initial stage's entry point. It assesses whether the payload is already embedded in the binary or needs to be retrieved from an external server. For persistence, HijackLoader crafts a shortcut link (LNK) in the Windows Startup folder, linking it to a Background Intelligent Transfer Service (BITS) job that points to the executable file. The first stage incorporates evasion techniques like dynamically loading Windows API functions through a specialized API hashing technique. It also performs an HTTP connectivity test to a legitimate website and introduces delays at various stages of code execution.

Access Point recommends the following:

  1. Implement Strong Authentication Mechanisms: Counteract phishing attacks by implementing robust authentication mechanisms, including FIDO2.
  2. Strengthen Access Policies: Enhance access policies by implementing measures such as IP whitelisting and trusted device verification.
  3. Continuous Account Monitoring: Continuously monitor account activities for any signs of suspicious behavior or unauthorized access.
  4. Employ Additional Email Security Layers: Bolster your email security by adding extra layers to detect and block advanced threats.
  5. Phishing Domain Vigilance: Proactively hunt for phishing domains and regularly educate your team on recognizing and reporting such threats.
  6. Thorough Incident Response: In cases of suspected compromise, conduct a thorough investigation and promptly report the incident to law enforcement if necessary.
  7. Review and Update Security Policies: Regularly review and update your organization's security policies to adapt to evolving threats and vulnerabilities.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Phishing (T1566.001)
  • Drive-by Compromise (T1566.002)
  • Malicious Ads (T1566.003)
  • User Execution (T1204.002)
  • Scripting (T1204.001)
  • Malicious File (T1204.003)
  • Compiled HTML File (T1204.004)
  • Credential Dumping (T1003.001)
  • Steal Web Credentials (T1003.002)
  • Keychain Access (T1003.003)
  • Automated Collection (T1119.001)
  • Exfiltration Over Command-and-Control Channel (T1020.001)
  • Web Service (T1102.001)
  • Impair Defenses (T1562.001)
  • Disable or Modify Tools (T1562.002)
  • System Information Discovery (T1082.001)
  • Account Discovery (T1082.002)
  • Application Discovery (T1082.003)
  • Process Discovery (T1082.004)
  • Remote File Copy (T1570.001)
  • Remote Desktop Protocol (T1570.002)
  • Pass the Hash (T1570.003)
  • Pass the Ticket (T1570.004)
  • Data Destruction (T1485.001)

Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows

Analysis: A recently uncovered cyberattack campaign, dubbed "Steal-It" by Zscaler ThreatLabz, has come to light, exploiting a PowerShell script associated with a legitimate red teaming tool. The campaign's primary aim is to pilfer NTLMv2 hashes from compromised Windows systems, with a particular focus on targets primarily located in Australia, Poland, and Belgium. The attackers leverage customized versions of Nishang's "Start-CaptureServer" PowerShell script for their malicious activities, which not only steal and exfiltrate NTLMv2 hashes but also execute various system commands, sending the retrieved data through Mockbin APIs. Nishang itself is a framework housing a collection of PowerShell scripts and payloads designed for offensive security, penetration testing, and red teaming purposes.

The infection chains within this campaign are as follows:

  • A custom version of the "Start-CaptureServer" PowerShell script is employed to harvest NTLMv2 hashes.
  • Australian users are targeted with a CMD file disguised as an OnlyFans lure, which extracts system information.
  • Polish users are enticed with explicit images of Ukrainian and Russian Fansly models, leading to a CMD file download that exfiltrates the results of the "whoami" command.
  • Belgian users are targeted with fake Windows update scripts executing commands like "tasklist" and "systeminfo."

Of notable significance is the fact that the last attack sequence was previously identified by the Computer Emergency Response Team of Ukraine (CERT-UA) in May 2023 as part of an APT28 campaign targeting government institutions in Ukraine. This suggests a potential connection to the Russian state-sponsored threat actor.

Access Point recommends the following:

  1. User Education: Educate users on identifying and avoiding phishing emails and suspicious attachments to minimize the risk of falling victim to such campaigns.
  2. Advanced Endpoint Security: Implement advanced endpoint security solutions that can detect and prevent malicious PowerShell scripts.
  3. Access Controls and Least Privilege: Enforce strict access controls and adhere to least privilege principles to limit the impact of potential breaches.
  4. Security Patching: Ensure that systems are regularly updated with the latest security patches to mitigate known vulnerabilities.
  5. Network Traffic Monitoring: Continuously monitor network traffic for unusual patterns or connections to suspicious domains or IP addresses, which can help in early detection and response to potential threats.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • PowerShell (T1059.001)
  • Phishing (T1566)
  • User Execution (T1204)
  • Data Exfiltration (T1020)
  • Masquerading (T1036)

Beware: MetaStealer Malware Targets Apple macOS in Recent Attacks

Analysis: The emergence of a new information-stealing malware called "MetaStealer" has raised concerns, particularly for Apple macOS users. This development adds to the growing list of stealer families targeting macOS, joining the ranks of Stealer, Pureland, Atomic Stealer, and Realst. MetaStealer is distributed as rogue application bundles in disk image format (DMG), with threat actors posing as potential design clients to persuade victims into launching the malicious payloads. In some instances, the malware disguises itself as Adobe files or installers for Adobe Photoshop.

The first signs of MetaStealer artifacts were detected in March 2023, with the most recent sample appearing on VirusTotal on August 27, 2023. Notably, this malware's targeting of business users diverges from the typical distribution methods of macOS malware, often found on torrent sites or distributed through suspicious third-party software platforms as cracked versions of popular business or productivity software.

The primary payload component of MetaStealer is an obfuscated Go-based executable designed to extract data from iCloud Keychain, saved passwords, and files stored on the compromised host. Some versions of MetaStealer also appear to have functions targeting Telegram and Meta services. Interestingly, MetaStealer variants have been known to impersonate TradingView, a tactic also recently employed by Atomic Stealer. This raises questions about potential connections between these stealer families, either through shared authors or distinct actor groups adopting similar tactics.

The emergence of MetaStealer underscores the growing trend of targeting Mac users for their data, particularly business users. MetaStealer's clear focus on extracting valuable keychain and other information makes it a significant threat. This stolen high-value data can be exploited for various cybercriminal activities or to gain a foothold in larger business networks.

Access Point recommends the following:

  1. Exercise Caution with Email Attachments: Be cautious when handling email attachments, especially if they come from unknown or suspicious sources.
  2. Download from Official Sources: Download applications and files only from official and trusted sources to reduce the risk of malware infections.
  3. Reputable Endpoint Security Solutions: Utilize reputable endpoint security solutions that can detect and prevent malware infections.
  4. Keep Software Updated: Ensure that all software, including security tools and applications, is regularly updated to patch known vulnerabilities.
  5. User Training: Educate users on recognizing and reporting suspicious emails or activities, emphasizing cybersecurity best practices as a critical defense against evolving threats.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Spearphishing Attachment (T1566.001)
  • Obfuscated Files or Information (T1027)
  • Data from Local System (T1005)

Microsoft Teams phishing attack pushes DarkGate malware

Analysis: A new and concerning phishing campaign has come to light, exploiting Microsoft Teams messages as a vector for distributing malicious attachments and deploying the DarkGate Loader malware. This campaign, which began in late August 2023, involves compromised external Office 365 accounts sending deceptive Microsoft Teams messages to organizations. These messages aim to lure users into downloading a seemingly innocent ZIP file named "Changes to the vacation schedule." However, clicking on this attachment triggers the download of the ZIP file from a SharePoint URL, containing an LNK file cleverly disguised as a PDF document.

Researchers at Truesec have conducted an in-depth analysis of this campaign and identified malicious VBScript within it, leading to an infection chain that ultimately results in the deployment of the DarkGate Loader. To avoid detection, the download process uses the curl binary shipped with Windows to retrieve the malware's executable and script files. The script arrives pre-compiled, concealing its malicious code within the file, marked by the distinctive "magic bytes" of compiled AutoIt scripts. Before proceeding, the script checks for the presence of Sophos antivirus software. If it is absent, the script deobfuscates additional code and initiates the shellcode, which uses a technique called "stacked strings" to construct the DarkGate Windows executable and load it into memory.
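Two of the disguises above (an LNK shortcut named like a PDF inside the ZIP attachment, and a compiled AutoIt payload identifiable by its marker bytes) can be caught by content-based triage of the attachment rather than by trusting file names. The following is an added example, not Truesec's or Microsoft's code: it builds a constructed ZIP that mirrors the lure, then flags entries whose leading bytes disagree with their extension and entries carrying the AutoIt marker. The LNK header bytes follow the public Shell Link format; the "AU3!EA06" marker string is assumed from public AutoIt unpacker documentation.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Shell Link (LNK) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Leading bytes for the content types this triage distinguishes (offset 0).
MAGIC = {
    "lnk": LNK_HEADER,
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}
# Marker found in executables that embed a compiled AutoIt script (the "magic
# bytes" the analysis refers to). Assumed here from public unpacker documentation.
AUTOIT_MARKER = b"AU3!EA06"


@dataclass
class Finding:
    entry: str
    reason: str


def detect_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_archive(blob: bytes, max_read: int = 1 << 20) -> List[Finding]:
    """Inspect each entry of a ZIP attachment and report the disguises described above."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(max_read)      # bounded read: never trust declared sizes
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            actual = detect_type(head)
            if actual == "lnk":
                findings.append(Finding(info.filename, "Windows shortcut (LNK) delivered inside an attachment"))
                if len(parts) > 2:            # e.g. name.pdf.lnk: Explorer hides the real .lnk extension
                    findings.append(Finding(info.filename, f"double extension: '.{parts[-2]}' name hides .lnk"))
            elif actual is not None and ext in MAGIC and actual != ext:
                findings.append(Finding(info.filename, f"content is {actual} but the extension claims {ext}"))
            if AUTOIT_MARKER in head:
                findings.append(Finding(info.filename, "compiled AutoIt script marker present"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the lure: a .pdf.lnk shortcut, a benign PDF,
    and an executable carrying the compiled-AutoIt marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", LNK_HEADER + b"\x00" * 60)
        zf.writestr("readme.pdf", b"%PDF-1.4\n% constructed benign document\n")
        zf.writestr("update.exe", b"MZ" + b"\x00" * 120 + AUTOIT_MARKER + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f"{f.entry}: {f.reason}")
```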

The phishing campaign capitalizes on compromised Microsoft Teams accounts to distribute malicious attachments to other Teams organizations, mirroring a similar report from June 2023 that demonstrated how malicious messages could be sent to other organizations through phishing and social engineering. Despite these potential risks, Microsoft has not directly addressed this issue. Instead, they recommend that administrators implement secure configurations, such as narrow-scoped allow-lists and disabling external access if communication with external tenants is not required.

A tool released by a Red Teamer in July 2023 has streamlined this Microsoft Teams phishing attack, potentially increasing its prevalence. However, it remains unclear if this method is involved in the observed campaign. DarkGate, a potent malware with a history dating back to 2017, is the focal point of this campaign. Although previously limited to specific targets, recent reports indicate an uptick in DarkGate distribution through various channels, including phishing and malvertising. Its versatile capabilities encompass hVNC for remote access, cryptocurrency mining, reverse shell, keylogging, clipboard stealing, and information theft. While DarkGate is not yet widespread, its expanding targeting and adoption of multiple infection avenues warrant close monitoring.

Access Point recommends the following:

  1. User Education: Educate users about identifying and avoiding phishing emails and suspicious attachments, emphasizing the importance of vigilance.
  2. Robust Endpoint Protection: Implement robust endpoint protection solutions to detect and prevent malware infections effectively.
  3. Software Updates: Keep all software up-to-date to address known vulnerabilities and reduce the attack surface.
  4. Access Controls: Enforce strict access controls to limit the potential impact of security breaches.
  5. Network Monitoring: Continuously monitor network traffic for unusual patterns or connections to suspicious domains or IP addresses, enabling early detection and response to potential threats.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Spearphishing Attachment (T1566.001)
  • PowerShell (T1059.001)
  • Obfuscated Files or Information (T1027)
  • Data from Local System (T1005)

CISA warns govt agencies to secure iPhones against spyware attacks

Analysis: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken swift action by ordering federal agencies to urgently address security vulnerabilities exploited in a zero-click iMessage exploit chain. The chain enabled the installation of NSO Group's Pegasus spyware on iPhones. The order follows Citizen Lab's revelation that two critical flaws were used to compromise fully updated iPhones belonging to a Washington DC-based civil society organization.

The exploit chain, known as BLASTPASS, operated through PassKit attachments containing malicious images. In light of this, Citizen Lab has strongly advised Apple customers to immediately apply the emergency updates released on Thursday. Additionally, they have encouraged individuals who may be susceptible to targeted attacks due to their identity or occupation to enable Lockdown Mode.

Apple has acknowledged the report of potential active exploitation and identified the two vulnerabilities in Image I/O (CVE-2023-41064) and Wallet (CVE-2023-41061). These vulnerabilities impact a wide range of devices, including iPhone 8 and later models, various iPad models, Macs running macOS Ventura, and Apple Watch Series 4 and later. Apple has addressed these two zero-days in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. The updates include improved memory handling and logic fixes for flaws that could lead to arbitrary code execution on unpatched devices.

These vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog and are recognized as "frequent attack vectors for malicious cyber actors," posing significant risks. U.S. Federal Civilian Executive Branch Agencies (FCEB) are mandated to patch these vulnerabilities by October 2nd, 2023, in accordance with a binding operational directive (BOD 22-01) issued in November 2022. While this directive primarily targets U.S. federal agencies, CISA strongly advises private companies to prioritize patching these vulnerabilities promptly.

Apple's quick response is notable, as they have addressed a total of 13 zero-days exploited to target various devices since January 2023. This highlights the critical importance of timely security updates.

Access Point recommends the following:

  1. Apply Emergency Updates: Immediately apply the emergency updates provided by Apple to address these critical vulnerabilities, especially for individuals at higher risk of targeted attacks due to their identity or occupation.
  2. Stay Informed: Keep abreast of security updates and advisories from trusted sources to ensure that your devices and systems are protected.
  3. Regular Backups: Ensure that important data is regularly backed up to mitigate the impact of unforeseen security incidents or data loss.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Exploit Public-Facing Application (T1190)
  • Phishing (T1566)

Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper

Analysis: A highly sophisticated phishing campaign has recently emerged, utilizing a Microsoft Word document as bait to distribute a combination of malicious threats, including Agent Tesla, OriginBotnet, and RedLine Clipper. The attack commences with a phishing email containing the malicious Word document, which presents a deliberately blurred image alongside a counterfeit reCAPTCHA to entice the recipient into clicking. This action triggers the delivery of a loader from a remote server, tasked with disseminating the mentioned threats.

The loader, crafted in .NET, employs binary padding to inflate its size to 400 MB, a tactic aimed at evading detection by security software. Once activated, the loader initiates a multi-stage process to establish persistence on the host and extract a DLL responsible for deploying the final payloads.

Among the threats involved, RedLine Clipper, a .NET executable, specializes in cryptocurrency theft by altering the user's system clipboard to replace the destination wallet address with one controlled by the attacker. It accomplishes this by monitoring clipboard changes and verifying copied strings.

Agent Tesla, another component of this attack, is a .NET-based remote access trojan (RAT) and data stealer. It is deployed for initial access and the exfiltration of sensitive information, including keystrokes and login credentials. The stolen data is transmitted to a command-and-control (C2) server via the SMTP protocol.

In addition, a new malware variant named OriginBotnet is delivered in this campaign. OriginBotnet possesses various features for data collection, communication with its C2 server, and the ability to download additional plugins. These plugins can be used for keylogging or password recovery functions on compromised endpoints. One such plugin, the PasswordRecovery plugin, retrieves and organizes credentials from various browser and software accounts, reporting them via HTTP POST requests.

This attack campaign is characterized by a complex chain of events, commencing with a malicious Word document distributed through phishing emails and ultimately leading victims to download a loader that executes a series of malware payloads. The campaign employs advanced techniques to evade detection and maintain persistence on compromised systems.

Access Point recommends the following:

  1. Phishing Awareness Training: Provide training to employees to recognize and respond to phishing attempts, emphasizing caution when handling email attachments.
  2. Software and System Updates: Keep software and systems up-to-date to mitigate known vulnerabilities that could be exploited by attackers.
  3. Comprehensive Security Solutions: Utilize a combination of email filtering, endpoint protection, and network security solutions to detect and block threats at various stages of the attack chain.
  4. Regular Data Backups: Ensure that critical data is regularly backed up and stored in a secure location to facilitate recovery in case of a security incident.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Phishing (T1566)
  • Execution (T1059)
  • Data Exfiltration (T1020)
  • Remote Access Tool (T1219)

Vulnerabilities

Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

Analysis: GitHub has recently come under scrutiny due to a vulnerability that left thousands of repositories susceptible to repojacking attacks. Elad Rapoport, a security researcher from Checkmarx, discovered that attackers could exploit a race condition in GitHub's processes for repository creation and username renaming. If successfully exploited, the flaw would have jeopardized over 4,000 code packages in languages like Go, PHP, and Swift, along with GitHub actions. This issue was responsibly disclosed on March 1, 2023, and subsequently addressed by GitHub on September 1, 2023.

Repojacking, or repository hijacking, refers to the act of a threat actor circumventing the "popular repository namespace retirement" security measure on GitHub. This protection typically prevents users from creating a new repository with the same name as an older repository that had more than 100 clones when its associated user account underwent renaming. Consequently, this means that a combination of a username and repository name gets "retired" or reserved. Without this safeguard, attackers can establish new accounts with retired usernames and then upload malicious repositories, posing potential threats to the software supply chain.

Checkmarx's findings revealed a new method for achieving repojacking by exploiting a race condition. In the outlined scenario, a victim who owns the namespace "victim_user/repo" renames their username to "renamed_user", which retires the "victim_user/repo" namespace. An attacker then creates a repository named "repo" while simultaneously changing their own username from "attacker_user" to "victim_user". This dual action requires an API request that initiates the repository creation, followed by intercepting the request that renames the username. Notably, GitHub had addressed a similar repojacking issue nearly nine months before this discovery, emphasizing the ongoing risks associated with the repository namespace retirement mechanism.

Access Point recommends the following:

  1. Review Repositories: Users and organizations should review any changes made to their repositories, especially if they have recently renamed their usernames. While GitHub has addressed this specific vulnerability, it is crucial to remain vigilant and monitor repositories for any unexpected modifications or suspicious activities. Adopting a multi-layered security approach, such as using strong authentication methods and regularly auditing repository activities, will further fortify against potential repojacking threats and other security risks.
  2. Keep Software Updated: As always, it's recommended to keep all software up-to-date and to stay informed on security updates from platforms like GitHub.
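Repojacking only pays off when a consumer resolves a name that the new owner controls, so the practical review step is to find which of your pipelines reference external GitHub namespaces by a mutable tag or branch rather than by a commit SHA. The following audit is an added example, not code from Access Point, Checkmarx or GitHub; the workflow files, owner names and the 40-hex SHA are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample workflows; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.18
      - uses: some-user/release-helper@main
""",
    ".github/workflows/deploy.yml": """
jobs:
  deploy:
    steps:
      - uses: another-user/deploy-action@v1.2.3
""",
}

# `uses:` lines are regular enough to parse without a YAML library.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)(?:@([^\s'\"]+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass(frozen=True)
class Finding:
    path: str
    action: str   # owner/repo[/subdir]: the namespace a username rename can retire
    ref: str
    reason: str

def is_github_action(action: str) -> bool:
    # Local paths and container images do not live under a GitHub user namespace.
    return not (action.startswith("./") or action.startswith("docker://"))

def audit_workflow(path: str, text: str) -> list:
    """Flag every GitHub-hosted action that is not pinned to a commit SHA."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2) or ""
        if not is_github_action(action):
            continue
        if SHA_RE.match(ref):
            continue  # content-addressed pin: a hijacked namespace cannot serve other code for it
        if not ref:
            reason = "no ref (resolves to the default branch)"
        elif re.match(r"^v?\d", ref):
            reason = "mutable tag"
        else:
            reason = "branch ref"
        findings.append(Finding(path, action, ref, reason))
    return findings

def audit_all(workflows: dict) -> list:
    return [f for path, text in workflows.items() for f in audit_workflow(path, text)]

def external_owners(workflows: dict) -> set:
    """Owner namespaces the pipelines depend on: the list to review after any rename."""
    return {m.group(1).split("/")[0] for text in workflows.values()
            for m in USES_RE.finditer(text) if is_github_action(m.group(1))}
```

The same `uses:` pattern covers reusable workflows (`owner/repo/.github/workflows/x.yml@ref`), so one pass over `.github/workflows/` lists every namespace whose rename or retirement would matter to the build.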

Apple backports BLASTPASS zero-day fix to older iPhones

Analysis: Apple has released security updates for older iPhones to remediate the following zero-day, which has been used to deploy spyware and execute remote code on Apple devices:

  • CVE-2023-41061 – a validation issue addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution.

This CVE, used in the zero-click attack chain known as BLASTPASS, involved sending specially crafted images in iMessage PassKit attachments to install spyware. Apple has released fixes for these flaws, and CISA has published an alert requiring federal agencies to patch by October 2nd, 2023.

These updates have now been backported to older iOS version 15.7.9 and iPadOS 15.7.9, macOS Monterey 12.6.9, and macOS Big Sur 11.7.10.

Attacks on macOS remain theoretical, but applying these updates is strongly recommended even though the flaw has not been actively exploited on macOS.

Access Point recommends the following:

  1. Update Apple Devices: Update all applicable Apple devices as soon as possible to the latest version. Leave the device plugged in and powered on, and ensure that the update has been installed or is queued to install on every Apple device.

Google fixes another Chrome zero-day bug exploited in attacks

Analysis: Google has released an emergency security update to fix a critical zero-day vulnerability (CVE-2023-4863), a heap buffer overflow in WebP that can lead to arbitrary code execution. This vulnerability was reported by Apple Security Engineering and Architecture and The Citizen Lab at The University of Toronto’s Munk School on 2023-09-06.

Google has stated that an exploit for this vulnerability exists in the wild, but attack details will be withheld until a majority of users have updated. This is to prevent more threat actors from acting on the active exploit and endangering more users.

Google advised Chrome users to upgrade to version 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows as soon as possible to patch CVE-2023-4863.

Access Point recommends the following:

  1. Update Your Browser: To check for updates, navigate to the triple-dots in the top right corner of the browser, hover over the “Help” icon, and select “About Chrome” to receive the latest update.

ICS Patch Tuesday: Critical CodeMeter Vulnerability Impacts Several Siemens Products

Analysis: Siemens and Schneider Electric have released their Patch Tuesday advisories for September 2023, revealing various vulnerabilities within their products.

Siemens' advisories covered 45 vulnerabilities across its industrial product range. Among these, a critical flaw, CVE-2023-3935, was identified in the Wibu Systems’ CodeMeter software, used in multiple Siemens products such as PSS, SIMATIC, SIMIT, SINEC, and SINEMA. This vulnerability, depending on the CodeMeter Runtime's configuration, can allow remote unauthenticated attackers to execute arbitrary code or permit authenticated local attackers to escalate privileges. Other noteworthy vulnerabilities were found in QMS Automotive, allowing for potential session hijacking, malicious file uploads, information exposure, DoS attacks, and arbitrary code execution. The RUGGEDCOM APE1808 product family presented multiple medium and high-severity vulnerabilities related to the Insyde-provided BIOS. Siemens' Parasolid, Teamcenter Visualization, and JT2Go products have vulnerabilities that can lead to remote code execution through specially crafted files, and several SIMATIC and SIPLUS products contain an ANSI C OPC UA SDK vulnerability, allowing potential DoS conditions. Additionally, Siemens discussed the implications of an Intel CPU vulnerability named Downfall on their SIMATIC industrial PCs and is actively working on solutions.

Schneider Electric, on the other hand, released a single advisory regarding a high-severity vulnerability in its IGSS (Interactive Graphical SCADA System) product. The flaw stems from missing authentication. If exploited, it could enable a local attacker to alter the update source, which might lead to remote code execution if the attacker pushes an update containing malicious content.

Access Point recommends the following:

  1. Review Company Advisories: Customers using Siemens and Schneider Electric products should urgently review the recent advisories released by both companies for September 2023.
  2. Prioritize Patching Systems: Prioritize patching systems affected by the vulnerabilities, especially the critical ones such as CVE-2023-3935 in Siemens' Wibu Systems’ CodeMeter software and the high-severity flaw in Schneider Electric's IGSS. Considering the potential risks of remote code execution, session hijacking, privilege escalation, and other malicious activities, it's crucial to implement the provided patches and security measures immediately.
  3. Monitor Updates: Companies should monitor for any updates related to the Intel CPU vulnerability named Downfall, especially for Siemens' SIMATIC industrial PCs.

Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws

Analysis: Microsoft's September 2023 Patch Tuesday addressed 59 vulnerabilities, including two zero-day flaws that are being actively exploited. Among these vulnerabilities, 24 were classified as Remote Code Execution (RCE) vulnerabilities, but only five of these were deemed 'Critical'. These critical vulnerabilities include four remote code execution flaws and an elevation of privilege vulnerability in the Azure Kubernetes Service. The two zero-days actively exploited were identified as CVE-2023-36802 and CVE-2023-36761. The former is an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy, allowing attackers to achieve SYSTEM privileges. The latter is an information disclosure vulnerability in Microsoft Word, which could let attackers steal NTLM hashes, potentially leading to NTLM Relay attacks for account access.

In addition to Microsoft's patches, other technology companies rolled out security updates during September 2023. Apple addressed a new zero-day exploit chain called BLASTPASS, which had been used in attacks to install the Pegasus spyware. Atlas VPN patched a zero-day in their Linux client that could disclose a user's true IP address. Asus resolved three critical remote code execution bugs in their routers, and Cisco issued security updates, warning of a zero-day in their ASA devices. Google, MSI, Notepad++, SAP, and VMware also released updates addressing various vulnerabilities.

The complete list of vulnerabilities resolved in Microsoft's September 2023 Patch Tuesday spans a variety of products, including Visual Studio, .NET, 3D Builder, Azure DevOps, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Office Suite, Windows components, and more. These vulnerabilities range from remote code execution, elevation of privilege, and information disclosure to denial of service and security feature bypass issues. Users and organizations utilizing these products should prioritize installing these patches to safeguard their systems against potential threats.  

Access Point recommends the following:

  1. Prioritize Microsoft Updates: Access Point Technology recommends that organizations and individual users prioritize updating all Microsoft products, especially those with identified vulnerabilities. This proactive approach helps safeguard systems from potential threats.
  2. Focus on Critical Vulnerabilities: Special attention should be given to addressing critical vulnerabilities and the two actively exploited zero-days (CVE-2023-36802 and CVE-2023-36761). Swiftly applying patches for these vulnerabilities is crucial for maintaining security.
  3. Apply Vendor Patches: In addition to Microsoft updates, it's essential to apply patches from other technology vendors, including Apple, Atlas VPN, Asus, Cisco, Google, MSI, Notepad++, SAP, and VMware. Ensuring that all software is up to date across various vendors helps mitigate security risks.
  4. Stay Informed: Regularly reviewing and staying updated on security advisories is essential. This proactive approach ensures that systems remain protected against newly identified threats. Stay informed about potential vulnerabilities and recommended actions to address them.

Adobe Fixed Actively Exploited Zero-Day in Acrobat and Reader

Analysis: Adobe has recently highlighted a critical security vulnerability in its Acrobat and Reader software, which attackers are actively exploiting. In the company's Patch Tuesday security updates, designated as APSB23-34, they addressed this zero-day vulnerability that impacts both the Acrobat and Reader products. The flaw is recognized under the identifier CVE-2023-26369. This particular vulnerability is an out-of-bounds write memory safety issue, which if successfully exploited, allows attackers to run any code of their choice on systems with vulnerable installations.

The company's security advisory indicates that this update is crucial, as successful exploitation might result in arbitrary code execution. Furthermore, Adobe has verified that the vulnerability, CVE-2023-26369, is currently being exploited in the wild, targeting both Acrobat and Reader.

Affected products and their respective versions include Acrobat DC and Acrobat Reader DC on the Continuous track, both of which are vulnerable in versions 23.003.20284 and earlier for both Windows and macOS. On the Classic 2020 track, Acrobat 2020 and Acrobat Reader 2020 are affected in versions 20.005.30516 (macOS) and 20.005.30514 (Windows) and earlier on both platforms.

Access Point recommends the following:

  1. Immediate Version Review: Access Point Technology recommends that organizations and individual users running Adobe Acrobat and Reader urgently review their installed versions.
  2. Update Specific Versions: If they are using Acrobat DC, Acrobat Reader DC (versions 23.003.20284 and earlier), Acrobat 2020, or Acrobat Reader 2020 (versions 20.005.30516 for macOS and 20.005.30514 for Windows or earlier versions) on either Windows or macOS platforms, they should immediately update to the latest versions provided by Adobe.
  3. Protection from CVE-2023-26369: This action will protect them from the critical vulnerability CVE-2023-26369, which is actively being exploited. This vulnerability has the potential to lead to arbitrary code execution on compromised systems.
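The Apple, Chrome and Adobe items above each give a version threshold, but phrase it differently: Apple and Google name the fixed version, Adobe names the last vulnerable one, and Apple's fixes are per branch (iOS 15.7.9 is patched although it is below 16.6.1). The following fleet check is an added example, not code from Access Point or any of the vendors; it encodes those thresholds as stated above, and the inventory rows, hostnames and the Acrobat build 20.005.30524 are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    product: str
    platform: str  # "*" matches any platform
    kind: str      # "fixed_in": patched if v >= version; "vulnerable_through": patched if v > version
    version: str

# Thresholds as stated in the advisories above. Each applies only to its own
# major-version branch, so a device on an unlisted branch is never assumed safe.
RULES = [
    Rule("iOS", "*", "fixed_in", "16.6.1"),
    Rule("iOS", "*", "fixed_in", "15.7.9"),
    Rule("iPadOS", "*", "fixed_in", "16.6.1"),
    Rule("iPadOS", "*", "fixed_in", "15.7.9"),
    Rule("watchOS", "*", "fixed_in", "9.6.2"),
    Rule("macOS", "*", "fixed_in", "12.6.9"),   # Monterey
    Rule("macOS", "*", "fixed_in", "11.7.10"),  # Big Sur
    Rule("Chrome", "*", "fixed_in", "116.0.5845.187"),
    Rule("Acrobat DC", "*", "vulnerable_through", "23.003.20284"),
    Rule("Acrobat 2020", "macOS", "vulnerable_through", "20.005.30516"),
    Rule("Acrobat 2020", "Windows", "vulnerable_through", "20.005.30514"),
]

def parse_version(v: str) -> tuple:
    # Numeric, component-wise comparison ("23.003.20284" -> (23, 3, 20284)).
    return tuple(int(part) for part in v.split("."))

def status(product: str, platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed version."""
    installed = parse_version(version)
    rules = [r for r in RULES if r.product == product
             and r.platform in ("*", platform)
             and parse_version(r.version)[0] == installed[0]]
    if not rules:
        # No threshold for this branch (e.g. iOS 14, or a macOS release the
        # advisory did not list): report it rather than assume it is safe.
        return "unknown"
    threshold = parse_version(rules[0].version)
    if rules[0].kind == "fixed_in":
        return "patched" if installed >= threshold else "vulnerable"
    return "patched" if installed > threshold else "vulnerable"

# Constructed inventory rows: (host, product, platform, version). The Acrobat
# build 20.005.30524 is a placeholder for "anything newer than the threshold".
INVENTORY = [
    ("laptop-01", "macOS", "macOS", "12.6.8"),
    ("phone-07", "iOS", "iPhone", "15.7.9"),
    ("phone-12", "iOS", "iPhone", "16.6.1"),
    ("phone-19", "iOS", "iPhone", "14.8.1"),
    ("ws-03", "Chrome", "Windows", "116.0.5845.188"),
    ("ws-03", "Acrobat DC", "Windows", "23.003.20284"),
    ("ws-09", "Acrobat 2020", "macOS", "20.005.30516"),
    ("ws-11", "Acrobat 2020", "Windows", "20.005.30524"),
]

def audit(inventory) -> list:
    """(host, product, status) for every row, so the vulnerable ones can be actioned."""
    return [(h, p, status(p, plat, v)) for h, p, plat, v in inventory]
```

The "unknown" result is deliberate: Apple ships separate fixes per supported branch, so a newer major version is not evidence that a device carries a given fix.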

Sources

https://www.bleepingcomputer.com/news/security/ragnar-locker-claims-attack-on-israels-mayanei-hayeshua-hospital/

https://www.bleepingcomputer.com/news/security/johnson-and-johnson-discloses-ibm-data-breach-impacting-patients/

https://thehackernews.com/2023/09/outlook-breach-microsoft-reveals-how.html

https://thehackernews.com/2023/09/mac-users-beware-malvertising-campaign.html

https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html

https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html

https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html

https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/

https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-secure-iphones-against-spyware-attacks/

https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html

https://thehackernews.com/2023/09/critical-github-vulnerability-exposes.html

https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zero-day-fix-to-older-iphones/

https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/

https://www.securityweek.com/ics-patch-tuesday-critical-codemeter-vulnerability-impacts-several-siemens-products/

https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2023-patch-tuesday-fixes-2-zero-days-59-flaws/
