🔒
There are new articles available, click to refresh the page.
Before yesterdaySecurity News

Hackers behind Twilio data breach also targeted Cloudflare employees

10 August 2022 at 13:48

Cloudflare revealed that at least 76 employees and their family members were targeted by smishing attacks similar to the one that hit Twilio.

The content delivery network and DDoS mitigation company Cloudflare revealed this week that at least 76 employees and their family members received text messages on their personal and work phones.

According to the company, the attack is very similar to the one that recently targeted the Communications company Twilio.

“Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees.” reads the announcement published by Cloudflare. While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications.”

cloudflare smishing

Cloudflare pointed out that its systems were not compromised, it also added that its Cloudforce One threat intelligence team was able to perform additional analysis of the attack.

The experts believe that this is a sophisticated attack targeting employees and systems of multiple organizations,

On July 20, 2022, the company received reports of employees receiving text messages containing links to what appeared to be a Cloudflare Okta login page. The company uses Okta as its identity provider and messages include a link to a phishing page that was designed to look identical to a legitimate Okta login page.  The attackers sent the messages to at least 76 employees in less than 1 minute, but the company security team was not able to determine how the threat actors obtained the list of employees’ phone numbers.

“They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989. They pointed to an official-looking domain: cloudflare-okta.com.” continues the report. “That domain had been registered via Porkbun, a domain registrar, at 2022-07-20 22:13:04 UTC — less than 40 minutes before the phishing campaign began.”

Once the recipient of the message has provided his credentials through the phishing page, the credentials were immediately sent to the attacker via the messaging service Telegram. Experts states that the real-time relay was crucial for the attackers because the phishing page would also prompt for a Time-based One Time Password (TOTP) code. Once obtained this info the attackers can access the victim company’s actual login page.

According to Cloudflare, only three employees fell for the phishing message and entered their credentials. However, the company does not use TOTP codes, instead, its employees use a FIDO2-compliant security YubiKey key. This means that without the hardware key, attackers cannot access the company systems even knowing the credentials.

Researchers also discovered that in some cases the phishing page was used to deliver the malicious payloads, including AnyDesk’s remote access software. The software would allow an attacker to control the victim’s machine remotely.

“We confirmed that none of our team members got to this step. If they had, however, our endpoint security would have stopped the installation of the remote access software.” concludes Cloudflare.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, smishing)

The post Hackers behind Twilio data breach also targeted Cloudflare employees appeared first on Security Affairs.

The Security Pros and Cons of Using Email Aliases

10 August 2022 at 15:10

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.

What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as [email protected] Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.

Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.

Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.

Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.

“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”

According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.

Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.

Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.

That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.

But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.

“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”

HaveIBeenPwned’s Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.

While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.

What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though this functionality is clearly spelled out in the email standard.

Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.

What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.

Former Twitter Employee Found Guilty of Spying for Saudi Arabia

10 August 2022 at 15:12
A former Twitter employee has been pronounced guilty for his role in digging up private information pertaining to certain Twitter users and turning over that data to Saudi Arabia. Ahmad Abouammo, 44, was convicted by a jury after a two-week trial in San Francisco federal court, Bloomberg reported Tuesday. He faces up to 20 years in prison when sentenced. The verdict comes nearly three years

Experts found 10 malicious packages on PyPI used to steal developers’ data

10 August 2022 at 15:14

10 packages have been removed from the Python Package Index (PyPI) because they were found harvesting data.

Check Point researchers have discovered ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that allow threat actors to steal the private data and personal credentials of the developers.

The researchers provide details about the malicious packages:

  • Ascii2text is a malicious package that mimics the popular art package by name and description. The code on the __init__.py file downloads and executes a malicious script that searches for local passwords and uploads them using a discord web hook.
  • Pyg-utilsPymocks and PyProto2 are malicious packages to that allows attackers to steal users’ AWS credentials.
  • Free-net-vpn and Free-net-vpn2 are malicious packages developed to target environment variables.
  • Test-async downloads and executes malicious payloads.
  • Zlibsrc downloads and executes malicious payloads.
  • Free-net-vpn and Free-net-vpn2 are malicious packages that target environment variables.
  • WINRPCexploit a malicious package that steals users’ credentials as part of its setup.py installation script.
  • Browserdiv is able to steal the installers credentials by collecting and sending them to a predefined discord webhook.
PyPI 2
Ascii2Text The malicious snippet inside the __init__.py

Unfortunately, in recent months, many other malicious packages have been found on the official PyPI repository.

In June 2022, Sonatype researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal secrets (i.e. AWS credentials and environment variables) and also upload these to a publicly exposed endpoint.

In November 2021, JFrog researchers discovered 11 malicious Python packages in the Python Package Index (PyPI) repository that can steal Discord access tokens, passwords, and even carry out dependency confusion attacks.

Supply chain attacks are designed to exploit trust relationships between an organization and external parties. These relationships could include partnerships, vendor relationships, or the use of third-party software. Cyber threat actors will compromise one organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to other organizations’ environments.” concludes the report. “Such attacks became more frequent and grew in impact in recent years, therefore it is essential developers make sure are keeping their actions safe, double checking every software ingredient in use and especially such that are being downloaded from different repositories, especially ones which were not self-created.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, PyPI)

The post Experts found 10 malicious packages on PyPI used to steal developers’ data appeared first on Security Affairs.

Risky Business: Enterprises Can’t Shake Log4j flaw

10 August 2022 at 17:17

70% of Large enterprises that previously addressed the Log4j flaw are still struggling to patch Log4j-vulnerable assets.

INTRODUCTION

In December 2021 security teams scrambled to find Log4j-vulnerable assets and patch them. Eight months later many Global 2000 firms are still fighting to mitigate the digital assets and business risks associated with Log4j. The ease of Log4j vulnerability exploitation coupled with the critical nature of the bug, which allows attackers to run arbitrary code inside cloud and company networks, is driving a business-risk imperative to find vulnerable assets and patch them fast.  

Log4j CVE-2021-44832

An examination by CyCognito of large enterprise external attack surfaces found 70% of firms that previously addressed Log4j in their attack surface are still struggling to patch Log4j-vulnerable assets and prevent new instances of Log4j from resurfacing within their IT stack.

Our research highlights business continuity risks such as digital asset sprawl, subsidiary risk and the importance of reducing the time it takes to identify a vulnerable Log4j asset and patch it.

Log4j: Analysis of Current and Lasting Legacy

On Dec. 9, 2021 the Log4j critical vulnerability (CVE-2021-44228) was first identified and was assigned a severity rating of 10 out of 10. It is a remote code execution class flaw found in the Apache Log4j library (part of the Apache Logging Project). This Log4j vulnerability is considered extremely dangerous because it is easy to exploit and soon after its discovery a public proof-of-concept became available.

Eight months later, Log4j has proven to be one of the worst vulnerabilities of the last few years, if not decade.

A July report (PDF) by the U.S. Department of Homeland Security stated: “The Log4j event is not over. Log4j remains deeply embedded in systems, and even within the short period available for our review, community stakeholders have identified new compromises, new threat actors, and new learnings.”

Report Highlights:

Our exclusive analysis of Log4j examines the external attack surfaces of three dozen Global 2000 companies, securely protected by CyCognito solutions. This report underscores the Log4j cybersecurity risks facing non-CyCognito customers and the at large cybersecurity community.

Incidents of vulnerable Log4j assets discovered by the CyCognito platform are based on simulated adversarial scans of exposed assets in the wild. These instances of Log4j (now mitigated) represented briefly exposed assets that, if overlooked, could have allowed an attacker access to the cloud or on-premises assets and networks of these organizations.   

Top Log4j Takeaways for July 2022:  

  • Instances of Log4j-vulnerable assets are growing, not shrinking within a subset of companies examined.
  • Some firms are seeing a doubling of Log4j-vulnerable digital assets within their external attack surface – not a decrease.
  • Only 30% of firms with at least one past Log4j issue had no Log4j-vulnerable assets at the time of our analysis.
  • Of those exposed Log4j-vulnerable assets, the most common were web applications.

Drilling Down on Data Points

Growing not Shrinking: After eradicating an external attack surface of Log4j-vulnerable digital assets, new instances of Log4j-vulnerable systems have come back online. 

Of those firms with at least one Log4j vulnerability discovered in January 2022, 62% continued to report one or more Log4j-vulnerable assets exposed in July. Research did not indicate whether those were new or existing exposures.

Of the firms that did have an exposed asset in July, 38% experienced a gain of one or more Log4j-vulnerable assets. Data indicates that, for many companies, instances of new Log4j exposed assets remains a growing problem.   

Double the Log4j Trouble: An examination of organizations revealed 21% of those with vulnerable assets in July experienced a triple-digit percentage growth in the number of exposed Log4j-vulnerable assets compared to January.

While the initial number of vulnerable assets were small within each organization examined, over a half-dozen are seeing a steady increase in the number of Log4j-vulnerable assets. One firm, with seven exposed assets in February of 2022 had 39 exposed assets in July.

Success Rates Rare: The number of organizations that experienced a drop in vulnerable assets was 38%. In each of those instances, CyCognito found zero instances of Log4J in their internet exposed attack surface in July.

Thirty-four percent of those firms with over one vulnerable asset in January had the same number of assets exposed in July.

Web App Worries: Breaking down the numbers even more, data reveals those firms with vulnerable assets had a greater number of web applications vulnerable to a Log4j exploit versus other types of systems.

This is concerning given web apps are high risk for business and their users alike because they often access or contain sensitive financial, confidential, or personally identifiable information.

Why Businesses are Struggling to Quash Log4j  

A CyCognito analysis of why companies are struggling to squelch Log4j vulnerabilities once and for all are multifold.

First, organizations have underestimated the deep-rooted prevalence of Log4j software, and software vendors have not yet rid their products of the vulnerable Log4j code. The battle to mitigate Log4j-vulnerable assets is exacerbated by new instances of exploitable Log4j being introduced to an attack surface.

Further driving this trend is attack surface sprawl, subsidiary and business-unit risk, mergers and acquisitions (M&A) and a lag in the time to remediate vulnerabilities (known as mean-time-to-remediate, or MTTR). 

CyCognito found that among Global 2000 companies, M&A activity is growing or shrinking an organization’s attack surface by 5.5% each month (PDF). Organizations were initially unaware of 10-to-30% of their subsidiaries, according to separate CyCognito research published in June.

(See related CyCognito June report: “Anybody Got a Map?”)

The global consultancy Bain & Company reports that M&A activity in 2022 is likely to reach US$4.7 trillion in deal value, making it the second-largest year on record. That kind of business change combined with emergent risks and poor IT ecosystem visibility make it extremely difficult for security and IT managers to have a 360-degree view of their entire external attack surface. This increases the odds of security gaps in their attack surface going unseen, opening them up to dangerous and preventable risks such as Log4j.  

Why a Focus on Risk, Versus Vulnerability, is Paramount to Log4j Exposures  

Trends in the growth of external attack surface sprawl are making it harder for security teams to reduce the mean time to remediate vulnerabilities – including Log4j.

In June 2021, the average time to fix a high-risk application vulnerability was estimated at 246 days (8.2 months), soaring from 194 days (6.5 months) at the start of that year, according to a study from Synopsys.

A CyCognito-sponsored research report by Informa Tech found security teams are suffering from cybersecurity debt issues. That’s when new cybersecurity issues outpace a security teams’ ability to mitigate existing ones.

Compounding the problem is inadequate and incomplete security scanning of external attack surfaces for vulnerabilities and other risks. CyCognito found competing discovery tools can leave between 10-to-50% of digital assets undiscovered and therefore untested and ignored.  

Informa Tech found the majority of security teams only have the bandwidth to remediate about 50 vulnerabilities in an average month. Considering the deluge of new vulnerabilities discovered each month, current remediation rates are insufficient to keep pace with high and critical risk vulnerabilities such as Log4j issues. 

That’s why CyCognito advocates a business-risk-first management approach to cybersecurity that focuses on identifying and addressing the most urgent risks (such as Log4j) immediately within an attack surface.  

If you want to have info on how CyCognito can help organizations find and remediate Log4j business risks with its unmatched ability to continuously discover the external attack surfaces of its customers give a look at the original analysis of the company:  

https://www.cycognito.com/blog/log4j_risky-business?hs_preview=SXnnXKfC-81448195746

About the author: TOM SPRING, MEDIA MANAGER

Tom Spring, Media Manager, is a seasoned technology reporter and editor who has helped bring stories to life for over three decades.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Log4j flaw)

The post Risky Business: Enterprises Can’t Shake Log4j flaw appeared first on Security Affairs.

Cisco was hacked by the Yanluowang ransomware gang

10 August 2022 at 21:20

Cisco discloses a security breach, the Yanluowang ransomware group breached its corporate network in late May and stole internal data.

Cisco disclosed a security breach, the Yanluowang ransomware group breached its corporate network in late May and stole internal data.

The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that threat actors compromised a Cisco employee’s credentials after they gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. 

Once obtained the credentials, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notification started by the attacker.

Upon achieving an MFA push acceptance, the attacker had access to the VPN in the context of the targeted user.

“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.” reads the analysis published by Cisco Talos. “After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”

The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. 

According to Talos, once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. Then the threat actors escalated to administrative privileges before logging into multiple systems. The attackers were able to drop multiple tools in the target network, including remote access tools like LogMeIn and TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket.

Talos researchers added that the attackers were not able to steal sensitive data from the IT giant.

“We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account. The data obtained by the adversary in this case was not sensitive.” continues the analysis.

Cisco said that the Yanluowang gang did not deploy any ransomware on its network during the attack.

The Yanluowang ransomware group is attempting to extort the company and published a list of files stolen from the company threatening to leak all stolen data if Cisco will not pay the ransom.

#yanluowang ransomware has posted #Cisco to its leaksite. #cybersecurity #infosec #ransomware pic.twitter.com/kwrfjbwbkT

— CyberKnow (@Cyberknow20) August 10, 2022

Cisco said that the Yanluowang gang did not deploy any ransomware on its network during the attack.

“While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR during previous engagements.” Talos experts conclude. “Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim environments.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Yanluowang ransomware)

The post Cisco was hacked by the Yanluowang ransomware gang appeared first on Security Affairs.

Cisco fixed a flaw in ASA, FTD devices that can give access to RSA private key

11 August 2022 at 05:47

Cisco addressed a high severity flaw, tracked as CVE-2022-20866, affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

Cisco addressed a high severity vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

The flaw, tracked as CVE-2022-20866, impacts the handling of RSA keys on devices running Cisco ASA Software and FTD Software, an unauthenticated, remote attacker can trigger it to retrieve an RSA private key. Once obtained the key, the attackers can impersonate a device that is running ASA/FTD Software or to decrypt the device traffic.

“This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key.” reads the advisory published by the IT giant.

The advisory states that the following conditions may be observed on an affected device:

  • This issue will impact approximately 5 percent of the RSA keys on a device that is running a vulnerable release of ASA Software or FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key.
  • The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key. 
  • The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.

The flaw impacts products running vulnerable Cisco ASA (9.16.1 and later) or Cisco FTD (7.0.0 and later) software that perform hardware-based cryptographic functions:

  • ASA 5506-X with FirePOWER Services
  • ASA 5506H-X with FirePOWER Services
  • ASA 5506W-X with FirePOWER Services
  • ASA 5508-X with FirePOWER Services
  • ASA 5516-X with FirePOWER Services
  • Firepower 1000 Series Next-Generation Firewall
  • Firepower 2100 Series Security Appliances
  • Firepower 4100 Series Security Appliances
  • Firepower 9300 Series Security Appliances
  • Secure Firewall 3100

Cisco recommends administrators of ASA/FTD devices to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys, because it is possible that the RSA private key has been leaked to a malicious actor.

The flaw was reported by Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder.

Cisco has credited Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting the security flaw.

The Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this issue.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ASA)

The post Cisco fixed a flaw in ASA, FTD devices that can give access to RSA private key appeared first on Security Affairs.

Ex Twitter employee found guilty of spying for Saudi Arabian government

11 August 2022 at 05:50

A former Twitter employee was found guilty of spying on certain Twitter users for Saudi Arabia.

A former Twitter employee, Ahmad Abouammo (44), was found guilty of gathering private information of certain Twitter users and passing them to Saudi Arabia.

“Ahmad Abouammo, a US resident born in Egypt, was found guilty by a jury Tuesday of charges including acting as an agent for Saudi Arabia, money laundering, conspiracy to commit wire fraud and falsifying records, following a two-week trial in San Francisco federal court.” reported Bloomberg.

The man faces from 10 up to 20 years in prison when he’s sentenced. 

In November 2019, the former Twitter employees Abouammo and the Saudi citizen Ali Alzabarah have been charged with spying on thousands of Twitter user accounts on behalf of the Saudi Arabian government. The two former Twitter employees operated for the Saudi Arabian government with the intent of unmasking dissidents using the social network.

Representatives of the Saudi Arabian government recruited the duo in 2014, their mission was to gather non-public information of Twitter accounts associated with known prominent critics of the Kingdom of Saudi Arabia and the Royal Family.

Abouammo and Alzabarah had unauthorized access to information associated with some profiles, including email addresses, devices used, user-provided biographical information, birth dates, logs that contained the user’s browser information, a log of all of a particular user’s actions on the Twitter platform at any given time, and other info that can be used to geo-locate a user such as IP addresses and phone numbers.

According to the indictment, Alzabarah joined Twitter in August 2013 as a “site reliability engineer,” he worked with the Saudi officials between May 21 and November 18, 2015. He is accused of allegedly spied on more than 6,000 Twitter accounts, including tens of users for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter.

Abouammo was charged with acting as a foreign agent on US soil, it also provided falsified records to feds to interfere with their investigation.

The man also deleted certain information from the social media platform and in some cases, he shut down Twitter accounts at the request of Saudi government officials. Of course, he was also able to unmask the identities of some users on behalf of the Saudi Arabian Government.

Saudi officials paid up to $300,000 to Abouammo for his work, the indictment explained that it was possible by masquerading the payments with faked invoices. The document also states that the man received a Hublot Unico Big Bang King Gold Ceramic watch.

According to an indictment, Abouammo lied to FBI agents saying the watch was a replica costing $500 and that the last $100,000 wire from Al-Asaker was for legitimate freelance consulting work.

US DoJ Department of Justice has also charged the Saudi national Ahmed al Mutairi, also known as Ahmed ALJBREEN, who directed a Saudi Saudi social media marketing company with ties to the royal family.

Ahmed al Mutairi, was acting as an intermediary between the two former Twitter employees and the officials of the Saudi Arabian Government.

Abouammo was arrested by the FBI in November 2019 in Seattle

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyberespionage)

The post Ex Twitter employee found guilty of spying for Saudi Arabian government appeared first on Security Affairs.

GitHub Dependabot Now Alerts Developers On Vulnerable GitHub Actions

11 August 2022 at 06:07
Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows. "When a security vulnerability is reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to impacted repositories,"

Critical Flaws Disclosed in Device42 IT Asset Management Software

11 August 2022 at 09:23
Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems. "By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the

What the Zola Hack Can Teach Us About Password Security

11 August 2022 at 10:10
Password security is only as strong as the password itself. Unfortunately, we are often reminded of the danger of weak, reused, and compromised passwords with major cybersecurity breaches that start with stolen credentials. For example, in May 2022, the popular wedding planning site, Zola, was the victim of a significant cybersecurity breach where hackers used an attack known as credential

Hackers Behind Cuba Ransomware Attacks Using New RAT Malware

11 August 2022 at 10:21
Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems. The new findings come from Palo Alto Networks' Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the constellation-themed moniker 

Cisco Confirms It's Been Hacked by Yanluowang Ransomware Gang

11 August 2022 at 15:04
Networking equipment major Cisco on Wednesday confirmed it was the victim of a cyberattack on May 24, 2022 after the attackers got hold of an employee's personal Google account that contained passwords synced from their web browser. "Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee's personal Google account," Cisco Talos said in a detailed write-up.

It Might Be Our Data, But It’s Not Our Breach

11 August 2022 at 17:45

Image: Shutterstock.

A cybersecurity firm says it has intercepted a large, unique stolen data set containing the names, addresses, email addresses, phone numbers, Social Security Numbers and dates of birth on nearly 23 million Americans. The firm’s analysis of the data suggests it corresponds to current and former customers of AT&T. The telecommunications giant stopped short of saying the data wasn’t theirs, but it maintains the records do not appear to have come from its systems and may be tied to a previous data incident at another company.

Milwaukee-based cybersecurity consultancy Hold Security said it intercepted a 1.6 gigabyte compressed file on a popular dark web file-sharing site. The largest item in the archive is a 3.6 gigabyte file called “dbfull,” and it contains 28.5 million records, including 22.8 million unique email addresses and 23 million unique SSNs. There are no passwords in the database.

Hold Security founder Alex Holden said a number of patterns in the data suggest it relates to AT&T customers. For starters, email addresses ending in “att.net” accounted for 13.7 percent of all addresses in the database, with addresses from SBCGLobal.net and Bellsouth.net — both AT&T companies — making up another seven percent. In contrast, Gmail users made up more than 30 percent of the data set, with Yahoo addresses accounting for 24 percent. More than 10,000 entries in the database list “[email protected]” in the email field.

Hold Security found these email domains account for 87% of all domains in the data set. Nearly 21% belonged to AT&T customers.

Holden’s team also examined the number of email records that included an alias in the username portion of the email, and found 293 email addresses with plus addressing. Of those, 232 included an alias that indicated the customer had signed up at some AT&T property; 190 of the aliased email addresses were “[email protected]”; 42 were “[email protected],” an oddly specific reference to an AT&T entity that included broadband Internet. In September 2016, AT&T rebranded U-verse as AT&T Internet.

According to its website, AT&T Internet is offered in 21 states, including Alabama, Arkansas, California, Florida, Georgia, Indiana, Kansas, Kentucky, Louisiana, Michigan, Missouri, Nevada, North Carolina, Ohio, Oklahoma, Tennessee, Texas and Wisconsin. Nearly all of the records in the database that contain a state designation corresponded to those 21 states; all other states made up just 1.64 percent of the records, Hold Security found.

Image: Hold Security.

The vast majority of records in this database belong to consumers, but almost 13,000 of the entries are for corporate entities. Holden said 387 of those corporate names started with “ATT,” with various entries like “ATT PVT XLOW” appearing 81 times. And most of the addresses for these entities are AT&T corporate offices.

How old is this data? One clue may be in the dates of birth exposed in this database. There are very few records in this file with dates of birth after 2000.

“Based on these statistics, we see that the last significant number of subscribers born in March of 2000,” Holden told KrebsOnSecurity, noting that AT&T requires new account holders to be 18 years of age or older. “Therefore, it makes sense that the dataset was likely created close to March of 2018.”

There was also this anomaly: Holden said one of his analysts is an AT&T customer with a 13-letter last name, and that her AT&T bill has always had the same unique misspelling of her surname (they added yet another letter). He said the analyst’s name is identically misspelled in this database.

KrebsOnSecurity shared the large data set with AT&T, as well as Hold Security’s analysis of it. AT&T ultimately declined to say whether all of the people in the database are or were at some point AT&T customers. The company said the data appears to be several years old, and that “it’s not immediately possible to determine the percentage that may be customers.”

“This information does not appear to have come from our systems,” AT&T said in a written statement. “It may be tied to a previous data incident at another company. It is unfortunate that data can continue to surface over several years on the dark web. However, customers often receive notices after such incidents, and advice for ID theft is consistent and can be found online.”

The company declined to elaborate on what they meant by “a previous data incident at another company.”

But it seems likely that this database is related to one that went up for sale on a hacker forum on August 19, 2021. That auction ran with the title “AT&T Database +70M (SSN/DOB),” and was offered by ShinyHunters, a well-known threat actor with a long history of compromising websites and developer repositories to steal credentials or API keys.

Image: BleepingComputer

ShinyHunters established the starting price for the auction at $200,000, but set the “flash” or “buy it now” price at $1 million. The auction also included a small sampling of the stolen information, but that sample is no longer available. The hacker forum where the ShinyHunters sales thread existed was seized by the FBI in April, and its alleged administrator arrested.

But cached copies of the auction, as recorded by cyber intelligence firm Intel 471, show ShinyHunters received bids of up to $230,000 for the entire database before they suspended the sale.

“This thread has been deleted several times,” ShinyHunters wrote in their auction discussion on Sept. 6, 2021. “Therefore, the auction is suspended. AT&T will be available on WHM as soon as they accept new vendors.”

The WHM initialism was a reference to the White House Market, a dark web marketplace that shut down in October 2021.

“In many cases, when a database is not sold, ShinyHunters will release it for free on hacker forums,” wrote BleepingComputer’s Lawrence Abrams, who broke the news of the auction last year and confronted AT&T about the hackers’ claims.

AT&T gave Abrams a similar statement, saying the data didn’t come from their systems.

“When asked whether the data may have come from a third-party partner, AT&T chose not to speculate,” Abrams wrote. “‘Given this information did not come from us, we can’t speculate on where it came from or whether it is valid,'” AT&T told BleepingComputer.

Asked to respond to AT&T’s denial, ShinyHunters told BleepingComputer at the time, “I don’t care if they don’t admit. I’m just selling.”

On June 1, 2022, a 21-year-old Frenchman was arrested in Morocco for allegedly being a member of ShinyHunters. Databreaches.net reports the defendant was arrested on an Interpol “Red Notice” at the request of a U.S. federal prosecutor from Washington state.

Databreaches.net suggests the warrant could be tied to a ShinyHunters theft in May 2020, when the group announced they had exfiltrated 500 GB of Microsoft’s source code from Microsoft’s private GitHub repositories.

“Researchers assess that Shiny Hunters gained access to roughly 1,200 private repositories around March 28, 2020, which have since been secured,” reads a May 2020 alert posted by the New Jersey Cybersecurity & Communications Integration Cell, a component within the New Jersey Office of Homeland Security and Preparedness.

“Though the breach was largely dismissed as insignificant, some images of the directory listing appear to contain source code for Azure, Office, and some Windows runtimes, and concerns have been raised regarding access to private API keys or passwords that may have been mistakenly included in some private repositories,” the alert continues. “Additionally, Shiny Hunters is flooding dark web marketplaces with breached databases.”

Last month, T-Mobile agreed to pay $350 million to settle a consolidated class action lawsuit over a breach in 2021 that affected 40 million current and former customers. The breach came to light on Aug. 16, 2021, when someone starting selling tens of millions of SSN/DOB records from T-Mobile on the same hacker forum where the ShinyHunters would post their auction for the claimed AT&T database just three days later.

T-Mobile has not disclosed many details about the “how” of last year’s breach, but it said the intruder(s) “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

A sales thread tied to the stolen T-Mobile customer data.

Conti Cybercrime Cartel Using 'BazarCall' Phishing Attacks as Initial Attack Vector

11 August 2022 at 17:52
A trio of offshoots from the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. "Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology," cybersecurity firm AdvIntel said in a Wednesday report.

Palo Alto Networks warns of Reflected Amplification DoS issue in PAN-OS

11 August 2022 at 17:58

Palo Alto Networks devices running the PAN-OS are abused to launch reflected amplification denial-of-service (DoS) attacks.

Threat actors are exploiting a vulnerability, tracked as CVE-2022-0028 (CVSS score of 8.6), in Palo Alto Networks devices running the PAN-OS to launch reflected amplification denial-of-service (DoS) attacks.

The vendor has learned that firewalls from multiple vendors are abused to conduct distributed denial-of-service (DDoS) attacks, but it did not disclose the name of the impacted companies.

“Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks. We immediately started to root cause and remediate this issue.” reads the advisory published by Palo Alto Networks. “Exploitation of this issue does not impact the confidentiality, integrity, or availability of our products.

The root cause of the issue affecting the Palo Alto Network devices is a misconfiguration in the PAN-OS URL filtering policy that allows a network-based attacker to conduct reflected and amplified TCP DoS attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against a target chosen by the attackers.

Palo Alto Networks GlobalProtect VPN

The issue could be exploited if the firewall configuration has a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.

The flaw can be mitigated by removing the URL filtering policy, the company also recommends enabling only one security feature between packet-based attack protection and flood protection on their Palo Alto.

If exploited, this flaw would not impact the confidentiality, integrity, or availability of Palo Alto Networks products. However, the company pointed out that the resulting denial-of-service (DoS) attack may allow threat actors to hide their identity and implicate the firewall as the source of the attack.

Below is the Product Status shared by the vendor:

Versions Affected Unaffected
Cloud NGFW None All
PAN-OS 10.2 < 10.2.2-h2 >= 10.2.2-h2 (ETA: week of August 15, 2022)
PAN-OS 10.1 < 10.1.6-h6 >= 10.1.6-h6
PAN-OS 10.0 < 10.0.11-h1 >= 10.0.11-h1 (ETA: week of August 15, 2022)
PAN-OS 9.1 < 9.1.14-h4 >= 9.1.14-h4 (ETA: week of August 15, 2022)
PAN-OS 9.0 < 9.0.16-h3 >= 9.0.16-h3 (ETA: week of August 15, 2022)
PAN-OS 8.1 < 8.1.23-h1 >= 8.1.23-h1 (ETA: August 15, 2022)
Prisma Access 3.1 None All
Prisma Access 3.0 None All
Prisma Access 2.2 None All
Prisma Access 2.1 None All

The US Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory to warn of this vulnerability.

“Palo Alto Networks has released a security update to address a vulnerability in PAN-OS firewall configurations. A remote attacker could exploit this vulnerability to conduct a reflected denial-of service,” reads the advisory published by CISA.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-0028)

The post Palo Alto Networks warns of Reflected Amplification DoS issue in PAN-OS appeared first on Security Affairs.

Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability

12 August 2022 at 06:14
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers - CVE-2022-27925 (CVSS score: 7.2)

BazarCall attacks have revolutionized ransomware operations

12 August 2022 at 06:25

The Conti ransomware gang is using BazarCall phishing attacks as an initial attack vector to access targeted networks.

BazarCall attack, aka call back phishing, is an attack vector that utilizes targeted phishing methodology and was first used by the Ryuk ransomware gang in 2020/2021.

The BazarCall attack chain is composed of the following stages:

  • Stage One. Attackers send a mail to the victims that notify them that they have subscribed to a service for which payment is automatic. The email includes a phone number to call to cancel the subscription.
  • Stage Two. The victim is tricked into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics, to convince victims to give remote desktop control, to help them cancel their subscription service.
  • Stage Three. Once accessed the victim’s desktop, the attacker silently extended a foothold in the user’s network, weaponizing legitimate tools that are known to be in Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.
  • Stage Four. The initiated malware session yields the adversary access as an initial point of entry into the victim’s network.
bazarcall conti

The researchers at cybersecurity firm AdbIntel state that currently at least three autonomous threat groups are adopting and independently developing their own targeted phishing tactics derived from the call back phishing methodology. The three groups are tracked as Silent Ransom, Quantum, and Roy/Zeon, they emerged after the Conti gang opted to shut down its operation in May 2022.

In March 2022, formed members of the Conti, who were experts in call back phishing attacks, created “Silent Ransom” when it became an autonomous group.

Silent Ransom’s previous bosses, tracked as Conti Team Two, who were the main Conti subdivision, rebranded as Quantum and launched their own version of call back phishing campaigns. On June 13, 2022, AdvIntel researchers uncovered a massive operation called “Jörmungandr”.

The third iteration of the BazarCall group was observed in late June 20 and goes by the name of Roy/Zeon. The group is composed of old-Guard members of Conti’s “Team One,” which created the Ryuk operation. This group has the advanced social engineering capabilities of the three groups.

It involved large investments into hiring spammers, OSINT specialists, designers, call center operators, and expanding the number of network intruders. As a highly skilled (and most likely government-affiliated) group, Quantum was able to purchase exclusive email datasets and manually parse them to identify relevant employees at high-profile companies.

bazarcall

The adoption of Callback phishing campaigns has impacted the strategy of ransomware gangs, experts observed targeted attacks aimed at Finance, Technology, Legal, and Insurance industries. The industries are considered privileged targets in almost all internal manuals, which were shared between ex-Conti members.

“Since its resurgence in March earlier this year, call back phishing has entirely revolutionized the current threat landscape and forced its threat actors to reevaluate and update their methodologies of attack in order to stay on top of the new ransomware food chain.” concludes the report published by Advintel. “Although the first to begin using this TTP as its primary initial attack vector, Silent Ransom is no longer the only threat group utilizing the highly specified phishing operations that they pioneered. Other threat groups, seeing the success, efficiency, and targeting capabilities of the tactic have begun using reversed phishing campaign as a base and developing the attack vector into their own.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Conti)

The post BazarCall attacks have revolutionized ransomware operations appeared first on Security Affairs.

Experts warn of mass exploitation of an RCE flaw in Zimbra Collaboration Suite

12 August 2022 at 08:00

Threat actors are exploiting an authentication bypass Zimbra flaw, tracked as CVE-2022-27925, to hack Zimbra Collaboration Suite email servers worldwide.

An authentication bypass affecting Zimbra Collaboration Suite, tracked as CVE-2022-27925, is actively exploited to hack ZCS email servers worldwide.

Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries.

Yesterday, August 11, CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The two issues are:

  • CVE-2022-27925 (CVSS score: 7.2) – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability: Zimbra Collaboration (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution.
  • CVE-2022-37042 – Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability: Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution.

CISA orders federal agencies to fix both issues by August 25, 2022.

The vendor has already released security updates to address both vulnerabilities.

Cybersecurity firm Volexity described confirmed that the flaw is actively exploited in attacks in the wild.

In July and early August 2022, the company worked on multiple incidents where the organizations had their Zimbra Collaboration Suite (ZCS) email servers compromised. Volexity discovered that threat actors have exploited the CVE-2022-27925 remote-code-execution (RCE) vulnerability in these attacks.

The flaw was patched in March 2022, since the release of security fixes, it was reasonable that threat actors performed reverse engineering of them and developed an exploit code.

“As each investigation progressed, Volexity found signs of remote exploitation but no evidence the attackers had the prerequisite authenticated administrative sessions needed to exploit it. Further, in most cases, Volexity believed it extremely unlikely the remote attackers would have been able to obtain administrative credentials on the victims’ ZCS email servers.” reads the advisory published by Volexity.

“As a result of the above findings, Volexity initiated more research into determining a means to exploit CVE-2022-27925, and if it was possible to do so without an authenticated administrative session. Subsequent testing by Volexity determined it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925. This meant that CVE-2022-27925 could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.” reads the post published by Volexity.

Volexity researchers scanned the Internet for compromised Zimbra instances belonging to non-Volexity customers. The security firm identified over 1,000 ZCS instances around the world that were backdoored and compromised. The compromised ZCS installs belongs to a variety of global organizations, including government departments and ministries, military branches, worldwide billionaire businesses, and a significant number of small businesses.

Zimbra

The countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.

“CVE-2022-27925 was originally listed as an RCE exploit requiring authentication. When combined with a separate bug, however, it became an unauthenticated RCE exploit that made remote exploitation trivial. Some organizations may prioritize patching based on the severity of security issues. In this case, the vulnerability was listed as medium—not high or critical—which may have led some organizations to postpone patching.” concludes the post.

A few days ago, CISA added a recently disclosed flaw in the Zimbra email suite, tracked as CVE-2022-27924, to its Known Exploited Vulnerabilities Catalog.

In middle June, researchers from Sonarsource discovered the high-severity vulnerability impacting the Zimbra email suite, tracked as CVE-2022-27924 (CVSS score: 7.5). It can be exploited by an unauthenticated attacker to steal login credentials of users without user interaction.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post Experts warn of mass exploitation of an RCE flaw in Zimbra Collaboration Suite appeared first on Security Affairs.

❌