Thursday, February 9th, 2023
Cybersecurity Week in Review (10/2/23)
MTU Cork confirms it suffered ransomware cyber attack as campus remains closed
Munster Technological University Cork was targeted in a cyber attack, the educational institution has said. The TU Cork campus has been closed this week following a significant IT breach and phone outages.
In a statement late on Wednesday night, MTU Cork confirmed the breach was a cyber attack. The extent of the attack, including which data may have been breached, remains under investigation.
“Following extensive and ongoing initial investigations MTU can confirm that its Cork campuses have been targeted in a cyber attack. The Kerry campuses of MTU remain unaffected,” the statement said.
The incident was detected by MTU’s IT security systems last weekend with immediate steps being taken to intercept and manage the incident. It resulted in the encryption of certain MTU systems for the purpose of demanding a ransom. MTU has been in close and ongoing contact with the National Cyber Security Centre, the Data Protection Commission, An Garda Síochána and other relevant stakeholders including Government departments since the incident.
While the extent of the incident remains under investigation, the third-level facility said students and staff do not need to take any action at this time and MTU will notify any affected individuals.
The vice-president for finance and administration at Munster Technological University, Paul Gallagher, confirmed the development on RTÉ’s Morning Ireland and said the college would work methodically to resolve the issue.
“The worst thing we can do is rush this, that could make matters worse,” he said. When asked the amount of the ransom demanded, Mr Gallagher declined to comment, but he did acknowledge that a demand had been found encoded in one of the servers. “We have not engaged, we are taking advice from the National Cyber Security Centre.”
The college is in a position to restore the system themselves. The difficulty is actually getting into the system because the first thing that is attacked is your security and your network management system, and it is encrypted in those systems. So it took time to get those back and to understand the full extent of the attack.
Source – https://www.irishtimes.com/ireland/education/2023/02/09/mtu-cork-confirms-it-suffered-ransomware-cyber-attack-as-campus-remains-closed/
PayPal and Twitter abused in Turkey relief donation scams
Scammers are now exploiting the ongoing humanitarian crisis in Turkey and Syria: this time stealing donations by abusing legitimate platforms like PayPal and Twitter.
This week, high-magnitude earthquakes claimed more than 15,000 lives, caused extensive infrastructural damage and disrupted network connectivity across the Middle East and Mediterranean region. As governments, businesses and charities step up to raise funds and aid victims of this natural disaster, threat actors are wasting no time in targeting unsuspecting donors.
Multiple scams running on Twitter have been identified abusing legitimate platforms like PayPal’s fundraising pages to create convincing scam websites and collect proceeds from donors hoping to aid earthquake victims.
One of the scams, for example, touts itself as a “Turkey Earthquake Relief” fundraiser on Twitter. To lend itself some credibility, the account persistently retweets updates from established news outlets and government officials. What makes a scam like this especially convincing is that, instead of using a separate scam or phishing domain, the threat actors collect money through a trusted payments platform like PayPal. Telling scams apart from genuine fundraisers is further complicated by the fact that anyone can set up a fundraiser online and claim good intentions that a donor has no way to verify.
Threat actors have also spun up fake charities, as they did in the ‘Help Ukraine’ scams that arose last year. Adversaries are sending phishing emails that claim to come from charities of dubious origin, urging recipients to support earthquake victims by making crypto donations to wallet addresses that are, predictably, not associated with any known government or trustworthy entity. Among the various guidelines issued for donors, a particularly handy one is to search the government’s charity register to ensure your money is reaching a legitimate cause. That advice is aimed at UK donors; your regional government or tax authority (such as the IRS in the US) may maintain similar directories and non-profit registers.
Source – https://www.bleepingcomputer.com/news/security/paypal-and-twitter-abused-in-turkey-relief-donation-scams/
NIST Standardises Ascon Cryptographic Algorithm for IoT and Other Lightweight Devices
The U.S. National Institute of Standards and Technology (NIST) has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardised for lightweight cryptography applications.
The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators. They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles.
The idea is to adopt security protections via lightweight cryptography in devices that have a limited amount of electronic resources. NIST still recommends the Advanced Encryption Standard (AES) and SHA-256 for general use. Ascon is credited to a team of cryptographers from the Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University.
The suite comprises the authenticated ciphers ASCON-128 and ASCON-128a, plus a variant called ASCON-80pq whose longer 160-bit key gives added resistance against quantum key search. It also offers a set of hash functions: ASCON-HASH, ASCON-HASHA, ASCON-XOF, and ASCON-XOFA.
It’s primarily aimed at constrained devices, and is said to be “easy to implement, even with added countermeasures against side-channel attacks.” This means that even if an adversary manages to glean sensitive information about the internal state during data processing, it cannot be leveraged to recover the secret key. Ascon is also engineered to provide authenticated encryption with associated data (AEAD): the sender can bind the ciphertext to additional data that is authenticated but not encrypted, such as a device’s IP address or a packet header, and the receiver verifies both the ciphertext and that context before accepting the message, which establishes its integrity and authenticity.
Implementations of the algorithm are available in different programming languages, such as C, Java, Python, and Rust, in addition to hardware implementations that offer side-channel protections and energy efficiency.
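The AEAD property described above can be made concrete with the following Ascon-128 implementation, written for this digest from the published Ascon v1.2 specification (it is not NIST’s or the Ascon team’s reference code). The demo binds a sensor report to the sending device’s address as associated data: the address travels in the clear and is not encrypted, yet changing it invalidates the tag even though the ciphertext bytes are untouched. Key, nonce, address and report are constructed demo values.

```python
import hmac

MASK64 = (1 << 64) - 1
IV_ASCON128 = 0x80400C0600000000  # spec IV: k=128, r=64, a=12, b=6 rounds
RATE = 8                          # 64-bit rate in bytes
TAG_LEN = 16


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (64 - n))) & MASK64


def _permute(s: list, rounds: int) -> None:
    """Ascon permutation p^rounds on the five 64-bit words of s, in place."""
    for r in range(12 - rounds, 12):
        s[2] ^= 0xF0 - r * 0x10 + r                      # round constant
        s[0] ^= s[4]; s[4] ^= s[3]; s[2] ^= s[1]          # bitsliced 5-bit S-box
        t = [(~s[i] & MASK64) & s[(i + 1) % 5] for i in range(5)]
        for i in range(5):
            s[i] ^= t[(i + 1) % 5]
        s[1] ^= s[0]; s[0] ^= s[4]; s[3] ^= s[2]; s[2] ^= MASK64
        s[0] ^= _rotr(s[0], 19) ^ _rotr(s[0], 28)         # linear diffusion
        s[1] ^= _rotr(s[1], 61) ^ _rotr(s[1], 39)
        s[2] ^= _rotr(s[2], 1) ^ _rotr(s[2], 6)
        s[3] ^= _rotr(s[3], 10) ^ _rotr(s[3], 17)
        s[4] ^= _rotr(s[4], 7) ^ _rotr(s[4], 41)


def _u64(b: bytes) -> int:
    return int.from_bytes(b, "big")


def _pad(data: bytes) -> bytes:
    """10* padding up to a multiple of the rate (always appends at least 0x80)."""
    return data + b"\x80" + b"\x00" * (RATE - len(data) % RATE - 1)


def _init(key: bytes, nonce: bytes) -> list:
    s = [IV_ASCON128, _u64(key[:8]), _u64(key[8:]), _u64(nonce[:8]), _u64(nonce[8:])]
    _permute(s, 12)
    s[3] ^= _u64(key[:8]); s[4] ^= _u64(key[8:])
    return s


def _absorb_ad(s: list, ad: bytes) -> None:
    """Associated data only touches the state; it is never output, so it stays
    in the clear yet still feeds the tag."""
    if ad:
        p = _pad(ad)
        for i in range(0, len(p), RATE):
            s[0] ^= _u64(p[i:i + RATE])
            _permute(s, 6)
    s[4] ^= 1  # domain separation between the AD and plaintext phases


def _finalize(s: list, key: bytes) -> bytes:
    s[1] ^= _u64(key[:8]); s[2] ^= _u64(key[8:])
    _permute(s, 12)
    return (s[3] ^ _u64(key[:8])).to_bytes(8, "big") + (s[4] ^ _u64(key[8:])).to_bytes(8, "big")


def encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """Ascon-128 seal: returns ciphertext || 16-byte tag."""
    if len(key) != 16 or len(nonce) != 16:
        raise ValueError("Ascon-128 needs a 128-bit key and a 128-bit nonce")
    s = _init(key, nonce)
    _absorb_ad(s, ad)
    p, ct = _pad(pt), b""
    for i in range(0, len(p), RATE):
        s[0] ^= _u64(p[i:i + RATE])
        ct += s[0].to_bytes(8, "big")
        if i + RATE < len(p):             # no permutation after the last block
            _permute(s, 6)
    return ct[:len(pt)] + _finalize(s, key)


def decrypt(key: bytes, nonce: bytes, ad: bytes, sealed: bytes):
    """Ascon-128 open: returns the plaintext, or None if the tag fails, so
    unauthenticated bytes are never handed back to the caller."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    s = _init(key, nonce)
    _absorb_ad(s, ad)
    pt, full = b"", len(ct) // RATE
    for i in range(full):
        c = _u64(ct[i * RATE:(i + 1) * RATE])
        pt += (s[0] ^ c).to_bytes(8, "big")
        s[0] = c
        _permute(s, 6)
    last = bytes(a ^ b for a, b in zip(s[0].to_bytes(8, "big"), ct[full * RATE:]))
    pt += last
    s[0] ^= _u64(_pad(last))             # re-absorb the padded final block
    if not hmac.compare_digest(_finalize(s, key), tag):
        return None
    return pt


def demo():
    """Bind a sensor report to the sending device's address as AD (constructed
    values; a real deployment must never reuse a nonce under the same key)."""
    key, nonce = bytes(range(16)), bytes(range(16, 32))
    device_ip, report = b"10.0.0.7", b"temp=21.5C;valve=open"
    sealed = encrypt(key, nonce, device_ip, report)
    genuine = decrypt(key, nonce, device_ip, sealed)      # the report
    spoofed = decrypt(key, nonce, b"10.0.0.8", sealed)    # None: same bytes, wrong context
    return genuine, spoofed
```

The AD never appears in the output, so the receiver must already know it (here, the source address it observed) and supply it on decryption; a mismatch is indistinguishable from a forged tag. The fixed nonce in demo() is for the demonstration only: nonce reuse under one key breaks confidentiality for any nonce-based AEAD, Ascon included.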
Source – https://thehackernews.com/2023/02/nist-standardizes-ascon-cryptographic.html
New ESXiArgs ransomware version prevents VMware ESXi recovery
New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.
Last Friday, a massive and widespread automated ransomware attack encrypted over 3,000 Internet-exposed VMware ESXi servers using a new ESXiArgs ransomware. Preliminary reports indicated that the devices were breached using old VMware SLP vulnerabilities. However, some victims have stated that SLP was disabled on their devices and that they were still breached and encrypted.
When encrypting a device, an ‘encrypt.sh’ script looks for virtual machine files matching a fixed list of virtual-disk and configuration file extensions.
For each file that is found, the script checks the file size. If the file is smaller than 128 MB, it encrypts the whole file in 1 MB increments. For files larger than 128 MB, it computes a ‘size_step’ that causes the encryptor to alternate between encrypting 1 MB of data and leaving the next size_step megabytes unencrypted.
The encrypt.sh script uses the following formula (slightly modified for readability) to determine what size_step should be used, with bash’s integer arithmetic truncating the division: size_step=((($size_in_kb/1024/100)-1))
This means for a 4.5 GB file, it would generate a size_step of ’45,’ causing the encryptor to alternate between encrypting 1 MB of the file and skipping 45 MB of the file. So, as you can see, quite a bit of data remains unencrypted by the time it’s finished encrypting a file. For even larger files, like a 450GB file, the amount of skipped data rises dramatically, with the size_step becoming ‘4607,’ now alternating between encrypting 1MB and skipping 4.49 GB of data.
Due to these large chunks of unencrypted data, researchers devised a method to recover virtual machines using the large and primarily unencrypted flat files, where the virtual machine’s disk data is stored. A script created by CISA later automated this recovery process.
Unfortunately, a second ESXiArgs ransomware wave started today and includes a modified encryption routine that encrypts far more data in large files. The second wave was identified after an admin posted in the ESXiArgs support topic stating that their server was encrypted and could not be recovered using the methods that had worked previously. After the samples were shared, it was noticed that the encryptor binary had not changed, but the ‘size_step’ calculation in the encrypt.sh script had been removed and the value simply hard-coded to 1.
All files over 128 MB will now have 50% of their data encrypted, making them likely unrecoverable. This change also prevents the previous recovery tools from successfully recovering machines, as the flat files will have too much data encrypted to be usable. This second wave of attack also made a minor change to the ransom note by no longer including bitcoin addresses in the ransom note. The removal of the bitcoin addresses was likely due to them being collected by security researchers to track ransom payments.
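To make the arithmetic above concrete, the following Python model (written for this digest; it is not the malware’s code and encrypts nothing) reproduces the size_step formula with bash-style integer division and reports how much of a file each wave overwrites and the longest stretch it leaves untouched. Whether the second wave kept the 128 MB threshold is an assumption consistent with the article’s “all files over 128 MB” wording; the file sizes are constructed examples.

```python
MIB = 1024 * 1024
THRESHOLD_KB = 128 * 1024   # below 128 MB the first wave encrypted the whole file


def size_step_v1(size_bytes: int) -> int:
    """First wave: size_step=((($size_in_kb/1024/100)-1)); bash '/' truncates."""
    size_in_kb = size_bytes // 1024          # the size `du -k` would report
    if size_in_kb < THRESHOLD_KB:
        return 0                             # step 0: encrypt every 1 MiB chunk
    return size_in_kb // 1024 // 100 - 1


def size_step_v2(size_bytes: int) -> int:
    """Second wave: the formula is gone and the step is a constant 1.
    Keeping the 128 MB threshold here is an assumption (see lead-in)."""
    return 0 if size_bytes // 1024 < THRESHOLD_KB else 1


def encrypted_ranges(size_bytes: int, step_mib: int):
    """Byte ranges the encryptor overwrites: 1 MiB encrypted, step_mib MiB
    skipped, repeated to end of file (a short final chunk is taken whole)."""
    pos = 0
    while pos < size_bytes:
        end = min(pos + MIB, size_bytes)
        yield pos, end
        pos = end + step_mib * MIB


def encrypted_bytes(size_bytes: int, step_mib: int) -> int:
    return sum(end - start for start, end in encrypted_ranges(size_bytes, step_mib))


def largest_untouched_run(size_bytes: int, step_mib: int) -> int:
    """Longest contiguous run of bytes the encryptor never writes; the flat-file
    recovery depended on these runs being large."""
    best, prev_end = 0, 0
    for start, end in encrypted_ranges(size_bytes, step_mib):
        best = max(best, start - prev_end)
        prev_end = end
    return max(best, size_bytes - prev_end)


def report(size_bytes: int) -> dict:
    """Compare both waves for one file size."""
    out = {}
    for name, step_fn in (("wave1", size_step_v1), ("wave2", size_step_v2)):
        step = step_fn(size_bytes)
        enc = encrypted_bytes(size_bytes, step)
        out[name] = {
            "size_step": step,
            "encrypted_mib": enc // MIB,
            "fraction": enc / size_bytes,
            "largest_clean_mib": largest_untouched_run(size_bytes, step) // MIB,
        }
    return out


if __name__ == "__main__":
    for label, size in (("100 MiB", 100 * MIB), ("4.5 GiB", 4608 * MIB), ("450 GiB", 460800 * MIB)):
        print(label, report(size))
```

For the 4.5 GB case the first-wave step of 45 leaves roughly 98% of the file, in contiguous 45 MB gaps, untouched, which is why rebuilding disks from the flat files worked; with the step forced to 1, half of every large file is overwritten in alternating 1 MB bands and no clean run is longer than 1 MB, so there is nothing left for the recovery script to reassemble.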
However, even more concerning, the admin who shared the new samples said they had SLP disabled on their server but were still breached again. They also checked for the vmtool.py backdoor seen in previous attacks, and it was not found. With SLP disabled, it remains unclear how this server was breached.
Source – https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/
Grocery delivery platform Weee! confirms data breach
Attackers posted a database with information on 11 million Weee! customers on a popular hacker forum earlier this February, exposing sensitive delivery-related information. The company’s spokesperson stated that Weee! is aware of a data breach that affected some of its customers. The online grocery delivery platform said it does not retain any payment details, and the breach did not impact user financial data. For customers who placed an order between July 12, 2021 and July 12, 2022, information such as name, address, email address, phone number, order number and order comments may have been affected.
The leaked data does not appear to have surfaced in earlier leaks. Some of the leaked records included delivery notes that Weee! customers left for couriers, such as codes to enter residential or office buildings.
Weee! is an online grocery delivery platform specialising in Hispanic and Asian foods and operating throughout most of the United States. The company boasts that its delivery app has been downloaded over 2.6 million times; according to data on the Google Play store, the Weee! Asian Grocery Delivery app has been downloaded over 500k times.
Source – https://cybernews.com/news/weee-confirms-data-breach/
LockBit ransomware gang claims Royal Mail cyberattack
The LockBit ransomware operation has claimed the cyberattack on the UK’s leading mail delivery service, Royal Mail, that forced the company to halt its international shipping services due to severe service disruption.
This comes after LockBitSupp, the ransomware gang’s public-facing representative, previously said that the LockBit cybercrime group did not attack Royal Mail. Instead, they blamed the attack on other threat actors using the LockBit 3.0 ransomware builder that was leaked on Twitter in September 2022.
LockBitSupp failed to explain why printed Royal Mail ransom notes seen included links to LockBit’s Tor negotiation and data leak sites rather than ones operated by another threat actor. However, LockBitSupp confirmed that LockBit was indeed behind the attack in a post on a Russian-speaking hacking forum after determining that one of their affiliates deployed the gang’s ransomware payloads on Royal Mail’s systems.
The ransomware gang’s representative also added that they would only provide a decryptor and delete data stolen from Royal Mail’s network after a ransom is paid. The entry for the Royal Mail attack on LockBit’s data leak site says stolen data was to be published online on Thursday, February 9, at 03:42 AM UTC.
Royal Mail first detected the attack on January 10 and hired outside forensic experts to help with the investigation. The company also reported the incident to UK security agencies and is investigating the incident alongside the National Crime Agency and UK National Cyber Security Centre (NCSC).
However, Royal Mail is yet to acknowledge that it’s dealing with a ransomware attack that could likely lead to a data breach since LockBit ransomware operators are known for stealing data and leaking it online if their ransom demands are not met. For now, the company is still describing the attack as a “cyber incident” and says that it has restored some of the services impacted by the attack.
Last month’s incident follows a November 2022 outage that led to the Royal Mail’s tracking services being unavailable for more than 24 hours. Royal Mail’s recurring IT issues come at a time when its mailing services are already strained amid planned national strikes and ongoing negotiations with the Communication Workers Union.
Source – https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/
PixPirate Android Malware Stealing Banking Passwords From Browsers
The introduction of Pix, an instant payment platform developed and managed by the monetary authority of Brazil, the Central Bank of Brazil (BCB), has enabled the quick execution of payments and transfers, but it also brings threats with it. Now counting over 100 million registered accounts, it illustrates how rapidly the adoption of instant payments has been growing in Europe, the Americas and, more recently, Brazil.
One such threat that has just been spotted in the wild is a new strain of mobile malware that targets Brazil and other LATAM nations. The malware’s main objectives are to steal sensitive data and commit fraud against users of the Pix platform. The malware, known as “PixPirate” and discovered between the end of 2022 and the beginning of 2023, is the most recent generation of Android banking trojans able to use an ATS (Automatic Transfer System).
It allows attackers to automatically insert a malicious money transfer over the Instant Payment platform Pix, which is used by many Brazilian banks. PixPirate portrays itself to victims as a trusted application while actually serving harmful ends behind well-known names and icons.
Banking trojans frequently abuse Android’s accessibility services, since they offer features for observing and interacting with other apps. After the victim grants it that permission, PixPirate activates all of its harmful features. Notably, the Android banking malware uses the accessibility services API to perform its malicious tasks, which include disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and delivering fake advertisements via push notifications.
Through accessibility services, PixPirate can distinguish the various UI elements of the bank’s activity, including the password field displayed on the screen, and captures the user’s password whenever the content of the password input changes. When the default SMS app is active in the foreground, the malware is also capable of long-pressing a message, selecting the delete button and confirming the deletion, i.e. deleting SMS messages from the victim’s phone.
The threat actors also incorporated certificate pinning, a popular method for protecting communications from man-in-the-middle attacks, into the malware’s own network traffic, which hampers analysts trying to intercept it. PixPirate has also been seen attacking the Pix instant payment system, which is used by numerous Brazilian institutions.
As a result, researchers say it is not possible to rule out that in the near future, there will be even more threats that will follow the PixPirate instance, targeting other LATAM countries or even shifting their attention to other regions, despite the fact that PixPirate appears to still be in the early stages of development.
Source – https://cybersecuritynews.com/malware-stealing-banking-passwords/
20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
PeopleConnect-owned background check services Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.
In individual data breach notices published on February 3, the organisations informed users that the incident was discovered after cybercriminals started sharing databases stolen from the two companies on underground forums. The databases – or ‘lists’, as the two companies call them – contain names, email addresses, phone numbers, encrypted passwords, and password reset tokens that are either expired or inactive.
The two organisations note that the leaked information does not include details on user activity or payment data. While Instant Checkmate and TruthFinder also note that no “readable or usable passwords or other means to compromise user accounts” leaked either, it is not uncommon for cybercriminals to try to crack stolen encrypted passwords.
Investigations were launched into both incidents, but no evidence of malicious activity has been found so far on either company’s network. According to the two announcements, the data breach was the result of the “inadvertent leak or theft” of the impacted database. While neither Instant Checkmate nor TruthFinder shared the number of affected individuals, the data has already been added to Troy Hunt’s breach notification service Have I Been Pwned.
The leaked databases include the information of more than 11.9 million Instant Checkmate accounts, and the details of over 8.1 million TruthFinder accounts.
Source – https://www.securityweek.com/20-million-users-impacted-by-data-breach-at-instant-checkmate-truthfinder/
Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack
An Iranian nation-state group sanctioned by the U.S. government has been attributed to the hack of the French satirical magazine Charlie Hebdo in early January 2023.
Microsoft, which disclosed details of the incident, is tracking the activity cluster under its chemical element-themed moniker NEPTUNIUM, which is an Iran-based company known as Emennet Pasargad. In January 2022, the U.S. Federal Bureau of Investigation (FBI) tied the state-backed cyber unit to a sophisticated influence campaign carried out to interfere with the 2020 presidential elections. Two Iranian nationals have been indicted for their role in the disinformation and threat campaign.
Microsoft’s disclosure comes after a “hacktivist” group named Holy Souls (now identified as NEPTUNIUM) claimed to be in possession of the personal information of more than 200,000 Charlie Hebdo customers, including their full names, telephone numbers, and home and email addresses. The breach, which allowed NEPTUNIUM to gain access to an internal database, is suspected to have been orchestrated as a retaliation against the publication for conducting a cartoon contest ridiculing Iranian Supreme Leader Ali Khamenei.
The release of the full cache of stolen data, which was advertised for 20 Bitcoin, could lead to mass doxing and put its readership at risk of online or physical targeting by extremist organisations. This amplification effort made use of a particular set of influence tactics, techniques, and procedures (TTPs) witnessed before in Iranian hack-and-leak influence operations. The points of similarity include the use of false-flag personas to conduct their hack-and-leak operations, inauthentic sockpuppet accounts, and the impersonation of authoritative sources, corroborating an October 2022 advisory from the FBI.
The goal, the FBI assessed, is to undermine public confidence in the security of the victim’s network and data, as well as embarrass victim companies and targeted countries. These hack-and-leak campaigns involve a combination of hacking / theft of data and information operations that impact victims via financial losses and reputational damage.
Source – https://thehackernews.com/2023/02/microsoft-iranian-nation-state-group.html