Thursday, September 21st, 2023
Cybersecurity Week in Review (22/09/2023)
Cyber Group ‘Gold Melody’ Selling Compromised Access to Ransomware Attackers
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. Dubbed Gold Melody, the group is also known by the names Prophet Spider and UNC961.
The financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers. The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption.
Gold Melody has been previously linked to attacks exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), ForgeRock AM (CVE-2021-35464), and Apache Log4j (CVE-2021-44228) servers.
The cybercrime group has been observed expanding its victimology footprint to strike retail, health care, energy, financial transactions, and high-tech organizations in North America, Northern Europe, and Western Asia as of mid-2020.
An analysis published in March 2023 said that “in multiple instances, UNC961 intrusion activity has preceded the deployment of Maze and Egregor ransomware from distinct follow-on actors.”
It further described the group as “resourceful in their opportunistic angle to initial access operations” and noted it “employs a cost-effective approach to achieve initial access by exploiting recently disclosed vulnerabilities using publicly available exploit code.”
Besides relying on a diverse arsenal comprising web shells, built-in operating system software, and publicly available utilities, it’s known to employ proprietary remote access trojans (RATs) and tunneling tools such as GOTROJ (aka MUTEPUT), BARNWORK, HOLEDOOR, DARKDOOR, AUDITUNNEL, HOLEPUNCH, LIGHTBUNNY, and HOLERUN to execute arbitrary commands, gather system information, and establish a reverse tunnel with a hard-coded IP address.
The attacks entailed the abuse of a different set of flaws, including those impacting Oracle E-Business Suite (CVE-2016-0545), Apache Struts (CVE-2017-5638), Sitecore XP (CVE-2021-42237), and Flexera FlexNet (CVE-2021-4104) to obtain initial access.
A successful foothold is succeeded by the deployment of web shells for persistence, followed by creating directories in the compromised host to stage the tools used in the infection chain.
Lakeland Community College Breach Exposes 285K People
Attackers who breached Lakeland Community College took the personal details of hundreds of thousands of individuals, and it took the college nearly six months to notify those affected. The Ohio, USA-based school has started notifying individuals whose data might have been impacted in the recent data breach.
According to the breach notice which Lakeland submitted to the Maine Attorney General, attackers roamed the college’s network for nearly three weeks between March 7th, 2023, and March 31st, 2023.
An investigation, which the school carried out together with cybersecurity consultants, determined that attackers accessed individuals’ full names and Social Security numbers (SSNs). The breach impacted 285,948 individuals.
Stolen SSNs may end up on underground criminal marketplaces, where cybercrooks can buy the data to use in whichever way they like. It’s estimated that on its own, an SSN costs up to $4 on the dark web; a collated dataset with additional information on the individual can fetch double that. Having SSNs exposed poses significant risks, as impersonators can combine stolen data with names and driver’s license numbers for identity theft.
While the breach notification doesn’t indicate the nature of the attack, it could be linked to a ransomware attack by the Vice Society gang. Lakeland’s data was posted on the gang’s dark web blog.
Ransomware attacks on educational institutions can be particularly devastating. For example, Lincoln College, established in 1865, had to close up shop after a ransomware attack disrupted the admission process.
One of the reasons that ransomware weighs heavily on educational institutions is that it takes schools and universities the longest to recover from attacks.
China Accuses U.S. of Decade-Long Cyber Espionage Campaign Against Huawei Servers
China’s Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei’s servers, stealing critical data, and implanting backdoors since 2009, amid mounting geopolitical tensions between the two countries.
In a message posted on WeChat, the government authority said U.S. intelligence agencies have “done everything possible” to conduct surveillance, secret theft, and intrusions on many countries around the world, including China, using a “powerful cyber attack arsenal.” Specifics about the alleged hacks were not shared.
It explicitly singled out the U.S. National Security Agency’s (NSA) Computer Network Operations (formerly the Office of Tailored Access Operations or TAO) as having “repeatedly carried out systematic and platform-based attacks” against the country to plunder its “important data resources.”
The post went on to claim that the cyber-warfare intelligence-gathering unit hacked Huawei’s servers in 2009 and that it had carried out “tens of thousands of malicious network attacks” on domestic entities, including the Northwestern Polytechnical University, to siphon sensitive data, an allegation that was first leveled by China in September 2022.
Further, China’s National Computer Virus Emergency Response Centre (NCVERC) is said to have isolated a spyware artifact dubbed Second Date when dealing with an incident at the public research university that’s purportedly developed by the NSA and run stealthily on “thousands of network devices in many countries around the world.”
Details about Second Date were previously reported by South China Morning Post and China Daily last week, describing it as a cross-platform malware capable of monitoring and hijacking network traffic as well as injecting malicious code. Germany, Japan, South Korea, India, and Taiwan are believed to be some of the countries targeted by the spyware.
“The U.S. intelligence agency has used these large-scale weapons and equipment to carry out cyber attacks and cyber espionage operations for more than ten years against China, Russia and other 45 countries and regions around the world,” MSS said, adding the attacks targeted telecom, scientific research, economy, energy and military sectors.
MSS also claimed that the U.S. has forced technology companies to install backdoors in their software and equipment to conduct cyber espionage and steal data, citing examples of companies such as X-Mode Social and Anomaly Six, which have demonstrated abilities to track the mobile phones of users.
In July 2023, after Microsoft disclosed a China-linked espionage campaign mounted by an actor codenamed Storm-0558 targeting two dozen organizations in the U.S. and Europe, China responded by calling the U.S. “the world’s biggest hacking empire and global cyber thief.”
Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT
Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan called ValleyRAT.
The activity, observed since early 2023, entails sending email messages containing URLs pointing to compressed executables that are responsible for installing the malware. Other infection chains have been found to leverage Microsoft Excel and PDF attachments that embed these URLs to trigger malicious activity.
These campaigns demonstrate variation in the use of infrastructure, sender domains, email content, targeting, and payloads, indicating that different threat clusters are mounting the attacks.
Over 30 such campaigns have been detected in 2023 that employ malware typically associated with Chinese cybercrime activity. Since April 2023, no less than 20 of those campaigns are said to have delivered Sainbox, a variant of the Gh0st RAT trojan that’s also known as FatalRAT.
At least three other campaigns have been identified delivering the Purple Fox malware and six additional campaigns propagating a nascent strain of malware dubbed ValleyRAT, the latter of which commenced on March 21, 2023.
ValleyRAT, first documented in February 2023, is written in C++ and harbors functionalities traditionally seen in remote access trojans, such as fetching and executing additional payloads (DLLs and binaries) sent from a remote server and enumerating running processes, among others.
While Gh0st RAT has been widely used in various cyber campaigns linked to China over the years, the emergence of ValleyRAT suggests it could be widely deployed in the future.
TransUnion Denies it was Hacked, Links Leaked Data to 3rd Party
Credit reporting firm TransUnion has denied claims of a security breach after a threat actor known as USDoD leaked data allegedly stolen from the company’s network. The Chicago-based company’s over 10,000 employees provide their services to millions of consumers and more than 65,000 businesses from 30 countries.
“Immediately upon discovering these assertions, we partnered with outside cybersecurity and forensic experts to launch a thorough investigation,” the company said.
“At this time, we and our internal and external experts have found no indication that TransUnion systems have been breached or that data has been exfiltrated from our environment.”
The investigation into the claims found that the information leaked by USDoD was likely obtained from another organization’s systems, given that the data and its formatting are different than TransUnion’s.
“Through our investigation, we have found that multiple aspects of the messages – including the data, formatting, and fields – do not match the data content or formats at TransUnion, indicating that any such data came from a third party,” TransUnion said.
According to the USDoD’s listing published on a hacking forum over the weekend, the database allegedly stolen from TransUnion’s systems includes a wide range of sensitive information of roughly 59,000 people worldwide.
The threat actor was also linked to the attempted sale of InfraGard’s user database on Breached in December 2023 for $50,000, stolen after obtaining InfraGard membership through social engineering.
“USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other,” Brian Krebs reported at the time.
“USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.”
The data contained the sensitive information of over 80,000 members of InfraGard, an FBI program designed to share intelligence between state and local law enforcement agencies and private sector organizations.
ShroudedSnooper’s HTTPSnoop Backdoor Targets Middle East Telecom Companies
Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop.
HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.
Also part of the threat actor’s arsenal is a sister implant codenamed PipeSnoop that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
It’s suspected that ShroudedSnooper exploits internet-facing servers and deploys HTTPSnoop to gain initial access to target environments, with both the malware strains impersonating components of Palo Alto Networks’ Cortex XDR application (“CyveraConsole.exe”) to fly under the radar.
Three different HTTPSnoop variants have been detected to date. The malware uses low-level Windows APIs to listen for incoming requests matching predefined URL patterns, which are then picked up to extract the shellcode to be executed on the host.
These HTTP URLs imitate those from Microsoft Exchange Web Services, OfficeTrack, and provisioning services associated with an Israeli telecommunications company in an attempt to make malicious requests nearly indistinguishable from benign traffic.
The nature of the malware indicates that PipeSnoop cannot function as a standalone implant and that it requires an auxiliary component, which acts as a server to obtain the shellcode via other methods and uses the named pipe to pass it on to the backdoor.
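A defender-side check for the behaviour described above, added here as an example and not code from the original report: it parses the request-queue listing that HTTP.sys exposes through netsh, maps each registered URL to its owning process, and flags URLs owned by anything outside an allow-list, marking those whose path imitates Exchange Web Services or OfficeTrack. The netsh output layout, the allow-list and the PID-to-image map are assumptions built into a constructed sample.

```python
# Assumed allow-list of images that normally own HTTP.sys URL registrations;
# tune it to the host role (IIS, WinRM, Exchange, ...).
EXPECTED_OWNERS = {"system", "svchost.exe", "w3wp.exe"}
# Path fragments the report says HTTPSnoop imitates (Exchange Web Services, OfficeTrack).
MIMICKED_PATHS = ("/ews/", "/autodiscover/", "/officetrack")

# Constructed sample in the (assumed) layout printed by
# `netsh http show servicestate view=requestq verbose=yes`.
SAMPLE_NETSH = """\
Request queues:

    Request queue name: Request queue is unnamed.
        Process IDs:
            4
        URL groups:
            Request queue name: Request queue is unnamed.
            Registered URLs:
                HTTP://+:5985/WSMAN/

    Request queue name: Request queue is unnamed.
        Process IDs:
            6120
        URL groups:
            Request queue name: Request queue is unnamed.
            Registered URLs:
                HTTPS://+:443/ews/exchange.asmx/
                HTTPS://+:443/autodiscover/autodiscover.xml/
"""
# Constructed PID -> image map (what `tasklist` reports); the second name is the
# Cortex XDR binary the report says the implants impersonate.
SAMPLE_PIDS = {4: "System", 6120: "CyveraConsole.exe"}

def parse_request_queues(text):
    """Return one {"pids": [...], "urls": [...]} dict per HTTP.sys request queue."""
    queues, current, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if line.startswith("Request queue name:") and indent <= 4:
            current = {"pids": [], "urls": []}   # top-level entry: new queue
            queues.append(current)
            mode = None
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            current["pids"].append(int(line))
        elif mode == "urls" and line.lower().startswith("http"):
            current["urls"].append(line)
        elif ":" in line:
            mode = None   # any other "Key: value" line ends the current list
    return queues

def suspicious_listeners(queues, pid_to_image):
    """(pid, image, url, mimics_known_service) for URLs owned by unexpected processes."""
    hits = []
    for q in queues:
        for pid in q["pids"]:
            image = pid_to_image.get(pid, "<unknown>").lower()
            if image in EXPECTED_OWNERS:
                continue
            for url in q["urls"]:
                path = "/" + url.split("/", 3)[3].lower() if url.count("/") >= 3 else "/"
                hits.append((pid, image, url, any(m in path for m in MIMICKED_PATHS)))
    return hits
```

On a Windows host, feed the stdout of `netsh http show servicestate view=requestq verbose=yes` to `parse_request_queues` and build the PID map from `tasklist /FO CSV /NH`.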
The targeting of the telecom sector, particularly in the Middle East, has become something of a pattern in recent years.
In January 2021, a set of attacks orchestrated by Lebanese Cedar and aimed at telecom operators in the U.S., the U.K., and Middle-East Asia came to light. Later that December, Broadcom-owned Symantec shed light on an espionage campaign targeting telecom operators in the Middle East and Asia by a likely Iranian threat actor known as MuddyWater (aka Seedworm).
Other adversarial collectives tracked under the monikers BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium) have also been attributed to attacks on telecommunication service providers in the region over the past year.
Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data
Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data.
The leak was discovered on the company’s AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data. It also included a disk backup of two former employees’ workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.
The repository, named “robust-models-transfer,” is no longer accessible. Prior to its takedown, it featured source code and machine learning models pertaining to a 2020 research paper titled “Do Adversarially Robust ImageNet Models Transfer Better?”
Specifically, the repository’s README.md file instructed developers to download the models from an Azure Storage URL that accidentally also granted access to the entire storage account, thereby exposing additional private data.
In response to the findings, Microsoft said its investigation found no evidence of unauthorized exposure of customer data and that “no other internal services were put at risk because of this issue.” It also emphasized that customers need not take any action on their part.
The Windows maker further noted that it revoked the SAS token and blocked all external access to the storage account. The problem was resolved two days after responsible disclosure.
To mitigate such risks going forward, the company has expanded its secret scanning service to include any SAS token that may have overly permissive expirations or privileges. It said it also identified a bug in its scanning system that flagged the specific SAS URL in the repository as a false positive.
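The kind of check Microsoft describes expanding its secret scanning to, written here as an added example (not Microsoft's scanner or the repository's code): it pulls SAS URLs out of README text and flags an account-scoped token, container enumeration rights, write/delete permissions and an expiry beyond a lifetime limit. The thresholds, the README excerpt, the reference date and the placeholder signature are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Policy thresholds are assumptions for this example, not Microsoft's scanner rules.
MAX_LIFETIME_DAYS = 7
SENSITIVE_PERMS = set("wdlacu")  # write, delete, list, add, create, update
SAS_URL_RE = re.compile(r"https://[^\s\"'<>)]+\?[^\s\"'<>)]*sig=[^\s\"'<>)]+")
NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)  # fixed reference date for reproducible output

# Constructed README excerpt; the signature is a placeholder, not a real token.
README = """Download the pretrained models from
https://examplestorage.blob.core.windows.net/models/?sv=2020-08-04&ss=b&srt=sco&sp=rwdlac&se=2051-10-06T00:00:00Z&sig=PLACEHOLDER_SIGNATURE
and unpack them into ./models.
"""

def parse_sas(url):
    """Return the query parameters of an Azure Storage URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def _parse_time(value):
    """SAS times are ISO 8601 UTC (e.g. 2023-09-20T00:00:00Z); None if malformed."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess_sas(url, now=None):
    """List the traits that made the leaked token dangerous: account-wide scope,
    container enumeration, write/delete rights and a far-off expiry."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    if "sig" not in p or "sp" not in p:
        return ["not a SAS URL"]
    findings = []
    # An account SAS (carries ss/srt) reaches every container in the account;
    # a service SAS is scoped to one container or blob.
    if "ss" in p or "srt" in p:
        findings.append("account-level SAS: whole storage account in scope")
        if "c" in p.get("srt", ""):
            findings.append("srt includes 'c': containers can be enumerated")
    extra = set(p["sp"]) & SENSITIVE_PERMS
    if extra:
        findings.append("permissions beyond read: " + "".join(sorted(extra)))
    expiry = _parse_time(p.get("se", ""))
    if expiry is None:
        findings.append("missing or unparsable expiry (se)")
    elif (expiry - now).days > MAX_LIFETIME_DAYS:
        findings.append(f"expires in {(expiry - now).days} days (limit {MAX_LIFETIME_DAYS})")
    return findings

def scan_text(text, now=None):
    """Find SAS URLs in README/markdown text and assess each one."""
    return {u: assess_sas(u, now) for u in SAS_URL_RE.findall(text)}
```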
Canadian Government Targeted With DDoS Attacks by Pro-Russia Group
The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine.
To date, the group has targeted financial, government, military, media, supply, telecoms, and transportation organizations in Ukraine and NATO-associated targets, including the Czech Republic, Denmark, Estonia, Lithuania, Norway, and Poland.
“Since 13 September 2023, the Cyber Centre has been aware and responding to reports of several distributed denial of service (DDoS) campaigns targeting multiple levels within the Government of Canada, as well as the financial and transportation sectors,” the Canadian Centre for Cyber Security warns.
In July 2022, Canada’s Cyber Centre assessed that Russian state-sponsored threat actors would continue to engage in malicious activities in support of Russia’s military objectives in Ukraine. In February, the Centre observed similar DDoS activity targeting Ukraine-supporting countries.
NoName057(16) uses a botnet to target the web servers of victim organizations and then boasts about its malicious activities.
Previous reporting revealed that, throughout 2022, NoName057(16) was abusing systems infected with the Bobik malware to launch disruptive DDoS attacks.
“In most cases, this nuisance activity can be managed by on-premises solutions; however, assistance from third party DDoS solutions should be considered to prevent significant and focused malicious activity,” the Canadian government’s recent alert reads.
Meant to raise awareness on NoName057(16)’s activities, the alert also provides guidance on how targeted organizations should protect themselves.
Canadian organizations are advised to review systems to identify potential DDoS activity, review and proactively implement DDoS protections, review the US CISA’s guidance on mitigating DDoS attacks, improve internet gateways’ monitoring and protections, isolate web-facing applications, and report NoName057(16)-suspected DDoS attacks to the Cyber Centre.
APT36 State Hackers Infect Android Devices Using YouTube App Clones
The APT36 hacking group, aka ‘Transparent Tribe,’ has been observed using at least three Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), ‘CapraRAT.’
Once the malware is installed on a victim’s device, it can harvest data, record audio and video, or access sensitive communication information, essentially operating like a spyware tool.
APT36 is a Pakistan-aligned threat actor known for using malicious or laced Android apps to attack Indian defense and government entities, those dealing with Kashmir region affairs, and human rights activists in Pakistan.
This latest campaign warns people and organizations linked to military or diplomacy in India and Pakistan to be very wary of YouTube Android apps hosted on third-party sites.
The malicious APKs are distributed outside Google Play, Android’s official app store, so the victims are most likely socially engineered to download and install them.
The APKs were uploaded to VirusTotal in April, July, and August 2023, with two of them being called ‘YouTube’ and one ‘Piya Sharma’ associated with the channel of a persona likely used in romance-based tactics.
During installation, the malware apps request numerous risky permissions, some of which the victim might treat without suspicion for a media streaming app like YouTube.
The interface of the malicious apps attempts to imitate Google’s real YouTube app, but it resembles a web browser rather than the native app due to using WebView from within the trojanized app to load the service. Also, it misses several of the features available on the actual platform.
Once the CapraRAT is up and running on the device, it performs the following actions:
- Recording with the microphone, front & rear cameras
- Collecting SMS and multimedia message contents, call logs
- Sending SMS messages, blocking incoming SMS
- Initiating phone calls
- Taking screen captures
- Overriding system settings such as GPS & Network
- Modifying files on the phone’s filesystem
CapraRAT variants spotted in the recent campaign feature enhancements over previously analyzed samples, indicating continuous development.
Regarding the attribution, the C2 (command and control) server addresses CapraRAT communicates with are hardcoded in the app’s configuration file and have been associated with past Transparent Tribe activities.
Some IP addresses retrieved are linked with other RAT campaigns, though the exact relationship between the threat actors and those remains unclear.
TikTok Faces Massive €345 Million Fine Over Child Data Violations in E.U.
The Irish Data Protection Commission (DPC) has issued TikTok with a €345 million (about $368 million) fine for violating the European Union’s General Data Protection Regulation (GDPR) in relation to its handling of children’s data.
The investigation, initiated in September 2021, examined how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020.
Some of the major findings include –
- The content posted by child users was set to public by default, thereby allowing any individual (with or without TikTok) to view the material and exposing them to additional risks
- A failure to provide transparency information to child users
- The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos
- A weakness in the Family Sharing setting that allowed any non-child user (someone who could not be verified as a parent or their guardian) to pair their account to that of a minor’s, which made it possible for the adult user to enable direct messages for child users above the age of 16
In addition to the financial penalty, the DPC has ordered TikTok to bring its processing mechanisms into compliance within three months.
“Social media companies have a responsibility to avoid presenting choices to users, especially children, in an unfair manner – particularly if that presentation can nudge people into making decisions that violate their privacy interests,” Anu Talus, EDPB Chair, said.
“Options related to privacy should be provided in an objective and neutral way, avoiding any kind of deceptive or manipulative language or design.”
In a statement shared on its website, the company disagreed with the decision and said that the criticisms are focused on features and settings that were in place three years ago, which have since been changed by setting all under-16 accounts to private by default. It’s not immediately clear whether the company intends to appeal the ruling.
The company also said it will roll out a redesigned account registration flow for new 16 and 17-year-old users late this month that will be pre-selected to a private account. TikTok has about 134 million monthly users in the E.U.
TikTok was previously handed a €5 million (about $5.4 million) fine by the French data protection watchdog in January 2023 for breaking cookie consent rules and for making the opt-out mechanism more complex than opting in.
Then in April 2023, it was fined £12.7 million by the U.K. Information Commissioner’s Office (ICO) for illegally processing the data of 1.4 million children under 13 who were using its platform without parental consent.
Outside of Europe, the ByteDance-owned company also paid in 2019 a $5.7 million penalty to settle U.S. Federal Trade Commission (FTC) allegations that it breached the Children’s Online Privacy Protection Act (COPPA) by failing to seek parental consent from users under the age of 13 before collecting information.
The development arrives days after California’s Attorney General announced that Google would fork out $93 million to settle a privacy lawsuit alleging it violated the U.S. state’s consumer protection laws by collecting users’ location data for consumer profiling and advertising purposes without informed consent.