Thursday, November 9th, 2023
Cybersecurity Week in Review (10/11/2023)
Allen & Overy Data hit by Hackers in Ransomware Attack
Allen & Overy, the “magic circle” law firm, has suffered a cyber attack on its systems, making it the latest big corporate to fall victim to a ransomware hack.
A&O confirmed it had “experienced a cyber security incident impacting a small number of storage servers”, after posts on social media platform X on Wednesday claimed the hacking group LockBit had attacked the legal giant and threatened to publish data from the firm’s files on November 28.
The firm did not identify which hacking group may be responsible.
“Investigations to date have confirmed that data in our core systems, including our email and document management system, has not been affected,” A&O said on Thursday. “As a matter of priority, we are assessing exactly what data has been impacted, and we are informing affected clients.”
The UK’s National Cyber Security Centre has warned that law firms present an attractive target for hackers due to the wealth of information they hold on companies across most sectors and regions. Hackers such as LockBit target companies and governments with ransomware that disables access to computer systems. Groups then often demand payments or threaten to release private data and communications.
Royal Mail suffered a ransomware attack by LockBit in January, one of the group’s most high-profile targets. The criminal gang threatened to publish or block access to Royal Mail’s data unless it received a payment from the postal service. At the time, LockBit claimed it had hacked 40 organisations in a month, from a private school in Malaysia to a dental group in Sydney.
A number of law firms have been targeted by hackers over the years, including a major attack on DLA Piper in 2017 by Petya ransomware. A group of law firms including Kirkland & Ellis were reportedly hit by a ransomware group earlier this year.
“Our technical response team, working alongside an independent cyber security adviser, took immediate action to isolate and contain the incident,” A&O said. “We appreciate that this is an important matter for our clients, and we take this very seriously. Keeping our clients’ data safe, secure, and confidential is an absolute priority.
“The firm continues to operate normally with some disruption arising from steps taken to contain the incident,” it added.
A&O is one of London’s so-called magic circle elite law firms, along with Clifford Chance, Freshfields Bruckhaus Deringer, Linklaters, and Slaughter and May. A&O’s partners last month voted to merge with US law firm Shearman & Sterling to create a 4,000-lawyer firm by May 2024.
Source – https://www.ft.com/content/b25135cf-d2be-4ab2-a78b-48709de23cd6?
Sumo Logic Discloses Security Breach, Advises API Key Resets
Security and data analytics company Sumo Logic disclosed a security breach after discovering that its AWS (Amazon Web Services) account was compromised last week.
The company detected evidence of the breach on Friday, November 3, after discovering that an attacker used stolen credentials to gain access to a Sumo Logic AWS account. Sumo Logic says its systems and networks weren’t impacted during the breach and that “customer data has been and remains encrypted.”
“Immediately upon detection we locked down the exposed infrastructure and rotated every potentially exposed credential for our infrastructure out of an abundance of caution,” the company said.
“We are continuing to thoroughly investigate the origin and extent of this incident. We have identified the potentially exposed credentials and have added extra security measures to further protect our systems.”
These measures involve enhanced monitoring and addressing potential vulnerabilities to prevent similar incidents in the future. The company also continues to monitor network and system logs to identify any indications of additional malicious activity.
In light of these developments, Sumo Logic advised customers to rotate credentials used to access its services or any credentials shared with Sumo Logic for accessing other systems. Sumo Logic customers should immediately rotate their API access keys and should also reset the following as a precautionary measure:
- Sumo Logic installed collector credentials
- Third-party credentials that have been stored with Sumo for the purpose of data collection by the hosted collector (e.g., credentials for S3 access)
- Third-party credentials that have been stored with Sumo as part of webhook connection configuration
- User passwords to Sumo Logic accounts
“While the investigation into this incident is ongoing, we remain committed to doing everything we can to promote a safe and secure digital experience,” the company said.
“We will directly notify customers if evidence of malicious access to their Sumo Logic accounts is found. Customers may find updates at our Security Response Center.”
Sumo Logic operates a cloud-native SaaS analytics platform providing customers with log analytics, infrastructure monitoring, cloud infrastructure security services, and more.
In May, private equity firm Francisco Partners acquired the company for $1.7 billion. Its customer list includes many tech companies like Samsung, Okta, SAP, F5, Airbnb, SEGA, 23andme, Toyota, and others.
Electric Ireland Admits Data Breach That Could see Customer Financial Data Compromised
Energy supplier Electric Ireland has admitted that thousands of its customer accounts may have been compromised by a serious data breach. The blunder could see customers’ financial information falling into the wrong hands.
It said an employee of a company working on its behalf may have inappropriately accessed 8,000 residential customer accounts. Electric Ireland said this could lead to the potential misuse of personal and financial information.
The ESB-owned company said: “Our investigations have established that approximately 8,000 customer accounts may have been compromised.”
Electric Ireland said it has written to all potentially impacted customers to make them aware of the issue. It has also given the customers impacted instructions on what actions to take to mitigate against the risk of potential financial fraud. Customers who have not received a letter from Electric Ireland do not need to take any action, it said.
“This issue is currently under investigation and Electric Ireland is liaising with An Garda Síochána and the Data Protection Commissioner, and as such the details of this case must remain confidential,” the energy supplier said.
Electric Ireland, which has around 1.1 million customers, said it fully appreciates the gravity of this issue and the concern and inconvenience it will create for those affected customers. Customers affected by this issue, who may have experienced any fraudulent activity on their financial accounts in relation to data they gave to Electric Ireland, have been asked to contact the company directly.
Electric Ireland will inform An Garda Síochána who are managing this investigation, it said. Customers are also advised to contact their bank.
This is just the latest blunder to be made by Electric Ireland. In September it apologised and said it was refunding customers after it miscalculated their electricity bills and overcharged them. It was the second time in the past few months Electric Ireland has been forced to admit to billing errors.
The latest error has prompted the ESB-owned supplier to contact affected customers and issue them with an apology, saying it would issue credit notes to cover the overcharging.
Electric Ireland could not say how many customers were affected by the overcharging, which affects people with smart meters. The issue relates to wrong tariffs being applied for customers on cheaper night rates around the time the clocks were changing ahead of the summer. The regulator said it was probing the issue.
Experts Expose Farnetwork’s Ransomware-as-a-Service Business Model
Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities.
The researchers, who attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, said they underwent a “job interview” process with the threat actor, learning several valuable insights into their background and role within those RaaS programs.
Throughout the threat actor’s cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware.
The latest disclosure comes nearly six months after details of the Qilin RaaS gang were uncovered about the affiliates’ payment structure and the inner workings of the RaaS program.
Farnetwork is known to operate under several aliases such as farnetworkit, farnetworkl, jingo, jsworm, piparkuka, and razvrat on different underground forums like RAMP, initially advertising a remote access trojan referred to as RazvRAT as a vendor.
In 2022, besides shifting focus to Nokoyawa, the Russian-speaking individual is said to have launched their own botnet service to provide affiliates with access to compromised corporate networks.
Since the start of the year, farnetwork has been linked to recruitment efforts for the Nokoyawa RaaS program, asking potential candidates to facilitate privilege escalation using stolen corporate account credentials and deploy the ransomware to encrypt a victim’s files, and then demand payment in return for the decryption key.
The credentials are sourced from information stealer logs sold on underground markets, wherein other threat actors obtain initial access to target endpoints by distributing off-the-shelf stealer malware like RedLine that is, in turn, pushed through phishing and malvertising campaigns.
The RaaS model allows affiliates to receive 65% of the ransom amount and the botnet owner to receive 20%. The ransomware developer, on the other hand, receives 15% of the total share, a number that could drop further down to 10%.
Nokoyawa has since ceased its operations as of October 2023, although there is a high probability that farnetwork would resurface under a different name and with a new RaaS program.
Source – https://thehackernews.com/2023/11/experts-expose-farnetworks-ransomware.html
Marina Bay Sands Singapore Luxury Resort Breached
Singapore’s iconic resort and casino Marina Bay Sands stated that the personal information of its loyalty members was found compromised in a recent data security incident.
Singapore’s largest hotel and casino resort complex posted a statement about the October breach on its website Tuesday.
“Marina Bay Sands became aware of a data security incident on 20th October 2023 involving unauthorized third-party access on 19th and 20th October 2023 to some of our customers’ loyalty program membership data,” the company said.
The customer data of about 665,000 Sands LifeStyle non-casino rewards program members was accessed by an unknown third party. The Sands rewards membership program has four tiers ranging from a free membership to invite-only memberships for big spenders at the complex.
The luxury resort, considered the most expensive in the world, does not believe membership data from its casino rewards program, Sands Rewards Club, was affected.
Compromised personal data is said to include:
- Name
- Email address
- Mobile phone number
- Phone number
- Country of residence
- Membership number and tier
Based on its investigation, Marina Bay Sands states “the unauthorized third party has misused the data to cause harm to customers.”
The hospitality company, which employs more than 10,000 workers on the property, said it reported the incident to the proper authorities in both Singapore and other relevant countries. Marina Bay Sands also said it has called in an outside cybersecurity firm and is taking further steps to “strengthen our systems and protect data.”
The company will be contacting affected loyalty program members and sincerely apologized for the inconvenience.
Considered one of Asia’s leading business, leisure, and entertainment destinations and known for its architecture, the integrated resort was built in 2010, making a huge impact on the Singapore skyline. Besides a more than 2,200 room hotel and casino, the landmark complex houses 170 luxury boutiques, convention and exhibition facilities, and its own Arts and Science museum.
The Marina Bay Sands breach had not been claimed by any specific ransomware group as of yet, unlike the two major cyberattacks from September affecting MGM Resorts and Caesars Entertainment on the Las Vegas strip.
Large volumes of customer data were compromised in those attacks, including a trove of customer loyalty rewards program information. The outage left all twelve MGM hotel and casino resorts on the strip completely analog for about a week, affecting credit card payment systems, room locks, slot machines, and company websites.
Source – https://cybernews.com/security/marina-bay-sands-breach-singapore-luxury-resort-/
BlueNoroff Hackers Backdoor Macs With New ObjCShellz Malware
The North Korean-backed BlueNorOff threat group has been targeting Apple customers with new macOS malware tracked as ObjCShellz that can open remote shells on compromised devices. BlueNorOff is a financially motivated hacking group known for attacking cryptocurrency exchanges and financial organizations such as venture capital firms and banks worldwide.
The malicious payload observed by analysts (labeled ProcessRequest) communicates with the swissborg[.]blog, an attacker-controlled domain registered on May 31 and hosted at 104.168.214[.]151 (an IP address part of BlueNorOff infrastructure).
This command-and-control (C2) domain mimics the websites of a legitimate cryptocurrency exchange available at swissborg.com/blog. All data transferred to the server is split into two strings and stitched together on the other end to evade static-based detection. The usage of this domain greatly aligns with the activity seen from BlueNorOff in what is being tracked as the Rustbucket campaign.
In this campaign, the actor reaches out to a target claiming to be interested in partnering with or offering them something beneficial under the guise of an investor or head hunter. BlueNorOff often creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with network activity.
ObjCShellz is an Objective-C-based malware, quite different from other malicious payloads deployed in previous BlueNorOff attacks. It is also designed to open remote shells on compromised macOS systems after being dropped using an unknown initial access vector.
The attackers used it during the post-exploitation stage to execute commands on infected Intel and Arm Macs. Although fairly simple, this malware is still very functional and will help attackers carry out their objectives. This seems to be a theme with the latest malware seen coming from this APT group.
Based on previous attacks performed by BlueNorOff, it is suspected that this malware was a late stage within a multi-stage malware delivered via social engineering.
Last year, the BlueNorOff hackers were linked to a long string of attacks targeting cryptocurrency startups around the world, including in the U.S., Russia, China, India, the U.K., Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.
In 2019, the U.S. Treasury sanctioned BlueNorOff and two other North Korean hacking groups (Lazarus Group and Andariel) for funneling stolen financial assets to the North Korean government.
The FBI also attributed the largest crypto hack ever, the hack of Axie Infinity’s Ronin network bridge, to Lazarus and BlueNorOff hackers, who stole 173,600 Ethereum and 25.5M USDC tokens worth over $617 million at the time.
Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws
Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ.
Researchers observed the exploitation of CVE-2023-22518 and CVE-2023-22515 in multiple customer environments, some of which have been leveraged for the deployment of Cerber (aka C3RB3R) ransomware.
Both vulnerabilities are critical, allowing threat actors to create unauthorized Confluence administrator accounts and lead to a loss of confidentiality, integrity, and availability.
Atlassian, on November 6, updated its advisory to note that it observed “several active exploits and reports of threat actors using ransomware” and that it is revising the CVSS score of the flaw from 9.1 to 10.0, indicating maximum severity.
The escalation, the Australian company said, is due to the change in the scope of the attack.
Attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers to fetch a malicious payload hosted on a remote server, leading to the execution of the ransomware payload on the compromised server.
Data gathered shows that the exploitation attempts are originating from three different IP addresses located in France, Hong Kong, and Russia.
Meanwhile, it was also disclosed that a severe remote code execution flaw impacting Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) is being weaponized to deliver a Go-based remote access trojan called SparkRAT as well as a ransomware variant that shares similarities with TellYouThePass.
Source – https://thehackernews.com/2023/11/experts-warn-of-ransomware-hackers.html
Ransomware Gang Leaks Data Allegedly Stolen From Canadian Hospitals
Five Canadian hospitals have confirmed that patient and employee data that was stolen in a ransomware attack has been leaked online.
The data breach impacts Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital, along with service provider TransForm Shared Service Organization. A shared drive was compromised as part of the incident.
On Monday, Bluewater Health said that a patient database report that included “approximately 5.6 million patient visits made by approximately 267,000 unique patients” was stolen, along with some employee data, from the shared drive.
The organization is now working on identifying the impacted individuals and is also investigating the type of employee information that was compromised.
The shared drive contained information pertaining to 1,446 individuals employed by Chatham-Kent Health Alliance as of February 2, 2021, including their names, addresses, gender, dates of birth, marital statuses, social insurance numbers, and basic pay rates.
The information of some Erie Shores HealthCare patients was also stolen in the attack, along with “approximately 352 current and past employee social insurance numbers”.
For Windsor Regional Hospital and Hôtel-Dieu Grace Healthcare, limited patient and employee information was accessed, but no medical records or social insurance numbers.
No banking information was stolen in the attack, the hospitals said.
“All hospitals have some degree of patient and employee information affected. All of our hospitals are diligently investigating the stolen data to determine who is impacted. […] The teams continue to work around the clock to restore systems,” Bluewater Health said, noting that the Ontario Information and Privacy Commissioner has been notified of the incident.
While the organization did not name the threat actor behind the attack, the Daixin ransomware gang has claimed responsibility for the incident and has posted online data allegedly stolen from the five hospitals.
The group claims to have exfiltrated more than 160 GB of data, including thousands of personally identifiable information (PII) and protected health information (PHI) records.
In October last year, the US cybersecurity agency CISA and the FBI warned healthcare organizations of the risk associated with the Daixin ransomware.
Source – https://www.securityweek.com/ransomware-gang-leaks-data-allegedly-stolen-from-canadian-hospitals/
American Airlines Pilot Union Recovering After Ransomware Attack
The Allied Pilots Association (APA) says it has made progress in restoring its systems after falling victim to a file-encrypting ransomware attack last week.
The incident, the American Airlines pilot union says, occurred on October 30 and resulted in certain systems being encrypted.
“Our IT team, with the support of outside experts, continues to work nonstop to restore our systems. We are pleased to report that our restoration efforts are progressing, and we will soon be able to begin to bring back some of our online services,” the organization said in a November 2 incident notification.
The restoration efforts, APA said, would focus on pilot-facing products and tools, with full operations expected to be restored later.
Over the weekend, the organization announced that it had restored most functionality, including access to the alliedpilots.org website. However, it also reset all passwords on the website, informing users that they would need to select new ones when attempting to access the portal.
In a social media post on Saturday, the union said it expects all systems to be restored to full functionality within days.
“Concurrent with our restoration efforts, we launched an investigation, under the guidance of third-party cybersecurity experts, to determine the scope of this incident,” the organization announced.
While it revealed that ransomware was used in the attack, APA has shared no details on the type of ransomware used and whether user data was exfiltrated during the incident, but promised that more details will be shared as its investigation progresses.
Founded in 1963 and headquartered in Fort Worth, Texas, APA is an independent pilots’ union, providing various representation services to the 15,000 professional pilots who fly for American Airlines.
In June, American Airlines announced that the data of more than 5,000 individuals was compromised in a data breach at pilot recruitment application managing portal Pilot Credentials.
Source – https://www.securityweek.com/american-airlines-pilot-union-recovering-after-ransomware-attack/
Iranian Hackers Launch Destructive Cyber Attacks on Israeli Tech and Education Sectors
Israeli higher education and tech sectors have been targeted as part of a series of destructive cyber attacks that commenced in January 2023 with an aim to deploy previously undocumented wiper malware.
The intrusions, which took place as recently as October, have been attributed to an Iranian nation-state hacking crew tracked under the name Agonizing Serpens, which is also known as Agrius, BlackShadow and Pink Sandstorm (previously Americium).
The attacks are characterized by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property. Once the attackers stole the information, they deployed various wipers intended to cover the attackers’ tracks and to render the infected endpoints unusable.
This includes three novel wipers, MultiLayer, PartialWasher, and BFG Agonizer, as well as a bespoke tool to extract information from database servers known as Sqlextractor.
Active since at least December 2020, Agonizing Serpens has been linked to wiper attacks targeting Israeli entities. Earlier this May, details of the threat actor’s use of a ransomware strain called Moneybird in its attacks targeting the country were released.
The latest set of attacks entails weaponizing vulnerable internet-facing web servers as initial access routes to deploy web shells, conduct reconnaissance of the victim networks, and steal credentials of users with administrative privileges.
A lateral movement phase is followed by data exfiltration using a mix of public and custom tools like Sqlextractor, WinSCP, and PuTTY, and finally by delivery of the wiper malware:
- MultiLayer, a .NET malware that enumerates files either for deletion or for corruption with random data to resist recovery efforts, and renders the system unusable by wiping the boot sector.
- PartialWasher, a C++-based malware that scans drives and wipes specified folders and their subfolders.
- BFG Agonizer, a malware that heavily relies on an open-source project called CRYLINE-v5.0.
The links to Agrius stem from multiple code overlaps with other malware families like Apostle, IPsec Helper, and Fantasy, which have been identified as previously used by the group.
Source – https://thehackernews.com/2023/11/iranian-hackers-launches-destructive.html
Socks5Systemz Proxy Service Infects 10,000 Systems Worldwide
A proxy botnet called ‘Socks5Systemz’ has been infecting computers worldwide via the ‘PrivateLoader’ and ‘Amadey’ malware loaders, currently counting 10,000 infected devices.
The malware infects computers and turns them into traffic-forwarding proxies for malicious, illegal, or anonymous traffic. It sells this service to subscribers who pay between $1 and $140 per day in crypto to access it.
Socks5Systemz is detailed in a report that clarifies that the proxy botnet has been around since at least 2016 but has remained relatively under the radar until recently. The Socks5Systemz bot is distributed by the PrivateLoader and Amadey malware, which are often spread via phishing, exploit kits, malvertising, trojanized executables downloaded from P2P networks, etc.
The samples seen by researchers are named ‘previewer.exe,’ and their task is to inject the proxy bot into the host’s memory and establish persistence for it via a Windows service called ‘ContentDWSvc.’
The proxy bot payload is a 300 KB 32-bit DLL. It uses a domain generation algorithm (DGA) system to connect with its command and control (C2) server and send profiling info on the infected machine.
In response, the C2 can send one of the following commands for execution:
- idle: Perform no action.
- connect: Connect to a backconnect server.
- disconnect: Disconnect from the backconnect server.
- updips: Update the list of IP addresses authorized to send traffic.
- upduris: Not implemented yet.
The connect command is crucial, instructing the bot to establish a backconnect server connection over port 1074/TCP. Once connected to the threat actors’ infrastructure, the infected device can now be used as a proxy server and sold to other threat actors.
When connecting to the backconnect server, it uses fields that determine the IP address, proxy password, list of blocked ports, etc. These field parameters ensure that only bots in the allowlist and with the necessary login credentials can interact with the control servers, blocking unauthorized attempts.
Analysts have mapped an extensive control infrastructure of 53 proxy bot, backconnect, DNS, and address acquisition servers located mainly in France and across Europe (Netherlands, Sweden, Bulgaria). Since the start of October, the analysts recorded 10,000 distinct communication attempts over port 1074/TCP with the identified backconnect servers, indicating an equal number of victims.
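As an added example (not code from the report or its authors), a small Python triage script that scans constructed flow records for outbound connections to the 1074/TCP backconnect port described above and counts distinct internal hosts per backconnect server. The server and host addresses are placeholders; a bare port match is only a triage signal, so the function optionally narrows results to a list of known backconnect servers.

```python
"""Triage flow logs for Socks5Systemz-style backconnect connections.

Added example, not part of the report: flags outbound TCP flows to port 1074
(the backconnect port named in the report) and groups distinct internal
hosts by destination server, mirroring how the analysts counted victims.
"""
from collections import defaultdict
from dataclasses import dataclass

BACKCONNECT_PORT = 1074  # 1074/TCP, per the report

# Constructed flow records (not real telemetry), one per line:
# timestamp src_ip src_port dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
2023-10-01T08:00:01Z 10.0.1.15 49812 203.0.113.10 1074 TCP 1840
2023-10-01T08:00:05Z 10.0.1.15 49813 203.0.113.10 443 TCP 5120
2023-10-01T08:01:10Z 10.0.1.22 51002 203.0.113.10 1074 TCP 1790
2023-10-01T08:02:30Z 10.0.2.7 40021 198.51.100.5 1074 TCP 2010
2023-10-01T08:02:31Z 10.0.2.7 40022 198.51.100.5 1074 UDP 300
2023-10-01T08:03:00Z 10.0.1.15 49900 203.0.113.10 1074 TCP 1822
2023-10-01T08:04:00Z 10.0.3.3 55555 192.0.2.9 80 TCP 900
"""

# Placeholder list standing in for the backconnect servers an analyst has
# already confirmed; in practice this would come from threat intelligence.
KNOWN_BACKCONNECT_SERVERS = {"203.0.113.10"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sp, dst, dp, proto, nb = line.split()
        flows.append(Flow(ts, src, int(sp), dst, int(dp), proto.upper(), int(nb)))
    return flows


def is_backconnect_candidate(flow, internal_prefixes=("10.",)):
    """Outbound TCP from an internal host to the backconnect port."""
    return (
        flow.proto == "TCP"
        and flow.dst_port == BACKCONNECT_PORT
        and flow.src_ip.startswith(internal_prefixes)
        and not flow.dst_ip.startswith(internal_prefixes)
    )


def summarize_backconnect(flows, known_servers=None):
    """Map each backconnect server to the sorted distinct internal hosts
    that contacted it. If known_servers is given, only those servers count,
    which cuts the false positives a raw port match would produce."""
    victims = defaultdict(set)
    for f in flows:
        if not is_backconnect_candidate(f):
            continue
        if known_servers is not None and f.dst_ip not in known_servers:
            continue
        victims[f.dst_ip].add(f.src_ip)
    return {srv: sorted(hosts) for srv, hosts in victims.items()}


def distinct_victims(summary):
    """Count distinct internal hosts across all backconnect servers."""
    return len(set().union(*summary.values())) if summary else 0


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    summary = summarize_backconnect(flows)
    for server, hosts in summary.items():
        print(f"{server}: {len(hosts)} host(s) -> {', '.join(hosts)}")
    print("distinct victims:", distinct_victims(summary))
```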
The geographic distribution is sparse and random, covering the entire globe, but India, the United States, Brazil, Colombia, South Africa, Argentina, and Nigeria count the most infections.
Access to Socks5Systemz proxying services is sold in two subscription tiers, namely ‘Standard’ and ‘VIP,’ for which customers pay via the anonymous (no KYC) payment gateway ‘Cryptomus.’
Subscribers must declare the IP address from where the proxied traffic will originate to be added to the bot’s allowlist. Standard subscribers are limited to a single thread and proxy type, while VIP users can use 100-5000 threads and set the proxy type to SOCKS4, SOCKS5, or HTTP.
Residential proxy botnets are a lucrative business, built on unauthorized bandwidth hijacking, with a significant impact on internet security.
These services are commonly used for shopping bots and bypassing geo-restrictions, making them very popular.