NokNok Backdoor

Summary: A new report by Proofpoint reveals that the Iranian-linked APT group known as Charming Kitten launched a campaign in May 2023 targeting macOS. The group was detected impersonating a fellow at the Royal United Services Institute (RUSI) and contacting a nuclear security expert at a US-based think tank. The email solicited a review of a project supposedly worked on by RUSI. Once the target agrees to the review, a Google Macro attachment redirects them to Dropbox, where a .rar file containing a .lnk file is downloaded. The files then launch PowerShell commands that give the threat actors access to the user’s device. This chain only works on Windows, however, so the group has created new malware specifically targeting macOS devices.

The new malware, named “NokNok”, is deployed when the initial Windows chain fails. A follow-up email carries instructions to download a password-protected ZIP file masquerading as a RUSI VPN solution. Once extracted, the ZIP launches a binary that in turn uses a curl command to download the NokNok malware from “library-store.camdvr[.]org”. Like the Windows malware, NokNok gives the attackers backdoor access to the user’s device.

Why it matters: macOS users are, in general, less targeted by malware. Its minority share of the market, combined with its different code base and its own chip architecture, makes it a less attractive target for malicious actors. macOS users are nonetheless still exposed to many threats. While “NokNok” itself is a different file built for a different architecture than the initial Windows malware sent by the group, the purpose of the file remains the same. No system is truly secure, since targeted attacks can bypass built-in security, and the latest Charming Kitten campaign shows this clearly. It is a reminder for macOS users to remain vigilant for both obvious malware and suspicious emails.

WormGPT, an Evil ChatGPT

Summary: A hacker has released an alternate version of the popular AI chatbot ChatGPT. The altered version, known as WormGPT, is designed without the safeguards of the regular ChatGPT and Google Bard AI and is available for €60 a month. Without those safeguards, criminals can use the malicious version of the software to help them carry out crimes such as phishing and business email compromise.

The new AI tool was publicly released in an underground hacker forum and can easily be accessed by different malicious actors. While these attackers work independently of each other, the underlying system of WormGPT is built on the GPT-J language model and its robust training data, allowing it to create convincing and realistic emails. These emails can even be written in the attacker’s native language and further enhanced using ChatGPT. The product combines malicious attack tools, artificial intelligence, and Phishing-as-a-Service, and it is another step in the arms race between defenders and attackers using these new, growing technologies.

Why it matters: Generative AI is one of the largest trends in today’s world and one of the main concerns in the security field. The large increase in usage of AI chatbots, popularized by ChatGPT and Google Bard, has helped to improve their development. To limit misuse, AI chatbots have been given safeguards that restrict their answers, but this has not stopped people from trying to bypass the safety rules. With the release of WormGPT, malicious actors will have an easier time planning and creating malicious attacks. More concerningly, the product democratizes malicious activity: it can generate complex and persuasive phishing and business email compromise lures, and do so faster, more realistically, and with more automation than before. Applying generative AI to malicious tools enables both the enhancement and the proliferation of attacks.

Google Analytics and GDPR in Sweden and the Wider European Union

Summary: The Swedish privacy regulator, the Swedish Authority for Privacy Protection, released a warning for companies that use Google Analytics because of US government surveillance. The warning came after an audit of four Swedish companies: CDON, Coop, Dagens Industri, and Tele2. Regulators say that the four companies violated the European Union’s General Data Protection Regulation (GDPR) by using Google Analytics to transfer data of EU residents to the United States. The concern is that EU citizens’ data transferred to servers based in the United States can be accessed for surveillance by US intelligence agencies.

Transfers of EU citizens’ personal data must follow certain standards and practices to ensure the data is protected. The former Privacy Shield data transfer framework between the EU and the US was ruled illegal in 2020. The change in data transfer standards comes on the heels of growing data protection laws and their enforcement. One of the clearest examples is Meta’s $1.3 billion fine from Ireland’s Data Protection Commission for moving data containing EU citizens’ information to the United States. EU law can severely affect business strategy, as shown by the unavailability of Meta’s Threads app in the European Union because it violates the GDPR and the Digital Markets Act.

Why it matters: Google Analytics is one of the most popular analytics tools on the market, and the GDPR is one of the most important laws governing data protection and privacy globally. As companies grow and reach global consumers, their operations come under several jurisdictions, particularly the European Union’s GDPR. The law regulates how data of EU citizens is handled everywhere in the world. Although the companies that violated the law are based in the European Union, the European Union is the second largest consumer market in the world, so companies serving international markets are likely to have EU consumers as well. While Google Analytics itself was not designed to violate the law, companies that use the product must ensure their own compliance. It serves as a reminder that companies collecting data with third-party products, even those outside the European Union, still need to remain compliant and follow ethical principles.

Threat Actors Exploiting NetScaler (Citrix) CVE-2023-3519

Summary: The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

For exploitation, the affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and auditing (AAA) virtual server. The web shell enables the actors to perform discovery on a victim’s Active Directory (AD) and to collect and exfiltrate AD data.

Why it matters: Citrix released security updates on July 18th to address the vulnerabilities detailed in CVE-2023-3519. Exploitation has been observed, and at least 15,000 appliances are vulnerable and need to be patched immediately. Once an appliance is compromised, these actors deploy a script that (when successful) removes any trace that they exfiltrated data outside of the affected organization. The threat actors also attempt to obtain encrypted passwords from NetScaler ADC configuration files when the decryption key is stored on the ADC appliance. A strong defense-in-depth program is necessary to thwart advanced threat actors such as these: in this case, firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked the lateral movement, which is ultimately how data loss was prevented.

Microsoft Hack Exposes More Than Just Government Emails

Summary: On July 11, Microsoft disclosed that a threat actor linked to the Chinese government (which Microsoft calls Storm-0558) had used an acquired Microsoft private signing key to forge authentication tokens that gave them access to Exchange Online Outlook email accounts at more than 25 organizations, including government agencies. In a blog post published Friday, Shir Tamari, head of research at Wiz, said further investigation revealed that the compromised key would have given the hacking group access to far more than Outlook, spanning many other Microsoft services that use the same authentication process.

Microsoft revealed on July 12th that the attackers had breached the Exchange Online and Azure Active Directory (AD) accounts of around two dozen organizations. The attack was achieved by exploiting a now-patched zero-day validation issue in the GetAccessTokenForResource API, allowing them to forge signed access tokens and impersonate accounts within the targeted organizations.

Wiz security researcher Shir Tamari said that the impact extended to all Azure AD applications operating with Microsoft’s OpenID v2.0. This was due to the stolen key’s ability to sign any OpenID v2.0 access token for personal accounts (e.g., Xbox, Skype) and multi-tenant AAD apps. Microsoft clarified that it only impacted those that accepted personal accounts and had the validation error.
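The class of flaw described above, as an added illustration (not Microsoft’s code and not a reproduction of the actual bug): a verifier that pools signing keys from the consumer and enterprise issuers accepts a token forged with the consumer key, while an issuer-bound key lookup rejects it. The issuer URLs, key ids and HMAC stand-in secrets are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed stand-in key sets, one per issuer (trust domain). Real identity
# providers publish asymmetric signing keys; HMAC secrets keep this offline.
CONSUMER_KEYS = {"msa-key-1": b"consumer-secret"}      # personal-account issuer
ENTERPRISE_KEYS = {"aad-key-7": b"enterprise-secret"}  # organisational issuer
KEYSETS = {"https://login.consumer.example": CONSUMER_KEYS,
           "https://login.enterprise.example": ENTERPRISE_KEYS}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, kid: str, secret: bytes) -> str:
    """Issue a compact header.payload.signature token (constructed JWS-like format)."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _check_sig(header: str, payload: str, sig: bytes, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def verify_lax(token: str, expected_aud: str) -> bool:
    """Vulnerable pattern: a key from ANY issuer is trusted as long as its kid is known."""
    header, payload, sig = token.split(".")
    hdr, claims = json.loads(_unb64(header)), json.loads(_unb64(payload))
    pool = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}   # keys pooled across trust domains
    secret = pool.get(hdr.get("kid"))
    if secret is None or claims.get("aud") != expected_aud:
        return False
    return _check_sig(header, payload, _unb64(sig), secret)

def verify_strict(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Hardened: issuer and audience are pinned, and the kid is looked up only in
    the key set belonging to that issuer, so a consumer key cannot sign for it."""
    header, payload, sig = token.split(".")
    hdr, claims = json.loads(_unb64(header)), json.loads(_unb64(payload))
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return False
    secret = KEYSETS[expected_iss].get(hdr.get("kid"))
    if secret is None:
        return False
    return _check_sig(header, payload, _unb64(sig), secret)
```

A production verifier would additionally check expiry and the algorithm, but the issuer-to-key binding is the control that the pooled lookup lacks.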

Why it matters: “Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access,” Wiz CTO and Cofounder Ami Luttwak also told BleepingComputer. “An attacker with an AAD signing key is the most powerful attacker you can imagine, because they can access almost any app – as any user. This is the ultimate cyber intelligence ‘shape shifter’ superpower.” In response to the breach, Microsoft revoked all valid MSA signing keys to ensure that the threat actors did not have access to other compromised keys. This measure also thwarted any attempts to generate new access tokens, and Microsoft relocated the newly generated access tokens to the key store used by the company’s enterprise systems.

Microsoft also recently stated that it still does not know how the Chinese hackers stole its consumer signing key. However, after pressure from CISA, it agreed to expand access to cloud logging data for free to help defenders detect similar breach attempts in the future. Before this, these logging capabilities were only available to Microsoft customers who paid for a Purview Audit (Premium) logging license, and Microsoft faced considerable criticism for impeding organizations from promptly detecting Storm-0558 activity.

Security Tip of the Month – CVSS v4.0

Summary: “Common Vulnerability Scoring System (CVSS) Version 4.0 provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity,” per FIRST’s definition. Essentially, CVSS assigns a common score to a discovered vulnerability to let people know, at a glance, how technically severe it is, and to give vendors a starting point for assessing the risk the vulnerability poses to their product.

Major changes from v3.1 to v4.0 include the introduction of additional supplemental metrics, an increased focus on the safety impact of a vulnerability, and increased clarity and granularity for many of the existing metrics and for the overall score.
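To make the new metric set concrete, here is an added example (not from FIRST or the page) that validates a CVSS v4.0 vector string against the base, threat, environmental and supplemental metric groups, including the new Safety supplemental metric (S) and the Safety value on the modified subsequent-system metrics, and reports the v4.0 nomenclature (CVSS-B, -BT, -BE, -BTE). It checks syntax only and does not compute a score.

```python
# Allowed values per metric, grouped as in the FIRST CVSS v4.0 specification.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML",
                 "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
                 "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
                 "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN"}  # S = Safety
SUPPLEMENTAL = {"S": ["X", "N", "P"], "AU": ["X", "N", "Y"], "R": ["X", "A", "U", "I"],
                "V": ["X", "D", "C"], "RE": ["X", "L", "M", "H"],
                "U": ["X", "Clear", "Green", "Amber", "Red"]}
ALLOWED = {k: list(v) for k, v in {**BASE, **THREAT, **ENVIRONMENTAL}.items()}
ALLOWED.update(SUPPLEMENTAL)
ORDER = list(ALLOWED)  # the spec fixes the order: base, threat, environmental, supplemental

def parse_cvss4(vector: str) -> dict:
    """Validate a CVSS v4.0 vector string; return its metrics and nomenclature.

    Omitted optional metrics default to X (Not Defined); malformed input raises ValueError.
    """
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not body:
        raise ValueError("vector must start with CVSS:4.0/")
    metrics, last_idx = {}, -1
    for item in body.split("/"):
        name, sep, value = item.partition(":")
        if not sep or name not in ALLOWED:
            raise ValueError(f"unknown or malformed metric {item!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if ORDER.index(name) < last_idx:
            raise ValueError(f"metric {name} out of order")
        if value not in ALLOWED[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name], last_idx = value, ORDER.index(name)
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing mandatory base metrics: {missing}")
    for name in ALLOWED:
        metrics.setdefault(name, "X")
    # Nomenclature (CVSS-B, -BT, -BE, -BTE) records which optional groups are defined.
    threat = metrics["E"] != "X"
    env = any(metrics[m] != "X" for m in ENVIRONMENTAL)
    metrics["nomenclature"] = "CVSS-B" + ("T" if threat else "") + ("E" if env else "")
    return metrics
```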

Why it matters: The current version, CVSS v3.0, has been operational for over a decade but has been criticized for its complexity and inflexibility. In response, FIRST has introduced CVSS v4.0, a significant revision that offers simpler, more flexible, and more accurate scoring. This version aims to address the previous limitations, providing a more realistic representation of risk and helping organizations prioritize vulnerabilities and allocate remediation resources more effectively. Security practitioners should stay informed about the latest developments in CVSS v4.0 and be prepared to adopt its new features and improvements, as this will be crucial to their continued success in identifying, assessing, and addressing new vulnerabilities in an ever-evolving threat landscape.