InfoSec MASHUP - Week 06/2024
Finance worker pays out $25 million after video call with deepfake CFO; New NSA and Cyber Command Lead; Ransomware Payments Exceed $1 Billion in 2023; Toothbrush DDoS attack never happened.
📚 This Week’s Recommended Reading
About the author
Having started her career with over 10 years of ethical hacking, reverse engineering, and advanced vulnerability analysis as a defense contractor, Stephanie Domas has a deep knowledge of and passion for the hacker mindset.
Pivoting her offensive skills to defense, she built and led two cybersecurity businesses focused on the defense of embedded systems, medical devices and the healthcare industry. She serves as a prominent industry consultant and advisor to a broad range of tech companies and device manufacturers, from the newest startups to industry giants. Stephanie is currently the CISO of Canonical, driving Canonical to be the most trusted computational partner in all of open source. Prior to that she served as Chief Security Technology Strategist at Intel, where she owned the cross-Intel security technology strategy, formulating and implementing strategies to accelerate Intel’s strength, competitiveness, and revenue growth in the area of security.
Stephanie is a passionate educator, strategist, speaker, advisor, and security enthusiast.
➤ Breaches & Security Incidents
Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including which devices customers bought, as well as each product’s warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.
The data breach involved a staggering 19,718,687 rows of personally identifiable information (PII), including sensitive details such as names, ID card numbers, phone numbers, emails, salaries, and personal photographs. The breach has already resulted in at least 14 cases of cybercrime, with the origin of the breach still unidentified.
Viamedis, whose systems handle third-party payments for over 20 million people, announced the data breach on February 2. Its clients include Carte Blanche Partenaires, Itelis, Kalixia and Santéclair among many others.
“To date, we do not know precisely how many people have been affected, the matter is still under investigation,” Viamedis CEO Christophe Candé told AFP.
"We are aware of the claims and are investigating their veracity," HPE's Sr. Director for Global Communications Adam R. Bauer told BleepingComputer on Thursday.
"At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt."
According to Verizon’s letter to affected users, the information contained in the file may include name, address, Social Security number or other national identifier, gender, union affiliation, date of birth, and compensation information.
“At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue. We are working to ensure our technical controls are enhanced to help prevent this type of situation from reoccurring and are notifying applicable regulators about the matter,” the notification reads.
According to the company, a security audit triggered by suspicious activity led to the discovery that AnyDesk production systems were compromised. Little information has been shared on the attack itself, but AnyDesk has clarified that the incident “is not related to ransomware”.
“We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one,” AnyDesk said.
"The costs incurred relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the Company's business operations," reads the Clorox 2024 Q2 Quarterly report.
John Shirek reports that Atlanta Women’s Health Group just notified more than 30,000 patients about a data breach that occurred in April 2023. As is too often the case, the incident resulted in the theft of patients’ protected health information.
➤ Cybercrime, Cyber Espionage, APTs
Ransomware payments in 2023 surpassed the $1 billion mark, the highest number ever observed. Although 2022 saw a decline in ransomware payment volume, the overall trend line from 2019 to 2023 indicates that ransomware is an escalating problem. Keep in mind that this number does not capture the economic impact of productivity loss and repair costs associated with attacks. This is evident in cases like the ALPHV-BlackCat and Scattered Spider’s bold targeting of MGM resorts. While MGM did not pay the ransom, it estimates damages cost the business over $100 million.
An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a stealthy cyber espionage campaign designed to drop a previously undocumented backdoor called Zardoor.
"Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command-and-control (C2), and maintain persistence," security researchers Jungsoo An, Wayne Lee, and Vanja Svajcer said, calling out the threat actor's ability to maintain long-term access to victim environments without attracting attention.
"Today, the Department of State is announcing a reward offer of up to $10,000,000 for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Hive ransomware variant transnational organized crime group," the State Department said.
"In addition, we are also announcing a reward of up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in Hive ransomware activity."
🇨🇳 🇺🇸 China-backed Volt Typhoon hackers have lurked inside US critical infrastructure for ‘at least five years’
According to Wednesday’s technical advisory, Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically leveraged stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases, they have maintained access for “at least five years.”
This access enabled the state-backed hackers to carry out potential disruptions such as “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures,” the advisory warned. In some cases, Volt Typhoon hackers had the capability to access camera surveillance systems at critical infrastructure facilities — though it’s not clear if they did.
"This [computer network] was used for unclassified research and development (R&D)," the Dutch Military Intelligence and Security Service (MIVD) said in a statement. "Because this system was self-contained, it did not lead to any damage to the defense network." The network had fewer than 50 users.
The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.
Since Hamas attacked Israel in October 2023, Iranian government-aligned actors have launched a series of cyberattacks and influence operations (IO) intended to help the Hamas cause and weaken Israel and its political allies and business partners. Many of Iran’s immediate operations after October 7 were hasty and chaotic – indicating it had little or no coordination with Hamas – but it nevertheless has achieved growing success.
A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business.
Aliaksandr Klimenka, who was arrested in Latvia on December 21, 2023, was extradited to the U.S. and is currently being held in custody. If convicted, he faces a maximum penalty of 25 years in prison.
A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.
The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.
“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.
The iPhones belonging to nearly three dozen journalists, activists, human rights lawyers, and civil society members in Jordan have been targeted with NSO Group's Pegasus spyware, according to joint findings from Access Now and the Citizen Lab.
Nine of the 35 individuals have been publicly confirmed as targeted, out of whom six had their devices compromised with the mercenary surveillanceware tool. The infections are estimated to have taken place from at least 2019 until September 2023.
➤ Government, Politics, and Privacy
At the opening of the Kyiv International Cyber Resilience Forum 2024, Oleksiy Danilov, secretary of the National Security and Defense Council of Ukraine, suggested that the post of cyber diplomat will soon be created in Ukraine, a Kyiv Post correspondent reports.
“Now there is a big movement in the world - every country is starting to understand today, and many countries already have cyber diplomats. In our country, I think, such a post will certainly appear soon - a cyber diplomat, because this is a significant direction of the struggle for light in this world,” said Danilov.
Elizabeth Kelly will lead the AI Safety Institute at the National Institute for Standards and Technology, which is part of the Commerce Department. Currently an economic policy adviser for President Joe Biden, Kelly played an integral role in drafting the executive order signed at the end of October that established the institute, the Commerce Department said in a statement.
The matter was brought to the agency's attention roughly four years ago by a concerned parent and activist, Jesper Graugaard, who protested how student data is sent to Google without any consideration about the potential for misuse or the impact it could have on those persons in the future.
The agency has now decided that the current methods of transferring personal data to Google do not have a legal basis for all disclosed purposes. Hence, 53 municipalities across Denmark must adjust their data processing practices.
It’s also proposing to create a new criminal offense of livestreaming child sexual abuse. The possession and exchange of “pedophile manuals” would also be criminalized under the plan, which is part of a wider package of measures the EU says is intended to boost prevention of CSA, including by increasing awareness of online risks and by making it easier for victims to report crimes and obtain support (including granting them a right to financial compensation).
The proposal to update the EU’s current rules in this area, which date back to 2011, also includes changes around mandatory reporting of offenses.
404 Media recently exposed Patternz, a global phone spy tool that tracks movements and interests through advertising data. Other internal documents now show the technology was marketed as a way to detect riots.
Uber must pay a fine of 10 million euros to the Dutch data protection authority after the agency found the ride-hailing app maker had not been transparent about how long it kept driver data and which employees outside of Europe had access to the data.
“The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses,” Secretary of State Antony Blinken said in a statement announcing the new policy. “The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association. Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”
“I am honored to begin my role as Commander of U.S. Cyber Command, Director of the National Security Agency, and Chief of the Central Security Service,” General Haugh said. “Having served in both USCYBERCOM and NSA, I have seen our workforce do incredible things on behalf of the nation, creating a unique advantage that has kept us ahead of our adversaries. I have full confidence in our ability to achieve our goals, because I know that the people of the USCYBERCOM and NSA/CSS are standing ready to tackle any challenge that comes their way.”
➤ ICS & OT
“A remote unauthenticated attacker may be able to bypass authentication by sending specially crafted packets and connect to the products illegally (CVE-2023-6942),” the vendor explained. “Furthermore, the attacker may be able to execute malicious code by remotely calling a function with a path to a malicious library while connected to the products (CVE-2023-6943). As a result, unauthorized users may disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products.”
The report is based on a combination of data from a survey of over 400 CIOs conducted in September 2023 by Frost & Sullivan, and data collected by TXOne itself from more than 500 incidents that occurred last year in North America, Europe and the APAC region. The survey respondents represented organizations in the United States, Germany, Japan and the United Arab Emirates (UAE), with roughly 100 respondents from each country.
The survey found that 46% of organizations had dealt with an OT security incident in the previous 12 months. Of these incidents, 47% involved ransomware — the percentage was higher in the US and UAE, exceeding 50%, and the lowest was in Germany.
➤ Malware & Threats
Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that's known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.
Attributed to a threat actor named Storm-0856 (previously DEV-0856), it's propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like Evil Corp, Silence, and TA505.
"Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is installed, their malicious activity starts automatically."
The campaign's targets include Android users located in France, Germany, India, Japan, and South Korea.
A newly identified macOS backdoor written in Rust appears linked to the prominent ransomware families Black Basta and Alphv/BlackCat, cybersecurity firm Bitdefender reports.
The malware, dubbed RustDoor, impersonates Visual Studio, supports both Intel and Arm architectures, and appears to have been circulating since November 2023, remaining undetected for roughly three months.
A news story about the hacking of three million smart toothbrushes to create a massive botnet used to launch a distributed denial of service cyberattack against a Swiss organization has gone viral. However, many in the information security industry, including myself, have trouble finding evidence to support the story.
Propagated via phishing emails, Mispadu is a Delphi-based information stealer known to specifically infect victims in the Latin American (LATAM) region. In March 2023, Metabase Q revealed that Mispadu spam campaigns had harvested no less than 90,000 bank account credentials since August 2022.
It's also part of the larger family of LATAM banking malware, including Grandoreiro, which was dismantled by Brazilian law enforcement authorities last week.
➤ Tech & Tools
On Thursday, the Innovation, Science and Economic Development Canada agency said it will “pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.” A social media post by François-Philippe Champagne, the minister of that agency, said that as part of the push “we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”
[…] today we’re happy to introduce an important new enterprise security tool to our community with Proton Pass for Business. You can now easily create an encrypted Swiss vault to store and control access to your organization’s login details, bank cards, and secure notes.
“So far, the expanded fuzzing coverage offered by LLM-generated improvements allowed OSS-Fuzz to discover two new vulnerabilities in cJSON and libplist, two widely used projects that had already been fuzzed for years,” Google says.
The open sourced tool includes support for Vertex AI code-bison, Vertex AI code-bison-32k, Gemini Pro, OpenAI GPT-3.5-turbo, and OpenAI GPT-4.
➤ Vulnerabilities, Research, and Threat Intelligence
The flaw (CVE-2024-22024) is due to an XXE (XML External Entity) weakness in the gateways' SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication.
"We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected," Ivanti said.
"For users of other supported versions, the mitigation released on 31 January successfully blocks the vulnerable endpoints until remaining patches are released," the company added in a separate advisory.
At the heart of the bug, Munro found that anyone using Livall’s apps for group audio chat and sharing their location must be part of the same friends group, which could be accessed using only that group’s six-digit numeric code.
“That 6-digit group code simply isn’t random enough,” Munro said in a blog post describing the flaw. “We could brute force all group IDs in a matter of minutes.”
As a result, anyone could reach any group, since all 1 million possible six-digit group codes can be tried in a short time.
Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.
Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been credited with discovering and reporting the bug.
The issues, described as buffer overflow bugs, can be exploited over the network for remote code execution (RCE) or to cause the vulnerable product to become unresponsive.
“These vulnerabilities indicate the possibility that, if a product is connected directly to the Internet without using a router (wired or Wi-Fi), an unauthenticated remote attacker may be able to execute arbitrary code and/or may be able to target the product in a denial-of-service (DoS) attack via the internet,” Canon notes.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google explains in its advisory.
The flaw has been resolved as part of Android’s 2024-02-01 security patch level, which addresses a total of 15 security defects.
While analyzing the Flysmart+ Manager iOS application, which lets users update the data for the EFB application suite from a central source, Pen Test Partners discovered that it had App Transport Security (ATS) disabled.
The issue, Pen Test Partners explains, allowed an attacker to view data downloaded from the Navblue servers, consisting mostly of SQLite databases containing aircraft information and take-off performance data.
The bugs, tracked as CVE-2023-45025 and CVE-2023-39297, are described as OS command injection flaws that impact QTS versions 5.1.x and 4.5.x, QuTS hero versions h5.1.x and h4.5.x, and QuTScloud version 5.x.