Friday, October 7th, 2022
Cybersecurity Week in Review (7/10/22)
Former Uber security chief found guilty of concealing data breach
Uber’s former chief security officer, Joe Sullivan, has been found guilty of criminal obstruction for failing to report a cybersecurity incident to authorities back in 2016.
Fired from Uber in 2017, Sullivan was found guilty on counts of obstruction of justice and deliberate concealment of a felony by a San Francisco jury.
The case was regarded as highly important as it would set a precedent regarding the culpability of individual security staffers and executives when handling cybersecurity incidents, a concern that has only grown with the surge in ransomware attacks in recent years.
Taking place in 2016, the breach of Uber’s systems affected the data of 57 million passengers and drivers, but Uber only disclosed it publicly a year later. Public disclosures of security breaches are required by law in many US states, with most regulations mandating that the notification be made “in the most expedient time possible and without unreasonable delay”.
This delay led to many federal and state inquiries. In September 2018, Uber paid $148m (£130m) to settle claims by all 50 US states and Washington DC that it was too slow to disclose the hacking.
The justice department filed criminal charges against Sullivan in 2020. At the time, prosecutors alleged he arranged to pay the hackers $100,000 (£87,964) in bitcoin and had them sign nondisclosure agreements that falsely stated they had not stolen data. Sullivan was also accused of withholding information from Uber officials who could have disclosed the breach to the FTC, which had been evaluating the San Francisco-based company’s data security following a 2014 breach.
In July, Uber accepted responsibility for covering up the breach and agreed to cooperate with the prosecution of Sullivan over his alleged role in concealing the hacking, as part of a settlement with US prosecutors to avoid criminal charges.
Hacker steals $566 million worth of crypto from Binance Bridge
2 million Binance Coins (BNB), worth $566 million, have reportedly been stolen from the Binance Bridge.
It appears the attack started at 2:30 PM on October 6th, with the attacker’s wallet receiving two transactions, each consisting of 1,000,000 BNB. The attacker attempted to spread some of the funds across a variety of liquidity pools, in order to transfer the BNB into other assets.
At 7:51 PM, the CEO of Binance, Changpeng Zhao, tweeted that an exploit was used in the BSC Token Hub to transfer the BNB to the attacker and that they had asked all validators to suspend the Binance Smart Chain.
“We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.”
While the majority of the stolen funds remain on the BNB Smart Chain, and are now inaccessible to the hacker, Binance estimates that between $70M – $80M were taken off-chain. Working with partners in the cryptocurrency community, $7 million of those off-chain assets have already been frozen.
Experts Warn of New RatMilad Android Spyware Targeting Enterprise Devices
RatMilad, a novel Android malware, has been observed targeting a Middle Eastern enterprise mobile device by concealing itself as a VPN and phone number spoofing app.
The malware operates as advanced spyware with the capability to receive and execute commands to collect and exfiltrate a wide variety of data from the infected mobile endpoint.
The malicious app is thought to be distributed through links on social media and communication tools like Telegram, tricking users into sideloading the app and granting it extensive permissions. The fake VPN and phone number spoofing service in which the malware is embedded is presented as a way for a user to verify social media accounts via phone, a technique popular in countries where access is restricted.
Other features of RatMilad, which is spread through apps named Text Me and NumRent, make it possible for the malware to amass SIM information, clipboard data, SMS messages, call logs, contact lists, and even perform file read and write operations.
The source code is believed to have been acquired from an Iranian hacker group known as AppMilad and integrated into a fraudulent app for distributing it to unwitting users.
A post shared on a Telegram channel used to propagate the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited scope.
Indian retailer leaks 200k customer data entries
Indian online retailer Highrich has been linked to the exposure of an unprotected 18.2GB database hosted on AWS in the US.
Highrich describes itself as a dynamic e-commerce website providing an array of genuine and quality products, getting 50,000 website visits a month.
The open database contained over 200,000 personal information entries, including emails, phone numbers, and hashed passwords. However, the passwords were hashed with MD5, a very weak algorithm for that purpose. The database also contained 470,000 entries of order information: emails, customer IDs, names, physical addresses, and ordered items.
The complex, distributed IT environments of e-commerce, such as point-of-sale devices, a relatively transient and non-technical workforce, and access to a wide range of personal and financial customer data make the online retail sector a target for data theft.
This is yet another example of the importance of both employee education on security practices and, if that fails, the need for proper encryption protection.
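To show concretely why unsalted MD5 fails when a user table leaks, and what the proper alternative looks like, here is an added example (not code from the original post or from Highrich). The leaked rows and the wordlist are constructed; the hardened form uses a per-user random salt with scrypt from the standard library and a constant-time comparison.

```python
import hashlib
import hmac
import os

# Constructed rows imitating an exposed user table that stores unsalted MD5
# digests (values invented for illustration, not from the Highrich database).
LEAKED_ROWS = [
    ("alice@example.com", hashlib.md5(b"password123").hexdigest()),
    ("bob@example.com", hashlib.md5(b"letmein").hexdigest()),
    ("carol@example.com", hashlib.md5(b"password123").hexdigest()),
]

# Tiny stand-in for the common-password lists that already circulate.
COMMON_PASSWORDS = ["123456", "password123", "letmein", "qwerty"]


def md5_exposure(rows, wordlist):
    """Count accounts whose unsalted MD5 digest is a direct lookup hit.
    One digest per word covers every user at once: no per-user work, which
    is exactly why a fast, unsalted hash gives no protection in a leak."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return sum(1 for _, digest in rows if digest in table)


def duplicate_digests(rows):
    """Unsalted hashing also reveals which users share the same password."""
    seen = {}
    for email, digest in rows:
        seen.setdefault(digest, []).append(email)
    return [emails for emails in seen.values() if len(emails) > 1]


def hash_password(password, salt=b""):
    """Hardened form: 16-byte random salt per user plus scrypt, which is
    memory-hard and deliberately slow (n=2**14 needs about 16 MiB)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute with the stored salt; compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)
```

With the salted form, two users choosing the same password get different digests, and each guess must be recomputed per user.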
Researchers Link Cheerscrypt Linux-Based Ransomware to Chinese Hackers
The Linux-based ransomware strain known as Cheerscrypt has been attributed to a Chinese cyber espionage group known for operating short-lived ransomware schemes.
The threat actor thought to be responsible tracks under the name Emperor Dragonfly but is also known as Bronze Starlight and DEV-0401. Cheerscrypt is the latest addition to a long list of ransomware families previously deployed by the group in little over a year, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.
First documented in May 2022, the ransomware targeted VMware ESXi servers as part of a tried-and-tested tactic called double extortion to coerce its victims into paying the ransom or risk facing data exposure. However, it is thought that the group deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of intellectual property theft or espionage. It has also claimed to be pro-Ukrainian, displaying a “Glory to Ukraine!” message on its dark web data leak site.
The operation further stands out in its handling of all stages of the ransomware attack lifecycle, right from initial access to ransomware deployment, without relying on affiliates and access brokers, leading to it being described as a lone wolf actor.
Infection chains observed to date have made use of the critical Log4Shell vulnerability in the Apache Log4j library to compromise VMware Horizon servers and drop a PowerShell payload capable of delivering an encrypted Cobalt Strike beacon. Cheerscrypt’s links to Emperor Dragonfly stem from similarities in initial access vectors, lateral movement techniques, and the deployment of the encrypted Cobalt Strike beacon via DLL side-loading.
Impacket and exfiltration tools used to steal sensitive information from Defense Industrial Base organization
CISA has discovered that multiple APT groups compromised the network of a Defense Industrial Base organization’s enterprise.
The compromises were discovered while responding to APT activity from November 2021 through January 2022, with some actors having gained long-term access to the environment.
The actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.
Impacket uses Windows Management Instrumentation and Server Message Block protocol to create a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.
CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that target the victim’s documents using predetermined file paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder.
The associated tactics, techniques, and procedures (TTPs) used by the actors are available in the US-CERT Alert (AA22-277A).
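The semi-interactive shell described above leaves a recognisable trace in process-creation telemetry: command output redirected into an administrative share on the loopback address, spawned under WMI or the service control manager. The following detection logic is an added example, not code from the alert or from Impacket; the events are constructed (Windows 4688 / Sysmon 1 style), and the parent-process and `\\127.0.0.1\ADMIN$\__` patterns are assumptions drawn from public reporting on Impacket's wmiexec and smbexec rather than from this page.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events; not telemetry from the CISA case.
SAMPLE_EVENTS = [
    {"host": "srv01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1664913600.12 2>&1"},
    {"host": "srv01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c dir C:\Users 1> \\127.0.0.1\C$\__output 2>&1"},
    {"host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 10.0.0.5"},
]

# Assumed indicator: stdout/stderr of cmd.exe redirected to ADMIN$ or C$ on
# 127.0.0.1 with a "__" prefixed filename. Normal administration has little
# reason to write command output into a loopback admin share this way.
ADMIN_SHARE_REDIRECT = re.compile(
    r"[12]>\s*\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    technique: str
    cmdline: str


def detect_impacket_shell(events):
    """Flag events matching the share-redirect pattern and label them by
    the parent process that launched cmd.exe (assumed mapping: WmiPrvSE.exe
    for wmiexec-style, services.exe for smbexec-style)."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        if not ADMIN_SHARE_REDIRECT.search(cmd):
            continue
        parent = ev["parent"].lower()
        if parent.endswith("wmiprvse.exe"):
            technique = "wmiexec-style: WMI-spawned cmd.exe with admin-share output redirect"
        elif parent.endswith("services.exe"):
            technique = "smbexec-style: service-spawned cmd.exe with admin-share output redirect"
        else:
            technique = "loopback admin-share output redirect; review parent process"
        alerts.append(Alert(ev["host"], technique, cmd))
    return alerts
```

Pair a hit with the preceding network logon (event 4624, logon type 3) from the same source to recover the account and origin host used for the lateral movement.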
Researchers Report Supply Chain Vulnerability in Packagist PHP Repository
A high-severity security flaw was discovered in Packagist, a PHP software package repository. Although now patched, the flaw could have been exploited to mount software supply chain attacks.
Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.
Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.
A successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.
That said, there is no evidence the vulnerability has been exploited to date. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7, 2022.
Open source code has increasingly become a lucrative target of choice for threat actors owing to the ease with which it can be weaponized against the software supply chain.
Microsoft warns of two Exchange zero-day bugs exploited by attackers
Microsoft has confirmed two zero-day vulnerabilities affecting its Exchange servers are being exploited in targeted attacks.
The bugs are said to affect Exchange Server 2013, 2016 and 2019. The first flaw is a “server-side request forgery” vulnerability, while the second one allows remote code execution on a server when PowerShell is accessible to an attacker.
If successful, the exploits could be used to create backdoors in affected systems and perform lateral movement to other servers in the environment.
Microsoft acknowledged the issue and said it is working on an accelerated timeline to release a fix for these bugs. Until then, the company has shared mitigation and detection guidance to help customers protect themselves such as disabling remote PowerShell access for non-admin users.
This is yet another example of how prevalent cyber threats are. Earlier this year, a hard-to-detect malware was being used to backdoor Microsoft Exchange servers belonging to governments and other organizations around the world. 24 organisations from Europe, the Middle East, South Asia and Africa had been compromised by this malware.