Thursday, February 1st, 2024
Cybersecurity Week in Review (02/02/24)
Johnson Controls Ransomware Attack: Data Theft Confirmed, Cost Exceeds $27 Million
Building technology giant Johnson Controls confirmed this week that the September 2023 ransomware attack resulted in the theft of data and the company said expenses associated with the incident exceed $27 million.
In an SEC filing detailing its financial results for the last quarter of 2023, the company said the attack was discovered during the weekend of September 23, 2023. The incident involved unauthorized access to its systems, data exfiltration, and the deployment of file-encrypting malware.
When the company disclosed the incident in late September, it was reported that a hacker group calling itself Dark Angels was behind the attack, with the hackers claiming to have stolen 27 TB of data from Johnson Controls.
The cybercriminals reportedly demanded a $51 million ransom in exchange for a decryption tool and to delete the stolen files, which may have included highly sensitive information.
The theft of data has been confirmed in the latest SEC filing, which reveals that the disruptions and limitations caused by the ransomware attack continued into the first quarter of 2024. Impacted systems and applications have now been restored, the company said.
“The impact on net income for the three months ended December 31, 2023 of lost and deferred revenues, net of revenues deferred at the end of fiscal 2023 and recognized in the first quarter of fiscal 2024, and expenses during the quarter was approximately $27 million,” Johnson Controls said. “These impacts were primarily attributable to expenses associated with the response to, and remediation of, the incident, and are net of insurance recoveries.”
The company expects additional expenses related to the incident throughout 2024, mainly in the first half of the year.
“These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the Company’s business operations. Further, the cybersecurity incident caused disruptions to certain of the Company’s billing systems, which negatively impacted cash provided from operations during the first quarter of fiscal 2024,” the firm added.
Johnson Controls said many of the costs associated with containing, investigating and remediating the cyberattack, along with losses caused by business disruptions, should be covered by insurance.
Federal Contractor Suffers Data Breach
Sirius Federal, a subsidiary of tech services giant CDW-G, has been hacked. The attackers behind the breach accessed thousands of people’s sensitive details, including medical records.
The company provides the US federal government with digital government solutions: the General Services Administration and the Department of Defense’s Enterprise Software Initiative are listed as being among its contracts.
According to a breach notification letter sent by Sirius Federal to victims, attackers breached its “internal environment” on July 31st, 2023, and were detected on August 2nd.
The company told the Maine Attorney General, which imposes strict reporting requirements on organizations suffering data breaches that affect its residents, that 3,266 people were exposed in the attack. Not all of these reside in Maine.
Sirius Federal claims malicious actors accessed data held on its internal servers. In the hands of a malicious actor, the information could provide various attack vectors: for instance, criminals could use the data for identity theft or spear phishing and other types of fraud.
The company says it will provide victims with two years of free credit monitoring and identity protection services.
Sirius Federal became a subsidiary of CDW-G in 2021 after the tech services giant acquired it. CDW-G itself is a subsidiary of CDW, dedicated solely to government contracts.
Meanwhile, CDW provides technology products and services to business, government, and educational institutions. It employs over 15,000 people and reported revenues exceeding $23.7 billion in 2022.
Source – https://cybernews.com/news/sirius-federal-data-breach/
New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
New malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation has been identified targeting Ivanti Connect Secure VPN and Policy Secure devices.
This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE.
CHAINLINE is a Python web shell backdoor that is embedded in an Ivanti Connect Secure Python package and enables arbitrary command execution. It has been attributed to UNC5221; the same researchers also detected multiple new versions of WARPWIRE, a JavaScript-based credential stealer.
The infection chains entail successful exploitation of CVE-2023-46805 and CVE-2024-21887, which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges.
The flaws have been abused as zero-days since early December 2023. Germany’s Federal Office for Information Security (BSI) said it’s aware of “multiple compromised systems” in the country.
BUSHWALK, written in Perl and deployed by circumventing the Ivanti-issued mitigations in highly targeted attacks, is embedded into a legitimate Connect Secure file named “querymanifest.cgi” and gives the operator the ability to read or write files on the appliance.
On the other hand, FRAMESTING is a Python web shell embedded in an Ivanti Connect Secure Python package (located in the following path “/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py”) that enables arbitrary command execution.
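Both BUSHWALK and FRAMESTING are planted inside files that legitimately ship with the appliance, so the practical detection is a baseline hash comparison rather than a signature for any one shell. The script below is an added example of that check, not Ivanti’s Integrity Checker Tool or any code from the malware reports: it hashes watched files, compares them to a recorded baseline, and reports modified, missing and unexpected new files, since attackers both tamper with existing scripts and drop new ones. The directory layout and file contents it creates are constructed for the demonstration.

```python
"""Baseline-hash integrity check for appliance script files.

Added example; not Ivanti's tooling. The directory tree and file contents
below are constructed so the example runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

WATCHED_SUFFIXES: Tuple[str, ...] = (".py", ".cgi", ".pl")


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each watched file (path relative to root, '/'-separated) to its hash."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def check_integrity(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with a baseline manifest.

    'modified'   : a legitimate file whose content changed (shell appended/embedded)
    'missing'    : a baseline file that is gone
    'unexpected' : a watched file that was not in the baseline (newly dropped)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a tiny constructed tree, baseline it, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        api_dir = os.path.join(root, "cav", "api", "resources")
        os.makedirs(api_dir)
        category = os.path.join(api_dir, "category.py")
        with open(category, "w", encoding="utf-8") as fh:
            fh.write("def get_category(name):\n    return lookup(name)\n")
        baseline = build_manifest(root)

        # Simulated tampering: inert text appended to the legitimate module,
        # plus a new file dropped next to it. Neither contains real shell code.
        with open(category, "a", encoding="utf-8") as fh:
            fh.write("\n# simulated injected handler (inert)\n")
        with open(os.path.join(api_dir, "helper.py"), "w", encoding="utf-8") as fh:
            fh.write("# simulated dropped file (inert)\n")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must come from a known-good image or vendor manifest, not from the possibly-compromised device itself, and the comparison should run from outside the appliance so a web shell cannot rewrite the checker.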
Analysis of the ZIPLINE passive backdoor has also uncovered its use of “extensive functionality to ensure the authentication of its custom protocol used to establish command-and-control (C2).”
Furthermore, the attacks are characterized by the use of open-source utilities like Impacket, CrackMapExec, iodine, and Enum4linux to support post-exploitation activity on Ivanti CS appliances, including network reconnaissance, lateral movement, and data exfiltration within victim environments.
Ivanti has since disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which has come under active exploitation targeting a “limited number of customers.” The company has also released the first round of fixes to address the four vulnerabilities.
UNC5221 is said to target a wide range of industries that are of strategic interest to China, with its infrastructure and tooling overlapping with past intrusions linked to China-based espionage actors.
Source – https://thehackernews.com/2024/02/warning-new-malware-emerges-in-attacks.html
Mercedes Source Code Exposed via GitHub Token Leak
A leaked GitHub token gave unrestricted access to the carmaker’s source code, exposing intellectual property, passwords and cloud access keys.
The Mercedes-Benz GitHub token, owned by an employee of the company, was discovered in a public repository on September 29th. According to researchers, the token gave access to the company’s internal GitHub Enterprise Server.
“The incident laid bare sensitive repositories housing a wealth of intellectual property, and the compromised information included Database Connection Strings, Cloud Access Keys, Blueprints, Design Documents, SSO Passwords, API Keys, and other critical internal information,” said the report.
According to the researchers, attackers could have abused the exposed token in various ways. For example, malicious actors could have accessed Mercedes’ source code and extracted intellectual property, reports, files, credentials, and other valuable information.
While the GitHub token was exposed in September, it was only discovered on January 11th, with Mercedes revoking it on the 24th. This means the company’s GitHub Enterprise Server could have been accessed without anyone knowing during a window of several months.
“The leaked GitHub token for Mercedes’s GitHub Enterprise Server opens a gateway for potential adversaries to access and download the entire source code of the organization. Delving into this source code could expose highly sensitive credentials, creating a breeding ground for an extremely serious data breach against Mercedes-Benz,” researchers said.
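The token sat in a public repository for months before anyone noticed, which is the gap a secret scanner over commits and diffs is meant to close. The following is an added example of such a scanner, written for this review and not taken from the researchers’ report, Mercedes-Benz or GitHub: it matches the fixed-prefix GitHub token formats (ghp_, gho_, ghu_, ghs_, ghr_ and github_pat_), drops obvious placeholders by entropy, and reports findings redacted so the scan output does not itself leak the secret. The sample text it scans is constructed and the tokens in it are fake.

```python
"""Redacting scanner for GitHub token formats in text, diffs or `git log -p` output.

Added example, not Mercedes' or GitHub's tooling. SAMPLE_TEXT is constructed;
the tokens in it are not real credentials.
"""
import math
import re
import string
from collections import Counter
from typing import List, NamedTuple

# Fixed-prefix token formats GitHub issues; body is base62 of fixed length.
GITHUB_TOKEN_PATTERNS = {
    "personal_access_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "oauth_access_token": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "user_to_server_token": re.compile(r"\bghu_[A-Za-z0-9]{36}\b"),
    "server_to_server_token": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "refresh_token": re.compile(r"\bghr_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as 'xxxx...' score near zero."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep enough to recognise the token type, never enough to use it."""
    return token[:4] + "..." + token[-4:]


def find_tokens(text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Scan each line for every known format; filter low-entropy placeholders."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                body = token.rsplit("_", 1)[-1]  # random part after the prefix
                entropy = shannon_entropy(body)
                if entropy >= min_entropy:
                    findings.append(Finding(line_no, kind, redact(token), entropy))
    return findings


# Constructed sample: one fake classic PAT, one placeholder, one fake fine-grained PAT.
_FAKE_PAT_BODY = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"            # 36 chars
_FAKE_FG = ("github_pat_" + string.ascii_uppercase[:22] + "_"
            + string.ascii_lowercase + string.digits + string.ascii_uppercase[:23])
SAMPLE_TEXT = "\n".join([
    "# constructed config fragment; the tokens below are fake",
    "GITHUB_TOKEN=ghp_" + _FAKE_PAT_BODY,
    "# placeholder that should be ignored",
    "EXAMPLE=ghp_" + "x" * 36,
    "export GH_PAT=" + _FAKE_FG,
])


if __name__ == "__main__":
    for f in find_tokens(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.kind} {f.redacted} (entropy {f.entropy:.2f})")
```

Run it over `git log -p --all` output to cover history as well as the working tree; a token deleted in a later commit is still recoverable from earlier ones, which is why the response to a leak is revocation, not removal.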
Mercedes-Benz is among the largest brands of premium vehicles, selling millions of passenger cars every year. The Mercedes brand owner, Mercedes-Benz Group AG, reported revenues exceeding €133 billion ($144 billion). The company employs over 170,000 people.
Source – https://cybernews.com/news/mercedes-github-token-data-leak/
Europcar Denies Data Breach of 50 million Users, says Data is Fake
Car rental company Europcar says it has not suffered a data breach and that shared customer data is fake after a threat actor claimed to be selling the personal info of 50 million customers.
On Sunday, a person claimed to be selling the data of 48,606,700 Europcar.com customers on a popular hacking forum. The post included samples of the allegedly stolen data for 31 supposed Europcar customers, including names, addresses, birth dates, driver’s license numbers, and other information.
“After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net and thoroughly checking the data contained in the sample, we are confident that this advertisement is false:
- the number of records is completely wrong & inconsistent with ours,
- the sample data is likely ChatGPT-generated (addresses don’t exist, ZIP codes don’t match, first name and last name don’t match email addresses, email addresses use very unusual TLDs),
- and most importantly: none of these email addresses are present in our database.”
As Have I Been Pwned’s Troy Hunt explains, while much of the data is clearly fake, he does not believe it was created using artificial intelligence. Hunt pointed out that the email addresses do not match the usernames. For example, all usernames contain either a first or last name, but none match the full name listed in the data.
The second indicator that the data is fake is that the addresses simply do not exist. For example, two of the listed customer records use the non-existent towns of “Lake Alyssaberg, DC” and “West Paulburgh, PA.” Another indicator is that the addresses and phone numbers are for regions in the U.S., yet many of the associated emails are for other countries.
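The indicators above (names absent from the e-mail local part, odd TLDs, address and e-mail pointing at different countries, malformed ZIP codes) are easy to turn into a first-pass triage before a claimed breach sample is taken seriously. The script below is an added example of that triage, not Europcar’s or Troy Hunt’s tooling; the records it scores are constructed, not the forum sample, and the country-to-ccTLD table is a deliberately small assumption that would need extending for real use. The definitive check, whether the addresses exist in the organisation’s own database or in earlier breaches, still has to be done against real data.

```python
"""Heuristic triage of a claimed breach sample.

Added example; the records and the small country table are constructed.
"""
import re
from typing import Dict, List

COMMON_TLDS = {"com", "net", "org", "edu", "gov", "co", "io"}
# Assumed mapping of address country to the ccTLD one would expect.
COUNTRY_CCTLD = {"US": "us", "FR": "fr", "DE": "de", "UK": "uk", "IT": "it"}
US_ZIP = re.compile(r"\d{5}(?:-\d{4})?")


def name_in_local_part(first: str, last: str, email: str) -> bool:
    """Real user-chosen addresses usually carry the first or last name."""
    local = email.split("@", 1)[0].lower()
    return first.lower() in local or last.lower() in local


def flags_for(rec: Dict[str, str]) -> List[str]:
    """Return the list of fabrication indicators this record trips."""
    flags: List[str] = []
    email = rec["email"].lower()
    tld = email.rsplit(".", 1)[-1]
    if not name_in_local_part(rec["first"], rec["last"], email):
        flags.append("name_email_mismatch")
    if tld not in COMMON_TLDS and tld not in COUNTRY_CCTLD.values():
        flags.append("unusual_tld")
    expected = COUNTRY_CCTLD.get(rec["country"])
    if tld in COUNTRY_CCTLD.values() and expected and tld != expected:
        flags.append("country_mismatch")
    if rec["country"] == "US" and not US_ZIP.fullmatch(rec["zip"]):
        flags.append("bad_us_zip")
    return flags


def triage(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    return {r["email"]: flags_for(r) for r in records}


def suspicious_fraction(records: List[Dict[str, str]], min_flags: int = 2) -> float:
    """Share of records tripping at least min_flags indicators."""
    hits = sum(1 for r in records if len(flags_for(r)) >= min_flags)
    return hits / len(records)


# Constructed records: one plausible, one clearly generated, one borderline.
SAMPLE_RECORDS = [
    {"first": "Alice", "last": "Moreau", "email": "amoreau@example.com",
     "country": "FR", "zip": "75001"},
    {"first": "Brian", "last": "Ortiz", "email": "kelly.nguyen@example.biz",
     "country": "US", "zip": "ABCDE"},
    {"first": "Chen", "last": "Wei", "email": "wei88@mail.de",
     "country": "US", "zip": "30301"},
]


if __name__ == "__main__":
    for email, flags in triage(SAMPLE_RECORDS).items():
        print(email, flags or "ok")
    print(f"suspicious fraction: {suspicious_fraction(SAMPLE_RECORDS):.2f}")
```

A sample in which most records trip two or more indicators is a strong sign of synthetic data; a handful of odd records proves nothing, since real customer databases contain typos and shared mailboxes too.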
While Europcar said they believe this data was created using AI, Hunt points out that some of the email addresses are real, appearing in previous data breaches monitored by Have I Been Pwned.
Instead, Hunt believes the mention of artificial intelligence is just a hot take riding on the subject’s popularity, and that AI was not involved in creating this data.
“We’ve had fabricated breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck,” explains Hunt.
“Who knows, it doesn’t matter, because none of that makes it “AI” and seeking out headlines or sending spam pitches on that basis is just plain dumb.”
There are existing projects that allow anyone to create data that looks almost exactly like what was shared in the fake data breach samples. While threat actors already use artificial intelligence as part of their scams and attacks, and will likely expand its use in the future, this incident does not appear to be one of them.
Telegram Marketplaces Fuel Phishing Attacks with Easy-to-Use Kits and Malware
Cybersecurity researchers are calling attention to the “democratization” of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230.
The messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights, creating a dark and well-oiled supply chain of tools and victims’ data. Free samples, tutorials, kits, even hackers-for-hire: everything needed to construct a complete end-to-end malicious campaign.
This is not the first time the popular messaging platform has come under the radar for facilitating malicious activities, which are in part driven by its lenient moderation efforts. As a result, what used to be available only on invite-only forums in the dark web is now readily accessible via public channels and groups, thereby opening the doors of cybercrime to aspiring and inexperienced cyber criminals.
In April 2023, it was revealed how phishers create Telegram channels to educate newbies about phishing as well as advertise bots that can automate the process of creating phishing pages for harvesting sensitive information such as login credentials.
One such malicious Telegram bot is Telekopye (aka Classiscam), which can craft fraudulent web pages, emails, SMS messages to help threat actors pull off large-scale phishing scams.
The building blocks to construct a phishing campaign can be readily purchased off Telegram – “some offered at very low prices, and some even for free” – thereby making it possible to set up scam pages via a phishing kit, host the page on a compromised WordPress website via a web shell, and leverage a backdoor mailer to send the email messages.
Backdoor mailers, marketed on various Telegram groups, are PHP scripts injected into already infected-but-legitimate websites to send convincing emails using the legitimate domain of the exploited website to bypass spam filters.
To further increase the likelihood of success of such campaigns, digital marketplaces on Telegram also provide what’s known as “letters,” which are “expertly designed, branded templates” that make the email messages appear as authentic as possible to trick the victims into clicking on the bogus link pointing to the scam page.
Telegram is also host to bulk datasets containing valid and relevant email addresses and phone numbers to target. Referred to as “leads,” they are sometimes “enriched” with personal information such as names and physical addresses to maximize the impact.
The way these lead lists are prepared can vary from seller to seller. They can be procured either from cybercrime forums that sell data stolen from breached companies or through sketchy websites that urge visitors to complete a fake survey in order to win prizes.
Another crucial component of these phishing campaigns is a means to monetize the collected stolen credentials by selling them to other criminal groups in the form of “logs,” netting the threat actors a 10-fold return on their investment based on the number of victims who end up providing valid details on the scam page.
“Social media account credentials are sold for as little as a dollar, while banking accounts and credit cards could be sold for hundreds of dollars — depending on their validity and funds,” the researchers said.
“Unfortunately, with just a small investment, anyone can start a significant phishing operation, regardless of prior knowledge or connections in the criminal underworld.”
Source – https://thehackernews.com/2024/01/telegram-marketplaces-fuel-phishing.html
1.5 Million Affected by Data Breach at Insurance Broker Keenan & Associates
Insurance consulting and brokerage firm Keenan & Associates is informing more than 1.5 million individuals that their personal information was stolen in an August 2023 cyberattack. The incident, the company said in a notification on its website, was discovered on August 27, when disruptions occurred on some of its servers, and was contained within hours.
Keenan’s investigation into the cyberattack revealed that “an unauthorized party gained access to certain Keenan internal systems at various times between approximately August 21, 2023 and August 27, 2023.”
During that time, the attackers exfiltrated some data from the company’s systems, including personal information that Keenan had received and utilized to provide services to its clients.
According to the company, the exposed personal information varies by individual but includes names in combination with dates of birth, Social Security numbers, driver’s license numbers, passport numbers, health insurance information, and general health information.
Keenan says it has notified the impacted clients and has started sending out written notifications to the individuals whose data may have been compromised.
“While we are not aware of any evidence that your personal information has been misused, we wanted to make you aware of the incident and provide you with additional information on steps you may consider taking,” the company said in the notification letter sent to the impacted individuals.
The insurance broker informed the Maine Attorney General’s Office that more than 1.5 million individuals had their personal information compromised in the incident.
Keenan did not say whether ransomware was deployed during the attack, but said it has strengthened the security of its network to prevent similar incidents and that it has observed no other signs of unauthorized activity since the attack.
The impacted individuals are being offered two years of complimentary identity protection services, to detect any potential misuse of the compromised personal information, and are encouraged to remain vigilant against incidents of identity theft and fraud.
Schneider Electric Confirms it was hit by Ransomware Attack
Global energy services company Schneider Electric has suffered a disruption to its systems after being hit by a ransomware attack. The company said the attack was limited to its sustainability business division and that it disrupted the division’s resource advisor service and “other division specific systems”.
Schneider Electric said its incident response team was “immediately mobilised” to contain the incident and to reinforce existing security measures.
The company said the incident had no impact on any other entity of Schneider Electric and that impacted customers have been informed.
“From an impact assessment standpoint, the ongoing investigation shows that data have been accessed,” the company said in a statement. “As more information becomes available, the sustainability business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant.”
The French multinational has offices in Ireland and was worth €34bn in July 2023, according to a Bloomberg report. BleepingComputer reports that the attack occurred on 17 January and that Cactus ransomware is behind the attack.
Cactus is a multipoint extortion group that first appeared in March 2023, but Schneider Electric has not confirmed whether Cactus was responsible for the attack. Energy companies hold huge amounts of personally identifiable data, which has value on the dark web and is excellent leverage for attackers when demanding a ransom.
The energy sector is a popular target for ransomware because it plays a vital role in society’s daily functioning, so disruption can have far-reaching consequences. Schneider Electric was itself a victim of the Clop gang’s MOVEit Transfer mass-exploitation campaign in 2023. In June 2023, it emerged that several US state agencies, banks and universities were also victims of the massive MOVEit hack, which also affected many organisations across Ireland and the UK.
Source – https://www.siliconrepublic.com/enterprise/schneider-electric-sustainability-cactus-ransomware
ChatGPT Violated European Privacy Laws, Italy Tells Chatbot Maker OpenAI
Italian regulators said they told OpenAI that its ChatGPT artificial intelligence chatbot has violated European Union’s stringent data privacy rules.
The country’s data protection authority, known as Garante, said Monday that it notified San Francisco-based OpenAI of breaches of the EU rules, known as General Data Protection Regulation.
The watchdog started investigating ChatGPT last year, when it temporarily banned the chatbot, which can produce text, images and sound in response to users’ questions, within Italy.
Based on the results of its “fact-finding activity,” the watchdog said it “concluded that the available evidence pointed to the existence of breaches of the provisions” in the EU privacy rules.
OpenAI has 30 days to reply to the allegations. It didn’t respond immediately to a request for comment. The company said last year that it fulfilled a raft of conditions that the Garante demanded to get the ChatGPT ban lifted.
The watchdog had imposed the ban after finding that some users’ messages and payment information were exposed and because ChatGPT didn’t have a system to verify users’ ages, allowing children to get answers from the AI tool that were inappropriate for their age.
It also questioned whether there was a legal basis for OpenAI to collect massive amounts of data used to train ChatGPT’s algorithms and raised concerns that the system could sometimes generate false information about individuals.
The growing popularity of generative AI systems like ChatGPT is also drawing increasing scrutiny from regulators on both sides of the Atlantic.
The U.S. Federal Trade Commission opened an inquiry last week into the relationships between AI startups OpenAI and Anthropic and the tech giants that have bankrolled them — Amazon, Google and Microsoft. Competition regulators in the 27-nation EU and Britain, meanwhile, are also examining Microsoft’s OpenAI investments.
AI systems also face broader oversight in the EU, which is finalizing its groundbreaking AI Act, the world’s first comprehensive rulebook for artificial intelligence. The bloc’s 27 member states are expected to give their approval in a key vote Friday.
45k Jenkins Servers Exposed to RCE Attacks Using Public Exploits
Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2024-23897, a critical remote code execution (RCE) flaw for which multiple public proof-of-concept (PoC) exploits are in circulation.
Jenkins is a leading open-source automation server for CI/CD, allowing developers to streamline the building, testing, and deployment processes. It features extensive plugin support and serves organizations of various missions and sizes.
On January 24, 2024, the project released versions 2.442 and LTS 2.426.3 to fix CVE-2024-23897, an arbitrary file read problem that can lead to executing arbitrary command-line interface (CLI) commands.
The issue arises from the CLI’s feature that automatically replaces an @ character followed by a file path with the contents of the file, a functionality intended to facilitate command argument parsing.
However, this feature, enabled by default, allows attackers to read arbitrary files on the Jenkins controller’s file system.
Depending on their level of permissions, attackers can exploit the flaw to access sensitive information, including the first few lines of any file or even entire files.
As the software vendor described in the relevant security bulletin, CVE-2024-23897 exposes unpatched instances to several potential attacks, including RCE, by manipulating Resource Root URLs, “Remember me” cookies, or CSRF protection bypass.
Depending on the instance’s configuration, attackers could decrypt stored secrets, delete items from Jenkins servers, and download Java heap dumps.
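To make the mechanism concrete, the following is an added example written for this review, not Jenkins’ own Java code: a Python model of the argument expansion that turns any attacker-supplied `@<path>` into the contents of that file, the fixed behaviour beside it, and a version check against the fixed releases named above (2.442 for weekly builds, 2.426.3 for LTS). The “secret” file it reads is created by the example itself.

```python
"""Model of the '@file' argument expansion behind CVE-2024-23897, plus a
version check against the fixed Jenkins releases (2.442 and LTS 2.426.3).

Added example in Python, not Jenkins' Java implementation. The secret file is
constructed by demo() in a temporary directory.
"""
import os
import re
import tempfile
from typing import Dict, Iterable, List


def expand_at_file_args(args: Iterable[str]) -> List[str]:
    """Vulnerable (default) behaviour: '@<path>' becomes the lines of <path>.

    When the argument list comes from a CLI caller, this is an arbitrary file
    read on the controller, and the file's lines land in the parsed arguments
    where error messages or command output can echo them back.
    """
    expanded: List[str] = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], "r", encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def expand_args_fixed(args: Iterable[str]) -> List[str]:
    """Fixed behaviour: the expansion feature is disabled, '@' is just a character."""
    return list(args)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def is_vulnerable_jenkins(version: str) -> bool:
    """True if older than the fixed release on its line.

    LTS versions have three components (x.y.z) and are fixed from 2.426.3;
    weekly releases have two (x.y) and are fixed from 2.442.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    major, minor, patch = match.groups()
    if patch is not None:
        return (int(major), int(minor), int(patch)) < (2, 426, 3)
    return (int(major), int(minor)) < (2, 442)


def demo() -> Dict[str, List[str]]:
    """Create a constructed secret file and parse an attacker-style argument list."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.key")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret-line-1\nconstructed-secret-line-2\n")
        caller_args = ["help", "@" + secret]  # the '@' argument is caller-controlled
        return {
            "vulnerable": expand_at_file_args(caller_args),
            "fixed": expand_args_fixed(caller_args),
        }


if __name__ == "__main__":
    print(demo())
    for v in ("2.441", "2.442", "2.426.2", "2.426.3"):
        print(v, "vulnerable" if is_vulnerable_jenkins(v) else "fixed")
```

The version string a live instance reports in its `X-Jenkins` response header can be fed straight into `is_vulnerable_jenkins`; an instance that cannot be patched immediately should at least have the CLI disabled, which is the vendor’s stated workaround.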
Late last week, security researchers warned of multiple working exploits for CVE-2024-23897, which dramatically elevates the risk for unpatched Jenkins servers and increases the likelihood of in-the-wild exploitation.
Researchers monitoring Jenkins honeypots observed activities that resemble genuine attempts at exploitation, although there’s no conclusive evidence yet.
Most of the vulnerable internet-exposed instances are in China (12,000) and the United States (11,830), followed by Germany (3,060), India (2,681), France (1,431), and the UK (1,029).
The stats represent a dire warning to Jenkins administrators, as hackers are very likely already conducting scans to find potential targets, and CVE-2024-23897 can have severe repercussions if successfully exploited.
Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang
Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family, known as Faust. The latest iteration of the ransomware is being propagated via an infection chain that delivers a Microsoft Excel add-in document (.XLAM) containing a VBA script.
“The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary,” security researchers said in a technical report published last week. “When these files are injected into a system’s memory, they initiate a file encryption attack.”
Faust is the latest addition to several ransomware variants from the Phobos family, including Eking, Eight, Elbie, Devos, and 8Base. It’s worth noting that Faust was previously documented in November 2023, with the variant described as active since 2022 and one that “does not target specific industries or regions.”
The attack chain commences with an XLAM document that, when opened, downloads Base64-encoded data from Gitea in order to save a harmless XLSX file, while also stealthily retrieving an executable that masquerades as an updater for the AVG AntiVirus software (“AVG updater.exe”).
The binary, for its part, functions as a downloader to fetch and launch another executable named “SmartScreen Defender Windows.exe” in order to kick-start its encryption process by employing a fileless attack to deploy the malicious shellcode.
The development comes as new ransomware families such as Albabat (aka White Bat), DHC, Frivinho, Kasseika, Kuiper, Mimus, NONAME, and NOOSE have gained traction. Albabat is a Rust-based malware that’s distributed in the form of fraudulent software such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game.
Researchers examined the Windows, Linux, and macOS versions of Kuiper earlier this month and attributed the Golang-based ransomware to a threat actor named RobinHood, who first advertised it on underground forums in September 2023.
Golang’s built-in concurrency model (goroutines and channels) benefits the threat actor: encrypting many files in parallel no longer requires hand-written thread management, which would otherwise be a near-certain source of race conditions and other multi-threading bugs.
Another factor that the Kuiper ransomware leverages, which is also a reason for Golang’s increased popularity, are the language’s cross-platform capabilities to create builds for a variety of platforms. This flexibility allows attackers to adapt their code with little effort, especially since the majority of the code base (i.e., encryption-related activity) is pure Golang and requires no rewriting for a different platform.
NONAME is also noteworthy for the fact that its data leak site imitates that of the LockBit group, raising the possibility that it could either be another LockBit affiliate or that it collects leaked databases shared by LockBit on the official leak portal, researcher Rakesh Krishnan pointed out.
The findings follow a report that connected the nascent 3AM (also spelled ThreeAM) ransomware to the Royal/BlackSuit ransomware, which, in turn, emerged following the shutdown of the Conti cybercrime syndicate in May 2022. The links stem from a “significant overlap” in tactics and communication channels between 3 AM ransomware and the “shared infrastructure of ex-Conti-Ryuk-TrickBot nexus.”
Despite the amorphous and ever-evolving nature of the ransomware ecosystem, there are signs that victims are increasingly refusing to pay up, causing the proportion of ransomware victims that opted to pay to decline to 29% in Q4 2023, down from 41% in Q3 and 34% in Q2. A previous low of 28% was recorded in Q3 2022.
The average ransom payment for the time period dropped 33%, dropping from $850,700 to $568,705, figures shared by ransomware negotiation firm Coveware show. The median ransom payment, on the other hand, remained unchanged at $200,000, up from $190,424 in Q2 2023.
Source – https://thehackernews.com/2024/01/albabat-kasseika-kuiper-new-ransomware.html