InfoSec MASHUP - Week 05/2024
Johnson Controls ransomware attack cost $27 million; 45k Jenkins servers exposed to RCE attacks; Linux glibc flaw lets attackers get root; Ivanti flaws being exploited; Cloudflare breached.
➤ Breaches & Security Incidents
A highly sensitive cache of code, infrastructure diagrams, internal passwords, and other technical information belonging to cryptocurrency giant Binance has been sitting on a publicly accessible GitHub repository for months, 404 Media has learned.
Binance only managed to have GitHub remove the data under a copyright takedown request last week, but not before 404 Media and other people managed to view it. Although there is no public evidence this data was accessed or used by malicious parties, the cache contained a wealth of information that could be useful to hackers looking to compromise Binance’s systems.
“This account is using our client’s internal code which poses significant risk to Binance and causes severe financial harm to Binance and user's confusion/harm,” a section of the takedown request, available on GitHub, reads. Another section says the GitHub repository is “hosting and distributing leaks of internal code which poses significant risk to BINANCE.”
The threat actor first gained access to Cloudflare's self-hosted Atlassian server on November 14 and then accessed the company's Confluence and Jira systems following a reconnaissance stage.
"They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil," said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas.
Car rental company Europcar says it has not suffered a data breach and that shared customer data is fake after a threat actor claimed to be selling the personal info of 50 million customers.
On Sunday, a person claimed to be selling the data for 48,606,700 Europcar.com customers on a popular hacking forum.
The post included samples of the stolen data for 31 alleged Europcar customers, including names, addresses, birth dates, driver's license numbers, and other information.
As first reported by BleepingComputer, Johnson Controls suffered a ransomware attack in September after the firm's Asia offices were initially breached, and the attackers spread throughout their network. The attack forced the firm to shut down large portions of its IT infrastructure, which affected customer-facing systems.
The Dark Angels ransomware gang was behind the attack and claimed to have stolen over 27 TB of confidential data from Johnson Controls. The threat actors then demanded a $51 million ransom to delete the data and provide a file decryptor.
On September 29, 2023, researchers at RedHunt Labs discovered a GitHub token in a public repository belonging to a Mercedes employee that gave access to the company's internal GitHub Enterprise Server.
"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the Internal GitHub Enterprise Server," reads RedHunt Labs' report.
"The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included database connection strings, cloud access keys, blueprints, design documents, SSO passwords, API keys, and other critical internal information."
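The Mercedes incident above turns on a credential that should never have reached a public repository. The following is an added example, not code from RedHunt Labs or from the article, of a small pre-push secret scanner of the kind a defender would run over a repository before it is published. The token prefixes it looks for (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`, `AKIA`) are the documented GitHub and AWS prefixes; the exact lengths, the connection-string pattern, the file contents and the sample credentials are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the kinds of material the RedHunt report lists (tokens, cloud access
# keys, database connection strings). Prefixes are GitHub's and AWS's documented ones;
# the length bounds are an assumption of this example and should be tuned locally.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:/]+:[^\s@]+@[^\s\"']+"
    ),
}

# Constructed sample repository: path -> file contents. The token, key and password
# below are made up for this example and are not real credentials.
SAMPLE_FILES: Dict[str, str] = {
    "ci/deploy.sh": (
        "#!/bin/sh\n"
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        "git clone https://x-access-token:$GITHUB_TOKEN@github.example/internal/repo.git\n"
    ),
    "config/settings.py": (
        "DATABASE_URL = 'postgres://app:s3cret@db.internal:5432/app'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE000000000'\n"
        "DEBUG = False\n"
    ),
    "README.md": "Set GITHUB_TOKEN in your environment before running deploy.sh.\n",
}


def redact(secret: str) -> str:
    """Keep just enough of the match to identify it without copying the secret into a report."""
    return secret[:6] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> List[Tuple[str, str, int, str]]:
    """Return (path, kind, line_number, redacted_match) for every secret-looking string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((path, kind, lineno, redact(match.group(0))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, int, str]]:
    """Scan every file of an in-memory repository snapshot."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, kind, lineno, shown in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {shown}")
```

In practice this runs as a pre-commit or pre-push hook and fails the push on any finding; the redaction matters because scanner output tends to end up in CI logs, which are themselves a common place for credentials to leak.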
CloudSEK’s analysis of a sample dataset shared by the threat actor revealed that the information impacts the subscribers of all major telecom providers in India. Given its size, the leak is estimated to affect 85% of the Indian population.
Roughly two weeks ago, a threat actor known as Unit8200 offered a similar dataset on Telegram. Both threat actors are known affiliates of the CyboCrew group, which has been active since July 2023, likely being involved in various data breaches.
The incident, the company said in a notification on its website, was discovered on August 27, when disruptions occurred on some of its servers, and was contained within hours.
Keenan’s investigation into the cyberattack revealed that “an unauthorized party gained access to certain Keenan internal systems at various times between approximately August 21, 2023 and August 27, 2023.”
OpenAI officials say that the ChatGPT histories a user reported result from his ChatGPT account being compromised. The unauthorized logins came from Sri Lanka, an OpenAI representative said. The user said he logs into his account from Brooklyn, New York.
“From what we discovered, we consider it an account takeover in that it’s consistent with activity we see where someone is contributing to a ‘pool’ of identities that an external community or proxy server uses to distribute free access,” the representative wrote. “The investigation observed that conversations were created recently from Sri Lanka. These conversations are in the same time frame as successful logins from Sri Lanka.”
Original story: ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated.
➤ Cybercrime, Cyber Espionage, APT’s
The U.S. Treasury Department on Friday announced sanctions against a half dozen Iranian government officials for their role in targeting devices at a Pennsylvania water utility in November 2023.
Working behind a flimsy persona — the “Cyber Av3ngers” — the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) targeted programmable logic controllers manufactured by Unitronics, an Israeli company, including one at a water utility in Aliquippa, Pa., the Treasury Department said in its announcement.
Hacker-for-hire firms like NSO Group and Hacking Team have become notorious for enabling their customers to spy on vulnerable members of civil society. But as far back as a decade ago in India, a startup called Appin Technology and its subsidiaries allegedly played a similar cyber-mercenary role while attracting far less attention. Over the past two years, a collection of people with direct and indirect links to that company have been working to keep it that way, using a campaign of legal threats to silence publishers and anyone else reporting on Appin Technology’s alleged hacking past. Now, a loose coalition of anti-censorship voices is working to make that strategy backfire.
Some 1,300 suspicious IP addresses or URLs have been identified as part of a global INTERPOL operation targeting phishing, malware and ransomware attacks.
Operation Synergia, which ran from September to November 2023, was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats.
The operation involved 60 law enforcement agencies from more than 50 INTERPOL member countries, with officers conducting house searches and seizing servers as well as electronic devices. To date, 70% of the command-and-control (C2) servers identified have been taken down, with the remainder currently under investigation.
Hackers working for Russia’s intelligence services are impersonating researchers and academics in an ongoing campaign to gain access to their colleagues’ email accounts, according to messages and files seen by Recorded Future News and independently analyzed by two cybersecurity companies.
All of the correspondence suggests several of the researchers have been successfully compromised by the hackers, who pretend to solicit feedback on academic articles — including an op-ed about sanctions on Moscow — or a draft version of Ukraine’s maritime security strategy.
The police in Saxony, eastern Germany, have seized 50,000 Bitcoin from the former operator of the pirate site movie2k.to through a voluntary deposit to a state-controlled wallet.
This is a record figure for the country's law enforcement authorities, corresponding to over $2.1 billion at today's Bitcoin-USD exchange rate.
The China-based threat actor known as Mustang Panda is suspected to have targeted Myanmar's Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.
"The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs)," CSIRT-CTI said.
The sanctioned individuals are both Egyptian nationals. One of them is Mu’min Al-Mawji Mahmud Salim, the creator of a platform named Electronic Horizons Foundation (EHF), which provides cybersecurity training and guidance to ISIS supporters.
The platform offers information on conducting cyber operations, including for evading law enforcement and working with cryptocurrencies.
The second sanctioned individual is Mu’min Al-Mawji’s partner, Sarah Jamal Muhammad Al-Sayyid, who allegedly helped run the EHF platform.
"UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader," the company said in a Tuesday report.
"During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain."
A Chinese government hacking campaign, tracked publicly as “Volt Typhoon,” used privately owned Cisco and NetGear routers infected with “KV Botnet” malware in an attempt to conceal the activity, the agency said in a statement. The DOJ and FBI operation, the agency added, “deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.”
🇺🇸 ⚖️ Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider
On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.
"This Tuesday, January 30, the Federal Police launched Operation Grandoreiro to investigate the activities of a criminal group responsible for electronic banking fraud, using banking malware with victims outside Brazil," the Brazilian police said in a machine-translated press release.
"The criminal structure is suspected of moving at least 3.6 million euros through fraud since 2019."
According to Caixa Bank's records, the malware operators are linked to fraud that has caused roughly $120,000,000 in losses.
Depending on their level of permissions, attackers can exploit the flaw to access sensitive information, including the first few lines of any file or even entire files.
As the software vendor described in the relevant security bulletin, CVE-2024-23897 exposes unpatched instances to several potential attacks, including RCE, by manipulating Resource Root URLs, "Remember me" cookies, or CSRF protection bypass.
➤ Government, Politics, and Privacy
“Joshua Schulte betrayed his country by committing some of the most brazen, heinous crimes of espionage in American history,” US Attorney Damian Williams said.
Schulte, a former CIA employee and software engineer, became infamous for his role in sharing classified information with WikiLeaks.
New York AG Letitia James said individuals in the state have lost millions of dollars as a result of cybercrime schemes that are possible due to Citi’s failure to implement strong data security and anti-breach practices.
“As a result of Citi’s lax security protocols and procedures, ineffective monitoring systems, and failure to respond in real-time and properly investigate fraud claims, New Yorkers have lost millions to scammers,” the AG’s office said in a press release. “Customers have lost their life savings, their children’s college funds, or even money needed to support their day-to-day lives as a result of Citi’s illegal and deceptive acts and practices.”
“Almost every software application, website, mobile device, and Internet of Things device — including those used by small businesses, the Federal Government, and the national security community — incorporates open-source software to enable and scale rapid application development processes,” the administration noted in the Tuesday report.
The Center for Internet Security, the Upstate New York nonprofit that runs information sharing and analysis operations to support government agencies, found in a study announced Tuesday that cyberattacks on state and local governments increased from 2022 to 2023. That’s according to the results from its 2022 Nationwide Cybersecurity Review, a survey of more than 3,600 state, local, tribal and territorial government organizations on cybersecurity preparedness.
Three former Department of Homeland Security (DHS) employees were sentenced to prison for stealing proprietary U.S. government software and databases containing the personal data of 200,000 federal employees.
The three individuals are Charles K. Edwards, a former Acting Inspector General of the DHS Office of Inspector General (DHS-OIG), sentenced to 1.5 years in prison; Sonal Patel, a member of the department IT staff, sentenced to 2 years of probation; and Murali Y. Venkata, also from the IT department, sentenced to 4 months in prison.
The three pleaded guilty to conspiracy to commit theft of government property and to defraud the United States and theft of government property at various times between 2019 and 2022.
"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Wyden said in a letter to the Director of National Intelligence (DNI), Avril Haines, in addition to urging the government to take steps to "ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner."
➤ ICS & OT
The attack disrupted some of Schneider Electric's Resource Advisor cloud platform, which continues to suffer outages today.
The ransomware gang reportedly stole terabytes of corporate data during the cyberattack and is now extorting the company by threatening to leak the stolen data if a ransom demand is not paid.
While it is not known what type of data was stolen, the Sustainability Business division provides consulting services to enterprise organizations, advising on renewable energy solutions and helping them navigate complex climate regulatory requirements for companies worldwide.
➤ Malware & Threats
"This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims' data," Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a new report.
"Free samples, tutorials, kits, even hackers-for-hire – everything needed to construct a complete end-to-end malicious campaign." The company also described Telegram as a "scammers paradise" and a "breeding ground for modern phishing operations."
The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.
"The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security company Akamai said in a report shared with The Hacker News.
The Computer Emergency Response Team in Ukraine (CERT-UA) is warning about a PurpleFox malware campaign that has infected at least 2,000 computers in the country.
PurpleFox (or 'DirtyMoe') is a modular Windows botnet malware first spotted in 2018 that comes with a rootkit module allowing it to hide and persist between device reboots.
It can be used as a downloader that introduces more potent second-stage payloads on compromised systems, offers its operators backdoor capabilities, and can also act as a distributed denial of service (DDoS) bot.
The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused in tandem to achieve unauthenticated remote code execution on susceptible appliances.
Following public disclosure earlier this month, the vulnerabilities have come under broad exploitation by other adversaries to drop XMRig cryptocurrency miners as well as Rust-based malware.
Synacktiv's analysis of the Rust malware, codenamed KrustyLoader, has revealed that it functions as a loader to download Sliver from a remote server and execute it on the compromised host.
"The new version of ZLoader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time," researchers Santiago Vicente and Ismael Garcia Perez said.
ZLoader, also known by the names Terdot, DELoader, or Silent Night, is an offshoot of the Zeus banking trojan that first surfaced in 2015, before pivoting to functioning as a loader for next-stage payloads, including ransomware.
A benign image of a pizza was uploaded to a third-party website and was then linked with a URL pasted into the “about” page of a registered Ars user. Buried in that URL was a string of characters that appeared to be random—but were actually a payload. The campaign also targeted the video-sharing site Vimeo, where a benign video was uploaded and a malicious string was included in the video description.
➤ Tech & Tools
If you run the Chrome browser in Windows 10 or 11 and you've suddenly discovered that you're running Microsoft Edge instead, you're not alone. The Verge's Tom Warren reports that he and multiple other users on social media and Microsoft's support forums have suddenly found their Chrome browsing sessions mysteriously replicated in Edge.
➤ Vulnerabilities, Research, and Threat Intelligence
Varonis security researcher Dolev Taler, who has been credited with discovering and reporting the bug, said NTLM hashes could be leaked by leveraging Windows Performance Analyzer (WPA) and Windows File Explorer. These two attack methods, however, remain unpatched.
"What makes this interesting is that WPA attempts to authenticate using NTLM v2 over the open web," Taler said.
"Usually, NTLM v2 should be used when attempting to authenticate against internal IP-address-based services. However, when the NTLM v2 hash is passing through the open internet, it is vulnerable to relay and offline brute-force attacks."
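Taler's point is that an NTLM v2 exchange is tolerable against internal, IP-addressed services but exposed to relay and offline cracking once it crosses the public internet. Until the unpatched paths are fixed, the practical defence is egress control plus detection of outbound NTLM. The code below is an added example, not from Varonis or the article: it runs a simple detection over a handful of constructed firewall and proxy log lines and flags SMB sessions and NTLM-authenticated HTTP requests whose destination is outside the internal ranges. The key=value log format, the rule names and all addresses are assumptions of the example (the destinations use the 203.0.113.0/24 documentation range, so the internal-range check is written explicitly rather than relying on `ipaddress.is_global`).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Internal ranges for this example: RFC 1918, loopback and link-local. Adjust to your estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]
SMB_PORTS = {139, 445}

# Constructed sample log: timestamp followed by key=value pairs (not a real vendor format).
SAMPLE_LOG = [
    "2024-02-01T10:15:02Z src=10.20.30.40 dst=10.20.30.5 dport=445 proto=tcp app=smb",
    "2024-02-01T10:15:09Z src=10.20.30.40 dst=203.0.113.10 dport=445 proto=tcp app=smb",
    "2024-02-01T10:16:31Z src=10.20.30.41 dst=203.0.113.22 dport=80 proto=http auth=NTLM",
    "2024-02-01T10:17:00Z src=10.20.30.41 dst=203.0.113.22 dport=443 proto=https auth=none",
    "2024-02-01T10:18:12Z src=10.20.30.42 dst=172.16.8.9 dport=80 proto=http auth=NTLM",
]


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    dport: int
    line: str


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_internal(ip_text: str) -> bool:
    """True if the address falls in one of the configured internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return a rule name when the record shows NTLM-bearing traffic leaving the network."""
    if is_internal(fields.get("dst", "")):
        return None  # NTLM to internal services is the expected case
    dport = int(fields.get("dport", "0"))
    if dport in SMB_PORTS:
        return "smb_to_internet"  # SMB to the internet carries NTLM authentication
    if fields.get("auth", "").upper() == "NTLM":
        return "ntlm_http_to_internet"  # NTLM challenge/response over plain HTTP(S)
    return None


def detect(lines: List[str]) -> List[Alert]:
    """Run the classifier over every log line and collect alerts in order."""
    alerts = []
    for line in lines:
        fields = parse_kv_line(line)
        rule = classify(fields)
        if rule:
            alerts.append(Alert(rule, fields.get("src", ""), fields.get("dst", ""),
                                int(fields.get("dport", "0")), line))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.rule}: {alert.src} -> {alert.dst}:{alert.dport}")
```

The same two conditions map directly onto preventive controls: block outbound TCP 445/139 at the perimeter, and restrict NTLM to internal zones via Windows' network security policies, so that the detection mostly serves to catch hosts that bypass the proxy.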
The audit, conducted by non-profit cybersecurity consultancy Radically Open Security between April and August 2023, covered the Tor browser, exit relays, exposed services, infrastructure, and testing and profiling tools. The results of the assessment were made public this week.
The audit, a crystal box penetration test (where the tester has access to the source code), uncovered a total of 17 security issues.
On Wednesday, Apple released visionOS 1.0.2, the software that runs on the Vision Pro, with a fix for a vulnerability in WebKit, the browser engine that runs Safari and other web apps. Apple said the bug, if exploited, allowed malicious code to run on an affected device.
It’s the same vulnerability that Apple patched last week when it rolled out iOS 17.3, which included fixes for iPhones, iPads, Macs and Apple TV — all of which rely on WebKit. No patches for this bug, officially tracked as CVE-2024-23222, were released for Apple Watch.
Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc).
Tracked as CVE-2023-6246, this security flaw was found in glibc's __vsyslog_internal() function, called by the widely-used syslog and vsyslog functions for writing messages to the system message logger.
"The buffer overflow issue poses a significant threat as it could allow local privilege escalation, enabling an unprivileged user to gain full root access through crafted inputs to applications that employ these logging functions," Qualys security researchers said.
Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.
The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.
Vulnerabilities in WatchGuard and Panda Security products could allow attackers to cause denial of service (DoS) conditions or execute arbitrary code with System privileges.
The bugs were identified in the Panda Kernel Memory Access driver (pskmad_64.sys) that is installed alongside WatchGuard EPDR, Panda AD360, and Panda Dome for Windows.
An Indian state government has fixed security issues impacting its website that exposed the sensitive documents and personal information of millions of residents.
The bugs existed on the Rajasthan government website related to Jan Aadhaar, a state program to provide a single identifier to families and individuals in the state to access welfare schemes. The bugs exposed the copies of Aadhaar cards, birth and marriage certificates, electricity bills and income statements related to registrants, as well as personal information such as their date of birth, gender and father’s name.