At a glance.
- Hackers hacked.
- Criminals want privacy too (and it's tough to get).
- App developers leak data from misconfigured cloud storage.
- A ransomware threat from the DPRK's Lazarus Group.
- Compact credential-theft campaign.
- Social Security phone scams.
- SITA sustains PII-threatening cyberattack.
Hackers hack hackers.
Threat intelligence shop Flashpoint has found that an attacker infiltrated and shut down exclusive underground cybercrime forum Mazafaka, the Record reports. In a thirty-five-page PDF document published on the forum’s front page, the threat actor exposed the data of about three thousand members, including usernames, passwords, social media IDs, and a private encryption key used by administrators. The document also included members’ credentials for ICQ, an older instant messaging platform that was highly trusted by early cybercriminals, meaning researchers could use these IDs to connect user activity across multiple forums over time. Computing points out that the publication of such data has the potential to lead authorities to the real-life identities of the cybercriminals involved, and at the very least will sow distrust among members. As KrebsOnSecurity notes, this comes on the heels of the breaches of two other hacker forums, leading Russian-language sites Verified and Exploit, as well as a money scam compromise of popular forum Crdclub. Though speculation abounds, the identity of the attacker is unknown, and as a member of Exploit told Krebs, “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”
Criminals want privacy, too, but their fora preserve their digital spoor.
In a related note, Digital Shadows explores the privacy rights—or lack thereof—of members of cybercriminal forums. Many underground forums have a no-deletion policy for member accounts, making it difficult for users to erase their nefarious histories. While this is bad news for cybercriminals, no-deletion policies make it that much easier for security teams to gather intelligence on a hacker’s activities across the web and potentially tie the account to their real-life identity. In the past, the breadcrumbs on a criminal’s web trail have led to the arrests of high-profile threat actors like the Silk Road creator known as Dread Pirate Roberts. It’s unclear why these forums prohibit account deletion, but perhaps it’s just too time-consuming a task for administrators. There’s also the risk that a deleted but respected username could be acquired by an imposter looking to benefit from the previous owner’s reputation.
App developers leak data in the cloud.
Researchers at mobile security company Zimperium have found that nearly 20,000 mobile apps are storing data in unsecured cloud containers. After analyzing over 1.3 million platforms, they found that around 84,000 Android apps and 47,000 iOS apps were using cloud storage instead of their own servers, and of those, approximately 14% of the storage containers were misconfigured, making them easy targets for bad actors. As Zimperium's CEO Shridhar Mittal told Wired, “A lot of these apps have cloud storage that was not configured properly by the developer or whoever set things up and, because of that, data is visible to just about anyone. And most of us have some of these apps right now.” The names of the apps have not been released, but they cover a range of user totals from thousands to millions, and some expose highly sensitive data like financial information, payment credentials, and medical test results. Not only is this information vulnerable to theft; in some cases a hacker could delete or overwrite the data, paving the way for fraud or disruption of services. Though Zimperium contacted some of the app developers to let them know about the vulnerabilities, many seemed unconcerned, and not all of them have secured the storage containers.
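The misconfiguration Zimperium describes is, in most cases, a storage container whose access policy grants read or write to an anonymous principal. The following is an added example, not code from Zimperium or from any of the apps mentioned, of how a developer or cloud security team can audit an AWS S3 style bucket policy offline before deploying it. It assumes the standard IAM policy document shape (a `Statement` list with `Effect`, `Principal`, `Action`, `Resource`, and an optional `Condition`); the two sample policies are constructed for illustration.

```python
"""Offline audit of a bucket policy for anonymous (public) grants.

Added example. Assumes the AWS IAM/S3 policy document format; the
policies below are constructed samples, not taken from any real app.
"""
import json

# Constructed sample: the "weak" policy lets anyone read and write objects.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadWrite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/*",
        }
    ],
})

# Constructed sample: the hardened policy grants access only to one
# application role (placeholder account id and role name).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/*",
        }
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element: "*" or {"AWS": [...], "Federated": ...}."""
    if principal == "*":
        return ["*"]
    found = []
    if isinstance(principal, dict):
        for value in principal.values():
            found.extend(_as_list(value))
    return found


def find_anonymous_grants(policy_json):
    """Return one finding per Allow statement whose principal is anonymous.

    A finding records the statement id, the actions granted, whether the
    grant is wildcard (s3:* or *), and whether a Condition narrows it.
    A conditioned grant is still reported: it needs human review rather
    than being silently accepted.
    """
    policy = json.loads(policy_json)
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "*" not in _principals(statement.get("Principal")):
            continue
        actions = _as_list(statement.get("Action"))
        findings.append({
            "sid": statement.get("Sid", "<no Sid>"),
            "actions": actions,
            "wildcard_action": any(a in ("*", "s3:*") for a in actions),
            "conditioned": "Condition" in statement,
        })
    return findings


def is_publicly_accessible(policy_json):
    """True if any unconditioned anonymous Allow exists in the policy."""
    return any(not f["conditioned"] for f in find_anonymous_grants(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public:", is_publicly_accessible(doc), find_anonymous_grants(doc))
```

The check is deliberately conservative: a statement with `Principal: "*"` and a `Condition` is reported as needing review rather than accepted, because conditions such as a source VPC endpoint can narrow the grant, but only if they are correct. Running the same check in a deployment pipeline catches the class of mistake described above before the container ever holds user data.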
Ransomware attack links TFlower and Lazarus.
Cybersecurity firm Sygnia examines a double extortion ransomware attack in which the threat actor used a previously undocumented variant of the MATA malware framework to distribute TFlower ransomware. This is particularly noteworthy because the attack suggests there might be a collaboration between TFlower and Lazarus, a threat group affiliated with the North Korean government and known for exploiting the MATA backdoor.
Compact's credential-theft campaign.
WMC Global this week updated its coverage of the Compact campaign, which since December has impersonated Zoom meeting invitations in a credential-stealing effort. WMC Global estimates that the criminals have obtained more than four-hundred-thousand Outlook Web Access and Office 365 credentials. Compromised SendGrid accounts were used in many of the attempts, and WMC Global says it worked closely with SendGrid to mitigate the problem.
Credential theft is a common objective of such fraud campaigns. Andy Oehler, VP of Product Management at Zentry Security, wrote to say that "Phishing credentials remains a prevalent threat. Fortunately, MFA, when applied, can mitigate the risk of compromised credentials. However, it’s not enough. To complement MFA, security professionals should analyze metadata from every login and look for behavior that deviates from typical user behavior – location and time of day can be coupled with typical usage patterns to establish baselines. Aberrant activity can be a sign that credentials have been compromised."
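The baseline approach Oehler describes, learning each user's usual locations and hours from past logins and flagging deviations, is simple enough to show end to end. The following is an added example (not Zentry Security's product or code) that builds per-user baselines from constructed login records and scores new logins against them. Country codes, timestamps and IP addresses are all constructed sample data; the two-hour slack around the observed login window is an assumed tuning parameter.

```python
"""Flag logins that deviate from a per-user baseline of country and hour.

Added example. All login records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, ISO-8601 timestamp, country, source IP)
HISTORY = [
    ("alice", "2021-02-01T09:12:00", "US", "198.51.100.10"),
    ("alice", "2021-02-02T08:55:00", "US", "198.51.100.10"),
    ("alice", "2021-02-03T10:05:00", "US", "198.51.100.11"),
    ("alice", "2021-02-04T09:40:00", "US", "198.51.100.10"),
    ("bob",   "2021-02-01T22:10:00", "DE", "203.0.113.7"),
    ("bob",   "2021-02-02T23:02:00", "DE", "203.0.113.7"),
    ("bob",   "2021-02-03T21:45:00", "DE", "203.0.113.8"),
]

# Constructed new logins to score against the baselines above.
NEW_LOGINS = [
    ("alice", "2021-03-05T09:30:00", "US", "198.51.100.10"),  # within baseline
    ("alice", "2021-03-05T03:14:00", "RU", "192.0.2.44"),     # new country and hour
    ("bob",   "2021-03-05T22:30:00", "DE", "203.0.113.7"),    # within baseline
    ("bob",   "2021-03-05T22:31:00", "BR", "192.0.2.99"),     # new country only
]


def build_baselines(history, slack_hours=2):
    """Per user: the set of countries seen and the set of hours considered normal.

    Hours are expanded by +/- slack_hours on a 24-hour circle, so a user who
    logs in around midnight is not flagged for a login at 00:30.
    """
    by_user = defaultdict(list)
    for user, ts, country, _ip in history:
        by_user[user].append((datetime.fromisoformat(ts), country))

    baselines = {}
    for user, events in by_user.items():
        hours = set()
        for when, _country in events:
            for delta in range(-slack_hours, slack_hours + 1):
                hours.add((when.hour + delta) % 24)
        baselines[user] = {
            "countries": {country for _when, country in events},
            "hours": hours,
        }
    return baselines


def score_login(baseline, ts, country):
    """Return the list of reasons a login deviates from the baseline (empty = normal)."""
    reasons = []
    if country not in baseline["countries"]:
        reasons.append(f"new country {country}")
    hour = datetime.fromisoformat(ts).hour
    if hour not in baseline["hours"]:
        reasons.append(f"unusual hour {hour:02d}")
    return reasons


def flag_logins(history, logins, slack_hours=2):
    """Return (user, timestamp, reasons) for every login that deviates."""
    baselines = build_baselines(history, slack_hours)
    flagged = []
    for user, ts, country, _ip in logins:
        baseline = baselines.get(user)
        if baseline is None:
            # No history at all is itself worth a look (e.g. a newly created account).
            flagged.append((user, ts, ["no baseline for user"]))
            continue
        reasons = score_login(baseline, ts, country)
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_logins(HISTORY, NEW_LOGINS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

A flagged login is a signal to review, not proof of compromise: a user on a business trip will trip the country check. In practice the reasons are fed into a SIEM alert alongside the MFA outcome, so that a successful login from a new country with a freshly enrolled second factor stands out from one where the familiar factor was used.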
James McQuiggan, Security Awareness Advocate at KnowBe4, traced the campaign's origins to this past August:
"Last August, it was discovered that the Sendgrid platform was breached, and thousands of accounts were compromised and stolen. The fallout from that breach now impacts various accounts, as seen with the phishing attacks using Zoom meeting links to steal users' Office 365 credentials.
"If someone is accessing the email on their phone and is not sure about an email's validity, a good rule of thumb is to check on a desktop system. This pause provides the opportunity to not make a quick decision and click on a link. A second rule of thumb is to ask if you're expecting this meeting invite. Do you know the person sending the invite? If not, these are red flags to be aware of when it comes to meeting requests.
"Organizations must implement multi-factor authentication for email accounts, primarily if they utilize a web-based platform. Within the training program, users should be aware of when they would need to re-enter their credentials. The security awareness training program should have frequent updates to keep employees current on the latest attack patterns and phishing emails. Employees can make the proper decisions to identify potential phishing emails and report them. This action makes for a more robust security culture."
How not to fall for a Social Security scam phone call.
The US Social Security Administration notes some ways in which you can recognize an impersonation scam, and avoid having your money or your identity stolen. The Social Security Administration, observing that a lot of the scams people encounter are committed over the phone, says, as a matter of first principle, they “NEVER” (emphasis in the original), do any of these things:
- “text or email images of an employee’s official government identification;
- “suspend your Social Security number;
- “threaten you with arrest or other legal action unless you immediately pay a fine or fee;
- “require payment by retail gift card, wire transfer, internet currency, or mailing cash;
- “promise a benefit increase or other assistance in exchange for payment; or
- “send official letters or reports containing your personal information via email.”
SITA discloses a cyberattack.
SITA, a leading provider of IT services to the airline industry, disclosed yesterday that “it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers.” The company explained that its “Passenger Service System (US) Inc. (‘SITA PSS’) operates passenger processing systems for airlines.”
The disclosure attracted a fair amount of comment from industry. Shlomie Liberow, Solutions Architect at HackerOne, commented specifically on how one of SITA's customers, Singapore Airlines, was affected:
"As Singapore Airlines is currently experiencing, businesses are only as secure as their least secure supplier. As this attack has shown, when one company is compromised it can have a domino effect. Being able to quickly and easily share information gives organizations a competitive edge, but that means it is even more important that we foster a culture of responsibility securing data through the entire supply chain. It’s not clear yet what the attack vector was in the SITA breach, but HackerOne vulnerability data shows that the aviation and aerospace industry sees more privilege escalation and SQL injection vulnerabilities than any other industry, accounting for 57% of the vulnerabilities reported to these companies by ethical hackers. SITA would be an attractive target for criminals due to the sensitive nature of the information they hold - names, addresses, passport data. We’ve seen the aviation industry particularly hard hit over the past year, perhaps because criminals know they will be vulnerable and their focus and priorities on remaining in business; however, traditional enterprises like airlines have always been an attractive target since few are digital-first businesses and therefore have relied on legacy software, which is more likely to be out of date or have existing vulnerabilities that can be exploited."
That such systems, which handle so much PII and other valuable data, should be attractive targets is unsurprising. Mark Bower, senior vice president with data security specialists comforte AG, explained, “Central airline management systems are attractive targets for attackers. Data has to persist for booking management over long periods of time, and the trove of personal data can be extensive spanning financial data, identity, reservations, passports as well as travel history data. Given global travel data’s very nature, it also falls under a myriad of privacy and data security regulations from GDPR to CCPA and beyond. For this reason, it’s precisely the kind of data that should be protected with modern data tokenization technology to reduce its exposure to compromise, and only make it available when absolutely necessary.”
And Demi Ben-Ari, Co-founder and CTO of Panorays, draws lessons about supply chain security and management of nth-party risk:
"Today's data breaches tell us it's no longer enough to secure your perimeter—you also have to secure your third parties, and their third parties.
"You simply cannot know whether your third parties meet your company's security controls and risk appetite until you've completed a full vendor security assessment on them. But through automated questionnaires, external footprint assessments, and taking into consideration the business impact of the relationship, you can get a clear, up-to-date picture of supplier security risk. It's important to note that the best practice is not a 'one-and-done' activity, but through real-time, continuous monitoring."