InfoSec MASHUP - Week 04/2024
Microsoft hacked again; HPE breached too; Apple Issues Patch for Critical Zero-Day in iPhones, Macs; Russian Hackers Suspected of Sweden Cyberattack; Pwn2Own delivers; Firefox and Chrome fix vulns;
➤ Breaches & Security Incidents
In other words, for around five months, 23andMe did not detect a series of cyberattacks where hackers were trying — and often succeeding — in brute-forcing access to customers’ accounts, according to a legally required filing 23andMe sent to California’s attorney general.
Months after the hackers started targeting 23andMe customers, the company revealed that hackers had stolen the ancestry and genetic data of 6.9 million users, or about half of its customers.
An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.
News of the Trello data leak came last week when a person using the alias 'emo' attempted to sell the data of 15,115,516 Trello members on a popular hacking forum.
"Contains emails, usernames, full names and other account info. 15,115,516 unique lines," reads the post on the hacking forum.
"Selling one copy to whoever wants it, message on me on-site or on telegram if you're interested."
Lending giant LoanDepot (NYSE: LDI) said Monday that roughly 16.6 million individuals were impacted as a result of a ransomware attack originally disclosed earlier this month.
In a Form 8-K filing with the Securities and Exchange Commission (SEC) on January 4th, the company said it “has determined that the unauthorized third party activity included access to certain company systems and the encryption of data.”
As part of its incident response, the company shut down certain systems and launched an investigation.
Russia-state hackers exploited a weak password to compromise Microsoft’s corporate network and accessed emails and documents that belonged to senior executives and employees working in security and legal teams, Microsoft said late Friday.
Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.
➤ Cybercrime, Cyber Espionage, APT’s
40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.
The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.
"Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses," DoJ said. "While active, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants."
In a filing with the U.S. Securities and Exchange Commission, the enterprise tech giant said it was notified on December 12 that Midnight Blizzard, also known as APT29 or Cozy Bear, had breached its cloud-based email environment.
HPE said an internal investigation has since determined that the Russia-backed hacking group “accessed and exfiltrated data” from a “small percentage” of HPE mailboxes starting in May 2023. HPE spokesperson Adam R. Bauer told TechCrunch that the “sophisticated” attackers “leveraged a compromised account to access internal HPE email boxes in our Office 365 email environment.”
Online services at some Swedish government agencies and shops have been disrupted in a ransomware attack believed to have been carried out by a Russian hacker group, IT consultancy Tietoevry said.
It said one of its data centers in Sweden was attacked overnight Friday to Saturday, knocking out online purchases at the country’s biggest cinema chain as well as some department stores and shops.
“Considering the nature of the incident and the number of customer-specific systems to be restored, the restoration process may extend over several days, even weeks,” Tietoevry said in a statement issued late Monday.
“120 government agencies and more than 60,000 employees” were affected by the attack, Statens Servicecenter spokeswoman Caroline Johansson Sjowall told AFP.
The intrusion, the company said in a Form 6-K filing with the US Securities and Exchange Commission, occurred on January 17.
“We have full control of all of our IT systems and to date, we have suffered no financial loss related to this incident,” the lessor told the SEC.
AerCap also noted that it had notified law enforcement immediately after identifying the attack and that its investigation into the incident has yet to determine if any data was compromised or exfiltrated.
The U.S. government sanctioned a Russian national for allegedly playing a “pivotal role” in the ransomware attack against Australian health insurance giant Medibank that exposed the sensitive information of almost 10 million patients.
Thirty-three-year-old Alexander Ermakov, who has also been sanctioned in Australia and the United Kingdom, stands accused of infiltrating Medibank’s network in October 2022 to steal personally identifiable information (PII) and sensitive health data linked to approximately 9.7 million customers.
The Securities and Exchange Commission confirmed Monday that a hack of the agency’s account on the social media site X earlier this month was done through an “apparent SIM swap attack” and that the account did not have multifactor authentication enabled.
According to a statement from the agency, an internal investigation following the Jan. 9 account hijacking determined that an unauthorized party had obtained control of a phone number associated with the SEC’s X account through the agency’s telecommunications carrier.
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been attributed to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021.
"UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities," Google-owned Mandiant said in a Friday report.
Conor Fitzpatrick, the creator and administrator of the BreachForums cybercrime website, was sentenced to 20 years of supervised release Friday.
A federal judge deemed that the first two years of the 20-year sentence will be served as home confinement, according to a sentencing document posted Friday. Fitzpatrick will have no access to the internet for the first year of his home confinement and must register with state sex offender registries.
➤ Government, Politics, and Privacy
The United States Secret Service is reestablishing a federal committee to advise the agency on cyber investigations, according to a notice on the Federal Register.
The Cyber Investigations Advisory Board aims to be an industry and expert advisory panel for the Secret Service, according to the notice, which is scheduled to be officially published on Friday.
In a blog post on Wednesday, Ring said it will sunset the “Request for Assistance” tool, which allows police departments and other public safety agencies to request and receive video captured by the doorbell cameras through Ring’s Neighbors app.
The company did not provide a reason for the change, which will be effective starting this week.
France’s data privacy watchdog, the CNIL, has fined Amazon’s logistics subsidiary in France €32 million, or $35 million at today’s exchange rate. The CNIL says that Amazon France Logistique has implemented a “surveillance system” that is “overly intrusive.”
France’s data protection watchdog said Thursday that it had fined Yahoo 10 million euros for not respecting users’ refusals of internet-tracking “cookies” or implying they would lose access to email accounts if they did.
The fine imposed in December, equivalent to $10.9 million, came after the CNIL authority received complaints and carried out investigations in October 2020 and June 2021.
➤ ICS & OT
➤ Malware & Threats
Victims download and execute the malware after following installation instructions to place it in the /Applications/ folder, assuming it is an activator for the cracked app they had downloaded.
This opens a bogus Activator window that asks for the administrator password.
With permission granted, the malware runs a 'tool' executable (Mach-O) via the 'AuthorizationExecuteWithPrivileges' function and then checks for Python 3 on the system, and installs it if not present, making the process appear like "app patching."
Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encoded SSH keys stolen from developer systems on which they were installed.
The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024.
The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said, describing VexTrio as the "single largest malicious traffic broker described in security literature."
A recently uncovered ransomware operation named 'Kasseika' has joined the club of threat actors that employs Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files.
Kasseika abuses the Martini driver (Martini.sys/viragt64.sys), part of TG Soft's VirtIT Agent System, to disable antivirus products protecting the targeted system.
Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.
The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.
The ZIP file contains within it a rogue Windows shortcut file ("Loader GAYve"), which acts as a conduit to deploy a malicious JAR file that first creates a folder called "NS-<11-digit_random_number>" to store the harvested data.
➤ Tech & Tools
Watchtower recommendations can include the option to import your SSH keys into 1Password for safekeeping. Once your SSH keys are imported, you can use the built-in SSH agent to securely create, organize, and use SSH keys wherever they are needed.
X, formerly Twitter, announced today that iOS users in the United States can now log into their accounts using passkeys.
The passkeys will be linked to the iOS device they're generated on and will significantly reduce the risk of breaches by providing protection against phishing attacks and blocking unauthorized access attempts.
They'll also enhance user experience and security by removing the need to memorize complex passwords.
➤ Vulnerabilities, Research, and Threat Intelligence
The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE).
Firefox 122 was released on January 23 with patches for all 15 security defects. Mozilla also pushed out Thunderbird 115.7 and Firefox ESR 115.7 with patches for nine of the bugs.
Mozilla makes no mention of any of these vulnerabilities being exploited in the wild. Additional information on the resolved issues can be found on the browser maker’s security advisories page.
The assessment, from the UK’s Government Communications Headquarters, predicted ransomware will be the biggest threat to get a boost from AI over the next two years. AI will lower barriers to entry, a change that will bring a surge of new entrants into the criminal enterprise. More experienced threat actors—such as nation-states, the commercial firms that serve them, and financially motivated crime groups—will likely also benefit, as AI allows them to identify vulnerabilities and bypass security defenses more efficiently.
“The emergent use of AI in cyber attacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term,” Lindy Cameron, CEO of the GCHQ’s National Cyber Security Centre, said. Cameron and other UK intelligence officials said that their country must ramp up defenses to counter the growing threat.
Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal.
While Fortra silently patched the bug (CVE-2024-0204) on December 7 with the release of GoAnywhere MFT 7.4.1, the company only publicly disclosed it today in an advisory offering limited information (more details are available in a private customer advisory).
However, Fortra also issued private advisories to customers on December 4 before fixing the flaw, urging them to secure their MFT services to keep their data safe.
Due to the identified security defects, which are tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, an attack could be executed using the same level of physical access that a regular customer would have.
The first issue, IOActive explains, is that, during boot, the Douro ATM would allow the user to interact with the underlying operating system’s window manager.
The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector.
In a report shared with The Hacker News, security researcher Ofir Yakobi said it "stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization)."
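One way to check your own clusters for the misconfiguration described above, as an added example rather than code from Orca or the article: it reads the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` produces and flags every binding that grants a role to system:authenticated or system:unauthenticated. The sample input is constructed, and the list of low-risk roles is an assumption based on the upstream Kubernetes default bindings.

```python
"""Audit Kubernetes RBAC bindings for grants to broad authenticated groups.

Added example, not from the original newsletter or from Orca's research.
On GKE, system:authenticated covers any Google-authenticated account, even
outside the organization, so any role bound to it is effectively public.
"""
import json

# Groups whose membership is not under the cluster owner's control.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Assumption: the discovery-only roles that upstream Kubernetes binds to these
# groups by default are low risk; anything else bound to them is a finding.
LOW_RISK_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_broad_grants(bindings_json: str) -> list[dict]:
    """Return one finding per (binding, broad group) pair, rated by the role."""
    items = json.loads(bindings_json).get("items", [])
    findings = []
    for b in items:
        role = b.get("roleRef", {}).get("name", "")
        for subj in b.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append({
                    "binding": b["metadata"]["name"],
                    "kind": b["kind"],
                    "namespace": b["metadata"].get("namespace", ""),
                    "group": subj["name"],
                    "role": role,
                    "severity": "low" if role in LOW_RISK_ROLES else "high",
                })
    return findings


# Constructed sample mimicking kubectl's JSON list output.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding",          # the Sys:All-style mistake
     "metadata": {"name": "everyone-cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding",                 # scoped to a named user: not flagged
     "metadata": {"name": "dev-read", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]})

if __name__ == "__main__":
    for f in find_broad_grants(SAMPLE):
        print(f"[{f['severity']}] {f['kind']} {f['binding']}: {f['group']} -> {f['role']}")
```

Pipe real cluster output into `find_broad_grants` and treat every "high" finding as a binding to remove or narrow to a specific group or service account.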
Trend Micro’s Zero Day Initiative (ZDI), the organizer of the event taking place January 24-26 alongside the Automotive World conference in Tokyo, Japan, said it awarded a total of $722,500 for 24 unique exploits on the first day.
The biggest reward went to the Synacktiv team, which earned $100,000 for hacking the Tesla modem. The same team earned an additional $195,000 for exploits targeting Ubiquiti Connect, ChargePoint Home Flex, JuiceBox 40 and Autel MaxiCharger EV charging stations.
Splunk on Monday announced patches for multiple vulnerabilities in Splunk Enterprise, including a high-severity bug affecting Windows instances.
Tracked as CVE-2024-23678, the high-severity flaw is described as an issue related to incorrect sanitization of path input data resulting in “the unsafe deserialization of untrusted data from a separate disk partition on the machine”.
Google on Tuesday announced the promotion of Chrome 121 to the stable channel with patches for 17 vulnerabilities, including 11 reported by external researchers.
Of the externally reported security defects, three have a severity rating of ‘high’. Google says it handed out over $30,000 in bug bounty rewards to the reporting researchers.
Hackers suspected of working for the Chinese government are mass exploiting a pair of critical vulnerabilities that give them complete control of virtual private network appliances sold by Ivanti, researchers said.
As of Tuesday morning, security company Censys detected 492 Ivanti VPNs that remained infected out of 26,000 devices exposed to the Internet. More than a quarter of the compromised VPNs—121—resided in the US. The three countries with the next biggest concentrations were Germany, with 26, South Korea, with 24, and China, with 21.
Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure.
Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible installations.
The shortcoming affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5.
Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild.
The issue, tracked as CVE-2024-23222, is a type confusion bug in the WebKit browser engine that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem was fixed with improved checks.