Commit 10_17_2023: The scourge of untrustworthy browser updates

Denny Müller / Unsplash

Welcome to Commit 10_17_2023! README senior editor Nathaniel Mott here with the top infosec news.

Proofpoint: Threat actors turn to fake browser updates

Aside from “use a password manager,” perhaps the most oft-repeated security-related advice is to make sure you keep the software you rely on updated. Proofpoint said today it’s “currently tracking at least four distinct threat clusters” taking advantage of this maxim to deliver malware via fake browser update notifications that appear when people visit seemingly trustworthy websites.

“The fake browser update lures are effective because threat actors are using an end-user's security training against them,” Proofpoint said. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly [overwrite the existing website] with a browser update lure.”

VulnCheck: Cisco IOS XE vulns see mass exploitation

The cat’s out of the bag: VulnCheck said a vulnerability in Cisco IOS XE that was revealed on Oct. 16—which according to Cisco “allows a remote, unauthenticated attacker to create an account on an affected system,” then “use that account to gain control of the affected system”—already “appears to have been widely exploited to install implants” on systems running the networking-focused operating system.

“Cisco buried the lede by not mentioning thousands of internet-facing IOS XE systems have been implanted,” VulnCheck said, adding that compromising a system running IOS XE “likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.” Now’s a good time to make sure these systems can’t be accessed from the public internet.

The Record: Ampersand gets ransomwared

We interrupt your regularly scheduled broadcast to inform you that Ampersand, which The Record said “provides viewership data to advertisers about 85 million households and has existed since 1981,” has been hit by a ransomware attack. (Though a company spokesperson declined to tell the outlet how it plans to respond to the incident, if it’s negotiating with the attackers or if any of its data was compromised.)

Black Basta has reportedly taken credit for the attack. BlackBerry described the group as a “ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world, racking up 19 prominent enterprise victims and more than 100 confirmed victims in its first few months of operation.”

Trellix: How hackers are abusing Discord

As someone who’s been using Discord since 2017, it’s weird to consider the platform in a professional capacity, despite the Discord Leaks saga from earlier this year. Yet here I am, thanks to Trellix reporting on Oct. 16 that it found one malware sample “targeting Ukrainian critical infrastructures” via a malicious OneNote file that kicks off a sequence of multiple VBScript and PowerShell scripts that culminate in a final script that uses Discord to exfiltrate data gathered from compromised systems.

“The usage of Discord to evade detection was already a thing, but the fact that APT actors have started to use it is a new reality that security researchers must take on” Trellix said. “To ensure proper detection of these nefarious activities and protect systems, Discord communications should be monitored and controlled, blocking them if necessary.” (Which, I mean, yeah? I suspect a vanishingly small number of organizations need to afford their employees unfettered access to Discord in the first place.)

TechCrunch: Amazon rolls out limited passkeys support

Amazon’s rolling out passkeys support… kind of. TechCrunch reported that the company will now allow users to sign in to its website using passkeys—the first “password killer” that’s actually catching on, thanks to buy-in from Apple, Google, Microsoft and other tech juggernauts—but with some limitations. Amazon’s native apps don’t support passkeys, for example, which limits the utility of this feature.

Still, this is the latest sign that passkeys are going to be A Thing, and I suspect Amazon’s implementation will improve over time. Maybe in another decade a combination of passkeys and other authentication mechanisms will make password-based systems obsolete. (Although I’m sure companies will still find ways to incorporate hard-coded credentials into their products for threat actors to exploit.)