At a glance.
- MercadoLibre data breach.
- Access:7 bugs and the IoT.
- Spyware on Israeli phones connected to foreign actors.
- APT41 targets US state governments.
MercadoLibre user data stolen by Lapsus$ cybergang.
Argentinian e-commerce platform MercadoLibre has disclosed that an intruder gained "unauthorized access" to some of its source code as well as the data of approximately 300,000 users. BleepingComputer notes that the disclosure comes on the heels of data extortion group Lapsus$'s claims that they were in possession of stolen data belonging to MercadoLibre as well as several other companies (including electronics giant Samsung, as we noted yesterday). Initial analysis does not suggest that the company's IT infrastructure was impacted or that sensitive data was exposed. MercadoLibre, Latin America's largest e-commerce and payments ecosystem, stated, "We have not found any evidence that our infrastructure systems have been compromised or that any users' passwords, account balances, investments, financial information, or credit card information were obtained. We are taking strict measures to prevent further incidents."
Felix Rosbach, product manager with data security experts comforte AG, puts this Lapsus$ hack into context:
“Like Nvidia and Samsung, Mercado Libre is another target of the Lapsus$ ransomware gang. The nature of the attack fits a trend researchers and experts have seen over the past years. Modern targeted ransomware attacks involve a data extortion element more and more often. With advanced persistent threats, attackers get access to data on the way, infiltrating organizations for a longer period of time, and with that increase the impact. Due to the fact that more and more organizations have better defense strategies, zero trust and backup plans, this introduces a way to increase the pressure on organizations to pay a ransom.
"Getting access to source code may be a pure coincidence when at a later stage of the attack - but could also be a targeted operation to increase impact, steal intellectual property or to start a supply chain attack. Protecting data with a data-centric security strategy becomes a critical component of any successful ransomware strategy.”
Access:7 bugs unlucky for IoT devices.
Researchers from CyberMDX (recently acquired by IoT security firm Forescout) have detected seven vulnerabilities, collectively called Access:7, in the IoT remote access tool PTC Axeda. The tool is particularly popular in medical equipment, but can also be found in ATMs, vending machines, barcode scanning systems, and industrial manufacturing equipment. Security Week explains that three of the seven vulnerabilities have been rated “critical” and can be exploited for remote code execution. Three others have been rated “high severity”: two can be exploited for DoS attacks and one for obtaining data. It’s estimated that the vulnerabilities impact hundreds of thousands of devices, affecting over one hundred fifty models from more than one hundred manufacturers. Forescout found Access:7 in 2,000 vulnerable systems among its customer pool alone. 55% of the impacted vendors are in the healthcare sector, and medical systems have proven to be a highly attractive target for threat actors. Daniel dos Santos, head of security research at Forescout, told Wired, “You can imagine the type of impact an attacker could have when they can either exfiltrate data from medical equipment or other sensitive devices, potentially tamper with lab results, make critical devices unavailable, or take them over entirely.”
Spyware on Israeli officials’ phones not connected to police.
After analyzing the phones of three former Israeli ministry directors general suspected of being hacked with Pegasus spyware, Israeli cybersecurity company ZecOps has determined the devices were hacked by a foreign state. The three former officials – Shai Babad, the former director-general of the Finance Ministry; Keren Terner Eyal, also a former director-general of that ministry as well as the Transportation Ministry; and Emi Palmor, a former director-general of the Justice Ministry – were named in a recent Calcalist report alleging that they, along with dozens of high-profile individuals, had been targeted for illicit surveillance by Israeli police using NSO Group’s controversial Pegasus software. ZecOps’ subsequent investigation revealed not only were the three devices not bugged by police, but there was no trace of Pegasus on the phones. Times of Israel reports that ZecOps did not disclose what foreign state was actually at fault for the surveillance.
US state government networks targeted by APT41.
An investigation conducted by researchers at Mandiant reveals that the Chinese state-sponsored threat group APT41 has been attacking the networks of US state governments. By exploiting vulnerable internet-facing ASP.NET web applications, the attackers successfully infiltrated at least six state government networks between May 2021 and February 2022. As SecurityWeek explains, the threat group is notorious for its cyberespionage and financially-motivated operations, and though the goal of the attacks has not been determined, and the focus on government systems may suggest espionage, this particular threat group has been known to engage in financially motivated APT side hustles. Thus the interest in PII may suggest preparation for identity fraud or targeted social engineering.
One of the attacks involved the exploitation of the infamous Log4Shell vulnerability, and in at least two cases, the attackers hacked the Animal Health Emergency Reporting Diagnostic System, or USAHERDS, a web-based platform used to track diseases in livestock. Mandiant analyst Rufus Brown told Wired “It's very unnerving to see this group everywhere. APT41 is going after any external-facing web application that can give them access to a network. Just very persistent, very continuous targeting.” TechCrunch notes that the US indicted five members of APT41 in 2020, but apparently that has done little to slow the group down. Mandiant’s investigation reveals the hackers have adopted a number of new techniques, adapting their methods to fit each target’s environment, and in one case they returned to attack a target a second time after their initial attack vector was contained.
Brian Fox, CTO at Sonatype, wrote with an appreciation of what the incident means for Log4Shell exploitation:
“The news of China’s APT41 hacking group breaching U.S. state government networks tracks with the typical time lapse we see with zero-day vulnerabilities like Log4Shell. The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit. So, from a historical perspective this isn’t surprising: a high-spread, low-complex vulnerability equals a 100 percent chance of being used.
“What is more surprising and even more concerning is our data shows that nearly 40% of Log4Shell downloads are still of vulnerable versions. Meaning there’s a high chance that other state and national governments — not just in the U.S. — will be breached in the coming months by bad actors. What I advise now is what I’ve advocated for a long time: urge your software vendors to create and continuously update a software bill of materials and invest in a tool that includes software composition analysis (SCA). SCA provides a look at all the components in a project and determines the potential risk. These tools should be automated to monitor components across the entire Software Development Lifecycle.”
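As an added illustration of the SBOM-plus-SCA practice Fox recommends (example code written for this briefing, not Sonatype's tooling or anything from the original page): it loads a constructed CycloneDX-style SBOM and checks each component against a constructed advisory table. The version ranges and advisory id are placeholders, so the block shows only the mechanics of an automated component check, not real affected versions.

```python
"""Minimal SCA pass over a CycloneDX-style SBOM (illustrative only)."""
import json

# Constructed SBOM fragment in CycloneDX JSON shape; component versions are sample values.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",  "version": "2.14.1"},
    {"type": "library", "group": "com.example",              "name": "widget",     "version": "1.2.0"}
  ]
}"""

# Constructed advisory table: (group, name, first affected version, first fixed version, advisory id).
# The range and id are placeholders; a real SCA tool pulls these from a vulnerability feed.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0.0", "2.99.0", "PLACEHOLDER-ADVISORY-1"),
]


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple.
    A final release sorts after any prerelease of the same numeric version."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))          # pad '2.14' to (2, 14, 0)
    return (nums, 0 if pre else 1, pre)


def in_range(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def scan_sbom(sbom_text, advisories):
    """Return one finding per SBOM component whose version falls in an advisory range."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        for group, name, first_affected, first_fixed, advisory_id in advisories:
            if comp.get("group") == group and comp.get("name") == name \
                    and in_range(comp.get("version", "0"), first_affected, first_fixed):
                findings.append({"component": f"{group}:{name}", "version": comp["version"],
                                 "advisory": advisory_id, "fixed_in": first_fixed})
    return findings


if __name__ == "__main__":
    for finding in scan_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

Run on every build so a newly added or downgraded component is flagged before it ships, which is the continuous monitoring the quote asks for.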