Thursday, May 4th, 2023
Cybersecurity Week in Review (05/05/2023)
Brightline data breach impacts 783K pediatric mental health patients
Pediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform. Brightline is a mental and behavioral health provider offering virtual counseling for children, teenagers, and their families.
In a new ‘data security notice’ displayed on the company’s website, Brightline confirmed that data was stolen from its GoAnywhere MFT service that contained protected health information. These attacks were conducted by the Clop ransomware gang, who utilised a zero-day vulnerability tracked as CVE-2023-0669 to allegedly steal data from 130 companies.
The threat actors are thought to have began leveraging this vulnerability since January 18th, 2023. Brightline was listed on Clop’s extortion portal on March 16th, 2023, indicating that the health startup was among the firms the ransomware actors breached in their large-scale attack.
The company’s internal investigation revealed that the data stolen by the Clop ransomware gang included the following personal information:
- Full names
- Physical addresses
- Dates of birth
- Member identification numbers
- Date of health plan coverage
- Employer names
Brightline’s extensive partnerships with healthcare institutes and companies in the U.S. has resulted in a security incident impacting many entities. This includes well-known organisations like Diageo, Nintendo of America Inc., Harvard University, Stanford University, and Boston Children’s Hospital.
Data published today on the breach portal of the U.S. Department of Health and Human Services indicates that the incident has impacted a total of 783,606 people. However, this figure may increase as internal investigations progress. Brightline only submitted eight individual entries on the government portal, presumably corresponding to eight affected entities, but its website lists a more significant number of impacted organisations.
Update 5/3/23: Since this incident occurred, the Cl0p ransomware operation stated that they have deleted Brightline’s data from their data leak site.
“We delete the data and we did not know what this company is doing, because not all companies are analysing. And we ask for forgiveness for this incident,” Clop said.
Source – https://www.bleepingcomputer.com/news/security/brightline-data-breach-impacts-783k-pediatric-mental-health-patients/
Hackers start using double DLL sideloading to evade detection
An APT hacking group known as “Dragon Breath,” “Golden Eye Dog,” or “APT-Q-27” is demonstrating a new trend of using several complex variations of the classic DLL sideloading technique to evade detection.
These attack variations begin with an initial vector that leverages a clean application, most often Telegram, that sideloads a second-stage payload, sometimes also clean, which in turn, sideloads a malicious malware loader DLL.
The lure for victims is trojanised Telegram, LetsVPN, or WhatsApp apps for Android, iOS, or Windows that have been supposedly localised for people in China. The trojanised apps are believed to be promoted using BlackSEO or malvertising. According to analysts who followed the threat actor’s recent attacks, the targeting scope of this campaign is focused on Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.
DLL sideloading is a technique exploited by attackers since 2010, taking advantage of the insecure way Windows loads DLL (Dynamic Link Library) files required by an application.
The attacker places a malicious DLL with the same name as the legitimate, required DLL in an application’s directory. When the user launches the executable, Windows prioritises the local malicious DLL over the one in the system folders. The attacker’s DLL contains malicious code that loads at this stage, giving the attacker privileges or running commands on the host by exploiting the trusted, signed application that is loading it.
In this campaign, the victims execute the installer of the mentioned apps, which drops components on the system and creates a desktop shortcut and a system startup entry. If the victim attempts to launch the newly created desktop shortcut, which is the expected first step, instead of launching the app, the following command is executed on the system.
Next, the installer loads a second-stage application using a clean dependency (‘libexpat.dll’) to load a second clean application as an intermediate attack stage.
In one variation of the attack, the clean application “XLGame.exe” is renamed to “Application.exe,” and the second-stage loader is also a clean executable, signed by Beijing Baidu Netcom Science and Technology Co., Ltd. In another variation, the second-stage clean loader is “KingdomTwoCrowns.exe,” which is not digitally signed, and it couldn’t be determined what advantage it offers besides obfuscating the execution chain. In a third variation of the attack, the second-stage loader is the clean executable “d3dim9.exe,” digitally signed by HP Inc.
This “double DLL sideloading” technique achieves evasion, obfuscation, and persistence, making it harder for defenders to adjust to specific attack patterns and effectively shield their networks. In all observed attack variations, the final payload DLL is decrypted from a txt file (‘templateX.txt’) and executed on the system.
This payload is a backdoor that supports several commands, such as system reboot, registry key modification, fetching files, stealing clipboard content, executing commands on a hidden CMD window, and more. The backdoor also targets the MetaMask cryptocurrency wallet Chrome extension, aiming to steal digital assets from victims.
In summary, DLL sideloading remains an effective attack method for hackers and one that Microsoft and developers have failed to address for over a decade.
Source – https://www.bleepingcomputer.com/news/security/hackers-start-using-double-dll-sideloading-to-evade-detection/
Russian hackers use WinRAR to wipe Ukraine state agency’s data
The Russian ‘Sandworm’ hacking group has been linked to an attack on Ukrainian state networks where WinRar was used to destroy data on government devices.
In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren’t protected with multi-factor authentication to access critical systems in Ukrainian state networks.
Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRar archiving program.
On Windows, the BAT script used by Sandworm is ‘RoarBat,’ which searches disks and specific directories for filetypes such as doc, docx, rtf, txt, xls, xlsx, ppt, pptx, vsd, vsdx, pdf, png, jpeg, jpg, zip, rar, 7z, mp4, sql, php, vbk, vib, vrb, p7s, sys, dll, exe, bin, and dat, and archives them using the WinRAR program.
However, when WinRar is executed, the threat actors use the “-df” command-line option, which automatically deletes files as they are archived. The archives themselves were then deleted, effectively deleting the data on the device.
CERT-UA says RoarBAT is run through a scheduled task created and centrally distributed to devices on the Windows domain using group policies.
On Linux systems, the threat actors used a Bash script instead, which employed the “dd” utility to overwrite target file types with zero bytes, erasing their contents. Due to this data replacement, recovery for files “emptied” using the dd tool is unlikely, if not entirely impossible.
As both the ‘dd’ command and WinRar are legitimate programs, the threat actors likely used them to bypass detection by security software.
CERT-UA says the incident is similar to another destructive attack that hit the Ukrainian state news agency “Ukrinform” in January 2023, also attributed to Sandworm.
CERT-UA recommends that all critical organisations in the country reduce their attack surface, patch flaws, disable unneeded services, limit access to management interfaces, and monitor their network traffic and logs. As always, VPN accounts that allow access to corporate networks should be protected with multi-factor authentication.
Source – https://www.bleepingcomputer.com/news/security/russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data/
Chinese APT Uses New ‘Stack Rumbling’ Technique to Disable Security Software
A subgroup of the Chinese state-sponsored threat actor known as APT41 has been observed using a new denial-of-service (DoS) technique to disable security software. Tracked as Earth Longzhi, the APT41 subgroup is known for the targeting of organisations in the Philippines, Taiwan, and Thailand.
As part of the newly observed campaign, the threat actor was seen performing DLL sideloading via Windows Defender binaries and employing two methods of disabling security products: a bring-your-own-vulnerable-driver (BYOVD) attack, and a technique called ‘stack rumbling’ that involves Image File Execution Options (IFEO).
The attacks typically start with the exploitation of vulnerable public-facing applications and Internet Information Services (IIS) and Microsoft Exchange servers to deploy the Behinder web shell, which provides backdoor capabilities, remote code execution, and a Socks5 proxy.
Earth Longzhi was also observed abusing legitimate Windows Defender executables to sideload DLLs and execute malware such as Croxloader (a customised Cobalt Strike loader) and SPHijacker (a tool for disabling security products).
SPHijacker leverages a vulnerable Zemana driver to terminate security applications, then leverages stack rumbling to prevent the software from running by causing it to crash upon launch. For that, it modifies the IFEO registry key with a new value large enough to crash the target application due to a stack overflow. The method, which causes a permanent DoS condition, targets roughly 30 antivirus-related processes.
While the campaign was investigated, additional malicious tools linked to Earth Longzhi were identified, such as the Roxwrapper loader and a new tool for privilege escalation. Various decoy documents in Vietnamese and Indonesian were discovered, which were likely meant to be distributed via phishing emails to victims in Vietnam and Indonesia.
The observed attacks focused on government, healthcare, manufacturing, and technology organisations in Fiji, the Philippines, Taiwan, and Thailand.
Source – https://www.securityweek.com/chinese-apt-uses-new-stack-rumbling-technique-to-disable-security-software/
ChatGPT Confirms Data Breach, Raising Security Concerns
OpenAI’s ChatGPT, the fastest-growing consumer app in history, suffered a minor data breach that exposed the personal information of some users. The data leak occurred because of a vulnerability in the Redis open-source library that was used to cache user information for faster recall and access. OpenAI patched the bug within days of discovering it.
The vulnerability allowed users to view other active users’ chat history and payment information, including their email address, payment address, the last four digits of a credit card number, and the credit card’s expiration date.
The impacted paying subscribers made up less than 1% of ChatGPT’s users, and OpenAI addressed the issue promptly with minimal damage. However, the incident highlights the risks that chatbots and their users face, including privacy and security concerns.
Because of privacy concerns, some businesses and entire countries are clamping down. JPMorgan Chase, for example, has restricted employees’ use of ChatGPT due to the company’s controls around third-party software and applications, but there are also concerns surrounding the security of financial information if entered into the chatbot. And Italy cited the data privacy of its citizens for its decision to temporarily block the application across the country. The concern, officials stated, is due to compliance with GDPR.
Experts warn that threat actors could use AI to create sophisticated and realistic phishing emails, and disinformation and conspiracy campaigns, which could go beyond cyber risks. OpenAI has offered a bug bounty of up to $20,000 to anyone who discovers unreported vulnerabilities, but it does not cover model safety or hallucination issues.
Source – https://securityintelligence.com/articles/chatgpt-confirms-data-breach/
IT Services Firm Bitmarck Takes Systems Offline Following Cyberattack
German IT services provider Bitmarck on Monday announced that it has shut down customer and internal systems following a cyberattack. Headquartered in Essen, Bitmarck is one of the largest IT companies in Germany, providing technical infrastructure and services to over 80 organisations in the public health insurance sector.
On May 1, the company announced that its early warning systems were triggered by an attack on its internal network, to which it responded by promptly taking data centers and other systems offline.
According to Bitmarck, no customer or insured individuals’ data appears to have been stolen in the incident. Patient data, which is subject to special protection under German regulation, “was and is never endangered by the attack”, the company says.
The IT giant says it has already started restoration operations, but that some systems will take longer to restore, as the operation is performed in line with a ‘security and priority-oriented process’.
According to the company, systems for “the digital processing of electronic certificates of incapacity for work (eAU) and access to the electronic patient file (ePA)” have been restored or will be restored shortly.
The company is also considering setting up a temporary emergency operating environment to provide health insurance companies with the necessary services, such as payment transactions.
Although services are gradually coming back online, Bitmarck expects the disruptions to continue for the foreseeable future, given that entire data centers were shut down in some cases, leading to services having to be restarted due to potential failures.
Bitmarck says it cannot share details on the attackers, due to the ongoing investigation. It’s unclear whether the massive disruption was caused by ransomware or another type of attack, or if the firm pulled the plug before a payload was executed.
Source – https://www.securityweek.com/it-services-firm-bitmarck-takes-systems-offline-following-cyberattack/
Medusa ransomware gang leaks students’ psychological reports and abuse allegations
Students and teachers at the Minneapolis Public School (MPS) District, which suffered a huge ransomware attack at the end of February, have had highly sensitive information about themselves published on the web, including allegations of abuse by teachers and psychological reports.
MPS initially said that it had refused to pay a US $1 million ransom to its extortionists, and that it had successfully restored its encrypted systems via backups.
However, the Medusa hacking group who attempted to blackmail MPS had not just encrypted the school district’s data but had also exfiltrated their own copy of it which was ultimately published on the internet, and promoted through links on a Telegram channel.
In all, approximately 100 GB of what claimed to be data from the MPS District was published on the public internet, alongside a video summary showing some of the contents.
Contained in the published data were:
- names and birthdates of children with special needs,
- details of their home lives and any disorders,
- results of intelligence tests,
- and details of what medication they might be taking.
The leaked files also include hundreds of forms documenting times when faculty learned that a student had been potentially mistreated. Most of those are allegations that a student had suffered neglect or was physically harmed by a teacher or student. Some are extraordinarily sensitive and allege incidents like a student being sexually abused by a teacher or by another student. Each report names the victim and cites birthday and address.
The situation is made worse by the fact that data stolen by the Medusa hacking group has not taken the conventional course of being published on a dark web leak site, but instead on a conventional website that does not need a specialist tool like Tor to access it.
Posts bragging about the hacks, and then pointing to the leak website, have been published on social media – increasing the potential for the highly damaging information to be seen by an even larger audience.
MPS says that it is attempting to the have the leaked data removed from these public webpages, but for now – at least – they’re still available.
It’s quite clear that the Medusa group is revelling in the chaos it is causing, and feels no guilt about the impact it has on vulnerable, innocent young people. While some ransomware gangs have sometimes apologised and even occasionally offered free decryption tools after hacking schools, it’s clear that there are many other criminal groups who have no qualms about the harm their attacks can cause.
Source – https://www.bitdefender.com/blog/hotforsecurity/medusa-ransomware-gang-leaks-students-psychological-reports-and-abuse-allegations/
Vietnamese Threat Actor Infects 500,000 Devices Using Malvertising Tactics
A Vietnamese threat actor has been attributed as behind a “malverposting” campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer.
Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to “amplify” their posts.
Such attacks commence with the adversary creating new business profiles and hijacking already popular accounts to serve ads that claim to offer free adult-rated photo album downloads. Within these ZIP archive files are purported images that are actually executable files, which, when clicked, activate the infection chain and ultimately deploy the stealer malware to siphon session cookies, account data, and other information.
The attack chain is highly effective as it creates a “vicious circle” wherein the information plundered using the stealer is used to create an ever-expanding army of hijacked Facebook bot accounts that are then used to push more sponsored posts, effectively scaling the scheme further. To slip under the radar of Facebook, the threat actor has been found to pass off the newly generated business profile pages as photographer accounts. A majority of the infections have been reported in Australia, Canada, India, the U.K., and the U.S.
The method through which the PHP-based stealer is deployed is said to be constantly evolving to incorporate more detection evasion features, suggesting that the threat actor behind the campaign is actively refining and retooling their tactics in response to public disclosures.
The findings come as details of an ongoing phishing operation that’s aimed at Facebook users by tricking them to enter their credentials on fake copycat sites designed to steal their account credentials and take over their profiles were revealed.
Source – https://thehackernews.com/2023/05/vietnamese-threat-actor-infects-500000.html
New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks
An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed Decoy Dog targeting enterprise networks.
Decoy Dog, as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion.
Decoy Dog is a cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level. The malware which was identified in early April 2023 following anomalous DNS beaconing activity, has atypical characteristics that allow it to map additional domains that are part of the attack infrastructure.
That said, the usage of Decoy Dog in the wild is “very rare,” with the DNS signature matching less than 0.0000027% of the 370 million active domains on the internet.
One of the chief components of the toolkit is Pupy RAT, an open source trojan that’s delivered by means of a method called DNS tunneling, in which DNS queries and responses are used as a C2 for stealthily dropping payloads. It’s worth noting that the use of the cross-platform Pupy RAT has been linked to nation-state actors from China such as Earth Berberoka (aka GamblingPuppet) in the past, although there’s no evidence to suggest the actor’s involvement in this campaign.
Further investigation into Decoy Dog suggests that the operation had been set up at least a year prior to its discovery, with three distinct infrastructure configurations detected to date.
Another crucial aspect is the unusual DNS beaconing behavior associated with Decoy Dog domains, such that they adhere to a pattern of periodic, but infrequent, DNS requests so as to fly under the radar.
Source – https://thehackernews.com/2023/05/new-decoy-dog-malware-toolkit-uncovered.html
T-Mobile discloses second data breach since the start of 2023
T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.
Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers. Still, the amount of exposed information is highly extensive and exposes affected individuals to identity theft and phishing attacks.
T-Mobile said the threat actors didn’t gain access to call records or affected individuals’ personal financial account info, but the exposed personally identifiable information contains more than enough data for identity theft.
While the exposed information varied for each of the affected customers, it could include full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines.
After detecting the security breach, T-Mobile proactively reset account PINs for impacted customers and now offers them two years of free credit monitoring and identity theft detection services through Transunion myTrueIdentity.
This is the second such incident T-Mobile has revealed since the start of the year, with the previous data breach disclosed on January 19, after attackers stole the personal information of 37 million customers by abusing a vulnerable Application Programming Interface (API) in November 2022.
The mobile carrier spotted the threat actors’ malicious activity on January 5 and cut off their access to its systems within 24 hours.
Other incidents reported by T-Mobile during the last few years include:
- In 2019, T-Mobile exposed the account information of an undisclosed number of prepaid customers.
- In March 2020, T-Mobile employees were affected by a data breach exposing their personal and financial information.
- In December 2020, threat actors accessed customer proprietary network information (phone numbers, call records).
- In February 2021, an internal T-Mobile application was accessed by unknown attackers without authorisation.
- In August 2021, hackers brute-forced their way through the carrier’s network following a breach of a T-Mobile testing environment.
- In April 2022, the Lapsus$ extortion gang breached T-Mobile’s network using stolen credentials.