Thursday, February 22nd, 2024

Cybersecurity Week in Review (23/02/24)

US Government Issues Guidance on Securing Water Systems

The US government on Wednesday released new guidance on the actions that water and wastewater (WWS) sector entities should take to improve the resilience of their networks to cyberattacks.

In addition to instructions, the document, titled Top Cyber Actions for Securing Water Systems (PDF), provides information on available free resources that can help WWS organizations assess and improve their security posture.

To minimize cyber risks to water systems, WWS entities are advised to reduce internet exposure by removing OT devices from public access, conduct regular assessments to identify vulnerable OT and IT systems and prioritize patching, and improve password hygiene by changing default passwords to unique, complex ones and implementing multi-factor authentication (MFA).

Furthermore, they should inventory OT and IT assets, focusing on software and hardware assets exposed to the internet, and should regularly back up OT and IT systems, storing the backups in isolated locations.

All systems and applications, the document notes, should be updated in a timely manner, and organizations should prioritize OT patches in line with the US cybersecurity agency CISA’s Known Exploited Vulnerabilities catalog.

Finally, the document, authored by CISA, the Environmental Protection Agency (EPA), and the FBI, says organizations should conduct cybersecurity awareness training at least once a year.

Organizations that lack the necessary resources to fully implement a cybersecurity resilience plan can access free programs, tools, services, and training that CISA and EPA provide, including a free vulnerability scanner tailored to water utilities.

All WWS entities and critical infrastructure organizations are advised to review the guide and implement the recommended actions to improve their cyber resilience.

The new guidance was published roughly one month after CISA, EPA, and the FBI released an incident response guide to help WWS entities improve their cyber resilience and incident response capabilities.

Source –

Mr. Cooper Leak Exposes Over Two Million Customers

Mr. Cooper, a major US mortgage company, left an open Google Cloud instance exposing details of millions of its customers only two months after the company suffered a severe data breach.

America’s third-largest mortgage servicer left details of its customers accessible to anyone willing to look, recent research revealed. Mr. Cooper’s open Google Cloud storage bucket contained a trove of data, including marketing materials and site assets, but more importantly, names, loan numbers, and other data about its customers.

The leak was discovered in late December 2023, less than two weeks after Mr. Cooper revealed it suffered a significant data breach in October 2023, which exposed the information of 14.6 million of the company’s clients. However, the publicly accessible data discovered by the researchers does not include data exposed in the October breach, pointing to the incidents being unrelated.

Documents with personal customer data were likely used to track Mr. Cooper’s push to adopt the “Paperless” feature, where customers are sent digital documents instead of printed ones.

The leaked data includes:

  • Names
  • Customer IDs
  • Loan numbers
  • Enrollment links for the Paperless feature
  • Email addresses
  • Phone numbers

Two kinds of sensitive files were discovered on the open instance: one type containing names and emails and another containing names and phone numbers. Files with names and emails had details on 1.7 million individuals, and files with names and phone numbers had data on 2.7 million individuals.

The leaked data also contained the names and phone numbers of other mortgage brand customers serviced by Mr. Cooper:

  • 207,672 United Wholesale Mortgage customers
  • 161,761 LakeView customers
  • 53,924 Veterans United customers
  • 37,384 USAA customers
  • 35,794 RightPath Servicing customers
  • 12,722 Wintrust Mortgage customers
  • 3,778 Paddio customers

Researchers warn that exposing personal details such as names, email addresses, and phone numbers could be misused for phishing attacks, doxxing, and distributing spam.

“Since the leak was discovered after the company reported a significant data breach, it may show that the company’s reaction to the incident was insufficient and failed to identify sensitive resources that needed proactive attention,” researchers said.

Additionally, some of the leaked details included “enrollment links,” allowing the modification of some account settings without logging in. For example, malicious actors could use the flaw to enable the “Paperless” feature for users’ loans.

“Permission to modify account settings without logging in is a poor security practice. While settings that could have been modified weren’t sensitive in this case, this is a fundamental issue and could point to other weaknesses within the website’s design,” researchers said.

According to Mr. Cooper’s website, the company has 4.3 million US customers and is the country’s third-largest mortgage servicer. The company’s revenue for 2022 stood at nearly $3 billion, and the company employed over 8,000 staff.
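The root cause described above is a storage bucket that anyone could read. The following is an added example, not code from the original article or from Mr. Cooper, showing the check a cloud engineer would run against a Google Cloud Storage bucket: it takes the IAM policy document that `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns, reports any binding granted to the special principals `allUsers` or `allAuthenticatedUsers`, and produces a cleaned policy suitable for `gcloud storage buckets set-iam-policy`. The sample policy, project name and user address are constructed.

```python
"""Audit a Google Cloud Storage bucket IAM policy for public access.

Added example (not from the article or from Mr. Cooper). Input is the JSON
policy document returned by
`gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
The sample policy below is constructed.
"""
import json

# Special principals that make a binding public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let a holder list or read objects in the bucket.
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}


def find_public_bindings(policy: dict) -> list:
    """Return one finding per (role, public principal) pair in the policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({
                    "role": role,
                    "member": member,
                    "grants_read": role in READ_ROLES,
                    # A conditional binding is still public whenever its condition holds.
                    "conditional": "condition" in binding,
                })
    return findings


def is_publicly_readable(policy: dict) -> bool:
    """True if any public principal holds a role that can read objects."""
    return any(f["grants_read"] for f in find_public_bindings(policy))


def remediated_policy(policy: dict) -> dict:
    """Copy of the policy with public principals removed; bindings left empty are dropped.

    The etag is kept so the write is rejected if the policy changed meanwhile.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            bindings.append({**binding, "members": members})
    cleaned["bindings"] = bindings
    return cleaned


# Constructed sample: an object-viewer grant to allUsers, the misconfiguration
# that exposes every object in the bucket to the internet.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "user:analyst@example.com"]}
  ],
  "etag": "CAE=",
  "version": 1
}
""")

if __name__ == "__main__":
    for f in find_public_bindings(SAMPLE_POLICY):
        print(f"PUBLIC: {f['member']} holds {f['role']} (read access: {f['grants_read']})")
    print(json.dumps(remediated_policy(SAMPLE_POLICY), indent=2))
```

Run it over every bucket in a project on a schedule; a finding with `grants_read` set is the condition that made the data above readable, and writing the remediated policy back is the fix. Buckets that genuinely serve public web assets should hold those assets separately from anything containing customer records.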

Source –

Change Healthcare Cyberattack Causes Significant Disruption

US healthcare technology giant Change Healthcare on Wednesday fell victim to a cyberattack that resulted in widespread network disruptions. The incident was initially disclosed on February 21 at 02:15 EST, when the company announced that some of its applications were unavailable.

In an update at 08:38 EST, Change Healthcare said that it was experiencing enterprise-wide connectivity issues as a result of the incident. Over 100 applications across dental, pharmacy, medical record, clinical, enrollment, patient engagement, revenue, and payment services were listed as affected.

“Change Healthcare is experiencing a network interruption related to a cyber security issue and our security experts are working to address the matter. The disruption is expected to last at least through the day,” the company said six hours later.

In the afternoon, Change Healthcare also disclosed that the disruption was caused by an outside threat and that it had disconnected its systems to contain the incident.

While Change Healthcare did not say what type of cyberattack it fell victim to, ransomware might have been involved, given that the typical response to such an attack is to disconnect the affected systems from the network.

In 2022, Change Healthcare merged with Optum, a subsidiary of UnitedHealth Group, creating one of the largest healthcare technology companies in the US. The organization handles payment processes for healthcare providers and payers across the country.

The company has access to the medical records of roughly one third of US patients, handling billions of healthcare transactions per year, and the disruption has had a significant impact on the healthcare system, with some pharmacies being unable to process prescriptions.

“Due to a nationwide outage from the largest prescription processor in North America, we are currently unable to process prescriptions at any of our four locations of Scheurer Family Pharmacy. We are still able to accept prescriptions, but unable to process them through your insurance,” Scheurer Health announced.

Source –

New SSH-Snake Malware Steals SSH Keys to Spread Across the Network

A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure.

SSH-Snake is described as a “self-modifying worm” that stands out from traditional SSH worms by avoiding the patterns typically associated with scripted attacks. The worm searches for private keys in various locations, including shell history files, and uses them to stealthily spread to new systems after mapping the network.

SSH-Snake is available as an open-source asset for automated SSH-based network traversal, which can start from one system and show the relationship with other hosts connected through SSH. However, researchers say that SSH-Snake takes the typical lateral movement concept to a new level because it is more rigorous in its search for private keys.

By avoiding the easily detectable patterns associated with scripted attacks, this new tool provides greater stealth, flexibility, configurability and more comprehensive credential discovery than typical SSH worms, therefore being more efficient and successful.

Released on January 4, 2024, SSH-Snake is a bash shell script tasked with autonomously searching a breached system for SSH credentials and utilizing them for propagation.

The researchers say that one particularity of SSH-Snake is the ability to modify itself and make itself smaller when running for the first time. It does this by removing comments, unnecessary functions, and whitespace from its code.

Designed for versatility, SSH-Snake is plug-and-play yet allows customizing for specific operational needs, including adapting strategies to discover private keys and identify their potential use.

SSH-Snake employs various direct and indirect methods to discover private keys on compromised systems, including:

  • Searching through common directories and files where SSH keys and credentials are typically stored, including .ssh directories, config files, and other locations.
  • Examining shell history files (e.g., .bash_history, .zsh_history) to find commands (ssh, scp, and rsync) that may have used or referenced SSH private keys.
  • Using the ‘find_from_bash_history’ feature to parse the bash history for commands related to SSH, SCP, and Rsync operations, which can uncover direct references to private keys, their locations, and associated credentials.
  • Examining system logs and network cache (ARP tables) to identify potential targets and gather information that might indirectly lead to discovering private keys and where they can be used.

Analysts confirmed SSH-Snake’s operational status after discovering a command and control (C2) server used by its operators to store data harvested by the worm, including credentials and victim IP addresses.

This data shows signs of active exploitation of known Confluence vulnerabilities (and possibly other flaws) for initial access, leading to the deployment of the worm on these endpoints.

According to the researchers, the tool has been used offensively on around 100 victims.

Sysdig sees SSH-Snake as “an evolutionary step” as far as malware goes because it targets a secure connection method that is widely used in corporate environments.
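The behaviour described above leaves a distinctive trace in sshd logs: a harvested key is accepted from a machine it never lived on, and the same source then fans out to many hosts in minutes. The following is an added example, not part of the article or of the SSH-Snake project, that runs those two detections over syslog-style `Accepted publickey` lines aggregated from several hosts. The log lines, host names, addresses and key fingerprints are constructed; the year is assumed because syslog timestamps do not carry one.

```python
"""Flag SSH-key-driven lateral movement in aggregated sshd logs.

Added example, not from the article or the SSH-Snake project. Two signals:
  1. fan-out: one source address authenticates to many distinct hosts
     within a short window;
  2. a travelling key: the same key fingerprint is accepted from more than
     one source address, which a key that stays on its owner's machine
     should not do.
All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH success line for key authentication (fingerprint present since 6.8).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def parse(lines, year=2024):
    """Return accepted key logins, oldest first. Syslog lines carry no year, so one is assumed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # password logins, failures and other daemons are out of scope here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "fp": m["fp"]})
    return sorted(events, key=lambda e: e["ts"])


def fan_out(events, window_s=300, threshold=3):
    """Sources that reached at least `threshold` distinct hosts inside any `window_s`-second window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(hosts) >= threshold:
                alerts[src] = sorted(hosts)
                break
    return alerts


def travelling_keys(events):
    """Key fingerprints accepted from more than one source address."""
    sources = defaultdict(set)
    for e in events:
        sources[e["fp"]].add(e["src"])
    return {fp: sorted(s) for fp, s in sources.items() if len(s) > 1}


# Constructed fleet log: alice's key is normally used from 10.0.1.50, then the
# same key is accepted from 10.0.1.77 against four hosts in under three minutes.
SAMPLE_LOG = """\
Feb 20 09:00:11 web-1 sshd[2201]: Accepted publickey for deploy from 10.0.1.20 port 50112 ssh2: ED25519 SHA256:AAAAdeployKEY
Feb 20 09:01:30 web-1 sshd[2230]: Accepted publickey for alice from 10.0.1.50 port 50113 ssh2: RSA SHA256:BBBBaliceKEY
Feb 20 11:40:02 web-1 sshd[3001]: Accepted publickey for root from 10.0.1.77 port 41000 ssh2: RSA SHA256:BBBBaliceKEY
Feb 20 11:40:09 db-1 sshd[1900]: Accepted publickey for root from 10.0.1.77 port 41001 ssh2: RSA SHA256:BBBBaliceKEY
Feb 20 11:40:15 build-1 sshd[1511]: Accepted publickey for root from 10.0.1.77 port 41002 ssh2: RSA SHA256:BBBBaliceKEY
Feb 20 11:41:03 build-1 sshd[1512]: Accepted password for bob from 10.0.1.51 port 41003 ssh2
Feb 20 11:42:20 cache-1 sshd[777]: Accepted publickey for root from 10.0.1.77 port 41004 ssh2: RSA SHA256:BBBBaliceKEY
"""

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for src, hosts in fan_out(evs).items():
        print(f"FAN-OUT  {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
    for fp, srcs in travelling_keys(evs).items():
        print(f"KEY-MOVE {fp} accepted from {', '.join(srcs)}")
```

The travelling-key signal needs `LogLevel VERBOSE` (or the default on recent OpenSSH releases, which print the fingerprint) so the fingerprint appears in the log, and it is only meaningful when logs from the whole fleet are collected in one place; each host on its own sees a single hop. A key that trips it should be treated as stolen and rotated, independent of whether the fan-out threshold was reached.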

Source –

ConnectWise Confirms ScreenConnect Flaw Under Active Exploitation

Less than 24 hours after shipping emergency patches for critical security defects in its ScreenConnect remote desktop access product, ConnectWise says hackers are already launching exploits to take over enterprise accounts.

“We received updates of compromised accounts that our incident response team have been able to investigate and confirm,” ConnectWise said in an updated advisory issued Wednesday.

The acknowledgement of in-the-wild exploitation comes as several security companies published proof-of-concept code to amplify the urgency for businesses to upgrade on-prem installations to ConnectWise ScreenConnect 23.9.8.

Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .NET code as SYSTEM on the ScreenConnect server.

An unauthenticated RCE exploit module has also been added to the Metasploit penetration testing framework, confirming that remote code execution is achieved by leveraging the vulnerability to create a new admin account and then using those credentials to upload an extension (i.e. a plugin) that hosts a payload.

ConnectWise, a company that has seen its software featured in CISA’s Known Exploited Vulnerabilities (KEV) catalog, also published three IP addresses used by malicious actors to compromise ScreenConnect accounts and urged customers to hunt for signs of infections.

The company first flagged the issue in an urgent advisory on Tuesday that cryptically described an “authentication bypass using an alternate path or channel” carrying the maximum CVSS severity score of 10/10.

A second bug, documented as an improper limitation of a pathname to a restricted directory (“path traversal”), was also fixed and tagged with a CVSS severity score of 8.4/10.

Because of the severity and risk of exploitation, ConnectWise is urging enterprise admins to install the patches “as emergency changes” within days.

ConnectWise documented the issue in an advisory marked as “critical” because it addresses vulnerabilities “that could allow the ability to execute remote code or directly impact confidential data or critical systems.”

Affected versions include ScreenConnect 23.9.7 and earlier, and the company said the issue is most relevant to on-prem or self-hosted customers.
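With the fixed build known, the first job for an administrator is to find every ScreenConnect server still below it. The following is an added example, not code from the article or from ConnectWise, that triages a constructed server inventory against the 23.9.8 fixed version named above. It compares versions component by component, because a plain string comparison would sort "23.10.1" before "23.9.8" and miss a patched server, and it ranks self-hosted instances first since the article notes the issue is most relevant to on-prem deployments. The inventory entries and their hosting labels are constructed.

```python
"""Triage a ScreenConnect server inventory against the fixed version.

Added example, not from the article or from ConnectWise. The one fact taken
from the advisory as reported is that 23.9.7 and earlier are affected and
23.9.8 carries the fix. Inventory entries below are constructed.
"""
FIXED_VERSION = "23.9.8"


def parse_version(v: str) -> tuple:
    """'23.9.7' -> (23, 9, 7); raises ValueError on anything that is not dotted digits."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {v!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is numerically below `fixed`.

    Shorter versions are padded with zeros so '23.9' compares as '23.9.0' and
    a four-part build number such as '23.9.8.1000' compares as at-or-above 23.9.8.
    """
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory, fixed: str = FIXED_VERSION):
    """Return (priority, name, verdict) rows, most urgent first (priority 0)."""
    rows = []
    for item in inventory:
        try:
            vulnerable = is_vulnerable(item["version"], fixed)
        except ValueError:
            rows.append((2, item["name"], "unknown version: inspect the server manually"))
            continue
        if not vulnerable:
            rows.append((3, item["name"], "at or above the fixed version"))
        elif item.get("hosting") == "self-hosted":
            rows.append((0, item["name"], "PATCH NOW: self-hosted and below the fixed version"))
        else:
            rows.append((1, item["name"], "verify the vendor-hosted build is at the fixed version"))
    return sorted(rows)


# Constructed inventory; version strings are illustrative, not real build numbers.
INVENTORY = [
    {"name": "sc-hq",     "version": "23.9.7",    "hosting": "self-hosted"},
    {"name": "sc-branch", "version": "23.10.1",   "hosting": "self-hosted"},
    {"name": "sc-lab",    "version": "22.8.9024", "hosting": "self-hosted"},
    {"name": "sc-cloud",  "version": "23.9.6",    "hosting": "cloud"},
    {"name": "sc-legacy", "version": "n/a",       "hosting": "self-hosted"},
]

if __name__ == "__main__":
    for priority, name, verdict in triage(INVENTORY):
        print(f"[{priority}] {name:<10} {verdict}")
```

In a real deployment the inventory would come from an asset database or from querying each server, and the "PATCH NOW" rows should also be queued for the hunt the advisory asks for: review of newly created administrator accounts and recently uploaded extensions on those instances.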

Source –

New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide

North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world. In a joint advisory published by Germany’s Federal Office for the Protection of the Constitution (BfV) and South Korea’s National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a “cost-effective” manner.

“The regime is using the military technologies to modernize and improve the performance of conventional weapons and to develop new strategic weapon systems including ballistic missiles, reconnaissance satellites and submarines,” they noted.

The infamous Lazarus Group has been blamed for one of the two hacking incidents, which involved the use of social engineering to infiltrate the defense sector as part of a long-standing operation called Dream Job. The campaign has been ongoing since August 2020 over several waves.

In these attacks, the threat actors either create a fake profile or leverage legitimate-but-compromised profiles on platforms like LinkedIn to approach prospective targets and build trust with them, before offering lucrative job opportunities and shifting the conversation to a different messaging service like WhatsApp to initiate the recruitment process.

Victims are then sent coding assignments and job offer documents laden with malware that, when launched, activate the infection procedure to compromise their computers.

“Universally, the circumstance that employees usually do not talk to their colleagues or employer about job offers plays into the hands of the attacker,” the agencies said.

“The Lazarus Group changed its tools throughout the campaign and demonstrated more than once that it is capable of developing whatever is necessary to suit the situation.”

The second case concerns an intrusion into a defense research center towards the end of 2022 by executing a software supply chain attack against an unnamed company responsible for maintaining one of the research center’s web servers.

“The cyber actor further infiltrated the research facility by deploying remote-control malware through a patch management system (PMS) of the research center, and stole various account information of business portals and email contents,” the BfV and NIS said.

The breach, which was carried out by another North Korea-based threat actor, unfolded over five stages:

  • Hack into the web server maintenance company, steal SSH credentials, and gain remote access to the research center’s server
  • Download additional malicious tooling using curl commands, including a tunneling software and a Python-based downloader
  • Conduct lateral movement and plunder employee account credentials
  • Leverage the stolen security manager’s account information to unsuccessfully distribute a trojanized update that comes with capabilities to upload and download files, execute code, and to collect system information
  • Persist within the target environment by weaponizing a file upload vulnerability in the website to deploy a web shell for remote access and send spear-phishing emails

“The actor avoided carrying out a direct attack against its target, which maintained a high level of security, but rather made an initial attack against its vendor, the maintenance and repair company,” the agencies explained. “This indicates that the actor took advantage of the trustful relationship between the two entities.”

The security bulletin is the second to be published by BfV and NIS in as many years. In March 2023, the agencies warned of Kimsuky actors using rogue browser extensions to steal users’ Gmail inboxes. Kimsuky was sanctioned by the U.S. government in November 2023.

The development comes as blockchain analytics firm Chainalysis revealed that the Lazarus Group has switched to using YoMix bitcoin mixer to launder stolen proceeds following the shutdown of Sinbad late last year, indicating their ability to adapt their modus operandi in response to law enforcement actions.

“Sinbad became a preferred mixer for North Korea-affiliated hackers in 2022, soon after the sanctioning of Tornado Cash, which had previously been the go-to for these sophisticated cybercriminals,” the company said. “With Sinbad out of the picture, Bitcoin-based mixer YoMix has acted as a replacement.”

The malicious activities are the work of a plethora of North Korean hacking units operating under the broad Lazarus umbrella, which are known to engage in an array of hacking operations ranging from cyber espionage to cryptocurrency thefts, ransomware, and supply chain attacks to achieve their strategic goals.

Source –

Critical Infrastructure Software Maker Confirms Ransomware Attack

PSI Software SE, a German software developer for complex production and logistics processes, has confirmed that the cyber incident it disclosed last week is a ransomware attack that impacted its internal infrastructure.

The company operates at a global level with a staff of more than 2,000 and specializes in software solutions for major energy suppliers.

It also provides “control system solutions for operational management, network utilization, pipeline management, leak detection and location, portfolio management, energy trading and sales.”

On February 15, PSI Software announced that a cyberattack forced it to disconnect several IT systems, including email, as a measure to mitigate the risk of data loss.

In an update, the company confirmed that the disruption was caused by ransomware actors targeting its systems. The firm has yet to determine the exact intrusion vector.

“We detected unusual activity in our network during the night of February 15, 2024. As a result, all external connections and systems were successively shut down still in the night” – PSI Software

PSI says the investigation so far has not revealed any evidence that the attacker pivoted to customer systems.

Authorities have been informed of the incident and experts from the Federal Office for Information Security have been helping PSI’s incident response and remediation efforts since February 16.

Source –

Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative

Hackers, supported by Iran and Hezbollah, conducted cyber attacks aimed at undermining public support for the Israel-Hamas war post-October 2023. These attacks included targeting key Israeli organizations, hack-and-leak operations in Israel and the U.S., phishing campaigns for intelligence theft, and information operations against Israel. Iran led nearly 80% of government-backed phishing activities targeting Israel in the six months before the October 7 attacks, as reported by Google. The cyber operations in the Israel-Hamas conflict seem to be independent of kinetic actions, unlike in the Russo-Ukrainian war, offering a low-cost method for engaging with regional rivals without direct military confrontation.

Iran-affiliated groups like GREATRIFT propagated malware through fake “missing persons” sites and blood donation-themed lure documents. Hacktivist personas such as Karma and Handala Hack deployed wiper malware to stage destructive attacks against Israel. Another group, Charming Kitten, targeted media and NGOs with a PowerShell backdoor named POWERPUG. Hamas-linked groups targeted Israeli software engineers with coding assignment decoys to distribute SysJoker malware. They also used social engineering tactics to deliver remote access trojans and backdoors like MAGNIFI. Additionally, spyware targeting Android phones, such as MOAAZDROID and LOVELYDROID, was utilized by Hamas-affiliated actor DESERTVARNISH.

Iranian state-sponsored groups like MYSTICDOME targeted mobile devices in Israel with MYTHDROID and SOLODROID spyware. Google removed the apps from the Play store. Another Android malware, REDRUSE, exfiltrated data via SMS phishing messages impersonating the police. Iran’s critical infrastructure was disrupted in December 2023 by an actor known as Gonjeshke Darande, linked to the Israeli Military Intelligence Directorate.

Microsoft revealed that Iranian government-aligned actors launched cyber attacks and influence operations to support Hamas and weaken Israel and its allies. These attacks expanded beyond Israel to countries perceived as aiding Israel, with collaboration observed among Iran-affiliated groups and Hezbollah cyber units.

Lastly, the U.S. launched a cyber attack against an Iranian military ship named MV Behshad. Recorded Future’s analysis detailed how Iranian hacking personas and front groups operate through contracting firms to conduct intelligence gathering and information operations, with recent operations showing a more deliberate approach.

Source –

LockBit Ransomware Operation Shut Down; Criminals Arrested; Decryption Keys Released

The U.K. National Crime Agency (NCA) on Tuesday confirmed that it obtained LockBit’s source code as well as a wealth of intelligence pertaining to its activities and its affiliates as part of a dedicated task force called Operation Cronos.

“Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the agency said.

It also announced the arrest of two LockBit actors in Poland and Ukraine. Over 200 cryptocurrency accounts linked to the group have been frozen. Indictments and sanctions have also been unsealed in the U.S. against two other Russian nationals who are alleged to have carried out LockBit attacks.

Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) have been accused of deploying LockBit against numerous victims throughout the U.S., including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries, per the U.S. Department of Justice (DoJ).

Kondratyev has also been charged with three criminal counts arising from his use of the Sodinokibi, also known as REvil, ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

The development comes in the aftermath of an international disruption campaign targeting LockBit, which the NCA described as the “world’s most harmful cyber crime group.”

As part of the takedown efforts, the agency said it took control of LockBit’s services and infiltrated its entire criminal enterprise. This includes the administration environment used by affiliates and the public-facing leak site hosted on the dark web.

In addition, 34 servers belonging to LockBit affiliates have also been dismantled and more than 1,000 decryption keys have been retrieved from the confiscated LockBit servers.

LockBit, since its debut in late 2019, has run a ransomware-as-a-service (RaaS) scheme in which the encryptors are licensed to affiliates, who carry out the attacks in exchange for a cut of the ransom proceeds. It is run by a threat actor known as LockBitSupp.

The attacks follow a tactic called double extortion: sensitive data is stolen prior to being encrypted, and the threat actors then pressure victims to pay both to decrypt their files and to prevent the data from being published.

“The ransomware group is also infamous for experimenting with new methods for pressuring their victims into paying ransoms,” Europol said.

“Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates distributed denial-of-service (DDoS) attacks as an additional layer of pressure.”

The data theft is facilitated by means of a custom data exfiltration tool codenamed StealBit. The infrastructure, which was used to organize and transfer victim data, has since been seized by authorities from three countries, counting the U.S.

According to Eurojust and DoJ, LockBit attacks are believed to have affected over 2,500 victims all over the world and netted more than $120 million in illicit profits. A decryption tool has also been made available via No More Ransom to recover files encrypted by the ransomware at no cost.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” NCA Director General Graeme Biggar said.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate.”

Source –

Cactus Ransomware Claims to Steal 1.5TB of Schneider Electric Data

The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the company’s network last month.

25MB of allegedly stolen data was also leaked on the operation’s dark web leak site today as proof of the threat actor’s claims, together with snapshots showing several American citizens’ passports and non-disclosure agreement document scans.

The ransomware group gained access to the energy management and automation giant’s Sustainability Business division on January 17th. The gang is now extorting the company, threatening to leak all the allegedly stolen data if a ransom demand is not paid.

It is currently unknown what specific data was stolen, but Schneider Electric’s Sustainability Business division provides renewable energy and regulatory compliance consulting services to many high-profile companies worldwide, including Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart.

Given this, the data stolen from its compromised systems could include sensitive information about customers’ industrial control and automation systems and information about environmental and energy regulations compliance.

Schneider Electric is a French energy and automation manufacturing multinational that employs over 150,000 people worldwide. The company reported a $28.5 billion revenue in 2023 and previously fell victim to Clop ransomware’s MOVEit data theft attacks that impacted more than 2,700 other organizations.

Cactus ransomware is a relatively new operation that surfaced in March 2023 with double-extortion attacks. Its operators breach corporate networks using purchased credentials, partnerships with various malware distributors, phishing attacks, or exploiting security vulnerabilities.

After gaining access to a target’s network, they move laterally through the compromised network while stealing sensitive data to use as leverage in ransom negotiations.

Since its emergence, the Cactus ransomware has added over 100 companies to its data leak site. The threat actors have already leaked some data online or are threatening to do so while still negotiating a ransom.

Source –



    Copyright Smarttech247 - 2021