Friday, August 19th, 2022
Cybersecurity Week in Review (19/8/22)
Ransomware Victim: Triple-Hacked In Just 2 Weeks
An unnamed automotive supplies company has fallen victim to three different ransomware groups, three times, in the space of just 14 days.
Ransomware gangs known as Hive, LockBit and BlackCat were identified as the attackers in this case. The first two compromises happened very close together, separated by no more than 120 minutes, with the third taking place two weeks later. A ransom note was left with some files encrypted three times, making them all but impossible to retrieve.
The intrusion is believed to have begun back on December 2, 2021, with a remote desktop protocol (RDP) session on the victim’s domain controller. This paved the way for the triple-whammy ransomware attack to actually begin on April 20, when a LockBit affiliate accessed the network and exfiltrated data. The same threat actor returned on April 28 to steal passwords, and on May 1 the ransomware binary was executed to encrypt data and drop a ransom note. This was quickly followed by a Hive affiliate dropping its own ransomware, encrypting the data again, and leaving another ransom demand. Finally, on May 15, a BlackCat group affiliate moved laterally through the network and dropped two ransomware binaries, encrypting data for the third time.
This attack was unusual given the short amount of time between attacks. The gap between attacks on the same organisation is most often six weeks. Multiple exploitations such as this are usually explained by two core failings:
· Unpatched vulnerabilities and misconfigurations not addressed quickly enough after the first attack, which allows a second threat actor to piggyback in through the same holes.
· Incomplete incident response to the first attack, effectively leaving a backdoor through which more threat actors can pile in.
Ransomware Group Claims Access to SCADA in Confusing UK Water Company Hack
At least one UK water company has been hit by a ransomware group, but there is confusion over whose system it actually is.
Thames Water, which advertises itself as the UK’s largest water and wastewater company, serving 15 million people, has been identified as the victim of the breach by the Cl0p ransomware group on its Tor-based leak website. However, experts have pointed out that the leaked files actually appear to belong to South Staffordshire, whose subsidiaries, South Staffs Water and Cambridge Water, serve 1.6 million people and tens of thousands of businesses in the UK.
Thames Water have denied media reports of water contamination, while South Staffordshire did confirm being targeted by cybercriminals, although it provided few details. The company admitted that its corporate IT network was disrupted but reassured customers about the safety of their water supply.
The hackers had claimed to have gained access to all of the company’s systems, including SCADA (supervisory control and data acquisition) systems that control chemicals in water.
The cybercriminals claim to have stolen more than 5 Tb of information after spending months in the company’s networks. They also claim that files have not been encrypted — as in many other attacks — and that the victim did offer to pay a ransom, but the amount was too low.
Hundreds of companies have been targeted by the Cl0p ransomware with many of its victims in the industrial sector. Several people accused of having some type of role in the Cl0p operation have been arrested, but that does not appear to have had a big impact.
Exploit out for critical Realtek flaw affecting many networking devices
Millions of networking devices with Realtek’s RTL819x system on a chip (SoC) have been affected by a critical vulnerability for which an exploit code has been released.
Identified as CVE-2022-27255, the flaw allows a remote attacker to compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.
CVE-2022-27255 is a stack-based buffer overflow with a severity score of 9.8 out of 10 that enables remote attackers to execute code without authentication by using specially crafted SIP packets with malicious SDP data. It is a zero-click vulnerability, so the exploitation is silent and requires no interaction from the user. An attacker exploiting this vulnerability would only need the external IP address of the vulnerable device.
Realtek addressed the issue in March, noting that it affects the rtl819x-eCos-v0.x and rtl819x-eCos-v1.x series and that it could be exploited through a WAN interface.
The RTL819xD version of the SoC was present in products from more than 60 vendors, such as ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, and Zyxel. Users should check whether their networking equipment is vulnerable and install a firmware update from the vendor released after March, if available. Other than this, organizations could try to block unsolicited UDP requests at the WAN side.
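As an added illustration of the mitigation advice above (this is example code, not code from Realtek or any vendor), the following Python triages UDP datagrams seen on a WAN interface: any unsolicited SIP is reported, and a SIP request whose SDP body carries an oversized attribute line is escalated. The 128-byte limit and the per-line rule are assumptions for illustration only; the page does not say which SDP field the overflow is in, and the sample INVITE is constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIP_PORT = 5060
MAX_SDP_LINE = 128   # assumed heuristic limit; the advisory does not give a field or size
SIP_METHODS = ("INVITE", "REGISTER", "OPTIONS")

@dataclass
class Datagram:          # one UDP datagram arriving on the WAN interface (constructed input)
    src: str
    dst_port: int
    payload: bytes

def split_sip(payload: bytes) -> Optional[Tuple[str, List[str], str]]:
    """Return (request line, header lines, body) if the payload looks like a SIP request."""
    head, _, body = payload.decode("ascii", "replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    if lines[0].split(" ")[0] not in SIP_METHODS:
        return None
    return lines[0], lines[1:], body

def oversized_sdp_lines(body: str) -> List[str]:
    """SDP lines are '<type>=<value>'; return those longer than the assumed limit."""
    return [ln for ln in body.split("\r\n") if len(ln) > MAX_SDP_LINE and ln[1:2] == "="]

def classify(dg: Datagram) -> str:
    """Triage one WAN-side datagram. Any SIP that arrives unsolicited from the WAN is
    reported ('unsolicited-sip'); an SDP body with an oversized line is escalated."""
    if dg.dst_port != SIP_PORT:
        return "ignore"
    parsed = split_sip(dg.payload)
    if parsed is None:
        return "ignore"
    _, headers, body = parsed
    has_sdp = any("application/sdp" in h.lower() for h in headers if h.lower().startswith("content-type:"))
    if has_sdp and oversized_sdp_lines(body):
        return "alert-oversized-sdp"
    return "unsolicited-sip"

def make_invite(sdp_lines: List[str]) -> bytes:
    """Build a minimal SIP INVITE carrying an SDP body (constructed sample, not real traffic)."""
    body = "\r\n".join(sdp_lines) + "\r\n"
    head = "\r\n".join(["INVITE sip:user@192.0.2.1 SIP/2.0",
                        "Via: SIP/2.0/UDP 198.51.100.7:5060",
                        "Content-Type: application/sdp",
                        f"Content-Length: {len(body)}"])
    return (head + "\r\n\r\n" + body).encode("ascii")

BENIGN_SDP = ["v=0", "o=- 0 0 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
              "t=0 0", "m=audio 49170 RTP/AVP 0"]
```

A length heuristic like this only catches crude oversized payloads; it complements, rather than replaces, the vendor firmware update and a WAN-side block on unsolicited UDP.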
RTLS systems vulnerable to MiTM attacks, location manipulation
Multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems) have been discovered, enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data.
Used in areas such as industrial environments, mass transit, healthcare, and smart city applications, the primary role of RTLS technology is to assist in safety by defining geofencing zones using tracking tags, signal reception anchors, and a central processing system.
Sewio Indoor Tracking RTLS UWB Wi-Fi kit and Avalue Renity Artemis Enterprise kit are two widely used RTLS solutions that support safety functionalities. The tracking tags communicate with the anchors via UWB signals, while the anchors use Ethernet or Wi-Fi to transmit or receive data from the central computer. If Wi-Fi is selected, both devices use a custom binary network protocol for communications. However, since the data is not encrypted, Wireshark captures of the network packets make reverse engineering possible.
Apart from data manipulation, an attacker may eavesdrop to track assets and people positions, either for stalking and reconnaissance or for locating a valuable item. An attacker may also alter the position of a tag as needed to allow entrance to a restricted area or to raise false alarms and disrupt production line operations.
Admins of RTLS systems should use firewalls to restrict access, add intrusion detection systems in the network, and use SSH tunnelling with packet synchronization counter-values for data encryption.
New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild
Google has rolled out patches for a high-severity zero-day flaw in Chrome for desktop that is being actively exploited in the wild.
Tracked as CVE-2022-2856, the issue has been described as a case of insufficient validation of untrusted input in Intents.
Although it acknowledged the issue, Google refrained from sharing additional specifics about the shortcoming until a majority of users have updated. “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” it confirmed in a statement.
The latest update further addresses 10 other security flaws, most of which relate to use-after-free bugs in various components such as FedCM, SwiftShader, ANGLE, and Blink, among others.
The development marks the fifth zero-day vulnerability in Chrome that Google has resolved since the start of the year –
- CVE-2022-0609 – Use-after-free in Animation
- CVE-2022-1096 – Type confusion in V8
- CVE-2022-1364 – Type confusion in V8
- CVE-2022-2294 – Heap buffer overflow in WebRTC
Users are recommended to update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows to mitigate potential threats.
MailChimp Security Breach Exposed the Email Addresses of DigitalOcean Customers
Customers of DigitalOcean were impacted by a recent security incident disclosed by Email Marketing company, Mailchimp. The security breach exposed the email addresses of some customers, and a small percentage of those customers received unauthorized password resets.
Transactional emails from the platform, delivered through Mailchimp, stopped reaching DigitalOcean customers’ inboxes. DigitalOcean also found that its Mailchimp account had been suspended, leaving it with no access and no further information from Mailchimp. As a result, DigitalOcean customers’ email confirmations, password resets, email-based alerts for product health, and dozens of other transactional emails were not reaching their destination.
DigitalOcean says that on August 10th it received its first actionable response and held a conversation with the Mailchimp/Intuit legal team to understand the impact of the incident. Its understanding is that an attacker “compromised Mailchimp internal tooling.” The attackers then used the stolen customer email addresses to try to gain access to DigitalOcean accounts by performing password resets. DigitalOcean’s internal logging points to the attacker IP address x.213.155.164.
Cybercriminals Developing BugDrop Malware to Bypass Android Security Features
A previously undocumented Android dropper trojan has been identified, highlighting the continuing issues the Google Play Store is having with security protections.
The new malware spreads the extremely dangerous Xenomorph banking trojan, allowing criminals to perform On-Device Fraud on victims’ devices. Dubbed BugDrop, the dropper app is designed to defeat new features introduced in the upcoming version of Android that aim to make it difficult for malware to request Accessibility Services privileges from victims.
The dropper is being attributed to a cybercriminal group known as Hadoken Security, which is also behind the creation of the Xenomorph and Gymdrop Android malware families.
Posing as productivity and utility apps, the banking trojan is deployed and, once installed, tricks users into granting invasive permissions. The Accessibility API in particular has come under heavy attack, enabling malware operators to capture sensitive data such as credentials and financial information.
Google, with Android 13, has taken the step of entirely blocking accessibility API access for apps installed from outside of an app store. This hasn’t stopped adversaries from attempting to circumvent this restricted security setting. BugDrop, which masquerades as a QR code reader app, is being tested by its authors to deploy malicious payloads via a session-based installation process.
Users are advised to avoid falling victim to malware hidden in official app stores by only downloading applications from known developers and publishers, scrutinizing app reviews, and checking their privacy policies.
BlackByte ransomware gang is back with new extortion tactics
A new version of the BlackByte ransomware operation is back, with a data leak site that includes new extortion techniques borrowed from LockBit.
After a brief disappearance, the ransomware operation is back promoting the new data leak site on hacker forums and through Twitter accounts the threat actor controls, although it is not clear whether the ransomware encryptor has changed as well.
The data leak site only includes one victim at this time, but it now offers new extortion options that allow victims to pay to delay the publishing of their data by 24 hours ($5,000), download the data ($200,000), or destroy all the data ($300,000). The goal of these new extortion techniques is to allow the victim to pay to remove their data, and for other threat actors to purchase it if they wish. LockBit introduced these same extortion tactics with the release of their 3.0 version, and they are seen more as a gimmick than as viable extortion tactics.
The BlackByte ransomware operation launched in the summer of 2021, when the hackers began breaching corporate networks to steal data and encrypt devices. Their highest-profile attack was against the NFL’s 49ers, but they were also responsible for attacks on critical infrastructure sectors, including government facilities, financial, and food & agriculture. A flaw in the operation was found that allowed a free BlackByte decryptor to be created, but after the weakness was reported the threat actors fixed it.
Apple discloses serious security vulnerabilities for iPhones, iPads and Macs
Serious security vulnerabilities affecting iPhones, iPads and Macs, potentially allowing attackers to take complete control of devices, have been disclosed by Apple.
Apple announced that it is “aware of a report that this issue may have been actively exploited”.
One of the flaws means a malicious application may be able to execute arbitrary code with kernel privileges meaning full access to the device. The other – a WebKit bug – could be exploited if a vulnerable device accessed or processed maliciously crafted web content that may lead to arbitrary code execution.
Apple did not give any further information on how many users were affected by the vulnerability.