Friday, September 16th, 2022
Cybersecurity Week in Review (16/9/22)
Uber hacked, internal systems breached and vulnerability reports stolen
A hacker gained access to Uber’s vulnerability reports and shared screenshots of the company’s internal systems, email dashboard, and Slack server.
The screenshots show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain. Other systems the hacker accessed include the company’s Amazon Web Services console, VMware ESXi virtual machines, Google Workspace email admin dashboard, and Slack server, to which the hacker posted messages.
The hacker breached Uber after performing a social engineering attack on an employee and stealing their password. The threat actor then gained access to the company’s internal systems using the stolen credentials.
The hacker also had access to the company’s HackerOne bug bounty program. The program allows security researchers to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. It is thought that the attacker downloaded all vulnerability reports before they lost access to Uber’s bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber.
Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available.
Source – https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/
FBI: Hackers steal millions from healthcare payment processors
Hackers are targeting healthcare payment processors to route payments to bank accounts under the attackers' control, the FBI has warned.
The FBI says that it received multiple reports where hackers are using publicly available personal details and social engineering to impersonate victims with access to payment processors in the healthcare industry and to modify payment instructions.
The FBI says that in just three such incidents in February and April this year, hackers diverted more than $4.6 million from the victims to accounts they controlled. In February, one threat actor used credentials from a major healthcare company to replace the direct deposit banking information of a hospital with accounts they controlled, stealing $3.1 million.
Among the mitigations the FBI proposes are running regular network security assessments (e.g. penetration testing, vulnerability scans) to ensure compliance with current standards and regulations, and watching for suspicious changes to the email server or for requests to reset passwords or the phone numbers used for two-factor authentication.
Source – https://www.bleepingcomputer.com/news/security/fbi-hackers-steal-millions-from-healthcare-payment-processors/
Group of Hackers Attack Asian Governments Using ShadowPad RAT Malware
Government institutions in Asia have become the target of cyber espionage by a distinct group of threat actors that has previously been associated with the well-known RAT ShadowPad.
Some of the prime targets have included the Head of government/Prime Minister’s Office, Government institutions linked to finance, Government-owned aerospace and defense companies as well as state-owned telecom companies, IT organizations, and media companies.
To carry out the attack, a malicious DLL is first implanted. The attackers launch a legitimate application's executable, packaged with a .dat file, so that it loads the malicious DLL through side-loading. The Bitdefender Crash Handler executable abused by these hackers is 11 years old, an example of a legitimate application being turned against the systems it runs on.
By taking advantage of this, the threat actors can execute commands or additional payloads directly from memory.
To steal user credentials from LSASS, the threat actors deploy ProcDump after establishing backdoor access. DLL hijacking was again used to side-load the LadonGo penetration testing framework. Two computers in the same network were exploited by the hackers to elevate their privileges through CVE-2020-1472 (Netlogon). Crash Handler was executed by the attackers using PsExec. Next, the hackers loaded the payloads from additional computers in the network using the same DLL search order hijacking trick. Users' credentials and log files were accessed via a snapshot of the Active Directory server mounted by the threat actors.
Furthermore, the threat actors conducted exploit attempts against other machines on the network using Fscan, in particular leveraging the ProxyLogon (CVE-2021-26855) vulnerability to compromise an Exchange Server. The attack also used a previously unseen and feature-rich information stealer, Infostealer.Logdatter.
In this context, it is likely that this espionage campaign is being carried out by Chinese hackers. However, there is not enough proof to support a confident attribution based on the available evidence.
Source – https://gbhackers.com/hackers-attack-asian-governments-using-shadowpad-rat-malware/
Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
Tracked as CVE-2022-3180 (CVSS score: 9.8), a zero-day flaw is being weaponized by threat actors to add a malicious administrator user to sites running the WPGateway plugin on WordPress.
WPGateway allows for site administrators to install, backup, and clone WordPress plugins and themes from a unified dashboard. A common indicator that the plugin has been compromised is the presence of an administrator with the username “rangex.” Additionally, the appearance of requests to “//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1” in the access logs is a sign that the WordPress site has been targeted using the flaw, although it doesn’t necessarily imply a successful breach.
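The two indicators quoted above (the webservice request with `wp_new_credentials=1` and an administrator named "rangex") can be checked mechanically. The scanner below is an added example written for this roundup, not code from the article or from the plugin's vendor; the log lines and user table are constructed samples, and a log hit only means the site was targeted, not that the attack succeeded.

```python
import re
from urllib.parse import parse_qs

# Indicators quoted in the WPGateway (CVE-2022-3180) report: the webservice path
# requested with wp_new_credentials=1, and an added administrator named "rangex".
SUSPECT_PATH = "/wp-content/plugins/wpgateway/wpgateway-webservice-new.php"
SUSPECT_PARAM = "wp_new_credentials"
SUSPECT_ADMIN = "rangex"

# Common/combined access log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_wpgateway_probe(target):
    """True when the request target matches the reported exploitation URL."""
    path, _, query = target.partition("?")
    path = re.sub(r"/{2,}", "/", path)  # the reported requests carry a doubled leading slash
    if path != SUSPECT_PATH:
        return False
    return parse_qs(query).get(SUSPECT_PARAM, [""])[0] == "1"

def scan_access_log(lines):
    """Return one record per matching request; a hit means targeted, not necessarily breached."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wpgateway_probe(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

def suspicious_admins(users):
    """Flag administrator accounts carrying the reported username."""
    return [u["login"] for u in users
            if u.get("role") == "administrator" and u.get("login") == SUSPECT_ADMIN]

# Constructed sample data (not real traffic and not a real site's user table)
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2022:10:01:02 +0000] "POST //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/Sep/2022:10:01:05 +0000] "GET /wp-content/plugins/wpgateway/readme.txt HTTP/1.1" 200 1024',
    '203.0.113.7 - - [14/Sep/2022:10:02:41 +0000] "GET /wp-login.php HTTP/1.1" 302 0',
]
SAMPLE_USERS = [{"login": "editor1", "role": "editor"},
                {"login": "rangex", "role": "administrator"}]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible WPGateway exploitation attempt:", hit)
    print("suspicious admins:", suspicious_admins(SAMPLE_USERS))
```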
The development comes days after reports of in-the-wild abuse of another zero-day flaw in a WordPress plugin called BackupBuddy. In the absence of a patch, users are recommended to remove the plugin from their WordPress installations until a fix is available.
Source – https://thehackernews.com/2022/09/over-280000-wordpress-sites-attacked.html
Twitter was warned by FBI that it employed a Chinese agent
A cesspool of cybersecurity and privacy risks is how whistle-blower Peter Zatko described Twitter in his congressional appearance on Tuesday, Sept 13th. He also claimed the site had at least one Chinese agent on its payroll.
Zatko, who worked as Twitter’s head of security between November 2020 and early this year, was called to testify after he filed a complaint in August alleging that the site poses a risk to national security. Twitter has accused him of making misleading claims.
His testimony claimed that thousands of Twitter employees — potentially including spies — have access to sensitive user data including private messages, current locations, home addresses, and phone numbers.
Furthermore, he reiterated previous claims that Twitter employed at least one Indian agent — testifying that Twitter was ill-equipped to deal with an array of security challenges because top executives failed to heed his concerns.
A Twitter spokesperson said in a statement to The Post: “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies.”
The spokesperson added that the company’s hiring process is free of foreign influence and said that user data is protected through security measures including background checks, access controls and monitoring systems.
Zatko made the comments during a two-and-a-half hour hearing with the Senate Judiciary Committee that concluded just 30 minutes before Twitter shareholders formally approved a $44 billion buyout offer from Elon Musk that the mogul is now seeking to withdraw. The top Republican on the Committee, Sen. Chuck Grassley of Iowa, blasted Twitter CEO Parag Agrawal for rejecting a call to testify in front of the committee. Agrawal rejected the request as it would “jeopardize” the company’s ongoing legal battle against Elon Musk over his takeover bid, Grassley said.
Musk received permission from a Delaware judge to use Zatko’s claims in his legal battle to get out of the deal. He also sent a letter to Twitter on Friday arguing that he should be allowed to ditch the deal, citing the revelations.
Source – https://nypost.com/2022/09/13/twitter-was-warned-by-fbi-that-it-employs-a-chinese-agent-whistleblower/
Iranian Hackers Target High-Value Targets in Nuclear Security and Genomic Research
Individuals specializing in Middle Eastern affairs, nuclear security, and genome research have been targeted by hackers with ties to the Iranian government with a campaign designed to hunt for sensitive information.
The attacks have been attributed to threat actor TA453, which broadly overlaps with activity tracked under the monikers APT42, Charming Kitten, and Phosphorus.
A phishing email impersonating legitimate individuals at Western foreign policy research organizations is distributed, designed to gather intelligence on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC).
What differentiates this from other phishing attacks is the use of a tactic called Multi-Persona Impersonation (MPI), wherein the threat actor employs not one but several actor-controlled personas in the same email conversation to bolster the chances of success. The idea is to increase the authenticity of the threat actor’s correspondence to make the target buy into the scheme. Once the initial email elicits a response from the target, the persona then sends a follow-up message containing a malicious OneDrive link that downloads a Microsoft Office document, one of which purportedly alludes to a clash between Russia and the U.S.
The document then uses remote template injection to download Korg, a template consisting of three macros that are capable of gathering usernames, a list of running processes, and the victims' public IP addresses.
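Remote template injection leaves a recognisable trace in the document itself: a Word file that fetches its template from elsewhere declares it as an external attachedTemplate relationship in word/_rels/settings.xml.rels. The checker below is an added example for this roundup, not tooling from the article or from Proofpoint; it builds a minimal constructed .docx in memory and flags any template reference pointing off-host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for an attached template
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")

def find_remote_templates(docx_bytes):
    """Return the off-host template targets referenced by a .docx (empty list if none)."""
    remote = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return remote  # no settings relationships: no template can be attached
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            # A local Normal.dotm is also "External"; only network/UNC targets fetch remotely
            if target.lower().startswith(REMOTE_PREFIXES):
                remote.append(target)
    return remote

def build_docx(template_target=None):
    """Construct a minimal .docx in memory (constructed sample, not a real lure document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            rels = (f'<Relationships xmlns="{REL_NS}">'
                    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>'
                    f'</Relationships>')
            zf.writestr(RELS_PART, rels)
    return buf.getvalue()

if __name__ == "__main__":
    # example.invalid is a reserved placeholder domain, not a real host
    sample = build_docx("https://example.invalid/template.dotm")
    print("remote templates:", find_remote_templates(sample))
```

The same check applies to .dotx/.dotm and to other OOXML parts that can carry external relationships; this block deliberately covers only the settings part that attached templates use.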
This is not the first time the threat actor has undertaken impersonation campaigns. In July 2021, a phishing operation dubbed SpoofedScholars targeted individuals focused on Middle East affairs in the U.S. and the U.K. under the guise of scholars with the University of London’s School of Oriental and African Studies (SOAS).
The latest disclosure comes amid a flurry of Iranian-linked cyber activity. Last week, Microsoft took the wraps off a string of ransomware attacks mounted by a Phosphorus subgroup dubbed DEV-0270 using living-off-the-land binaries such as BitLocker.
Source – https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html
Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw
To address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild, Apple has released another round of security updates.
Tracked as CVE-2022-32917, the issue is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. CVE-2022-32917 is the second Kernel related zero-day flaw that Apple has remediated in less than a month.
Patches are available in versions iOS 15.7, iPadOS 15.7, iOS 16, macOS Big Sur 11.7, and macOS Monterey 12.6. The iOS and iPadOS updates cover iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
With the latest fixes, Apple has addressed seven actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year.
Besides CVE-2022-32917, Apple has plugged 10 security holes in iOS 16, spanning Contacts, Kernel Maps, MediaLibrary, Safari, and WebKit. The iOS 16 update is also notable for incorporating a new Lockdown Mode that’s designed to make zero-click attacks harder.
iOS further introduces a feature called Rapid Security Response that makes it possible for users to automatically install security fixes on iOS devices without a full operating system update.
Source – https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html
Hackers steal Steam accounts in new Browser-in-the-Browser attacks
A Browser-in-the-Browser phishing technique that is rising in popularity among threat actors is being used to steal Steam credentials.
The method involves the creation of fake browser windows within the active window, making it appear as a sign-in pop-up page for a targeted login service.
This new campaign using the 'Browser-in-the-Browser' method targets Steam users, going after the accounts of professional gamers. The attackers then aim to sell access to those accounts, with some prominent Steam accounts valued between $100,000 and $300,000.
The phishing kit used in this campaign isn’t widely available in hacking forums or dark web markets. Instead, it is used privately by hackers that come together on Discord or Telegram channels to coordinate their attacks. Prospective victims are targeted with direct messages on Steam, inviting them to join a team for LoL, CS, Dota 2, or PUBG tournaments.
To join a competition, the visitors are requested to log in via their Steam account. However, the new login page window isn’t an actual browser window overlaid over the existing website but rather a fake window created within the current page, making it very hard to spot as a phishing attack.
Once the victim enters their credentials, a new form prompts them to enter the 2FA code. If the second step is unsuccessful, an error message is displayed. If successful, the user is redirected to a URL specified by the C2, usually a legitimate address, to minimize the chances of the victim realizing the compromise.
At this point, the victim’s credentials have already been stolen and sent to the threat actors. In similar attacks, the threat actors quickly hijack the Steam accounts, changing passwords and email addresses to make it more difficult for the victims to regain control over their accounts.
To spot these attacks, users should be very wary of direct messages received on Steam, Discord, or other game-related platforms, and avoid following links sent by users they do not know. In addition, a login window can be checked by looking for it in the taskbar and by trying to minimize or resize it: a fake window drawn inside the page cannot be moved outside the page that contains it.
Source – https://www.bleepingcomputer.com/news/security/hackers-steal-steam-accounts-in-new-browser-in-the-browser-attacks/
U-Haul discloses data breach exposing customer driver licenses
U-Haul International has disclosed a data breach after a customer contract search tool was compromised to access customers' names and driver's license information.
The company began an incident investigation on July 12 after discovering the breach, and found on August 1 that attackers had accessed some customers' contracts between November 5, 2021, and April 5, 2022.
The accessed information included the name and driver’s license or state identification number. The impacted individuals were notified by U-Haul.
Although U-Haul did not explain how, the attacker is said to have accessed the U-Haul rental contracts search portal after compromising two unique passwords.
U-Haul added that no credit card information was accessed or acquired during the incident, because the compromised search tool does not give users access to payment card information.
Affected customers were provided one year of free identity theft protection services. This will help them detect when or if their personal information is misused.
Source – https://www.bleepingcomputer.com/news/security/u-haul-discloses-data-breach-exposing-customer-driver-licenses/
New attack can unlock and start a Tesla Model Y in seconds
A sophisticated relay attack has been discovered that allows someone with physical access to a Tesla Model Y to unlock and steal it.
The vulnerability involves what’s called an NFC relay attack and requires two thieves working in tandem. One thief needs to be near the car and the other near the car owner, who has an NFC keycard or mobile phone with a Tesla virtual key on their person.
Near-field communication key cards allow Tesla owners to unlock their vehicles and start the engine by tapping the card against an NFC reader embedded in the driver’s side body of the car.
The first hacker uses a Proxmark RDV4.0 device to initiate communication with the NFC reader. The car responds by transmitting a challenge that the owner's NFC card is meant to answer. In the attack scenario, the Proxmark device relays the challenge via Wi-Fi or Bluetooth to the mobile phone held by the accomplice, who places it near the owner's pocket or purse to communicate with the key card. The key card's response is then transmitted back to the Proxmark device, which forwards it to the car; the car accepts the response and unlocks, authenticating the thief.
The attack is limited by the distance the two accomplices can be from one another. Over Wi-Fi, using a Raspberry Pi to relay the signals, the two can be farther apart.
Until last year, drivers who used the NFC card to unlock their Tesla had to place the NFC card on the console between the front seats in order to shift it into gear and drive. But a software update last year eliminated that additional step.
There is one hitch to the operation. Once the thieves shut off the engine, they can’t restart the car with that original NFC key card.
The company downplayed the problem, indicating that the PIN-to-drive function would mitigate it. This requires a driver to type a four-digit PIN into the car's touchscreen in order to operate the vehicle.
Source – https://www.theverge.com/2022/9/12/23348765/tesla-model-y-unlock-drive-car-thief-nfc-relay-attack