Thursday, December 14th, 2023
Cybersecurity Week in Review (15/12/2023)
UK Defense Ministry Fined for Life-Threatening Breach
The UK’s data watchdog said the details of 265 Afghan nationals were compromised via an “email error,” which could have resulted in a threat to life.
The UK Information Commissioner’s Office (ICO) fined the kingdom’s Ministry of Defence (MoD) £350,000 ($442,000) for disclosing personal details of people seeking to leave Afghanistan for the UK after Western forces pulled out from the country in 2021.
Exposing names, faces, and, in some cases, locations of people who have cooperated with the British forces could have put the individuals in life-threatening situations once the Taliban forces took over the country.
According to the ICO, the MoD sent an email to a list of individuals eligible for evacuation, placing the addresses of 245 people in the “To” field. In other words, somebody put everyone’s email address in the visible “To” field instead of using blind carbon copy (Bcc), so every recipient could see every other recipient.
A couple of the email recipients replied to the entire list of participants, with one providing their exact location.
“The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life,” reads the ICO’s statement.
Once the MoD realized what it had done, the ministry contacted individuals, asking them to delete the email and change their email address.
However, the ICO believes that the MoD’s Afghan Relocations and Assistance Policy (ARAP) team failed to meet the rules requiring secure data transfer services for any communications involving sensitive information.
“The ICO investigation found that, at the time of the infringement, the MoD did not have operating procedures in place for the ARAP team to ensure group emails were sent securely to Afghan nationals seeking relocation,” the ICO said.
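The control the ICO found missing is a small one to automate. The following is an added example, not code from the ICO, the MoD or the article: a builder that puts a recipient list in Bcc, and a check that refuses any group mailing whose To/Cc headers expose more than one recipient. The sender address, recipient addresses and subject are constructed placeholders.

```python
"""Group-mailing policy check: recipients must not be visible to each other."""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient can read, i.e. everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_group_mailing(msg: EmailMessage, max_visible: int = 1) -> List[str]:
    """Return a list of policy violations; an empty list means the message may be sent."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} recipients exposed in To/Cc (policy allows {max_visible})"
        )
    if "Bcc" in msg and not msg["To"]:
        # Some MTAs reject a message with no To header; use the team mailbox.
        problems.append("Bcc-only message needs a To address (the sending mailbox)")
    return problems


def build_group_mailing(sender: str, recipients: List[str], subject: str,
                        body: str, expose_recipients: bool = False) -> EmailMessage:
    """Build a one-to-many notice.

    expose_recipients=False (the safe default) puts the list in Bcc and the
    sender's own mailbox in To.  expose_recipients=True reproduces the mistake
    described above, everyone in To, and exists only so the check can be shown
    catching it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if expose_recipients:
        msg["To"] = ", ".join(recipients)
    else:
        msg["To"] = sender
        # smtplib.SMTP.send_message() uses Bcc for the envelope recipients and
        # strips the header before transmission, so the list never leaves.
        msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample addresses, not real applicants.
    team = "relocation-team@example.gov"
    applicants = [f"applicant{i}@example.org" for i in range(1, 6)]
    for exposed in (True, False):
        notice = build_group_mailing(team, applicants, "Update", "Hello.", exposed)
        print("exposed=%s -> %s" % (exposed, check_group_mailing(notice) or "OK"))
```

The check runs before the message reaches the MTA, which is where the ICO said the ARAP team had no operating procedure.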
Source – https://cybernews.com/news/uk-defense-ministry-fined-for-life-threatening-breach/
New Hacker Group ‘GambleForce’ Targeting APAC Firms Using SQL Injection Attacks
A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.
GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials.
The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.
The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.
Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group’s origins are far from clear.
The attack chains entail the abuse of victims’ public-facing applications through SQL injection, as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.
Source – https://thehackernews.com/2023/12/new-hacker-group-gambleforce-tageting.html
KraftHeinz Targeted in Ransomware Attack
The Snatch ransomware gang has claimed the iconic KraftHeinz food corporation as its latest victim. The KraftHeinz Company is considered the fifth largest food and beverage company in the world.
The Snatch gang posted the food giant on its dark leak site Wednesday, December 13th as its latest conquest. One note of interest is that it appears the threat actors had created the KraftHeinz entry back on August 16th but have only updated the post this week.
The entry was also void of any other information or file samples, which are commonly posted by ransom groups as proof of a claim, although in some cases, the criminals will hold off until communications are established, or they break down.
It’s the second major food producer to be hit by Snatch in the past two months.
KraftHeinz employs close to 40 thousand people in more than 40 countries worldwide with net sales of 26 billion in 2022, according to the corporate website. Besides Kraft and Heinz products, the company produces at least two dozen popular food brands under its name, including Oscar Mayer, Velveeta, Maxwell House, Ore-Ida, Kool-Aid, Smart Ones, Philadelphia, and Jell-O. Co-headquartered in Chicago and Pittsburgh, Pennsylvania, KraftHeinz is not the first major food producer to be hit with ransomware.
On November 13th, Snatch claimed Tyson Foods, the world’s second-largest chicken, beef, and pork processor, on its dark news blog. Tyson Foods supplies such chains as KFC, Taco Bell, McDonald’s, Burger King, and Wendy’s.
Similar to KraftHeinz, the ransom operators did not provide any samples or further information about how much stolen data they may have in their possession. Other big names that have been targeted by hackers include North American meat supplier JBS USA and US farm service provider New Cooperative Inc, both in 2021, and more recently, Dole Foods, this past February.
JBS admitted paying its hackers, the Russian-linked REvil gang, an $11 million ransom, while Dole’s attack caused the company to shut down all North American production, leading to a packaged lettuce shortage throughout the US.
Snatch is a lesser-known gang when it comes to ransomware, although it has reportedly been around since 2018. The US Cybersecurity and Infrastructure Security Agency (CISA) put out an advisory about the group in September.
Snatch is known to exploit its victims through Remote Desktop Protocol (RDP) vulnerabilities as well as brute-forcing and gaining administrator credentials to its victims’ network. Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system, CISA states.
According to researchers, the group uses a Ransomware-as-a-Service (RaaS) distribution model and double extortion methods, refusing to recruit English-speaking users. Snatch is thought to have victimized at least 95 organizations over the last 12 months.
Snatch’s manifesto also states that the group will always notify a victim, prioritize negotiations, and will not disclose the vulnerability exploited in the attack except to the victim.
Source – https://cybernews.com/news/kraftheinz-ransomware-attack-snatch/
Hackers are Exploiting Critical Apache Struts Flaw Using Public PoC
Hackers are attempting to leverage a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code.
It appears that threat actors have just started, with researchers observing a small number of IP addresses engaged in exploitation attempts.
Apache Struts is an open-source web application framework designed to streamline the development of Java EE web apps, offering a form-based interface and extensive integration capabilities.
The product is used extensively across various industries in both the private and public sectors, including government organizations, for its efficiency in building scalable, reliable, and easily maintainable web applications.
On December 7, Apache released Struts versions 6.3.0.2 and 2.5.33 to address a critical severity vulnerability currently identified as CVE-2023-50164.
The security issue is a path traversal flaw in file upload handling that can be exploited if certain conditions are met. It can allow an attacker to upload malicious files and achieve remote code execution (RCE) on the target server. This could lead to unauthorized access to web servers, modification or theft of sensitive data, disruption of critical services, and lateral movement in breached networks.
The RCE vulnerability affects Struts versions 2.0.0 through 2.3.37 (end of life), Struts 2.5.0 through 2.5.32, and Struts 6.0.0 up to 6.3.0.
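The version ranges above are what an inventory scan needs. The following is an added example, not code from Apache or from the article: it maps a Struts version string, or a struts2-core jar name found in a deployment, onto the affected ranges and the fixed releases 2.5.33 and 6.3.0.2. It treats every release below the fixed one on a supported branch as affected (so an interim 6.3.0.1 is flagged, which goes slightly beyond the article’s “up to 6.3.0”), and the jar listing in the demo is constructed.

```python
"""Classify Apache Struts versions against the CVE-2023-50164 affected ranges."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# From the article: 2.0.0-2.3.37 (end of life, no fix), 2.5.0-2.5.32 (fixed in
# 2.5.33) and 6.0.0-6.3.0 (fixed in 6.3.0.2).  Each entry is
# (first affected, first non-affected, fixed release or None).  Python compares
# tuples lexicographically and a shorter tuple sorts before a longer one with
# the same prefix, so (6, 3, 0) < (6, 3, 0, 2) as required.
AFFECTED = [
    ((2, 0, 0), (2, 4), None),                 # whole 2.0-2.3 line is EOL
    ((2, 5, 0), (2, 5, 33), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2), (6, 3, 0, 2)),
]

JAR_RE = re.compile(r"struts2?-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.32' -> (2, 5, 32); anything that is not dotted integers is rejected."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess_struts_version(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_release) with status one of
    'vulnerable', 'end-of-life' or 'not-affected'."""
    v = parse_version(text)
    for first, bound, fix in AFFECTED:
        if first <= v < bound:
            if fix is None:
                return ("end-of-life", None)    # no patched release exists
            return ("vulnerable", format_version(fix))
    return ("not-affected", None)


def version_from_jar_name(path: str) -> Optional[str]:
    """Pull the version out of e.g. 'WEB-INF/lib/struts2-core-2.5.32.jar'."""
    m = JAR_RE.search(path)
    return m.group(1) if m else None


def scan_jar_list(paths: List[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Assess every struts2-core jar in a path listing (e.g. from `unzip -l app.war`)."""
    findings = []
    for p in paths:
        ver = version_from_jar_name(p)
        if ver is not None:
            status, fix = assess_struts_version(ver)
            findings.append((p, ver, status, fix))
    return findings


if __name__ == "__main__":
    # Constructed WAR listing, not a real deployment.
    sample = [
        "WEB-INF/lib/commons-io-2.11.0.jar",
        "WEB-INF/lib/struts2-core-2.5.32.jar",
        "WEB-INF/lib/struts2-core-6.3.0.2.jar",
    ]
    for path, ver, status, fix in scan_jar_list(sample):
        print(f"{path}: {ver} -> {status}" + (f", upgrade to {fix}" if fix else ""))
```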
On December 10, a security researcher published a technical write-up for CVE-2023-50164, explaining how a threat actor could contaminate file upload parameters in attacks. A second write-up, which includes exploit code for the flaw, was published yesterday.
In a security advisory yesterday, Cisco says that it is investigating CVE-2023-50164 to determine which of its products with Apache Struts may be affected and to what extent.
The set of Cisco products under analysis includes the Customer Collaboration Platform, Identity Services Engine (ISE), Nexus Dashboard Fabric Controller (NDFC), Unified Communications Manager (Unified CM), Unified Contact Center Enterprise (Unified CCE), and Prime Infrastructure.
A full list of potentially impacted products is available in Cisco’s security bulletin, which is expected to be updated with fresh information.
Law Behemoth CMS Claimed by LockBit Ransomware
CMS, one of the world’s largest law firms, has been claimed by LockBit ransomware, with the attackers alleging a 500GB data theft. The international law firm was posted on LockBit’s dark web blog, where the gang showcases its latest victims. The attackers claim to have taken “all confidential information in the USA.”
In the post announcing the supposed breach, the threat actors imply that they’ve stolen 500GB of data related to “financial and corporate crimes of clients.” The data supposedly also holds information on CMS’s employees, the company’s tax and financial reports, and other data.
With a team of nearly 6,000 lawyers over 81 global offices, CMS is among the world’s largest law firms. The firm was created in 1999 after a merger of six Europe-based law firms.
CMS has been criticized in the UK for aiding Russian billionaires after Moscow launched a full-scale invasion of Ukraine.
The LockBit group first appeared on the ransomware scene sometime in late 2019. Since then, the gang has climbed to the top of the food chain, topping many lists in terms of victimized organizations.
The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa.
Source – https://cybernews.com/news/law-firm-cms-alleged-ransomware/
New Cybercrime Market ‘OLVX’ Gains Popularity Among Hackers
A new cybercrime marketplace, OLVX, has emerged and is quickly gaining new customers looking to purchase tools to conduct online fraud and cyberattacks.
OLVX follows a recent trend where cybercrime marketplaces are increasingly hosted on the clearnet instead of the dark web, making them more accessible to a broader range of users and possible to promote through search engine optimization (SEO).
Researchers, who first identified OLVX in early July 2023, have reported a substantial uptick in activity on the new marketplace in the fall, noting a rise in both sellers and buyers.
This rise in OLVX’s popularity is attributed to SEO efforts from the market’s admins, advertisements on hacker forums, promotion through the platform’s dedicated Telegram channel, and the hacking community’s “word of mouth.”
While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX’s ability to maintain and attract customers to the platform.
OLVX does not use an escrow service like most markets of this kind, but instead offers a “deposit to direct payment” system supporting Bitcoin, Monero, Ethereum, Litecoin, TRON, Bitcoin Cash, Binance Coin, and Perfect Money.
This encourages additional spending for the users as funds are constantly available, so browsing leads to more frequent purchases.
Customers running low on funds are urged to “top-off” their accounts using a time-limited anonymized cryptocurrency address to maintain privacy and security. While deposited funds make it easier to make purchases, they also make it easier for the marketplace operators to perform an exit scam to steal all deposited cryptocurrency.
OLVX hosts thousands of low-cost digital items, software, and services to conduct cybercrime or enhance existing operations.
The items sold on OLVX can be summarized as follows:
- Access to compromised legitimate websites worldwide, with the ability to verify the connection before purchase. Prices are as low as under $5.
- Over 6,000 active cPanel accesses are available, presumably from compromised sites. Details like country, domain, hosting provider, and rankings are provided, with prices generally under $10.
- Compromised Remote Desktop Protocol and Secure Shell access to potentially legitimate servers, priced under $10, with verification of credentials’ validity before purchase. Pricing varies based on access level and system specs.
- Over 1,000 compromised SMTP accounts and scripts for running email campaigns, with prices less than $10.
- Over 8,000 compromised webmail credentials, allowing for searches of specific domains needed for social engineering attacks, priced at just a few dollars.
- Bulk lists containing email addresses and compromised credentials, used for large-scale attacks like phishing or brute force, priced between $1-200 depending on the database size, target, and country.
- Credentials from specific domains/services, including user to administrator access, with prices varying. Items for sale include accounts from adult websites, providing a social engineering angle.
- Pre-developed phishing kits, some with advanced features like 2FA bypass, priced up to $150 for feature-rich kits and below $20 for general pages. The kits target various sectors, including retail and finance.
Independently verifying the validity and quality of the above is impossible, given the nature of the platform. However, OLVX’s rising popularity and reputable standing lend credibility to the authenticity of most available items.
Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.
IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.
The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers.
ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. Targets of the campaign include Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania.
The campaign involves the use of decoys that are designed to primarily single out European entities with a “direct influence on the allocation of humanitarian aid,” leveraging documents associated with the United Nations, the Bank of Israel, the U.S. Congressional Research Service, the European Parliament, a Ukrainian think tank, and an Azerbaijan-Belarus Intergovernmental Commission.
Some of the attacks have been found to employ RAR archives exploiting the WinRAR flaw called CVE-2023-38831 to propagate HeadLace, a backdoor that was first disclosed by the Computer Emergency Response Team of Ukraine (CERT-UA) in attacks aimed at critical infrastructure in the country.
The disclosure comes a week after the threat actor’s exploitation of a critical security flaw of Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims’ accounts within Exchange servers was detailed.
The reliance on official documents as lures, therefore, marks a deviation from previously observed activity, “indicative of ITG05’s increased emphasis on a unique target audience whose interests would prompt interaction with material impacting emerging policy creation.”
“It is highly likely the compromise of any echelon of global foreign policy centers may aid officials’ interests with advanced insight into critical dynamics surrounding the International Community’s (IC) approach to competing priorities for security and humanitarian assistance,” the researchers said.
The development also follows a new advisory in which CERT-UA linked the threat actor known as UAC-0050 to a massive email-based phishing attack against Ukraine and Poland using Remcos RAT and Meduza Stealer.
Source – https://thehackernews.com/2023/12/russian-apt28-hackers-targeting-13.html
Cyberattack Cripples Ukraine’s Largest Telecom Operator
Kyivstar, the largest mobile network operator in Ukraine, was hit by a massive cyberattack on Tuesday, disrupting mobile and internet communications for millions of citizens. Kyivstar has nearly 25 million mobile subscribers and more than 1 million home internet customers.
Kyivstar CEO Oleksandr Komarov claimed the cyberattack was “a result of” the war with Russia and that the company’s IT infrastructure had been “partially destroyed”.
A system used to send air raid alerts in parts of Kyiv was also impacted.
Kyivstar parent company, Netherlands-based VEON Ltd., confirmed that Kyivstar had been the target of a widespread attack on the morning of December 12, 2023, calling it “one of the largest cyberattacks in the history of the global telecom market.”
“Kyivstar technical teams are working on eliminating the consequences of the hacker attack and restoring communication as soon as possible,” the company said. “They are working in close cooperation with Ukrainian law enforcement agencies to determine the circumstances and consequences of the interference in the Kyivstar network. At the time of this release, the personal data of subscribers has not been compromised, to the best of Kyivstar’s knowledge.”
The damaging attack appears to be the most impactful event in cyberspace to hit Ukraine since Russia’s invasion in February 2022, when a cyberattack on Viasat crippled communications on the KA-SAT satellite network used by Ukraine’s government and military, also impacting tens of thousands of modems across Europe.
The attack won’t be as damaging to military communications as the Viasat hack, because Ukraine’s mobile telecommunications systems have been configured for increased resilience to disruption. It is thought that the front lines and the ISR (intelligence, surveillance, reconnaissance) drone operators will have less bandwidth to communicate with artillery and other support elements. This will decrease their operational capacity and reduce their defensive capabilities.
The notorious pro-Russia hacker group Killnet claimed responsibility for the attack through a note on Telegram, but without any evidence to support the claim.
Previous KillNet operations have not demonstrated capabilities that would allow them to conduct an operation of this scale. In addition, this claim of responsibility does not match that pattern: it was released hours after the operation and offers no “proof,” raising the possibility that it is simply an opportunistic claim rather than a legitimate one.
While the source of this attack remains unconfirmed and under active investigation by Ukrainian authorities, it is likely the result of Russian-allied actors. Attacks on critical infrastructure such as telecommunications, electricity, and public utilities are a core component of the Russian cyber warfare landscape.
As of 20:00 Kyiv time on December 12, 2023, Kyivstar said it had partially restored the operation of fixed-line services. “Currently, the Kyivstar technical teams are working on restoring other services, with the intention of and the best effort towards achieving recovery starting 13 December 2023. The restoration of services may be gradual, and Kyivstar will inform the public and its customers as the restoration progresses.”
In the weeks before and immediately after Russia launched its war against Ukraine on February 24, 2022, Russia appeared to intensify its attacks in cyberspace, with distributed denial-of-service (DDoS) attacks, disruptive wiper malware, and misinformation campaigns.
Source – https://www.securityweek.com/cyberattack-cripples-ukraines-largest-telcom-operator/
Norton Healthcare Ransomware Hack: 2.5 Million Personal Records Stolen
Kentucky healthcare organization Norton Healthcare is informing roughly 2.5 million individuals that their personal information was compromised in a ransomware data extortion hack earlier this year. The incident was identified on May 9, 2023, and involved unauthorized access to certain network storage systems for two days, the company said.
The Louisville-based Norton Healthcare, which runs 140 locations in Greater Louisville and Southern Indiana, said it determined that the attackers exfiltrated files containing the personal information of current and former patients, employees, and dependents.
In mid-November, Norton Healthcare determined that the compromised information included names, contact information, dates of birth, Social Security numbers, health and insurance information, and medical identification numbers.
“In some instances, the data may also have included driver’s license numbers or other government ID numbers, financial account numbers, and digital signatures,” the organization said in an incident notice posted on its website.
According to Norton Healthcare, its medical record system and the Norton MyChart application service (which allows patients to access their medical records from their mobile devices) were not affected.
While the notice did not say how many individuals were affected, Norton Healthcare informed the Maine Attorney General’s Office that the attackers stole the personal information of 2.5 million individuals.
The organization said that it did not pay the ransom demands.
In May 2023, shortly after the incident occurred, the BlackCat/Alphv ransomware group claimed responsibility for the incident, threatening to leak roughly 4.7 terabytes of data allegedly stolen from Norton Healthcare.
The Tor-based BlackCat/Alphv leak site has been inaccessible since December 7, following what is believed to be a law enforcement takedown operation. According to Cisco, BlackCat was the second most active ransomware group this year.
Source – https://www.securityweek.com/norton-healthcare-ransomware-hack-2-5-million-personal-records-stolen/
Toyota Warns Customers of Data Breach Exposing Personal and Financial Info
Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity with a presence in 90% of the markets where Toyota sells its cars, providing auto financing to its customers.
Last month, the company confirmed that it detected unauthorized access on some of its systems in Europe and Africa, following a claim from Medusa ransomware about successfully compromising the Japanese automaker’s division. The threat actors demanded a payment of $8,000,000 to delete the stolen data and gave Toyota 10 days to respond to their blackmail.
At the time, a Toyota spokesperson said that the company had detected unauthorized access on some of its systems in Europe and Africa. The company took certain systems offline to contain the breach, which impacted customer services.
Presumably, Toyota has not negotiated a ransom payment with the cybercriminals, and currently, all data has been leaked on Medusa’s extortion portal on the dark web.
Earlier this month, Toyota Kreditbank GmbH in Germany was identified as one of the impacted divisions, admitting that hackers gained access to customers’ personal data.
German news outlet Heise received a sample of the notices sent by Toyota to German customers, informing that the following data has been compromised:
- Full name
- Residence address
- Contract information
- Lease-purchase details
- IBAN (International Bank Account Number)
This type of data can be used in phishing, social engineering, scams, financial fraud, and even identity theft attempts.
The notification verifies the above data as compromised based on the ongoing investigation. However, the internal investigation isn’t complete yet, and there remains a possibility that attackers accessed additional information.
Toyota promises to promptly update affected customers should the internal investigation reveal further data exposure.
Seattle Cancer Centre Confirms Data Breach, Cyber Criminals Threatening Patients
A Seattle cancer centre confirms it has been the victim of a cyber attack and some patients have received email threats as a result.
UW Medicine partners with the Fred Hutchinson Cancer Center to advance cancer research. In a letter to patients, UW Medicine Chief Executive Officer Dr. Timothy Dellit said the “cybersecurity incident” experienced on Fred Hutch systems impacted data for some UW Medicine patients who have not been seen at Fred Hutch.
“Some patients have received an email from the cyber-criminals and we are sorry if you received one,” Dellit said. “Unfortunately, this is a common tactic they use and law enforcement has been notified of these messages. If you receive a message demanding a ransom, do not pay it.”
People who have received a message are encouraged to report it to the FBI’s Internet Crime Complaint Center, according to Dellit. People should then block the sender and delete the message, and report it as spam for added security.
Fred Hutch said it immediately notified federal law enforcement and a forensic security firm to investigate and the incident was contained fairly quickly.
“The safety, wellbeing, and personal information of our patients and employees is of the utmost importance to Fred Hutch. Our forensic team is continuing to conduct an assessment of the data accessed and we will provide further updates as we have them,” Fred Hutch said on its website.
Patient care has not been interrupted by the incident, according to UW Medicine and Fred Hutch.
This isn’t the first time in recent memory a cybersecurity incident has happened at Fred Hutch. Last year, a data breach occurred after an unauthorized party temporarily accessed an employee’s email account in March. At the time, Fred Hutch said there was no indication that any identity theft or fraud resulted from the hack, but it notified individuals who may have been affected.
There’s no information to suggest this current cybersecurity incident is connected to the data breach in 2022.