News Items

After Berlin agreed to send its advanced Leopard 2 tanks to Ukraine, Russia-backed threat group Killnet retaliated with DDoS attacks aimed at Germany's government, banking, and airport sites. Germany's BSI federal agency, which oversees information security, stated that the attacks caused some minor outages but otherwise did little damage. BSI noted that currently, some websites are not accessible. According to the BSI's assessment, the DDoS attacks should not affect the targeted companies' services. Last fall, Killnet was behind similar DDoS attacks against US airports and has been escalating its nefarious cyber activities throughout Russia's invasion of Ukraine.

Dark Reading reports: "German Government, Airports, Banks Hit With Killnet DDoS Attacks"

Researchers discovered that threat actors could exploit a new Microsoft cloud authentication protocol to steal or fake cloud tickets as well as conduct lateral movement in cloud-based Azure AD Kerberos. According to researchers at Silverfort, the new attacks stem from well-known on-premises Kerberos attacks Silver Ticket and Pass The Ticket (PTT), which are used for lateral movement in Active Directory. As part of its cloud migration, Microsoft made Azure AD Kerberos available to authenticate access to cloud resources without requiring the on-premises AD version. Silverfort developed Bounce the Ticket and Silver Iodide, which are two variants of Silver Ticket and PTT that work for Azure AD Kerberos. According to the researchers, the new attacks provide malicious access to hosted infrastructure such as servers and storage. A Microsoft spokesman stated that this technique is not a vulnerability and that a potential attacker would need administrator or elevated rights to access the storage account data in order to use it. This article continues to discuss the vulnerability discovered by Silverfort researchers in Azure AD Kerberos, Microsoft's response to this discovery, and recommended mitigations.

SC Media reports "Mitigations Developed for Potential Lateral Movement on Azure AD Kerberos"

A database storing hundreds of thousands of unencrypted credit card numbers and cardholder information was found exposed on the Internet. The database had around 330,000 credit card numbers, cardholder names, and complete billing addresses when it was taken offline, with the amount of data growing in real-time as users placed new orders. The data included all the information a criminal would need to execute fraudulent purchases and transactions using a cardholder's information. The exposed credit card data belong to customers who made purchases through a network of nearly identical websites claiming to sell designer products. When a customer made a purchase on these websites, their credit card details and billing information were stored in a database that was left unprotected on the Internet. The unencrypted financial information was accessible to anyone who knew the database's IP address. Anurag Sen, a security researcher, discovered the exposed credit card records and requested assistance from TechCrunch in notifying the owner. Sen was not the first to uncover the exposed data, since a ransom message left on the exposed database indicated that the data had already been discovered. Instead of attempting to identify the owner and reporting the exposure appropriately, the unidentified individual claimed to have copied the records and demanded a small sum of cryptocurrency to return it. This article continues to discuss the exposure of customer credit cards by a network of knockoff apparel online stores.

TechCrunch reports "A Network of Knockoff Apparel Stores Exposed 330,000 Customer Credit Cards"

According to a new report from the GuidePoint Research and Intelligence Team (GRIT), ransomware activity increased from Q3 2022 to Q4 2022, with rebranded ransomware gangs significantly increasing the number of publicly claimed victims. No quarter of 2022 had less than 569 victims, with the biggest slowdown occurring in late June and early July, most likely due to the switch from Lockbit2 to Lockbit3 among threat actors. The cryptocurrency market's challenges could have also had an impact. On average, ransomware gangs were responsible for publicly sharing 6.87 victims each day to their respective leak sites throughout the year. GRIT tracked 54 groups implementing a double-extortion methodology as part of the report. Many of the groups were found to be using a Ransomware-as-a-Service (RaaS) model to boost productivity and maximize revenue. In every month in 2022, at least one new gang with double-extortion capabilities emerged. This article continues to discuss key findings from GRIT's report on ransomware attack trends in 2022.

BetaNews reports "Ransomware Groups Rebrand and Claim More Victims"

A Dutch hacker allegedly stole data on 9 million Austrian citizens via a misconfigured cloud database, thus leading to their recent arrest. The attack was first detected in May 2020 and involved the Fees Info Service (GIS), which is responsible for collecting TV and radio license fees in Austria. According to Austria's Federal Criminal Police Office (Bundeskriminalamt/BK), the GIS had hired an Information Technology (IT) company based in Vienna to work on its internal databases. The databases contained information about citizens' locations, which could be used to find anyone attempting to avoid paying a broadcast fee. One of the IT company's employees used GIS data during a test and left a database accessible online without protecting it. According to investigators, the hacker discovered the data via a search engine. The data is suspected of having impacted nearly all Austrian citizens, as the country has a population of approximately 9.1 million people. Names, dates of birth, and registration addresses were among the exposed data. This article continues to discuss the theft of data from a misconfigured cloud database that has impacted almost the entire Austrian population.

ITPro reports "Dutch Hacker Steals Data From Virtually Entire Population of Austria"

The UK has issued a warning about the threat posed by targeted spear-phishing attacks against organizations and individuals conducted by malicious threat actors in Russia and Iran. In an advisory, the National Cyber Security Centre (NCSC) detailed the attackers' methods and recommended mitigation strategies to tackle the ongoing threat. Throughout 2022, separate campaigns were launched by the Russia-based group SEABORGIUM and Iran-based group TA453, also known as APT42, to target various organizations and individuals in the UK and worldwide for information-gathering. According to the advisory, the attacks are not directed at the general public but rather at specific sectors, including academia, defense, government, non-governmental organizations, think tanks, politicians, journalists, and activists. This article continues to discuss the NCSC's warning about targeted spear-phishing campaigns carried out by cyber actors based in Russia and Iran.

HSToday reports "UK Warns of Targeted Phishing Attacks from Russia and Iran"

A leading UK bank has recently warned consumers about the rise of scams in which victims are asked to pay an upfront fee for a product or service that doesn't materialize. According to Lloyds Bank, so-called "advance fee" fraud surged by 82% year-on-year in 2022, with fake ads for loans, jobs, and rental properties among the most common tactics used by scammers. The lender claimed that the cost-of-living crisis may be forcing consumers into making risky decisions. The bank noted that this is especially true of loan fee scams, where fraudsters target people on low incomes or with a poor credit history in the hope they'll take the bait. They'll approve a loan no matter what the victim's credit history is and then request an upfront fee in order to receive the funds, which never arrive. Reports of loan fee scams have increased 105% year-on-year and continue to rise sharply. The company stated that the important thing to remember is that a genuine lender will always conduct thorough credit checks prior to agreeing a loan and won't ask for an upfront payment before releasing the funds. The average victim lost $881 last year, down significantly from $1479 in 2021. The bank noted that this could be because fraudsters are going for higher volumes of lower value scams. Those aged 25 - 44 years old are most likely to fall victim. People in this age range make up around half (49%) of all victims.

Infosecurity reports: "Lloyds Bank Warns of 80% Surge in Advance Fee Scams"

According to the Identity Theft Resource Center (ITRC), there were fewer compromises reported in the first half of 2022 due in part to Russia-based cybercriminals being distracted by the war in Ukraine and the volatility in the cryptocurrency markets. However, data breaches steadily escalated in the latter part of 2022. Since 2021, the number of affected victims (422.1 million) has increased by 41.5 percent. Cyberattacks continue to be the leading cause of data breaches. In 2022, the number of data breaches caused by supply chain attacks surpassed those caused by malware. Malware is commonly viewed as the core of most cyberattacks, but supply chain attacks surpassed malware-based attacks by 40 percent in 2022. More than 10 million people were affected by supply chain attacks targeting 1,743 organizations, according to the report. In comparison, 70 attacks involving malware impacted 4.3 million users. This article continues to discuss key findings from ITRC regarding data breaches in 2022.

Help Net Security reports "Supply Chain Attacks Caused More Data Compromises Than Malware"

At least two US federal agencies were victims of a malicious cyber campaign involving legitimate Remote Monitoring and Management (RMM) software to carry out a phishing scam. US cybersecurity authorities stated that cybercriminal actors sent phishing emails that led to the download of legitimate RMM software, such as ScreenConnect and AnyDesk, which was then used in a refund scam to steal money from victims' bank accounts. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory pertaining to the widespread campaign. The attacks, which occurred between mid-June and mid-September 2022, were financially motivated. However, threat actors could use the access for various activities, including selling it to other hacker groups. The use of remote software by hackers has long been a cause for concern, since it provides an effective approach to gaining local user access on a host without elevating privileges or gaining a foothold through other ways. This article continues to discuss the campaign involving legitimate RMM software.

THN reports "US Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software"

Belgian researchers successfully broke the SIKE cryptographic algorithm, a fourth and final-round candidate that the US National Institute of Standards and Technology (NIST) evaluated for its Post-Quantum Cryptography (PQC) standard. In roughly 62 minutes, Wouter Castryck and Thomas Decru, researchers at the KU Leuven research university in Leuven, Belgium, cracked the SIKE algorithm using a single core on a six-core Intel Xeon CPU E5-2630v2 at 2.60GHz. NIST expects its PQC standard algorithms to be resistant to post-quantum hacking techniques, so it decided not to standardize the SIKE algorithm. According to the Office of Management and Budget (OMB), the US must move its cryptographic systems to quantum-resistant cryptography by 2035, minimizing as much quantum risk as possible. However, quantum computers may be able to break classical encryption schemes by 2030. Therefore, affected companies must implement the PQC standards before quantum computers become fully operational. This article continues to discuss researchers cracking the SIKE PQC candidate algorithm, NIST's selection of cryptographic algorithms for PQC standardization, the challenges of creating such algorithms, and the importance of organizations implementing PQC standards before quantum computers become fully available.

CACM reports reports "NIST Post-Quantum Cryptography Candidate Cracked"

VMware has patched multiple vulnerabilities in its vRealize Log Insight appliance, tracked as CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711. The log collection and analytics virtual appliance allows administrators to gather, view, manage, and analyze syslog data. Log Insight monitors application logs, network traces, configuration files, messages, and performance data in real-time. The product's most severe vulnerabilities include a directory traversal flaw and a broken access control vulnerability. An unauthenticated attacker can exploit one of the two vulnerabilities to inject files into an impacted appliance's operating system, resulting in Remote Code Execution (RCE). This article continues to discuss the potential exploitation and impact of the vulnerabilities in the VMware vRealize Log Insight appliance.

Security Affairs reports "VMware Warns of Critical Code Execution Bugs in vRealize Log Insight"

The professional rugby union club Stade Francais exposed its followers to security risks for almost a year after its website's source code leaked. Stade Francais is a Paris-based rugby union club with hundreds of thousands of devoted social media fans. Researchers at Cybernews found that the server hosting the official Stade Francais website was leaking its source code via the publicly accessible .git directory. Poor access control to .git directories potentially allowed threat actors to make unauthorized changes to the club's server. If the threat actors had exploited the vulnerability, user data may have been compromised, and the server could have been taken over. Unauthorized access to the website's .git directory made it possible for anyone to download the application's source code. It raises concerns because threat actors could have used this access to trick unsuspecting users into installing malicious applications. Threat actors could have also used the access to add skimmers that allow payment card stealers on the website's online store. This article continues to discuss the leak of the Stade Francais website's source code.

Cybernews reports "French Rugby Club Leaks Source Code"

Security researchers at Check Point have discovered that Yahoo knocked DHL off the top spot as the most imitated brand in the last quarter of 2022, now responsible for 20% of all phishing attempts recorded in the wild. The researchers stated that several cybercriminals had been found distributing emails with subject lines that told a recipient they had won prize money from initiatives organized by Yahoo worth hundreds of thousands of dollars. Email senders showed names such as "Award Promotion" or "Award Center." The phishing messages also warned that the target must refrain from telling people about winning the prize because of legal issues. It asked the recipient to share their personal information and bank details in order to receive the winning prize money into their accounts. As for other brands most impersonated in Q4 2022, DHL came in second place with 16% of all brand phishing attempts, and Microsoft followed in the third spot with 11%. The researchers noted that industry-wise, the technology sector was the most imitated by brand phishing in the last quarter of 2022, followed by shipping and social networks.

Infosecurity reports: "Yahoo Overtakes DHL As Most Impersonated Brand in Q4 2022"

Google has recently awarded a total of more than $25,000 to the researchers who reported the vulnerabilities patched with the release of a Chrome 109 update. The company informed users on Tuesday that six security holes have been patched in Chrome, including four reported by external researchers. Google noted that two of them are high-severity use-after-free issues affecting the WebTransport and WebRTC components. Researchers Chichoo Kim and Cassidy Kim have been credited for reporting the flaws, and they have earned a total of $19,000 for their findings. These vulnerabilities are tracked as CVE-2023-0471 and CVE-2023-0472. Google noted that use-after-free bugs affecting Chrome can typically be exploited for remote code execution and sandbox escapes, but in many cases, they need to be chained with other flaws. The latest Chrome update also fixes a medium-severity type confusion issue that earned a researcher $7,500 and a medium-severity use-after-free issue for which the reward has yet to be determined. Google noted that none of these vulnerabilities appear to have been exploited in the wild. According to Google's own data, eight Chrome flaws were exploited in attacks in 2022.

SecurityWeek reports: "Security Update for Chrome 109 Patches 6 Vulnerabilities"

A new Python-based malware with Remote Access Trojan (RAT) capabilities has been discovered in the wild, giving its operators control over compromised systems. The new RAT, dubbed "PY#RATION" by researchers at Securonix, leverages the WebSocket protocol to communicate with the command-and-control (C2) server and exfiltrate data from the target system. Since August 2022, when the PY#RATION campaign began, the researchers have observed various variants of the RAT, indicating its active development. The PY#RATION malware is spread via a phishing campaign involving password-protected ZIP attachments containing two shortcut .LNK files appearing as images. This article continues to discuss findings and observations regarding the PY#RATION RAT.

Bleeping Computer reports "New Stealthy Python RAT Malware Targets Windows in Attacks"

Cybersecurity Snapshots #38 -

Royal Ransomware

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published a report detailing the cybersecurity risks the K-12 education system faces, along with recommendations on how to secure it. Over the past four years, there have been thousands of cyber incidents involving K-12 institutions. The K-12 Cybersecurity Act of 2021 instructed CISA to review the cyber risks to elementary and secondary schools, evaluate challenges schools and school districts face in securing information systems, to provide recommendations on improving the protection of these systems, and develop an online training toolkit for school officials. CISA noted that discussions with stakeholder groups relevant to the K-12 education community revealed that the majority of them do not have the time or resources to secure information systems and sensitive student and employee records or to implement cybersecurity protocols. Most reported that the breadth of available cybersecurity information, like news coverage, conference panels, webinars, and more, only made matters more complicated. Nearly all reported that they needed simplicity, prioritization, and resources targeted to the unique needs and context of K-12 organizations. According to CISA, "with finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risk," such as deploying multi-factor authentication (MFA), patching known vulnerabilities, creating backups, and implementing cyber incident response plans and cybersecurity training programs. CISA also discovered that many school districts struggle with insufficient IT resources and cybersecurity capacity. CISA noted that this can be addressed by using free or low-cost services, by asking technology providers for strong security controls at no additional cost, by migrating IT services to more secure cloud versions, and by taking advantage of the State and Local Cybersecurity Grant Program (SLCGP). CISA stated that K-12 entities cannot singlehandedly identify and prioritize emerging threats, risks, and vulnerabilities. CISA recommended that they join relevant collaboration groups, work with other information-sharing organizations, and collaborate with CISA and FBI regional cybersecurity personnel. The agency recommends that all K-12 institutions start by investing in the most impactful security measures, which will allow them to eventually migrate to a mature cybersecurity plan. They should also prioritize investments in line with CISA's Cross-Sector Cybersecurity Performance Goals (CPGs).

SecurityWeek reports: "CISA Provides Resources for Securing K-12 Education System"

Security researchers at Neustar Security Services have discovered that only 49% of organizations based in EMEA and the US believe they have sufficient budget to meet their current needs, with many claiming funding may actually decrease in 2023. The researchers polled senior IT and security professionals from six markets across the US and EMEA to better understand their cyber risk challenges. The researchers found that budget was a pressing concern, with over one in 10 (11%) respondents claiming they only had enough to protect their most critical assets. More than a third (35%) admitted that budgets would stay flat or decline in 2023, potentially exposing their organization as a result. The researchers noted that even though the vast majority of respondents (83%) said their C-suite understands the gravity of the current threat landscape, 69% are concerned that budgetary challenges are restricting the deployment of new strategies and technologies. These concerns are particularly acute at a time when ransomware (75%), phishing (74%), DDoS (72%), targeted hacking (71%), and social engineering (71%) attacks are perceived to be on the rise. Respondents believe that the biggest threat to their security posture is the increased sophistication of attacks, cited by 60%. Other top concerns were listed as an increase in attacker activity (54%), budget constraints (35%), and an expanding attack surface (35%).

Infosecurity reports: "Just Half of Firms Have Sufficient Cybersecurity Budget"

An app operated by India's Education Ministry contains a security flaw that exposed the personal information of millions of students and teachers for over a year. The Digital Infrastructure for Knowledge Sharing (Diksha) app, which was launched in 2017, stored the data. During the height of the COVID-19 pandemic, when the Indian government was forced to close schools across the country, Diksha became a major tool for students to receive course materials and assignments from home. However, the cloud server storing Diksha's data was left unsecured, leaving the data of millions of individuals exposed to hackers, fraudsters, and anyone else who knew where to look. More than one million teachers' full names, phone numbers, and email addresses were included in files on the insecure server. Another file contained data on around 600,000 students. Although the students' email addresses and phone numbers were partially hidden, the data included their full names, where they went to school, their enrollment dates, and more. This article continues to discuss the mandatory app that exposed the personal information of students and teachers across India.

Wired reports "A Major App Flaw Exposed the Data of Millions of Indian Students"

Researchers at Bitdefender warn of a new wave of attacks exploiting known Microsoft Exchange vulnerabilities. At the end of November 2022, researchers observed an uptick in attacks involving ProxyNotShell/OWASSRF exploits targeting on-premises Microsoft Exchange deployments. The Server-Side Request Forgery (SSRF) attacks allow an attacker to send a specially crafted request from a vulnerable server to a second server. This allows them to gain access to the vulnerable server's resources and carry out malicious activities on the server. SSRF flaws are among the most commonly exploited vulnerabilities. If a web application is vulnerable to SSRF, an attacker could send a request from the vulnerable server to a local network resource that is normally inaccessible to the attacker. An attacker could also send a request to an external server, such as a cloud service, to perform actions on behalf of the vulnerable server. Multiple techniques are combined to establish exploit chains that result in Remote Code Execution (RCE) in the latest wave of attacks against Microsoft Exchange. This article continues to discuss findings regarding the new set of attacks targeting Microsoft Exchange.

SiliconANGLE reports "New Wave of Attacks Use Known Vulnerabilities to Target Microsoft Exchange"

LastPass' parent company GoTo has revealed that attackers stole customers' encrypted backups during a recent breach. LastPass initially confirmed the breach on November 30, 2022. At the time, the LastPass chief executive Karim Toubba stated that an unauthorized entity had accessed some customers' information stored in a third-party cloud platform shared by LastPass and GoTo. The attackers used information stolen during an earlier intrusion into LastPass' systems to further access the companies' shared cloud data. Now, about two months later, in a new statement, GoTo confirmed that the cyberattack affected several of its products, including the business communications tool Central, the online meetings service Join.me, the hosted Virtual Private Network (VPN) service Hamachi, and its Remotely Anywhere remote access tool. GoTo stated that the intruders stole encrypted backups from these services as well as the encryption key used by the company to secure the data. This article continues to discuss GoTo's confirmation that hackers stole customers' backups and the company's encryption key.

TechCrunch reports "LastPass Owner GoTo Says Hackers Stole Customers' Backups"

A security researcher recently published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device. The vulnerability is tracked as CVE-2022-38181 (CVSS score of 8.8). The issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022). The researcher stated that the issue is related to a special function for sending "job chains" to the GPU, which also supports jobs implemented in the kernel, which run on the CPU instead (which are called software jobs or softjobs). The researcher noted that due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this and involves a special type of GPU memory: the JIT memory. The researcher noted that some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can be used to add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed without freeing the pointer. The researcher discovered that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory. As a final step in exploiting the vulnerability, an attacker would need to "map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux." The researcher reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6. Initially, the Android team marked the flaw "high severity," but it then informed the researcher that no patch will be released and redirected the report to the Arm team. After Arm's patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices.

SecurityWeek reports: "Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones"

Palo Alto Networks recently warned of an increase in cyberattacks targeting CVE-2021-35394, a remote code execution (RCE) vulnerability in the Realtek Jungle SDK. The vulnerability was disclosed in August 2021, and the vulnerability impacts hundreds of device types that rely on Realtek's RTL8xxx chips, including routers, residential gateways, IP cameras, and Wi-Fi repeaters from 66 different manufacturers, including Asus, Belkin, D-Link, Huawei, LG, Logitech, Netgear, ZTE and Zyxel. The company noted that the bug allows unauthenticated attackers to execute code on vulnerable devices, gaining complete control over them. The first in-the-wild attacks targeting CVE-2021-35394 were observed days after details of the bug were made public, with an estimated one million devices exposed to attacks at the time. The company noted that as of December 2022, they observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks occurred after the start of August 2022. The end goal of many of the observed attacks was malware distribution, as threat groups are targeting the flaw in large-scale attacks aimed at Internet of Things (IoT) devices, which underscores the need for organizations to ensure that these devices are properly protected. A Shodan search performed by Palo Alto Networks security researchers has revealed the existence of more than 80 different IoT device models from 14 unique vendors that have port 9034 open. The researchers discovered that D-Link devices are the most popular devices (31 models), followed by LG (8) and Belkin and Zyxel (6 each). According to Palo Alto Networks, while the impacted vendors might have released software updates to resolve the issue or mitigation recommendations for their users, many organizations continue to use vulnerable devices. To date, the researchers observed three types of attacks: a script is used to fetch malware from a remote location, an injected command directly writes the payload to a file and executes it, or an injected command is used to cause a denial-of-service (DoS) condition. Most of the observed malicious payloads are Mirai, Gafgyt, and Mozi malware variants. A Golang-based distributed denial-of-service (DDoS) botnet called RedGoBot has been distributed as well, starting in early September 2022. An analysis of the observed 134 million exploit attempts shows that 30 regions were the source of attacks, with the US leading the fray at 48.3%, followed by Vietnam at 17.8%, and Russia at 14.6%.

SecurityWeek reports: "Attacks Targeting Realtek SDK Vulnerability Ramping Up"