Friday, February 16th, 2024
Cybersecurity Week in Review (16/02/24)
Pentagon says 26K People Impacted by Data Breach from Early 2023
The US Department of Defense (DOD) is notifying more than 26,000 current and former employees, job applicants, and partners whose sensitive personally identifiable information was exposed in a “data breach incident” detected in early 2023.
It seems that a certain service provider inadvertently exposed personal email messages. A notice encouraging longtime DOD officials to sign up for government-provided identity theft protection services was issued.
“This letter is to notify you of a data breach incident that may have resulted in a breach of your personally identifiable information (PII). During the period of February 3rd, 2023, through February 20th, 2023, numerous email messages were inadvertently exposed to the internet by a [DOD] service provider. Unfortunately, some of these email messages contained PII associated with individuals employed by or supporting the DOD or individuals seeking employment with the DOD. While there is no evidence to suggest that your PII was misused, the department is notifying those individuals whose PII may have been breached as a result of this unfortunate situation,” states the document by the Defence Intelligence Agency, dated February 1st, 2024.
A Pentagon spokesperson did not comment on the status of networks and systems but clarified that the affected server was removed on February 20th last year and that the incident involved multiple department organizations.
Last year, a US Department of Defense cloud server was found wide open on the internet, leaking vast amounts of sensitive US military emails. Discovered by a white hat hacker, Anurag Sen, the server was left exposed on the internet for at least two weeks before it was taken offline by the government.
Leaked emails dated back years. Some contained sensitive personnel information, completed federal security clearance questionnaires filled with personal health data, or other highly sensitive personal details.
The Pentagon server was hosted on the Microsoft Azure Government cloud and was part of an internal mailbox system containing roughly three terabytes of internal military emails – many connected to the US Special Operations Command (USSOCOM).
Source – https://cybernews.com/security/pentagon-26k-people-impacted-in-data-breach/
Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks
A group known as GoldFactory, operating primarily in the Chinese-speaking cybercrime realm, has been identified as the source of sophisticated banking trojans, including a new iOS malware named GoldPickaxe. This malware is capable of extracting personal data like identity documents and facial recognition data, as well as intercepting SMS messages.
GoldPickaxe targets both iOS and Android devices, alongside other malware variants such as GoldDigger and GoldKefu. Their tactics involve social engineering campaigns, particularly targeting the Asia-Pacific region, using fake URLs and phishing messages to lure victims into downloading malicious apps.
While the Android malware masquerades as various legitimate applications, the iOS variant uses Apple’s TestFlight platform and deceptive URLs to gain control over devices. GoldPickaxe even bypasses security measures like facial recognition used for transaction confirmation in Thailand by creating deepfake videos.
The malware’s capabilities include stealing ID documents, intercepting SMS messages, and proxying traffic through compromised devices. GoldDigger, a related malware, focuses on stealing banking credentials, primarily targeting Vietnamese financial apps.
Despite stricter permissions on iOS, GoldFactory’s operations remain sophisticated and adaptable, leveraging various techniques such as accessibility services abuse and fake alerts to dupe victims. This highlights the ongoing challenge in combating mobile banking malware and underscores the importance of user vigilance in avoiding suspicious links and apps.
Source – https://thehackernews.com/2024/02/chinese-hackers-using-deepfakes-in.html
German Battery Maker Varta Halts Production After Cyberattack
Battery maker VARTA AG announced yesterday that it was targeted by a cyberattack that forced it to shut down IT systems, causing production to stop at its plants.
VARTA is a German manufacturer of batteries for the automotive, consumer, and industrial sectors, partially owned by Energizer Holdings. The brand has an R&D history spanning 136 years, and its products are available worldwide. VARTA’s annual revenue exceeds $875 million.
The company announced that hackers targeted parts of its IT infrastructure on Monday night, causing a severe disruption in five production units.
“Last night, February 12th, 2024, the VARTA Group was the target of a cyber attack on parts of its IT systems,” reads a press announcement shared by VARTA.
“This affects the five production plants and the administration. The IT systems and, thus, production were proactively shut down temporarily for security reasons and disconnected from the internet.”
The scope of the incident’s impact is currently under evaluation, and the damage caused has yet to be determined. VARTA says its current priority is to ensure data integrity, opting for proactive shutdowns that could help contain the IT systems breach.
The company says it implemented the measures in its emergency plan and formed a task force consisting of cybersecurity experts and data forensic specialists, who will aid in system restoration.
Although the incident carries the hallmarks of a ransomware attack, this has not been determined yet, and no major threat groups have assumed responsibility for the attack. Halting production operations in five plants with no clear timeline for restoring normal operations has resulted in VARTA’s share price sliding by 4.75% following the announcement of the cyberattack.
Bumblebee Malware Returns with New Tricks, Targeting U.S. Businesses
Bumblebee, a notorious malware loader and initial access broker, has resurfaced in a new phishing campaign observed in February 2024, targeting U.S. organizations. The campaign uses voicemail-themed lures containing links to OneDrive URLs, which lead to Word files posing as documents from the consumer electronics company Humane. These Word documents employ VBA macros to execute a PowerShell command that downloads and runs another PowerShell script, ultimately deploying the Bumblebee loader.
Initially detected in March 2022, Bumblebee is primarily used to download and execute follow-on payloads like ransomware. It has been associated with various crimeware threat actors, including those behind BazaLoader and IcedID, and is suspected to be linked to the Conti and TrickBot cybercrime syndicate. Previous distribution campaigns of Bumblebee involved different tactics, such as zipped LNK files or HTML attachments exploiting vulnerabilities like CVE-2023-38831.
The resurgence of Bumblebee coincides with the reappearance of new variants of other malware like QakBot, ZLoader, and PikaBot. QakBot, in particular, is distributed through MSI files, employing techniques to evade detection and analysis, including stronger encryption methods and the ability to detect virtual environments.
Despite efforts to dismantle QakBot’s infrastructure in late August 2023, new variants have emerged, indicating ongoing development and experimentation by threat actors. The encryption algorithm used by QakBot has been upgraded, making analysis more challenging. Additionally, QakBot has regained features like virtual machine awareness, enhancing its evasion capabilities.
These developments in malware coincide with new phishing campaigns, such as those mimicking financial institutions to trick users into downloading legitimate remote desktop software, ultimately allowing threat actors to gain control of compromised machines.
Source – https://thehackernews.com/2024/02/bumblebee-malware-returns-with-new.html
Trans-Northern Pipelines Investigating ALPHV Ransomware Attack Claims
Trans-Northern Pipelines (TNPI) has confirmed its internal network was breached in November 2023 and that it’s now investigating claims of data theft made by the ALPHV/BlackCat ransomware gang.
TNPI operates 850 kilometers (528 miles) of pipeline in Ontario-Quebec and 320 kilometers (198 miles) in Alberta, transporting 221,300 barrels (35.200m3) of refined petroleum products daily. Both pipeline systems are underground and transport gasoline, diesel fuel, aviation fuel, and heating fuel from refineries to distribution terminals.
“Trans-Northern Pipelines Inc. experienced a cybersecurity incident in November 2023 impacting a limited number of internal computer systems,” TNPI Communications Team Lead Lisa Dornan said.
“We have worked with third-party, cybersecurity experts and the incident was quickly contained. We continue to safely operate our pipeline systems.
“We are aware of posts on the dark web claiming to contain company information, and we are investigating those claims.”
While ALPHV’s claims were not directly mentioned by Dornan when asked for confirmation, the ransomware gang says its operators stole 183GB of documents from the company’s network.
The allegedly stolen files have now been published on ALPHV’s data leak site, and the ransomware group has also added contact information for several TNPI employees to the same leak page.
ALPHV emerged over two years ago, in November 2021, and is believed to be a rebrand of the DarkSide and BlackMatter ransomware operations. Initially tracked as DarkSide, the operation gained notoriety after their Colonial Pipeline attack, which prompted extensive investigations by law enforcement agencies worldwide and led to the seizure of their infrastructure and the operation’s shutdown.
Months later, the ransomware group returned under the BlackMatter name, which again shut down in November 2021 and resurfaced as ALPHV/BlackCat in February 2022. The FBI linked this ransomware gang to more than 60 breaches against organizations worldwide during its first four months of activity, between November 2021 through March 2022.
ALPHV amassed over $300 million in ransom payments from over 1,000 victims worldwide until September 2023, according to the Federal Bureau of Investigation (FBI).
“ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments,” the FBI said in December.
The FBI disrupted ALPHV’s operation in December after breaching the gangs’ servers and temporarily taking down its Tor negotiation and data leak websites after months of monitoring their activities and creating a decryption tool.
The ransomware gang has since “unseized” their data leak site using the private keys they still owned and launched a new Tor URL the FBI can’t take down.
Microsoft, OpenAI Warn of Nation-State Hackers Weaponizing AI for Cyber Attacks
Nation-state actors associated with Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations.
The findings come from a report published by Microsoft in collaboration with OpenAI, both of which said they disrupted efforts made by five state-affiliated actors that used its AI services to perform malicious cyber activities by terminating their assets and accounts.
“Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships,” Microsoft said in a report.
While no significant or novel attacks employing the LLMs have been detected to date, adversarial exploration of AI technologies has transcended various phases of the attack chain, such as reconnaissance, coding assistance, and malware development.
“These actors generally sought to use OpenAI services for querying open-source information, translating, finding coding errors, and running basic coding tasks,” the AI firm said.
For instance, the Russian nation-state group tracked as Forest Blizzard (aka APT28) is said to have used its offerings to conduct open-source research into satellite communication protocols and radar imaging technology, as well as for support with scripting tasks.
Some of the other notable hacking crews are listed below –
- Emerald Sleet (aka Kimusky), a North Korean threat actor, has used LLMs to identify experts, think tanks, and organizations focused on defense issues in the Asia-Pacific region, understand publicly available flaws, help with basic scripting tasks, and draft content that could be used in phishing campaigns.
- Crimson Sandstorm (aka Imperial Kitten), an Iranian threat actor who has used LLMs to create code snippets related to app and web development, generate phishing emails, and research common ways malware could evade detection
- Charcoal Typhoon (aka Aquatic Panda), a Chinese threat actor which has used LLMs to research various companies and vulnerabilities, generate scripts, create content likely for use in phishing campaigns, and identify techniques for post-compromise behavior
- Salmon Typhoon (aka Maverick Panda), a Chinese threat actor which has used LLMs to translate technical papers, retrieve publicly available information on multiple intelligence agencies and regional threat actors, resolve coding errors, and find concealment tactics to evade detection
Microsoft said it’s also formulating a set of principles to mitigate the risks posed by the malicious use of AI tools and APIs by nation-state advanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates and conceive effective guardrails and safety mechanisms around its models.
Source – https://thehackernews.com/2024/02/microsoft-openai-warn-of-nation-state.html
SAP Patches Critical Vulnerability Exposing User, Business Data
Enterprise software maker SAP announced the release of 13 new and three updated security notes as part of its February 2024 Security Patch Day, including one addressing a critical vulnerability in the SAP ABA cross-application component.
The critical issue, a code injection bug tracked as CVE-2024-22131 (CVSS score of 9.1), could be exploited by an attacker that has remote execution authorization to use a vulnerable interface to invoke an application function and perform actions without permission.
“Depending on the function executed, the attack(er) can read or modify any user/business data and can make the entire system unavailable,” a NIST advisory reads.
According to enterprise application security firm Onapsis, the flaw exists because of a lack of sufficient checks on external calls to a function module.
“The Web Survey feature in SAP provides an RFC-enabled function module that allows dynamically calling any static method of the system without checking any specific authorization. An external call of the function module is only protected by the implicit S_RFC check,” Onapsis says.
SAP has addressed the flaw by adding a configurable check on external calls to the function module. Enabled by default, the check blocks the external calls, but customers can adjust its configuration to be able to use the Web Survey remote capabilities.
The vulnerability impacts SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, and 75I, SAP explains in its advisory.
The software maker also released five new security notes dealing with high-severity bugs, including cross-site scripting (XSS) and XML External Entity (XEE) injection bugs in NetWeaver AS Java, an XSS issues in CRM (WebClient UI), a code injection defect in IDES Systems, and an improper certificate validation in Cloud Connector.
Seven medium-severity flaws impacting Bank Account Management, Companion, NetWeaver Application Server ABAP (SAP Kernel), NetWeaver Business Client for HTML, Fiori, Master Data Governance Material, and CRM (WebClient UI) were also resolved.
On Tuesday, SAP also announced updates for a hot news note delivering patches for 33 vulnerabilities in the Chrome browser for Business Client, a high-priority note addressing an information disclosure bug in NetWeaver Application Server ABAP, and a low-priority note fixing a directory traversal issue in Master Data Governance.
Users are advised to apply the patches as soon as possible. SAP makes no mention of any of these vulnerabilities being exploited in attacks, but threat actors are known to have targeted flaws in SAP products for which fixes have been released.
Source – https://www.securityweek.com/sap-patches-critical-vulnerability-exposing-user-business-data/
Prudential Financial Discloses Data Breach
Insurance giant Prudential Financial this week informed the US Securities and Exchange Commission that it fell victim to a data breach earlier this month. The incident, the company said in a Form 8-K filing, was identified on February 5, one day after a threat actor gained unauthorized access to some of its systems.
“With assistance from external cybersecurity experts, we immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident,” the company said.
Prudential Financial said that the attackers were able to access company administrative and user data stored on the compromised systems, as well as user accounts associated with employees and contractors. What the company did not say was how many of its roughly 40,000 employees worldwide might have been impacted by the incident.
However, the company noted that a cybercrime group was likely responsible for the attack. This could mean a ransomware group is behind the intrusion.
“We continue to investigate the extent of the incident, including whether the threat actor accessed any additional information or systems, to determine the impact of the incident,” the company told SEC.
Prudential Financial also said that it has not found evidence of customer or client data theft, and that the incident was reported to law enforcement and regulatory authorities. The company noted that the incident should not have a material impact on its operations, financial condition, or results of operations.
An American Fortune Global 500 and Fortune 500 company, Prudential Financial provides insurance, investment management, retirement planning, and other products and services to customers in the US, Europe, Asia, and Latin America.
Source – https://www.securityweek.com/prudential-financial-discloses-data-breach/
Integris Health says Data Breach Impacts 2.4 million Patients
Integris Health has reported to U.S. authorities that the data breach it suffered last November exposed personal information belonging to almost 2.4 million people. The organization is Oklahoma’s largest not-for-profit healthcare network, operating hospitals, clinics, and emergency care units across the state.
On December 26, 2023, the organization confirmed it suffered a cyberattack after patients started receiving extortion emails informing that their sensitive personal information. Unless Integris Health met the attacker’s demands, the stolen data would be sold to other cybercriminals on January 5, 2024.
The threat actor stated that their attack did not involve encryption and they only stole the data. This did not cause any network interruption and allowed Integris Health to keep providing its services to patients.
The emails the patients received from the threat actor contained accurate information and linked to a website in the Tor network hosting the stolen details, but access was not free. Visitors could pay $50 and trust the attacker’s word on removing the details, or pay $3 to view information belonging to any other impacted individual.
Integris published last week a notification confirming that the incident impacted patient data, which included the following details:
- Full name
- Date of birth
- Contact information
- Demographic information
- Social Security Number (SSN)
The organization clarified that the leaked data did not involve employment information, driver’s licenses, account credentials (usernames and passwords), or financial information.
The threat actor said that they are selling on a dark web marketplace data for 2.3 million Integris patients (based on the number of social security numbers in the database).
In a new entry today, the U.S. Department of HHS Office for Civil Rights (OCR) portal shows that the number of impacted Integris Health patients is 2,385,646.
Integris Health says all affected patients will receive individual notifications, and recipients should remain vigilant to spot and report identity theft and fraud attempts early. The organization has published a FAQ in the form of a PDF where victims can find some additional information regarding the incident, how it impacts them, and what protective steps they can take.
It is worth noting that the deadline the threat actor set for Integris Health to pay a ransom has long passed and it is very likely that the stolen data has been sold or share with other cybercriminals, who could use it for various scams, phishing, or other types of attacks.
Contact Us
The data you supply here will not be added to any mailing list or given to any third party providers without further consent. View our Privacy Policy for more information.