Thursday, August 10th, 2023
Cybersecurity Week in Review (11/08/2023)
Cyber-attack on UK’s electoral registers revealed
The UK’s electoral oversight body has disclosed that it fell victim to a “sophisticated cyber incident” that has the potential to impact a significant number of voters. The Electoral Commission has stated that unidentified “hostile entities” managed to breach its systems and gain unauthorized access to duplicates of the electoral rolls dating back to August 2021. In addition to this, the hackers also successfully infiltrated the commission’s email accounts and “command systems,” although the breach wasn’t discovered until October of the preceding year. Through a public announcement, the commission explained that the hackers were able to retrieve copies of the registers, which were retained for research purposes and for verifying contributions from political contributors.
The commission clarified that the information that was compromised during the breach included the names and addresses of individuals in the United Kingdom who registered to vote between the years 2014 and 2022. This encompassed those who opted to withhold their details from the publicly accessible register, which can be obtained by entities like credit reference agencies. The accessed data also contained the names (excluding addresses) of overseas voters, according to the commission. While it’s challenging to precisely quantify the number of people who could potentially be impacted, the commission approximates that each annual register contains information on approximately 40 million individuals.
It has not said when exactly the hackers’ access to its systems was stopped, but said they were secured as soon as possible after the attack was identified in October 2022. Explaining why it had not made the attack public before now, the commission said it first needed to stop the hackers’ access, examine the extent of the incident and put additional security measures in place. Defending the delay, commission chair John Pullinger said – “If you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities.” He said the “very sophisticated” attack involved using “software to try and get in and evade our systems”.
The commission further stated that it had implemented measures to enhance the security of its systems against potential future breaches. These measures encompassed updates to its login protocols, alert mechanisms, and firewall regulations. The Information Commissioner’s Office (ICO), the authority overseeing data protection in the UK, declared that it was promptly commencing an investigation into the matter.
Source – https://www.bbc.com/news/uk-politics-66441010
PSNI data breach: Police and politicians react to ‘appalling’ breach affecting thousands of staff
The Police Service of Northern Ireland (PSNI) has issued an apology to its numerous active officers and civilian personnel whose personal and professional information was compromised in a significant data breach. Chris Heaton-Harris, the Northern Ireland Secretary, expressed his profound concern over the data breach, while the Police Federation for Northern Ireland (PFNI) conveyed its members’ strong disapproval. The incident transpired when the PSNI addressed a Freedom of Information inquiry, which sought information about the count of officers and staff in various ranks and positions throughout the organization. Approximately 10,000 officers and staff members were impacted.
In the released response to this inquiry, a table was embedded that not only contained the data on ranks and positions but also included extensive details linking surnames, initials, locations, and departments for all PSNI employees. The data was potentially viewable by the public for between 2.5 and three hours. A special meeting of the Northern Ireland Policing Board will take place on Thursday to discuss the data breach with the PSNI senior team. The Irish Times understands the PSNI chief constable, Simon Byrne, who is on holiday, is to end his break early and will appear before the Policing Board meeting.
Addressing the media in Belfast on Tuesday evening, Assistant Chief Constable Chris Todd apologised to officers for the “unacceptable” breach. He mentioned that once the PSNI was alerted about it, the content was removed, and pointed to this being a “simple human error”. Mr Todd also said there were no immediate security concerns, but they were monitoring the situation. The incident was first reported by the Belfast Telegraph, which reported that it viewed the uploaded material after it was contacted by a relative of a serving officer. Apart from the person who released the information, the PSNI was unaware the information had been released until they saw it on a website, Mr Todd confirmed.
Liam Kelly, chairman of the Police Federation for Northern Ireland, said he has been “inundated” with messages from officers who are “shocked, dismayed and basically angry” after a data breach in the force. Mr Kelly said PSNI officers operate “under the veil of the highest potential threat”. He added that he hasn’t experienced anything like this in his 29 years of police career. Quite rightly, the PSNI has declared this matter a critical incident and has reported it to the Information Commissioner’s Office. Politicians have also reacted with shock to the incident and have called for action. When the Policing Board meets in emergency session it will have to ask some “fairly probing questions, particularly how a relatively junior member of staff was able to inadvertently publish this background data when they were answering a Freedom of Information request”.
Microsoft Releases Patches for 74 New Vulnerabilities in August Update
In its August 2023 Patch Tuesday updates, Microsoft has resolved a total of 74 software vulnerabilities, marking a reduction from the extensive 132 flaws addressed in the previous month. These include six Critical and 67 Important security vulnerabilities. Alongside these, Microsoft has also issued two defense-in-depth updates: one for Microsoft Office (ADV230003) and another for the Memory Integrity System Readiness Scan Tool (ADV230004). Additionally, Microsoft has tackled 31 issues within its Chromium-based Edge browser since the last Patch Tuesday, and they have also addressed a side-channel vulnerability affecting specific AMD processor models (CVE-2023-20569 or Inception).
Microsoft said that installing the latest update “stops the attack chain” leading to the remote code execution bug. Also patched by the tech giant are numerous remote code execution flaws in Microsoft Message Queuing (MSMQ) and Microsoft Teams as well as a number of spoofing vulnerabilities in Azure Apache Ambari, Azure Apache Hadoop, Azure Apache Hive, Azure Apache Oozie, Azure DevOps Server, Azure HDInsight Jupyter, and .NET Framework. Microsoft further acknowledged the availability of a proof-of-concept (PoC) exploit for a DoS vulnerability in .NET and Visual Studio, noting that the “code or technique is not functional in all situations and may require substantial modification by a skilled attacker.” Lastly, the update also includes patches for five privilege escalation flaws in the Windows Kernel that could be weaponized by a threat actor with local access to the target machine to gain SYSTEM privileges.
Source – https://thehackernews.com/2023/08/microsoft-releases-patches-for-74-new.html
China Hacked Japanese Military Networks, Report Says
Starting in 2020, Chinese military hackers managed to infiltrate classified defense networks in Japan, obtaining data about the military capabilities and strategies of the U.S. ally, as reported by The Washington Post on Monday (7 August). The National Security Agency (NSA) has revealed the discovery of a significant cybersecurity breach within Japan’s defense networks.
The breach was characterized as extensive and persistent, with Chinese military hackers, identified as cyberspies from the People’s Liberation Army, gaining unauthorized access to sensitive defense information. The depth of the intrusion was concerning, as these hackers managed to access crucial plans, military capabilities, and assessments of deficiencies in Japan’s military strategies. Insights from multiple former senior U.S. officials conveyed to The Washington Post underscored the severity of the breach.
In response to this grave breach, the leadership of the NSA took immediate action. Upon learning of the breach, they personally traveled to Tokyo to brief Japan’s defense minister. Subsequently, they were asked by the Japanese defense minister to directly inform the prime minister about the breach, indicating the gravity of the situation. The timeline of these cyber attacks is noteworthy, as they commenced during the Trump administration and persisted into the Biden administration.
Throughout this period, officials uncovered new evidence in 2021 that indicated an ongoing compromise of Japan’s defense systems, raising concerns about the effectiveness of mitigation efforts. Responding decisively, both the United States and Japan joined forces to address this critical issue. Collaboratively, they chose to employ the expertise of a reputable Japanese commercial firm to conduct a comprehensive assessment of vulnerabilities. Working in tandem, the U.S. NSA/Cyber Command team meticulously reviewed the findings from the assessment and provided strategic recommendations to fortify the defense network, ensuring that any gaps were identified and resolved.
The revelation of this breach underscores the evolving landscape of cyber threats and the essential nature of global cooperation in combating these challenges. Both nations remain steadfast in their commitment to safeguarding their respective security interests, as well as the stability of the broader international community.
This is not the first reported case of Chinese state-sponsored hacking which is becoming increasingly common as the country has expanded its cyber capabilities. Last month, China-based hackers gained access to the email accounts of some 25 organizations, including U.S. government agencies. Among those affected were officials at the U.S. State Department and Commerce Department including the email account of Commerce Secretary Gina Raimondo and the U.S. ambassador to China.
China has also targeted transportation, communications and utility systems, according to Microsoft. In May, the company said it uncovered “stealthy and targeted” activity to gain access to critical infrastructure organizations in the U.S. carried out by a state-sponsored actor in China.
Hackers increasingly abuse Cloudflare Tunnels for stealthy connections
Hackers are exploiting Cloudflare Tunnels to establish covert HTTPS connections using compromised devices. This method allows them to evade firewalls, ensuring prolonged access and persistence. This tactic is not novel. As highlighted by Phylum in January 2023, threat actors had previously employed Cloudflare Tunnels to develop malicious PyPI packages. These packages enabled the discreet theft of data and remote device access. However, it appears that more threat actors have started to use this tactic, as GuidePoint’s DFIR and GRIT teams reported last week, seeing an uptick in activity.
Cloudflare Tunnels is a widely used feature offered by Cloudflare that lets individuals establish secure, outbound-only connections from their web servers or applications to the Cloudflare network. Creating a tunnel is a straightforward process, involving the installation of one of the available Cloudflare clients for Linux, Windows, macOS, or Docker. Once established, the service becomes reachable on a user-defined hostname, which serves legitimate use cases such as resource sharing and testing. In GuidePoint’s report, the researchers say that more threat actors abuse Cloudflare Tunnels for nefarious purposes, such as gaining stealthy persistent access to the victim’s network, evading detection, and exfiltrating data from compromised devices. A single command on the victim’s device, which exposes nothing other than the attacker’s unique tunnel token, is enough to set up the discreet communication channel. At the same time, the threat actor can modify a tunnel’s configuration and disable or enable it as needed in real time.
Because the HTTPS connection and data exchange occur over QUIC on port 7844, it is unlikely that firewalls or other network protection solutions will flag this process unless they are specifically configured to do so. Also, if the attacker wants to be even more stealthy, they can abuse Cloudflare’s ‘TryCloudflare’ feature, which lets users create one-time tunnels without creating an account. To make matters worse, it is also possible to abuse Cloudflare’s ‘Private Networks’ feature so that an attacker who has established a tunnel to a single client (victim) device can reach an entire range of internal IP addresses remotely. Therefore, to detect unauthorized use of Cloudflare Tunnels, the report recommends that organizations monitor for the specific DNS queries it lists and for connections on non-standard ports such as 7844.
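The detection advice above (watch for tunnel-related DNS queries and for traffic on port 7844) can be turned into a small log-scanning routine. The following is an added example written for this digest, not code from GuidePoint’s report or from Cloudflare. The log line formats and IP addresses are constructed for the example, and the two domain suffixes it matches (argotunnel.com, used by the tunnel client, and trycloudflare.com, used by the account-less ‘TryCloudflare’ hostnames) are assumptions; the report lists the exact queries to watch for.

```python
import re
from dataclasses import dataclass

# Hostname suffixes associated with tunnel set-up. These are assumptions made for
# the example; GuidePoint's report carries the authoritative list of DNS queries.
TUNNEL_DOMAIN_SUFFIXES = ("argotunnel.com", "trycloudflare.com")
# QUIC/HTTP2 port the tunnel client talks to, as noted in the article.
TUNNEL_PORT = 7844

# Constructed log formats for the example: one DNS query line, one connection line.
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+):(?P<dport>\d+) proto=(?P<proto>\w+)$")


@dataclass
class Alert:
    ts: str
    host: str     # internal host that made the query or connection
    kind: str     # "dns" or "port"
    detail: str


def _is_tunnel_domain(qname: str) -> bool:
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in TUNNEL_DOMAIN_SUFFIXES)


def analyse(lines):
    """Scan log lines and return one Alert per tunnel indicator found."""
    alerts = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            if _is_tunnel_domain(m["qname"]):
                alerts.append(Alert(m["ts"], m["client"], "dns",
                                    f"query for tunnel domain {m['qname']}"))
            continue
        m = CONN_RE.match(line)
        if m and int(m["dport"]) == TUNNEL_PORT:
            alerts.append(Alert(m["ts"], m["src"], "port",
                                f"outbound {m['proto']}/{TUNNEL_PORT} to {m['dst']}"))
    return alerts


def hosts_with_both_indicators(alerts):
    """Hosts that both resolved a tunnel domain and connected on 7844: the strongest signal."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.kind)
    return {h for h, kinds in by_host.items() if {"dns", "port"} <= kinds}


# Constructed sample log lines (TEST-NET addresses, no real hosts).
SAMPLE_LOGS = [
    "2023-08-07T10:00:01Z dns client=10.0.0.5 query=www.example.com.",
    "2023-08-07T10:00:02Z dns client=10.0.0.5 query=region1.v2.argotunnel.com.",
    "2023-08-07T10:00:03Z conn src=10.0.0.5 dst=198.51.100.10:7844 proto=udp",
    "2023-08-07T10:00:04Z conn src=10.0.0.6 dst=198.51.100.20:443 proto=tcp",
    "2023-08-07T10:00:05Z dns client=10.0.0.7 query=abc-def.trycloudflare.com.",
]

if __name__ == "__main__":
    found = analyse(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.host} [{a.kind}] {a.detail}")
    print("hosts with both indicators:", hosts_with_both_indicators(found))
```

On the sample, the scan raises three alerts and singles out 10.0.0.5, the only host that both resolved a tunnel hostname and connected out on 7844; a DNS hit on its own (10.0.0.7) is worth a look but is weaker evidence, since the same name can be resolved by a curious user.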
New Android 14 Security Feature: IT Admins Can Now Disable 2G Networks
Google has implemented a fresh security feature that grants IT administrators the capability to deactivate 2G cellular network support in Android 14. The tech giant has also unveiled an additional user setting, situated at the modem level, which permits the disabling of support for cellular connections that use null-cipher encryption. Experts at Google said that the Android platform doesn’t rely on link-layer encryption to counter this security threat; instead, it enforces end-to-end encryption (E2EE) for all network traffic.
The disclosure comes as Google said that it’s enabling E2EE for RCS conversations in its Messages app for Android by default for new and existing users, although the company notes that some users may be asked to agree to Terms of Service provided by their carrier network.
Vulnerable 2G networks utilize weak encryption and lack mutual authentication, making them prone to interception and decryption attacks. These networks can be exploited by malicious entities for intercepting communication, malware distribution, and launching attacks like DoS and AitM, raising surveillance risks. Google, in an attempt to address some of these concerns, added an option to disable 2G at the modem level with Android 12 in early 2022. As a next logical step, the company is now putting in place a new restriction that prevents a device’s ability to downgrade to 2G connectivity.
Additionally addressed in the forthcoming mobile operating system update is the concern of null ciphers (such as GEA0) in commercial networks. This vulnerability exposes user voice and SMS traffic, along with critical elements like one-time passwords (OTPs), to easily executable interception attacks. It also follows its plans to add support for Message Layer Security (MLS) to the Messages app for interoperability across other messaging services. Despite Google’s efforts to encourage Apple to embrace RCS, Apple seems content with iMessage for encrypted messaging. There are no indications that Apple is considering an Android version of iMessage, leaving users communicating between the two systems to resort to third-party messaging apps.
Source – https://thehackernews.com/2023/08/new-android-14-security-feature-it.html
Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives
The utilization of a phishing-as-a-service (PhaaS) toolkit called EvilProxy is on the rise among threat actors, as they conduct account takeover attacks primarily targeting senior executives within well-known corporations. In a continuous hybrid campaign, as revealed by Proofpoint, this toolkit has been employed to concentrate on thousands of Microsoft 365 user accounts. This initiative has resulted in the distribution of around 120,000 phishing emails to numerous organizations globally, spanning the period from March to June 2023. Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled.
These campaigns are viewed as a countermeasure to the growing implementation of multi-factor authentication (MFA) within enterprises. This has led threat actors to adapt their strategies, incorporating adversary-in-the-middle (AitM) phishing kits. These kits are designed to circumvent emerging security measures by extracting credentials, session cookies, and one-time passwords. EvilProxy was first documented by Resecurity in September 2022, detailing its ability to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others. PhaaS toolkits have lowered the barrier for criminals with lower technical skills to carry out sophisticated phishing attacks at scale in a seamless and cost-effective manner, and they are an evolution of the cybercrime economy.
The new attacks start with fake emails that seem to be from trusted sources like Adobe and DocuSign. These emails try to make people click on bad links that lead to a series of steps, ultimately taking them to a fake Microsoft 365 login page. This fake page secretly records the information entered by users. Interestingly, the attacks deliberately skip user traffic originating from Turkish IP addresses by redirecting them to legitimate websites, indicating that the campaign operators could be based out of the country.
A successful account takeover is followed by the threat actor taking steps to “cement their foothold” in the organization’s cloud environment by adding their own MFA method, such as a two-factor authenticator app, so as to obtain persistent remote access and conduct lateral movement and malware proliferation. The access is further monetized to either conduct financial fraud, exfiltrate confidential data, or sell the compromised user accounts to other attackers.
Source – https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html
New ‘Deep Learning Attack’ Deciphers Laptop Keystrokes with 95% Accuracy
A group of academics has devised a “deep learning-based acoustic side-channel attack” that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. The researchers stated that because keyboard sounds are everywhere and easily accessible, they become an attack method people often overlook. This can lead victims to underestimate the risk and not take steps to hide their typing. For instance, while people may shield their screens while typing passwords, they often don’t try to mask the sound of their keystrokes.
To pull off the attack, the researchers first carried out experiments in which 36 of the Apple MacBook Pro’s keys were used (0-9, a-z), with each key being pressed 25 times in a row, varying in pressure and finger. This information was recorded both via a phone in close physical proximity to the laptop and via Zoom. Next, they isolated each keystroke and converted it into a mel-spectrogram image, then used the CoAtNet deep-learning image classifier to identify which key each spectrogram represented. To protect against this, the researchers suggest changing your typing style, using randomised passwords instead of ones containing real words, and adding fake keystrokes when typing during a voice call.
As per researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad, after being trained with keystrokes captured from Zoom video calls, the accuracy rate reached an impressive 93%, setting a new record for this type of method. They describe side-channel attacks, a class of attack in which an adversary learns secret information by observing how a device behaves while processing sensitive data: its power consumption, the sounds it makes, its timing, its cache behaviour, and even its electromagnetic emissions. Although a completely side-channel-free implementation does not exist, practical attacks of this kind can have damaging consequences for user privacy and security, as they could be weaponized by a malicious actor to obtain passwords and other confidential data.
Source – https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html
New BitForge cryptocurrency wallet flaws let hackers steal crypto
Numerous previously unknown security weaknesses referred to as ‘BitForge’ were discovered in widely adopted cryptographic protocols such as GG-18, GG-20, and Lindell 17. These vulnerabilities affected major cryptocurrency wallet services, including well-known names like Coinbase, ZenGo, and Binance, among others. The flaws allowed attackers to drain cryptocurrency from users’ wallets quickly, without needing to deceive the user or the company. The Fireblocks Cryptography Research Team found these problems in May 2023 and gave them the name ‘BitForge’.
The first flaw (CVE-2023-33241) discovered by Fireblocks impacts the GG18 and GG20 threshold signature schemes (TSS), which are considered pioneering and also foundational for the MPC wallet industry, allowing multiple parties to generate keys and co-sign transactions. Fireblocks’ analysts discovered that, depending on the implementation parameters, it is possible for an attacker to send a specially crafted message and extract key shards in 16-bit chunks, retrieving the entire private key from the wallet in 16 repetitions.
The flaw stems from a lack of validation of the attacker-supplied Paillier modulus (N), such as checking that it has no small factors or that it is a biprime (the product of two primes). The vulnerability discovered in the Lindell17 2PC protocol (CVE-2023-33242) is of a similar nature, allowing an attacker to extract the entire private key after approximately 200 signature attempts. The flaw lies in the implementation of the 2PC protocol rather than the protocol itself and manifests through a mishandling of aborts by wallets, which forces them to continue signing operations that inadvertently expose bits of the private key. The attack that exploits this flaw is “asymmetric,” meaning it can be carried out by corrupting either the client or the server.
Coinbase thanked the Fireblocks team for finding the problems and fixing them. They said that even though no one lost money because of these problems, they’re really important to fix to make sure everyone’s money stays safe.
Source – https://www.bleepingcomputer.com/news/cryptocurrency/new-bitforge-cryptocurrency-wallet-flaws-lets-hackers-steal-crypto/
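The GG18/GG20 issue above comes down to accepting a counterparty’s Paillier modulus N without checking it. The function below is an added example written for this digest, not Fireblocks’ code or any wallet vendor’s patch. It performs the receiver-side sanity checks a verifier can do directly: minimum size, oddness, trial division by every prime below 2^16 (a bound chosen for the example), and a perfect-square test. These checks reject obviously malformed moduli; the full remedy used in threshold-signature protocols is a zero-knowledge proof from the sender that N is a product of two large primes, which this example does not implement. The test moduli are constructed.

```python
import math


def small_primes(bound: int):
    """Primes below `bound`, by a plain sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


# Trial-division bound for the example; a real deployment would pair this with a
# zero-knowledge "no small factors" proof rather than rely on it alone.
SMALL_PRIME_BOUND = 1 << 16
SMALL_PRIMES = small_primes(SMALL_PRIME_BOUND)


def check_paillier_modulus(n: int, min_bits: int = 2048):
    """Return None if the counterparty's modulus passes the local sanity checks,
    otherwise a short string naming the check that failed."""
    if n.bit_length() < min_bits:
        return "modulus too small"
    if n % 2 == 0:
        return "modulus is even"
    for p in SMALL_PRIMES:
        if n % p == 0:
            return f"modulus has small factor {p}"
    r = math.isqrt(n)
    if r * r == n:
        return "modulus is a perfect square"
    return None


if __name__ == "__main__":
    # Constructed examples: a tiny well-formed biprime (checked with a lowered size
    # floor), a square, and a 2048-bit value divisible by 3.
    print(check_paillier_modulus(65537 * 65539, min_bits=32))   # None: passes
    print(check_paillier_modulus(65537 * 65537, min_bits=32))   # perfect square
    print(check_paillier_modulus((1 << 2047) + 1))              # small factor 3
```

The order of the checks matters for cost: bit length and parity are free, trial division costs a few thousand modular reductions on a 2048-bit integer, and the square test is a single integer square root, so the function stays cheap enough to run on every key-generation or signing message that carries a modulus.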
INTERPOL shutters ’16shop’ phishing-as-a-service outfit
INTERPOL has revealed a successful investigation into a phishing-as-a-service operation named “16shop”, with arrests of alleged operators made in Indonesia and Japan and the platform shut down. On Tuesday, the international policing body said that, while studying cyber threats across the ASEAN region of Southeast Asia, its investigators identified 16shop, a platform where criminals could buy ready-made tools for phishing attacks.
The fight against 16Shop involved a group of people and organizations working together to stop it. These people included the INTERPOL General Secretariat’s cyber crime group, along with authorities from Indonesia, Japan, and the United States. There were also private companies that help with internet security, like Japan’s Cyber Defense Institute, Singapore’s Group-IB, Palo Alto Networks Unit 42, and Trend Micro. They got support from a platform called Cybertoolbelt, which helps with investigating cyber crimes.
Japanese authorities arrested another man allegedly connected to 16shop. Singaporean infosec outfit Group-IB’s analysis of 16Shop led it to assert that over 150,000 phishing domains were created using the outfit’s phishing kits. The infosec firm believes the kits in question had been traded on the cyber criminal underground since at least November 2017, at prices ranging from $60 to $150.
The kits used eight languages and geolocation, so that putative victims saw localized content.
International collaboration was required because the phishing-as-a-service vendor hosted some of its operations on servers tended by a US-based company. The FBI therefore helped to secure information shared with Indonesian investigators.
Source – https://www.theregister.com/2023/08/09/interpol_16shop_phishing_shutdown/