At a glance.
- Bogus DDoS protection pages distribute malware.
- Estonia deals with DDoS attacks.
- Update to the Joint Alert on Zimbra exploitation.
- Iranian APT data extraction tool described.
- LockBit gang comes under DDoS.
- Twitter whistleblower security claims made public.
- Greek natural gas supplier under criminal cyberattack.
- Deepfake scams appear to have arrived.
- Threat actors prepare to exploit Hikvision camera vulnerability.
- Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations.
- Exotic Lily and Bumblebee Loader.
- Microsoft describes Nobelium's new approach to establishing persistence.
- LastPass discloses a security incident.
Bogus DDoS protection pages distribute malware.
Researchers at Sucuri warn that fake DDoS protection pages, the sort that ask visitors to perform a browser check before proceeding, are distributing malware in drive-by attacks. "Unfortunately, attackers have begun leveraging these familiar security assets in their own malware campaigns. We recently discovered a malicious JavaScript injection affecting WordPress websites which results in a fake CloudFlare DDoS protection popup," Sucuri writes. "Since these types of browser checks are so common on the web many users wouldn’t think twice before clicking this prompt to access the website they’re trying to visit. However, the prompt actually downloads a malicious .iso file onto the victim’s computer." The file is a remote access Trojan. The malicious site is an impostor: there's no compromise of CloudFlare itself.
Estonia deals with DDoS attacks.
Infosecurity Magazine speaks with Estonian officials working to mitigate the effects of distributed denial-of-service (DDoS) attacks the country has sustained this month. Tõnu Tammer, head of the incident response (CERT-EE) department of the Estonian Information System Authority (RIA), said that the campaign peaked last week, on the 16th and 17th. “The attack against the website of emta.ee (home page of Estonian Tax and Customs Board) on August 17 had the most visible effect, with the website being unavailable from 12.30pm to 1.40pm. After changing the settings and implementing additional defense mechanisms, it was possible to use the website again. Still, all the services were functional and only the web page was affected,” Tammer told Infosecurity Magazine. He credits defensive preparations and adequate resourcing with having given Estonia the means of mitigating the effects of the attack.
The campaign was claimed by Killnet, the Russian hacktivist front associated with nuisance-level attacks against governments sympathizing with Ukraine during Russia's current war. The proximate cause of the recent attacks has been, as it was in 2007, Estonia's removal of Soviet-era Second World War memorials. There may be more pretexts for follow-on attacks: Russia's FSB has claimed that the assassin who killed Russian ultra-nationalist media personality Darya Aleksandrovna Dugina has taken refuge in Estonia, from where Russia has demanded her extradition. (The identification of the assassin is unconfirmed, and there's no reason beyond the FSB's word to think that the assassin has taken refuge in Estonia.)
Iranian APT data extraction tool described.
Google's Threat Analysis Group Tuesday morning published the results of its investigation into Charming Kitten. The Iranian government-sponsored threat group has been observed using a new extraction tool the researchers call "HYPERSCRAPE." It's used to extract user data from Gmail, Yahoo!, and Microsoft Outlook accounts. Google explains, "The attacker runs HYPERSCRAPE on their own machine to download victims’ inboxes using previously acquired credentials. We have seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development. We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings."
LockBit gang comes under DDoS.
A researcher at Cisco Talos tweeted last weekend that the blog operated by the LockBit gang had come under heavy distributed denial-of-service (DDoS) attack. Researcher Azim Shukuhi observed, "someone is DDoSing the Lockbit blog hard right now. I asked LockBitSupp about it and they claim that they're getting 400 requests a second from over 1000 servers." As of this writing, the attack appears to be active. LockBit promised more resources and to "drain the ddosers money," and added, in the thread, that the ALPHV gang seemed to be undergoing a similar attack.
According to the Register, LockBit (a Russian criminal operation) said that it had come under attack because it had, in its own turn, hit the large US authentication firm Entrust with ransomware earlier this summer. BleepingComputer reports that LockBit is blaming Entrust for the DDoS attack. "Ddos attack began immediately after the publication of data and negotiations, of course it was them, who else needs it? In addition, in the logs there is an inscription demanding the removal of their data," LockBitSupp, the public face of the gang, told BleepingComputer. But it's unclear who's behind the DDoS attack. Entrust hadn't yet responded to BleepingComputer at the time of publication, and it's entirely possible that a rival gang, for example, is behind the attack.
Twitter whistleblower security claims made public.
Peiter "Mudge" Zatko, a well-known white hat hacker who served for a time as Twitter's chief of security before being dismissed in January by Twitter's CEO, has filed a whistleblower report against his former employer, the Washington Post reports. The complaint, which Zatko filed with the US Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, alleges, according to the Post, "that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes."
For its part Twitter says it investigated Zatko's claims at the time he made them, and found them without merit.
Greek natural gas supplier under criminal cyberattack.
The Greek natural gas provider DESFA disclosed last weekend that it had been the victim of a ransomware attack. "DESFA suffered a cyberattack on part of its IT infrastructure by cybercriminals that have tried to gain illegal access to electronic data, with a confirmed impact on the availability of some systems and possible leakage of a number of directories and files." BleepingComputer connects the incident with Ragnar Locker, a pioneer of double-extortion attacks that both steal and encrypt data. Ragnar Locker, which claimed responsibility and leaked proof-of-compromise data Friday, is a gang long believed to be based in Russia. An attack on a European natural gas distributor during Russia's war against Ukraine is consistent with privateering aligned with Moscow's interests. The Record reports that DESFA has refused to negotiate with its attackers.
Deepfake scams appear to have arrived.
Bitcoin.com reports that scammers used an "AI hologram" as a deepfake impersonation of cryptocurrency exchange Binance's Chief Communications Officer Patrick Hillmann in scam Zoom video calls with representatives of various cryptocurrency projects. Hillmann, blogging about the experience last week, said he became aware of the scam when he received messages from the targets, thanking him for taking time to meet with them in calls he had never in fact attended. "It turns out that a sophisticated hacking team used previous news interviews and TV appearances over the years to create a 'deep fake' of me," Hillmann explained.
It's not just deepfakes on Zoom, either. More conventional impersonation is also troubling Binance. Business Insider reports that "Changpeng Zhao, the CEO of cryptocurrency exchange Binance, tweeted that 'LinkedIn has 7000 profiles of 'Binance employees', of which only 50 or so are real.'" Thus reports of fake accounts are by no means confined to Twitter.
Threat actors prepare to exploit Hikvision camera vulnerability.
CYFIRMA researchers report that Hikvision networked cameras are susceptible to exploitation of a command-injection vulnerability, and that threat actors are preparing to take advantage of it. Exploitation could enable attackers to enroll cameras as bots in distributed denial-of-service attacks; it could also afford threat actors the opportunity to pivot to other, more sensitive portions of the networks to which the cameras connect. Various criminal groups are exchanging information on the vulnerable systems in underground fora. "CYFIRMA researchers have observed in the sample analysed, multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability (CVE-2021-36260) globally. Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization's environment." The report mentions the possibility of exploitation for "geopolitical purposes," which suggests a potential nation-state (or privateering) threat.
Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations.
Group-IB reports that phishing attacks against employees of Twilio and Cloudflare that impersonated Okta's Identity and Access Management services formed part of a campaign that compromised 9931 accounts in more than 130 organizations. Most of the victims were in the United States, and were Okta users. "The initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations," Group-IB explained. "With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to." The attacker showed a mixture of sophistication and inexperience, making extensive use of simple, commodity tools in a convincing way, but with static pages and a phishing kit ill-configured for mobile devices.
The campaign appears to have been designed for supply chain attacks, with three notable successes:
- "Marketing firm Klaviyo was breached and personal information connected to cryptocurrency-related accounts, reportedly including names, addresses, emails, and phone numbers, was stolen. This information could be used in order to steal cryptocurrency."
- "Email platform Mailchimp was breached to gain access to data from crypto-related companies and disrupt operations. Mailchimp was used by technology firm DigitalOcean to send confirmation emails, password resets, email-based alerts. By initiating and redirecting password resets the customers of DigitalOcean could have been compromised."
- "Phone number verification provider Twilio was breached, which allowed the attacker to attempt to re-register Signal accounts to new mobile devices."
The researchers developed some information on the threat actor behind what appears to be a criminally motivated operation. "Subject X," as Group-IB calls him, is thought to be a 22-year-old software developer working from the US state of North Carolina. Group-IB has shared what it knows with law enforcement.
Exotic Lily and Bumblebee Loader.
Deep Instinct has released a report describing the Bumblebee loader. The threat actor used a phishing email to gain trust, and then sent the victim malicious files purporting to come from a file-sharing platform. The files execute a script that drops the Bumblebee payload. Researchers have found this to be consistent with activity from the threat actor EXOTIC LILY, and Google’s TAG says, “EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.”
Microsoft describes Nobelium's new approach to establishing persistence.
Microsoft researchers have described how Nobelium, the Russian state threat actor more commonly known as Cozy Bear, that is, the SVR foreign intelligence service, maintains persistence in compromised environments. Nobelium is engaged in cyberespionage, "executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia." It's deploying a new toolkit Microsoft calls "MagicWeb" to maintain persistence in the face of attempts to evict it from compromised networks. "MagicWeb is a malicious DLL [dynamic link library] that allows manipulation of the claims passed in tokens generated by an Active Directory Federated Services (AD FS) server. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML."
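An added defensive check, not part of Microsoft's report or its tooling, in the spirit of this passage: it lists the DLLs loaded into the AD FS service process and flags any that do not carry a valid Microsoft Authenticode signature. It assumes an elevated PowerShell session on the AD FS server and that the service host process is named Microsoft.IdentityServer.ServiceHost (the standard AD FS service executable).

```powershell
# Added example (not from Microsoft's MagicWeb report): enumerate the modules
# loaded into the AD FS service process and report any that are unsigned or
# not signed by Microsoft. Assumption: run elevated on the AD FS server, where
# the service host process is Microsoft.IdentityServer.ServiceHost.
$procName = 'Microsoft.IdentityServer.ServiceHost'
$proc = Get-Process -Name $procName -ErrorAction Stop

$findings = foreach ($m in $proc.Modules) {
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    # Treat a module as expected only if its signature chain validates AND the
    # signer subject names Microsoft; everything else is surfaced for review.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    if (-not $trusted) {
        [pscustomobject]@{
            Module = $m.ModuleName
            Path   = $m.FileName
            Status = $sig.Status
            Signer = $signer
        }
    }
}

if ($findings) {
    Write-Warning "Unsigned or non-Microsoft modules loaded into ${procName}: review each one"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "All modules loaded into $procName carry a valid Microsoft signature."
}
```

Legitimate third-party AD FS extensions (MFA adapters, custom attribute stores) will appear in this output and should be allowlisted by file hash; a valid signature is a necessary check, not proof of legitimacy.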
LastPass discloses a security incident.
LastPass, whose password manager is widely used by both individuals and organizations, disclosed Thursday that an unauthorized party accessed a portion of the company's development environment. The intruder gained access through a compromised developer account and was able to take "portions of source code and some proprietary LastPass technical information." LastPass says its customers' accounts remain secure, and that its services are operating normally. The company says it's contained the incident, is working on mitigation, and will keep its customers apprised of developments. Proper caution would advise enabling multifactor authentication on LastPass accounts, if you haven't already done so.
Patch news.
Tuesday the US Cybersecurity and Infrastructure Security Agency (CISA) released seven industrial control system (ICS) advisories, for ARC Informatique PcVue ("mitigations for a Cleartext Storage of Sensitive Information vulnerability"), Delta Industrial Automation DIALink ("mitigations for a Use of Hard-coded Cryptographic Key vulnerability"), myScada Pro ("mitigations for a Command Injection vulnerability"), Measuresoft ScadaPro Server ("mitigations for an Out-of-bounds Write vulnerability"), Measuresoft ScadaPro Server and Client ("mitigations for Untrusted Pointer Dereference, Stack-based Buffer Overflow, Use After Free, and Link Following vulnerabilities"), Hitachi Energy RTU500 ("mitigations for a Stack-based Buffer Overflow vulnerability"), and Illumina Local Run Manager (Update A) ("mitigations for Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Access Control, and Cleartext Transmission of Sensitive Information vulnerabilities").
CISA has also added CVE-2022-0028, a vulnerability in Palo Alto Networks' PAN-OS, to its catalog of Known Exploited Vulnerabilities. It's a "reflected amplification denial-of-service vulnerability." Filtering policy misconfigurations could permit "a network-based attacker to conduct reflected and amplified TCP denial-of-service attacks." US Federal agencies overseen by CISA have until September 12th to apply Palo Alto's update.
On Thursday CISA added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation in the wild. The new additions, which US Federal Civilian Executive Agencies have until September 15th to search for and remediate, are:
- CVE-2022-26352. "dotCMS ContentResource API contains an unrestricted upload of files with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage location. Exploitation allows for remote code execution."
- CVE-2022-24706. "Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges."
- CVE-2022-24112. "Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution."
- CVE-2022-22963. "When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources."
- CVE-2022-2294. "WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability which allows an attacker to perform shellcode execution. This vulnerability impacts web browsers using WebRTC including but not limited to Google Chrome."
- CVE-2021-39226. "Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss."
- CVE-2021-38406. "Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution. The impacted product is end-of-life and should be disconnected if still in use."
- CVE-2021-31010. "In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions."
- CVE-2020-36193. "PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux."
- CVE-2020-28949. "PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux."
Crime and punishment.
A former Apple engineer has pleaded guilty to criminal charges of trade secret theft committed while he was preparing to leave for a Chinese electric, autonomous car startup, Bloomberg reports. Zhang Xiaolang was arrested in July 2018 as he was about to leave on a one-way trip to China. Prosecutors accused him of "downloading a 25-page Apple document to his wife’s computer that included schematic drawings of a circuit board design for a portion of an autonomous vehicle." He pleaded guilty to the charges on Monday; the charges reportedly carry a "maximum penalty of 10 years in prison and a $250,000 fine."
Courts and torts.
Cryptocurrency exchange Coinbase has been hit with a class action lawsuit alleging that the platform has been negligent in protecting user data from cyberattacks. The Recorder explains that Coinbase previously incurred large fines for vulnerabilities found on the platform, but the lawsuit claims the exchange's security issues persist, allowing hackers to continue to infiltrate users’ cryptocurrency wallets. Specifically, the suit alleges that Coinbase customer Manish Aggarwal lost more than $200,000 in Bitcoin after cybercriminals hacked into his account. The suit also notes a 2021 breach in which hackers stole the funds of over six thousand Coinbase customers. Coinbase’s website claims the platform’s “best-in-class storage,” “industry-leading security,” and “state-of-the-art encryption” have made it the “most trusted crypto exchange,” but plaintiffs say these claims are false. “Unfortunately, Coinbase’s representations regarding the security of its platform have proven untrue. Despite claiming to be ‘the only crypto exchange to have never been hacked,’ Coinbase has been hacked and had customer funds stolen in multiple instances within the last two years,” the court documents read.
Policies, procurements, and agency equities.
The governments of Poland and Ukraine have concluded a memorandum of understanding concerning cybersecurity, formalizing cooperation in the fifth domain. Ukraine's SSSCIP describes the purpose of the agreement as organization of joint efforts for "repelling the enemy in cyberspace." The statement adds, "The memorandum aims to strengthen the joint fight against crimes in the digital space, as well as to share experience and detailed information about cyber incidents [faster and more effectively]." Janusz Cieszynski, Poland's Secretary of State for Digital Affairs and Government Plenipotentiary for Cybersecurity, said, "The reason I am here, signing this important MoU, is to work hand in hand with our Ukrainian partners so that we all know more about the danger we are faced with, learn from each other and become more cyber resilient." Mykhailo Fedorov, Ukraine's Vice Prime Minister, Minister of Digital Transformation, commented, "The first world cyberwar is ongoing. Therefore, joining efforts and exchanging practices is a logical step in this area. With Poland, we have not only a common physical border, but also a joint problem in cyberspace, where we experience the same kind of attacks. I am sure that together we will become stronger and more effective."
US Secretary of Homeland Security Alejandro Mayorkas Wednesday announced that his Department was canceling plans to establish a Disinformation Governance Board. “In accordance with the HSAC’s [Homeland Security Advisory Council's] prior recommendation, Secretary of Homeland Security Alejandro N. Mayorkas has terminated the Disinformation Governance Board and rescinded its charter effective today, August 24, 2022,” the Department's announcement said. "With the HSAC recommendations as a guide, the Department will continue to address threat streams that undermine the security of our country consistent with the law, while upholding the privacy, civil rights, and civil liberties of the American people and promoting transparency in our work.” The Disinformation Governance Board had drawn criticism as a step toward the erosion of freedom of speech and thought. The Department was at pains to dispute that characterization, but the criticism nonetheless induced a pause in the Board's formation and a request for advice from the HSAC, which the Department has now received and accepted.