Friday, December 9th, 2022

Cybersecurity Week in Review (9/12/22)

Popular HR and Payroll Company Sequoia Discloses a Data Breach

Human Resources, payroll, and benefits management company Sequoia disclosed at the beginning of the month that it detected unauthorised access to a cloud storage repository. The repository contained an array of sensitive and personal data related to the company’s Sequoia One customers.

The breach is thought to have occurred between September 22nd and October 6th with the data affected including names, addresses, dates of birth, gender, marital status, employment status, Social Security numbers, work email addresses, wage data related to benefits, and member IDs as well as any other ID cards, Covid-19 test results, and vaccine cards that individuals uploaded to the employment system.

When the breach was discovered, an incident response plan was put in place, including an outside forensic review. The review found no evidence that the unauthorised party misused or distributed data. According to the disclosures, the review found no malware on Sequoia’s systems, saw no evidence of a data extortion attempt, found no compromised computers or servers in Sequoia’s infrastructure, and saw no evidence of ongoing unauthorised access to the company’s systems. Sequoia emphasises that it has not detected any use or distribution of the data so far.

Still, it is common for hackers or even their automated systems to find and scrape unsecured cloud storage systems, and stolen data can take time to surface.

Source – https://www.wired.com/story/sequoia-hr-data-breach/

Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack

Agrius, an Iranian advanced persistent threat (APT) actor, has been identified as the operator behind a set of data-wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper (Fantasy) is believed to have been deployed through a supply-chain attack targeting an Israeli software suite developer. Victims include HR firms, IT consulting companies, and a diamond wholesaler in Israel; a South African entity working in the diamond industry; and a jeweller based in Hong Kong.

The Fantasy wiper is built on the foundations of the previously reported Apostle wiper but does not attempt to masquerade as ransomware. Apostle was first documented in May 2021 as a wiper-turned-ransomware that was deployed in destructive attacks against Israeli targets. Agrius has been active since at least December 2020 and leverages known flaws in internet-facing applications to drop web shells that are used to facilitate reconnaissance, lateral movement, and the delivery of final-stage payloads.

Fantasy is executed by means of another tool called Sandals, a 32-bit Windows executable written in C#/.NET. It is said to be deployed on the compromised host through a supply-chain attack using the Israeli developer’s software update mechanism. The wiper works by recursively retrieving the directory listing for each drive, overwriting every file in those directories with garbage data, assigning a future timestamp to the files, and then deleting them. In a further attempt to erase all traces of the activity, Fantasy clears all Windows event logs, recursively purges all files on the system drive, overwrites the system’s Master Boot Record, deletes itself, and finally reboots the machine.

The name of the Israeli company that fell victim to the supply-chain attack was not disclosed but evidence points to it being Rubinstein Software, which markets an enterprise resource planning (ERP) solution called Fantasy that’s used for jewelry stock management.

Source – https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html

Russian Hackers Spotted Targeting U.S. Military Weapons and Hardware Supplier

Russian-sponsored threat actors have been linked to attacks that spoof the Microsoft login page of Global Ordnance, a legitimate U.S.-based military weapon and hardware supplier. The threat activity group is tracked under the name TAG-53 and is more broadly known to the cybersecurity community as Blue Callisto, Callisto, COLDRIVER, SEABORGIUM, and TA446. This credential harvesting activity is thought to be enabled in part through phishing.

Thirty-eight domains were discovered, nine of which contained references to companies and organisations such as UMO Poland, Sangrail LTD, DTGruelle, Blue Sky Network, the Commission for International Justice and Accountability (CIJA), and the Russian Ministry of Internal Affairs. The themed domains are suspected to be an attempt to masquerade as authentic parties in social engineering campaigns.

The threat actor has also been attributed to a spear-phishing operation targeting Ukraine’s Ministry of Defence, coinciding with the onset of Russia’s military invasion of the country earlier this March. In these findings a total of 87 domains were uncovered, two of them alluding to the private sector companies Emcompass and BotGuard. Also targeted were four NGOs involved in Ukraine crisis relief. One of those attacks involved email communications between the NGO and the attacker using a spoofed email address mimicking a trusted source, followed by a malicious PDF containing a phishing link, an approach intended to evade detection by email gateways.

The disclosures arrive as threat intelligence revealed that Russian threat actors compromised the IT environments of several companies in the U.K., the U.S., France, Brazil, and South Africa, and are routing traffic through those networks to launch attacks against Ukraine.

Source – https://thehackernews.com/2022/12/russian-hackers-spotted-targeting-us.html

CryWiper Malware Masquerades as Ransomware & Purposely Destroys Data

CryWiper is a recently discovered piece of malware that is spreading across the internet. The previously unknown data wiper masquerades as ransomware but completely destroys the data it touches instead of encrypting it. The operation was identified during an attack against mayors’ offices and courts in Russia.

CryWiper is written primarily in C++ and is a 64-bit Windows executable. It abuses numerous WinAPI functions and runs under the innocuous-looking name browserupdate.exe. As soon as the malware is executed on the system, it creates scheduled tasks that run every five minutes. The Trojan then contacts its command and control (C2) server with an HTTP GET request, passing the name of the infected system as a parameter; if the server returns the run option, CryWiper immediately begins its destructive activity. In an effort to mislead victims, execution is in some cases delayed by up to 4 days (345,600 seconds). To destroy the data, CryWiper first has to release locked files, and to do so it stops all processes marked as critical.

The files are corrupted using the ‘Mersenne Twister’ pseudorandom number generator as the corruption algorithm. Once this is done, CryWiper generates a ransom note titled ‘README.txt’, which demands 0.5 Bitcoin (about $8,000) in exchange for a decrypter.
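The Fantasy and CryWiper write-ups above describe several behaviours that are unusual on a healthy Windows host: a task scheduled to repeat every five minutes, event logs being cleared, files left with timestamps in the future, and a ransom note named README.txt. The Python routine below is an added defender-side example, not code from any of the cited articles or vendors. It runs over a constructed list of telemetry records loosely modelled on Windows Security events 4698 (scheduled task created) and 1102 (audit log cleared) and Sysmon event 11 (file created); the record field names (`event_id`, `host`, `task_interval_s`, `mtime`, ...) are this example's own simplification, not a real log schema, and the host names and paths are made up.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2022, 12, 9, 12, 0, tzinfo=timezone.utc)

# Constructed telemetry records. Field names are this example's own
# simplification of Windows Security / Sysmon events, not a real schema.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "ws01", "task_name": "\\BrowserUpdate",
     "image": "C:\\Users\\Public\\browserupdate.exe", "task_interval_s": 300},
    {"event_id": 4698, "host": "ws01", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "image": "C:\\Windows\\System32\\defrag.exe", "task_interval_s": 604800},
    {"event_id": 1102, "host": "ws02", "log": "Security"},
    {"event_id": 11, "host": "ws02", "path": "D:\\data\\q3-report.xlsx",
     "mtime": "2031-01-01T00:00:00+00:00"},
    {"event_id": 11, "host": "ws02", "path": "D:\\data\\README.txt",
     "mtime": "2022-12-09T11:59:30+00:00"},
    {"event_id": 11, "host": "ws03", "path": "C:\\logs\\app.log",
     "mtime": "2022-12-09T11:00:00+00:00"},
]


def short_interval_tasks(events, max_interval_s=300):
    """Scheduled tasks registered to repeat at or below max_interval_s.

    CryWiper is reported to schedule itself every five minutes; legitimate
    tasks rarely repeat that often, so this is a cheap first filter."""
    return [e for e in events
            if e["event_id"] == 4698
            and e.get("task_interval_s", float("inf")) <= max_interval_s]


def log_clears(events):
    """Audit-log clearing (event 1102) is the anti-forensics step Fantasy performs."""
    return [e for e in events if e["event_id"] == 1102]


def future_timestamps(events, now=NOW, slack=timedelta(minutes=5)):
    """Files whose recorded modification time lies ahead of the clock.

    Fantasy stamps overwritten files with a future date before deleting them;
    `slack` absorbs ordinary clock skew between hosts."""
    hits = []
    for e in events:
        if e["event_id"] == 11 and "mtime" in e:
            if datetime.fromisoformat(e["mtime"]) > now + slack:
                hits.append(e)
    return hits


def ransom_notes(events, names=("README.txt",)):
    """File creations matching the CryWiper ransom-note name."""
    return [e for e in events
            if e["event_id"] == 11
            and e.get("path", "").rsplit("\\", 1)[-1] in names]


def triage(events, now=NOW):
    """Collect indicator labels per host so an analyst sees where they stack."""
    findings = {}

    def add(host, label):
        findings.setdefault(host, set()).add(label)

    for e in short_interval_tasks(events):
        add(e["host"], "short-interval-task")
    for e in log_clears(events):
        add(e["host"], "event-log-cleared")
    for e in future_timestamps(events, now):
        add(e["host"], "future-mtime")
    for e in ransom_notes(events):
        add(e["host"], "ransom-note")
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(labels)}")
```

On the constructed input, ws01 is flagged only for the five-minute task, while ws02 stacks three indicators (log cleared, a future-dated file, a README.txt), which is the pattern an analyst would escalate first; no single indicator is conclusive on its own, since backup agents also create files quickly and administrators occasionally clear logs.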

Source – https://gbhackers.com/crywiper-malware-masquerades-as-ransomware-destroys-data-purposefully/

Massive DDoS attack takes Russia’s second-largest bank VTB offline

VTB Bank, Russia’s second-largest financial institution, has had its website and mobile apps taken offline by a DDoS (distributed denial of service) attack. VTB is 61% state-owned, with the Ministry of Finance and Ministry of Economic Development holding shares in the group, so the attacks carry a political agenda as an indirect blow to the Russian government.

The bank says its internal analysis indicates the DDoS attack was planned and orchestrated with the specific purpose of inconveniencing its customers by disrupting its banking services. VTB’s online operations are currently down, but the institution says all core banking services are working as normal. Customer data is thought to be protected because it is stored in the internal perimeter of the infrastructure, which the attackers have not breached. The bank says most of the malicious DDoS requests originate from outside the country, although several Russian IP addresses are involved in the attack as well.

The pro-Ukraine hacktivist group, ‘IT Army of Ukraine,’ has claimed responsibility for the DDoS attacks against VTB, announcing the campaign on Telegram at the end of November.

Source – https://www.bleepingcomputer.com/news/security/massive-ddos-attack-takes-russia-s-second-largest-bank-vtb-offline/

French Hospital Halts Operations After Cyber-Attack

The André-Mignot hospital in the Parisian suburb of Versailles suffered a cyber-attack and was forced offline over the weekend, leading to the cancellation of all operations and the transfer of some patients. Six patients have been transferred from the facility’s intensive care and neonatal units to nearby hospitals, as staff struggle to maintain care levels and keep outpatient services running.

Health minister Francois Braun is quoted as saying that the attack has led to a “total reorganisation of the hospital,” with extra staff needed in intensive care because several critical machines must be monitored more closely now that they are no longer networked.

The attack looks to be the work of ransomware operators and follows a similar attack on another facility near Paris in September of this year. The Centre Hospitalier Sud Francilien (CHSF) in Corbeil-Essonnes was forced back to pen and paper after being hit with a $10m ransom demand by the LockBit 3.0 group. A few months earlier, the GHT Cœur Grand Est hospital group said it had been forced to cut internet connectivity to its Vitry-le-François and Saint-Dizier hospitals after receiving a $1.3m ransom demand.

Source – https://www.infosecurity-magazine.com/news/french-hospital-halts-operations/

New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

Three flaws have been identified in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. Malicious actors could use them to take remote control of compromised servers, remotely deploy malware, ransomware and firmware implants, and physically damage (brick) servers.

BMCs are privileged independent systems within servers that are used to control low-level hardware settings and manage the host operating system, even in scenarios when the machine is powered off. This makes them an appealing target for attackers looking to plant persistent malware on devices that can survive operating system reinstalls and hard drive replacements.

Some of the major server manufacturers known to have used MegaRAC BMC include AMD, Ampere Computing, Arm, ASRock, Asus, Dell EMC, GIGABYTE, Hewlett Packard Enterprise, Huawei, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan. Collectively called BMC&C, the newly identified issues can be exploited by attackers with access to remote management interfaces such as IPMI and Redfish, potentially enabling adversaries to gain control of the systems and put cloud infrastructures at risk. The most severe of the issues is CVE-2022-40259 (CVSS score: 9.9), a case of arbitrary code execution via the Redfish API that requires the attacker to already have a minimum level of access on the device (Callback privileges or higher). CVE-2022-40242 (CVSS score: 8.3) relates to a hash for a sysadmin user that can be cracked and abused to gain administrative shell access, while CVE-2022-2827 (CVSS score: 7.5) is a bug in the password reset feature that can be exploited to determine whether an account with a specific username exists.

The findings underscore the importance of securing the firmware supply chain and ensuring that BMC systems are not directly exposed to the internet.

Source – https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html

Google Chrome High-Severity Zero-Day Flaw Exploited in The Wild

In response to active exploitation of a high-severity zero-day vulnerability (CVE-2022-4262) in the Chrome web browser, Google has released an emergency security patch to address the issue. Including this one, Chrome has patched a total of nine zero-day vulnerabilities exploited in the wild since the beginning of the year.

As the security patch, Google released Chrome 108.0.5359.94/.95 for Windows, Mac and Linux. Stable Desktop channel users have started to receive the new version, and the rollout should reach the entire user base within days or weeks.

Zero-Day Flaw Profile

  • CVE ID: CVE-2022-4262
  • Severity: High
  • Description: Type Confusion in V8
  • Reported: 2022-11-29

Successful exploitation of this zero-day lets an attacker read or write memory outside buffer bounds, crashing the browser. V8, the open-source Google JavaScript engine written in C++ that powers Chrome and other Chromium-based browsers, is an especially attractive target for attackers.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” stated Google.

Source – https://gbhackers.com/google-chrome-high-severity-zero-day/amp/

SiriusXM Vulnerability Lets Hackers Remotely Unlock and Start Connected Cars

A security vulnerability affecting vehicles from Honda, Nissan, Infiniti, and Acura has been identified that could be abused to conduct remote attacks through a connected vehicle service provided by SiriusXM. The issue could be exploited to unlock, start, locate, and honk any affected car without authorisation, given only the vehicle’s vehicle identification number (VIN). SiriusXM’s Connected Vehicles (CV) Services are said to be used by more than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.

The system provides a wide range of services such as automatic crash notification, enhanced roadside assistance, remote door unlock and engine start, and stolen vehicle recovery assistance, among others. The vulnerability is an authorisation flaw in a telematics program that made it possible to retrieve a victim’s personal details, and to execute commands on the vehicle, by sending a specially crafted HTTP request containing the VIN to a SiriusXM endpoint (“telematics.net”).

A separate vulnerability was also discovered affecting Hyundai and Genesis cars made after 2012 that could be abused to remotely control the vehicles’ locks, engines, headlights, and trunks using the owner’s registered email address. SiriusXM and Hyundai have since rolled out patches to address the flaws.
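Both flaws above share one root cause: the API trusted a client-supplied object identifier (a VIN, or a registered email address) to select the target vehicle without checking that the authenticated caller is entitled to that vehicle. The Python below is an added illustration of that flaw class and its fix; it is not SiriusXM's or Hyundai's code and is not based on their implementations. The `Request` class, the `VEHICLES` enrolment table, the VINs and the email addresses are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed enrolment table: which account each vehicle is registered to.
# The VINs are made up for this example and do not identify real vehicles.
VEHICLES = {
    "1HGCM82633A000001": {"owner": "alice@example.invalid", "make": "Honda"},
    "JN1AZ4EH0AM000002": {"owner": "bob@example.invalid", "make": "Nissan"},
}

ALLOWED_COMMANDS = {"unlock", "lock", "start", "locate", "honk"}


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request to a telematics API.

    `user` is the identity the session or bearer token established on the
    server side; `vin` and `command` are whatever the client put in the
    request and therefore attacker-controlled."""
    user: str
    vin: str
    command: str


def handle_command_vulnerable(req):
    """The flaw class described above: the VIN alone selects the target.

    The caller's identity never enters the decision. A VIN is not a secret
    (it is printed on the car and on paperwork), so knowing one is enough
    to drive the command through."""
    if req.command not in ALLOWED_COMMANDS:
        return 400, "bad command"
    if req.vin not in VEHICLES:
        return 404, "unknown vehicle"
    return 200, f"{req.command} sent to {req.vin}"


def handle_command_hardened(req):
    """Object-level authorisation: the vehicle must be enrolled to the caller.

    'Does not exist' and 'not enrolled to you' produce the same response, so
    the endpoint cannot be used to confirm which VINs are enrolled."""
    if req.command not in ALLOWED_COMMANDS:
        return 400, "bad command"
    vehicle = VEHICLES.get(req.vin)
    if vehicle is None or vehicle["owner"] != req.user:
        return 404, "unknown vehicle"
    return 200, f"{req.command} sent to {req.vin}"


if __name__ == "__main__":
    # Bob, logged in as himself, asks for Alice's car.
    cross_account = Request("bob@example.invalid", "1HGCM82633A000001", "unlock")
    print("vulnerable:", handle_command_vulnerable(cross_account))
    print("hardened:  ", handle_command_hardened(cross_account))
```

The point of the hardened handler is that the authorisation decision is a join between the authenticated principal and the requested object, made on every command, not a check that the object merely exists. The same shape applies to the Hyundai case if `vin` is replaced by an email address: the lookup key must be bound to the caller's session, not accepted from the request body.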

Source – https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html

Watch out for this triple-pronged PayPal phishing and fraud scam

A writer at ZDNet was targeted by a phishing scam that posed as a notification from their PayPal account. The scam is called a triple threat phish because it offers the scammers three different avenues for stealing from potential victims: if one of the three tactics fails, two more are waiting and ready to strike again.

The scammers use legitimate services for the phish, which makes it look more convincing. The twist is that the money request, weighing in at $699.99, comes with a note attached that is written as though it came from a PayPal employee. The message is not particularly well written, which may alert some potential victims. On the other hand, an urgent request for payment sprinkled with references to fraud will trick others into sending the funds. Here’s the message in question:

“We have detected some fraudulently activities with your PayPal account. If you did not make this transaction, please call us as soon as possible at tool free number [removed] to cancel and claim a refund. If this is not the case, you will be charged $699.99 today. Within the automated deduction of the amount, this transaction will reflect on PayPal activity after 24 hours. Our service hours: (06:00 a.m. to 06.00 p.m. Pacific Time, Monday through Friday)”

This is where stages two and three of the scam come into play. According to the PayPal support rep the ZDNet writer talked to, the phone numbers are there to catch people who don’t initially fall for the “Send money” aspect of the attack. The numbers direct callers to international lines, where complying with the “press X number to continue” instruction bills the caller at expensive premium rates. Further numbers put potential victims through to the scammers directly. From there the threat actors engage in social engineering, attempting to extract personal details under the guise of a PayPal fraud department. They may try to obtain payment information over the phone, or simply harvest as much personal data as possible for use at a later date.

PayPal offers several forms of security to help keep accounts safe.

  • You can enable two-factor authentication via mobile codes or an authentication app.
  • You can also use a hardware security key, which plugs directly into your device.
  • PayPal monitors for unusual activity and asks the account holder to confirm that they are the one performing an action on the account.
  • If you suspect unauthorised access to your account, you can contact PayPal directly about it.

Source – https://www.zdnet.com/article/watch-out-for-this-triple-pronged-paypal-phishing-and-fraud-scam/

    Copyright Smarttech247 - 2021