Thursday, April 13th, 2023
Cybersecurity Week in Review (14/04/2023)
Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign
The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running activity called DeathNote.
While the nation-state adversary is known for its persistent attacks on the cryptocurrency sector, it has also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what’s perceived as a significant pivot.
The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. It’s worth noting that the DeathNote cluster is also tracked under the monikers Operation Dream Job or NukeSped. A subset of the activity has also been tied to a group known as UNC2970.
The phishing attacks directed against crypto businesses typically entail using bitcoin mining-themed lures in email messages to entice potential targets into opening macro-laced documents in order to drop the Manuscrypt (aka NukeSped) backdoor on the compromised machine. The targeting of the automotive and academic verticals is tied to Lazarus Group’s broader attacks against the defense industry, leading to the deployment of BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants.
In an alternative attack chain, the threat actor employed a trojanised version of a legitimate PDF reader application called SumatraPDF Reader to initiate its malicious routine. The Lazarus Group’s use of rogue PDF reader apps was previously revealed by Microsoft.
The targets of these attacks included an IT asset monitoring solution vendor based in Latvia and a think tank located in South Korea, the latter of which entailed the abuse of legitimate security software that’s widely used in the country to execute the payloads. The adversarial crew has since been blamed for the supply chain attack aimed at enterprise VoIP service provider 3CX that came to light last month.
Another attack was discovered in March 2022 that targeted several victims in South Korea by exploiting the same security software to deliver downloader malware capable of delivering a backdoor as well as an information stealer for harvesting keystroke and clipboard data. Around the same time, the same backdoor is said to have been utilised to breach a defense contractor in Latin America using DLL side-loading techniques upon opening a specially-crafted PDF file using a trojanised PDF reader.
The Lazarus Group has also been linked to a successful breach of another defense contractor in Africa last July in which a “suspicious PDF application” was sent over Skype to ultimately drop a variant of a backdoor dubbed ThreatNeedle and another implant known as ForestTiger to exfiltrate data.
Source – https://thehackernews.com/2023/04/lazarus-hacker-group-evolves-tactics.html
Hyundai data breach exposes owner details in France and Italy
Hyundai has disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data. Hyundai is a multinational automotive manufacturer selling over half a million vehicles per year in Europe, with a market share of roughly 3% in France and Italy.
According to multiple reports on Twitter and a sample of the notice shared by “HaveIBeenPwned” creator Troy Hunt, the incident has exposed the following types of data:
- E-mail addresses
- Physical addresses
- Telephone numbers
- Vehicle chassis numbers
The letter also clarifies that the hacker who accessed Hyundai’s database did not steal financial data or identification numbers.
Hyundai says they engaged IT experts in response to the incident, who have taken the impacted systems offline until additional security measures are implemented. In the same communication, the South Korean car brand warns its customers to be cautious with unsolicited e-mails and SMS texts claiming to originate from them, as they could be phishing and social engineering attempts.
The same letter was sent to Hyundai car owners in France, with both entities informing data protection authorities in the two countries. It is unclear how many Hyundai customers this incident impacts, how long the network intrusion lasted, and what other countries might be affected.
Hyundai has suffered from a range of cybersecurity issues recently. In February 2023, the company rolled out emergency software updates on several car models impacted by a simple USB cable hack that enabled thieves to steal them. In December 2022, bugs in the Hyundai app allowed remote attackers to unlock and start various impacted models or expose car owner information.
Source – https://www.bleepingcomputer.com/news/security/hyundai-data-breach-exposes-owner-details-in-france-and-italy/
Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit
Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East. According to findings, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed.
It’s also suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day in version 14.4 and 14.4.2. There is no evidence that the exploit has been used after November 2021. ENDOFDAYS appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims with the .ics files containing invites to two backdated and overlapping events so as to not alert the users.
The attacks are suspected to have leveraged a quirk in iOS 14 that any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the users’ calendar without any notification or prompt.
The Microsoft Threat Intelligence team is tracking QuaDream as DEV-0196, describing it as a private sector offensive actor (PSOA). While the cyber mercenary company is not directly involved in targeting, it is known to sell its “exploitation services and malware” to government customers, the tech giant assessed with high confidence.
The malware, named KingsPawn, contains a monitor agent and the primary malware agent, both of which are Mach-O files written in Objective-C and Go, respectively. While the monitor agent is responsible for reducing the forensic footprint of the malware to evade detection, the main agent comes with capabilities to gather device information, cellular and Wi-Fi data, harvest files, access camera in the background, access location, call logs, and iOS Keychain, and even generate an iCloud time-based one-time password (TOTP).
Other samples support recording audio from phone calls and the microphone, running queries in SQL databases, and cleaning up forensic trails, such as deleting all calendar events from two years prior to the current time. The data is exfiltrated via HTTPS POST requests.
QuaDream’s customers operated 600 servers from several countries around the world between late 2021 and early 2023, including Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the U.A.E., and Uzbekistan.
This is not the first time QuaDream has attracted attention. In February 2022, Reuters reported that the company weaponised the FORCEDENTRY zero-click exploit in iMessage to deploy a spyware solution named REIGN. Then in December 2022, Meta disclosed that it took down a network of 250 fake accounts on Facebook and Instagram controlled by QuaDream to infect Android and iOS devices and exfiltrate personal data.
If anything, the development is yet another indication that despite the notoriety attracted by NSO Group, commercial spyware firms continue to fly under the radar and develop sophisticated spyware products for use by government clients.
Source – https://thehackernews.com/2023/04/israel-based-spyware-firm-quadream.html
Samsung Engineers Feed Sensitive Data to ChatGPT, Sparking Workplace AI Warnings
Recent reports about engineers at Samsung Electronics inadvertently leaking sensitive company information via ChatGPT in three separate incidents highlight why policies governing employee use of AI services in the workplace are quickly becoming a must for enterprise organisations.
The Economist Korea, one of the first to report on the data leaks, described the first incident as involving an engineer who pasted buggy source code from a semiconductor database into ChatGPT, with a prompt to the chatbot to fix the errors. In the second instance, an employee wanting to optimise code for identifying defects in certain Samsung equipment pasted that code into ChatGPT. The third leak resulted when an employee asked ChatGPT to generate the minutes of an internal meeting at Samsung.
The incidents played out exactly the same way that researchers have been warning that they could, since OpenAI made ChatGPT publicly available in November. Security analysts have noted how, in all instances where users share data with ChatGPT, the information ends up as training data for the machine learning/large language model (ML/LLM). They have noted how someone could later retrieve the data using the right prompts.
ChatGPT creator, OpenAI, itself has warned users on the risk: “We are not able to delete specific prompts from your history. Please don’t share any sensitive information in your conversations,” OpenAI’s user guide notes.
The situation has apparently prompted a rethink of ChatGPT use at Samsung after the third incident, just barely three weeks after the South Korean electronics giant allowed employees access to the generative AI tool. The company had initially banned the technology over security and privacy concerns before relenting.
Source – https://www.darkreading.com/vulnerabilities-threats/samsung-engineers-sensitive-data-chatgpt-warnings-ai-use-workplace
Newly Discovered “By-Design” Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers
A “by-design flaw” uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.
It could be possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE). The exploitation path that underpins this attack is a mechanism called Shared Key authorisation, which is enabled by default on storage accounts.
According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorisation, or via SAS tokens that are signed with the shared key. These access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.
Specifically, should a managed identity be used to invoke the Function app, it could be abused to execute any command. This, in turn, is made possible owing to the fact that a dedicated storage account is created when deploying an Azure Function app.
In other words, by exfiltrating the access-token of the Azure Function app’s assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.
As mitigations, it’s recommended that organisations consider disabling Azure Shared Key authorisation and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it “plans to update how Functions client tools work with storage accounts.”
The findings arrive weeks after Microsoft patched a misconfiguration issue impacting Azure Active Directory that made it possible to tamper with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.
Source – https://thehackernews.com/2023/04/newly-discovered-by-design-flaw-in.html
Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign
Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign leverages all known and recently discovered theme and plugin vulnerabilities to breach WordPress sites. The attacks are known to play out in waves once every few weeks.
The campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites. The websites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications to ‘Please Allow to verify, that you are not a robot,’ thereby enabling the actors to send spam ads.
In the interim years, Balada Injector has relied on over 100 domains and a plethora of methods to take advantage of known security flaws (e.g., HTML injection and Site URL), with the attackers primarily attempting to obtain database credentials in the wp-config.php file. Additionally, the attacks are engineered to read or download arbitrary site files – including backups, database dumps, log and error files – as well as search for tools like adminer and phpmyadmin that could have been left behind by site administrators upon completing maintenance tasks.
The malware ultimately allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access. Balada Injector further carries out broad searches from top-level directories associated with the compromised website’s file system to locate writable directories that belong to other sites.
Should these attack pathways turn out to be unavailable, the admin password is brute-forced using a set of 74 predefined credentials. WordPress users are, therefore, recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.
The activity, which also employs String.fromCharCode as an obfuscation technique, leads victims to booby-trapped pages that trick them into enabling push notifications by masquerading as a fake CAPTCHA check to serve deceptive content.
Source – https://thehackernews.com/2023/04/over-1-million-wordpress-sites-infected.html
SD Worx shuts down UK payroll, HR services after cyberattack
Belgian HR and payroll giant SD Worx has suffered a cyberattack causing them to shut down all IT systems for its UK and Ireland services. SD Worx is a European HR and payroll management company based out of Belgium that services 5.2 million employees for over 82,000 companies, according to its website.
Today, SD Worx began notifying customers that its UK and Ireland division suffered a cyberattack leading them to shut down IT systems to contain the attack.
“Our security team has discovered malicious activities in our hosted data centre last night. We have taken immediate action and have preventively isolated all systems and servers to mitigate any further impact. As a result, there is currently no access to our systems, which we deeply regret of course,” reads a security advisory to SD Worx UK and Ireland customers.
While the login portals for other European countries are working correctly, the company’s UK customer portal is not accessible. While there is no further information as to what type of cyberattack the company suffered, there is concern that sensitive data was stolen during the attack.
As a full-service human resources and payroll company, SD Worx manages a large amount of sensitive data for its client’s employees. According to the company’s general conditions agreement, this data may include tax information, government ID numbers, addresses, full names, birth dates, phone numbers, bank account numbers, employee evaluations, and more.
Other past attacks against payroll and HR management companies have led to lawsuits for inadequately protecting customers’ data. In 2021, a cyberattack against PrismHR caused a massive customer outage. Later that year, a ransomware attack against Kronos led to the filing of a class action lawsuit against the company.
Source – https://www.bleepingcomputer.com/news/security/sd-worx-shuts-down-uk-payroll-hr-services-after-cyberattack/
Illinois hospital forced into EHR downtime after cyberattack
Sarah D. Culbertson Memorial Hospital in Illinois is the latest hospital to be forced into electronic health record downtime procedures after a cyberattack. On its social media page, officials notified patients that a “network disruption” found on March 30 forced its systems offline.
The cyberattack “disabled access to most functions.” The hospital’s response team is continuing to investigate with support from third-party specialists as it works to “understand the full depth of the intrusion.”
After a week of network downtime, officials say they’ve been able to restore a portion of the impacted systems. Full access to its critical service systems is expected to be restored by April 11.
The hospital has already implemented a host of security improvements, alongside its investigation and recovery efforts. Its community notice doesn’t include any patient impacts, like care delays and limited comments on the post, which means there are no responses from patients on possible disruptions.
The Culbertson Memorial news followed an update from the Hospital Clinic of Barcelona Medical Director Antoni Castells on the ongoing outages caused by a RansomHouse cyberattack one month ago. The March 4 hack crippled the hospital’s emergency room, laboratories and clinics.
Healthcare cyberattacks that lead to network downtime cause an average of $1 million to $2 million in losses for each day of outages. Unlike other industries, hospital cyberattacks don’t just cause reputational and financial harm. Network outages cause patient care impacts and an increase in patient morbidity.
Source – https://www.scmagazine.com/news/ransomware/illinois-hospital-forced-health-records-downtime-cyberattack
KFC, Pizza Hut owner discloses data breach after ransomware attack
Yum! Brands, the brand owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack. This comes after the company said that although some data was stolen from its network, it has no evidence that the attackers exfiltrated any customer information.
In the breach notification letters sent to affected people starting Thursday, Yum! Brands revealed that it has now found out the attackers stole some individuals’ personal information, including names, driver’s license numbers, and other ID card numbers.
“Our review determined that the exposed files contained some of your personal information, including [Name or other personal identifier in combination with: Driver’s License Number or Non-Driver Identification Card Number].”
The company also added that the ongoing investigation had not found evidence that the stolen data had been used for identity theft or fraud. As a direct result of the January ransomware attack, Yum! Brands was forced to shut down around 300 restaurants in the United Kingdom.
In a January filing with the U.S. SEC, Yum! Brands also assured investors the ransomware attack would not cause any notable negative financial impact. Yum! Brands and its subsidiaries operate or franchise more than 55,000 restaurants across 155 countries and territories with the help of roughly 36,000 employees worldwide.
A Yum! Brands spokesperson stated that the company found no evidence that customers were affected by this data breach.
“In the course of our forensic review and investigation, we identified some personal information belonging to employees was exposed during the January 2023 cybersecurity incident,”.
“We are in the process of sending individual notifications and are offering complimentary monitoring and protection services. We have no indication that customer information was impacted.”
The company is yet to disclose the total number of employees who had their data stolen during the ransomware attack.
Source – https://www.bleepingcomputer.com/news/security/kfc-pizza-hut-owner-discloses-data-breach-after-ransomware-attack/
Hackers Flood NPM with Bogus Packages Causing a DoS Attack
Threat actors flooded the npm open source package repository for Node.js with bogus packages that briefly even resulted in a denial-of-service (DoS) attack.
The threat actors create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems’ good reputation on search engines. The attacks cause a denial-of-service (DoS) that make NPM unstable with sporadic ‘Service Unavailable’ errors.
While similar campaigns were recently observed propagating phishing links, the latest wave pushed the number of package versions to 1.42 million, a dramatic uptick from the approximate 800,000 packages released on npm.
The attack technique leverages the fact that open source repositories are ranked higher on search engine results to create rogue websites and upload empty npm modules with links to those sites in the README.md files. Given that the whole process is automated, the load created by publishing numerous packages led to NPM intermittently experiencing stability issues towards the end of March 2023.
While there may be multiple actors behind the activity, the end goal is to infect the victim’s system with malware such as RedLine Stealer, Glupteba, SmokeLoader, and cryptocurrency miners.
Other links take users through a series of intermediate pages that ultimately lead to legitimate e-commerce sites like AliExpress with referral IDs, earning the actors a profit when the victim makes a purchase on the platform. A third category entails inviting Russian users to join a Telegram channel that specialises in cryptocurrency.
Source – https://thehackernews.com/2023/04/hackers-flood-npm-with-bogus-packages.html