Friday, January 6th, 2023
Cybersecurity Week in Review (6/1/23)
Five Guys Data Breach Puts HR Data Under a Heat Lamp
The Five Guys burger empire has been hit by a cyberattack. The threat actors busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain.
Details are scant, but in a letter sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an “unauthorised access to files” was discovered on Sept. 17 and was blocked the same day. The data identified as compromised includes Social Security numbers and driver’s license data.
Five Guys employs about 5,000 people worldwide, and while that means that a large number of people could potentially be affected by the breach, the company has so far left it unclear how many were actually caught up in the incident. Five Guys also hasn’t announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it would provide credit monitoring.
In a past breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards; one such bank, Trustco, was hit with $100,000 in fraudulent charges on the cards of its customers who had been caught up in that breach. Even though this latest breach does not appear to include payment-card information, there are any number of follow-on attacks that threat actors could mount with the data, such as scams and money-mule recruitment lures sent to the affected applicants in the near future.
Since the data breach notice indicates that the attackers accessed a single file server, with no lateral movement, this is likely a case of financially motivated threat actors looking for low-hanging fruit. Restaurants and food-service outlets have thin margins that can often lead to them deprioritising security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more.
200 million Twitter users’ email addresses allegedly leaked online
A data leak described as containing email addresses for over 200 million Twitter users has been published on a popular hacker forum for about $2. Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces.
These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID. The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users.
Though Twitter fixed this flaw in January 2022, multiple threat actors have recently begun to leak the data sets they collected over a year ago for free. The first data set of 5.4 million users was put up for sale in July for $30,000 and ultimately released for free on November 27th, 2022. Another data set allegedly containing the data for 17 million users was also circulating privately in November.
This week, a threat actor released a data set consisting of 200 million Twitter profiles on the Breached hacking forum for eight credits of the forum’s currency, worth approximately $2. This data set is allegedly the same as the 400 million set circulating in November but cleaned up to not contain duplicates, reducing the total to around 221,608,279 lines.
The data was released as a RAR archive consisting of six text files with a combined size of 59 GB. Each line in the files represents a Twitter user and their data, which includes email addresses, names, screen names, follow counts, and account creation dates. Unlike previously leaked data collected using this Twitter API flaw, this leak does not indicate whether an account is verified.
Even though this data leak only contains email addresses, it could be used by threat actors to conduct phishing attacks against accounts, especially verified ones. All Twitter users should be on the lookout for targeted phishing scams that attempt to steal their passwords or other sensitive information.
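The API flaw described above is a classic account-enumeration weakness: a lookup endpoint that answers differently for registered and unregistered contact details lets anyone confirm membership at scale. The following is an added example, not code from the original article or from Twitter, showing the leaky pattern beside a hardened version that returns an identical response either way and rate-limits each client. The sample directory, client IDs and limit values are constructed for the demo.

```python
"""Added example (not from the original article or Twitter): a toy
account-lookup endpoint in its leaky and hardened forms. All accounts,
client IDs and limits are constructed for the demo."""
import time
from collections import defaultdict

# Constructed sample directory: registered contact detail -> account ID
ACCOUNTS = {
    "alice@example.com": 1001,
    "+15550001111": 1002,
}


def lookup_leaky(contact: str) -> dict:
    """Leaky pattern: the response reveals whether the contact is registered
    and which account it maps to, so bulk queries build a contact->ID map."""
    if contact in ACCOUNTS:
        return {"exists": True, "id": ACCOUNTS[contact]}
    return {"exists": False}


class HardenedLookup:
    """Hardened pattern: one uniform response for known and unknown contacts,
    plus a per-client sliding-window rate limit. Limit values are demo
    assumptions, not platform figures."""

    def __init__(self, max_requests: int = 5, window_seconds: float = 60.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(list)  # client_id -> request timestamps

    def _allowed(self, client_id: str, now: float) -> bool:
        # Keep only timestamps still inside the window, then count them.
        hits = [t for t in self._hits[client_id] if now - t < self.window]
        self._hits[client_id] = hits
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def lookup(self, client_id: str, contact: str, now=None) -> dict:
        now = time.time() if now is None else now
        if not self._allowed(client_id, now):
            return {"status": "rate_limited"}
        # Any side effect (e.g. sending a recovery message) happens only when
        # the contact is registered; the caller learns nothing either way.
        _registered = contact in ACCOUNTS
        return {
            "status": "ok",
            "message": "If this contact is registered, a message has been sent.",
        }
```

The important property is that the hardened response is byte-for-byte identical for registered and unregistered input; the rate limit then bounds how many guesses a single client can make even if a timing side channel remains.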
Ongoing Flipper Zero phishing attacks target infosec community
A new phishing campaign is exploiting the increasing interest of security community members towards Flipper Zero to steal their personal information and cryptocurrency.
Flipper Zero is a portable multi-functional cybersecurity tool for pen-testers and hacking enthusiasts. The tool allows researchers to tinker with a wide range of hardware by supporting RFID emulation, digital access key cloning, radio communications, NFC, infrared, Bluetooth, and more.
Threat actors are now taking advantage of the immense interest in Flipper Zero and its lack of availability by creating fake shops pretending to sell it. Three fake Twitter accounts and two fake Flipper Zero stores were identified. At first glance, one of the fake Twitter accounts appears to have the same handle as the official Flipper Zero account. However, in reality, it uses a capital “I” in the name, which looks just like an “l” on Twitter.
This fake Twitter account is actively responding to people about availability and to other accounts’ tweets to make it look legitimate. The goal is to take buyers to the phishing checkout page, where they are requested to enter their email addresses, full names, and shipping addresses. The victims are then given a choice to pay using Ethereum or Bitcoin cryptocurrency and are told that their order will be processed within 15 minutes after submission.
As long as the interest and shortages continue, cybercriminals will continue to attempt to impersonate Flipper Zero through fake shops to trick security enthusiasts into giving up their personal information and crypto. Due to this, it is vital to be on the lookout for these promotions and shops claiming immediate product availability and only buy from the official store.
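The capital-“I”-for-“l” trick above is a homoglyph (confusable-character) substitution, and it can be caught automatically by folding handles to a visual skeleton before comparing them. The following is an added example, not code from the original article or from Flipper Zero; the confusable table is a small demo mapping rather than the full Unicode confusables list, and the official handle and candidate handles are constructed stand-ins for the demo.

```python
"""Added example (not from the original article): flag handles that are
visually confusable with an official handle. The confusable table is a
demo subset, and the handles used are constructed for the demo."""

# Minimal confusable map: each visually similar glyph folds to one
# representative character. Applied before case-folding so that a
# capital "I" becomes "l" rather than "i".
_CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit one, pipe resemble l
    "0": "o",                       # zero resembles o
    "5": "s", "$": "s",
    "3": "e",
    "8": "b",
}


def skeleton(handle: str) -> str:
    """Fold a handle to its visual skeleton: drop a leading '@', map
    confusables, lower-case, and collapse 'rn' (renders like 'm')."""
    folded = []
    for ch in handle.lstrip("@"):
        folded.append(_CONFUSABLES.get(ch, ch).lower())
    return "".join(folded).replace("rn", "m")


def classify(candidate: str, official: str) -> str:
    """Return 'official' (same handle, case-insensitive), 'lookalike'
    (different handle, same skeleton) or 'unrelated'."""
    if candidate.lstrip("@").lower() == official.lstrip("@").lower():
        return "official"
    if skeleton(candidate) == skeleton(official):
        return "lookalike"
    return "unrelated"


def find_lookalikes(candidates, official):
    """Filter a list of handles down to those impersonating `official`."""
    return [c for c in candidates if classify(c, official) == "lookalike"]
```

Handles are compared case-insensitively first so the genuine account never trips the check; only a handle that differs in characters yet collapses to the same skeleton is reported as a lookalike.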
Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe
Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. The intrusions, observed against Spanish and Portuguese-speaking organisations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.
Raspberry Robin, also called QNAP worm, is being used by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors. Microsoft is tracking the operators of Raspberry Robin under the moniker DEV-0856.
An investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim’s browser via social engineering and contains an MSI installer file designed to drop multiple modules. In another instance, a ZIP file is said to have been downloaded by the victim through a fraudulent ad hosted on a domain that’s known to distribute adware.
The collected reconnaissance data is then encrypted using a hard-coded key and transmitted to a command-and-control (C2) server, which responds with a Windows binary that is eventually executed on the machine.
Poland warns of attacks by Russia-linked Ghostwriter hacking group
The Polish government is warning of a spike in cyberattacks from Russia-linked hackers, including the state-sponsored hacking group known as GhostWriter.
In an announcement on Poland’s official site, the government claims that hostile cyber-activities have intensified, targeting public domains and state organisations, strategic energy and armament providers, and other crucial entities. Polish authorities believe Russian hackers target their country because of the continued support Poland has provided to Ukraine in the ongoing military conflict with Russia.
The first case highlighted in the Polish government post is a DDoS (distributed denial of service) attack against the parliament website (‘sejm.gov.pl’), attributed to the pro-Russian self-styled hacktivist group ‘NoName057(16)’. The attack unfolded the day after the parliament adopted a resolution recognising Russia as a state sponsor of terrorism, rendering the website inaccessible to the public.
Another notable incident mentioned in the announcement is a phishing attack attributed to the ‘GhostWriter’ group, which the European Union has associated with the GRU, Russia’s military intelligence service.
The Russian hackers set up websites that impersonate the gov.pl government domain, promoting fake financial compensation for Polish residents allegedly backed by European funds. Clicking on the embedded button to learn more about the program takes victims to a phishing site where they are requested to pay a small fee for verification.
GhostWriter has been active since at least 2017, previously observed impersonating journalists from Lithuania, Latvia, and Poland, to disseminate false information and anti-NATO narratives to local audiences.
Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks
More than 60,000 Microsoft Exchange servers exposed online are yet to be patched against the CVE-2022-41082 remote code execution (RCE) vulnerability, one of the two security flaws targeted by ProxyNotShell exploits.
According to a recent tweet from security researchers at the Shadowserver Foundation, a nonprofit organisation dedicated to improving internet security, almost 70,000 Microsoft Exchange servers were found to be vulnerable to ProxyNotShell attacks according to version information (the servers’ x_owa_version header). New data published on Monday shows that the number of vulnerable Exchange servers has decreased from 83,946 instances in mid-December to 60,865 detected on January 2nd.
These two security bugs, tracked as CVE-2022-41082 and CVE-2022-41040 and collectively known as ProxyNotShell, affect Exchange Server 2013, 2016, and 2019. If successfully exploited, attackers can escalate privileges and gain arbitrary or remote code execution on compromised servers. Microsoft released security updates to address the flaws during the November 2022 Patch Tuesday, even though ProxyNotShell attacks have been detected in the wild since at least September 2022.
Play ransomware threat actors are now using a new exploit chain to bypass ProxyNotShell URL rewrite mitigations and gain remote code execution on vulnerable servers through Outlook Web Access (OWA). Exchange servers are valuable targets, as demonstrated by the financially motivated FIN7 cybercrime group which has developed a custom auto-attack platform known as Checkmarks and designed to breach Exchange servers. It scans for and exploits various Microsoft Exchange remote code execution and privilege elevation vulnerabilities, such as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
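Shadowserver’s count above comes from reading the x_owa_version header each exposed server returns and comparing it with the patched builds. The following is an added example, not Shadowserver’s or the article’s code, that parses such header values from a constructed inventory scan and buckets each server as patched, vulnerable, out of scope or unparseable. The per-branch minimum build numbers are deliberately left as labelled placeholders; replace them with the build numbers from Microsoft’s November 2022 security update before relying on the output.

```python
"""Added example (not Shadowserver's or the article's code): bucket Exchange
servers by their x_owa_version header. Build thresholds are PLACEHOLDERS
and the scan results are constructed for the demo."""
import re
from collections import Counter

# PLACEHOLDER thresholds: (major, minor) branch -> first patched build.
# Replace with the November 2022 SU build numbers for each CU before use.
MIN_PATCHED_BUILD = {
    (15, 0): (15, 0, 9999, 0),   # Exchange 2013 branch (placeholder)
    (15, 1): (15, 1, 9999, 0),   # Exchange 2016 branch (placeholder)
    (15, 2): (15, 2, 9999, 0),   # Exchange 2019 branch (placeholder)
}

_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(header_value):
    """Turn '15.2.1118.20' into (15, 2, 1118, 20); None if malformed."""
    m = _VER_RE.match(header_value or "")
    return tuple(int(x) for x in m.groups()) if m else None


def classify_version(header_value):
    """Return 'patched', 'vulnerable', 'out_of_scope' (a branch ProxyNotShell
    does not affect, e.g. Exchange 2010) or 'unparseable'."""
    v = parse_version(header_value)
    if v is None:
        return "unparseable"
    floor = MIN_PATCHED_BUILD.get(v[:2])
    if floor is None:
        return "out_of_scope"
    return "patched" if v >= floor else "vulnerable"


def summarize(scan_results):
    """scan_results: iterable of (host, x_owa_version) pairs -> Counter."""
    return Counter(classify_version(ver) for _, ver in scan_results)


# Constructed sample scan output: (host, header value)
SAMPLE_SCAN = [
    ("mail1.example.test", "15.2.9999.5"),
    ("mail2.example.test", "15.1.100.1"),
    ("mail3.example.test", "15.0.9998.0"),
    ("mail4.example.test", "14.3.123.4"),
    ("mail5.example.test", "unknown"),
]

if __name__ == "__main__":
    for host, ver in SAMPLE_SCAN:
        print(host, ver, classify_version(ver))
    print(dict(summarize(SAMPLE_SCAN)))
```

A version header only reflects the installed update, so this kind of count cannot see whether the URL-rewrite mitigation is in place; given that the article reports the rewrite mitigation being bypassed, the installed build is the figure worth tracking anyway.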
Hackers Using Stolen Bank Information to Trick Victims into Downloading BitRAT Malware
A new malware campaign has been observed using sensitive information stolen from a bank as a lure in phishing emails to drop a remote access trojan called BitRAT.
The unknown adversary is believed to have hijacked the IT infrastructure of a Colombian cooperative bank, using the information to craft convincing decoy messages to lure victims into opening suspicious Excel attachments. Evidence was discovered of a database dump comprising 418,777 records that is said to have been obtained by exploiting SQL injection flaws.
The leaked details include Cédula numbers (a national identity document issued to Colombian citizens), email addresses, phone numbers, customer names, payment records, salary details, and addresses, among others. There are no signs that the information has been previously shared on any forums in the darknet or clear web, suggesting that the threat actors themselves got access to customer data to mount the phishing attacks.
The Excel file, which contains the exfiltrated bank data, also embeds within it a macro that’s used to download a second-stage DLL payload, which is configured to retrieve and execute BitRAT on the compromised host. It uses the WinHTTP library to download BitRAT embedded payloads from GitHub to the %temp% directory. Created in mid-November 2022, the GitHub repository is used to host obfuscated BitRAT loader samples that are ultimately decoded and launched to complete the infection chains.
BitRAT, an off-the-shelf malware available on sale on underground forums for a mere $20, comes with a wide range of functionalities to steal data, harvest credentials, mine cryptocurrency, and download additional binaries.
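The chain described above (Excel macro, second-stage DLL, WinHTTP download from GitHub into %temp%) leaves behaviour that endpoint telemetry can flag without any malware signature. The following is an added example, not code from the article or any vendor, that runs three simple rules over constructed endpoint events: an Office process writing a DLL under a temp directory, an Office process connecting to a code-hosting domain, and an Office process spawning a child whose command line loads a DLL from a temp directory. The event schema, the process names, the use of rundll32 as the loader in the sample and the host list are all assumptions made for the demo.

```python
"""Added example (not from the article or any vendor): a small rule set run
over constructed endpoint events for the Office -> %temp% DLL -> GitHub
download pattern. Event schema, hosts and process names are demo
assumptions."""

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
CODE_HOSTS = {"github.com", "raw.githubusercontent.com",
              "objects.githubusercontent.com"}


def _is_temp_path(path: str) -> bool:
    """True if the path sits under a user or system temp directory."""
    p = path.lower().replace("/", "\\")
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def evaluate(events):
    """Return [(event_id, rule_name), ...] for events that match a rule."""
    findings = []
    for e in events:
        if _basename(e.get("image", "")) not in OFFICE_PROCESSES:
            continue  # all three rules key on an Office parent process
        kind = e["type"]
        if kind == "network" and e.get("dest_host", "").lower() in CODE_HOSTS:
            findings.append((e["id"], "office_process_fetches_from_code_host"))
        elif kind == "file":
            target = e.get("target", "")
            if _is_temp_path(target) and target.lower().endswith(".dll"):
                findings.append((e["id"], "office_process_writes_dll_to_temp"))
        elif kind == "process":
            cmd = e.get("child_cmdline", "")
            if _is_temp_path(cmd) and ".dll" in cmd.lower():
                findings.append((e["id"], "office_spawns_loader_for_temp_dll"))
    return findings


# Constructed sample events (not real telemetry)
_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "image": _EXCEL,
     "target": r"C:\Users\ana\AppData\Local\Temp\stage.dll"},
    {"id": 2, "type": "network", "image": _EXCEL,
     "dest_host": "raw.githubusercontent.com"},
    {"id": 3, "type": "process", "image": _EXCEL,
     "child_cmdline": r"rundll32.exe C:\Users\ana\AppData\Local\Temp\stage.dll,Run"},
    {"id": 4, "type": "network", "image": _EXCEL,
     "dest_host": "files.example-partner.test"},
    {"id": 5, "type": "file", "image": _WORD,
     "target": r"C:\Users\ana\AppData\Local\Temp\~WRD0001.tmp"},
    {"id": 6, "type": "network",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "github.com"},
]
```

Each rule alone is noisy in some environments (developers do fetch from GitHub), so in practice the three are worth correlating per host and time window; the point of the example is that none of them depends on the loader’s obfuscation, which the article notes is what the GitHub-hosted samples rely on.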
WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.
The targeted plugins include the likes of WP Live Chat Support, Yuzo Related Posts, Yellow Pencil Visual CSS Style Editor, Easy WP SMTP, WP GDPR Compliance, Newspaper (CVE-2016-10972) and many more.
Both variants are said to include an unimplemented method for brute-forcing WordPress administrator accounts, although it’s not clear if it’s a remnant from an earlier version or a functionality that’s yet to see the light. If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities.
WordPress users are recommended to keep all the components of the platform up-to-date, including third-party add-ons and themes. It’s also advised to use strong and unique logins and passwords to secure their accounts.
Port of Lisbon targeted by LockBit ransomware hackers, website still down
The website of the Port of Lisbon (Porto de Lisboa) is still down a week after officials confirmed cyber attackers targeted it. Around the same time, the LockBit ransomware group added the organisation to its extortion site, claiming the ransomware attack. The Administration of the Port of Lisbon confirmed that the cyber attack did not compromise operational activity at the critical infrastructure and they have notified the National Cybersecurity Center and the Judiciary Police of the incident.
The LockBit ransomware gang claims to have stolen financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII (personally identifiable information), port documentation, email correspondence, and more. The group has already published samples of the stolen data, though the legitimacy of the data published could not be verified and confirmed.
LockBit has threatened to publish all files stolen from the Port of Lisbon during the intrusion on Jan. 18, 2023, if its payment demands aren’t met. The gang set the ransom at US$1,500,000 and also offers to delay publication of the data by 24 hours for $1,000.
The Port of Lisbon attack is the latest in a series of cyberattacks on ports across Europe that have caused massive issues. Last February, cyberattacks affected oil transport and storage companies across Europe, as authorities confirmed that large-scale cyber attacks also targeted port facilities in Belgium, Germany, and the Netherlands. IT systems were disrupted at SEA-Invest in Belgium and Evos in the Netherlands. At the same time, unconfirmed reports suggest that BlackCat ransomware may have compromised systems at Oiltanking GmbH Group and Mabanaft Group in Germany.