Friday, October 21st, 2022
Cybersecurity Week in Review (21/10/22)
Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies’ Data Leak
The information of thousands of Microsoft customers was compromised after a security lapse left an endpoint publicly accessible over the internet without any authentication. The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, and was dubbed BlueBleed. It could have allowed unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services.
The scale of the leak has not yet been fully disclosed, but the exposure is thought to amount to 2.4 terabytes of data affecting over 65,000 entities in 111 countries. The data consists of invoices, product orders, signed customer documents, and partner ecosystem details, among others. Microsoft has disputed the extent of the issue, stating that the data related to business between a customer and Microsoft or an authorized Microsoft partner. Microsoft also states that the scope of the problem was greatly exaggerated, as the data set contains duplicate information, with multiple references to the same emails, projects, and users.
The BlueBleed search engine has been likened to data breach notification service “Have I Been Pwned,” enabling organizations to search if their data was exposed in a cloud data leak. There is no evidence that the information was improperly accessed by threat actors prior to the disclosure, but such leaks could be exploited for malicious purposes such as extortion, social engineering attacks, or a quick profit.
Data of 3M Advocate Aurora patients compromised via Pixel data scraping
The personal health information of patients of Advocate Aurora Health was shared with third-party vendors, like Google and Facebook. It seems to have come as a result of using the Pixel tracking tool on its MyChart and LiveWell patient portal websites and applications and some scheduling tools. With 3 million affected patients, the privacy incident is among the top three largest reported healthcare data breaches this year.
This is not the first major disclosure involving the Pixel tool. Facebook has been accused of scraping health data from hospital websites such as Novant Health, where 1.3 million patients had their data inadvertently disclosed. The tool has been found on the websites of 33 healthcare organizations. This is the first patient notice to name Google’s pixel as also performing the data sharing. The Google and Meta services were used for measuring and evaluating trends and preferences of patients using the provider websites.
However, it became evident that these pixels or similar technologies installed on its websites actually disclosed certain protected health information to specific vendors in particular circumstances. Upon discovering this unauthorized disclosure, Advocate Aurora disabled and/or removed the pixels from its platforms and performed an internal investigation to understand exactly what patient data was transmitted to vendors. The data could include patients’ IP addresses; appointment dates, times, and/or locations; proximity to Advocate Aurora Health locations; provider details; appointment or procedure types; communications between the patient and others on the MyChart platform, including names and medical record numbers; insurance information; and proxy names. However, no social security or financial information was compromised.
Advocate Aurora is continuing to determine how to further reduce the risk of unauthorized disclosures of patient data, as it monitors its security systems to evaluate possible enhancements. Any proposed use of tracking technologies will be evaluated under its newly updated technology vetting process. Patients are being encouraged to block or delete cookies from their browsers and to use browsers with supportive privacy measures, like incognito mode. Facebook and Google privacy settings can also be adjusted.
Experts Warn of Stealthy PowerShell Backdoor Disguising as Windows Update
A previously undocumented and fully undetectable (FUD) PowerShell backdoor that gains its stealth by disguising itself as part of a Windows update process has emerged. Not yet attributed to a specific threat actor, the covert custom-built tool and the associated C2 commands have targeted approximately 100 victims.
The attack commences with a weaponized Microsoft Word document. Metadata associated with the lure document indicates that the initial intrusion vector is a LinkedIn-based spear-phishing attack, which ultimately leads to the execution of a PowerShell script via a piece of embedded macro code. The PowerShell script (Script1.ps1) is designed to connect to a remote C2 server and retrieve a command to be launched on the compromised machine by means of a second PowerShell script (temp.ps1). The attacker made an error in using a trivial incremental identifier to uniquely identify each victim (i.e., 0, 1, 2, etc.) allowing for the commands issued by the C2 server to be reconstructed.
Some of the commands issued consist of exfiltrating the list of running processes, enumerating files in specific folders, launching whoami, and deleting files under the public user folders. 32 security vendors and 18 anti-malware engines have flagged the decoy document and the PowerShell scripts as malicious.
Apache Commons Text RCE flaw — Keep calm and patch away
A flaw in the open-source Apache Commons Text library has been identified. The remote code execution flaw has the potential to turn into the next Log4Shell but is not thought to be as concerning. Apache Commons Text is a popular open-source Java library with an interpolation system that allows developers to modify, decode, generate, and escape strings based on string lookups embedded in the input.
The new CVE-2022-42889 vulnerability in Apache Commons Text, dubbed “Text4Shell,” is caused by unsafe script evaluation by the interpolation system that could trigger code execution when processing malicious input in the library’s default configuration. Applications using the interpolation defaults in the affected versions may be vulnerable to RCE or unintentional contact with remote servers if untrusted configuration values are used. Although initially discovered and reported on March 9th of this year, it took developers 7 months, until October 12, 2022, to release a fix in version 1.10.0, which disables interpolation.
As the flaw impacts versions that date as far back as 2018, there was initial worry that it could cause widespread damage, but a further report explained that not all versions between 1.5 and 1.9 seem vulnerable and that its exploitation potential was connected to the JDK version used. Apache’s security team has said that the scope of the flaw is not as serious as Log4Shell, explaining that the string interpolation is a documented feature. They have advised developers using the library to upgrade to version 1.10 or later as soon as possible to fix the flaw.
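As an added example (not from the advisory or the Apache project), a small Python check that flags commons-text entries in Maven dependency-tree output whose version falls in the affected range stated above (1.5 up to, but not including, the fixed 1.10.0); the sample tree text is constructed, and a hit means "review", since exploitability also depends on the JDK in use.

```python
import re

# Affected range as the advisory above states it: 1.5 up to but not including
# 1.10.0. Whether a given build is actually exploitable also depends on the JDK
# in use, so a hit means "review this dependency", not "confirmed vulnerable".
FIRST_AFFECTED = (1, 5, 0)
FIXED = (1, 10, 0)

def parse_version(ver: str) -> tuple:
    """Turn '1.9' or '1.10.0' into a comparable integer tuple.
    Plain string comparison would wrongly rank '1.10.0' below '1.9'."""
    parts = [int(p) for p in re.findall(r"\d+", ver)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(ver: str) -> bool:
    return FIRST_AFFECTED <= parse_version(ver) < FIXED

# Matches a Maven coordinate such as org.apache.commons:commons-text:jar:1.9:compile
DEP_RE = re.compile(r"org\.apache\.commons:commons-text:(?:jar|bundle):([\w.\-]+)")

def scan_dependency_tree(tree_text: str) -> list:
    """Return (version, affected) for each commons-text entry in mvn dependency:tree output."""
    found = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            found.append((m.group(1), is_affected(m.group(1))))
    return found

# Constructed sample output; not taken from any real build.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.1.0
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.example:other:jar:2.0:compile
[INFO] |  \\- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] \\- org.apache.commons:commons-text:jar:1.4:test
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_tree(SAMPLE_TREE):
        print(f"commons-text {version}: {'AFFECTED' if affected else 'ok'}")
```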
Police break up criminal ring that hacked keyless systems to steal cars
A hacker group using fraudulent software to steal vehicles with remote keyless entry was dismantled by the French National Gendarmerie on Monday 17th Oct. Targeting vehicles with keyless entry and start systems, the criminals exploited the technology to get into the car and drive away. Using the fraudulent automotive diagnostic solution, they replaced the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob.
Thirty-one individuals have been arrested, among them the software developers, resellers of the software, and the actual car thieves who used the software to steal vehicles. Reports state that the thieves bought tablets, software and connectors from the resellers, allowing them to duplicate vehicle keys and program blank keys without having the original, and to modify the embedded systems of many vehicles. The kits were sold online; the site, now shut down, had 53,000 registered connections.
It’s not known how the crooks managed to install the malicious tool on the targeted vehicles. Potentially they paid someone to do it covertly at car dealerships, mechanic shops, or any other place where vehicles are left unattended for short or long periods.
Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software
An out-of-band security update has been released by HelpSystems, the company behind the Cobalt Strike software platform. The update looks to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems.
Cracked versions of the commercial red-team framework have been actively abused by ransomware operators and espionage-focused advanced persistent threat (APT) groups. The post-exploitation tool consists of a team server, which functions as a command-and-control (C2) component, and a beacon, the default malware used to create a connection to the team server and drop next-stage payloads. The issue, tracked as CVE-2022-42948, affects Cobalt Strike version 4.7.1, and stems from an incomplete patch released on September 20, 2022, to rectify a cross-site scripting (XSS) vulnerability (CVE-2022-39197) that could lead to remote code execution.
It was found that remote code execution could be triggered in specific cases using the Java Swing framework, the graphical user interface toolkit used to build Cobalt Strike. This means that a malicious actor could exploit this behavior by means of an HTML <object> tag, utilizing it to load a custom payload hosted on a remote server and inject it within the note field as well as the graphical file explorer menu in the Cobalt Strike UI.
Keystone Health Data Breach Impacts 235,000 Patients
Patients of Keystone Health, a healthcare provider in Pennsylvania, have been informed of a data breach potentially affecting their personal information. A notification on Keystone’s website discloses a cybersecurity incident identified on August 19 resulting in the disruption of some systems.
An investigation into the incident was immediately launched, which discovered that certain patient information might have been compromised. Letters offering credit monitoring services have already been mailed to affected patients. No other information regarding the incident has been provided, and it is unclear whether Keystone Health fell victim to ransomware or to a different type of cyberattack. Keystone notified the US Department of Health and Human Services that over 235,000 individuals were impacted by the incident.
Ransom Cartel linked to notorious REvil ransomware operation
The new Ransom Cartel ransomware operation has been linked with the notorious REvil gang based on code similarities in both operations’ encryptors. Peaking in the first half of 2021, REvil compromised thousands of companies in the Kaseya MSP supply-chain attack, demanded a $50 million payment from computer maker Acer, and extorted Apple using stolen blueprints of not-yet-released devices.
The operation was shut down in October 2021 following intense pressure from law enforcement, and in January 2022 the Russian authorities announced arrests, money seizures, and charges against eight of the gang’s members. The new ‘Ransom Cartel’ was launched in December 2021, sharing many code similarities with REvil’s malware. Because the source code of REvil’s encrypting malware was never leaked on hacking forums, it is thought that any new project using similar code is either a rebrand or a new operation launched by a core member of the original gang.
There are also similarities in the tactics, techniques, and procedures (TTPs) used by REvil and Ransom Cartel, such as double-extortion attacks, large ransom demands, and a data leak site to pressure victims into paying a ransom. However, one technique used by Ransom Cartel, and not seen in REvil attacks, is using the Windows Data Protection API (DPAPI) to steal credentials. A tool named “DonPAPI” is being used, which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers, and then download and decrypt them locally on the machine. These credentials are then used to compromise Linux ESXi servers and authenticate to their vCenter web interfaces. Finally, the threat actors shut down VMs, terminate all related processes, and encrypt VMware-related files (.log, .vmdk, .vmem, .vswp and .vmsn).
While irrefutable evidence that Ransom Cartel is a rebrand of the REvil operation is yet to be found, it’s quite clear that at least some of the original members are behind this new ransomware operation.
The Prestige: Ukraine and Poland hit by novel ransomware
A previously unknown ransomware known as Prestige has been observed targeting Ukraine’s and Poland’s transportation and logistics industries. The new ransomware was first deployed on October 11 in attacks occurring within an hour of each other across all victims. The ransomware was not connected to any of the 94 active ransom groups currently tracked by the Microsoft Threat Intelligence Center (MSTIC).
Tracked as DEV-0960, the activity has not yet been linked to any known threat group but shares victimology with recent Russian state-aligned activity, specifically in the affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper). Threat actors gained highly privileged credentials, such as Domain Admin, to execute the ransomware payload, and although initial access vectors have not yet been identified, it’s possible that the attacker already had existing access from a prior compromise.
The ransomware has been observed to be deployed using three methods:
- The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket [an open-source script-based solution for remote code execution] is used to remotely create a Windows Scheduled Task on target systems to execute the payload.
- The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload.
- The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object.
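An added detection example, not from Microsoft's report: Python that correlates constructed Windows security events to flag the three deployment patterns listed above (an ADMIN$ write followed on the same host by a scheduled task creation or an encoded PowerShell launch, and a modification of the Default Domain Policy GPO object). The flattened event field names and the five-minute correlation window are assumptions; the event records are made up.

```python
from datetime import datetime, timedelta

# Constructed sample events (made up for this example) in a flattened form. Windows event
# IDs: 5145 share access, 4698 scheduled task created, 4688 process creation, 5136 AD object modified.
EVENTS = [
    {"host": "WS01", "time": "2022-10-11T10:00:05", "id": 5145,
     "share": "\\\\*\\ADMIN$", "file": "\\payload.exe", "access": "WriteData"},
    {"host": "WS01", "time": "2022-10-11T10:00:40", "id": 4698,
     "task": "\\Update", "command": "C:\\Windows\\payload.exe"},
    {"host": "WS02", "time": "2022-10-11T10:01:10", "id": 5145,
     "share": "\\\\*\\ADMIN$", "file": "\\payload.exe", "access": "WriteData"},
    {"host": "WS02", "time": "2022-10-11T10:01:35", "id": 4688,
     "command": "powershell.exe -NoP -enc ZQBjAGgAbwA="},
    {"host": "WS03", "time": "2022-10-11T10:02:00", "id": 5145,
     "share": "\\\\*\\IPC$", "file": "\\srvsvc", "access": "ReadData"},
    {"host": "DC01", "time": "2022-10-11T10:03:00", "id": 5136,
     "object": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
               "CN=System,DC=example,DC=local", "attribute": "gPCFileSysPath"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per environment
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # well-known GPO GUID

_t = lambda e: datetime.fromisoformat(e["time"])

def is_admin_share_write(e):
    return e["id"] == 5145 and e["share"].upper().endswith("ADMIN$") and "Write" in e["access"]

def is_encoded_powershell(e):
    cmd = e.get("command", "").lower()
    return e["id"] == 4688 and "powershell" in cmd and (" -enc" in cmd or " -e " in cmd)

def detect(events):
    """Return (host, rule, detail) alerts for the three deployment patterns."""
    alerts, events = [], sorted(events, key=_t)
    for i, e in enumerate(events):
        if is_admin_share_write(e):
            for f in events[i + 1:]:          # look forward within the window
                if _t(f) - _t(e) > WINDOW:
                    break
                if f["host"] != e["host"]:
                    continue
                if f["id"] == 4698:
                    alerts.append((e["host"], "ADMIN$ write -> scheduled task", f["task"]))
                elif is_encoded_powershell(f):
                    alerts.append((e["host"], "ADMIN$ write -> encoded PowerShell", f["command"]))
        elif e["id"] == 5136 and DEFAULT_DOMAIN_POLICY in e.get("object", "").upper():
            alerts.append((e["host"], "Default Domain Policy GPO modified", e["attribute"]))
    return alerts

if __name__ == "__main__":
    for host, rule, detail in detect(EVENTS):
        print(f"{host}: {rule} ({detail})")
```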
In a ransom note dropped on the compromised machine, threat actors require victims to purchase their decryption software and ask to contact the attackers via a given email. As the threat landscape in Ukraine continues to evolve, Microsoft urges organizations to build more robust defenses.
Microsoft Office 365 Message Encryption flaw exposes email content
An advisory has been released warning organizations of a security flaw in Microsoft Office 365 Message Encryption (OME). The bug could expose email content to threat actors, and no patch is currently available to fix it. OME uses the Electronic Codebook (ECB) mode of operation, which is known to leak certain structural information about messages.
As the encrypted messages are sent as regular email attachments, the messages sent may be stored in various email systems and may have been intercepted by any party between the sender and the recipient. If enough OME emails are obtained, attackers could analyze the location and frequency of repeated patterns in individual messages and match them to ones found in other OME emails and files. As a result, they could use the leaked information to partially or fully infer the contents of the messages.
Although informed, Microsoft did not deem the flaw significant enough to meet the bar for security servicing, nor was it considered a breach. No code change was made, so no CVE was issued. Despite this stance from Microsoft, it is thought possible that an attacker could compromise backlogs or archives of previous messages, since the analysis can be done offline. Since there is no patch available yet, the only mitigation is to avoid using MS 365 Message Encryption.
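An added example, not from the advisory, showing the ECB leak the passage describes: the repeated-block and cross-message checks are run on two constructed messages, with a toy block cipher standing in for the real one and a CBC encryption of the same message for contrast.

```python
import os

BLOCK = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (XOR with key, then a byte rotation) used only so
    this runs without a crypto library. NOT a real cipher; the mode-of-operation
    behaviour shown below is exactly the same with AES."""
    x = bytes(a ^ b for a, b in zip(block, key))
    return x[3:] + x[:3]

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    data = pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def encrypt_cbc(key: bytes, iv: bytes, data: bytes) -> bytes:
    data, out, prev = pad(data), [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> dict:
    """Map each ciphertext block that occurs more than once to the block indices
    where it appears: the 'location and frequency of repeated patterns' leak."""
    seen = {}
    for idx in range(len(ct) // BLOCK):
        seen.setdefault(ct[idx * BLOCK:(idx + 1) * BLOCK], []).append(idx)
    return {blk.hex(): idxs for blk, idxs in seen.items() if len(idxs) > 1}

def shared_blocks(ct_a: bytes, ct_b: bytes) -> set:
    """Ciphertext blocks common to two messages under the same key: in ECB, equal
    plaintext blocks (including a full padding block) give equal ciphertext."""
    split = lambda ct: {ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)}
    return split(ct_a) & split(ct_b)

# Constructed messages with a repeated fixed-width field; the key is fixed for
# reproducibility and does not model any real OME key.
KEY = bytes(range(16))
MSG_A = b"ACCOUNT-NUMBER: " + b"0000111122223333" + b"ACCOUNT-NUMBER: " + b"4444555566667777"
MSG_B = b"ACCOUNT-NUMBER: " + b"9999888877776666"

if __name__ == "__main__":
    ecb_a, ecb_b = encrypt_ecb(KEY, MSG_A), encrypt_ecb(KEY, MSG_B)
    print("ECB repeats in A:", repeated_blocks(ecb_a))                      # block 0 == block 2
    print("ECB blocks shared by A and B:", len(shared_blocks(ecb_a, ecb_b)))  # 2
    print("CBC repeats in A:", repeated_blocks(encrypt_cbc(KEY, os.urandom(16), MSG_A)))  # {}
```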
Police tricks DeadBolt ransomware out of 155 decryption keys
The Dutch National Police reportedly tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments. DeadBolt is a ransomware operation active since January and known for demanding 0.03 bitcoin ransoms after encrypting thousands of QNAP and Asustor Network Attached Storage (NAS) devices.
After the ransom is paid, DeadBolt creates a bitcoin transaction to the same bitcoin ransom address containing a decryption key for the victim (the decryption key can be found under the transaction’s OP_RETURN output). When the victim enters this key into the ransom note screen, it will be converted into a SHA256 hash and compared to the SHA256 hash of the victim’s decryption key and the SHA256 hash of the DeadBolt master decryption key. If the decryption key matches one of the SHA256 hashes, the encrypted files on the NAS hard drives will get decrypted.
The police tricked the gang into releasing the keys by paying the minimum fee and then cancelling each transaction before it had been included in a block. When a ransom payment was made, the operation automatically sent a decryption key as soon as it detected a bitcoin transaction with the correct ransom amount. However, the decryption key was sent immediately, without waiting for a bitcoin confirmation that the transaction was legitimate. Heavy congestion combined with a low fee caused the Bitcoin blockchain to take much longer to confirm a transaction, allowing the police to make a transaction, receive the key, and immediately cancel their bitcoin transaction.
This tactic effectively allowed them to obtain the 155 decryption keys without paying anything more than the fees to send the transactions. Unfortunately, after realizing they had been tricked and would not get paid, the DeadBolt ransomware gang switched things up and now require double confirmation before releasing decryption keys.