Friday, January 13th, 2023

Cybersecurity Week in Review (13/1/23)

Royal Mail hit by Russia-linked ransomware attack

Royal Mail, the UK’s leading mail delivery service, stopped its international shipping services due to severe service disruption caused by a cyber incident. The attack on Royal Mail is now confirmed to be a ransomware attack by the LockBit operation, or at least by someone using its encryptors.

The ransomware attack encrypted devices used for international shipping and caused ransom notes to be printed on printers used for customs dockets. The ransom note states it was created by “LockBit Black Ransomware,” which is the operation’s latest encryptor name as it includes code and features from the now-shut down BlackMatter ransomware gang. The note also contains multiple links to the LockBit ransomware operation’s Tor data leak sites and negotiation sites, including a ‘Decryption ID’ required to log in to chat with the threat actors.

It is unclear whether the ransomware gang deleted the ID after news of the circulating ransom notes or moved negotiations to a new ID to avoid scrutiny by researchers and journalists. LockBitSupp, the public-facing representative of the ransomware operation, stated that they did not attack Royal Mail and blamed it on other threat actors using their leaked builder. In September, the LockBit 3.0 ransomware builder was leaked on Twitter. This allowed other threat actors to launch ransomware operations based on LockBit’s encryptor.

LockBitSupp’s explanation does not account for why Royal Mail’s ransom notes included links to LockBit’s Tor negotiation and data leak sites rather than the sites of the other threat actor allegedly using the builder.

These recurring IT issues come at a time when the mail delivery giant’s services are already strained amid negotiations with the Communication Workers Union and planned national strikes.

Source –

FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting government entities and other large organisations.

The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests.

The infection chain shows that the end goal was to deploy a generic Linux implant modified for FortiOS that’s equipped to compromise Fortinet’s intrusion prevention system (IPS) software and establish connections with a remote server to download additional malware and execute commands.

The threat actors were able to deter analysis and displayed advanced capabilities to manipulate FortiOS logging and terminate logging processes to remain undetected. The implant searches for elog files, which are logs of events in FortiOS. After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs.

Fortinet said it was unable to recover the payloads used in the subsequent stages of the attacks. It did not disclose when the intrusions took place. The network security company also noted that the exploit requires a “deep understanding of FortiOS and the underlying hardware” and that the threat actor possesses skills to reverse engineer different parts of FortiOS.

Source –

Corrupted file to blame for computer glitch which grounded every US flight

A corrupted file has been blamed for a glitch on the Federal Aviation Administration’s computer system which grounded every flight across the US. All outbound flights were grounded until around 9am Eastern Time (2pm GMT) on Wednesday as the FAA worked to restore its Notice to Air Missions (NOTAM) system, which alerts pilots of potential hazards along a flight route.

As of 3pm GMT yesterday 4,948 flights within, into or out of the US had been delayed, according to flight tracker, while 868 had been cancelled. Most delays were concentrated along the East Coast. Normal air traffic operations resumed gradually across the US following the outage to the NOTAM system that provides safety information to flight crews.

The NOTAM system, which is part of the air traffic control system and is critical for flights to be able to take off safely, had failed. A corrupted file affected both the primary and the backup systems, a senior government official said, adding that officials continue to investigate. Preliminary work traced the outage to a damaged database file. At this time, there is no evidence of a cyberattack.

A total of 21,464 flights were scheduled to depart airports in the US Thursday, according to aviation analytics firm Cirium. Nearly 2.9 million seats were available on those departures.

Source –

Multiple Danish Banks Disrupted By DDoS Cyber-Attack

Denmark’s central bank and seven private banks, including Jyske Bank and Sydbank, have been hit by distributed denial of service (DDoS) attacks that disrupted their operations this week.

A spokesperson for the central bank said its website was working normally on Tuesday afternoon. The attack, which also affected Bankdata, a developer of IT solutions for the financial industry, reportedly did not impact the bank’s other systems or day-to-day operations. However, it did impact access to the websites of the aforementioned private banks, which was briefly restricted on Tuesday after the DDoS attack on Bankdata.

Financial institutions have experienced an increase in destructive attacks aimed at destroying data and dismantling subnets in the sector. The main motive of the attack on Denmark’s banking industry appears to be disruption – impacting daily operations for the businesses and society at large. As the financial industry continues to be at a heightened risk of attacks ranging from DDoS to ransomware to island hopping, these institutions plan to increase their cybersecurity budget by upwards of 30%.

The attack on Denmark’s central bank and IT partner comes at a time of substantial increase in DDoS attacks against organisations worldwide.

Source –

Australian Healthcare Sector Targeted in Latest Gootkit Malware Attacks

A recent wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player.

Gootkit, also called Gootloader, is known to employ search engine optimisation (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords. The keywords “hospital,” “health,” “medical,” and “enterprise agreement” have been paired with various city names in Australia, marking the malware’s expansion beyond accounting and law firms.

Like other malware of its kind, Gootkit is capable of stealing data from the browser, performing adversary-in-the-browser (AitB) attacks, keylogging, taking screenshots, and other malicious actions.

The starting point of the cyber assault is to direct users searching for those keywords to an infected WordPress blog that tricks them into downloading malware-laced ZIP files. Upon accessing the site, the user is presented with a screen that has been made to look like a legitimate forum. They are then led to click the link so that the malicious ZIP file is downloaded.

The JavaScript code that’s used to pull off this trickery is injected into a valid JavaScript file at random sections on the breached website. The downloaded ZIP archive contains a JavaScript file that, upon execution, not only employs obfuscation to evade analysis but is further used to establish persistence on the machine by means of a scheduled task. The execution chain subsequently leads to a PowerShell script that’s designed to retrieve files from a remote server for post-exploitation activity, which commences only after a waiting period that ranges from a couple of hours to as long as two days.

Once the wait time elapses, two additional payloads are dropped – msdtc.exe and libvlc.dll – the former of which is a legitimate VLC Media Player binary that’s used to load the Cobalt Strike DLL component, followed by downloading more tools to facilitate discovery.

Source –

Dark Pink APT Group Targets Governments and Military in APAC Region

Government and military organisations in the Asia-Pacific region are being targeted by a previously unknown advanced persistent threat (APT) actor. The ongoing campaign is being tracked under the name Dark Pink and has been linked to seven successful attacks between June and December 2022.

Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers. The bulk of the attacks have singled out military bodies, government ministries and agencies, and religious and non-profit organisations in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina, with one unsuccessful intrusion reported against an unnamed European state development body based in Vietnam.

The threat actor is estimated to have commenced its operations way back in mid-2021, although the attacks ramped up only a year later using a never-before-seen custom toolkit designed to plunder valuable information from compromised networks. There is not enough data to explicitly attribute the threat actor to a particular country, but it’s likely of Asia-Pacific origin given the geolocation of identified victims.

In addition to its sophisticated malware arsenal, the group has been observed leveraging spear-phishing emails to initiate its attacks as well as the Telegram API for command-and-control (C2) communications. Also notable is the use of a single GitHub account for hosting malicious modules, which has been active since May 2021, suggesting that Dark Pink has been able to operate without getting detected for over 1.5 years. The Dark Pink campaign further stands out for employing multiple infection chains, wherein the phishing messages contain a link to a booby-trapped ISO image file to activate the malware deployment process. In one instance, the adversary posed as a candidate applying for a PR internship.

It’s also suspected that the hacking crew may be trawling job boards in order to tailor their messages and increase the likelihood of success of their social engineering attacks. The ultimate goal is to deploy TelePowerBot and KamiKakaBot, which are capable of executing commands sent via an actor-controlled Telegram bot, in addition to using bespoke tools like Ctealer and Cucky to siphon credentials and cookies from web browsers. While Ctealer is written in C/C++, Cucky is a .NET program. Another custom malware is ZMsg, a .NET-based application that allows Dark Pink to harvest messages sent via messaging apps such as Telegram, Viber, and Zalo.

The use of an almost entirely custom toolkit, advanced evasion techniques, the threat actors’ ability to rework their malware to ensure maximum effectiveness, and the profile of the targeted organisations demonstrate the threat that this particular group poses.

Source –

StrongPity Hackers Distribute Trojanised Telegram App to Target Android Users

The advanced persistent threat (APT) group known as StrongPity has targeted Android users with a trojanised version of the Telegram app through a fake website that impersonates a video chat service called Shagle.

StrongPity, also known by the names APT-C-41 and Promethium, is a cyberespionage group active since at least 2012, with a majority of its operations focused on Syria and Turkey. The existence of the group was first publicly reported in October 2016. The threat actor’s campaigns have since expanded to encompass more targets across Africa, Asia, Europe, and North America, with the intrusions leveraging watering hole attacks and phishing messages to activate the killchain.

One of the main hallmarks of StrongPity is its use of counterfeit websites that purport to offer a wide variety of software tools, only to trick victims into downloading tainted versions of legitimate apps. In December 2021, Minerva Labs disclosed a three-stage attack sequence stemming from the execution of a seemingly benign Notepad++ setup file to ultimately deliver a backdoor onto infected hosts. That same year, StrongPity was observed deploying a piece of Android malware for the first time by possibly breaking into the Syrian e-government portal and replacing the official Android APK file with a rogue counterpart.

In the latest attack an updated version of the Android backdoor payload is distributed, which is equipped to record phone calls, track device locations, and collect SMS messages, call logs, contacts lists, and files. In addition, granting the malware accessibility services permissions enables it to siphon incoming notifications and messages from various apps like Gmail, Instagram, Kik, LINE, Messenger, Skype, Snapchat, Telegram, Tinder, Twitter, Viber, and WeChat.

The backdoor functionality is concealed within a legitimate version of Telegram’s Android app that was available for download around February 25, 2022. The bogus Shagle website is no longer active, and the lack of telemetry data suggests the activity was very narrowly targeted.

There is also no evidence the app was published on the official Google Play Store. It’s currently not known how the potential victims are lured to the fake website, and if it entails techniques like social engineering, search engine poisoning, or fraudulent ads.

Source –

Severe Security Flaw Found in “jsonwebtoken” Library Used by 22,000+ Projects

A high-severity security flaw has been disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could lead to remote code execution (RCE) on a server verifying a maliciously crafted JSON web token (JWT) request.

Tracked as CVE-2022-23529 (CVSS score: 7.6), the issue impacts all versions of the library up to and including 8.5.1, and has been addressed in version 9.0.0, shipped on December 21, 2022. The flaw was reported by the cybersecurity company on July 13, 2022.

jsonwebtoken is a JavaScript module that allows users to decode, verify, and generate JSON web tokens as a means of securely transmitting information between two parties for authorisation and authentication. It has over 10 million weekly downloads on the npm software registry and is used by more than 22,000 projects. The ability to run malicious code on a server could break confidentiality and integrity guarantees, potentially enabling a bad actor to overwrite arbitrary files on the host and perform any action of their choosing using a poisoned secret key. However, in order to exploit this vulnerability and control the secretOrPublicKey value, an attacker would first need to exploit a flaw within the secret management process.

As open source software increasingly emerges as a lucrative initial access pathway for threat actors to stage supply chain attacks, it’s crucial that vulnerabilities in such tools are proactively identified, mitigated, and patched by downstream users.

Source –

‘Copyright Infringement’ Lure Used for Facebook Credential Harvesting

An extensive credential-harvesting campaign has hackers leveraging Facebook copyright infringement notices to steal enterprise credentials.

Malicious actors continue to use tried and true phishing techniques and social engineering tactics. This latest campaign sends users an email warning that, because the page has uploaded a photo violating Facebook’s copyright infringement policy, the account will be permanently suspended unless they click on the link to appeal the decision. This link leads not to a Meta site but to a credential-harvesting site.

Brand impersonations, or brandjackings, like these increased by 274% last year as attackers continue to peddle their scams by looking like they come from reliable sources. As digital applications proliferate and use of social media remains strong, educating users against social engineering attempts is a key part of a strong defence.

Good basic mitigations include always double-checking sender addresses, hovering over all URLs before clicking, and logging into the Facebook account directly to check its status instead of clicking on the URL in the email.

Source –

Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands

Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners. The flaws range from those that give access to internal company systems and user information to weaknesses that would allow an attacker to remotely send commands to achieve code execution.

The security vulnerabilities were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon.

The research builds on findings from late last year when security flaws were identified in a connected vehicle service provided by SiriusXM that could potentially put cars at risk of remote attacks. The most serious of the issues, which concern Spireon’s telematics solution, could have been exploited to gain full administrative access, enabling an adversary to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware.

Vulnerabilities identified in Mercedes-Benz could grant access to internal applications via an improperly configured single sign-on (SSO) authentication scheme, while others could permit user account takeover and disclosure of sensitive information. Other flaws make it possible to access or modify customer records and internal dealer portals, track vehicle GPS locations in real time, manage the license plate data for all Reviver customers, and even update a vehicle’s status to stolen.

While all the security vulnerabilities have since been fixed by the respective manufacturers following responsible disclosure, the findings highlight the need for a defence-in-depth strategy to contain threats and mitigate risk.

Source –

Russian hackers targeted US nuclear research laboratories

A Russian hacking team known as Cold River targeted three nuclear research laboratories in the United States this past summer, according to internet records.

Between August and September, as Vladimir Putin indicated Russia would be willing to use nuclear weapons to defend its territory, Cold River targeted the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore national laboratories (LLNL), according to internet records that showed the hackers creating fake login pages for each institution and emailing nuclear scientists in an effort to make them reveal their passwords. Researchers were unable to determine why the labs were targeted or if any attempted intrusion was successful.

Cold River has escalated its hacking campaign against Kyiv’s allies since the invasion of Ukraine. The digital blitz against the US labs occurred as UN experts entered Russian-controlled Ukrainian territory to inspect Europe’s biggest atomic power plant and assess the risk of what both sides said could be a devastating radiation disaster amid heavy shelling nearby. Cold River, which first appeared on the radar of intelligence professionals after targeting Britain’s Foreign Office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years.

In May, Cold River broke into and leaked emails belonging to the former head of Britain’s MI6 spy service. That was just one of several “hack and leak” operations last year by Russia-linked hackers in which confidential communications were made public in Britain, Poland and Latvia. In another recent espionage operation targeting critics of Moscow, Cold River registered domain names designed to imitate at least three European NGOs investigating war crimes.

Western officials say the Russian government is a global leader in hacking and uses cyber-espionage to spy on foreign governments and industries to seek a competitive advantage. However, Moscow has consistently denied that it carries out hacking operations.

Source –
