Thursday, July 27th, 2023
Cybersecurity Week in Review (28/07/2023)
8 Million People Hit by Data Breach at US Govt Contractor Maximus
U.S. government services contractor Maximus has disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks.
Maximus is a contractor that manages and administers US government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company employs 34,300 people and has an annual revenue of about $4.25 billion, with a presence in the U.S., Canada, Australia, and the United Kingdom.
In an 8-K form filed with the Securities and Exchange Commission (SEC), Maximus disclosed that the data was stolen through a zero-day flaw in the MOVEit Transfer file transfer application (CVE-2023-34362). The Clop ransomware gang widely exploited this flaw to breach hundreds of high-profile companies worldwide.
After investigating the breach, Maximus found no indication that the hackers progressed further than the MOVEit environment, which was immediately isolated from the rest of the corporate network.
However, this limited access was enough to compromise a large number of individuals to whom the firm is now sending data breach notifications.
“Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident,” reads the SEC 8-K filing.
“Maximus currently plans to record an expense of approximately $15 million for the quarter ended June 30, 2023, representing the Company’s best estimate of the total investigation and remediation activities to be incurred related to the incident.”
The Clop ransomware gang added Maximus to its dark web data leak site yesterday as part of a big batch of 70 new victims, all having been breached using the MOVEit zero-day flaw.
The entry on Clop’s site claims they have stolen 169GB of data during the breach on Maximus’ MOVEit Transfer server. However, no data has been leaked so far, so the extortion process is still underway.
As the list of MOVEit zero-day flaw victims grows and the size of the attack somewhat normalizes the large-scale data breaches that have compromised the data of hundreds of millions, the Clop ransomware gang has resorted to more aggressive extortion tactics.
Recently, they launched clearweb sites to leak the stolen data of specific companies, which applies further leverage on the victims as it makes the data more accessible to a broader audience.
Irish Revenue Officer Under Investigation by Gardaí as Suspected Member of Major Criminal Gang
A Revenue officer with full access to confidential information held within its systems is under investigation as a suspected member of a major criminal gang. Cash and powder, suspected to be cocaine, were discovered at her house during intelligence-led searches carried out recently while a close relative has been charged with major organized crime offences.
However, despite being informed of her links to one of the most powerful drug gangs in the country, Revenue has yet to suspend her or remove her access to its systems.
Sources say that officers from the National Drugs and Organised Crime Bureau (DOCB) and the Criminal Assets Bureau (CAB) are stunned at the revelations and the lack of response from Revenue, headed up by chairman Niall Cody, and are now refusing to share information with the department.
The woman’s home was one of a number of residential properties searched by officers from the DOCB when more than €1m worth of cocaine and a six-figure sum of cash was seized during the operation.
One man was arrested but Operation Tara was the result of a lengthy probe into a multi-national gang running drugs into the country under the cover of the equestrian industry. It has identified a grouping made up of Irish and Spanish-Moldovan criminals who came together to form one gang. Officers believe the gang has been using ferry routes and the transportation of horses as cover for shipping vast quantities of cocaine into Ireland and cash back out.
Over the course of a number of raids, it was discovered that a suspected gang member held a senior position at Revenue with full access to its files both on-site and remotely. During a raid on the woman’s house, her work laptop and phone were seized and are currently under forensic examination for any evidence of information harvesting.
Revenue was immediately informed of the concerns of the country’s most respected officers at the DOCB that someone with such close familial links to the gang could access highly sensitive information.
However, the woman has remained in her job in the weeks since the alarm bells were sounded.
The potential security breach could be one of the most serious ever discovered in Ireland and senior sources say the lack of action taken by Revenue since it was uncovered is even more shocking.
Revenue works with both the CAB and the Drugs and Organised Crime Bureau, along with other agencies, in investigations centred on high-level crime. It also holds highly-sensitive personal details on people on its files – including what is required for tax returns, like earnings, PPS numbers, home addresses and other ‘classified’ information.
The criminal gang at the centre of the security breach scandal are one of the most dangerous in the country and are suspected as having made millions over the past few years. They include a well-known Irish gang known for its trade in drugs and lethal weapons, as well as a Spanish outfit who are one of the top targets of Europol.
The woman in question is a close relative of the top target of the grouping and a relative of a suspected gang boss.
A large quantity of cash was found at her registered address as well as a substance suspected to be cocaine which is under analysis at the moment.
She has been identified as the full owner of another property which was bought outright with no mortgage while she was still a teenager. The woman is understood to have been employed in Revenue over the past five years with access to its full system.
New AI Tool ‘FraudGPT’ Emerges, Tailored for Sophisticated Attacks
Following the footsteps of WormGPT, threat actors are advertising yet another cybercrime generative artificial intelligence (AI) tool dubbed FraudGPT on various dark web marketplaces and Telegram channels.
It is an AI bot, exclusively targeted for offensive purposes, such as crafting spear phishing emails, creating cracking tools, carding, etc. The offering has been circulating since at least July 22, 2023, for a subscription cost of $200 a month (or $1,000 for six months and $1,700 for a year).
“If your looking for a Chat GPT alternative designed to provide a wide range of exclusive tools, features, and capabilities tailored to anyone’s individuals with no boundaries then look no further!,” claims the actor, who goes by the online alias CanadianKingpin.
The author also states that the tool could be used to write malicious code, create undetectable malware, find leaks and vulnerabilities, and that there have been more than 3,000 confirmed sales and reviews. The exact large language model (LLM) used to develop the system is currently not known.
The development comes as threat actors are increasingly riding on the advent of OpenAI ChatGPT-like AI tools to concoct new adversarial variants that are explicitly engineered to promote all kinds of cybercriminal activity sans any restrictions.
Such tools, besides taking the phishing-as-a-service (PhaaS) model to the next level, could act as a launchpad for novice actors looking to mount convincing phishing and business email compromise (BEC) attacks at scale, leading to the theft of sensitive information and unauthorized wire payments.
Dozens of Organizations Targeted by Akira Ransomware
The Akira ransomware gang has compromised at least 63 organizations since March 2023, mostly focusing on small- to medium-sized businesses (SMBs), according to recent reports.
Likely opportunistic, the group consists of at least some Conti-affiliated threat actors and engages in double extortion tactics, exfiltrating victim data prior to encryption and threatening to release the data publicly unless a ransom is paid.
The group does not insist on a company paying for both decryption assistance and the deletion of data. Instead, Akira offers victims the opportunity to pick and choose what they would like to pay for. The ransomware group demands ransom payments ranging between $200,000 and $4 million. If the victim does not pay, their name and data are added to the group’s leak site.
At least 63 organizations have been listed on the site since March 2023, but some of them have been removed. Roughly 80% of the victims are SMBs.
Distributed via the ransomware-as-a-service (RaaS) business model, Akira is a fast-growing threat that leverages compromised credentials for intrusion. Most of the victims did not have multi-factor authentication (MFA) enabled on their VPNs.
According to researchers, the group also uses malicious email attachments, malicious ads, and pirated software to spread the ransomware, and exploits unpatched vulnerabilities in VPN endpoints. It was also observed exploiting VMware ESXi vulnerabilities for lateral movement.
The group uses multiple readily available tools to obtain initial access to a victim’s environment and to perform system and data discovery, exfiltration, and command-and-control (C&C) activities.
The code used overlaps with the Conti ransomware, including similar functions and a similar implementation of the ChaCha algorithm for encryption.
Following the release of a decryptor for Akira on June 29, the ransomware operators modified the encryption routine, to prevent free file recovery.
ALPHV Ransomware Adds Data Leak API in New Extortion Strategy
The ALPHV ransomware gang, also referred to as BlackCat, is trying to put more pressure on their victims to pay a ransom by providing an API for their leak site to increase visibility for their attacks.
This move follows the gang’s recent breach of Estée Lauder that ended with the beauty company completely ignoring the threat actor’s effort to engage in negotiations for a ransom payment.
Multiple researchers spotted earlier this week that the ALPHV/BlackCat data leak site added a new page with instructions for using their API to collect timely updates about new victims.
APIs, or Application Programming Interfaces, are typically used to enable communication between two software components based on agreed definitions and protocols. The ransomware gang posted the API calls that would help fetch various information about new victims added to their leak site or updates starting a specific date.
“Fetch updates since the beginning and synchronize each article with your database. After that any subsequent updates call should supply the most recent `updatedDt` from prevoiusly [sic] synchronized articles + 1 millisecond,” the gang explained.
The group also provided a crawler written in Python to help retrieve the latest information on the data leak site.
Although the gang did not explain the release of the API, one reason could be that fewer victims are succumbing to ransomware demands. However, some threat actors continue to make big money by focusing on targeting the supply chain to breach a large number of organizations.
Clop ransomware, for instance, is estimated to make at least $75 million from their massive MOVEit data theft campaign. Clop’s breaches using a zero-day vulnerability in the MOVEit Transfer secure file transfer platform likely impacts hundreds of companies, including Estée Lauder which was also compromised by ALPHV/BlackCat.
Estée Lauder did not respond to any messages from ALPHV, clearly stating that it would not pay the attacker for the stolen files.
This inflamed the ransomware gang and prompted a disgruntled message that mocked the company’s security measures by saying that the security experts brought in following the breach did a poor job because the network was still compromised.
With fewer paying victims, ransomware gangs are looking for new methods to put pressure and get the money. Making their leaks easily available to a larger audience appears to be the latest extortion layer from ransomware but it is likely doomed to fail.
Critical Mikrotik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking
A severe privilege escalation issue impacting MikroTik RouterOS could be weaponized by remote malicious actors to execute arbitrary code and seize full control of vulnerable devices.
Cataloged as CVE-2023-30799 (CVSS score: 9.1), the shortcoming is estimated to put approximately 500,000 RouterOS systems at risk of exploitation via their web interface and 900,000 via their Winbox interface.
CVE-2023-30799 does require authentication. In fact, the vulnerability itself is a simple privilege escalation from admin to ‘super-admin’ which results in access to an arbitrary function. Acquiring credentials to RouterOS systems is easier than one might expect.
This is because the Mikrotik RouterOS operating system does not offer any protection against password brute-force attacks and ships with a well-known default “admin” user, with its password being an empty string until October 2021, at which point administrators were prompted to update the blank passwords with the release of RouterOS 6.49.
CVE-2023-30799 is said to have been originally disclosed as an exploit dubbed FOISted without an accompanying CVE identifier in June 2022. The security hole, however, was not plugged until October 13, 2022, in the RouterOS stable version 6.49.7 and on July 19, 2023, for the RouterOS Long-term version 6.49.8.
A patch for the Long-term release tree was made available only after the researchers contacted the vendor and published new exploits that attacked a wider range of MikroTik hardware. A proof-of-concept (PoC) devised by the researchers shows that it’s possible to derive a new MIPS architecture-based exploit chain from FOISted and obtain a root shell on the router.
Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort nor Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI.
With flaws in Mikrotik routers exploited to corral the devices into distributed denial-of-service (DDoS) botnets such as Mēris and use them as command-and-control proxies, it’s recommended that users patch the flaw by updating to the latest version (6.49.8 or 7.x) as soon as possible.
Mitigation advice includes removing MikroTik administrative interfaces from the internet, limiting the IP addresses administrators can log in from, disabling the Winbox and web interfaces, and configuring SSH to use public/private keys and disabling password authentication.
Norway Says Ivanti Zero-Day was Used to Hack Govt IT Systems
The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country.
The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway’s Prime Minister’s Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.
The Norwegian Data Protection Authority (DPA) was also notified about the incident, indicating that the hackers might have gained access to and/or exfiltrated sensitive data from compromised systems, leading to a data breach.
“This vulnerability was unique, and was discovered for the very first time here in Norway. If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world,” the NSM said.
“The update is now generally available and it is prudent to announce what kind of vulnerability it is,” says Sofie Nystrøm, director of the National Security Agency.
The Norwegian National Cyber Security Center (NCSC) also notified all known MobileIron Core customers in Norway about the existence of a security update to address this actively exploited zero-day bug (tracked as CVE-2023-35078).
As a recommendation, the NCSC urged these system owners to install security updates to block incoming attacks as soon as possible.
The CVE-2023-35078 security bug is an authentication bypass vulnerability that impacts all supported versions of Ivanti’s Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core), as well as unsupported and end-of-life releases.
Successful exploitation allows remote threat actors to access specific API paths without requiring authentication.
“An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory published on Monday.
“An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system.”
The company has confirmed that the zero-day is being exploited in attacks and also warned customers that it’s critical to “immediately take action to ensure you are fully protected.”
More than 2,900 MobileIron user portals are presently exposed online, out of which around three dozen are linked with U.S. local and state government agencies. Most of these exposed servers are in the United States, with other notable locations including Germany, the United Kingdom, and Hong Kong.
In light of this, it is crucial for all network administrators to promptly install the latest Ivanti Endpoint Manager Mobile (MobileIron) patches to protect their systems from attacks.
Norway has disclosed other cyberattacks in which Chinese and Russian state hackers targeted its government websites and the country’s parliament. Last year, in June, the NSM said that Russian hacktivists took down multiple Norwegian government websites in DDoS attacks.
TETRA Radio Standard Vulnerabilities Can Expose Military Comms, Industrial Systems
Five vulnerabilities, two deemed to be critical, have been found in the Terrestrial Trunked Radio (TETRA) standard.
TETRA is the most widely used police radio communication system outside of the US. It is used by fire and ambulance services, transportation agencies, utilities, and military, border control and customs agencies in more than 100 nations globally — as well as the UN and NATO.
The vulnerabilities were discovered by researchers reverse-engineering the proprietary TETRA Authentication Algorithm (TAA1) and TETRA Encryption Algorithm (TEA) and analyzing them for the first time. In this process they discovered a series of vulnerabilities that they call TETRA:BURST.
The five vulnerabilities are:
CVE-2022-24401, critical: allows decryption oracle attacks leading to a loss of confidentiality and authenticity.
CVE-2022-24402, critical: a backdoor in the TEA1 encryption algorithm allows trivial brute-forcing on keys leading to a loss of confidentiality and authenticity.
CVE-2022-24404, high: lack of authentication on AIE allowing malleability attacks leading to a loss of authentication.
CVE-2022-24403, high: weak obfuscation on radio identities allowing user deanonymization.
CVE-2022-24400, high: a flaw in the authentication algorithm can lead to a loss of authenticity and a partial loss of confidentiality.
The first and third vulnerabilities are of immediate concern. They could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications. There are also concerns over the TEA1 encryption backdoor, which could pose a serious risk to critical infrastructure operators and their industrial control systems (ICS).
By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic would allow an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signaling messages.
Since criminals are constantly looking for weaknesses in systems they can exploit to gain access to data, there is a possibility these bugs have already been discovered and used in the wild.
Banking Sector Targeted in Open-Source Software Supply Chain Attacks
Cybersecurity researchers say they have discovered the first open-source software supply chain attacks specifically targeting the banking sector. These attacks showcased advanced techniques, including targeting specific components in the victim bank’s web assets and attaching malicious functionality to them.
The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command-and-control (C2) centers for each target, exploiting legitimate services for illicit activities. The npm packages have since been reported and taken down. The names of the packages were not disclosed.
In the first attack, the malware author is said to have uploaded a couple of packages to the npm registry in early April 2023 by posing as an employee of the target bank. The modules came with a preinstall script to activate the infection sequence. To complete the ruse, the threat actor behind it created a fake LinkedIn profile.
Once launched, the script determined the host operating system to see if it was Windows, Linux, or macOS, and proceeded to download a second-stage malware from a remote server by using a subdomain on Azure that incorporated the name of the bank in question.
The attacker cleverly utilized Azure’s CDN subdomains to effectively deliver the second-stage payload. This tactic is particularly clever because it bypasses traditional deny list methods, due to Azure’s status as a legitimate service.
The second-stage payload used in the intrusion is Havoc, an open-source command-and-control (C2) framework that has increasingly come under the radar of malicious actors looking to sidestep detection stemming from the use of Cobalt Strike, Sliver, and Brute Ratel.
In an unrelated attack detected in February 2023 targeting a different bank, the adversary uploaded to npm a package that was meticulously designed to blend into the website of the victim bank and lay dormant until it was prompted to spring into action. Specifically, it was engineered to covertly intercept login data and exfiltrate the details to an actor-controlled infrastructure.
“Supply chain security revolves around protecting the entire process of software creation and distribution, from the beginning stages of development to the delivery to the end user,” the company said.
“Once a malicious open-source package enters the pipeline, it’s essentially an instantaneous breach – rendering any subsequent countermeasures ineffective. In other words, the damage is done.”
The development comes as the Russian-speaking cybercrime group RedCurl breached an unnamed major Russian bank and an Australian company in November 2022 and May 2023 to siphon corporate secrets and employee information as part of a sophisticated phishing campaign, Group-IB’s Russian arm, F.A.C.C.T., said.
Financial institutions have also been at the receiving end of attacks leveraging a web-inject toolkit called drIBAN to perform unauthorized transactions from a victim’s computer in a manner that circumvents identity verification and anti-fraud mechanisms adopted by banks.
Industrial Organizations in Eastern Europe Targeted by Chinese Cyberspies
A China-linked cyberspy group appears to be behind a campaign targeting industrial organizations in Eastern Europe. The attacks have been linked to APT31, a group believed to be sponsored by the Chinese government that is also known as Zirconium, Judgement Panda, Bronze Vinewood and Red Keres. The threat actor has focused on operations whose goal is to steal valuable intellectual property from victims.
While the targets of the campaign were industrial organizations, there is no indication that the hackers targeted industrial control systems (ICS).
The hackers attempted to establish permanent channels for data exfiltration, including for information stored on air-gapped systems, which they targeted through malware-infected removable drives.
The attackers used improved variants of a previously known malware named FourteenHi, which enables the attackers to upload or download files, run commands, and initialize a reverse shell. The new variants were designed to specifically target the infrastructure of industrial organizations.
In addition, the cyberspies leveraged a new malware implant dubbed MeatBall, which provides extensive remote access capabilities. The attackers exploited DLL hijacking vulnerabilities affecting legitimate applications to load some of their malware.
To exfiltrate data and deliver next-stage malware, the threat actor abuses cloud-based data storage services, e.g., Dropbox or Yandex Disk, as well as a service used for temporary file sharing. They also use C2 deployed on regular virtual private servers (VPS).
Imagine360 Data Breach: Medical Information, Social Security Numbers Compromised
Imagine360, a health plan solution company based in Pennsylvania, has disclosed a data breach affecting over 130,000 people. The company is among the victims of the Fortra GoAnywhere vulnerability exploited by the notorious Cl0p gang.
It identified “unusual activity” within Citrix, a third-party file-sharing platform. Imagine360 immediately terminated access to the platform and launched an investigation into the activity. Unfortunately, during the investigation, it turned out that another file-sharing platform, Fortra, had also experienced a data security incident.
“According to Fortra, an unauthorized actor copied data maintained in this platform belonging to multiple organizations, including Imagine360,” the company said in its notice of data security incident.
Fortra’s GoAnywhere Managed File Transfer vulnerability was actively exploited at the beginning of the year by the Cl0p gang. At the time, companies like Procter & Gamble, Hitachi, Virgin Red, Pluralsight, and Munich Re, among others, confirmed the breach.
Imagine360 determined that sensitive files were copied at the end of January. Compromised information included: names, medical information, health insurance information, and Social Security numbers.
According to a data breach notification filed with Maine’s Attorney General’s Office, the incident has affected over 130,000 customers.
“Individuals are encouraged to remain vigilant against incidents of identity theft and fraud, and to review their account statements and explanation of benefits along with monitoring their free credit reports for suspicious activity and to detect errors,” Imagine360 said.