Cyber Attacks and Hacking

RTH10260
Posts: 14880
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#176

Post by RTH10260 »

Roku says 576,000 user accounts hacked after second security incident

Zack Whittaker (@zackwhittaker)
6:04 PM GMT+2 • April 12, 2024

Streaming giant Roku has confirmed a second security incident in as many months, with hackers this time able to compromise more than half a million Roku user accounts.

In a statement Friday, the company said about 576,000 user accounts were accessed using a technique known as credential stuffing, where malicious hackers use usernames and passwords stolen from other data breaches and reuse the logins on other sites.

Roku said in fewer than 400 account breaches, the malicious hackers made fraudulent purchases of Roku hardware and streaming subscriptions using the payment data stored in those users’ accounts. Roku said it refunded customers affected by the account intrusions.

The company, which has 80 million customers, said the malicious hackers “were not able to access sensitive user information or full credit card information.”

Roku said it discovered the second incident while it was notifying some 15,000 Roku users that their accounts were compromised in an earlier credential stuffing attack.

Following the security incidents, Roku said it rolled out two-factor authentication to users.



https://techcrunch.com/2024/04/12/roku- ... ts-hacked/
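Added example, not part of the TechCrunch article or anything Roku published: a small Python detector for the trace credential stuffing leaves in an authentication log. The log format, field names, account names and addresses are constructed for the demo. The signal is one source failing against many distinct accounts inside a short window (the same heuristic also catches password spraying); a single account failing repeatedly, which is what a brute-force attempt or a forgetful user looks like, is deliberately not matched by this rule. Any account that does log in from a flagged source is a takeover candidate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, one event per line (not from the
# article): timestamp, outcome, account name, source address.
AUTH_LOG = """\
2024-04-12T10:00:01 FAIL user=alice src=203.0.113.5
2024-04-12T10:00:02 FAIL user=bob src=203.0.113.5
2024-04-12T10:00:03 FAIL user=carol src=203.0.113.5
2024-04-12T10:00:04 FAIL user=dave src=203.0.113.5
2024-04-12T10:00:05 FAIL user=erin src=203.0.113.5
2024-04-12T10:00:06 FAIL user=frank src=203.0.113.5
2024-04-12T10:00:07 OK user=grace src=203.0.113.5
2024-04-12T10:01:00 FAIL user=alice src=198.51.100.7
2024-04-12T10:01:20 FAIL user=alice src=198.51.100.7
2024-04-12T10:01:40 OK user=alice src=198.51.100.7
2024-04-12T10:02:00 FAIL user=admin src=192.0.2.9
2024-04-12T10:02:05 FAIL user=admin src=192.0.2.9
2024-04-12T10:02:10 FAIL user=admin src=192.0.2.9
2024-04-12T10:02:15 FAIL user=admin src=192.0.2.9
2024-04-12T10:02:20 FAIL user=admin src=192.0.2.9
2024-04-12T10:02:25 FAIL user=admin src=192.0.2.9
2024-04-12T10:02:30 FAIL user=admin src=192.0.2.9
2024-04-12T10:02:35 FAIL user=admin src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_event(line):
    """Return one event as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against at least `min_users` distinct accounts
    within `window`. Thresholds are assumptions; tune them per site."""
    by_src = defaultdict(list)
    for event in sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"]):
        by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        peak_users = 0
        start = 0
        for end, current in enumerate(events):
            # Slide the window start forward until the span fits inside `window`.
            while current["ts"] - events[start]["ts"] > window:
                start += 1
            failed_users = {e["user"] for e in events[start:end + 1] if e["result"] == "FAIL"}
            peak_users = max(peak_users, len(failed_users))
        if peak_users >= min_users:
            alerts[src] = {
                "distinct_failed_users": peak_users,
                "failures": sum(1 for e in events if e["result"] == "FAIL"),
                # Accounts that logged in from a stuffing source: reset the
                # password and revoke sessions, since the login was likely the
                # attacker's reused credential working.
                "successful_logins": sorted({e["user"] for e in events if e["result"] == "OK"}),
            }
    return alerts


if __name__ == "__main__":
    for src, details in detect_stuffing(AUTH_LOG.splitlines()).items():
        print(src, details)
```

Run against the sample, the only flagged source is 203.0.113.5, with grace reported as a successful login from that burst; the repeated failures on one account from 192.0.2.9 are a different pattern and are not reported by this rule. The check complements, rather than replaces, the two-factor authentication Roku rolled out: stuffing still shows up in the logs, 2FA just stops the reused password from being enough.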

#177

Post by RTH10260 »

LockBit 3.0 Variant Generates Custom, Self-Propagating Malware
Kaspersky researchers discovered the new variant after responding to a critical incident targeting an organization in West Africa.

Jeffrey Schwartz, Contributing Writer
April 16, 2024

The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.

Kaspersky researchers discovered the latest variant at the end of March 2024 after responding to the incident in West Africa, describing it at the time as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, and Trojan-Ransom.Win32.Generic. Particularly concerning about this variant is that it can generate custom, self-propagating ransomware that is difficult to defend against.

During the attack, threat actors impersonating an administrator infected multiple hosts with malware, aiming to spread it deeply into the victim's network. According to Kaspersky, the customized ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs to avoid discovery of its actions.

The researchers discovered that the variant can also direct attacks on select systems and infect specific .docx or .xlsx files. "The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim's infrastructure, as well as covering their tracks," says Cristian Souza, an incident response specialist at Kaspersky.

The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky's Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. "However, we detected other incidents that used the leaked builder in other regions," he says.

The Appeal of LockBit 3.0 to Attackers




https://www.darkreading.com/endpoint-se ... ng-malware

#178

Post by RTH10260 »

“Highly capable” hackers root corporate networks by exploiting firewall 0-day
No patch yet for unauthenticated code-execution bug in Palo Alto Networks firewall.

Dan Goodin
4/12/2024, 10:48 PM

Highly capable hackers are rooting multiple corporate networks by exploiting a maximum-severity zero-day vulnerability in a firewall product from Palo Alto Networks, researchers said Friday.

The vulnerability, which has been under active exploitation for at least two weeks now, allows the hackers with no authentication to execute malicious code with root privileges, the highest possible level of system access, researchers said. The extent of the compromise, along with the ease of exploitation, has earned the CVE-2024-3400 vulnerability the maximum severity rating of 10.0. The ongoing attacks are the latest in a rash of attacks aimed at firewalls, VPNs, and file-transfer appliances, which are popular targets because of their wealth of vulnerabilities and direct pipeline into the most sensitive parts of a network.

“Highly capable” UTA0218 likely to be joined by others

The zero-day is present in PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls when they are configured to use both the GlobalProtect gateway and device telemetry. Palo Alto Networks has yet to patch the vulnerability but is urging affected customers to follow the workaround and mitigation guidance provided here. The advice includes enabling Threat ID 95187 for those with subscriptions to the company’s Threat Prevention service and ensuring vulnerability protection has been applied to their GlobalProtect interface. When that’s not possible, customers should temporarily disable telemetry until a patch is available.

Volexity, the security firm that discovered the zero-day attacks, said that it’s currently unable to tie the attackers to any previously known groups. However, based on the resources required and the organizations targeted, they are "highly capable" and likely backed by a nation-state. So far, only a single threat group—which Volexity tracks as UTA0218—is known to be leveraging the vulnerability in limited attacks. The company warned that as new groups learn of the vulnerability, CVE-2024-3400 is likely to come under mass exploitation, just as recent zero-days affecting products from the likes of Ivanti, Atlassian, Citrix, and Progress have in recent months.

“As with previous public disclosures of vulnerabilities in these kinds of devices, Volexity assesses that it is likely a spike in exploitation will be observed over the next few days by UTA0218 and potentially other threat actors who may develop exploits for this vulnerability,” company researchers wrote Friday. “This spike in activity will be driven by the urgency of this window of access closing due to mitigations and patches being deployed. It is therefore imperative that organizations act quickly to deploy recommended mitigations and perform compromise reviews of their devices to check whether further internal investigation of their networks is required.”

The earliest attacks Volexity has seen took place on March 26 in what company researchers suspect was UTA0218 testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability. On April 7, the researchers observed the group trying unsuccessfully to install a backdoor on a customer’s firewall. Three days later, the group’s attacks were successfully deploying malicious payloads. Since then, the threat group has deployed custom, never-before-seen post-exploitation malware. The backdoor, which is written in the Python language, allows the attackers to use specially crafted network requests to execute additional commands on hacked devices.



https://arstechnica.com/security/2024/0 ... all-0-day/

#179

Post by RTH10260 »

New Vulnerability “LeakyCLI” Leaks AWS and Google Cloud Credentials
A critical vulnerability named LeakyCLI exposes sensitive cloud credentials from popular tools used with AWS and Google Cloud. This poses a major risk for developers, showing the need for strong security practices. Learn how to mitigate LeakyCLI and fortify your cloud infrastructure.

WAQAS
APRIL 16, 2024

Cloud infrastructure is the backbone of modern technology, and its security hinges on the tools developers use to manage it. However, a recently discovered vulnerability dubbed “LeakyCLI” exposes a critical weakness in these tools, potentially granting unauthorized access to sensitive cloud credentials.

This vulnerability affects the command-line interfaces (CLIs) used by major cloud providers like Amazon Web Services (AWS) and Google Cloud Platform (GCP). Security researchers at Orca Security identified LeakyCLI, which can inadvertently expose environment variables containing sensitive information like passwords and access keys within logs.

The Flaw and the Risk

CLIs are typically designed for use in secure environments. However, the integration with Continuous Integration and Continuous Deployment (CI/CD) pipelines, which automate development processes, introduces a security risk. LeakyCLI bypasses secret labelling mechanisms within CI/CD pipelines, potentially printing sensitive credentials to logs that shouldn’t contain them.

“CLI commands are by default assumed to be running in a secure environment,” explains an Orca advisory. “But coupled with CI/CD pipelines, they may pose a security threat.” This vulnerability creates a prime target for attackers employing social engineering tactics.



https://www.hackread.com/vulnerability- ... edentials/

#180

Post by RTH10260 »

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely
Hard-coded credentials last thing you want in home security app

Matthew Connatser
Mon 15 Apr 2024 // 22:35 UTC

Some smart locks controlled by Chirp Systems' software can be remotely unlocked by strangers thanks to a critical security vulnerability.

This remote exploitation is possible due to passwords and private keys being hard-coded in Chirp's Android app. Anyone who knows or finds these credentials can use them with an API maintained by smart lock supplier August to remotely open someone's Chirp-powered lock and thus unlock whatever door it is supposed to be protecting. Chirp has claimed its system is being used by over 50,000 households.

For those unfamiliar with this tech, Chirp provides application software to remotely control compatible locks, which can be bought from vendors such as August. It turns out it's possible to use the credentials inside the Chirp Android app to effectively masquerade as the developer via that aforementioned API, enumerate locks, and control them. Presumably victims would need to be using an August-supported lock; we note that Yale is a brand August uses as both are owned by the same parent, Sweden's Assa Abloy. We've asked August for more details.

The Chirp-side security flaw was given a CVSS severity score of 9.1 out of 10 last month. The US govt's Cybersecurity and Infrastructure Security Agency also issued an alert about the situation. The warning notes Chirp hasn't responded to CISA at all about fixing the hole.

As the watchdog put it, "Successful exploitation of this vulnerability could allow an attacker to take control and gain unrestricted physical access to systems using the affected product.

"Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access."

The vulnerability was discovered and disclosed to Chirp three years ago by Amazon Web Services senior engineer Matt Brown, who delved into Chirp's Android app because his apartment building switched over to the "smart" locks in March 2021. We note that Chirp updated its Android app last month after the CISA alert, to apply "bug fixes and improved stability," so the hole may have been quietly patched by now.




https://www.theregister.com/2024/04/15/ ... hirp_lock/
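Added example covering both the LeakyCLI item (#179) and the Chirp hard-coded credentials item (#180); it is not code from Orca, Chirp, the vendors or the articles. It is a Python scanner for credential material in any text, run here over a constructed CI job log in which a CLI step has dumped its environment (the value registered with the CI as a secret stays masked as ***, while an unregistered token appears in clear) and over a constructed Android-style source file with a baked-in password and private key. The patterns for AWS access key IDs, Google API keys and PEM private-key headers are the well-known public formats; the generic assignment rule, the placeholder filter and the entropy threshold are assumptions chosen for the demo.

```python
import math
import re
from collections import Counter

# Credential formats worth flagging wherever they appear. Order matters: the
# specific formats come first so a value they match is not reported a second
# time by the generic assignment rule.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("secret_assignment", re.compile(
        r"(?i)\b[A-Z_]*(?:secret|password|passwd|token|api_key|access_key)[A-Z_]*"
        r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s]{8,})")),
]

# Values that are variable references or already-masked output, not secrets.
PLACEHOLDER_RE = re.compile(
    r"^(?:\$\{[^}]*\}|\$\([^)]*\)|<[^>]*>|\*{3,}|\$[A-Za-z_][A-Za-z0-9_]*)$")

# Constructed CI job log (assumed format): a deploy step printed its environment.
CI_LOG = """\
[deploy] Resolving environment
  AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY=***
  DEPLOY_TOKEN=q7Vz2kLm9pX4wR8tY1uB
  DB_PASSWORD=${DB_PASSWORD}
  API_KEY_NAME=deploy-key
  PATH=/usr/bin:/bin
[deploy] Uploading artefacts
"""

# Constructed Android-style source with credentials baked into the code.
ANDROID_SOURCE = """\
public final class ApiConfig {
    static final String BASE_URL = "https://api.example.invalid/v1";
    static final String API_PASSWORD = "8fK2mQ9zLp4vX7sW";
    static final String SIGNING_KEY =
        "-----BEGIN RSA PRIVATE KEY-----" +
        "MIIEowIBAAKCAQEA...constructed placeholder, not a real key...";
}
"""


def shannon_entropy(value):
    """Bits per character: random tokens score around 4, plain words 2 to 3."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, min_entropy=3.0):
    """Return findings (line number, rule, value, entropy) for `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group("value") if "value" in m.groupdict() else m.group(0)
                if value in seen or PLACEHOLDER_RE.match(value):
                    continue
                entropy = shannon_entropy(value)
                if rule == "secret_assignment" and entropy < min_entropy:
                    continue  # reads like a label or word, not a credential
                seen.add(value)
                findings.append({"line": lineno, "rule": rule, "value": value,
                                 "entropy": round(entropy, 2)})
    return findings


def redact(text):
    """Replace every flagged value so the text can be retained or shared."""
    for finding in scan(text):
        text = text.replace(finding["value"], f"[REDACTED:{finding['rule']}]")
    return text


if __name__ == "__main__":
    for label, sample in (("ci log", CI_LOG), ("source", ANDROID_SOURCE)):
        for f in scan(sample):
            print(f"{label}: line {f['line']} {f['rule']} (entropy {f['entropy']})")
    print(redact(CI_LOG))
```

scan() reports the access key ID and the unregistered DEPLOY_TOKEN in the log (the masked secret, the ${DB_PASSWORD} reference and the low-entropy key name are skipped), and the password plus the private-key header in the source; redact() rewrites the flagged values in place. The point of running this over job output is the one the Orca advisory makes: CI masking only covers values that were registered as secrets, so anything a CLI prints from its environment that was never registered lands in the log in clear, and a scan of the log itself is the check that catches it. The same scanner as a pre-commit hook is the cheap answer to the Chirp-style problem of credentials shipped inside an app.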

#181

Post by RTH10260 »

Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

By MSRC
March 08, 2024

This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM.

As we said at that time, our investigation was ongoing, and we would provide additional details as appropriate.

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.

It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.

Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.



https://msrc.microsoft.com/blog/2024/03 ... -blizzard/

#182

Post by RTH10260 »

UnitedHealth Data Leak May Affect ‘Substantial’ Swath of U.S.
The company said a ransom was paid to protect patient data.

Bloomberg News
Apr 23, 2024

(Bloomberg) -- UnitedHealth Group Inc. found files containing private information on a vast number of Americans whose data may have been compromised in a February cyberattack that upended the US health system.

A sample of the breached files found they contain personal information, including health data, that “could cover a substantial proportion of people in America,” according to a statement on the company’s website Monday.

The disclosure suggests the attack could be one of the largest health-care data breaches on record. Before the hack, Change Healthcare said it processed $2 trillion in health claims and handled 15 billion transactions per year. The disclosure is likely to add to pressure on the company from Washington to explain what led to the hack and how the company responded.

Two months after the attack on the company’s Change Healthcare unit came to light, the health-care system is still dealing with the repercussions. Among the many unanswered questions is how many people’s private data may have been exposed.

Tallying the privacy impacts may take months, UnitedHealth said. The company has not yet found evidence that doctors’ charts or full medical histories were exposed. It set up a website and call center to assist people with credit monitoring.

Companies typically have 60 days to report data breaches to the Department of Health and Human Services under health privacy rules. The agency opened an investigation into the incident last month.

Late last week, the HHS office that oversees data breach reporting said it hadn’t received notice from UnitedHealth, Change Healthcare, or other affected entities, according to its website.



https://www.itprotoday.com/attacks-and- ... l-swath-us

#183

Post by RTH10260 »

Hackers stole 340,000 Social Security numbers from government consulting firm

Lorenzo Franceschi-Bicchierai
6:30 PM GMT+2•April 8, 2024

U.S. consulting firm Greylock McKinnon Associates (GMA) disclosed a data breach in which hackers stole as many as 341,650 Social Security numbers.

The data breach was disclosed on Friday on Maine’s government website, where the state posts data breach notifications.

In its data breach notice sent by mail to affected victims, GMA said it was hit by an unspecified cyberattack in May 2023 and “promptly took steps to mitigate the incident.”

GMA provides economic and litigation support to companies and U.S. government agencies, including the U.S. Department of Justice, bringing civil litigation. According to its data breach notice, GMA told affected individuals that their personal information “was obtained by the U.S. Department of Justice (“DOJ”) as part of a civil litigation matter” supported by GMA.

The reasons and target of the DOJ’s civil litigation are not known. A spokesperson for the Justice Department did not respond to a request for comment.

GMA said that individuals notified of the data breach are “not the subject of this investigation or the associated litigation matters,” and that the cyberattack “does not impact your current Medicare benefits or coverage.”



https://techcrunch.com/2024/04/08/hacke ... ting-firm/