WHSmith breach exposes current and former employee data

WHSmith, a centuries-old British retailer that specialises in books and other publications, has been hit with a cyberattack, with threat actors accessing company data.

The company said it was investigating a breach that led to unauthorised access to company data, including that of existing and former employees, although it is claiming business as usual in spite of the attack.

In a statement WHSmith stated that they are notifying all affected colleagues and have put measures in place to support them, adding that upon discovering the breach, it had notified authorities and launched an investigation. They further said that there has been no impact on the trading activities of the group. Their website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident.

The company boasts over 12,500 employees, which means the number of people affected by the breach may be even larger. WHSmith owns close to 600 high street and over 1,100 travel stores worldwide.

The limited information WHSmith provided about the breach suggested the culprits had obtained names, addresses, dates of birth, and national insurance numbers of staff – although acknowledged WHSmith’s claims that no trading data had been compromised.

British companies are popular targets for cyber-crooks. Last November, Russia-linked cyber syndicate LockBit targeted Royal Mail with a ransomware attack, demanding the organisation to cough up $80 million, a demand the firm eventually refused.

Source – https://cybernews.com/news/whsmith-breach-exposes-employee-data/?

Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains.

GootLoader, active since late 2020, is a first-stage downloader that’s capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware. It notably employs search engine optimisation (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware.

The threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners’ knowledge. When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader.

GootLoader is far from the only JavaScript malware targeting business professionals and law firm employees. A second set of attacks also entailed the use of SocGholish, which is a downloader capable of dropping more executables.

The infection chain is further significant for taking advantage of a website frequented by legal firms as a watering hole to distribute the malware under the guise of fake browser updates. Another standout aspect of the twin intrusion sets in the absence of ransomware deployment, instead favoring hands-on activity, suggesting that the attacks could have diversified in scope to include espionage operations.

Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks have steadily been growing to compete with email as the primary infection vector. This has been largely thanks to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results.

Source – https://thehackernews.com/2023/03/cybercriminals-targeting-law-firms-with.html

Parallax RAT Targeting Cryptocurrency Firms with Sophisticated Injection Techniques

Cryptocurrency companies are being targeted as part of a new campaign that delivers a remote access trojan called Parallax RAT.

The malware uses injection techniques to hide within legitimate processes, making it difficult to detect. Once it has been successfully injected, attackers can interact with their victim via Windows Notepad that likely serves as a communication channel.

Parallax RAT grants attackers’ remote access to victim machines. It comes with features to upload and download files as well as record keystrokes and screen captures. It has been put to use since early 2020 and was previously delivered via COVID-19-themed lures. In February 2022, an activity cluster dubbed TA2541 was identified targeting aviation, aerospace, transportation, manufacturing, and defense industries using different RATs, including Parallax.

The first payload is a Visual C++ malware that employs the process hollowing technique to inject Parallax RAT into a legitimate Windows component called pipanel.exe. Parallax RAT, besides gathering system metadata, is also capable of accessing data stored in the clipboard and even remotely rebooting or shutting down the compromised machine. One notable aspect of the attacks is the use of the Notepad utility to initiate conversations with the victims and instruct them to connect to an actor-controlled Telegram channel. Analysis of the Telegram chats reveals that the threat actor has an interest in crypto companies such as investment firms, exchanges, and wallet service providers.

The modus operandi entails searching public sources like DNSdumpster for identifying mail servers belonging to the targeted companies via their mail exchanger (MX) records and sending phishing emails bearing the Parallax RAT malware.

The development comes as Telegram is increasingly becoming a hub for criminal activities, enabling threat actors to organise their operations, distribute malware, and facilitate the sale of stolen data, and other illegal goods in part owing to the platform’s lax moderation efforts.

Source – https://thehackernews.com/2023/03/parallax-rat-targeting-cryptocurrency.html

LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults

LastPass, which in December 2022 disclosed a severe data breach that allowed threat actors to access encrypted password vaults, said it happened as a result of the same adversary launching a second attack on its systems.

The company said one of its DevOps engineers had their personal home computer hacked and infected with a keylogger as part of a sustained cyber attack that exfiltrated sensitive data from its Amazon AWS cloud storage servers. This intrusion targeted the company’s infrastructure, resources, and the aforementioned employee from August 12, 2022, to October 26, 2022. The original incident, on the other hand, ended on August 12, 2022. The August breach saw the intruders accessing source code and proprietary technical information from its development environment by means of a single compromised employee account.

In December 2022, LastPass revealed that the threat actor leveraged the stolen information to access a cloud-based storage environment and get hold of certain elements of their customers’ information. Later in the same month, the unknown attacker was disclosed as having obtained access to a backup customer vault data that it said was protected using 256-bit AES encryption. It did not divulge how recent the backup was.

GoTo, the parent company of LastPass, also fessed up to a breach last month stemming from unauthorised access to the third-party cloud storage service. Now according to the company, the threat actor engaged in a new series of “reconnaissance, enumeration, and exfiltration activities” aimed at its cloud storage service between August and October 2022.

Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment. The engineer had access to the decryption keys needed to access the cloud storage service. This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.

The employee’s passwords are said to have been siphoned by targeting the individual’s home computer and leveraging a “vulnerable third-party media software package” to achieve remote code execution and plant a keylogger software. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.

LastPass did not reveal the name of the third-party media software used, but indications are that it could be Plex based on the fact that it suffered a breach of its own in late August 2022.

In the aftermath of the incident, LastPass said it upgraded its security posture by rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor, and that it applied extra S3 hardening measures to put in place logging and alerting mechanisms.

LastPass users are highly recommended to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.

Source – https://thehackernews.com/2023/02/lastpass-reveals-second-attack.html

SCARLETEEL hackers use advanced cloud skills to steal source code, data

An advanced hacking operation dubbed ‘SCARLETEEL’ targets public-facing web apps running in containers to infiltrate cloud services and steal sensitive data.

One example showed that while the attackers deployed cryptominers in the compromised cloud environments, the hackers showed advanced expertise in AWS cloud mechanics, which they used to burrow further into the company’s cloud infrastructure. The cryptojacking attack is thought to have been used as a decoy for the threat actors’ real purpose, which was the theft of proprietary software.

The SCARLETEEL attack began with the hackers exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS). Once the attackers access the container, they download an XMRig coinminer, believed to serve as a decoy, and a script to extract account credentials from the Kubernetes pod.

The stolen credentials were then used to perform AWS API calls to gain persistence by stealing further credentials or creating backdoor users and groups in the company’s cloud environment. These accounts were then used to spread further through the cloud environment. Depending on the AWS cluster role configuration, the attackers may also gain access to Lambda information, such as functions, configurations, and access keys.

Next, the attacker uses the Lambda functions to enumerate and retrieve all proprietary code and software along with its execution keys and the Lambda function environment variables to find IAM user credentials and leverage them for subsequent enumeration rounds and privilege escalation. S3 bucket enumeration also occurs at that stage, and files stored in cloud buckets are likely to contain valuable data for attackers, such as account credentials.

To minimise the traces left behind, the attacker attempted to disable CloudTrail logs in the compromised AWS account. However, it was evident that the attacker retrieved Terraform state files from the S3 buckets containing IAM user access keys and a secret key for a second AWS account. This account was eventually used for lateral movement within the organisation’s cloud network.

The SCARLETEEL attack proves that a single vulnerable point in an organisation’s cloud environment could be enough for persistent and knowledgeable threat actors to leverage it for network infiltration and sensitive data theft.

Source – https://www.bleepingcomputer.com/news/security/scarleteel-hackers-use-advanced-cloud-skills-to-steal-source-code-data/

Danish hospitals latest target of DDoS attacks on NATO-backed countries

A relatively new hacking group known as Anonymous Sudan targeted nine Region H hospitals in Denmark with DDoS attacks late on Feb. 26, bringing down their website for several hours.

On Twitter, officials alerted patients to the outage and shared an emergency page with relevant hospital contact information in case of emergency, as the IT team worked to recover the impacted sites. The apparent DDoS attack did not affect the rest of the digital infrastructure.

The Anonymous Sudan Telegram channel warned it would attack Denmark healthcare infrastructure after an alleged far-right activist burned a Koran in front of the embassy of Turkey in Stockholm on Saturday. The hackers warned the targeting would continue in retaliation for what they view as anti-Islamic behavior.

However, the attack on Denmark’s hospital had limited impact, as The Capital Region and the hospital websites were back to full operation after a few hours of downtime.

It’s the latest nation-backed cyberattack against a country with NATO ties, a growing risk facing the critical infrastructure of countries actively supporting Ukraine amid the Russian conflict. Since the start of the year, Russian-backed threat groups have pummelled the critical infrastructure of NATO members with DDoS attacks that appear highly coordinated.

Anonymous Sudan emerged a month ago and is believed to be unrelated to a group of the same name that levied attacks in 2019. The politically motivated hacktivist group is believed to be based in Russia and is amplified by the country’s hacktivism sphere — including Killnet and Passion Net.

These groups have recently targeted the U.S. health sector in force. Killnet has already hit nearly 50 U.S. healthcare organisations this year, in addition to launching a collaborative marketplace designed to secure funding for future attacks. Anonymous Sudan announced it joined the Russian Killnet collective on Feb. 19.

But unlike hacktivist groups like Killnet, Anonymous Sudan doesn’t use an illegal botnet to generate the needed traffic volume for a successful DDoS attack. The group uses a paid cluster of 61 servers hosted in Germany. The attacks are then routed through open proxies to disguise the real origin of the attacks. The finding suggests that Anonymous Sudan is funded by paid infrastructure. Additional evidence shows the operation is being carefully funded by a willing donor and not a spontaneous action by activists.

Initially, Cybersecurity and Infrastructure Security Agency noted DDoS attacks would have limited impact. But in healthcare, it’s a patient-safety risk when DDoS attacks are deployed against patient-facing tech.

Source – https://www.scmagazine.com/news/threats/danish-hospitals-latest-target-of-ddos-attacks-on-nato-backed-countries

PureCrypter Malware Targets Government Entities in Asia-Pacific and North America

Government entities in Asia-Pacific and North America are being targeted by an unknown threat actor with an off-the-shelf malware downloader known as PureCrypter to deliver an array of information stealers and ransomware.

The PureCrypter campaign uses the domain of a compromised non-profit organisation as a command-and-control (C2) to deliver a secondary payload. The different types of malware propagated using PureCrypter include RedLine Stealer, Agent Tesla, Eternity, Blackmoon (aka KRBanker), and Philadelphia ransomware.

First documented in June 2022, PureCrypter is advertised for sale by its author for $59 for one-month access (or $245 for a one-off lifetime purchase) and is capable of distributing a multitude of malware. In December 2022, PureCoder – the developer behind the program – expanded the slate of offerings to include a logger and information stealer known as PureLogs, which is designed to siphon data from web browsers, crypto wallets, and email clients. It costs $99 a year (or $199 for lifetime access).

The infection sequence commences with a phishing email containing a Discord URL that points to the first-stage component, a password-protected ZIP archive that, in turn, loads the PureCrypter malware. The loader, for its part, reaches out to the website of the breached non-profit entity to fetch the secondary payload, which is a .NET-based keylogger named Agent Tesla. The backdoor then establishes a connection to an FTP server located in Pakistan to exfiltrate the harvested data, indicating that compromised credentials may have been used to perform the activity.

Source – https://thehackernews.com/2023/02/purecrypter-malware-targets-government.html

ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks

A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format. The files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games.

ChromeLoader (aka Choziosi Loader or ChromeBack) originally surfaced in January 2022 as a browser-hijacking credential stealer but has since evolved into a more potent, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs.

The primary goal of the malware is to compromise web browsers like Google Chrome and modify the browser settings to intercept and direct traffic to dubious advertising websites. What’s more, ChromeLoader has emerged as a conduit to carry out click fraud by leveraging a browser extension to monetise clicks.

Since arriving on the scene, the malware has gone through multiple versions, many of them equipped with capabilities to break into both Windows and macOS systems. The shift to VHD files is yet another sign that the campaign has gone through many changes over the past few months.

The infection chain indicates that users looking for pirated software and video game cheats are the main targets, leading to the download of VHD files from fraudulent websites appearing on search results pages. Some of the game titles and popular software used are Elden Ring, Dark Souls III, Red Dead Redemption 2, Need for Speed, Call of Duty, The Legend of Zelda: Breath of the Wild, Mario Kart 8 Deluxe, Super Mario Odyssey, Microsoft Office, and Adobe Photoshop.

To mitigate such risks, it’s recommended that users refrain from following suspicious links and download software only from official sources.

Source – https://thehackernews.com/2023/02/chromeloader-malware-targeting-gamers.html

New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware

Threat actors are promoting a new ‘Exfiltrator-22’ post-exploitation framework designed to spread ransomware in corporate networks while evading detection. This new framework was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution in exchange for a subscription fee.

The prices for Exfiltrator-22 range between $1,000 per month and $5,000 for lifetime access, offering continuous updates and support. Buyers of the framework are given an admin panel hosted on a bulletproof VPS (virtual private server) from where they can control the framework’s malware and issue commands to compromised systems.

The first version of the Exfiltrator-22 (EX-22) appeared in the wild on November 27, 2022, and roughly ten days later, its authors set up a Telegram channel to advertise the framework to other cybercriminals. By the end of the year, the threat actors announced new features that helped conceal traffic on compromised devices, indicating that the framework was under active development.

In January 2023, EX-22 was deemed 87% ready by its authors, and subscription prices were announced, inviting interested users to purchase access to the tool. On February 10, 2023, the threat actors posted two demonstration videos on YouTube to showcase EX-22’s lateral movement and ransomware-spreading capabilities.

EX-22 includes features commonly found in other post-exploitation toolkits but also additional features geared towards deploying ransomware and data theft. The highlight features included in the framework are, among others:

• Establish a reverse shell with elevated privileges.
• Upload files to the breached system or download files from the host to the C2.
• Activate a keylogger to capture keyboard input.
• Activate a ransomware module to encrypt files on the infected device.
• Capture a screenshot from the victim’s computer.
• Start a live VNC (Virtual Network Computing) session for real-time access on the compromised device.
• Gain higher privileges on the infected device.

Establish persistence between system reboots.

The above commands are sent to compromised devices through the  Windows ‘EX22 Command & Control’ console program. These commands’ outputs are then returned to the command and control server and displayed directly in the console application. Through the service’s web panel, cybercriminals can also set scheduled tasks, update agents to a new version, change a campaign’s configuration, or create new campaigns.

Exfiltrator-22 appears to have been created by knowledgeable malware authors who possess the skills to develop an evasive framework. Hence, it is expected to generate much interest in the cybercrime community despite its high price, naturally resulting in further code development and feature improvements.

Source – https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-exploitation-kit-linked-to-lockbit-ransomware/

U.S. Marshals Service investigating ransomware attack, data theft

The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack that has impacted what it describes as a stand-alone USMS system.

USMS is a bureau within the Justice Department that provides support to all elements of the federal justice system by executing federal court orders, seizing illegally obtained assets, assuring the safety of government witnesses and their families, and more.

The federal law enforcement agency stated that the stolen data included employees’ personally identifiable information.

Spokesperson Drew Wade said the USMS discovered the “ransomware and data exfiltration event affecting a stand-alone USMS system” on February 17.

“The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” Wade added.

The compromised system is now disconnected from the USMS network, and the attack is currently under active investigation as a “major incident. According to sources close to the incident, the attackers did not gain access to USMS’ Witness Security Files Information System (aka WITSEC or the witness protection program) database.

This follows another data breach disclosed in May 2020 after the U.S. Marshals Service exposed the details of over 387,000 former and current inmates in a December 2019 incident, including their names, dates of birth, home addresses, and social security numbers.

Source – https://www.bleepingcomputer.com/news/security/us-marshals-service-investigating-ransomware-attack-data-theft/

Canadian Telecom Firm Telus Reportedly Investigating Breach

Telus, one of Canada’s largest telecommunications providers, is reportedly investigating a potentially major breach of its systems after a threat actor posted samples online of what the person claimed was sensitive data from the company.

The leaked data included what the adversary alleged was a sample of employee payroll records, source code from the telecom firm’s private GitHub repositories, and other information.

In a post on BreachForums, the threat actor offered for sale an email database purporting to contain the email addresses of every employee at Telus. The price for the database was $7,000. Another database, supposedly containing payroll information of the top executives at the telco, including its president, was available for $6,000.

The threat actor also offered for sale, for $50,000, a data set that the person claimed included more than 1,000 private GitHub repositories belonging to Telus. The source code available for sale apparently included an API that would allow an adversary to do SIM-swapping — a process where attackers hijack another individual’s phone by transferring the number to their own SIM card.

“This is the FULL breach,” the alleged hacker wrote in the post of BreachForums. “You will receive everything associated with Telus,” including complete subdomain lists and screenshots of active sites, the post went on to say. It’s unclear whether any of the data that the alleged attacker appeared to have is authentic or belonged to Telus, as claimed.

That said, IT World Canada quoted a Telus spokesman as saying the company is currently investigating claims about a “small amount of data” related to the company’s source code and certain employees being leaked on the Dark Web.

If the breach at Telus happened as the threat actor claimed, it will be the latest in a string of attacks that have targeted telecom firms recently. Just since the beginning of the year, attackers have breached multiple major telecommunications firms including three of Australia’s largest: Optus, Telestra, and Dialog. And earlier this month, researchers at SentinelOne reported observing a previously unknown bad actor targeting telecom firms in the Middle East in what appeared to be a cyber-espionage campaign.

Source – https://www.darkreading.com/attacks-breaches/canadian-telecom-firm-telus-reportedly-investigating-breach

Smarttech247