Thursday, August 24th, 2023
Cybersecurity Week in Review (24/08/2023)
Hosting Firm Says it Lost All Customer Data After Ransomware Attack
Danish hosting firms CloudNordic and AzeroCloud have suffered ransomware attacks, causing the loss of the majority of customer data and forcing the hosting providers to shut down all systems, including websites, email, and customer sites.
The two brands belong to the same company and stated that the attack unfolded last Friday night. However, today’s operational status remains highly problematic, with the firm’s IT teams only managing to restore some servers without any data.
Moreover, the firm’s statement clarifies that it won’t be paying the threat actors a ransom and has already engaged with security experts and reported the incident to the police. Unfortunately, the system and data restoration process isn’t going smoothly, and CloudNordic says many of its customers have lost data that appears to be irrecoverable.
“Since we neither can nor wish to meet the financial demands of the criminal hackers for a ransom, CloudNordic’s IT team and external experts have been working intensively to assess the damage and determine what could be recovered,” reads CloudNordic’s statement.
“Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us.”
Both public notices include instructions on recovering websites and services from local backups or Wayback Machine archives.
Given the situation, the two hosting service providers previously recommended that heavily impacted customers move to other providers, such as Powernet and Nordicway.
The hosting company’s statements revealed that some of the firm’s servers had been infected by ransomware despite being protected by firewalls and antivirus. During a data centre migration, those servers were connected to the broader network, allowing the attackers to access critical administrative systems, all data storage silos, and all backup systems.
Next, the attackers encrypted all server disks, including primary and secondary backups, corrupting everything without leaving a recovery opportunity.
CloudNordic says that the attack was limited to encrypting data, and the collected evidence does not indicate that any data on the machines was accessed or exfiltrated. In other words, there is currently no evidence of a data breach.
Danish media reports that the attacks have impacted “several hundred Danish companies” who lost everything they stored in the cloud, including websites, email inboxes, documents, etc.
Martin Haslund Johansson, the director of Azerocloud and CloudNordic, stated that he does not expect to retain many customers once the recovery is finally completed.
Targeting hosting providers is a tactic used by ransomware gangs in the past as it causes large-scale damage and creates many victims in a single attack. Due to the number of victims, providers will be under a lot of pressure to pay a ransom to restore their operations and potentially avoid lawsuits from customers who lost their data.
In 2017, a similar attack led a South Korean hosting provider to pay a $1 million ransomware demand to recover its customers’ data. More recently, Rackspace suffered a Play ransomware attack on its hosted Microsoft Exchange services that led to email outages for many of its customers.
Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks
A malicious toolset dubbed Spacecolon is being deployed as part of an ongoing campaign to spread variants of the Scarab ransomware across victim organizations globally. Its operators gain entry to victim organizations by compromising vulnerable web servers or by brute-forcing RDP credentials.
The origins of the threat actor, dubbed CosmicBeetle, date back to May 2020. The highest concentration of victims has been detected in France, Mexico, Poland, Slovakia, Spain, and Turkey.
While the exact provenance of the adversary is unclear, several Spacecolon variants are said to contain Turkish strings, likely pointing to the involvement of a Turkish-speaking developer. There is no evidence currently linking it to any other known threat actor group.
Some of the targets include a hospital and a tourist resort in Thailand, an insurance company in Israel, a local governmental institution in Poland, an entertainment provider in Brazil, an environmental company in Turkey, and a school in Mexico.
It’s worth noting that Spacecolon was first documented in early February 2023, likely prompting the adversary to tweak its arsenal in response to public disclosures.
The primary component of Spacecolon is ScHackTool, a Delphi-based orchestrator that’s used to deploy an installer, which, as the name implies, installs ScService, a backdoor with features to execute custom commands, download and execute payloads, and retrieve system information from compromised machines.
ScHackTool also functions as a conduit to set up a wide array of third-party tools fetched from a remote server (193.149.185[.]23). The ultimate goal of the attacks is to leverage the access afforded by ScService to deliver a variant of the Scarab ransomware.
An alternate version of the infection chain entails the use of Impacket to deploy ScService as opposed to using ScHackTool, indicating that the threat actors are experimenting with different methods.
CosmicBeetle’s financial motives are further bolstered by the fact that the ransomware payload also drops a clipper malware to keep tabs on the system clipboard and modify cryptocurrency wallet addresses to those under the attacker’s control.
Furthermore, there is evidence that the adversary is actively developing a new ransomware strain dubbed ScRansom, which attempts to encrypt all hard, removable, and remote drives using the AES-128 algorithm with a key generated from a hard-coded string.
Akira Ransomware Targets Cisco VPNs to Breach Organizations
There’s mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.
Cisco VPN solutions are widely adopted across many industries to provide secure, encrypted data transmission between users and corporate networks, typically used by remotely working employees. Reportedly, Akira has been using compromised Cisco VPN accounts to breach corporate networks without needing to drop additional backdoors or set up persistence mechanisms that could give them away.
Akira’s abuse of VPN accounts was first noted in May when researchers stated that the ransomware gang breached a network using “VPN access using Single Factor authentication.”
However, an incident responder, known as ‘Aura,’ shared further information on Twitter on how they responded to multiple Akira incidents that were conducted using Cisco VPN accounts that weren’t protected by multi-factor authentication.
Aura stated that due to the lack of logging in Cisco ASA, it remained unclear if Akira brute-forced the VPN account credentials or if they bought them on dark web markets.
Researchers found evidence of Akira using Cisco VPN gateways in leaked data posted on the group’s extortion page and observed Cisco VPN-related traits in at least eight cases, indicating this is part of an ongoing attack strategy by the ransomware gang. Additionally, analysts observed Akira using the RustDesk open-source remote access tool to navigate compromised networks, making them the first ransomware group known to abuse the software.
Because RustDesk is a legitimate tool, its presence is unlikely to raise any alarms, so it can offer stealthy remote access to breached computers.
Other benefits that arise from using RustDesk include:
- Cross-platform operation on Windows, macOS, and Linux, covering Akira’s full targeting range.
- P2P connections are encrypted and hence less likely to be flagged by network traffic monitoring tools.
- Supports file transfer which can facilitate data exfiltration, streamlining Akira’s toolkit.
Other TTPs observed in Akira’s latest attacks include SQL database access and manipulation, disabling firewalls and enabling RDP, disabling LSA Protection, and disabling Windows Defender.
These not-so-subtle changes are performed after the attackers establish their presence in the environment and are ready to proceed to the final phases of their attack. In late June 2023, Avast released a free decryptor for Akira ransomware. However, the threat actors have patched their encryptors since then, and Avast’s tool will only help victims of older versions.
Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software
Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes.
Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior, due to what the company called an insufficiently restrictive Apache HTTPD configuration.
“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS),” the company said.
“While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet.”
Successful exploitation of the bug could allow an attacker to change configuration, run system commands, or write files onto the system. It’s recommended that users restrict access to MICS to internal management networks.
While exact details surrounding the nature of exploitation are currently unknown, the company said it’s “only aware of a limited number of customers” who have been affected.
What’s more, CVE-2023-38035 could be weaponized after exploiting CVE-2023-35078 and CVE-2023-35081, two other recently disclosed flaws in the Ivanti Endpoint Manager Mobile (EPMM), in scenarios where port 8443 is not publicly accessible as the admin portal is used to communicate with the Ivanti EPMM server.
The development comes a week after Ivanti fixed two critical stack-based buffer overflow flaws (CVE-2023-32560) in its Avalanche software that could lead to crashes and arbitrary code execution on vulnerable installations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added CVE-2023-38035 to its Known Exploited Vulnerabilities (KEV) catalogue, alongside CVE-2023-27532, a critical bug in Veeam Backup & Replication software, following active in-the-wild exploitation.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the patches by September 12, 2023, to secure their networks against possible cyber-attacks.
Scraped Data of 2.6 million Duolingo Users Released on Hacking Forum
The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide.
In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500. This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service.
While the real name and login name are publicly available as part of a user’s Duolingo profile, the email addresses are more concerning as they allow this public data to be used in attacks. When the data was for sale, DuoLingo confirmed that it was scraped from public profile information and that they were investigating whether further precautions should be taken.
However, Duolingo did not address the fact that email addresses were also listed in the data, which is not public information. The scraped 2.6 million user dataset was released yesterday on a new version of the Breached hacking forum for 8 site credits, worth only $2.13.
“Today I have uploaded the Duolingo Scrape for you to download, thanks for reading and enjoy!,” reads a post on the hacking forum.
This data was scraped using an exposed application programming interface (API) that has been shared openly since at least March 2023, with researchers tweeting and publicly documenting how to use the API.
The API allows anyone to submit a username and retrieve JSON output containing the user’s public profile information. However, it is also possible to feed an email address into the API and confirm if it is associated with a valid DuoLingo account.
This API allowed the scraper to feed millions of email addresses, likely exposed in previous data breaches, into the API and confirm if they belonged to DuoLingo accounts. These email addresses were then used to create the dataset containing public and non-public information.
Another threat actor shared their own API scrape, pointing out that threat actors wishing to use the data in phishing attacks should pay attention to specific fields that indicate a DuoLingo user has more permissions than a regular user and is thus a more valuable target.
Companies tend to dismiss scraped data as not an issue as most of the data is already public, even if it is not necessarily easy to compile. However, when public data is mixed with private data, such as phone numbers and email addresses, it tends to make the exposed information more risky and potentially violate data protection laws.
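The enumeration pattern described above, as an added illustration that is not Duolingo’s code: a hypothetical profile endpoint that accepts an email address and answers differently for known and unknown accounts is an existence oracle, while the hardened variant refuses email input, returns only public fields, and rate-limits bulk probing. All names and sample users are constructed.

```python
"""Constructed illustration of an account-enumeration oracle in a public
profile API and a hardened variant. Hypothetical names and sample data;
not the code of any real service."""
import time
from collections import defaultdict

# Constructed in-memory user store (sample data, not real accounts).
USERS = {
    "alice": {"username": "alice", "name": "Alice Example",
              "email": "alice@example.com", "streak": 42},
    "bob": {"username": "bob", "name": "Bob Example",
            "email": "bob@example.com", "streak": 7},
}
# Fields that are genuinely public on a profile page.
PUBLIC_FIELDS = ("username", "name", "streak")


def _find_by_email(email):
    """Case-insensitive email match over the sample store."""
    email = email.strip().lower()
    return next((u for u in USERS.values() if u["email"] == email), None)


def lookup_vulnerable(query):
    """Vulnerable shape: accepts a username OR an email and answers
    differently depending on whether an account exists, so a list of
    addresses from older breaches can be checked one by one. It also
    returns the email field, which is not public profile data."""
    user = USERS.get(query) or _find_by_email(query)
    if user is None:
        return 404, {"error": "user not found"}
    return 200, dict(user)


class ProfileApi:
    """Hardened shape: username lookups return only public fields, email
    input is rejected with a response that does not depend on whether
    the address exists, and per-client rate limiting caps bulk probing."""

    def __init__(self, max_requests=5, window_seconds=60.0,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock  # injectable for deterministic tests
        self._hits = defaultdict(list)

    def _rate_limited(self, client_ip):
        """Sliding-window counter: True once the client exceeds the cap."""
        now = self.clock()
        hits = [t for t in self._hits[client_ip] if now - t < self.window]
        hits.append(now)
        self._hits[client_ip] = hits
        return len(hits) > self.max_requests

    def lookup(self, client_ip, query):
        if self._rate_limited(client_ip):
            return 429, {"error": "too many requests"}
        # An email is never a valid key for the public endpoint; the reply
        # is identical for known and unknown addresses, so there is no
        # signal to harvest.
        if "@" in query:
            return 400, {"error": "invalid username"}
        user = USERS.get(query)
        if user is None:
            return 404, {"error": "user not found"}
        return 200, {k: user[k] for k in PUBLIC_FIELDS}
```

In a real deployment the rate limiter would be backed by a shared store rather than process memory, and the same uniform-response rule should apply to registration and password-reset flows, which are the other usual existence oracles.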
Carderbee Hacking Group Hits Hong Kong Orgs in Supply Chain Attack
A previously unidentified APT hacking group named ‘Carderbee’ was observed attacking organizations in Hong Kong and other regions in Asia, using legitimate software to infect targets’ computers with the PlugX malware.
The legitimate software used in the supply chain attack is Cobra DocGuard, created by Chinese developer ‘EsafeNet’ and used in security applications for data encryption/decryption. The fact that Carderbee uses PlugX, a malware family widely shared among Chinese state-backed threat groups, indicates that this novel group is likely linked to the Chinese threat ecosystem.
Researchers spotted the first signs of Carderbee activity in April 2023. However, a report from September 2022 highlights a malicious update in Cobra DocGuard being used as the initial compromise point, so the threat actor’s activity might date back to September 2021.
Cobra DocGuard software was installed on 2,000 computers, but malicious activity was only observed on 100 of them, indicating that the threat actors only further compromised high-value targets. For those targeted devices, Carderbee used the DocGuard software updater to deploy a range of malware strains, including PlugX. However, it remains unclear how the threat actors were able to conduct the supply chain attack using the legitimate updater.
The updates arrive in the form of a ZIP file fetched from “cdn.streamamazon[.]com/update.zip,” which is decompressed to execute “content.dll,” which acts as a malware downloader. Interestingly, the downloader for PlugX malware is digitally signed using a certificate from Microsoft, specifically Microsoft Windows Hardware Compatibility Publisher, making detecting the malware more challenging.
Microsoft disclosed in December 2022 that hackers abused Microsoft hardware developer accounts to sign malicious Windows drivers and post-compromise rootkits. The malicious DLL pushed by Carderbee also contains x64 and x86 drivers, used to create the Windows services and registry entries required for persistence.
Eventually, PlugX is injected into the legitimate ‘svchost.exe’ (Service Host) Windows system process to evade AV detection.
The PlugX sample seen by Symantec in these attacks features the following capabilities:
- Command execution via CMD
- File enumeration
- Checking running processes
- File downloading
- Firewall ports opening
Carderbee’s exact targeting scope remains murky. While links to the ‘Budworm’ group are likely based on the collected evidence, the extent of their relationship remains unclear. The use of a supply chain attack and signed malware makes this new threat very stealthy, and the selective deployment of malware indicates high-level preparation and reconnaissance.
US Gov Warns of Foreign Intelligence Cyberattacks Against US Space Industry
The Air Force Office of Special Investigations (AFOSI), the Federal Bureau of Investigation (FBI), and the National Counterintelligence and Security Center (NCSC) have issued an alert about the increased targeting of the US space industry by foreign intelligence entities (FIEs).
According to the advisory (PDF), the US is the main driver behind the projected growth of the global space economy, making the US space industry an attractive target for FIEs.
“[FIEs] see US space-related innovation and assets as potential threats as well as valuable opportunities to acquire vital technologies and expertise,” the three US government agencies say.
To gain access to the US space industry, these entities use tactics ranging from cyberattacks and supply chain compromise to strategic investments, the FBI, NCSC, and AFOSI say.
This targeting and exploitation of the US space industry, the agencies say, has an impact not only on national security, but also on economic security and on the global competition in the sector.
Threat actors, the agencies say, may leak intellectual property and steal innovations, collect information on and disrupt US satellite communications and related capabilities, impact the US’s ability to provide critical services, and find and exploit vulnerabilities in US commercial space infrastructure.
The targeting may negatively affect the revenue of the US commercial space sector and global market, may lead to exploitation of critical resources, and impact international laws, norms, and regulations to disadvantage space firms.
Signs of potential targeting by FIEs include unusual cyber activity aimed at US space companies, requests to visit from unknown parties, specific questions about proprietary information, unsolicited offers for joint ventures, acquisition and investment efforts, and attempts to recruit an organization’s employees.
US space organizations are advised to log abnormal incidents, establish an insider threat program, invest in improving the enterprise-wide security posture, secure their most valuable assets, audit suppliers and their security practices, conduct due diligence on investors, and build resilience and redundancy into their operations.
Organizations that believe they are at risk or might have been targeted are encouraged to contact law enforcement.
HiatusRAT Malware Resurfaces: Taiwan Firms and US Military Under Attack
The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs). The identity and the origin of the threat actors are presently unknown.
Targets included commercial firms, such as semiconductor and chemical manufacturers, and at least one municipal government organization in Taiwan as well as a U.S. Department of Defense (DoD) server associated with submitting and retrieving proposals for defense contracts.
HiatusRAT was first disclosed in March 2023 as having targeted business-grade routers to covertly spy on victims primarily located in Latin America and Europe as part of a campaign that commenced in July 2022.
As many as 100 edge networking devices globally were infected to passively collect traffic and transform them into a proxy network of command-and-control (C2) infrastructure.
The latest set of attacks, observed from mid-June through August 2023, entail the use of pre-built HiatusRAT binaries specifically designed for Arm, Intel 80386, and x86-64 architectures, alongside MIPS, MIPS64, and i386.
A telemetry analysis to determine connections made to the server hosting the malware has revealed that over 91% of the inbound connections stemmed from Taiwan, and there appeared to be a preference for Ruckus-manufactured edge devices.
The HiatusRAT infrastructure consists of payload and reconnaissance servers, which directly communicate with the victim networks. These servers are commandeered by Tier 1 servers, which, in turn, are operated and managed by Tier 2 servers.
The attackers have been identified as using two different IP addresses, 207.246.80[.]240 and 45.63.70[.]57, to connect to the DoD server on June 13 for a period of approximately two hours. An estimated 11 MB of bi-directional data was transferred during that period.
It’s not clear what the end goal is, but it’s suspected that the adversary may have been looking for publicly available information related to current and future military contracts for future targeting.
The targeting of perimeter assets such as routers has become something of a pattern in recent months, with China-affiliated threat actors linked to the exploitation of security flaws in unpatched Fortinet and SonicWall appliances to establish long-term persistence within target environments.
Suspected N. Korean Hackers Target S. Korea-US Drills
Suspected North Korean hackers have attempted an attack targeting a major joint military exercise between Seoul and Washington that starts on Monday, South Korean police said.
South Korea and the United States will kick off the annual Ulchi Freedom Shield drills on Monday through August 31 to counter growing threats from the nuclear-armed North.
Pyongyang views such exercises as rehearsals for an invasion and has repeatedly warned it would take “overwhelming” action in response.
The hackers — believed to be linked to a North Korean group dubbed Kimsuky — carried out “continuous malicious email attacks” on South Korean contractors working at the allies’ combined exercise war simulation centre, the Gyeonggi Nambu Provincial Police Agency said in a statement on Sunday.
“Police investigation confirms that North Korean hacking group was responsible for the attack,” it said in a statement, adding that military-related information was not stolen.
A joint investigation by the police and the US military found that the IP address used in the latest attack matched one identified in a 2014 hack against South Korea’s nuclear reactor operator blamed on the group, according to the statement.
The Kimsuky hackers use “spearphishing” tactics — sending malicious attachments embedded in emails — to exfiltrate desired information from victims. According to findings by the US Cybersecurity and Infrastructure Security Agency in 2020, Kimsuky is “most likely tasked by the North Korean regime with a global intelligence gathering mission.”
The group — believed to be active since 2012 — targets individuals and organizations in South Korea, Japan, and the United States, focusing on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions, it added.
Tesla Insider Breach Exposes Thousands of Employees
Two former employees of Elon Musk’s Tesla managed to get their hands on the personal details of over 75,000 individuals. The incident appears to be connected to a recent Tesla exposé by the German newspaper Handelsblatt.
Tesla, the electric car maker owned by billionaire Musk, sent out breach notification letters to the people affected. According to Tesla’s letter to the Maine Attorney General, 75,735 individuals were exposed in the breach, which the company described as “insider wrongdoing.”
Tesla claims that in May 2023, the German business newspaper Handelsblatt informed the company that it had obtained its confidential data. The letter states that the media outlet did not intend to publish personal information.
“The investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet,” reads Tesla’s breach notification letter.
The company’s breach notification letter says that the breach exposed current and former employee details, such as names, addresses, phone numbers, and email addresses. Information Tesla submitted to the Maine Attorney General also indicates that Social Security numbers may have been leaked.
Musk’s car maker said it would provide affected individuals with complimentary identity theft protection services.
In May 2023, a whistleblower reportedly leaked 100 GB of data to Handelsblatt, containing thousands of customer complaints about Tesla’s Full Self Driving (FSD) features.
Following the leak, Handelsblatt published a series of stories detailing Tesla’s inner workings: from the FSD issue to the company instructing employees to avoid leaving a written record of complaints.
Tesla’s breach notification letter doesn’t indicate that the two leaks were linked, but both happening in May and concerning the same German-language magazine point to the cases being related.
“Among other things, we identified and filed lawsuits against the two former employees. These lawsuits resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information. Tesla also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties,” Tesla’s breach notification letter reads.
Musk’s company has a reputation for taking questionable measures against whistleblowers. For example, in 2019, Bloomberg reported Tesla going the extra mile to belittle a former employee, with Musk personally overseeing the investigation into the whistleblower.