Friday, September 2nd, 2022
Cybersecurity Week in Review (2/9/22)
Apple Releases iOS Update for Older iPhones to Fix Actively Exploited Vulnerability
Apple has backported security updates to older iPhones and Apple devices to address a security flaw that has been actively exploited in the wild.
Tracked as CVE-2022-32893 (CVSS score: 8.8), the flaw is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.
The tech giant said it fixed the bug with improved bounds checking in the iOS 12.5.6 update.
The latest set of patches arrives weeks after the iPhone maker remediated two flaws in iOS 15.6.1, iPadOS 15.6.1, macOS 12.5.1, and Safari 15.6.1 as part of updates shipped on August 18, 2022.
Microsoft Discovers Severe ‘One-Click’ Exploit for TikTok Android App
Microsoft identified a now-patched high-severity vulnerability in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link.
Successful exploitation of the flaw could have permitted access to sensitive information, unauthorized exposure of private videos and modification of the user’s profile. Attackers could also have abused the bug to send messages and upload videos on behalf of users.
Tracked as CVE-2022-28799 (CVSS score: 8.8), the vulnerability has to do with the app’s handling of a deeplink, a special hyperlink that allows apps to open a specific resource within another app installed on the device rather than directing users to a website. This would have made it possible to circumvent the app’s restrictions that reject untrusted hosts and load any website of the attacker’s choice through the Android System WebView.
Because the exploit hijacks the WebView to load rogue websites, it could have permitted the adversary to invoke over 70 exposed TikTok endpoints, effectively compromising a user’s profile integrity. There’s no evidence that the bug has been weaponized in the wild.
Cybercriminals Apparently Involved in Russia-Linked Attack on Montenegro Government
The Montenegrin Agency for National Security announced last week that government servers had been targeted in an ongoing attack that was described as massive and coordinated.
The attack targeted government systems and other critical infrastructure and managed to cause some disruptions.
Although no data was stolen or damage caused, authorities said the attack was politically motivated and launched by multiple Russian agencies. The ransomware group known as Cuba has claimed on its Tor-based leak website that it breached systems of the country’s parliament. It claims to have stolen files on August 19, including financial documents and source code, and to have obtained correspondence with bank employees, balance sheets, account activity, compensation data, and tax documents.
The threat actor has been around since 2019 and acts by encrypting files on compromised systems and stealing information from victims in an effort to increase its chances of getting paid. They have been identified as having connections to Russia.
Ukraine takes down cybercrime group hitting crypto fraud victims
The National Police of Ukraine (NPU) took down a network of call centres used by a cybercrime group focused on financial scams and targeting victims of cryptocurrency scams under the guise of helping them recover their stolen funds.
Throughout this cross-border fraud operation, the attackers used software and high-tech equipment that made it possible to spoof the phone numbers of state banking organizations.
While claiming to be members of a “Community of cryptocurrency brokers,” they used contact information belonging to previous victims of other cryptocurrency scammers to convince those victims that they could recover their stolen funds for a “commission.”
They used VoIP (Voice over Internet Protocol) phone numbers to hide their actual location while scamming thousands of foreign investors.
In September 2021, the Security Service of Ukraine (SBU) also took down another network of call centres in Lviv linked to a ring of scammers who defrauded cryptocurrency investors worldwide.
Those linked to this fraud scheme are being investigated for participation in an organized criminal group, fraud, and use of malicious software, and are facing up to 12 years in prison.
Russian streaming platform confirms data breach affecting 7.5M users
Russian media streaming platform ‘START’ (start.ru) has disclosed that network intruders managed to steal a 2021 database from its systems and are now distributing samples online.
The stolen database contains email addresses, phone numbers, and usernames. Financial information, bank card data, browsing history, or user passwords have not been impacted because these details were not present in the database.
Rumours about a data breach first appeared on Sunday, August 28, when a 72GB MongoDB JSON dump containing information on almost 44 million users started to be distributed over a social network. The dump did contain 7,455,926 unique email addresses, which is likely close to the real number of exposed users.
One discrepancy between START’s statement and the leaked dump is that the latter contains md5crypt-hashed passwords, IP addresses, login logs, and subscription details, which have not been included in the official statement from the platform.
Due to the increased cyber-offensive activity against Russian online platforms, Moscow is implementing measures to defend user data from unauthorized access and to protect its citizens from exposure, such as a compensation fund for victims and fines based on a breached company’s turnover.
NATO Investigating the Sale of Missile Data & Blueprints of Weapons used in Ukraine
A hacking group sold classified military data, including blueprints of weapons being used by NATO allies in the Ukraine war. NATO is investigating and assessing the impact of the data breach.
The group is touting what it claims are top secret files stolen from European weapons manufacturer MBDA Missile Systems. MBDA Missile Systems acknowledged that its data was among the stash but said none of the classified files belong to the firm.
MBDA Missile Systems is one of the largest weapons makers in the world employing 13,000 people and is a joint venture of Airbus, BAE Systems, and Leonardo.
Cyber criminals, operating on Russian and English forums, are selling 80GB of the stolen data for 15 Bitcoins (approximately £273,000) and claimed to have sold the stash to at least one unknown buyer so far.
The MBDA files being sold purportedly specify details of a “communications intelligence” operation a U.S. air regiment carried out over the Baltics in 2020 – including the full name, phone number, and coordinates of someone said to have been at the centre of the mission.
Chinese hackers zero in on Australian manufacturers, wind turbine operators
A China-based cyberespionage group has targeted Australian officials with reconnaissance malware to siphon off details about the victims.
The campaign focused on government, energy and manufacturing personnel in the Asia-Pacific region, deploying phishing emails that directed targets to a fake news outlet. The attackers, referred to variously as TA423, Red Ladon and APT40, designed the site to deliver malware known as ScanBox and have been active for nearly a decade.
The phony “Australian Morning News” news site contained images and stories lifted from legitimate news organizations. With subject lines such as “Sick Leave,” “User Research” and “Request Cooperation,” the phishing emails explained that the sender was starting a “humble news website” and wanted feedback.
The ScanBox malware the hackers intended to deploy on victims allows attackers to log keystrokes and to collect a range of information about victims, such as software versions and configurations, operating system details and browser versions, to better calibrate future exploitation.
Analysis of the latest operation showed links to earlier activity from the group dating back to March 2021. In March 2022, the operation picked up again using a malicious Microsoft Word document, and then the current wave began in April using domains leading victims to the phony news website.
India’s Newest Airline Akasa Air Found Leaking Passengers’ Personal Information
Akasa Air, India’s newest commercial airline, exposed personal data belonging to its customers in an incident the company blamed on a technical configuration error.
The issue, identified on August 7th, is rooted in the account registration process, leading to the exposure of details such as names, gender, email addresses, and phone numbers.
Once aware, the company temporarily shut down parts of its system to incorporate additional security guardrails. It has also reported the incident to the Indian Computer Emergency Response Team (CERT-In).
Akasa Air emphasized that no travel-related information or payment details were left accessible and that there is no evidence the glitch was exploited in the wild. The airline further said it has directly notified affected users of the incident, although the scale of the leak remains unclear, adding it “advised users to be conscious of possible phishing attempts.”
FBI Warns Investors to Take Precautions with Decentralized Financial Platforms
The U.S. Federal Bureau of Investigation (FBI) on Monday 29th August warned of cyber criminals increasingly exploiting flaws in decentralized finance (DeFi) platforms to plunder cryptocurrency.
Attackers are using a variety of methods to hack and steal, including initiating flash loans that trigger exploits in the platforms’ smart contracts and exploiting signature verification flaws in their token bridges to withdraw all investments.
Criminals are also defrauding the platforms by manipulating cryptocurrency price pairs – assets that can be traded for each other on an exchange – by exploiting a series of vulnerabilities to bypass slippage checks and steal roughly $35 million in digital funds.
Losses arising from cryptocurrency hacks have jumped nearly 60% in the first seven months of the year to $1.9 billion. Many of the hacks against DeFi services have been attributed to the North Korea-affiliated hacking unit known as the Lazarus Group, with the nation-state adversary credited with the theft of nearly $1 billion.
The FBI recommends that consumers research DeFi platforms prior to investing, ensure their code has been subjected to thorough audits, and be cognizant of the risks posed by open source code repositories.
Iranian state-sponsored Actors Exploiting Log4j 2 Flaws in Unpatched Systems
MuddyWater, an umbrella threat group with connections to Iran’s intelligence apparatus, MOIS, is believed to be the group behind the exploitation of the Log4j 2 flaws.
Once the malware begins to establish persistence, it dumps credentials and moves throughout the organization using both custom and well-known hacking tools. Some of the most common techniques used by MuddyWater (also tracked as Mercury) include adversary-in-the-mailbox phishing, use of cloud file-sharing services and use of commercial remote access applications.
Reconnaissance seems to be the primary function of most commands; the actor’s tooling for lateral movement and persistence is downloaded through a single encoded PowerShell script. Where exploitation succeeded, web shells were deployed to allow commands to be executed through the web. Lateral movement then became possible, assisting the actor with reconnaissance, persistence, credential theft and so on.
A remote monitoring and management tool called eHorus is also used for C2 communications during intrusions, along with a reverse-tunneling tool called Ligolo, which is the tool of choice for adversaries for reverse tunneling communications.
To mitigate against these types of attacks you should assess your environment for possible intrusions using the published indicators of compromise. Verify authenticity and investigate any anomalous behavior for remote access infrastructure, including single-factor authentication accounts. Utilise MFA to mitigate potential credential compromise and ensure all remote connections are MFA enabled.
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations being compromised.
The campaign gained the moniker 0ktapus due to its focus on abusing identity and access management firm Okta.
114 US-based firms were targeted, with additional victims found across 68 additional countries.
The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.
Next, attackers sent phishing links to targets via text messages. Those links led to webpages mimicking the Okta authentication page used by the target’s employer. Victims were then asked to submit Okta identity credentials along with the multi-factor authentication (MFA) codes employees used to secure their logins. 0ktapus’ ultimate goal was to access company mailing lists or customer-facing systems in hopes of facilitating supply-chain attacks.
To mitigate 0ktapus-style campaigns, the researchers recommended good hygiene around URLs and passwords, and using FIDO2-compliant security keys for MFA.
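Why the FIDO2 recommendation defeats the relay described above, shown as an added example (not code from the original article or the researchers): the browser, not the user, stamps the page origin into what the key signs, so a lookalike page relaying the exchange produces an assertion the real site rejects, while a relayed OTP code has no such binding. The origins, keys and the HMAC stand-in for the authenticator's signature are constructed assumptions.

```python
"""Added example: simplified WebAuthn origin binding versus OTP relay.
The relying party (RP) issues a challenge; the browser hands the key that
challenge plus the page ORIGIN; the key signs both. The RP accepts only
signatures bound to its own origin. HMAC stands in for the key's signature.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://sso.example-corp.example"       # constructed, hypothetical
PHISH_ORIGIN = "https://sso-example-corp.example"    # constructed lookalike
_CRED_KEY = secrets.token_bytes(32)   # simulated credential key (constructed)
_OTP_SEED = secrets.token_bytes(20)   # simulated shared OTP seed (constructed)

def issue_challenge() -> bytes:
    """RP: fresh, unpredictable challenge per login attempt."""
    return secrets.token_bytes(32)

def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """Browser + authenticator. The BROWSER fills in `origin`, not the user,
    so the signature is bound to the page that actually requested it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(_CRED_KEY, hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"client_data": client_data, "signature": sig}

def rp_verify_fido2(assertion: dict, expected_challenge: bytes) -> bool:
    """RP: challenge must match, origin must be ours, signature must cover it."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge.hex()):
        return False
    if data.get("origin") != RP_ORIGIN:
        return False   # the check a relayed phishing assertion fails
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(_CRED_KEY, digest, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])

def otp_code(step: int) -> str:
    """HOTP-style 6-digit code from the shared seed and a counter/time step."""
    mac = hmac.new(_OTP_SEED, step.to_bytes(8, "big"), "sha1").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def legitimate_fido2_login() -> bool:
    challenge = issue_challenge()
    return rp_verify_fido2(authenticator_sign(challenge, RP_ORIGIN), challenge)

def relayed_fido2_login() -> bool:
    """Attacker fetches the RP's real challenge, the victim signs it on the
    phishing page (browser stamps PHISH_ORIGIN), attacker forwards the assertion."""
    challenge = issue_challenge()
    return rp_verify_fido2(authenticator_sign(challenge, PHISH_ORIGIN), challenge)

def relayed_otp_login(step: int = 1) -> bool:
    """Victim types the code into the phishing page; attacker forwards the same
    string to the RP within its validity window. Nothing binds it to an origin."""
    relayed = otp_code(step)                              # forwarded verbatim
    return hmac.compare_digest(relayed, otp_code(step))   # RP accepts it
```

Run under a real deployment the same check is done by the RP against the `origin` field of `clientDataJSON`, which is why the hygiene advice about URLs matters less for FIDO2 than for OTP-based MFA.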
Nelnet Servicing breach exposes data of 2.5M student loan accounts
Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing.
The hackers compromised the company’s network, likely after exploiting a vulnerability. Having initially gained access in June, they remained on the systems until July 22.
Although Nelnet states it blocked the cyberattack as soon as the breach was detected, a subsequent investigation completed on August 17, 2022, determined that certain student loan account registration information might have been accessed. Information included name, address, phone number, email and social security number.
No financial or payment information was exposed.
Both EdFinancial and OSLA have offered impacted individuals free access to a 24-month identity theft protection service through Experian, with instructions on how to enroll enclosed in the letters.
New Golang-based ‘Agenda Ransomware’ Can Be Customized For Each Victim
A new ransomware strain written in Golang dubbed “Agenda” has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand.
The threat actor advertising the ransomware is known as Qilin. It is said to offer options to tailor the binary payloads for each victim, letting operators set the ransom note as well as the list of processes and services to terminate before commencing the encryption process.
The ransomware also incorporates techniques for detection evasion by taking advantage of the ‘safe mode’ feature of a device to proceed with its file encryption routine unnoticed.
Upon successful encryption, Agenda renames the files with the configured extension, drops the ransom note in each encrypted directory, and reboots the machine in normal mode with ransom demands ranging anywhere from $50,000 to $800,000.
Similarities have been observed between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware families.
Black Basta, which first emerged in April 2022, is known to employ the double extortion technique of encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, while also threatening to post the stolen sensitive information should a victim choose not to pay the ransom.
Malicious Plugins Found on 25,000 WordPress Websites
Analysis of more than 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites.
Over 3,600 of the identified malicious plugins were purchased from legitimate marketplaces such as CodeCanyon, Easy Digital Downloads, and ThemeForest. The dataset spanned eight years, between July 2012 and July 2020.
Adversaries buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. Attackers were also observed impersonating benign plugin authors to distribute malware via pirated plugins. Of the identified malicious plugins, more than 10,000 used webshells and code obfuscation.
More than 6,000 plugins impersonated benign plugins available through legitimate marketplaces that offered a trial option to website owners, something that is not typically available in most paid plugin marketplaces.
Only 10% of website owners were seen attempting to clean up their installations, and more than 12% of the cleaned-up websites were reinfected.
Have third-party hacking groups lost interest in Russia-Ukraine conflict?
A new study argues that while the onset of the war saw notable involvement from groups like the IT Army of Ukraine and others defacing websites or conducting denial-of-service attacks against Russian websites, the activity has tailed off significantly in the months after the start of the invasion as many participants got “bored” and moved on.
The researchers collected evidence of more than 281,000 web defacement attacks and 1.7 million reflected denial-of-service (DDoS) attacks executed in the two months before the invasion and the four months following.
U.S. officials did not endorse the vigilante hacktivism, worried it could undercut international efforts to pressure countries like Russia to be more accountable for the actions of ransomware groups and other cybercriminals operating within their own borders. However, the researchers argue that alarmist predictions of civilian-directed cyberwar “have not come to pass” and much of the activity they did track amounted to small nuisance attacks against unaffiliated websites and organizations.
The war has also seen unprecedented involvement from legitimate businesses in the West and other regions, though this assistance has largely been defensive in nature.
Not everybody agrees with the researchers’ view that non-governmental hackers have gone quiet. Intel 471, a threat intelligence company, has not observed a drop-off in interest around the Ukraine-Russia war from non-governmental hackers, but admits that it is difficult to track.
FTC sues data broker Kochava over sale of data tying users to health clinics
A lawsuit has been filed against Kochava by the FTC over the sale of geolocation data from millions of devices, which could tie users to sensitive locations such as reproductive health clinics, addiction recovery facilities, places of worship, and homeless and domestic violence shelters.
Kochava is a data broker that purchases location information from mobile devices. They then package it into customized feeds matching unique device identification numbers complete with time-stamped latitude and longitude locations.
The suit claims these customized feeds allow purchasers to both identify and track specific mobile device users. The data could also enable the purchasers to track users at sensitive locations and reveal information about personal health choices, religious beliefs, and steps taken to protect themselves from abuse. Kochava asserts that the data feeds are meant to support clients with advertising by analysing foot traffic at physical locations.
The lawsuit comes on the heels of a number of growing concerns from Congress and other groups about the impact the repeal of Roe v. Wade will have on women’s health and safety. In particular, the FTC is concerned the data tied to reproductive health clinics could be used to identify individuals and expose private medical decisions.
Critical Atlassian Bitbucket Server and Data Centre Flaw Let Attackers Execute Malicious Code
A critical flaw, tracked as CVE-2022-36804, has been revealed by Atlassian. Found in multiple API endpoints of Bitbucket Server and Data Centre, the flaw allows attackers to execute malicious code on vulnerable instances and has received a CVSS severity score of 9.9.
Bitbucket is a Git-based source code repository hosting service owned by Atlassian. Bitbucket offers both commercial plans and free accounts with an unlimited number of private repositories.
All versions released after 6.10.17, including 7.0.0 and newer, are affected; this means that all instances running any version between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.
A bug fix has been released, with Atlassian advising affected users to upgrade to one of the fixed versions. If you’re unable to upgrade Bitbucket, the company recommends applying a temporary partial mitigation by turning off public repositories using “feature.public.access=false”.