InfoSec MASHUP - Week 46/2023
Crypto exchange Poloniex breached; Denmark hit with its largest cyberattack; ICBC paid ransom after hack; another Patch Tuesday; CPU bugs and attacks coming left and right;
📚 This Week’s Recommended Reading
➝ Listen to best-sellers and new releases with Amazon Audible 🎧 📕
About the authors
Jennifer Jin was raised in Dallas, TX before graduating from The University of Texas at Austin with a degree in Communication Studies. As Threatcare’s Head of Communications, she ensures all departments are running smoothly and efficiently, while also owning event planning, content marketing, and customer support. Jennifer satisfies her undying curiosity by dabbling in photography and modeling, playing and streaming PC games, and traveling to new countries.
Marcus J. Carey is the creator of the best selling Tribe of Hackers cybersecurity book series. Marcus is renowned in the cybersecurity industry and has spent his more than 20-year career working in penetration testing, incident response, and digital forensics with federal agencies such as NSA, DC3, DIA, and DARPA. He started his career in cryptography in the U.S. Navy and holds a Master's degree in Network Security from Capitol College.
Partners and affiliates
🔐 NordVPN’s Cyber Month campaign ⚡️ (from Oct 18 to Nov 29)
Users purchasing the 2-year plan will save a whopping 68%!
Those buying the 2-year plan will also automatically get 3 additional months
Whether you're a seasoned tech professional, a coding enthusiast, or someone who simply loves to unravel digital mysteries, this t-shirt is a must-have addition to your wardrobe. Wear it and let the world know that when you're around, a bit of hacking magic might just be in progress.
➤ Breaches & Security Incidents
Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company.
Earlier today, the Medusa ransomware gang listed TFS on its data leak site on the dark web, demanding a payment of $8,000,000 to delete data allegedly stolen from the Japanese company.
The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.
Plume, a smart WiFi services provider, was posted on a popular data leak forum, with attackers claiming that they’ve downloaded gigabytes of user data.
The attackers allege that they’ve stolen over 20GB of Plume’s WiFi database, containing over 15 million lines of information.
The dataset supposedly spans several groups of people, including mobile app users, customers, and the company’s staff members.
LONDON, Nov 13 (Reuters) - China’s biggest lender, the Industrial and Commercial Bank of China, has paid a ransom to cybercriminals who hacked ICBC last week, a representative of the Lockbit ransomware gang said on Monday in a statement Reuters was unable to independently verify.
The ICBC's U.S. arm was hit by a ransomware attack that disrupted trades in the U.S. Treasury market on Thursday.
“They paid a ransom, deal closed,” the Lockbit representative told Reuters via Tox, an online messaging app.
ICBC did not immediately respond to a request for comment.
Dragos says it has found no evidence of a data breach after a known ransomware group claimed to have hacked the industrial cybersecurity company’s systems through a third party.
“Dragos is asked to reach out within 24 hours, or we will begin the publication of both the facts and the data of executive members. This is the result of a third-party breach,” the cybercrime group known as BlackCat and Alphv wrote on its leak website in a post dated November 11.
After suspicious outflows of $114 million, cryptocurrency exchange Poloniex has confirmed that it has been hacked. Poloniex investor Justin Sun offered a 5% white-hat bounty for the return of the funds. However, the adversary appears to be the notorious Lazarus Group from North Korea.
The attack happened on November 10th, first observed by blockchain security firms PeckShield and Cyvers, which noticed multiple suspicious transactions from Poloniex’s hot wallet.
Hackers breached Booking.com, one of the world’s largest online accommodation reservation sites, by posing as hotel staff to steal credit card information from travelers making bookings.
Phishing scams like this have plagued Japan since May.
The headquarters of Booking.com in the Netherlands conceded the damage is occurring on a global scale.
After learning that the stolen card information could have been used to illegally make purchases, the company said, “it is working to recover the money for the affected customers.”
➤ Cybercrime, Cyber Espionage, APT’s
Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities.
The LitterDrifter worm packs in two main features: automatically spreading the malware via connected USB drives as well as communicating with the threat actor's command-and-control (C&C) servers. It's also suspected to be an evolution of a PowerShell-based USB worm that was previously disclosed by Symantec in June 2023.
The U.S. Federal Communications Commission (FCC) is adopting new rules that aim to protect consumers from cell phone account scams that make it possible for malicious actors to orchestrate SIM-swapping attacks and port-out fraud.
"The rules will help protect consumers from scammers who target data and personal information by covertly swapping SIM cards to a new device or porting phone numbers to a new carrier without ever gaining physical control of a consumer's phone," FCC said this week.
Authorities said Aviram Azari, 52, was arrested on computer hacking, wire fraud and identity theft charges when he traveled to the United States in September 2019.
According to the Justice Department, Azari owned and operated an Israel-based ‘intelligence firm’ named Aviram Hawk or Aviram Netz.
Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.
Tensions between China and the Philippines have risen sharply over the past several months. In early August, a Chinese Coast Guard vessel fired its water cannon at a Philippine vessel that was performing a resupply mission to the disputed Second Thomas Shoal in the Spratly Islands. Since then, the Philippines has announced joint patrols with the United States, and naval exercises with Australia.
Coinciding with these real-world events, Unit 42 researchers observed three Stately Taurus campaigns during the month of August. These campaigns are assessed to have targeted entities in the South Pacific including the Philippines government. The campaigns leveraged legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files. The threat actors also creatively configured the malware to impersonate legitimate Microsoft traffic for command and control (C2) connections.
The US Justice Department announced on Wednesday that a man who admitted being an administrator of a now-defunct cybercrime forum named Darkode has been sentenced to prison.
Thomas Kennedy McCormick, aka ‘Fubar’, a 30-year-old from Cambridge, Massachusetts, has been sentenced to 18 years in prison for his role in running Darkode. The sentence also includes three years of supervised release.
Lockbit ransomware affiliates are using publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.
Although Citrix made fixes available for CVE-2023-4966 more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many in the U.S.
The U.S. government says Royal, one of the most active ransomware gangs in recent years, is preparing to rebrand or spin off with a new name, Blacksuit.
In an update this week to a previously published joint advisory about the Royal ransomware gang, the FBI and U.S. cybersecurity agency CISA said that the Blacksuit ransomware variant “shares a number of identified coding characteristics similar to Royal,” confirming earlier findings by security researchers linking the two ransomware operations.
The U.S. Department of Justice announced today that Federal Bureau of Investigation took down the network and infrastructure of a botnet proxy service called IPStorm.
IPStorm enabled cybercriminals to run malicious traffic anonymously through Windows, Linux, Mac, and Android devices all over the world.
In connection with the case, Sergei Makinin, a Russian-Moldovan national, pleaded guilty to three counts related to computer fraud and now faces a maximum penalty of 10 years in prison.
Ransomware groups are often staffed almost entirely by teenagers and haven’t been taken seriously for far too long as a threat. They are a threat to civil society as long as organizations keep paying.
The cybersecurity reality we live in now is teenagers are running around in organized crime gangs with digital bazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4 weeks for 38 people to approve a change request for patching 1 thing.
Malicious actors have been abusing Ethereum's 'Create2' function to bypass wallet security alerts and poison cryptocurrency addresses, which led to stealing $60,000,000 worth of cryptocurrency from 99,000 people in six months.
Create2 is an EVM opcode introduced in the 'Constantinople' upgrade. Unlike the original Create, which derives a new contract's address from the deployer and its nonce, Create2 derives it from the deployer, a caller-chosen salt and the hash of the contract's initialization code, so the address is known before anything is deployed.
Create2 introduced significant benefits, but it also brought new security implications and attack vectors: an attacker can precompute an address that has no code and no transaction history at the moment a wallet checks it, and can grind salts until that address visually resembles one the victim already trusts.
👾 The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story
Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.
Hackers potentially linked to Russia's GRU military intelligence agency carried out a series of highly coordinated cyberattacks targeting Danish critical infrastructure in the nation's largest cyber incident on record, according to a new report.
“The ongoing conflict in the Middle East does not appear to have hindered their ongoing operations, as they continue to iterate and use new and clever delivery methods to bypass detection efforts,” Joshua Miller, a senior threat researcher at Proofpoint, said in a statement.
Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.
"This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week.
"The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region."
Malaysian law enforcement authorities have announced the takedown of a phishing-as-a-service (PhaaS) operation called BulletProofLink.
The Royal Malaysia Police said the effort, which was carried out with assistance from the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI) on November 6, 2023, was based on information that the threat actors behind the platform were based out of the country.
To that end, eight individuals aged between 29 and 56, including the syndicate's mastermind, have been arrested across different locations in Sabah, Selangor, Perak, and Kuala Lumpur, New Straits Times reported.
An attacker exploited the Raft DeFi project after finding a vulnerability that allowed them to mint 6.7 million of Raft's R stablecoin without any backing.
The attacker then went to convert the R into ETH, which they would then be able to launder and cash out. However, an error in the attacker's code caused 1,570 ETH ($3.25 million) to be sent to the burn address, rendering it permanently inaccessible to everyone including the hacker. Only 7 ETH remained. However, because they had to spend ETH to fund the attack, the hack ultimately resulted in a loss of 4 ETH (~$8,000) for the perpetrator. Oops.
➤ Government, Politics, and Privacy
Britain’s cybersecurity agency said Tuesday that artificial intelligence poses a threat to the country’s next national election, and cyberattacks by hostile countries and their proxies are proliferating and getting harder to track.
On 14th November, Members of the European Parliament’s ‘Civil Liberties’ committee voted against attempts from EU Home Affairs officials to roll out mass scanning of private and encrypted messages across Europe. It was a clear-cut vote, with a significant majority of MEPs supporting the proposed position.
Former National Security Agency Executive Director Harry Coker is one step closer to being the next national cyber director after the Senate Homeland and Governmental Affairs Committee advanced his nomination Wednesday.
Coker, also a former CIA officer, told the panel during the initial nomination hearing that he would plan on continuing the work of his potential predecessors.
➤ ICS & OT
Siemens has released 14 new advisories to inform customers about more than 80 vulnerabilities, many of which impact third-party components.
Schneider Electric has released three new advisories to inform customers about the availability of patches for five vulnerabilities.
➤ Malware & Threats
An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain.
The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan.
The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts.
"An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language," Kaspersky said in a report published last week.
Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel.
Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.
"The Windows variant [...] confirms that the threat actors who created the wiper are continuing to build out the malware, and indicates an expansion of the attack to target end user machines and application servers," the Canadian company said Friday.
➤ Tech & Tools
Google this week launched a new version of its Titan security key, which adds support for passkeys.
The Titan security key is a phishing-resistant two-factor authentication device that works with an increasing number of applications.
Google has now launched new USB-A and USB-C models that will both provide NFC capabilities. They will replace current models.
➤ Vulnerabilities, Research, and Threat Intelligence
A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens.
"Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG) said in a report shared with The Hacker News.
The flaw, tracked as CVE-2023-37580 (CVSS score: 6.1), is a reflected cross-site scripting (XSS) vulnerability impacting versions before 8.8.15 Patch 41. It was addressed by Zimbra as part of patches released on July 25, 2023.
VMware is warning of a critical and unpatched security flaw in Cloud Director that could be exploited by a malicious actor to get around authentication protections.
Tracked as CVE-2023-34060 (CVSS score: 9.8), the vulnerability impacts instances that have been upgraded to version 10.5 from an older version.
"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console)," the company said in an alert.
Enterprise software maker SAP this week announced the release of three new and three updated security notes as part of its November 2023 Security Patch Day.
Rated ‘hot news’, SAP’s highest severity rating, the most important of the newly released security notes addresses a vulnerability in the enterprise resource planning application Business One.
Tracked as CVE-2023-31403 (CVSS score of 9.6), the bug is described as an improper access control in the Business One product installation.
Intel has fixed a high-severity CPU vulnerability in its modern desktop, server, mobile, and embedded CPUs, including the latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures.
Attackers can exploit the flaw—tracked as CVE-2023-23583 and described as a 'Redundant Prefix Issue'—to escalate privileges, gain access to sensitive information, or trigger a denial of service state (something that could prove very costly for cloud providers).
A new software-based fault injection attack, CacheWarp, can let threat actors hack into AMD SEV-protected virtual machines by targeting memory writes to escalate privileges and gain remote code execution.
This new attack exploits flaws in AMD's Secure Encrypted Virtualization-Encrypted State (SEV-ES) and Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) tech designed to protect against malicious hypervisors and reduce the attack surface of VMs by encrypting VM data and blocking attempts to alter it in any way.
Returning champion Martin Albrecht helps explain how we measure the security of lattice-based cryptosystems like Kyber and Dilithium against attackers. QRAM, BKZ, and LLL.
For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.
The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.
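The failure mode described above, as an added example that is not the researchers' code or any SSH implementation's: a toy RSA-CRT signer with an injected bit flip in one half of the computation, and the gcd check that turns the faulty signature into the factorization of the modulus. The 512-bit key size (chosen for speed), the PKCS#1 v1.5 padding and the signed message are this example's own assumptions. It also assumes the attacker knows the full signed value, as is the case for PKCS#1 v1.5 over a known message; in SSH the signed value includes a hash over the key exchange that a passive observer does not fully know, so the published attack had to do more than this gcd, and that part is outside what the example shows.

```python
"""Private-key recovery from a single faulty RSA-CRT signature.

Added example, not the researchers' code or any SSH implementation's. It
shows the arithmetic behind the reported key compromises: when one half
of a CRT signature is computed wrongly, the signature still matches the
message modulo one prime and not the other, and gcd(s^e - m, n) exposes
that prime. Key size, padding and the simulated fault are assumptions.
"""
import hashlib
import random
from math import gcd

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo key, not for a production generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(bits: int = 512, e: int = 65537):
    """Toy RSA key. Returns (n, e, d, p, q)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi), p, q


def pkcs1_v15_encode(message: bytes, n: int) -> int:
    """EMSA-PKCS1-v1_5 with SHA-256: the integer RSA actually signs. Anyone who
    knows the message and the key size can recompute it, which the gcd needs."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def sign_crt(m: int, p: int, q: int, d: int, fault: bool = False) -> int:
    """RSA-CRT signing as implementations do it for speed. `fault` flips one bit of
    the mod-q half, standing in for a naturally occurring computation error."""
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    if fault:
        sq ^= 1 << random.randrange(q.bit_length() - 1)
    h = (pow(q, -1, p) * (sp - sq)) % p
    return (sq + q * h) % (p * q)   # still congruent to sp mod p, to (faulty) sq mod q


def verify(n: int, e: int, m: int, sig: int) -> bool:
    return pow(sig, e, n) == m


def recover_factor(n: int, e: int, m: int, sig: int) -> int:
    """Lenstra's observation: s^e == m (mod p) but s^e != m (mod q) for a faulty
    signature, so the gcd returns p. For a correct signature it returns n itself."""
    return gcd((pow(sig, e, n) - m) % n, n)


def private_key_from_factor(n: int, e: int, factor: int) -> int:
    p, q = factor, n // factor
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d, p, q = generate_key()
    m = pkcs1_v15_encode(b"constructed SSH-like signed data", n)   # constructed message
    good, bad = sign_crt(m, p, q, d), sign_crt(m, p, q, d, fault=True)
    print("correct signature verifies:", verify(n, e, m, good),
          "| gcd gives n:", recover_factor(n, e, m, good) == n)
    f = recover_factor(n, e, m, bad)
    print("faulty signature verifies:", verify(n, e, m, bad),
          "| gcd gives a prime factor:", f in (p, q),
          "| recovered d matches:", private_key_from_factor(n, e, f) == d)
```

One faulty signature is enough; the attacker never needs to interact with the host, only to observe a signature that fails to verify and run the gcd. The standard countermeasure is for the signer to verify each signature against its own public key before emitting it, which turns a fault into an error instead of a key leak; a verifier-side check that logs signatures failing verification would also have surfaced these faults long before anyone exploited them.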
Aon’s Stroz Friedberg Incident Response Services (“Stroz Friedberg”) observed the use of novel malware, dubbed “Effluence,” in combination with the exploit of a recent Atlassian Confluence vulnerability. Once implanted, the malware acts as a persistent backdoor and is not remediated by applying patches to Confluence. The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence.