
Friday, December 23rd, 2022

Cybersecurity Week in Review (23/12/22)

Lastpass: Hackers stole customer vault data in cloud storage breach

LastPass have revealed that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. This follows a previous update issued last month when the company’s CEO, Karim Toubba, only said that the threat actor gained access to “certain elements” of customer information.

The attacker gained access to LastPass’ cloud storage using a cloud storage access key and dual storage container decryption keys stolen from its developer environment. The threat actor was able to copy a backup of customer vault data from the encrypted storage container. The backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

The encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password. According to Toubba, the master password is never known to LastPass: it is not stored on LastPass’ systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming for anyone who has been following the password best practices recommended by LastPass.
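The paragraph above rests on two points: the vault key is re-derived from the master password rather than stored, and the attacker's only route is offline guessing, whose cost depends on the password's entropy and the key derivation function. The following is an added illustration, not LastPass code: it models the key derivation with PBKDF2-HMAC-SHA256 and estimates guessing time. The iteration count, the per-user salt and the attacker's assumed HMAC throughput are all assumptions chosen for the illustration, not the vendor's real parameters.

```python
"""Why a stolen encrypted vault is only as strong as its master password.

Added illustration, not LastPass's code: it models a vault key derived
from the master password with PBKDF2-HMAC-SHA256 and estimates how long
offline guessing would take. KDF settings and the attacker's hash rate
are assumptions chosen for the illustration."""
import hashlib
import math

KDF_HASH = "sha256"
KDF_ITERATIONS = 100_100   # assumed iteration count for the illustration
KEY_LEN = 32               # 256-bit key, matching AES-256 vault encryption


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Recompute the vault key from the master password and a per-user salt.

    Only the salt needs to exist server-side; the key is re-derived on the
    client each time, which is what lets a service say the master password
    is never stored on its systems."""
    return hashlib.pbkdf2_hmac(KDF_HASH, master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password made of `length` symbols chosen uniformly at
    random from an alphabet of `alphabet_size` (words count as symbols)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, hmac_per_second: float,
                           iterations: int = KDF_ITERATIONS) -> float:
    """Expected offline guessing time against the stolen vault.

    Every guess costs `iterations` HMAC computations, so the attacker's
    guess rate is hmac_per_second / iterations, and on average half the
    space is searched before the right password is found."""
    guesses_per_second = hmac_per_second / iterations
    return 2 ** (entropy_bits - 1) / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = b"user@example.test"          # constructed per-user salt
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())

    ASSUMED_RATE = 1e10  # assumed attacker HMAC-SHA256 throughput per second
    for label, alphabet, length in [
        ("8 lowercase letters", 26, 8),
        ("10 mixed letters and digits", 62, 10),
        ("4 random words from a 7776-word list", 7776, 4),
        ("6 random words from a 7776-word list", 7776, 6),
    ]:
        bits = password_entropy_bits(alphabet, length)
        years = seconds_to_years(expected_crack_seconds(bits, ASSUMED_RATE))
        print(f"{label:40s} {bits:5.1f} bits  ~{years:.3g} years")
```

The table the script prints makes the "difficult and time-consuming" claim concrete: at the assumed rate an 8-letter lowercase password falls in days, while a random multi-word passphrase takes centuries, and doubling the KDF iteration count doubles the attacker's cost for every password.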

The cloud storage breach is the second security incident disclosed by the company since the start of the year after confirming in August that its developer environment was breached using a compromised developer account.

Source – https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/

Guardian shuts offices after ransomware attack

The Guardian is facing a ransom demand to unlock its IT systems after the newspaper’s workplace was shut down by a cyber attack. Employees have been told to work from home for the rest of the week following serious cyber disruption thought to have been caused by a ransomware attack.

The hack, which began late on Tuesday night, wiped out WiFi access at the media group’s headquarters in King’s Cross. Other shared computer systems were also affected. Many of the company’s internal systems are still working and journalists are able to publish stories online and access email as usual. The organisation insisted it was confident it would still be able to print its newspaper on Thursday. It is not yet clear whether a ransom demand has been made, though hackers can sometimes wait several days before issuing a demand.

Earlier this year, Rupert Murdoch’s News Corp fell victim to a cyber attack in which hackers gained access to journalists’ emails and documents. The breach, which affected UK titles The Times and The Sun as well as The Wall Street Journal and The New York Post, is believed to have been carried out by China.

Source – https://www.telegraph.co.uk/business/2022/12/21/guardian-staff-shut-office-newspaper-suffers-glitch/

Okta’s source code stolen after GitHub repositories hacked

Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month. According to a ‘confidential’ email notification sent by Okta, the security incident involves threat actors stealing their source code.

Earlier this month, GitHub alerted Okta of suspicious access to Okta’s code repositories, according to the notification. Despite stealing the source code, attackers did not gain unauthorised access to the Okta service or customer data. Okta’s “HIPAA, FedRAMP or DoD customers” remain unaffected as the company does not rely on the confidentiality of its source code as a means to secure its services. As such, no customer action is needed. The incident appears to be relevant to Okta Workforce Identity Cloud (WIC) code repositories, but not Auth0 Customer Identity Cloud product.

It’s been a difficult year for Okta with its series of security incidents and bumpy disclosures. In September this year, Okta-owned Auth0 disclosed a similar-style incident. According to the authentication service provider, older Auth0 source code repositories were obtained by a third-party individual from its environment via unknown means.

Source – https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/

Raspberry Robin Worm Strikes Again, Targeting Telecom and Government Systems

Raspberry Robin, attributed to an activity cluster tracked by Microsoft as DEV-0856, is being increasingly leveraged by multiple threat actors as an initial access mechanism to deliver payloads such as LockBit and Clop ransomware. The Raspberry Robin worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since at least September 2022.

The malware is known for relying on infected USB drives as a distribution vector to download a rogue MSI installer file that deploys the main payload responsible for facilitating post-exploitation. Further analysis of Raspberry Robin reveals the use of heavy obfuscation to prevent analysis, with the malware composed of two payloads embedded in a payload loader packed six times. The payload loader, for its part, is orchestrated to load the decoy payload, an adware dubbed BrowserAssistant, to throw off detection efforts.

Should no sandboxing or analysis be observed, the legitimate payload is installed and proceeds to connect to a hard-coded .onion address using a custom Tor client embedded within it to await further commands. The Tor client process masquerades as legitimate Windows processes like dllhost.exe, regsvr32.exe, and rundll32.exe, once again underscoring the considerable efforts made by the threat actor to fly under the radar. The malware’s real routine is run in Session 0, a specialised Windows session reserved for services and other non-interactive applications to mitigate security risks such as shatter attacks.

The intrusions appear to be a reconnaissance operation, as no data is returned from the Tor domain, suggesting that the group behind the malware is testing the waters to see how far its deployments can spread.

Source – https://thehackernews.com/2022/12/raspberry-robin-worm-strikes-again.html

Russian Hackers Targeted Petroleum Refinery in NATO Country During Ukraine War

The Russia-linked Gamaredon group unsuccessfully attempted to break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war. The attack, which took place on August 30, 2022, is just one of multiple intrusions orchestrated by the advanced persistent threat (APT) that’s attributed to Russia’s Federal Security Service (FSB).

Gamaredon, also known by the monikers Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, has a history of primarily going after Ukrainian entities and, to a lesser extent, NATO allies to harvest sensitive data.

Monitoring of the group’s activities has uncovered more than 500 new domains, 200 malware samples, and multiple shifts in its tactics over the past 10 months in response to ever-changing and expanding priorities. Beyond cyberattacks, security researchers who highlighted the crew’s undertakings in the days prior to the military invasion in February 2022 have been at the receiving end of threatening tweets from a purported Gamaredon associate, underscoring the intimidation techniques adopted by the adversary. Other noteworthy methods include the use of Telegram pages to look up command-and-control (C2) servers and fast flux DNS to rotate through many IP addresses in a short span of time to make IP-based denylisting and takedown efforts harder.
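The fast flux technique mentioned above defeats IP-based denylisting by rotating a hostname through many unrelated addresses with short TTLs. The reverse side of that is that fast flux leaves a distinctive footprint in DNS telemetry, which is what defenders look for. The code below is an added example, not from the article or from any vendor report: it runs a simple fast-flux heuristic over constructed passive-DNS style records. The record format, the thresholds and the use of /24 prefixes as a cheap stand-in for "unrelated networks" are all assumptions for the illustration.

```python
"""Heuristic fast-flux detection over passive-DNS style observations.

Added illustration with constructed records, not code from the article:
fast flux shows up as one name resolving to many unrelated IPs with low
TTLs in a short period. Thresholds below are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations: (ISO timestamp, queried name, answer IP, TTL s).
# "update-srv.test" is the flux-like name; the other two are benign
# look-alikes (a small CDN pool and a single static host).
OBSERVATIONS = [
    ("2022-12-20T10:00:00", "update-srv.test", "203.0.113.10", 120),
    ("2022-12-20T10:02:00", "update-srv.test", "198.51.100.23", 120),
    ("2022-12-20T10:04:00", "update-srv.test", "192.0.2.77", 90),
    ("2022-12-20T10:06:00", "update-srv.test", "203.0.113.11", 120),
    ("2022-12-20T10:08:00", "update-srv.test", "198.51.100.200", 60),
    ("2022-12-20T10:10:00", "update-srv.test", "192.0.2.5", 60),
    ("2022-12-20T10:00:00", "cdn.example.test", "192.0.2.100", 60),
    ("2022-12-20T10:05:00", "cdn.example.test", "192.0.2.101", 60),
    ("2022-12-20T10:10:00", "cdn.example.test", "192.0.2.102", 60),
    ("2022-12-20T10:00:00", "www.example.test", "198.51.100.1", 3600),
    ("2022-12-20T11:30:00", "www.example.test", "198.51.100.1", 3600),
]


def group_by_domain(observations):
    """Parse timestamps and bucket records per queried name."""
    by_domain = defaultdict(list)
    for ts, name, ip, ttl in observations:
        by_domain[name].append((datetime.fromisoformat(ts), ip, ttl))
    return by_domain


def flux_window_stats(records, window):
    """Find the window of length `window` in which this name showed the
    most distinct answers; return the IPs, /24 prefixes and max TTL seen."""
    records = sorted(records)
    best = {"ips": set(), "prefixes": set(), "max_ttl": 0}
    for i, (t0, _, _) in enumerate(records):
        ips, prefixes, max_ttl = set(), set(), 0
        for t, ip, ttl in records[i:]:
            if t - t0 > window:
                break
            ips.add(ip)
            prefixes.add(ipaddress.ip_network(f"{ip}/24", strict=False))
            max_ttl = max(max_ttl, ttl)
        if len(ips) > len(best["ips"]):
            best = {"ips": ips, "prefixes": prefixes, "max_ttl": max_ttl}
    return best


def detect_fast_flux(observations, min_ips=5, min_prefixes=3, max_ttl=300,
                     window=timedelta(hours=1)):
    """Flag names that resolved to at least `min_ips` distinct addresses
    spread over at least `min_prefixes` /24s, all with TTL <= `max_ttl`,
    inside one `window`. Returns {name: summary} for flagged names."""
    flagged = {}
    for name, records in group_by_domain(observations).items():
        s = flux_window_stats(records, window)
        if (len(s["ips"]) >= min_ips and len(s["prefixes"]) >= min_prefixes
                and s["max_ttl"] <= max_ttl):
            flagged[name] = {"distinct_ips": len(s["ips"]),
                             "distinct_24s": len(s["prefixes"]),
                             "max_ttl": s["max_ttl"]}
    return flagged


if __name__ == "__main__":
    for name, summary in detect_fast_flux(OBSERVATIONS).items():
        print(f"possible fast flux: {name} -> {summary}")
```

Large CDNs also answer with many low-TTL addresses, so in practice the prefix or ASN diversity check and an allowlist of known CDN names are what keep this heuristic from drowning in false positives; the constructed `cdn.example.test` records show the prefix check doing that work.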

The attacks themselves entail the delivery of weaponised attachments embedded within spear-phishing emails to deploy a VBScript backdoor on the compromised host that’s capable of establishing persistence and executing additional VBScript code supplied by the C2 server. Gamaredon infection chains have also been observed leveraging geoblocking to limit the attacks to specific locations along with utilising dropper executables to launch next-stage VBScript payloads, which subsequently connect to the C2 server to execute further commands. The geoblocking mechanism functions as a security blindspot as it reduces the visibility of the threat actor’s attacks outside of the targeted countries and makes its activities more difficult to track.

Source – https://thehackernews.com/2022/12/russian-hackers-target-major-petroleum.html

New DDoS Botnet Malware Infecting Windows, Linux, and IoT Devices

A cross-platform botnet, ‘MCCrash’, that starts out from malicious software downloads on Windows devices and spreads to a range of Linux-based devices was recently identified. Microsoft is tracking the activity cluster behind it under the name DEV-1028; the botnet affects Windows, Linux, and IoT devices.

The botnet spreads by obtaining the default credentials on Secure Shell (SSH)-capable devices that are open to the internet. IoT devices in particular may be vulnerable to this kind of botnet, as they frequently have remote configuration enabled with potentially unsafe settings. The DEV-1028 botnet is known to launch distributed denial of service (DDoS) attacks against private ‘Minecraft servers’. Once it infects a device it can self-spread to other systems on the network by brute-forcing SSH credentials.

The botnet’s first entry points were devices that had been compromised by the installation of malicious cracking tools that claimed to be able to get illegal Windows licenses. The cracking tools contain malicious PowerShell code that downloads a file named ‘svchosts.exe,’ which launches ‘malicious.py,’ the primary botnet payload. After that, MCCrash tries to propagate to more networked devices by attacking Linux and IoT devices with brute-force SSH attacks.

Linux and Windows environments can both run the malicious Python script. Upon initial launch, it creates a TCP communication channel over port 4676 with the C2 and sends basic host information, such as the system it is running on. On Windows, MCCrash establishes persistence by adding a Registry value to the “Software\Microsoft\Windows\CurrentVersion\Run” key, with the executable as its value.

Microsoft researchers recommend keeping your IoT devices’ firmware up to date, changing the default password to a stronger (lengthy) one, and turning off SSH when not in use to protect devices from botnets.
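The SSH credential brute forcing described above is visible in ordinary sshd logs long before a DDoS payload runs, and the event a responder most needs to see is a burst of failures from one source followed by a successful login from the same source. As an added example (not code from the article or from Microsoft), the script below parses standard OpenSSH syslog-style lines, flags a source once it passes a failure threshold inside a time window, and records whether it then got in. The log lines are constructed, and the threshold and window values are assumptions.

```python
"""Detect SSH password brute forcing in sshd logs and note whether it
succeeded. Added illustration with constructed log lines; thresholds and
the log format (standard OpenSSH syslog lines) are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real incident). The first source
# guesses default-style accounts and eventually gets in; the second is a
# user who mistypes once and then logs in with a key.
SAMPLE_LOG = """\
Dec 21 03:14:01 iot-gw sshd[1022]: Failed password for root from 203.0.113.7 port 50211 ssh2
Dec 21 03:14:02 iot-gw sshd[1023]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Dec 21 03:14:03 iot-gw sshd[1024]: Failed password for invalid user pi from 203.0.113.7 port 50213 ssh2
Dec 21 03:14:04 iot-gw sshd[1025]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Dec 21 03:14:05 iot-gw sshd[1026]: Failed password for root from 203.0.113.7 port 50215 ssh2
Dec 21 03:14:06 iot-gw sshd[1027]: Accepted password for admin from 203.0.113.7 port 50216 ssh2
Dec 21 03:20:00 iot-gw sshd[1100]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Dec 21 03:25:00 iot-gw sshd[1101]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2022):
    """Turn one sshd syslog line into an event dict, or None if it is not an
    authentication result. Syslog lines carry no year, so it is passed in."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP once it has `threshold` failed logins inside
    `window`, and record if a later login from it inside the window
    succeeded (the case that needs an immediate response)."""
    failures = defaultdict(list)   # ip -> recent failure timestamps
    users = defaultdict(set)       # ip -> usernames tried
    alerts = {}                    # ip -> alert dict, in first-seen order
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            users[ip].add(ev["user"])
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window
                recent.pop(0)
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_failure": recent[0],
                              "failures": len(recent), "users": users[ip],
                              "success_user": None}
        elif ip in alerts and ts - alerts[ip]["first_failure"] <= window:
            # An accepted login from an already-flagged source: escalate.
            alerts[ip]["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_LOG.splitlines()):
        state = (f"SUCCEEDED as {a['success_user']}" if a["success_user"]
                 else "no success seen")
        print(f"{a['ip']}: {a['failures']} failures, "
              f"users {sorted(a['users'])}, {state}")
```

Feed it `journalctl -u ssh` or `/var/log/auth.log` output on a real host; the usernames list is useful on its own, since a run of `root`, `admin` and `pi` guesses against an IoT gateway is exactly the default-credential pattern the article describes.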

Source – https://cybersecuritynews.com/ddos-botnet-malware-infecting-windows/

Beware of Highly Sophisticated DarkTortilla Malware Distributed Via Phishing Sites

Threat actors have been observed distributing DarkTortilla, a complex .NET-based malware that has been operating since 2015. Numerous stealers and Remote Access Trojans (RATs), including AgentTesla, AsyncRAT, and NanoCore, are known to be dropped by the malware.

Two phishing sites have been identified masquerading as legitimate Grammarly and Cisco sites. Links to the phishing sites could reach users via spam email, online ads, and similar channels. After execution, the .NET executable downloads an encrypted file from the remote server, decrypts it using RC4 logic, and executes it in memory. The malware then loads into memory a DLL file, which acts as the final payload and carries out additional malicious operations on the system. The malware modifies the target path of the victim’s .LNK files to maintain persistence.

When the malware is executed, it runs a number of MOV instructions that copy the encrypted content onto the stack for use in additional malicious operations; this method is employed to evade anti-virus detection. The malware executes a decryption loop on the encrypted content to obtain the Portable Executable (PE) file, creates a new registry key, and copies the decrypted PE file into it as a binary value. The malware also uses PowerShell to create a Task Scheduler entry as a persistence mechanism. Further, the malware carries out an anti-virtual-machine check to determine whether the file is running in a managed environment such as VMware or VirtualBox.

Source – https://gbhackers.com/highly-sophisticated-darktortilla-malware/

Play ransomware claims attack on German hotel chain H-Hotels

The Play ransomware gang has claimed responsibility for a cyber-attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company. H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms. The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under ‘H-Hotels’ and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.

H-Hotels disclosed the cyberattack last week and stated that the security incident occurred on Sunday, December 11th, 2022. After the cyber attack was found, the IT systems were immediately shut down and disconnected from the Internet in order to ward off further spread. Although the attack did not impact guests’ bookings, hotel staff still can’t receive or answer customer requests sent via email, so it is recommended to contact H-Hotels by phone if necessary.

Play ransomware has claimed the attack on H-Hotels and listed the company on its Tor site today, claiming to have stolen an undisclosed amount of data during the cyberattack. The ransomware gang claims to have stolen private and personal data, including client documents, passports, IDs, and more. However, the threat actors have not released any samples to support these claims. H-Hotels denied seeing any evidence of data exfiltration in last week’s announcement, and there has been no update on the matter since then.

Source – https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-german-hotel-chain-h-hotels/

Restaurant CRM platform ‘SevenRooms’ confirms breach after data for sale

Restaurant customer management platform SevenRooms has confirmed it suffered a data breach after a threat actor began selling stolen data on a hacking forum. SevenRooms is a restaurant customer relationship management (CRM) platform used by international restaurant chains and hospitality service providers, such as MGM Resorts, Bloomin’ Brands, Mandarin Oriental, Wolfgang Puck, and many more.

On December 15, a threat actor posted data samples on the Breached hacking forum, claiming to have stolen a 427 GB backup database with thousands of files containing information about SevenRooms customers. The samples provided by the seller include folders named after big restaurant chains, clients of SevenRooms, API keys, promo codes, payment reports, reservation lists, and more.

The company clarified that guests’ credit card information, bank account data, social security numbers, or any other similarly highly sensitive information was not stored on compromised servers, so it was not exposed in the attack. SevenRooms also claims that there has been no direct breach of its systems, which remain secure against unauthorised external access.

Source – https://www.bleepingcomputer.com/news/security/restaurant-crm-platform-sevenrooms-confirms-breach-after-data-for-sale/

Australian Telecom Giant TPG Discloses Email Hack

Australian telecom and internet service provider TPG Telecom disclosed a data breach detected by an outside cybersecurity forensics team conducting a historical review. The Microsoft Exchange email accounts of as many as 15,000 customers at subsidiaries iiNet and Westnet may be affected by the breach, TPG disclosed in a Wednesday filing to the Australian Securities Exchange.

It appears, TPG wrote, that hackers searched inboxes for data on cryptocurrency and other financial information they could steal. Consumer products were not affected, the company said. TPG encompasses a slew of brands including mobile carrier and ISP brands such as Vodafone, AAPT, Internode, Lebara and Felix.

The breach adds to a growing list of cyberattacks on Australia’s telecommunication industry. Only days ago, Telstra published names, numbers and addresses of over 130,000 customers whose details were supposed to be unlisted.

Source – https://www.databreachtoday.com/australian-telecom-giant-tpg-discloses-email-hack-a-20717

Copyright Smarttech247 - 2021