Cyber Attacks and Hacking

RTH10260 · #201

London NHS hospitals revert to paper records after cyber-attack
Disruption has affected wider range of health providers than first thought, including GPs and community and mental health services

Denis Campbell and Dan Milmo
Wed 5 Jun 2024 21.39 CEST

A cyber-attack thought to have been carried out by a Russian group has forced London NHS hospitals to resurrect long-discarded paper records systems in which porters hand-deliver blood test results because IT networks are disrupted.

Guy’s and St Thomas’ trust (GSTT) has gone back to using paper, rather than computers, to receive the outcome of patients’ blood tests.

Synnovis, which analyses blood tests for GSTT, is still undertaking the work, despite being hit on Monday by a large-scale ransomware attack that has caused serious problems for the NHS.

A GSTT clinical staff member said: “Since the attack, Synnovis have had to print out the blood test results when they get them from their laboratories, which are on site at Guy’s and St Thomas.

“Porters collect them and take them up to the ward where that patient is staying or [to the] relevant department which is in charge of their care. The doctors and nurses involved in their care then analyse them and decide on that person’s treatment, depending on what the blood test shows.

“This is happening because Synnovis’s IT can’t communicate with ours due to the cyber-attack. Usually blood test results are sent electronically, but that’s not an option just now.”

The disclosure came as more details emerged about the impact of the latest hacking incident to hit the NHS, which Ciaran Martin, the former chief executive of the National Cyber Security Centre, said had been perpetrated by Russian cybercriminals.

https://www.theguardian.com/society/art ... ber-attack

RTH10260 · #202

Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs

Jun 05, 2024
NewsroomCyber Attack / Online Security

Popular video-sharing platform TikTok has acknowledged a security issue that has been exploited by threat actors to take control of high-profile accounts on the platform.

The development was first reported by Semafor and Forbes, which detailed a zero-click account takeover campaign that allows malware propagated via direct messages to compromise brand and celebrity accounts without having to click or interact with it.

The exploit has been found to take advantage of a zero-day vulnerability in the messaging component that allows malicious code to be executed as soon as the message is opened.

It's currently unclear how many users have been affected, although a TikTok spokesperson said that the company has taken preventive measures to stop the attack and stop it from happening again in the future.

The company further said that it's working directly with impacted account holders to restore access and that the attack only managed to compromise a "very small" number of users. It did not provide any specifics about the nature of the attack or the mitigation techniques it had employed.

This is not the first time security issues have been uncovered in the widely-used service. In January 2021, Check Point detailed a flaw in TikTok that could have potentially enabled an attacker to build a database of the app's users and their associated phone numbers for future malicious activity.

https://thehackernews.com/2024/06/celeb ... mised.html

RTH10260 · #203

Popular WordPress Plugins Leave Millions Open to Backdoor Attacks

DEEBA AHMED
JUNE 3, 2024

Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP Statistics and LiteSpeed! Learn how these attacks work, the impact they have, and how to fortify your site with a multi-layered defence.

WordPress, the globally used content management system (CMS) powering millions of websites, is being abused in attacks exploiting unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities, warns cloud security provider Fastly. The company discovered active exploitation attempts targeting three high-severity vulnerabilities in popular WordPress plugins.

According to Fastly’s blog post, attackers are injecting malicious scripts and backdoors into websites to create new admin accounts, inject PHP backdoors in plugin and theme files, and set up tracking scripts to monitor infected targets. The malicious payloads were referenced in five domains and with two additional tracking-based domains previously associated with WordPress plugin exploitation.

Vulnerable plugins include WP Meta SEO, and the popular WP Statistics and LiteSpeed Cache plugins, boasting over 600,000 and 5 million active installations respectively, were found vulnerable to attacks, with malicious payloads injected via URL search parameters and scripts disguised as admin notifications, potentially leading to widespread compromise.

https://hackread.com/popular-wordpress- ... or-attack/

RTH10260 · #204

Lost in the Fog: A New Ransomware Threat

June 4, 2024
by Stefan Hostetler, Steven Campbell, Christopher Prest, Connor Belfiore, Markus Neis, Joe Wedderspoon, Rick McQuown and Arctic Wolf Labs Team
Summary

On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector.

We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.

About Fog Ransomware

Starting in early May, the Arctic Wolf Incident Response team began investigating cases involving the deployment of the Fog ransomware variant against US organizations in the education and recreation sectors.

We refer to Fog as a ransomware variant rather than a group to distinguish between the entities responsible for creating the encryptor software and those conducting the hands-on-keyboard attacks against victims. This is a critical distinction because ransomware groups sometimes project an image of being a singular group when they are in fact composed of independent affiliate groups. At this time, the organizational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown.

In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials. Notably, the remote access occurred through two separate VPN gateway vendors. The last documented threat activity in our cases occurred on May 23, 2024.

Early in one of the cases, pass-the-hash activity was observed against administrator accounts which were subsequently used to establish RDP connections to Windows Servers running Hyper-V and Veeam. In another case, evidence of credential stuffing was observed, which was thought to facilitate lateral movement throughout the environment. In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts.

On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors. Threat actors were observed encrypting VMDK files in VM storage and deleting backups from object storage in Veeam. Threat actors left behind ransom notes on affected systems and deployed a functionally identical ransomware payload in all cases. Other than a unique chat code, the ransom notes were identical. Other than the .onion address used for communication between the victim and threat actor, we have not observed an additional dark web presence such as a data leak site.

RTH10260 · #205

MACs no longer a "protected species" when it comes to hacking

Fake Meeting Software Spreads macOS Infostealer

18 JUN 2024
Kevin Poireault Reporter, Infosecurity Magazine

Insikt Group, cybersecurity provider Recorded Future’s threat intelligence service, has observed a widespread malicious campaign targeting cryptocurrency users and involving Vortax, a fake virtual meeting software.

Vortax has a presence on social media and is marketed as a cross-platform and in-browser enterprise-focused alternative to other video chat services that leverages artificial intelligence to generate meeting summaries and action items and suggest questions or comments with its “MeetingGPT” product.

It maintains a Medium blog (medium[.]com/@vortax) with approximately 22 suspected AI-generated articles published between December 7 and 16, 2023. On X (formerly Twitter), the Vortax account even has a gold tick, meaning it is designated as a ‘Verified Organization.’

However, once installed, Vortax delivers three information stealers (infostealers) in cross-platform attacks (Rhadamanthys, Stealc and Atomic macOS Stealer, or AMOS) in an extensive campaign aimed at cryptocurrency theft.

The third infostealer, AMOS, is of particular importance to the researchers because it’s a rare occurrence of a macOS infostealer, which is less common than its Windows counterparts.

Rise in macOS Infostealers

Upon further investigation of the Vortax application, its network of associated accounts, and the malware it deployed, Insikt Group identified 23 other malicious macOS applications masquerading as legitimate. Most of these were targeting virtual meeting software and cryptocurrency users.

Insikt Group researchers also identified connections between the Vortax campaign and a previous infostealer campaign targeting web3 gaming projects.

“Based on these findings, we are confident that the two campaigns are affiliated with the same threat actor – previously identified by Insikt Group as using the AMOS UserID ‘markopolo’,” the researchers wrote.

“This scaled campaign is likely indicative of a widespread credential harvesting operation, which could imply that markopolo acts as an initial access broker (IAB) or ‘log vendor’ on a dark web shop, such as Russian Market or 2easy Shop; however, we have no evidence to make that assessment, as of this writing.”

In the previous report, Insikt Group also observed that mentions of macOS malware and exploit kits increased by 79% between 2022 and 2023 - a trend likely accelerated by increased use of the AMOS infostealer.

“Given its tight-knit community, we assess that other operators of AMOS will likely model future campaigns after the success of markopolo. This may result in a wider proliferation of AMOS in the wild, accompanied by diverse and wide-ranging campaigns attributed to individual threat actors, exacerbating the long-term threat of a less secure landscape for macOS users,” the researchers concluded.

https://www.infosecurity-magazine.com/n ... fostealer/

RTH10260 · #206

UK

Records on 300m patient interactions with NHS stolen in Russian hack
Exclusive: Health service scrambling to set up helpline after Qilin gang put stolen data into public domain overnight

Denis Campbell and Dan Milmo
Fri 21 Jun 2024 14.34 CEST

Russian hackers have stolen records covering 300m patient interactions with the NHS, including the results of blood tests for HIV and cancer, the Guardian can reveal.

The amount and sensitive nature of the data obtained by the Qilin hacking gang has caused alarm among NHS bosses, who are scrambling to set up a helpline to deal with inquiries from what could be a large number of worried patients and also health service staff.

Seven hospitals run by two NHS trusts were affected by the attack, which targeted Synnovis, a private/NHS joint venture that provides pathology services such as blood tests and transfusions. It is unclear at this stage if the hack involves only hospitals in the trusts or is more widespread.

The NHS’s anxiety about the impact of the attack increased on Friday after Qilin acted overnight on a threat to put stolen NHS data into the public domain, an indication that Synnovis has refused to pay a reported $50m (£40m) ransom.

It is as yet unclear exactly what data, or how much of the haul, the ransomware group has made public. But the stolen data includes details of the results of blood tests conducted on patients having many types of surgery, including organ transplants, or suspected of having a sexually transmitted infection, or who have had a blood transfusion, well-placed sources have disclosed.

In a development that will cause anxiety among patients who have received private healthcare in recent years, Qilin’s haul is understood to include records of tests that people have had at multiple private healthcare providers. It is not clear which private healthcare firms Synnovis – a joint venture between the pathology firm Synlab and two major London acute hospital trusts – works for.

The number of test results in the data that Qilin seized in the hack on 3 June is so huge because it covers tests that patients have had going back a significant number of years, sources say.

https://www.theguardian.com/society/art ... ssian-hack

RTH10260 · #207

HealthEquity data breach exposes protected health information

By Bill Toulas
July 3, 2024 03:34 PM 0

Healthcare fintech firm HealthEquity is warning that it suffered a data breach after a partner's account was compromised and used to access the Company's systems to steal protected health information.

The Company says it detected the compromise after detecting 'anomalous behavior' from a partner's personal device and launched an investigation into the incident.

The investigation revealed that the partner had been compromised by hackers who leveraged the hijacked account to gain unauthorized access to HealthEquity's systems and, later, exfiltrate sensitive health data.

"The investigation concluded that the Partner's user account had been compromised by an unauthorized third party, who used that account to access information," reads the SEC filing.

"The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members."

"The investigation further concluded that some information was subsequently transferred off the Partner's systems."

HealthEquity specializes in providing health savings account (HSA) services and other consumer-directed benefits solutions, including flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans.

It is one of the largest HSA custodians in the United States, managing millions of HSA, FSA, HRA, and other benefit accounts, and working with numerous employers and health plans.

The exact impact and number of people affected by the security incident haven't been disclosed, though HealthEquity says it has begun notifying impacted individuals.

https://www.bleepingcomputer.com/news/s ... formation/

RTH10260 · #208

A Hacker Stole OpenAI Secrets, Raising Fears That China Could, Too
A security breach at the maker of ChatGPT last year revealed internal discussions among researchers and other employees, but not the code behind OpenAI’s systems.

By Cade Metz
July 4, 2024

Early last year, a hacker gained access to the internal messaging systems of OpenAI, the maker of ChatGPT, and stole details about the design of the company’s A.I. technologies.

The hacker lifted details from discussions in an online forum where employees talked about OpenAI’s latest technologies, according to two people familiar with the incident, but did not get into the systems where the company houses and builds its artificial intelligence.

OpenAI executives revealed the incident to employees during an all-hands meeting at the company’s San Francisco offices in April 2023 and informed its board of directors, according to the two people, who discussed sensitive information about the company on the condition of anonymity.

But the executives decided not to share the news publicly because no information about customers or partners had been stolen, the two people said. The executives did not consider the incident a threat to national security because they believed the hacker was a private individual with no known ties to a foreign government. The company did not inform the F.B.I. or anyone else in law enforcement.

For some OpenAI employees, the news raised fears that foreign adversaries such as China could steal A.I. technology that — while now mostly a work and research tool — could eventually endanger U.S. national security. It also led to questions about how seriously OpenAI was treating security, and exposed fractures inside the company about the risks of artificial intelligence.

After the breach, Leopold Aschenbrenner, an OpenAI technical program manager focused on ensuring that future A.I. technologies do not cause serious harm, sent a memo to OpenAI’s board of directors, arguing that the company was not doing enough to prevent the Chinese government and other foreign adversaries from stealing its secrets.

https://www.nytimes.com/2024/07/04/tech ... -hack.html

RTH10260 · #209

Ransomware Eruption: Novel Locker Malware Flows From ‘Volcano Demon'
Attackers clear logs before exploitation and use "no caller ID" numbers to negotiate ransoms, complicating detection and forensics efforts.

Elizabeth Montalbano, Contributing Writer
July 3, 2024

A double-extortion ransomware player has exploded onto the scene with several attacks in two weeks, wielding innovative locker malware and a slew of evasion tactics for covering its tracks and making it difficult for security experts to investigate.

Tracked as "Volcano Demon" by the researchers at Halcyon who discovered it, the newly discovered adversary is characterized by never-before-seen locker malware, dubbed LukaLocker, that encrypts victim files with the .nba file extension, according to a blog post published this week.

The attacker's evasion tactics include the installation of limited victim logging and monitoring solutions prior to exploitation and the use of "threatening" phone calls from "No Caller ID" numbers to extort or negotiate a ransom.

"Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks," the Halcyon Research Team wrote in the post. Volcano Demon also has no leak site for posting data it steals during its attacks, though it does use double extortion as a tactic, the team said.

In its attacks, Volcano Demon used common administrative credentials harvested from the networks of its victims to load a Linux version of LukaLocker, then successfully locked both Windows workstations and servers. Attackers also exfiltrated data from the network to its own command-and-control server (C2) prior to ransomware deployment so it could use double extortion.

A ransom note instructs victims to contact attackers through the qTox messaging software and then wait for technical support to call them back, making it difficult to track the communication between the parties, according to Halcyon.

https://www.darkreading.com/cyberattack ... cano-demon

RTH10260 · #210

SUPER-GAU

AT&T says hackers stole call records of ‘nearly all’ wireless customers
The information could provide a roadmap for criminals who could impersonate a friend or relative to trick a victim, experts warned.

By Joseph Mennand Aaron Gregg
Updated July 12, 2024 at 3:52 p.m. EDT|Published July 12, 2024 at 8:37 a.m. EDT

Hackers stole records detailing the phone contacts of almost all AT&T Wireless customers in one of the most serious breaches of sensitive consumer data in recent years, the company disclosed in a securities filing Friday.

The cache includes the numbers called or texted by more than 100 million customers between May 1 and Oct. 31, 2022, as well as one day in January 2023. It contains the numbers themselves as well as the frequency and combined durations of the interactions, but not the customer names or the content of those communications, AT&T said.

Since most numbers can be tied to real names, such records illuminate who is close to whom. That would provide a road map for criminals who could impersonate a friend or relative to trick a victim. Texts from financial institutions could be mimicked to get an account holder to divulge passwords, and workplace relationships could reveal the identity of U.S. spies.

“This data could be used by spies, scammers and other bad actors to target specific people or to improve the feasibility of scams by impersonating the numbers of people you regularly call,” said technologist Cooper Quintin of the Electronic Frontier Foundation.

The ability of U.S. intelligence to access similar calling records was one of the most alarming and impactful revelations by federal contractor Edward Snowden a decade ago. Now a large swath of it might be for sale to criminals and other governments.

AT&T said it had not detected the material being made public, and it said one person had been arrested. The company said it learned of the theft in April but delayed disclosing it — as required under recently adopted Securities and Exchange Commission regulations — at the request of law enforcement, for national security or public safety reasons, the first time such a delay has been disclosed.

Justice Department spokesman Joshua Stueve confirmed that the FBI had invoked the legal provision allowing the delay, and said AT&T had aided the investigation. He did not say how the breach could have impacted national security. The Federal Communications Commission said it was also investigating.

While Social Security and credit card numbers were not included in the breach, the identity of cell towers for an undisclosed number of customers was, and those would point to their physical locations.

Even without that location data, hackers could work out relationship webs, experts warned. Someone targeting a criminal prosecutor or police officer might be able to identify a close relative and then use that number to find out where they live. Spurned romantic partners could do the same.

https://www.washingtonpost.com/business ... ta-breach/
Share link https://wapo.st/4bND1zW

RTH10260 · #211

Ransomware attack hits Florida blood donation center that services more than 350 hospitals

By Emily Mae Czachor
Updated on: July 31, 2024 / 3:01 PM EDT / CBS News

A cyberattack on the nonprofit blood donation center OneBlood is stifling operations at an organization that normally services more than 350 hospitals across four states, the organization announced on Wednesday.

The breach, which was first reported by CNN, targeted OneBlood's software system and is being investigated as a ransomware event — where hackers break into a company's online network and essentially block access to important files until a ransom is paid.

OneBlood, which is based in Orlando, said it is working with cybersecurity specialists as well as federal, state and local authorities as they move ahead with a "comprehensive response" to the attack. While donation centers are continuing to collect, test and distribute blood, the organization noted that "they are operating at a significantly reduced capacity."

"OneBlood takes the security of our network extremely seriously. Our team reacted quickly to assess our systems and began an investigation to confirm the full nature and scope of the event," said Susan Forbes, the senior vice president of corporate communications and public relations at OneBlood, in a statement. "Our comprehensive response efforts are ongoing and we are working diligently to restore full functionality to our systems as expeditiously as possible."

In the meantime, Forbes said that OneBlood is carrying out normal operations and procedures manually, to the extent that's feasible.

https://www.cbsnews.com/news/ransomware ... d-florida/

RTH10260 · #212

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

July 15, 2024

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

Until this past weekend, Squarespace’s website had an option to log in via email.

The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors’ cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks.

https://krebsonsecurity.com/2024/07/res ... s-hijacks/

RTH10260 · #213

sh*t happens - even to the best ...

Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services

July 26, 2024

Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder at third-party services that allow logins through Google’s “Sign in with Google” feature.

Last week, KrebsOnSecurity heard from a reader who said they received a notice that their email address had been used to create a potentially malicious Workspace account that Google had blocked.

“In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request,” the notice from Google read. “These EV users could then be used to gain access to third-party applications using ‘Sign In with Google’.”

In response to questions, Google said it fixed the problem within 72 hours of discovering it, and that the company has added additional detection to protect against these types of authentication bypasses going forward.

Anu Yamunan, director of abuse and safety protections at Google Workspace, told KrebsOnSecurity the malicious activity began in late June, and involved “a few thousand” Workspace accounts that were created without being domain-verified.

Google Workspace offers a free trial that people can use to access services like Google Docs, but other services such as Gmail are only available to Workspace users who can validate control over the domain name associated with their email address. The weakness Google fixed allowed attackers to bypass this validation process. Google emphasized that none of the affected domains had previously been associated with Workspace accounts or services.

“The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process,” Yamunan said. “The vector here is they would use one email address to try to sign in, and a completely different email address to verify a token. Once they were email verified, in some cases we have seen them access third party services using Google single sign-on.”

Yamunan said none of the potentially malicious workspace accounts were used to abuse Google services, but rather the attackers sought to impersonate the domain holder to other services online.

In the case of the reader who shared the breach notice from Google, the imposters used the authentication bypass to associate his domain with a Workspace account. And that domain was tied to his login at several third-party services online. Indeed, the alert this reader received from Google said the unauthorized Workspace account appears to have been used to sign in to his account at Dropbox.

Google said the now-fixed authentication bypass is unrelated to a recent issue involving cryptocurrency-based domain names that were apparently compromised in their transition to Squarespace, which last year acquired more than 10 million domains that were registered via Google Domains.

https://krebsonsecurity.com/2024/07/cro ... -services/

RTH10260 · #214

National Public Data confirms massive data breach included Social Security numbers
Social Security numbers, names, addresses, email addresses and phone numbers were in the 2.9 billion records within a data breach. Security firm Pentester.com tool tells you if your data is involved.

Mike Snider USA TODAY
14 hours ago

National Public Data, which aggregates data to provide background checks, has confirmed it suffered a massive data breach involving Social Security numbers and other personal data on millions of Americans.

The Coral Springs, Florida company posted on its website a notice that "there appears to a have been a data security incident that may have involved some of your personal information. The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024."

News about the breach first came from a class action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, and first reported on by Bloomberg Law. Stolen from National Public Data (NPD) were 2.9 billion records including names, addresses, Social Security numbers and relatives dating back at least three decades, according to law firm Schubert, Jonckheer & Kolbe, which filed the suit.

NPD said the breached data included names, email addresses, phone numbers and mailing addresses, as well as Social Security numbers. The company said it is cooperating with investigators and has "implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems."

https://eu.usatoday.com/story/tech/2024 ... 843810007/

RTH10260 · #215

China's Volt Typhoon Exploits Zero-Day in Versa's SD-WAN Director Servers
So far, the threat actor has compromised at least five organizations using CVE-2024-39717; CISA has added bug to its Known Exploited Vulnerability database.

Jai Vijayan, Contributing Writer
August 27, 2024

China's notorious Volt Typhoon group has been actively exploiting a zero-day bug in Versa Networks' Director Servers, to intercept and harvest credentials to be used future attacks.

The bug, now patched and tracked as CVE-2024-39717, affects all versions of Versa Director prior to 22.1.4, and has to do with a feature that lets users customize the look and feel of its graphical user interface (GUI). Versa Director servers are a component of Versa Networks' software-defined wide area networking (SD-WAN) technology. They allow organizations to centrally configure, manage and monitor network devices manage, traffic routing, security policies and other aspects of a SD-WAN environment. Its customers include ISPs, MSP and many larger organizations.

Dan Maier, CMO at Versa, says the vulnerability can be seen as a privilege escalation bug, because the attacker is harvesting credentials to gain privileged access. He notes that attackers gain initial access to Versa Director via high-availability management ports 4566 and 4570 if they're left open and available over the Internet.

"Once the attackers gain initial access, they escalate privileges to gain highest-level administrator credentials," Maier says, adding that Versa has always instructed customers to limit access to such high-availability ports.

https://www.darkreading.com/cyberattack ... or-servers

RTH10260 · #216

Unicoin Staff Locked Out of G-Suite in Mystery Attack

19 Aug 2024
Phil Muncaster UK / EMEA News Reporter, Infosecurity Magazine

A leading cryptocurrency firm has admitted that its employees were unable to use their corporate productivity apps for four days after a threat actor removed access.

Unicoin is the official cryptocurrency of reality TV show Unicorn Hunters, self-described as a “more stable alternative” to most digital currencies.

The firm revealed in a Form 8-K SEC filing last week that on August 9, it detected that an unknown threat actor had managed to access its Google G-Suite account.

The individual changed the passwords “of all users of the company’s G-Suite products (i.e., G-Mail, G-Drive and other related G-Suite functionality), thereby denying access to all users having an @unicoin.com email address,” the filing continued.

“On or about August 13, 2024, the company was able to remove the threat actor’s access to the G-Suite accounts and restore access to its internal users,” it added. “The company is examining the information accessed to determine and mitigate the impact of the event. The company also continues to investigate the extent of the event.”

https://www.infosecurity-magazine.com/n ... ut-gsuite/

RTH10260 · #217

Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection
Analysts have been picking up increased cases of malware delivery via Windows Installer files in Southeast Asia.

Nate Nelson, Contributing Writer
August 22, 2024

Chinese language hackers are taking advantage of the Windows Installer (MSI) file format to bypass standard security checks.

Hackers are known to deliver malware in the same sorts of familiar formats: executables, archive and Microsoft Office files, and so on. A new malware loader targeting Chinese and Korean speakers, which researchers from Cyberint have labeled "UULoader," comes in the somewhat less common MSI form.

In fact, Cyberint isn't the only vendor to have spotted an uptick in malicious MSIs from Asia this summer. The budding trend may be in part thanks to some novel stealth tactics that are allowing threat actors to ignore its shortcomings and take advantage of its strengths.

"It's not really common, [since] malicious MSI files do get flagged quite easily by static scanners," explains Cyberint security researcher Shaul Vilkomir Preisman. "But if you employ a few clever, little tricks — like file header stripping, employing a sideloader, and stuff like that — it'll get you through."

https://www.darkreading.com/threat-inte ... -detection

RTH10260 · #218

Critical Authentication Flaw Haunts GitHub Enterprise Server
GitHub patches a trio of security defects in the GitHub Enterprise Server product and recommends urgent patching for corporate users.

ByRyan Naraine
August 21, 2024

GitHub has released an urgent fix for a trio of security defects in the GitHub Enterprise Server product and warned that hackers can exploit one of the flaws to gain site administrator privileges.

The most severe issue is tracked as CVE-2024-6800 and covers a vulnerability that allows an attacker to manipulate SAML SSO authentication to provision and/or gain access to a user account with site administrator privileges.

The vulnerability carries a CVSS severity score of 9.5/10 and is described as an XML signature wrapping bug in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity providers.

“This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication,” according to the advisory.

https://www.securityweek.com/critical-a ... se-server/

RTH10260 · #219

North Korean Hackers Deploy New MoonPeak Trojan in Cyber Campaign

Aug 21, 2024
Ravie Lakshmanan Cyber Espionage / Malware

A new remote access trojan called MoonPeak has been discovered as being used by a state-sponsored North Korean threat activity cluster as part of a new campaign.

Cisco Talos attributed the malicious cyber campaign to a hacking group it tracks as UAT-5394, which it said exhibits some level of tactical overlaps with a known nation-state actor codenamed Kimsuky.

MoonPeak, under active development by the threat actor, is a variant of the open-source Xeno RAT malware, which was previously deployed as part of phishing attacks that were designed to retrieve the payload from actor-controlled cloud services like Dropbox, Google Drive, and Microsoft OneDrive.

Some of the key features of Xeno RAT include the ability to load additional plugins, launch and terminate processes, and communicate with a command-and-control (C2) server.

Talos said the commonalities between the two intrusion sets either indicate UAT-5394 is actually Kimsuky (or its sub-group) or it's another hacking crew within the North Korean cyber apparatus that borrows its toolbox from Kimsuky.

Key to realizing the campaign is the use of new infrastructure, including C2 servers, payload-hosting sites, and test virtual machines, that have been created to spawn new iterations of MoonPeak.

https://thehackernews.com/2024/08/north ... y-new.html

RTH10260 · #220

New Backdoor Targeting Taiwan Employs Stealthy Communications
Previously unseen backdoor communicates with command-and-control server using DNS traffic.

20 Aug, 2024
Threat Hunter Team Symantec

A previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique was deployed in an attack against a university in Taiwan.

The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic. While the technique is known and has been used by multiple threat actors, it is nevertheless something that is not often seen.

https://symantec-enterprise-blogs.secur ... alware-dns