Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure

A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers.

The activity was identified on the network of one customer in the second week of December 2023, and attributed to a hacking group under the name UTA0178. There is evidence to suggest that the VPN appliance may have been compromised as early as December 3, 2023.

The two vulnerabilities that have been exploited in the wild to achieve unauthenticated command execution on the ICS device are as follows –

CVE-2023-46805 (CVSS score: 8.2) – An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

CVE-2024-21887 (CVSS score: 9.1) – A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

The vulnerabilities can be fashioned into an exploit chain to take over susceptible instances over the internet.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in an advisory.

The company said it has observed attempts on the part of the threat actors to manipulate Ivanti’s internal integrity checker (ICT), which offers a snapshot of the current state of the appliance.

Patches are expected to be released in a staggered manner starting from the week of January 22, 2024. In the interim, users have been recommended to apply a workaround to safeguard against potential threats.

In the incident analyzed, the twin flaws are said to have been employed to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.

The attacker further modified a legitimate CGI file (compcheck.cgi) on the ICS VPN appliance to allow command execution. In addition, a JavaScript file loaded by the Web SSL VPN login page was altered to log keystrokes and exfiltrate credentials associated with users logging into the device.

The attacks are also characterized by reconnaissance efforts, lateral movement, and the deployment of a custom web shell dubbed GLASSTOKEN via the backdoored CGI file to maintain persistent remote access to the external-facing web servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert of its own, said it has added the two shortcomings to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by January 31, 2024.

Source – https://thehackernews.com/2024/01/chinese-hackers-exploit-zero-day-flaws.html

Attackers Impersonate Security Researchers in Extortion Attempts

In recent findings, multiple extortion attempts have been identified, where threat actors impersonate security researchers and approach victim organizations, promising to hack into the infrastructure of original ransomware groups to delete stolen data for a fee.

This alarming trend involves attackers using Tox to contact victims after security breaches, posing as researchers, and claiming access to server infrastructure. Despite variations in personas, there is a belief that these extortion attempts may be orchestrated by the same individual or group, marking the first reported instance of adversaries impersonating security researchers in this manner.

The initial instance of extortion, identified in October 2023, targeted victims of Royal ransomware attacks. An entity, falsely attributing the compromise to the TommyLeaks ransomware group, offered to hack Royal ransomware and delete previously stolen data, despite conflicting claims.

The second instance followed a similar pattern, with a separate entity contacting a victim of Akira ransomware, claiming access to a server hosting exfiltrated data. The posing adversary, asserting control over Akira’s server infrastructure, offered to delete the victim’s data or provide access to the compromised server.

Commonalities between the cases include communication via Tox, posing as security researchers, claims of server infrastructure access, offers to prove access to stolen data, implications of future attacks if not addressed, specification of stolen data amount, a demand for a fee (typically five Bitcoin), similar language in emails to victims, and the use of file.io to provide evidence of stolen data.

With a moderate level of confidence, it is concluded that these extortion attempts may be orchestrated by the same threat actors. The affiliation with the original ransomware groups remains unknown, underscoring the evolving tactics employed by cybercriminals. As organizations grapple with complex cybersecurity challenges, vigilance and swift action are crucial to mitigating risks associated with such extortion schemes.

Source – https://cybernews.com/news/attackers-impersonate-security-researchers-in-extortion-attempts/

Mandiant’s X Account Was Hacked Using Brute-Force Attack

The compromise of Mandiant’s X (formerly Twitter) account last week was likely the result of a “brute-force password attack,” attributing the hack to a drainer-as-a-service (DaaS) group.

“Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected,” the threat intelligence firm said in a post shared on X.

The attack, which took place on January 3, 2023, enabled the threat actor to take control of the company’s X account and distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.

Drainers refer to malicious scripts and smart contracts that facilitate the theft of digital assets from the victim’s wallets after they are tricked into approving the transactions.

According to the Google-owned subsidiary, multiple threat actors are believed to have leveraged CLINKSINK since December 2023 to siphon funds and tokens from Solana (SOL) cryptocurrency users.

As observed in the case of other drainers like Angel Drainer and Inferno Drainer, affiliates are roped in by the DaaS operators to conduct the attacks in exchange for a cut (typically 20%) of the stolen assets.

The identified activity cluster involves at least 35 affiliate IDs and 42 unique Solana wallet addresses, collectively netting the actors no less than $900,000 in illegal profits.

The attack chains involve the use of social media and chat applications such as X and Discord to distribute cryptocurrency-themed phishing pages that encourage the targets to connect their wallets to claim a bogus token airdrop.

CLINKSINK, a JavaScript drainer, is designed to open a pathway to the targeted wallets, check the current balance on the wallet, and ultimately pull off the theft after asking the victim to sign a fraudulent transaction. This also means that the attempted theft will not succeed if the victim rejects the transaction.

The drainer has also spawned several variants, including Chick Drainer (or Rainbow Drainer), raising the possibility that the source code is available to multiple threat actors, allowing them to mount independent draining campaigns.

“The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors,” Mandiant said.

“Given the increase in cryptocurrency values and the low barrier to entry for draining operations, we anticipate that financially motivated threat actors of varying levels of sophistication will continue to conduct drainer operations for the foreseeable future.”

The development comes amid an uptick in attacks targeting legitimate X accounts to spread cryptocurrency scams.

Earlier this week, the X account associated with the U.S. Securities and Exchange Commission (SEC) was breached to falsely claim that the regulatory body had approved the “listing and trading of spot bitcoin exchange-traded products,” causing bitcoin prices to spike briefly.

X has since revealed the hack was the result of “an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third-party,” and that the account did not have two-factor authentication enabled.

Source – https://thehackernews.com/2024/01/mandiants-x-account-was-hacked-using.html

Pro-Ukraine Hackers Breach Russian ISP in Revenge for KyivStar Attack

A pro-Ukraine hacktivist group named ‘Blackjack’ has claimed a cyberattack against the Russian provider of internet services M9com as a direct response to the attack against Kyivstar mobile operator.

Kyivstar is Ukraine’s largest telecommunications service provider and its services were severely disrupted in mid-December by what was later revealed to be an attack from Russian hackers.

An investigation of the Security Service of Ukraine (SSU) revealed that the Russians initially breached Kyivstar in May last year and had been preparing for the attack in December that culminated with simultaneous wiping of thousands of virtual servers and computers.

Earlier this week, the Blackjack hacker group announced on Telegram that they had breached M9com, a major internet service provider (ISP) in Moscow.

The hacktivists claimed that they not only managed to disrupt M9com’s internet services but also stole confidential data from the company.

The group shared a Tor URL for three ZIP archives with images that allegedly prove their access to M9com’s systems, texts with account credentials of employees and customers, and 50GB of call data.

Several screenshots show FTP command execution to delete server files, wiping of data from a backup device, removal of configuration files, the RIPE database and billing portal, a snapshot of the vSphere client, and the dashboard for the Resource Public Key Infrastructure (RPKI).

Some of the leaked text files contain full names, usernames, email addresses, passwords in cleartext form, and other confidential details.

It appears that Blackjack also defaced M9com’s official website.

In a public message, Blackjack promises this to be just the first of a barrage of attacks they are planning in response to the Kyivstar hack.

“Hacker attack on M9com is just a continuation of the series of warm-up acts of retribution for the civilian Kyivstar before the big bada-boom” – Blackjack hacker group

While many pro-Russian hacktivist attacks are typically aiming to take down services (distributed denial-of-service), the Blackjack group’s activity has a greater impact as recovery from wiped servers is more difficult, especially if backups have also been destroyed.

According to Ukrinform citing “a source from Ukraine’s law enforcement agencies,” the Blackjack group is “likely related to the SBU” (the Security Service of Ukraine) and they deleted around 20 terabytes of data during the attack.

Source – https://www.bleepingcomputer.com/news/security/pro-ukraine-hackers-breach-russian-isp-in-revenge-for-kyivstar-attack/

Fidelity National Financial: Hackers Stole Data of 1.3 Million People

Fidelity National Financial (FNF) has confirmed that a November cyberattack (claimed by the BlackCat ransomware gang) has exposed the data of 1.3 million customers.

FNF is an American title insurance and transaction services provider for the real estate and mortgage industries. It is one of the largest companies of this kind in the United States, with an annual revenue of more than $10 billion, a market capitalization of $13.3 billion, and an employee force of over 23,000 people.

In mid-December, the firm warned that it had suffered a cyberattack after the threat actors accessed the network using stolen credentials. FNF’s announcement from the time explained that containment measures forced it to take certain IT systems offline, disrupting business services.

Yesterday, Fidelity National Financial confirmed in an amended SEC Form 8-K filing that the cyberattack occurred on November 19, 2023, and was successfully contained seven days later. According to the filing, the attackers used a non-propagating malware that could exfiltrate data from the breached systems. The investigation that followed to appreciate the impact of the incident was concluded on December 13, 2023, revealing that the intruders had stolen the data of 1.3 million customers.

“We determined that an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating, and exfiltrated certain data,” reads FNF’s SEC filing.

“The Company has notified its affected customers and applicable state attorneys general and regulators, and approximately 1.3 million potentially impacted consumers; is providing credit monitoring, web monitoring, and identity theft restoration services; and is fielding questions from consumers.”

The filing clarifies that the breach was contained on FNF systems, and the attack has not extended to any of the connected customer-owned systems. FNF concludes by saying that it does not believe the incident will have any material impact on its financial status and operations and pledges to “vigorously defend itself” against class action lawsuits targeting it for this data breach.

While not mentioned by Fidelity National Financial, the BlackCat (ALPHV) ransomware gang previously claimed responsibility for the attack by listing the company on their data leak site. The threat actors did not say whether data was stolen in the attack, stating they were waiting for FNF to contact them first.

The Fidelity National Financial breach is one of the many attacks that have recently targeted the mortgage and housing industry since late November, including First American, loanDepot, and Mr. Cooper. Of those, only loanDepot clarified that they suffered a ransomware attack, while all other firms have not shared any details about the nature of the incident.

Source – https://www.bleepingcomputer.com/news/security/fidelity-national-financial-hackers-stole-data-of-13-million-people/

HMG Healthcare Says Data Breach Impacts 40 Facilities

Healthcare services provider HMG Healthcare has disclosed a data breach impacting the personal health information of employees and residents at 40 affiliated nursing facilities. According to a notice from the organization, the incident was identified in November 2023 but an investigation determined that the data breach occurred in August 2023.

“The incident involved hackers gaining access to our server and stealing unencrypted files. Files on the server likely contained medical records and personal information,” HMG Healthcare notes in an incident notification on its website.

The compromised information includes names, contact information, dates of birth, health information, medical treatment details, Social Security numbers, and employee records.

“We are notifying affected individuals and/or their responsible parties that during August 2023, a server containing your or a loved one’s information was accessed without authorization and the records were potentially compromised,” HMG Healthcare said.

While it did not provide specific details on the type of cyberattack it fell victim to, HMG might have been targeted by an extortion gang, likely a ransomware group, and appears to have been in contact with the attackers, to prevent the public release of the stolen data.

“HMG worked diligently to ensure that the stolen files were not further shared by the hackers to other sources. HMG attempted to identify the specific data that was compromised but we have now determined that such identification is not feasible,” it said.

The potentially impacted individuals are advised to monitor their account statements and credit reports to identify any suspicious activity.

The organization has named a total of 40 facilities in Texas and Kansas that were affected by the incident, some of which may not be known by an “HMG” name, but did not say how many individuals might have been impacted.

Source – https://www.securityweek.com/hmg-healthcare-says-data-breach-impacts-40-facilities/

Fake 401K Year-end Statements Used to Steal Corporate Credentials

Threat actors are using communication about personal pension accounts (the 401(k) plans in the U.S.), salary adjustments, and performance reports to steal company employees’ credentials.

Researchers have warned that these attacks are becoming more frequent and even organizations with sound email security practices are having trouble against them.

401(k) is a popular retirement savings plan in the U.S. that offers a convenient way for employees to save for the future with tax benefits, often including additional contributions from their employer.

Cybercriminals take advantage of this topic and are sending targets 401(k) notifications posing as someone from their company’s Human Resources department alleging an important plan update or an increase in contributions.

Last year saw a sharp rise in QR codes embedded in those phishing emails, taking recipients to a fake login page designed to steal credentials. Other lure types seen more often towards the end of the year include open enrollment, surveys, and salary restructuring communications.

Open enrollment is a specific period, typically occurring towards the end of the calendar year, allowing employees to enroll in health insurance or retirement plans. Recipients take these messages very seriously because failing to enroll before the deadline results in loss of eligibility for some benefits until the next enrollment round.

Cybercriminals also appear to use more often lures regarding compensation adjustments, especially about bonuses and increases, which are usually decided at the end of the year.

They also warn about fake employee satisfaction surveys and assessment reports sent to targets from spoofed human resource departments. In one example, the phishing email uses an “employee of the year award” theme to trick recipients into opening their performance reports, allegedly to review and sign them.

All examples in a report are from employees of large enterprises that use effective email security solutions, yet many phishing messages still reach their employees’ inboxes. HR departments should schedule these communications and inform the personnel accordingly to help filter out at least some of the malicious communications.

However, considering that many companies outsource these operations, educating and safeguarding employees from phishing attempts may be difficult. Another measure would be to avoid QR codes in legitimate business communication, since many phishing campaigns rely on them.

Source – https://www.bleepingcomputer.com/news/security/fake-401k-year-end-statements-used-to-steal-corporate-credentials/

SEC’s X Account Hacked, Leading to Bitcoin Market Stir

The US Securities and Exchange Commission (SEC) said its social media account was hacked after a false message regarding the approval of spot bitcoin ETFs was posted on the SEC’s X account.

It all happened about just about 4 p.m. EST on Tuesday, January 9th.

The SEC post – which got more than 1 million views in less than a half hour before the SEC quickly took it down – claimed that the regulatory agency was planning on approving the crypto ETF to be listed on the US national securities exchanges.

The post included an image with a quoted statement attributed to SEC Chair Gary Gensler, apparently a fake.

“The @SECGov X account was compromised, and an unauthorized post was posted,” the SEC wrote without providing any other details.

“The SEC has not approved the listing and trading of spot bitcoin exchange-traded products,” it posted on X (formally known as Twitter).

The post came only a day before the SEC was expected to actually grant the approval of the spot bitcoin ETFs in a long-awaited and widely anticipated moment for the crypto world.

The fake post caused the price of bitcoin to spike from about $45,000 to $48,000 for a short few minutes, coming back down to just over $45,000 once the SEC declared the hack and deleted the post.

According to Fox Business Network’s Charles Gasparino, legal sources say the SEC will be forced to “investigate itself for market manipulation” due to the incident.

Ironically, the SEC has previously rejected all spot bitcoin ETF proposals over fears of market manipulation. Numerous crypto insiders also questioned how the SEC account was hacked, yet the agency, miraculously, was able to gain control of the account and delete the post so quickly.

Others worry the SEC could now delay or simply deny the approval for the crypto product to be listed and traded on all US registered security exchanges because of the hack.

The SEC said it was working with law enforcement to investigate the hack and “related conduct,” but declined to say whether the compromise would have an effect on future approvals for the crypto product.

Meantime, Reuters reported that X’s head of business operations, Joe Benarroch, said the SEC’s account was secure and an investigation has been launched into the “root cause” of the compromise. According to Forbes, spot ETFs directly track the price of bitcoin, offering investors exposure to its price movements without owning the asset directly.

Source – https://cybernews.com/crypto/sec-x-account-hacked-bitcoin-etf-market-fluctuation/

US Mortgage Lender loanDepot Confirms Ransomware Attack

Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption. loanDepot is a major nonbank mortgage lender in the United States, with over $140 billion in serviced loans and roughly 6,000 employees.

Customers began experiencing issues on Saturday when trying to log in to loanDepot’s payment portal to pay loans or contact them by phone.

“loanDepot is experiencing a cyber incident. We have taken certain systems offline and are working diligently to restore normal business operations as quickly as possible,” the company stated over the weekend. “We are working quickly to understand the extent of the incident and taking steps to minimize its impact.”

After detecting the security breach, loanDepot started an investigation with the help of external cybersecurity experts and began notifying relevant regulators and law enforcement agencies. Following the attack, the company informed customers via social media that recurring automatic payments would still be processed, although delayed before they appear in the payment history.

However, making new payments using the servicing portal will not be possible, and affected customers are advised to reach out to the call center for assistance.

As the loanDepot revealed in an 8-K filing with the U.S. Securities and Exchange Commission, the attackers also encrypted files on compromised devices, but it’s unclear which ransomware group was behind the attack. The breach also forced loanDepot to shut down some of its systems to block the attackers’ access to other devices on its network.

“Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third party activity included access to certain Company systems and the encryption of data,” it said.

“The Company will continue to assess the impact of the incident and whether the incident may have a material impact on the Company.”

While loanDepot only mentions that the threat actors gained access to systems and encrypted files, ransomware gangs now also commonly steal corporate and customer data during breaches to use as leverage when pressuring victims into paying a ransom.

Given that loanDepot holds sensitive customer data like financial and bank account information, those affected by the breach should be vigilant against potential phishing attacks and identity theft attempts. In May 2023, loanDepot disclosed a data breach resulting from a cyberattack in August 2022 that exposed customer data.

Mortgage lending giant Mr. Cooper also suffered a cyberattack in November 2023, which led to a data breach that exposed the personal data of 14.7 million customers. Similarly, First American Financial Corporation, one of the target U.S. title insurance companies, took some of its systems offline before Christmas to contain the impact of a cyberattack.

Source – https://www.bleepingcomputer.com/news/security/us-mortgage-lender-loandepot-confirms-ransomware-attack/

Capital Health Attack Claimed by LockBit Ransomware, Risk of Data Leak

The LockBit ransomware operation has claimed responsibility for a November 2023 cyberattack on the Capital Health hospital network and threatens to leak stolen data and negotiation chats by tomorrow. Capital Health is a primary healthcare service provider in New Jersey and parts of Pennsylvania, operating two major hospitals and several satellite and specialty clinics.

Last November, the organization experienced an IT systems outage following a cyberattack on its network, warning that the incident would impact its operations for at least a week.

A security incident notification on the Capital Health website informs that all systems have been restored and operations have returned to normal, while additional security measures have been implemented to prevent similar incidents from re-occurring.

Capital Health’s latest updates indicate they are still investigating whether data was stolen in the cyberattack. The LockBit ransomware gang has now claimed responsibility for the attack on Capital Health by listing the healthcare company on its data leak extortion portal yesterday.

Moreover, the cybercriminals allege to have stolen seven terabytes of sensitive medical data they threaten to leak tomorrow if the organization fails to meet their ransom payment demands.

LockBit has an affiliate rule that states their affiliates (hackers) will not encrypt files on hospital networks but allow them to steal data for extortion.

While this policy has been broken numerous times by the operation’s affiliates, in the attack on Capital Health, the LockBit operation says they purposely avoided encrypting the organization’s files and instead only stole data.

“We purposely didn’t encrypt this hospital so as not to interfere with patient care. We just stole over 10 million files,” the ransomware gang stated on their data leak site.

Most ransomware groups tend to have strict policies regarding healthcare service providers, advising their affiliates not to perform such assaults for ethical reasons and banning them if they deviate from that instruction.

However, the LockBit operation has repeatedly targeted healthcare networks, including the SickKids children’s cancer hospital, the Katholische Hospitalvereinigung Ostwestfalen (KHO) in Germany, and the Carthage Area Hospital and Claxton-Hepburn Medical Center in upstate New York.

If LockBit and other cybercrime gangs continue to follow a pure data-theft approach, extorting hospital operators without touching infrastructure would create a false sense of “harmless” cyberattacks.

Encryption-less ransomware attacks can still lead to system outages as part of the victim’s response action, catastrophic data breaches for many people who received care in the targeted hospitals, and significant financial losses for already underfunded or economically stressed institutions.

Unfortunately, recent examples of high-impact ransomware attacks in the healthcare sector are abundant, including other victims, such as Ardent Health Services, Integris Health, ESO Solutions, and the Fred Hutchinson Cancer Center (Fred Hutch).

Source – https://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/

Smarttech247