Thursday, December 21st, 2023
Cybersecurity Week in Review (22/12/2023)
New Phishing Attack Steals Your Instagram Backup Codes to Bypass 2FA
A new phishing campaign pretending to be a ‘copyright infringement’ email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account.
Using 2FA helps protect your account if your credentials are stolen or purchased on a cybercrime marketplace, because a threat actor holding only your password still needs the second factor, typically tied to your mobile device or email, to log in.
When you enable two-factor authentication on Instagram, the site also issues eight-digit backup codes that can be used to regain access if you cannot complete the 2FA challenge, for example after switching your mobile number, losing your phone, or losing access to your email account.
Backup codes therefore carry a risk of their own: a backup code is a complete substitute for the second factor, so a threat actor who obtains one together with the target’s credentials (stolen through phishing or found in unrelated data breaches) can log in from an unrecognized device and hijack the account without ever touching the victim’s phone or email.
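As an added illustration, not Instagram’s or Meta’s own code, the following Python models a backup-code store the way a service should implement it (codes from a CSPRNG, only salted hashes kept, constant-time comparison, single use) and then shows the login decision that makes the phishing campaign work: a valid password plus one backup code is accepted with no device or email involved at all. The batch size of five and the PBKDF2 parameters are assumptions; only the eight-digit format comes from the report.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

CODE_DIGITS = 8          # Instagram backup codes are eight digits (per the report)
CODE_COUNT = 5           # batch size is an assumption for this example
PBKDF2_ROUNDS = 100_000  # assumption; tune to your latency budget


def generate_backup_codes(count: int = CODE_COUNT) -> List[str]:
    """Return `count` zero-padded random codes drawn from a CSPRNG (never `random`)."""
    return [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(count)]


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted slow hash, so a leaked database does not directly yield usable codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side store for one account: keeps hashes only, burns a code on first use."""

    def __init__(self, codes: List[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes = [hash_code(c, self.salt) for c in codes]

    def redeem(self, candidate: str) -> bool:
        """True if `candidate` matches an unused code; that code is then invalidated."""
        if len(candidate) != CODE_DIGITS or not candidate.isdigit():
            return False
        digest = hash_code(candidate, self.salt)
        match = None
        # Compare against every stored hash so timing does not reveal which slot matched.
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(digest, stored):
                match = i
        if match is None:
            return False
        del self._hashes[match]  # single use: the code is gone after one redemption
        return True

    def remaining(self) -> int:
        return len(self._hashes)


def login(password_ok: bool, store: BackupCodeStore, live_factor_ok: bool = False,
          backup_code: Optional[str] = None) -> bool:
    """Model of the login decision. A backup code fully replaces the live second factor:
    an attacker holding the phished password and one code needs no access to the
    victim's phone or email, which is exactly what the phishing page harvests."""
    if not password_ok:
        return False
    if live_factor_ok:
        return True
    return backup_code is not None and store.redeem(backup_code)
```

Hashing and single use limit the damage of a database leak or a replayed code, but they do nothing against a relay: the phishing page collects a fresh, unused code and spends it first. The only user-side remedy after such an incident is to regenerate the whole batch, which invalidates every code the attacker holds.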
Copyright infringement phishing messages claim the recipient has posted something that violates intellectual property protection laws, and hence, their account has been restricted. Recipients of these messages are urged to click a button to appeal the decision, which redirects them to phishing pages where they enter their account credentials and other details.
The same theme has been used several times, including against Facebook users, and has facilitated infection chains for the LockBit ransomware and the BazaLoader malware, among others.
The latest variant of these attacks was spotted by analysts, who report that the increasing adoption rate of 2FA protection pushes phishing actors to broaden their targeting scope.
The latest phishing emails impersonate Meta, Instagram’s parent company, warning that Instagram users received copyright infringement complaints. The email then prompts the user to fill out an appeal form to resolve the issue.
Clicking the button takes the target to a phishing site impersonating Meta’s actual violations portal, where the victim clicks a second button labeled “Go to Confirmation Form (Confirm My Account)”. The second button redirects to another phishing page designed to appear as Meta’s “Appeal Center” portal, where the victims are requested to enter their username and password (twice).
After siphoning these details, the phishing site asks the target if their account is protected by 2FA and, upon confirmation, requests the 8-digit backup code.
Despite the campaign being characterized by multiple signs of fraud, like the sender’s address, the redirection page, and phishing page URLs, the convincing design and sense of urgency could still trick a significant percentage of targets into giving away their account credentials and backup codes.
New Go-Based JaskaGO Malware Targeting Windows and macOS Systems
A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems. The malware is equipped with an extensive array of commands from its command-and-control (C&C) server.
Artifacts designed for macOS were first observed in July 2023, impersonating installers for legitimate software such as CapCut. Other variants of the malware have masqueraded as AnyConnect and security tools.
Upon installation, JaskaGO runs checks to determine if it is executing within a virtual machine (VM) environment, and if so, executes a harmless task like pinging Google or printing a random number in a likely effort to fly under the radar.
In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating running processes, and downloading additional payloads.
It’s also capable of modifying the clipboard to facilitate cryptocurrency theft by substituting wallet addresses and siphoning files and data from web browsers.
On macOS, JaskaGO uses a multi-step process to establish persistence: it runs itself with root permissions, disables Gatekeeper protections, and creates a custom launch daemon (or launch agent) so that it is launched automatically at system startup.
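The persistence described above leaves a launchd property list on disk, which is where a responder would look first. As an added example, not code from the JaskaGO report or from the malware itself, the following Python triages LaunchDaemon/LaunchAgent plists offline: it flags jobs that execute code from user-writable paths, that carry Gatekeeper-disabling `spctl` switches, or that dress a non-Apple binary in an Apple-style label. The two sample plists are constructed, and the trusted-path list and `spctl` strings are assumptions, since the report does not quote the malware’s exact command line.

```python
import plistlib
import re
from typing import Dict, List

# Where legitimately installed launchd jobs normally point. Anything else deserves a look.
# This list is an assumption for the example, not taken from the JaskaGO report.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")

# The report says JaskaGO disables Gatekeeper but does not quote the command; these are
# the documented spctl switches that do so and are assumed here.
GATEKEEPER_TAMPER = ("spctl --master-disable", "spctl --global-disable")

# Constructed sample plists: an Apple-style daemon, and one modelled on the behaviour
# described above (boot-time daemon, payload in a hidden user-writable path, Gatekeeper off).
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.update.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/Shared/.cache/updater; spctl --master-disable</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}


def triage_launchd_job(raw: bytes) -> List[str]:
    """Return human-readable findings for one plist; an empty list means nothing flagged."""
    job = plistlib.loads(raw)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    cmdline = " ".join(args)
    findings: List[str] = []
    # Every absolute path in the command line, including ones hidden behind `sh -c`.
    for path in re.findall(r"/[^\s;'\"]+", cmdline):
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"runs code from untrusted path: {path}")
    for pattern in GATEKEEPER_TAMPER:
        if pattern in cmdline:
            findings.append(f"disables Gatekeeper: {pattern}")
    label = job.get("Label", "")
    if label.startswith("com.apple.") and not cmdline.startswith(("/System/", "/usr/")):
        findings.append(f"Apple-looking label with non-Apple binary: {label}")
    if findings and job.get("RunAtLoad"):
        findings.append("starts at boot (RunAtLoad)")
    return findings


def scan(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Only the jobs with findings, keyed by plist path."""
    return {path: f for path, raw in plists.items() if (f := triage_launchd_job(raw))}
```

On a live host, feed `scan` the contents of `/Library/LaunchDaemons`, `/Library/LaunchAgents` and each user’s `~/Library/LaunchAgents`, and confirm the Gatekeeper state independently with `spctl --status`. Path heuristics catch the pattern described here but not a payload dropped inside `/Applications`, so treat a clean result as a starting point rather than a verdict.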
It’s currently not known how the malware is distributed and if it entails phishing or malvertising lures. The scale of the campaign remains unclear as yet.
Source – https://thehackernews.com/2023/12/new-go-based-jaskago-malware-targeting.html
Healthcare Software Provider Data Breach Impacts 2.7 Million
ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack.
According to the notification, the intrusion occurred on September 28 and resulted in data being exfiltrated before the hackers encrypted a number of company systems.
During the investigation of the incident, ESO Solutions discovered that the attackers accessed one machine that contained sensitive personal data.
On October 23, the company determined that the data breach caused by the ransomware attack impacted patients associated with its customers, including hospitals and clinics in the U.S. The type of data exposed includes the following:
- Full name
- Dates of birth
- Phone number
- Patient account/medical record number
- Injury type and date
- Diagnosis information
- Treatment type and date
- Procedure information
- Social Security Number (SSN)
The exact types of data exposed vary per individual, depending on the details the patients provided to the healthcare organizations using ESO’s software and the care services they received.
The software vendor has informed the FBI and state authorities of the incident. All impacted customers were notified on December 12, and some of the affected hospitals started sending notices of a breach to their patients in the days that followed.
“At this time, we do not have evidence that your information has been misused,” reads the notification to impacted patients.
To mitigate the risk of the data breach, ESO offers 12 months of identity monitoring service coverage through Kroll to all notice recipients.
As of writing, the following healthcare providers are confirmed as impacted by the ransomware attack at ESO:
- Mississippi Baptist Medical Center
- Community Health Systems Merit Health Biloxi
- Merit Health River Oaks
- ESO EMS Agency
- Forrest Health Forrest General Hospital
- HCA Healthcare Alaska Regional Hospital
- Memorial Hospital at Gulfport Health System
- Providence St Joseph Health (Providence Kodiak Island Medical Center)
- Providence Alaska Medical Center
- Universal Health Services (UHS) Manatee Memorial Hospital
- Desert View Hospital
- Ascension Providence Hospital in Waco
- Tallahassee Memorial
- Manatee Memorial Hospital
- CaroMont Health
Unfortunately, these supply-chain breaches have become all too common in the healthcare space, impacting patient data safety and threatening the operational and financial stability of medical institutions.
Mr. Cooper Data Breach Impacts 14.7 Million Individuals
Mortgage giant Mr. Cooper is sending notification letters to 14.7 million individuals to inform them that their personal information was stolen in a recent cyberattack.
The incident was identified on October 31, resulting in certain systems being taken down, including those used for processing customer payments, the company announced in early November. On December 15, Mr. Cooper started notifying customers that, between October 30 and November 1, the attackers had access to certain systems and exfiltrated files containing customer personal information.
“Based on our investigation to date, roughly 14.7 million homeowners, representing former and current customers and co-borrowers, had personal information contained in the files that were affected by this incident,” the company says in an incident notice.
In the notification letter sent to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office, Mr. Cooper says that the compromised personal information includes names, addresses, dates of birth, phone numbers, Social Security numbers, and bank account numbers.
On its website, the company clarifies that “a limited group of approximately 32,000 reverse mortgage customers’ bank account numbers were contained in the files that were affected by this incident.”
Mr. Cooper says it has fully restored the systems that were locked down following the attack, and that it is monitoring the dark web to see if the stolen data is being shared by the attackers.
The company says it has no evidence at this time that the stolen information was misused for fraud or identity theft, but it is providing identity protection and credit monitoring services to the impacted individuals and encourages them to enroll.
Mr. Cooper has not provided specific details on the type of cyberattack it has suffered, but taking systems offline is the typical response to a ransomware attack.
Source – https://www.securityweek.com/mr-cooper-data-breach-impacts-14-7-million-individuals/
Xfinity Customer Data Compromised in Attack Exploiting CitrixBleed Vulnerability
Comcast’s Xfinity is informing customers that their information was compromised in a cyberattack that exploited the vulnerability known as CitrixBleed. Nearly 36 million individuals are impacted.
CitrixBleed, officially tracked as CVE-2023-4966, is a critical vulnerability affecting Citrix’s NetScaler ADC and NetScaler Gateway appliances. An unauthenticated attacker can exploit the flaw to read session tokens out of appliance memory and hijack existing authenticated sessions, inheriting the victim’s access to the targeted organization’s systems and sidestepping any multi-factor authentication that session had already satisfied.
Patches were announced by Citrix on October 10, but the vulnerability had been exploited as a zero-day since August. Mass exploitation of CitrixBleed was underway a few weeks after the patch was announced, and reports started emerging about its use in attacks aimed at major companies. Because the flaw leaks live session tokens, applying the patch does not evict an attacker who already holds one; Citrix advised administrators to terminate all active and persistent sessions after upgrading.
In Xfinity’s case, the telecommunications and smart home solutions provider said it “promptly patched and mitigated” the vulnerability within its systems. However, it discovered on October 25 during a routine cybersecurity exercise that CitrixBleed had been exploited against its systems, with hackers having access between October 16 and 19.
An investigation revealed on November 16 that information had likely been stolen by the attackers. While the analysis is ongoing, Xfinity determined on December 6 that customer information such as usernames and hashed passwords had been compromised.
For some customers, information such as name, contact details, date of birth, last four digits of social security number, and security questions and answers may have also been stolen.
Xfinity is now notifying customers and requiring them to reset their passwords. The company is also advising them to ensure that multi-factor authentication is enabled on their account.
The CitrixBleed vulnerability is believed to have been involved in attacks against many organizations around the world, including high-profile companies such as Toyota.
FBI Disrupts Blackcat Ransomware Operation, Creates Decryption Tool
The Department of Justice announced that the FBI successfully breached the ALPHV ransomware operation’s servers to monitor their activities and obtain decryption keys.
On December 7th, it was first reported that the ALPHV, aka BlackCat, websites suddenly stopped working, including the ransomware gang’s Tor negotiation and data leak sites. While the ALPHV admin claimed it was a hosting issue, it was believed to be a law enforcement operation.
This week, the Department of Justice confirmed this, stating that the FBI had conducted a law enforcement operation that gave it access to ALPHV’s infrastructure.
With this access, the FBI silently monitored the ransomware operation for months while siphoning decryption keys. These decryption keys allowed the FBI to help 500 victims recover their files for free, saving approximately $68 million in ransom demands.
In addition, the FBI has seized the domain for ALPHV’s data leak site, which now displays a banner stating that it was seized in an international law enforcement operation. The FBI says it seized the website after obtaining the public/private key pairs for the Tor hidden services the site operated under, allowing it to take control of the URLs.
“During this investigation, law enforcement gained visibility into the Blackcat Ransomware Group’s network,” reads an unsealed search warrant.
“As a result, the FBI identified and collected 946 public/private key pairs for Tor sites that the Blackcat Ransomware Group used to host victim communication sites, leak sites, and affiliate panels like the ones described above.”
“The FBI has saved these public/ private key pairs to the Flash Drive.”
The seizure message states the law enforcement operation was conducted by police and investigative agencies from the US, Europol, Denmark, Germany, the UK, the Netherlands, Australia, Spain, and Austria.
“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV BlackCat ransomware,” reads the seizure message.
“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen.”
In its “unseizure” message, the gang announced a new Tor URL for its data leak site, for which the FBI does not hold the private keys and which it therefore cannot seize the same way.
The gang claimed the FBI only obtained decryption keys for roughly the last month and a half of activity, covering about 400 companies, and said that 3,000 other victims will now lose their keys.
The operation also said they are removing all restrictions from their affiliates, allowing them to target any organization they wish, including critical infrastructure. Affiliates are still restricted from attacking countries in the Commonwealth of Independent States (CIS), which were previously part of the Soviet Union.
Finally, the operation increased the affiliates’ revenue share to 90% of any paid ransom, likely to dissuade them from switching to a competing ransomware-as-a-service operation.
Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide
The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S.
“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” authorities said.
Also called Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware.
It’s worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 2023, per data from Corvus.
It was revealed that Play is being offered to other threat actors “as a service,” completing its transformation into a ransomware-as-a-service (RaaS) operation.
Play intrusions are characterized by a mix of public and bespoke tools: AdFind to run Active Directory queries; GMER, IOBit, and PowerTool to disable antivirus software; and Grixba to enumerate network information and to collect details about the backup software and remote administration tools installed on a machine.
The threat actors have also been observed to carry out lateral movement and data exfiltration and encryption steps, banking on Cobalt Strike, SystemBC, and Mimikatz for post-exploitation.
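The tool list above is what a detection engineer would turn into a hunt. As an added example, not from the advisory or the source article, the following Python sweeps constructed process-creation events for that tooling and flags hosts where two or more distinct tool categories appear, since one AdFind run is noise but AdFind plus an AV killer on the same host is a story. The tool names come from the advisory as summarized here; the regexes, category labels and the two-category threshold are this example’s own heuristics.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

# Tool names are from the advisory summary above; the regexes, the category labels and
# the "two or more categories on one host" rule are assumptions made for this example.
TOOL_SIGNATURES = {
    "ad_recon":   re.compile(r"\badfind\b", re.I),
    "av_kill":    re.compile(r"\b(gmer|powertool\w*|iobit\w*)\b", re.I),
    "net_enum":   re.compile(r"\bgrixba\b", re.I),
    "cred_theft": re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I),
    "c2":         re.compile(r"\bsystembc\b|cobalt\s*strike|\bbeacon\.(exe|dll)\b", re.I),
}

# Constructed process-creation events (host, image, command line), one JSON object per line.
SAMPLE_LOG = r"""
{"host": "WS01", "image": "C:\\Temp\\adfind.exe", "cmdline": "adfind.exe -f objectcategory=computer -csv"}
{"host": "WS01", "image": "C:\\Temp\\powertool64.exe", "cmdline": "powertool64.exe"}
{"host": "SRV02", "image": "C:\\Users\\Public\\mk.exe", "cmdline": "mk.exe privilege::debug sekurlsa::logonpasswords"}
{"host": "WS07", "image": "C:\\Windows\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""


def parse_events(text: str) -> List[dict]:
    """One event per non-blank JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: dict) -> Set[str]:
    """Categories of Play-associated tooling matched in the image name or command line.
    Matching the command line as well as the image catches a renamed binary whose
    arguments still give it away (the SRV02 sample above)."""
    haystack = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return {cat for cat, rx in TOOL_SIGNATURES.items() if rx.search(haystack)}


def correlate(events: List[dict], min_categories: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least `min_categories` distinct tool categories were observed."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {host: sorted(cats) for host, cats in per_host.items() if len(cats) >= min_categories}
```

Name-based matching only finds tooling the operators did not bother to rename; pair it with file hashes and behavioural signals (for example LSASS handle access for the credential-theft stage) before treating a quiet result as reassurance.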
“The Play ransomware group uses a double-extortion model, encrypting systems after exfiltrating data,” the agencies said. “Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.”
According to available statistics, Play claimed nearly 40 victims in November 2023 alone, though it still trails well behind its peers LockBit and BlackCat (aka ALPHV and Noberus).
The alert comes days after U.S. government agencies released an updated bulletin about the Karakurt group, which is known to eschew encryption-based attacks in favor of pure extortion after obtaining initial access to networks via purchasing stolen login credentials, intrusion brokers (aka initial access brokers), phishing, and known security flaws.
“Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the government said.
The developments also come amid speculation that the BlackCat ransomware may have been the target of a law enforcement operation after its dark web leak portals went offline for five days. However, the e-crime collective pinned the outage on a hardware failure.
What’s more, another nascent ransomware group known as NoEscape is alleged to have pulled an exit scam, effectively “stealing the ransom payments and closing down the group’s web panels and data leak sites,” prompting other gangs like LockBit to recruit their former affiliates.
That the ransomware landscape keeps evolving and shifting, whether or not because of external pressure from law enforcement, is hardly surprising. This is further evidenced by the collaboration between the BianLian, White Rabbit, and Mario ransomware gangs in a joint extortion campaign targeting publicly traded financial services firms.
Source – https://thehackernews.com/2023/12/double-extortion-play-ransomware.html
Suspected Cyberattack Paralyzes the Majority of Gas Stations Across Iran
Nearly 70% of Iran’s gas stations went out of service on Monday following possible sabotage — a reference to cyberattacks, Iranian state TV reported. The report said a “software problem” caused the irregularity in the gas stations. It urged people not to rush to the stations that were still operational.
Israeli media, including the Times of Israel, blamed the problem on an attack by a hacker group dubbed “Gonjeshke Darande” (Predatory Sparrow). State TV quoted a statement by the Oil Ministry as saying more than 30% of gas stations remain in service. The country has some 33,000 gas stations.
In recent years, Iran has seen a series of cyberattacks on its filling stations, railway system and industries. Surveillance cameras in government buildings, including prisons, have also been hacked in the past.
In 2022, the Gonjeshke Darande group hacked a major steel company in the southwest of the country. A cyberattack on Iran’s fuel distribution system in 2021 paralyzed gas stations across the country, leading to long lines of angry motorists. The hacking group claimed responsibility for the attack on fuel pumps.
The country disconnected much of its government infrastructure from the internet after the Stuxnet computer virus — widely believed to be a joint U.S.-Israeli creation — disrupted thousands of Iranian centrifuges in the country’s nuclear sites in the late 2000s.
Iran, long under Western sanctions, has difficulty obtaining up-to-date hardware and software and often relies on Chinese-manufactured electronics or older systems no longer patched by their manufacturers, which makes them easier targets. Pirated versions of Windows and other software are common across Iran.
Vans and North Face Owner VF Corp Hit by Ransomware Attack
American global apparel and footwear giant VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, has disclosed a security incident that caused operational disruptions.
VF Corp. is a Colorado-based apparel firm owning 13 globally recognized brands. The company employs 35,000 people and has an annual revenue of $11.6 billion. Apart from the brands mentioned above, VF Corp. owns Dickies, Eastpak, Kipling, Napapijri, AND1, JanSport, Icebreaker, Altra Running, and SmartWool.
In a Form 8-K disclosure filed with the U.S. SEC (Securities and Exchange Commission) on Friday, VF informed shareholders of a cyberattack that occurred on December 13, 2023. In response to the detected unauthorized access on its network, the company shut down some of its systems and brought in external experts to help contain the attack.
However, the threat actors managed to encrypt some of the company’s computers and steal personal data.
“The threat actor disrupted the company’s business operations by encrypting some IT systems, and stole data from the company, including personal data,” warned VF Corp.
It is unclear if the stolen data impacts only employees, suppliers, resellers, partners, or customers.
While the attack bears all the hallmarks of a ransomware attack, at the time of writing this, no ransomware groups have taken responsibility for the incident.
The impact of the incident on the company’s operation is significant and is expected to have a lasting effect on the business.
“The company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerce consumers and wholesale customers,” reads the SEC filing.
“As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the company’s business operations until recovery efforts are completed.”
VF Corp says its physical retail stores will operate normally worldwide. Still, customers will likely experience delays in the fulfillment of online orders or an inability to place orders on some of the brands’ e-commerce sites.
The company is still assessing the full extent of the security breach and its potential impact on financials and operations. The timing of the incident during the Christmas shopping season no doubt exacerbates the situation.
Delta Dental Says Data Breach Exposed 7 Million Customers
Dental insurance giant Delta Dental of California is informing more than 6.9 million individuals that their personal information was compromised as a result of the MOVEit hacking incident.
In notification letters it started sending out last week to the impacted individuals, the company says the attackers stole names, addresses, Social Security numbers, passport numbers, state identification numbers (such as driver’s license numbers), financial account details, tax identification numbers, and health insurance and health information.
The information was compromised after the Cl0p ransomware gang exploited a vulnerability in the MOVEit Transfer managed file transfer application to tap into the data organizations were transferring using the service.
In an incident notice posted on its website, Delta Dental says it was alerted of the MOVEit hack on June 1, and that its investigation determined in July that the attackers had access to its information on the service between May 27 and May 30.
“On November 27, 2023, the company determined what personal information was affected and to whom it belonged,” Delta Dental says in the written notification sent to the affected individuals, a copy of which was submitted to the Maine Attorney General’s Office.
The company also outlines the steps taken to contain and remediate the incident and urges the impacted individuals to remain vigilant of any suspicious activity on their accounts, while offering them free identity monitoring services.
“Our investigation found that approximately 7 million individuals were impacted. In addition to our own investigation, we have also notified law enforcement of the incident and have been cooperating with them since,” the company says.
Delta Dental offers individual and group dental insurance plans, with more than 85 million people across the US using its services. The company says it has the largest network of dentists in the country.
According to researchers, a total of more than 2,680 organizations are confirmed to have been affected by the MOVEit hack, with the number of impacted individuals being close to 91 million.
With more than 6.9 million people impacted, Delta Dental’s MOVEit data breach is the third largest. The top two spots are taken by government services provider Maximus, with 11 million affected individuals, and healthcare SaaS provider Welltok, with approximately 8.5 million.
MongoDB Suffers Security Breach, Exposing Customer Data
MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.
The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.
It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.
In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.
That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event, and that it was resolved as of December 16, 10:22 p.m. ET.
In a follow-up statement, the company said it found no evidence of unauthorized access to MongoDB Atlas clusters –
To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident. It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.
We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. We have notified the affected customer. At this time, we have found no evidence that any other customers’ system logs were accessed.
We are continuing with our investigation, and are working with relevant authorities and forensic firms.
Update (as of December 18, 9:00 p.m. ET)
MongoDB, in an update to its advisory, said it was a victim of a phishing attack and that the malicious actor used Mullvad VPN to conceal their origins. It listed a total of 15 IP addresses from which the activity originated.
However, the company has yet to disclose when the attack took place, which systems were accessed, and how many customers’ information may be affected by the breach of its corporate systems.
Source – https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html