InfoSec MASHUP - Week 44/2023
Discover more from X’s Infosec Newsletter
InfoSec MASHUP - Week 44/2023
HackerOne paid over $300 million in bounties; NGINX Ingress Controller for k8s vuln.; Has India's Biggest Leak Happened? Boeing confirms breach; Citrix Bleed massively exploited; Okta hit by breach;
📚 This Week’s Recommended Reading
➝ Listen to best-sellers and new releases with Amazon Audible 🎧 📕
About the author
Edward Snowden was born in Elizabeth City, North Carolina, and grew up in the shadow of Fort Meade. A systems engineer by training, he served as an officer of the Central Intelligence Agency, and worked as a contractor for the National Security Agency. He has received numerous awards for his public service, including the Right Livelihood Award, the German Whistleblower Prize, the Ridenhour Prize for Truth-Telling, and the Carl von Ossietzky Medal from the International League of Human Rights. Currently, he serves as president of the board of directors of the Freedom of the Press Foundation.
Partners and affiliates
🔐 NordVPN’s Cyber Month campaign ⚡️ (from Oct 18 to Nov 29 )
Users purchasing the 2-year plan will save a whopping 68%!
Those buying the 2-year plan will also automatically get 3 additional months
➝ Why You Should Use a VPN When Booking a Hotel 🏝️
👕 Geek at Work: Hacking in Progress T-Shirt (Unisex)
Whether you're a seasoned tech professional, a coding enthusiast, or someone who simply loves to unravel digital mysteries, this t-shirt is a must-have addition to your wardrobe. Wear it and let the world know that when you're around, a bit of hacking magic might just be in progress.
➤ Breaches & Security Incidents
~~
🔓 Okta hit by another breach, this one stealing employee data from 3rd-party vendor
Identity and authentication management provider Okta has been hit by another breach, this one against a third-party vendor that allowed hackers to steal personal information for 5,000 Okta employees.
The compromise was carried out in late September against Rightway Healthcare, a service Okta uses to support employees and their dependents in finding health care providers and plan rates. An unidentified threat actor gained access to Rightway’s network and made off with an eligibility census file the vendor maintained on behalf of Okta. Okta learned of the compromise and data theft on October 12 and didn’t disclose it until Thursday, exactly three weeks later.
Related: Okta hit by third-party data breach exposing employee information
Related: Okta Hack Blamed on Employee Using Personal Google Account on Company Laptop
🇨🇦 📚 Toronto Public Library outages caused by Black Basta ransomware attack
Earlier this week, TPL warned that a cyberattack is causing technical outages on its websites and some online services.
These outages include the tpl.ca site being taken offline, the inability to access your online account, and outages in the tpl:map passes and digital collections services.
The library warned that public computers and printing services are also unavailable.
🔓 💸 LastPass breach linked to theft of $4.4 million in crypto
Hackers have stolen $4.4 million in cryptocurrency on October 25th using private keys and passphrases stored in stolen LastPass databases, according to research by crypto fraud researchers who have been researching similar incidents.
🇮🇳 India's Biggest Data Leak So Far? Covid-19 Test Info of 81.5Cr Citizens With ICMR Up for Sale
In what is suspected to be the biggest data leak case in the country so far, details of 81.5 crore Indians with the Indian Council of Medical Research (ICMR) are on sale.
A ‘threat actor’ with a handle on X, formerly Twitter, has advertised the database in the breached forum on dark web which involves records of 81.5 million Indian citizens — Aadhaar and passport information along with names, phone numbers and addresses. The ‘threat actor’ claimed the data — extracted from the Covid-19 test details of citizens — was sourced from ICMR.
🔓 ✈️ Lockbit ransomware group claims to have hacked Boeing
Boeing, a major American aerospace company with an estimated annual revenue of over $66 billion and a workforce of 150,000 employees worldwide, has recently been named by Lockbit as a victim in their ransomware activities.
Related: Boeing Confirms Distribution Business Hit by Cyberattack 🚨
➤ Cybercrime, Cyber Espionage, APT’s
~~
🇳🇱 ⚖️ Dutch hacker jailed for extortion, selling stolen data on RaidForums
A former Dutch cybersecurity professional was sentenced to four years in prison after being found guilty of hacking and blackmailing more than a dozen companies in the Netherlands and worldwide.
The suspect, a 21-year-old man from Zandvoort named Pepijn Van der Stap, has been convicted on multiple charges, including hacking into victims' computers, extortion, and laundering at least 2.5 million euros in cryptocurrency.
🇷🇺 🇺🇸 Russian Reshipping Service ‘SWAT USA Drop’ Exposed
One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.
🇮🇷 🦠 Iranian Cyber Spies Use ‘LionTail’ Malware in Latest Attacks
An Iranian espionage group has been caught using a new malware framework in a recent spate of cyberattacks, according to a warning from researchers at Check Point.
Tracked as Scarred Manticore and linked to the OilRig threat actor, the nation-state hacking group has been active since at least 2019, targeting high-profile organizations in the Middle East.
Related: Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East
📉 Security researchers observed ‘deliberate’ takedown of notorious Mozi botnet
Mozi is a peer-to-peer Internet of Things botnet that exploits weak telnet passwords and known exploits to hijack home routers and digital video recorders. The botnet, first discovered in 2019 by 360 Netlab, uses masses of these hijacked devices to launch DDoS attacks, payload execution, and data exfiltration. Mozi has infected more than 1.5 million devices since 2019, with the majority — at least 830,000 devices — originating from China.
Related: Mozi Botnet Likely Killed by Its Creators
🇮🇳 📱 Apple warns Indian opposition leaders of state-sponsored iPhone attacks
Apple has warned over a half dozen Indian lawmakers from Prime Minister Narendra Modi’s main opposition of their iPhones being targets of state-sponsored attacks, these people said Tuesday, in a remarkable turn of events just months before the general elections in the South Asian nation.
Rahul Gandhi, Indian opposition leader, said in a media briefing Tuesday that his team had received the said alert from Apple. […]
🇺🇸 ⚖️ Florida SIM Swapper Sentenced to Prison for Cryptocurrency Theft
A Florida man was sentenced to prison last week for his role in a hacking scheme that resulted in the theft of approximately $1 million in cryptocurrency.
The 20–year-old Orlando man, identified as Jordan Dave Persad, was found guilty of hacking into victims’ email accounts and hijacking their phone numbers to gain access to cryptocurrency accounts, the US Department of Justice said.
🌍 Four dozen countries declare they won’t pay ransomware ransoms
The United States and a consortium of some four dozen countries will pledge this week to no longer pay ransoms demanded as part of ransomware attacks, a senior administration official said Monday.
The statement will come as part of a meeting of the International Counter Ransomware Initiative set to take place Tuesday. The commitment to no longer pay ransoms will be part of a joint policy statement signed by 48 countries, the European Union and Interpol.
Related: Why ransomware victims can’t stop paying off hackers 🧐
🇷🇺 How Kopeechka, an Automated Social Media Accounts Creation Service, Can Facilitate Cybercrime
Recently, we came across a service that, while it is not necessarily illegal, facilitates cybercrime operations that rely on large-scale social media spamming: the Kopeechka service. In Russian, “kopeechka” means “penny.”
🇦🇹 🏴☠️ Pirate IPTV network in Austria dismantled and $1.74 million seized
The Austrian police have arrested 20 people across the country linked to an illegal IPTV network that, between 2016 and 2023, decrypted copyright-protected broadcasts and redistributed them to thousands of customers.
Investigation into the illegal network started after a complaint was filed in Germany, leading to the discovery of a criminal enterprise consisting of 80 perpetrators, all Turkish citizens.
➤ Government, Politics, and Privacy
~~
🇪🇺 EU digital ID reforms should be ‘actively resisted’, say experts
A group of 309 cyber security experts, researchers and scientists hailing from 31 countries around the world has called on the European Union (EU) to rethink proposals to reform the electronic identification, authentication and trust services (eIDAS) Regulations, saying that “as proposed in its current form, this legislation will not result in adequate technological safeguards for citizens and businesses, as intended. In fact, it will very likely result in less security for all”.
The group’s concerns over the amendments largely centre on Article 45 of the reformed eIDAS, where it says the text “radically expands the ability of governments to surveil both their own citizens and residents across the EU by providing them with the technical means to intercept encrypted web traffic, as well as undermining the existing oversight mechanisms relied on by European citizens”.
🇷🇺 🇺🇦 FSB arrests Russian hackers working for Ukrainian cyber forces
The Russian Federal Security Service (FSB) arrested two individuals believed to have helped Ukrainian forces carry out cyberattacks to disrupt Russian critical infrastructure targets.
Both suspects were taken into custody one same day in two different regions of Siberia (Tomsk and Kemerovo) and are facing high treason charges that carry a punishment of up to 20 years in prison.
🇺🇸 FTC orders non-bank financial firms to report breaches in 30 days
The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rules, mandating that all non-banking financial institutions report data breach incidents within 30 days.
Such entities include mortgage brokers, motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms.
This requirement adds to the Safeguards Rule, aiming to enhance data security measures to protect customer information and strengthen compliance obligations.
🇨🇦 📱 Canada Bans WeChat and Kaspersky Apps On Government Devices
Canada on Monday announced a ban on the use of apps from Tencent and Kaspersky on government mobile devices, citing an "unacceptable level of risk to privacy and security."
"The Government of Canada is committed to keeping government information and networks secure," the Canadian government said. "We regularly monitor potential threats and take immediate action to address risks."
🇺🇸 SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures
In a surprising development on Monday that is spooking the cybersecurity community, the Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and known risks.
Related: SEC sues SolarWinds for misleading investors before 2020 hack
Related: Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO
🇺🇸 🤖 Biden Wants to Move Fast on AI Safeguards and Will Sign an Executive Order to Address His Concerns
President Joe Biden on Monday [Oct 30, 2023] will sign a sweeping executive order to guide the development of artificial intelligence — requiring industry to develop safety and security standards, introducing new consumer protections and giving federal agencies an extensive to-do list to oversee the rapidly progressing technology.
Related: Biden issues sweeping executive order that touches AI risk, deepfakes, privacy
🇵🇸 💥 The Destruction of Gaza’s Internet Is Complete
For more than three weeks, Gaza has faced an almost total internet blackout. The cables, cell towers, and infrastructure needed to keep people online have been damaged or destroyed as Israel launched thousands of missiles in response to Hamas attacking Israel and taking hundreds of hostages on October 7. Then, this evening, amid reports of heavy bombing in Gaza, some of the last remaining connectivity disappeared.
➤ ICS & OT
~~
➤ Malware & Threats
~~
🦠 📱 Avast confirms it tagged Google app as malware on Android phones
Czech cybersecurity company Avast confirmed that its antivirus SDK has been flagging a Google Android app as malware on Huawei, Vivo, and Honor smartphones since Saturday.
On affected devices, users were warned to immediately uninstall the Google app because it could secretly send SMS messages, download and install other apps, or steal their sensitive information.
"This security notification was not triggered by Google Play Protect and appears to be from a device that is not Play Protect certified and does not have access to officially download Google's core apps from Play," a Google spokesperson told BleepingComputer.
"We recommend contacting the device manufacturer for further information. Google Play is the only app store where you can officially download Google's core apps for Android."
Related: Huawei, Vivo phones tag Google app as TrojanSMS-PA malware
🦠 🇰🇵 North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware
State-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN.
"Threat actors lured blockchain engineers with a Python application to gain initial access to the environment," security researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease said in a report published today.
"This intrusion involved multiple complex stages that each employed deliberate defense evasion techniques."
🦠 Malicious NuGet Packages Caught Distributing SeroXen RAT Malware
Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment.
"The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages," Karlo Zanki, reverse engineer at ReversingLabs, said in a report shared with The Hacker News.
🦠 🇷🇺 Turla Updates Kazuar Backdoor with Advanced Anti-Analysis to Evade Detection
"As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar's ability to operate in stealth, evade detection and thwart analysis efforts," security researchers Daniel Frank and Tom Fakterman said in a technical report.
"They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation practices."
👥 💸 EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub
A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.
"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News.
Related: IAM Credentials in Public GitHub Repositories Harvested in Minutes
🦠 Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware
A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.
Based on the installers used as lures, it's suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.
🦠 🐍 Trojanized PyCharm Software Version Delivered via Google Search Ads
A new malvertising campaign has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads.
"Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it," Jérôme Segura, director of threat intelligence at Malwarebytes, said in a report.
"Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead."
➤ Tech & Tools
~~
✅ 🤖 Google Play adds security audit badges for Android VPN apps
Google Play, Android's official app store, is now tagging VPN apps with an 'independent security reviews' badge if they conducted an independent security audit of their software and platform.
Specifically, that standard is MASA (Mobile App Security Assessment), which was introduced last year as an initiative of the App Defense Alliance (ADA) to define a concrete set of requirements for mobile app security.
🔐 Microsoft pledges to bolster security as part of ‘Secure Future’ initiative
"In recent months, we've concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response," said Microsoft President Brad Smith.
"Therefore, we're launching today across the company a new initiative to pursue our next generation of cybersecurity protection – what we're calling our Secure Future Initiative (SFI)."
Related: After Major Cloud Hacks, Microsoft Unveils ‘Secure Future Initiative’
Related: Microsoft upgrades security for signing keys in wake of Chinese breach
🆕 FIRST Releases CVSS 4.0 Vuln Scoring Standard
The Forum of Incident Response and Security Teams (FIRST) on Monday pushed out a refresh of its CVSS vulnerability scoring standard as part of an attempt to provide more data and remove ambiguities in rating the severity of downstream issues.
The updated standard, used by organizations to rate the severity of known software flaws, offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity and simplifies threat metrics, FIRST said.
Related: New CVSS 4.0 vulnerability severity rating standard released
🆕 MITRE Releases ATT&CK v14 With Improvements to Detections, ICS, Mobile
ATT&CK v14 covers a total of 760 pieces of software, 143 activity clusters (groups), and 24 campaigns across enterprise, mobile and ICS.
The latest version of ATT&CK brings a significant expansion of detection notes and analytics, as well as enhanced relationships between detections, data sources and mitigations.
⛔️ 🦠 Samsung Galaxy gets new Auto Blocker anti-malware feature
Samsung has unveiled a new security feature called 'Auto Blocker' as part of the One UI 6 update, offering enhanced malware protection on Galaxy devices.
Auto Blocker is an opt-in security feature that prevents the side-loading of risky apps (APKs) downloaded from outside the Galaxy Store and Google Play.
🔐 Google Chrome now auto-upgrades to secure connections for all users
Google has taken a significant step towards enhancing Chrome internet security by automatically upgrading insecure HTTP requests to HTTPS requests for 100% of users.
This feature is called HTTPS-Upgrades and will secure old links that utilize the http:// by automatically attempting to first connect to the URL over the encrypted https:// protocol.
A limited rollout of this feature in Google Chrome began in July, but as of October 16th, Google has now rolled it out to all users on the Stable channel.
🍏 🔐 Apple Improves iMessage Security With Contact Key Verification
“iMessage contact key verification advances the state of the art of key transparency deployments by having user devices themselves verify consistency proofs and ensure consistency of the KT system across all user devices for an account,” Apple says.
Related: iMessage Contact Key Verification blocks the ‘ghost proposal’ plan by government spy agency
➤ Vulnerabilities, Research, and Threat Intelligence
~~
🔓 Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover
As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems.
"By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said.
🔓 🪶 3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online
Over three thousand internet-exposed Apache ActiveMQ servers are vulnerable to a recently disclosed critical remote code execution (RCE) vulnerability.
The flaw in question is CVE-2023-46604, a critical severity (CVSS v3 score: 10.0) RCE allowing attackers to execute arbitrary shell commands by exploiting the serialized class types in the OpenWire protocol.
Fixes were made available on the same day with the release of versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, which are the recommended upgrade targets.
Related: HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability
🗣️ Atlassian CISO Urges Quick Action to Protect Confluence Instances From Critical Vulnerability
Enterprise software maker Atlassian on Monday urged all Confluence Data Center and Server customers to patch their instances against a critical-severity vulnerability that can be exploited without authentication.
The security defect, tracked as CVE-2023-22518 (CVSS score of 9.1), is described as an improper authorization bug that impacts all Confluence versions.
While it did not share technical details on the flaw in its advisory, Atlassian instead drew attention to the high impact successful exploitation would have.
Related: Atlassian warns of critical Confluence flaw leading to data loss
🧐 Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing
For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware.
🔓 🩸 “This vulnerability is now under mass exploitation.” Citrix Bleed bug bites hard
A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.
Citrix Bleed, the common name for the vulnerability, carries a severity rating of 9.4 out of a possible 10, a relatively high designation for a mere information-disclosure bug. The reason: the information disclosed can include session tokens, which the hardware assigns to devices that have already successfully provided credentials, including those providing MFA. The vulnerability, tracked as CVE-2023-4966 and residing in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, has been under active exploitationsince August. Citrix issued a patch on October 10.
Related: Hackers use Citrix Bleed flaw in attacks on govt networks worldwide
🔓 ☁️ New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes
Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.
"These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster," Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.
🐛 💰 HackerOne paid ethical hackers over $300 million in bug bounties
HackerOne has announced that its bug bounty programs have awarded over $300 million in rewards to ethical hackers and vulnerability researchers since the platform's inception.
Thirty hackers have earned over a million USD for their submissions, and one has broken the record, receiving over $4 million for his bug reports.