Craig Pepper
October 23, 2023
4 Min

Threat Report 23.10.23

Malvertisers Exploit Google Ads for Software-Related Searches

Details have surfaced of a sophisticated malvertising campaign that uses Google Ads to redirect users searching for popular software to deceptive landing pages. The campaign, identified by Malwarebytes, is notable for fingerprinting visitors before it serves anything and for making each download unique and time-limited.

The ads target users searching for Notepad++ and for PDF converters, appearing as sponsored results on Google search. A click lands first on a decoy site that filters out bots, crawlers and IP addresses the operators are not interested in. Visitors who pass this filter are redirected to a replica of the vendor's download page, which fingerprints the system while the page is displayed.

Visitors who fail the fingerprint check are sent on to the legitimate Notepad++ website. Those the operators want are assigned a unique ID that tracks them and ties each download to that visitor for a limited time, a property that also frustrates retrieval of the sample by researchers after the fact. The final-stage payload, an HTML Application (HTA) file, connects to a remote domain (mybigeye[.]icu) and retrieves follow-on malware.

Jérôme Segura, Malwarebytes' Director of Threat Intelligence, notes that the threat actors are effectively evading ad verification checks, enabling them to target specific victim profiles. A similar campaign aimed at users of the KeePass password manager used a Punycode-encoded internationalised domain name that renders as a near-identical look-alike of the legitimate domain, underscoring the increasing sophistication of malvertising delivered through search engines.
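The Punycode trick is straightforward to check for programmatically. The Python below is an added example, not code from Malwarebytes or from the report: it decodes xn-- labels, collapses the Unicode form to the ASCII string a reader would see (NFKD with combining marks stripped, plus a small confusables table), and compares that skeleton against a list of protected domains. The protected-domain list, the confusables table and the sample hostnames are constructed for the example; the first sample is a look-alike of keepass.info built from a Latin k with cedilla, the second uses a Cyrillic o.

```python
import unicodedata

# Domains this check protects. Constructed list for the example; a deployment would
# load it from the organisation's own allow-list of software vendors.
PROTECTED_DOMAINS = {"keepass.info", "notepad-plus-plus.org"}

# Letters from other scripts that render like Latin ones but do not decompose under
# NFKD. Partial table, an assumption for this example; Unicode TR39 has the full list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
}


def decode_idn(hostname: str) -> str:
    """Return the Unicode form of a hostname, decoding any xn-- (Punycode) labels.

    Labels that fail to decode are kept verbatim so the analyst still sees them."""
    labels = []
    for label in hostname.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except ValueError:  # UnicodeError is a ValueError: malformed Punycode
                pass
        labels.append(label)
    return ".".join(labels)


def skeleton(hostname: str) -> str:
    """Collapse a Unicode hostname to the ASCII string a human would read it as:
    strip combining marks (NFKD) and map known confusables to Latin letters."""
    chars = []
    for ch in unicodedata.normalize("NFKD", hostname):
        if unicodedata.combining(ch):
            continue
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)


def assess_hostname(hostname: str) -> dict:
    """Decide whether a hostname is a Unicode look-alike of a protected domain.

    A look-alike has a different Unicode form from the real domain but collapses
    to it under skeleton(); the genuine ASCII domain collapses to itself."""
    decoded = decode_idn(hostname)
    ascii_form = skeleton(decoded)
    is_lookalike = decoded != ascii_form and ascii_form in PROTECTED_DOMAINS
    return {
        "input": hostname,
        "decoded": decoded,
        "skeleton": ascii_form,
        "impersonates": ascii_form if is_lookalike else None,
        "lookalike": is_lookalike,
    }


if __name__ == "__main__":
    # Constructed samples: a Punycode look-alike of keepass.info (Latin k with cedilla),
    # a Cyrillic-o look-alike of notepad-plus-plus.org, and the genuine domain.
    for host in ("xn--eepass-vbb.info", "n\u043etepad-plus-plus.org", "keepass.info"):
        print(assess_hostname(host))
```

The skeleton comparison is deliberately one-directional: the genuine domain must collapse to itself, so an allow-listed ASCII name never triggers, while any label that only looks like it does. A deployment would feed DNS or proxy logs through `assess_hostname()` and alert on `lookalike`.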

Risk and Recommendations

Risk

This campaign is a significant threat because it evades ad verification checks and selects victims by profile. Users searching for popular software are sent to convincing replica sites and may install a malicious payload believing it to be the software they searched for. Punycode look-alike domains make the impersonation harder to spot in the address bar and raise the likelihood that the download is trusted and run.

Recommendations:
  • Source Software Directly: Obtain installers from the vendor's own site, a bookmark, or the organisation's software catalogue rather than from a sponsored search result; sponsored results carry a "Sponsored" label that distinguishes them from organic results.
  • Restrict HTA Execution: The final payload is an HTA file, which runs through mshta.exe. Block or restrict mshta.exe with application control (AppLocker or WDAC) on endpoints that have no business need for it, and change the default handler for .hta files to a text editor.
  • Make Look-Alike Domains Visible: Where the organisation does not use internationalised domain names, configure browsers to display them in their Punycode (xn--) form (in Firefox, the network.IDN_show_punycode preference), and add URL-filtering rules that block newly registered domains and known lure domains.
  • Hunt and Monitor: Search DNS, proxy and EDR telemetry for connections to mybigeye[.]icu, and for mshta.exe making outbound connections or spawning child processes shortly after a browser download.
  • User Awareness: Tell users that search ads can impersonate software vendors and that a download page reached from an ad should be treated with suspicion, especially if the address contains unusual characters.

Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor

Cisco has warned of a second zero-day flaw in IOS XE, actively exploited by an as-yet unidentified threat actor to deploy a Lua-based implant on vulnerable devices. Tracked as CVE-2023-20273, it is a privilege escalation vulnerability in the web UI feature and forms the second half of an exploit chain that begins with CVE-2023-20198.

The attacker first exploited CVE-2023-20198 to gain initial access and to create a local user and password combination with privilege level 15, the highest on IOS XE. Logging in with that account, the attacker then exploited CVE-2023-20273 to escalate to root and write the Lua-based implant to the file system.

Cisco has released fixes covering both vulnerabilities, with the first fixed software available from October 22, 2023. Until a fixed release is installed, Cisco recommends disabling the HTTP Server feature on all internet-facing systems, or restricting access to it to trusted source addresses. Successful exploitation gives an attacker complete control of the device, a serious risk for the routers and switches that run IOS XE.

At the time of writing, internet-wide scans have found more than 36,000 Cisco devices running vulnerable IOS XE software that carry the implant, which underlines the urgency of applying the fixes.
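The compromise-assessment side of this can be partly automated. The Python below is an added example, not Cisco's tooling or code from the report: it scans syslog for the two messages Cisco Talos pointed to (web UI configuration changes by the process SEP_webui_wsma_http, and web UI install operations, both by unrecognised users), flags the account names the attacker was seen creating, lists privilege-15 users absent from a baseline, and interprets the reply to Talos's implant check (a POST to /webui/logoutconfirm.html?logon_hash=1 on the device, where a hexadecimal string in the response means the implant answered). The syslog lines, the running-config excerpt and the baseline user list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Account names Cisco Talos reported the attacker creating via CVE-2023-20198.
ATTACKER_ACCOUNTS = {"cisco_tac_admin", "cisco_support"}

# Local accounts the operator expects to exist. Constructed for this example;
# populate it from your own configuration baseline.
EXPECTED_USERS = {"netops", "admin"}

# Syslog messages Cisco Talos highlighted: web UI driven config changes and file
# installs. The username is captured so unknown accounts can be flagged.
CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<process>\S+) "
    r"from console as (?P<user>\S+) on line"
)
INSTALL_OP = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)"
)
# "username <name> privilege 15 ..." lines from "show running-config".
PRIV15_USER = re.compile(r"^username (?P<user>\S+) privilege 15\b", re.MULTILINE)
HEX_STRING = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class Finding:
    line_no: int
    reason: str
    user: str
    raw: str


def triage_syslog(lines):
    """Return a Finding for every syslog line that matches a Talos indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CONFIG_P.search(line)
        if m:
            if m.group("process") == "SEP_webui_wsma_http" and m.group("user") not in EXPECTED_USERS:
                findings.append(Finding(n, "web UI config change by unrecognised user", m.group("user"), line))
            continue
        m = INSTALL_OP.search(line)
        if m:
            user = m.group("user").strip()
            if user not in EXPECTED_USERS:
                findings.append(Finding(n, f"web UI install operation {m.group('op')} {m.group('file')} by unrecognised user", user, line))
            continue
        for name in ATTACKER_ACCOUNTS:  # e.g. a LOGIN_SUCCESS for the attacker's account
            if name in line:
                findings.append(Finding(n, "known attacker account name", name, line))
                break
    return findings


def unexpected_privilege15_users(running_config: str):
    """List privilege-15 local users that are not in the operator's baseline."""
    return sorted({m.group("user") for m in PRIV15_USER.finditer(running_config)} - EXPECTED_USERS)


def implant_check_positive(body: str) -> bool:
    """Interpret the body returned by POST /webui/logoutconfirm.html?logon_hash=1.

    Cisco Talos: a hexadecimal string means the implant answered. Cisco later
    reported a variant that demands an Authorization header before responding,
    so a negative result does not clear the device."""
    return bool(HEX_STRING.match(body.strip()))


# Constructed sample syslog and running-config excerpts for the demo.
SAMPLE_SYSLOG = [
    "Oct 17 2023 09:12:01.231: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.1.1.5)",
    "Oct 17 2023 09:14:30.777: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 203.0.113.7] [localport: 443]",
    "Oct 17 2023 09:14:44.108: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as cisco_tac_admin on line 0",
    "Oct 17 2023 09:15:02.550: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_support, Install Operation: ADD /usr/binos/conf/nginx-conf/cisco_service.conf",
    "Oct 17 2023 10:02:13.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up",
]
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$example
username cisco_tac_admin privilege 15 secret 9 $9$example
ip http server
ip http secure-server
"""

if __name__ == "__main__":
    for f in triage_syslog(SAMPLE_SYSLOG):
        print(f"line {f.line_no}: {f.reason} ({f.user})")
    print("unexpected privilege-15 users:", unexpected_privilege15_users(SAMPLE_RUNNING_CONFIG))
```

The interim mitigation from Cisco's advisory is `no ip http server` and `no ip http secure-server` in global configuration, followed by saving the configuration so the change persists across a reload; where the web UI must stay up, restrict it to management addresses with an access list instead. Cisco also noted that a reboot removes the implant but not the accounts the attacker created, so `unexpected_privilege15_users()` is the check that still matters on a device that has been reloaded.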

Risk and Recommendations

Risk

The vulnerabilities present a critical risk: an unidentified actor is actively chaining CVE-2023-20198 and CVE-2023-20273 to reach the web UI without authentication, create a privilege-15 account, escalate to root and install a Lua-based backdoor. The number of implanted devices shows that exploitation has been broad rather than narrowly targeted.

Recommendations:

  • Immediate Patching: Upgrade to a fixed IOS XE release as listed in Cisco's advisory for CVE-2023-20198 and CVE-2023-20273. Patching closes the vulnerabilities but does not remove an implant or an attacker-created account that is already present, so treat patching and compromise assessment as separate tasks.
  • Disable or Restrict the HTTP Server: Until the fix is installed, disable the HTTP Server feature (both the HTTP and HTTPS listeners) on internet-facing devices, or restrict it with an access list to management addresses, and save the configuration so the change survives a reload.
  • Compromise Assessment: Cisco has noted that a reboot removes the implant but not the local accounts the attacker created. Review the running configuration for unknown privilege-15 users such as cisco_tac_admin and cisco_support, check syslog for web UI configuration changes and install operations by unrecognised users, and run Cisco's published implant check against each device.
  • Network Monitoring: Watch for logins to the web UI from unexpected sources, configuration changes outside change windows, and unusual outbound traffic from management interfaces.
  • Stakeholder Communication: Give network and security teams the timeline and the list of fixed releases, and make sure device owners know that interim mitigations are not a substitute for the upgrade.
  • Review Access Controls: Remove unknown accounts, rotate credentials on legitimate ones (the attacker had root on compromised devices), limit the web UI to a management network, and consider rebuilding any device on which the implant was found.

Okta's Support System Breach Exposes Customer Data to Unidentified Threat Actors

Okta, the identity services provider, has disclosed a security incident in which a threat actor used stolen credentials to access its support case management system. The access allowed the actor to view files that certain Okta customers had uploaded as part of recent support cases. The support system is separate from the production Okta service, but the incident is still serious because of what those files can contain.

The files of concern are HTTP Archive (HAR) files, browser recordings of web traffic that Okta support asks customers to upload when troubleshooting. Unless sanitised before upload, a HAR file captures every request and response in full, including cookies, session tokens and bearer tokens, which an attacker can replay to impersonate the user who recorded it.

Okta worked with the affected customers to revoke the session tokens embedded in the exposed files. The activity has been characterised as a sophisticated, targeted attack; customers who publicly confirmed they were targeted include BeyondTrust and Cloudflare, both of which detected the attempted reuse of a token from their own HAR uploads and reported no impact to their customers.
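What a HAR file carries, and how to strip it before it reaches a support portal, is shown by the following Python sanitiser. It is an added example, not Okta's tooling or code from the report: it collects every secret literal the file exposes (cookie values, Authorization headers, session-token parameters), redacts sensitive name/value pairs outright, replaces the collected literals and any JWT-shaped string wherever they recur (URLs, bodies, response content), and re-scans the result before upload. The header and parameter name lists are a partial starting set, and the HAR document is a constructed sample with made-up values.

```python
import json
import re
import sys
from copy import deepcopy
from urllib.parse import parse_qsl, urlsplit

# Header and parameter names whose values are credentials or session material.
# Assumption for this example: extend with any names your own applications use.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-okta-xsrftoken"}
SENSITIVE_PARAMS = {"sessiontoken", "token", "access_token", "id_token", "refresh_token", "code", "sid"}
REDACTED = "[REDACTED]"
MIN_SECRET_LEN = 8  # shorter literals (e.g. "/" from Path=/) are not worth global replacement
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _cookie_values(header_value: str):
    """Values from 'a=1; b=2' style Cookie / Set-Cookie headers."""
    return [part.split("=", 1)[1].strip() for part in header_value.split(";") if "=" in part]


def collect_secrets(har: dict) -> set:
    """Gather every secret literal in the HAR so it can be redacted wherever it
    recurs, including inside JSON bodies where it carries no recognisable name."""
    secrets = set()
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request") or {}
        for k, v in parse_qsl(urlsplit(req.get("url", "")).query, keep_blank_values=True):
            if k.lower() in SENSITIVE_PARAMS:
                secrets.add(v)
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for h in msg.get("headers", []):
                name, value = str(h.get("name", "")).lower(), str(h.get("value", ""))
                if name in ("cookie", "set-cookie"):
                    secrets.update(_cookie_values(value))
                elif name in SENSITIVE_HEADERS:
                    secrets.add(value.split(" ", 1)[-1])  # drop the scheme, e.g. "Bearer"
            for c in msg.get("cookies", []):
                secrets.add(str(c.get("value", "")))
            params = msg.get("queryString", []) + (msg.get("postData") or {}).get("params", [])
            for p in params:
                if str(p.get("name", "")).lower() in SENSITIVE_PARAMS:
                    secrets.add(str(p.get("value", "")))
    return {s for s in secrets if len(s) >= MIN_SECRET_LEN}


def _redact_text(text: str, secrets: set) -> str:
    for s in sorted(secrets, key=len, reverse=True):  # longest first, so no fragments survive
        text = text.replace(s, REDACTED)
    return JWT_RE.sub(REDACTED, text)


def _walk(obj, secrets: set):
    """Redact in place: sensitive name/value pairs outright, and every string field
    by literal and by JWT pattern (covers URLs, POST bodies and response content)."""
    if isinstance(obj, dict):
        if str(obj.get("name", "")).lower() in SENSITIVE_HEADERS | SENSITIVE_PARAMS and "value" in obj:
            obj["value"] = REDACTED
        for k, v in obj.items():
            if isinstance(v, str):
                obj[k] = _redact_text(v, secrets)
            else:
                _walk(v, secrets)
    elif isinstance(obj, list):
        for item in obj:
            _walk(item, secrets)


def sanitize_har(har: dict) -> dict:
    """Return a redacted copy of a HAR document; the input is left untouched."""
    clean = deepcopy(har)
    _walk(clean, collect_secrets(clean))
    return clean


def residual_secrets(har: dict, secrets: set) -> list:
    """Post-check before upload: any known secret or JWT still present anywhere."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob] + JWT_RE.findall(blob)


# Constructed sample: one Okta API call captured with a session cookie, an API token
# and a JWT in the response body. All values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed-sample", "version": "0"}, "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/sessions/me?sessionToken=20111abcDEFghij",
        "headers": [{"name": "Cookie", "value": "sid=102xyzSessionCookieValue; DT=abc"},
                    {"name": "Authorization", "value": "SSWS 00ApiTokenValueXYZ"},
                    {"name": "User-Agent", "value": "Mozilla/5.0"}],
        "cookies": [{"name": "sid", "value": "102xyzSessionCookieValue"}],
        "queryString": [{"name": "sessionToken", "value": "20111abcDEFghij"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102newSidValue; Path=/; Secure; HttpOnly"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id":"102newSidValue","idToken":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"}'}}}]}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    clean = sanitize_har(har)
    print(json.dumps(clean, indent=2))
    print("residual:", residual_secrets(clean, collect_secrets(har)), file=sys.stderr)
```

Run it as `python har_sanitize.py capture.har > capture.clean.har` (file names assumed); the residual check on stderr prints an empty list when nothing known is left. Pattern-based redaction cannot recognise a secret it has never seen named, so a human read-through of the cleaned file is still required before it leaves the organisation.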

Risk and Recommendations

Risk

The breach gave the threat actor a path from one set of stolen Okta support credentials to live session tokens belonging to Okta's customers. Because a HAR file holds the raw cookies and tokens of whoever recorded it, often an Okta administrator, an attacker can replay them to act as that administrator until the session is revoked. That BeyondTrust and Cloudflare, both security-mature organisations, were among the targets shows that victims were chosen deliberately.

Recommendations:

  • Sanitise Before Uploading: Strip cookies, Authorization headers, session tokens and other credentials from any HAR file before it leaves the organisation, and review the file by hand; Okta itself advises sanitising HAR files before sharing them with support.
  • Revoke and Rotate: Treat every session recorded in a HAR file uploaded to Okta support during the affected window as exposed. Clear administrator sessions, rotate any API tokens that appear in the capture, and have the affected administrators re-authenticate.
  • Hunt in the Okta System Log: Review events since the affected upload, in particular administrator sessions reused from an unfamiliar IP address or network, and any newly created or modified users, applications, authentication policies or admin role assignments. Okta and the affected customers have published indicators for this incident; search for them.
  • Harden Administrator Sessions: Require phishing-resistant MFA for administrators, shorten administrator session lifetimes, and enable Okta's binding of admin sessions to the originating network (ASN) so a token replayed from elsewhere fails.
  • Track Vendor Communications: Follow Okta's incident updates, confirm with Okta whether your organisation's support cases were among those accessed, and make sure the staff who open support cases understand what a HAR file contains.
