At a glance.
- Play ransomware makes Santa’s naughty list.
- Update on the LastPass data breach.
- Xfinity customers receive coal in their stockings.
Play ransomware makes Santa’s naughty list.
Fortinet offers an in-depth look at Play ransomware, a relatively new threat group that has adopted the double-extortion technique – encrypting the target’s files as well as threatening to release or destroy stolen private data – that has grown ever more popular with ransomware gangs of late. Infection vectors include phishing, valid compromised accounts, and exposed RDP (Remote Desktop Protocol) servers, and the impacted parties are typically Microsoft Windows users. Once launched, the ransomware encrypts files of interest such as personal and operational documents, leaving them with a “.PLAY” extension, but leaves system files untouched. Once encryption is complete, a ransom note titled “ReadMe.txt” is added to the primary drive, containing a link to the group’s TOR pages and a contact e-mail address for negotiations. Most of Play’s targets have been in the EU (46%), followed by Asia and North America (about 23% each).
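For responders, the two on-disk indicators above (documents renamed with a “.PLAY” extension and a dropped “ReadMe.txt” note) are enough for a quick triage sweep. The script below is an added example written for this digest, not Fortinet’s analysis code or anything from the ransomware itself; the marker words it uses to distinguish a ransom note from an ordinary README (a TOR or .onion reference, an e-mail address) are an assumption drawn from the note contents described above, and the sample directory tree it builds is constructed.

```python
"""Defensive triage sweep for the Play artefacts described above: files renamed
with a ".PLAY" extension and a dropped ransom note named "ReadMe.txt".
Added example for this digest; not Fortinet's analysis code or the ransomware."""
import os
import re
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".play"   # page: encrypted files are left with a ".PLAY" extension
NOTE_NAME = "readme.txt"  # page: the ransom note is titled "ReadMe.txt"
# The page says the note carries a link to the group's TOR pages and a contact
# e-mail. These markers are an assumption used to tell a ransom note apart from
# an ordinary README of the same name; tune them to your own telemetry.
NOTE_PATTERN = re.compile(r"\btor\b|\.onion\b|@", re.IGNORECASE)


@dataclass
class SweepResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def _looks_like_ransom_note(path: str) -> bool:
    """Read the first few KB of a candidate note and look for the markers."""
    try:
        with open(path, "r", errors="ignore") as fh:
            return NOTE_PATTERN.search(fh.read(4096)) is not None
    except OSError:
        return False


def sweep(root: str) -> SweepResult:
    """Walk `root` and collect renamed (encrypted) files and ransom notes."""
    result = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(full)
            elif lower == NOTE_NAME and _looks_like_ransom_note(full):
                result.ransom_notes.append(full)
    return result


def build_sample_tree() -> str:
    """Constructed sample: a temp tree mimicking a hit, plus a benign readme."""
    root = tempfile.mkdtemp(prefix="play_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.PLAY", "contract.docx.PLAY"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 32)  # stand-in for ciphertext
    with open(os.path.join(root, "ReadMe.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us via TOR or "
                 "recovery@example.invalid\n")  # constructed, not a real note
    proj = os.path.join(root, "project")
    os.makedirs(proj)
    with open(os.path.join(proj, "readme.txt"), "w") as fh:
        fh.write("Build instructions for the project.\n")  # must not be flagged
    return root


if __name__ == "__main__":
    res = sweep(build_sample_tree())
    print(f"suspicious={res.suspicious} encrypted={len(res.encrypted_files)} "
          f"notes={len(res.ransom_notes)}")
```

Run it against a mounted image or a live file share rather than the sample tree; a non-empty `encrypted_files` list is the stronger signal, since a README file name alone is common, and the note check is only there to cut false positives.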
Update on the LastPass data breach.
Earlier this month, freemium password manager LastPass disclosed it had suffered a cyberattack when intruders breached its cloud storage using information previously stolen in an August security incident. While initially it seemed that customer data was largely unimpacted, LastPass has spent the last few weeks investigating the incident, and yesterday the company’s website was updated to explain that “the threat actor copied information from backup that contained basic customer account information and related metadata.” The potentially compromised data include company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. LastPass also notes that while the threat actor was able to copy a backup of customer vault data, that data is stored in a proprietary binary encryption format. Though some of that data, like website URLs, is unencrypted, sensitive fields such as website usernames and passwords, secure notes, and form-filled data are fully encrypted. Customers have been reassured that if they use LastPass’s default master password settings and best practices, there is little chance of their data being impacted.
Xfinity customers receive coal in their stockings.
Customers of American telecommunications company Comcast Xfinity have reported that their accounts are being hacked, despite the use of two-factor authentication. The attackers are using the compromised accounts to access the victims’ other services and hijack those accounts as well. The issues started on December 19th, with Xfinity email users receiving notifications that their account info had been changed without their knowledge. When they tried to access their accounts, they found their login credentials had been changed. Once they regained access, the users found that a secondary email address with a @yopmail.com domain had been added to their accounts. Bleeping Computer reports that several Xfinity customers shared their experiences with the publication, as well as posting their stories on Twitter, Reddit, and Xfinity’s support forum. What’s especially concerning is that many of the users had secured their accounts with two-factor authentication (2FA), meaning the attackers were able to bypass this protection.
One customer tweeted, “How was it that users with 2FA had email password resets sent to Yopmail accounts after midnight. WTH, Xfinity!” According to a researcher, the hackers acquired the stolen login credentials through credential stuffing attacks, and once the attackers are prompted to enter their 2FA code, they allegedly use a privately circulated OTP bypass for the Xfinity site that allows them to forge successful 2FA verification requests. After that, the hackers attempt to breach the victim’s other online services, including Dropbox, Evernote, and the Coinbase and Gemini cryptocurrency exchanges. Though Comcast has not yet issued a public response, one customer posted on Reddit, "I spoke to a second person in the xfinity security department that told me not to worry about the fraudulent yopmail account on my xfinity account and indicated that this had happened with many (maybe all) xfinity accounts. She indicated that xfinity is still working to find the source of the hack. Apparently this is a much more widespread issue than is being reported. It does not seem that xfinity email is secure at this time."
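From a detection standpoint, the account reports above contain two separable signals: a credential-stuffing phase (one source trying many different usernames) and a takeover phase (a password reset followed by a recovery address pointing at a disposable-mail domain such as @yopmail.com). The script below is an added example for this digest, not code from Xfinity, BleepingComputer or the researcher cited; the log format, field names, thresholds and the sample events are all constructed, and the disposable-domain list holds only the domain the page names.

```python
"""Two detections for the account-takeover pattern described above, run over
constructed sample events. Added example; not Xfinity's or anyone else's code.
 1. credential stuffing: one source IP failing logins against many accounts
    inside a short window;
 2. takeover indicator: a recovery/secondary e-mail changed to a disposable-mail
    domain, or changed shortly after a password reset."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "timestamp event user ip detail" format.
SAMPLE_LOG = """\
2022-12-19T00:02:11 LOGIN_FAIL alice 203.0.113.7 -
2022-12-19T00:02:12 LOGIN_FAIL bob 203.0.113.7 -
2022-12-19T00:02:13 LOGIN_FAIL carol 203.0.113.7 -
2022-12-19T00:02:14 LOGIN_FAIL dave 203.0.113.7 -
2022-12-19T00:02:15 LOGIN_FAIL erin 203.0.113.7 -
2022-12-19T00:02:16 LOGIN_OK frank 203.0.113.7 -
2022-12-19T00:03:40 PASSWORD_RESET frank 203.0.113.7 -
2022-12-19T00:04:02 RECOVERY_EMAIL_CHANGED frank 203.0.113.7 x1@yopmail.com
2022-12-19T09:15:00 LOGIN_FAIL alice 198.51.100.20 -
2022-12-19T09:15:30 LOGIN_OK alice 198.51.100.20 -
2022-12-19T10:00:00 RECOVERY_EMAIL_CHANGED alice 198.51.100.20 alice.backup@example.com
"""

# The page names @yopmail.com; extend this with your own disposable-mail list.
DISPOSABLE_DOMAINS = {"yopmail.com"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str
    user: str
    ip: str
    detail: str


def parse_log(text: str) -> list:
    """Parse the constructed line format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, detail = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), event, user, ip, detail))
    return events


def detect_credential_stuffing(events, min_distinct_users=5,
                               window=timedelta(minutes=10)) -> dict:
    """Return {ip: peak distinct users} for IPs whose failed logins span at
    least `min_distinct_users` different accounts within `window`."""
    fails_by_ip = defaultdict(list)
    for ev in events:
        if ev.event == "LOGIN_FAIL":
            fails_by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        in_window = Counter()  # user -> failures currently inside the window
        start = 0
        for ev in fails:
            in_window[ev.user] += 1
            while fails[start].ts < ev.ts - window:  # slide the window forward
                old = fails[start].user
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def detect_recovery_email_takeover(events, reset_window=timedelta(minutes=15)) -> list:
    """Return [(user, [reasons])] for suspicious recovery-address changes."""
    last_reset = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "PASSWORD_RESET":
            last_reset[ev.user] = ev.ts
        elif ev.event == "RECOVERY_EMAIL_CHANGED":
            reasons = []
            domain = ev.detail.rpartition("@")[2].lower()
            if domain in DISPOSABLE_DOMAINS:
                reasons.append(f"recovery address on disposable domain {domain}")
            reset_ts = last_reset.get(ev.user)
            if reset_ts is not None and ev.ts - reset_ts <= reset_window:
                reasons.append("recovery address changed right after a password reset")
            if reasons:
                findings.append((ev.user, reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("takeover indicators:", detect_recovery_email_takeover(evs))
```

The second detection is the one worth wiring to an alert that reaches the customer out of band: a recovery address landing on a throwaway domain minutes after a reset is exactly the sequence the reports above describe, and it fires regardless of how the second factor was defeated.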
Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, commented on the ins and outs of MFA, and why it's not necessarily the panacea people take it to be:
"This is yet another example of MFA not being as protective as most people think. MFA is a good thing and everyone should use phishing-resistant MFA when they can to protect valuable data and systems. With that said, MFA is oversold to customers as some sort of super solution that will solve most of our cybersecurity ills. Most people using MFA think they are specially protected against hackers...especially logon hacking. As this incident shows, although MFA can provide extra protection in some types of hacking scenarios, it doesn't protect in all scenarios and can be used to steal or bypass a password. No matter what MFA you use, you should be aware of the various types of common attacks against your type of MFA, and how to detect and prevent them if possible. And admins and MFA vendors need to make sure not to oversell MFA's protection. MFA is good and everyone should use it...but it's simply not as protective as people are being told. And thinking you are specially protected by MFA and mistakenly thinking you are highly resistant to hacking attacks is a dangerous mindset."