Details have surfaced regarding a sophisticated malvertising campaign utilising Google Ads to redirect users searching for popular software to deceptive landing pages. This campaign, identified by Malwarebytes, is notable for its unique approach to fingerprinting users and distributing time-sensitive payloads.
The attack specifically targets users seeking Notepad++ and PDF converters, presenting fake ads on Google search results. If a user clicks on these ads, a decoy site filters out bots and unintended IP addresses. If the user is of interest, they are redirected to a replica website advertising the software while discreetly fingerprinting the system.
Those failing the check are directed to the legitimate Notepad++ website, while potential targets receive a unique ID for tracking purposes and to make each download unique and time-sensitive. The final-stage malware, an HTA payload, establishes a connection to a remote domain ("mybigeye[.]icu") and serves follow-on malware.
Jérôme Segura, Director of Threat Intelligence, notes that threat actors are effectively evading ad verification checks, enabling them to target specific victim profiles. The use of Punycode in a similar campaign targeting KeePass password manager users underscores the increasing sophistication of malvertising via search engines.
The malvertising campaign poses a significant threat by successfully evading ad verification checks and targeting specific user profiles. Users searching for popular software are redirected to deceptive sites, leading to the potential installation of malicious payloads. The use of Punycode further enhances the risk by impersonating legitimate sites and increasing the likelihood of malware installation.
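The Punycode angle mentioned above is something a defender can check for from the log side. The following example is added here and is not code from Malwarebytes or the article: it takes hostnames as they would appear in proxy or DNS logs, decodes any `xn--` labels with Python's built-in idna codec, and reports which labels mix scripts (the classic homoglyph pattern) versus which are merely non-ASCII. The sample hostnames are constructed for the example and are not the campaign's domains.

```python
from __future__ import annotations
import unicodedata

# Constructed sample hostnames, in the shape of a proxy or DNS log; none are the
# campaign's real domains. The look-alike is built at runtime from a Cyrillic 'а'
# so that its xn-- form comes from the idna codec rather than being typed by hand.
HOMOGLYPH_HOST = "\u0430pple.com".encode("idna").decode("ascii")  # Cyrillic а + "pple.com"
SAMPLE_HOSTS = [
    "notepad-plus-plus.org",    # plain ASCII: not reported
    HOMOGLYPH_HOST,             # xn-- label hiding a mixed-script look-alike
    "xn--bcher-kva.example",    # "bücher.example": legitimate IDN, still surfaced for review
    "login.example.net",
]


def decode_host(host: str) -> str:
    """Decode every Punycode (xn--) label of a hostname back to Unicode; other labels pass through."""
    return ".".join(
        label.encode("ascii").decode("idna") if label.lower().startswith("xn--") else label
        for label in host.split(".")
    )


def label_scripts(label: str) -> set[str]:
    """Scripts used by the letters of a label, taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def review_hosts(hosts: list[str]) -> list[dict]:
    """Report each hostname carrying an xn-- label, with its decoded form and a triage reason.

    Mixed scripts inside a single label (e.g. Cyrillic next to Latin) is the homoglyph pattern;
    a purely non-ASCII label may be a legitimate IDN but is still listed so an analyst sees it.
    """
    findings = []
    for host in hosts:
        if not any(l.lower().startswith("xn--") for l in host.split(".")):
            continue
        try:
            decoded = decode_host(host)
        except UnicodeError:
            findings.append({"host": host, "decoded": None, "reason": "undecodable punycode"})
            continue
        mixed = any(len(label_scripts(label)) > 1 for label in decoded.split("."))
        findings.append({
            "host": host,
            "decoded": decoded,
            "reason": "mixed-script label" if mixed else "non-ASCII hostname",
        })
    return findings


if __name__ == "__main__":
    for finding in review_hosts(SAMPLE_HOSTS):
        print(finding)
```

Run over the landing-page domains behind paid search results, or over a day of proxy logs, the `mixed-script label` findings are the ones worth an analyst's time; the `non-ASCII hostname` findings are mostly legitimate internationalised domains and are listed only so they are not silently skipped.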
Cisco has issued a warning regarding a new zero-day flaw in IOS XE, actively exploited by an unidentified threat actor to deploy a malicious Lua-based implant on vulnerable devices. Tracked as CVE-2023-20273, the flaw involves a privilege escalation issue in the web UI feature and is part of an exploit chain that includes CVE-2023-20198.
The attacker initially exploited CVE-2023-20198 to gain access, issuing a privilege 15 command to create a local user. This user was then used to log in with normal user access, allowing the attacker to elevate privileges to root and write the Lua-based implant to the file system (CVE-2023-20273).
Cisco has identified a fix covering both vulnerabilities, set to be available from October 22, 2023. In the interim, disabling the HTTP server feature is recommended. The successful exploitation of these vulnerabilities could grant attackers complete control over the affected system, posing significant risks to routers and switches.
As of the latest data, over 36,000 Cisco devices running the vulnerable IOS XE software have been compromised, emphasizing the urgency of applying the upcoming fixes.
The zero-day vulnerability in Cisco's IOS XE presents a critical risk, as an unknown threat actor actively exploits it to deploy a malicious Lua-based backdoor on vulnerable devices. The exploit chain, involving CVE-2023-20198 and CVE-2023-20273, enables unauthorized access, privilege escalation, and the potential compromise of affected systems. The large number of compromised devices emphasizes the widespread impact of this vulnerability.
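Cisco's interim advice above, disabling the HTTP server feature, can be verified across a fleet from saved configurations rather than device by device. The following example is added here and is not code from Cisco or the article: it reads the `ip http server`, `ip http secure-server` and `ip http access-class` lines as they appear in IOS XE `show running-config` output and reports whether the web UI is enabled and whether an access-class ACL restricts it. The three configuration excerpts are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed excerpts in the shape of `show running-config` output; they are
# illustrative and not taken from any real device or from the advisory.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr-02
!
no ip http server
no ip http secure-server
!
"""

RESTRICTED_CONFIG = """\
hostname edge-rtr-03
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
"""


def audit_web_ui(config: str) -> dict:
    """Report whether the IOS XE web UI (HTTP/HTTPS server) is enabled and whether an access-class restricts it.

    A line beginning with `no ` disables the feature. If neither form of a line is present the feature is
    treated as disabled here; on the device itself `show ip http server status` is the authoritative check.
    """
    lines = [line.strip() for line in config.splitlines()]
    hostname_match = next((re.match(r"^hostname\s+(\S+)", line) for line in lines if line.startswith("hostname ")), None)
    http = "ip http server" in lines
    https = "ip http secure-server" in lines
    access_class = any(re.match(r"^ip http access-class\b", line) for line in lines)

    if not http and not https:
        verdict = "web UI disabled"
    elif access_class:
        verdict = "web UI enabled, restricted by access-class"
    else:
        verdict = "web UI enabled and unrestricted: disable it or restrict it until patched"

    return {
        "hostname": hostname_match.group(1) if hostname_match else None,
        "http": http,
        "https": https,
        "access_class": access_class,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for cfg in (EXPOSED_CONFIG, HARDENED_CONFIG, RESTRICTED_CONFIG):
        result = audit_web_ui(cfg)
        print(f"{result['hostname']}: {result['verdict']}")
```

Pointing this at a directory of configuration backups gives a list of devices still exposing the web UI; the `unrestricted` verdict is the one to act on first, since the exploit chain described above needs to reach the web UI at all.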
Recommendations:
Okta, the identity services provider, has disclosed a security incident where threat actors exploited stolen credentials to access its support case management system. The breach allowed the threat actor to view files uploaded by certain Okta customers as part of recent support cases. While the support case management system is separate from the production Okta service, it raised concerns due to the potential exposure of sensitive data.
The support system breach involved the use of stolen credentials to access HTTP Archive (HAR) files uploaded by customers for troubleshooting purposes. HAR files may contain sensitive data, including cookies and session tokens, enabling malicious actors to impersonate valid users.
Okta has collaborated with affected customers to revoke embedded session tokens, preventing their misuse. The incident has been characterized as a sophisticated attack, with notable targets including BeyondTrust and Cloudflare.
The breach of Okta's support case management system poses a significant risk, allowing threat actors to leverage stolen credentials for unauthorized access. The exposure of uploaded HAR files containing sensitive data, including session tokens, increases the potential for malicious actors to impersonate valid users. The incident's sophistication and the targeting of high-profile entities like BeyondTrust and Cloudflare amplify the severity of the risk.
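HAR files capture the cookies and tokens of the browser session in which they were recorded, which is why the uploaded files mattered in this incident. The following example is added here and is not Okta's tooling or code from the article: it redacts credential-bearing headers and all cookie values from a HAR before it is shared with a support desk, and separately lists what would otherwise leave with the file. The HAR excerpt, hostnames and token values are constructed for the example.

```python
from __future__ import annotations
import copy
import json

# Constructed HAR excerpt (not from the incident): one request/response pair carrying a
# session cookie and a bearer token, as a browser's "Save all as HAR" export would record them.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://tenant.example.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Authorization", "value": "Bearer constructed-access-token"},
                        {"name": "Cookie", "value": "sid=constructed-session-id; idx=constructed-idx"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-session-id"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=constructed-new-session; Path=/; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "constructed-new-session"}],
                    "content": {"mimeType": "application/json", "text": "{\"id\":\"constructed-user-id\"}"},
                },
            }
        ],
    }
}

# Header names compared case-insensitively; extend with any product-specific token headers.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"


def _messages(har: dict):
    """Yield the request and response object of every entry in the HAR."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            yield entry.get(side, {})


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of the HAR with sensitive header values and all cookie values redacted.

    Everything else (URLs, timings, status codes, bodies) is left intact so the file stays useful
    for troubleshooting. Bodies are not scanned here; review them separately if they may echo tokens.
    """
    out = copy.deepcopy(har)
    for msg in _messages(out):
        for header in msg.get("headers", []):
            if header.get("name", "").lower() in SENSITIVE_HEADERS:
                header["value"] = REDACTED
        for cookie in msg.get("cookies", []):
            cookie["value"] = REDACTED
    return out


def leaked_secrets(har: dict) -> list[str]:
    """List every unredacted sensitive header or cookie value; an empty list means the HAR is safe to upload."""
    found = []
    for msg in _messages(har):
        found += [h["value"] for h in msg.get("headers", [])
                  if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED]
        found += [c["value"] for c in msg.get("cookies", []) if c.get("value") != REDACTED]
    return found


if __name__ == "__main__":
    print(f"secrets before: {len(leaked_secrets(SAMPLE_HAR))}")
    clean = sanitize_har(SAMPLE_HAR)
    print(f"secrets after:  {len(leaked_secrets(clean))}")
    print(json.dumps(clean, indent=2))
```

Running `leaked_secrets` on a file before it is attached to a support case is the cheap check; even after sanitising, the session whose cookies were captured should be treated as shared and signed out, which is the same remediation Okta applied by revoking the embedded tokens.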
Recommendations: