🔒
There are new articles available, click to refresh the page.
Today — 18 August 2022Security News

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

18 August 2022 at 03:08
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An
Yesterday — 17 August 2022Security News

China-linked RedAlpha behind multi-year credential theft campaign

17 August 2022 at 22:58

A China-linked APT group named RedAlpha is behind a long-running mass credential theft campaign aimed at organizations worldwide.

Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor tracked RedAlpha. The campaign targeted global humanitarian, think tank, and government organizations.

Experts believe RedAlpha is a group of contractors conducting cyber-espionage activity on behalf of China. Recorded Future identified a link between RedAlpha and a Chinese information security company, whose name appears in the registration of multiple RedAlpha domains. The company called “Nanjing Qinglan Information Technology Co., Ltd.” is now known as “Jiangsu Cimer Information Security Technology Co. Ltd.

“In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.” reads the report published by Recorded Future.

“RedAlpha’s humanitarian and human rights-linked targeting and spoofing of organizations such as Amnesty International and FIDH is particularly concerning given the CCP’s reported human rights abuses in relation to Uyghurs, Tibetans, and other ethnic and religious minority groups in China.”

Since 2019, RedAlpha registering and weaponizing hundreds of domains that were spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations.

Experts also noticed that the attackers used domains spoofing major email and storage service providers like Yahoo (135 typosquat domains), Google (91 typosquat domains), and Microsoft (70 typosquat domains). The domains some cases were hosting fake login pages for popular email providers such as Outlook and Zimbra.

redAlpha

The attackers sent out phishing messages leading victims to phishing pages posing as legitimate email login portals. Experts believe attackers target individuals affiliated with the above organizations rather than imitating these organizations to target other third parties.

The attack vector is phishing emails containing PDF files that embed malicious links that point to the phishing login pages.

“RedAlpha’s activity has expanded over the past several years to include credential-phishing campaigns spoofing ministries of foreign affairs in multiple countries.” continues the report. “We observed phishing pages imitating webmail login portals for Taiwan and Portugal’s MOFAs, as well as multiple domains spoofing Brazil and Vietnam’s MOFAs.”

“Based on these findings and wider activity examined, it is very likely that RedAlpha operators are located within the PRC. Chinese intelligence services’ use of private contractors is also an established trend, with groups such as APT3, APT10, RedBravo (APT31), and APT40 all identified as contractors working for China’s Ministry of State Security (MSS) (1,2,3,4).” concludes the report. “In the case of RedAlpha, the group’s targeting closely aligns with the strategic interests of the Chinese government, such as the observed emphasis on China-focused think tanks, civil society organizations, and Taiwanese government and political entities.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, RedAlpha)

The post China-linked RedAlpha behind multi-year credential theft campaign appeared first on Security Affairs.

Bugdrop dropper includes features to circumvent Google’s security Controls

17 August 2022 at 17:58

Researchers have discovered a previously undocumented Android dropper, dubbed BugDrop, that’s still under development.

Recently, researchers from ThreatFabric discovered a previously undetected Android dropper, dubbed BugDrop, which is under active development and was designed to bypass security features that will be implemented in the next release of the Google OS.

The experts noticed something unusual in the latest sample of the malware family Xenomorph, it was an improved version of the threat that included RAT capabilities by using “Runtime modules”. The Runtime modules allow the malware to perform gestures, touches, and other operations.

The new version of Xenomorph was dropped by the BugDrop malware which is able to defeat security measures that Google will introduce to prevent malware requesting Accessibility Services privileges from victims.

The dropper was developed by a cybercriminal group known as Hadoken Security, which is the same threat actor that is behind Xenomorph and Gymdrop Android malware.

The malicious application spotted by the researchers poses as a QR code reader.

Upon launching the application it will request the Accessibility Services access to the user to perform gestures and touches on behalf of the victim.

bugdrop

“Once granted, while showing a loading screen, the dropper initiates a connection with its onion.ws C2, which relies on the TOR protocol, obtaining back its configuration and the URL of the payload to download and install.” reads the analysis of the experts. “Throughout the course of our investigation, this URL changed from being one of the samples in the open folder, to an external URL again referring to QR code scanners functionalities, which used a endpoint very similar to what was used by Gymdrop samples that we observed in the wild in the last few months.”

The presence of instructions in the dropper code to send error messages back to the C2 suggests it is still under development.

The experts noticed that starting with Android 13, Google is blocking accessibility API access to apps installed from outside of the official app store.

However, BugDrop, attempts to bypass this security measure by deploying malicious payloads via a session-based installation process.

“In this context, it is important to remind the new security features of Android 13, which will be released in fall of 2022. With this new release, Google introduced the “restricted setting” feauture, which blocks sideloaded applications from requesting Accessibility Services privileges, limiting this kind of request to applications installed with a session-based API (which is the method usually used by app stores).” states the analysis. “With this in mind, it is clear what criminals are trying to achieve. What is likely happening is that actors are using an already built malware, capable of installing new APKs on an infected device, to test a session based installation method, which would then later be incorporated in a more elaborate and refined dropper.”

Upon completing the development of the new features, BugDrop will give attackers new capabilities to target banking institutions and bypass security solutions currently being adopted by Google.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, BugDrop)

The post Bugdrop dropper includes features to circumvent Google’s security Controls appeared first on Security Affairs.

Google fixed a new Chrome Zero-Day actively exploited in the wild

17 August 2022 at 17:01

Google addressed a dozen vulnerabilities in the Chrome browser, including the fifth Chrome zero-day flaw exploited this year.

Google this week released security updates to address a dozen vulnerabilities in its Chrome browser for desktops including an actively exploited high-severity zero-day flaw in the wild.

The actively exploited flaw, tracked as CVE-2022-2856, is an Insufficient validation of untrusted input in Intents. The flaw was discovered by Ashley Shen and Christian Resell of Google Threat Analysis Group on 19 July 2022.

“Google is aware that an exploit for CVE-2022-2856 exists in the wild.” reads the advisory published by Google.

Google did not share technical details about the issue to prevent further exploitation in the wild.

The IT giant also fixed a critical issue, tracked as CVE-2022-2852, which is use after free in FedCM. This issue was reported by Google Project Zero researcher Sergei Glazunov on August 2, 2022.

Below is the list of the other issues addressed by the company:

  • [$7000][1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
  • [$7000][1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
  • [$5000][1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
  • [$5000][1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
  • [$NA][1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
  • [$3000][1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
  • [$2000][1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
  • [$TBD][1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21

The CVE-2022-2856 is the fifth zero-day vulnerability in Chrome that Google has addressed this year, the other ones are:

  • CVE-2022-2294 (July 4) – Heap buffer overflow in the Web Real-Time Communications (WebRTC) component
  • CVE-2022-1364 (April 14) –  type confusion issue that resides in the V8 JavaScript engine
  • CVE-2022-1096 – (March 25) – type Confusion in V8 JavaScript engine
  • CVE-2022-0609 – (February 14) – use after free issue that resides in the Animation component.

Users should update to version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome)

The post Google fixed a new Chrome Zero-Day actively exploited in the wild appeared first on Security Affairs.

Cybercriminals Developing BugDrop Malware to Bypass Android Security Features

17 August 2022 at 13:59
In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that's currently in development. "This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals

New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild

17 August 2022 at 12:02
Google on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild. Tracked as CVE-2022-2856, the issue has been described as a case of insufficient validation of untrusted input in Intents. Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on

Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers

17 August 2022 at 10:59
A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations. "In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations," Recorded Future disclosed in a new

Lean Security 101: 3 Tips for Building Your Framework

17 August 2022 at 10:50
Cobalt, Lazarus, MageCart, Evil, Revil — cybercrime syndicates spring up so fast it's hard to keep track. Until…they infiltrate your system. But you know what's even more overwhelming than rampant cybercrime? Building your organization's security framework.  CIS, NIST, PCI DSS, HIPAA, HITrust, and the list goes on. Even if you had the resources to implement every relevant industry standard and

Malicious Browser Extensions Targeted Over a Million Users So Far This Year

17 August 2022 at 08:44
More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show. "From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company said. As many as

North Korea-linked APT targets Job Seekers with macOS malware

17 August 2022 at 08:31

The North Korea-linked Lazarus Group has been observed targeting job seekers with macOS malware working also on Intel and M1 chipsets.

ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active at least since June 2020. The campaign targets employees working in the aerospace and military sectors and leverages decoy job offer documents.

ESET published a series of tweets detailing the recent attacks, the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.

#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7 pic.twitter.com/dXg89el5VT

— ESET research (@ESETresearch) August 16, 2022

Malware is compiled for both Intel and Apple Silicon, it drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle http://FinderFontsUpdater.app and a downloader safarifontagent. The discovery is similar to other attacks detected by ESET researches in May.

#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai @marc_etienne_ 1/8 pic.twitter.com/DV7peRHdnJ

— ESET research (@ESETresearch) May 4, 2022

The bundle employed in the attack is signed July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria and team identifier 264HFWQH63.

“The application is not notarized and Apple has revoked the certificate on August 12.” states ESET.

North Korea

Experts noticed that unlike May attacks, the downloader safarifontagent connects to a different C&C server (https://concrecapital[.]com/%user%.jpg). The C2 server did not respond at the time ESET experts analyzed this malware.

The researcher @h2jazi also discovered a Windows counterpart of this malware on August 4, it was dropping the exact same decoy.

#Lazarus #APT:
0dab8ad32f7ed4703b9217837c91cca7
Coinbase_online_careers_2022_07.exe

The decoy pdf is "Engineering Manager, Product Security" job description at Coinbase.

Next stage: (gone!)
https://docs.mktrending[.]com/marrketend.pnghttps://t.co/XETUeA5F6B pic.twitter.com/NTFUJ9AiCO

— Jazi (@h2jazi) August 4, 2022

ESET also shared Indicators of compromise (IoCs) for this threat.

IoCs:
FE336A032B564EEF07AFB2F8A478B0E0A37D9A1A6C4C1E7CD01E404CC5DD2853 (Extractor)
798020270861FDD6C293AE8BA13E86E100CE048830F86233910A2826FACD4272 (FinderFontsUpdater)
49046DFEAEFC59747E45E013F3AB5A2895B4245CFAA218DD2863D86451104506 (safarifontagent)
… 6/7

— ESET research (@ESETresearch) August 16, 2022

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

The post North Korea-linked APT targets Job Seekers with macOS malware appeared first on Security Affairs.

ÆPIC Leak is the first CPU flaw able to architecturally disclose sensitive data

17 August 2022 at 07:10

Researchers uncovered a new flaw, dubbed ÆPIC, in Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors.

The ÆPIC Leak (CVE-2022-21233) is the first architecturally CPU bug that could lead to the disclosure of sensitive data and impacts most 10th, 11th and 12th generation Intel CPUs.

ÆPIC Leak works on the newest Intel CPUs based on Ice Lake, Alder Lake, and Ice Lake SP and does not rely on hyperthreading enabled.

“A potential security vulnerability in some Intel® Processors may allow information disclosure.Intel is releasing firmware updates to address this potential vulnerability.” reads the advisory published by Intel.

“Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.”

The discovery of the flaw is the result of research conducted by boffins from the Sapienza University of Rome, the Graz University of Technology, Amazon Web Services, and the CISPA Helmholtz Center for Information Security.

Unlike Meltdown and Spectre, ÆPIC Leak is an architectural bug, which means that the sensitive data are disclosed without relying on side channel attacks

“ÆPIC Leak is like an uninitialized memory read in the CPU itself.” reads the description published by the researchers. “A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.”

The CVE-2022-21233 issue resides in the Advanced Programmable Interrupt Controller (APIC), responsible for accepting, prioritizing, and dispatching interrupts to processors.

“The scan of the I/O address space on Intel CPUs based on the Sunny Cove microarchitecture revealed that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not properly initialized. As a result, architecturally reading these registers returns stale data from the microarchitecture.” reads the research paper. “As the I/O address space is only accessible to privileged software, ÆPIC Leak targets Intel’s TEE, SGX. ÆPIC Leak can leak data from SGX enclaves that run on the same physical core. While ÆPIC Leak would represent an immense threat in virtualized environments, hypervisors typically do not expose the local APIC registers to virtual machines, eliminating the threat in cloud-based scenarios.”

The experts tested the ÆPIC Leak issue with 100 different random keys and tried to leak the AES keys with a single run of the attack. The results are that full key recovery takes on average 1.35 s
(n = 100, σ = 15.70%) with a success rate of 94 %

The flaw enables an attacker with permissions to execute privileged native code on a target machine to extract the private keys, and worse defeat attestation, a cornerstone of the security primitives used in SGX to ensure the integrity of code and data.

“We show attacks that allow leaking data held in memory and registers. We demonstrate how ÆPIC Leak completely breaks the guarantees provided by SGX, deterministically leaking AES secret keys, RSA private keys, and extracting the SGX sealing key for remote attestation.” concludes the paper.

The researchers also propose several firmware and software mitigations that would prevent ÆPIC Leak from leaking sensitive data or completely prevent ÆPIC Leak.

Intel has already released firmware updates to address the flaw.

The experts published a video demo to show how an attacker can disclose data from a protected SGX enclave.

The development comes as researchers demonstrated what’s the first-ever side channel attack (CVE-2021-46778) on scheduler queues impacting AMD Zen 1, Zen 2, and Zen 3 microarchitectures that could be abused by an adversary to recover RSA keys.

The attack, codenamed SQUIP (short for Scheduler Queue Usage via Interference Probing), entails measuring the contention level on scheduler queues to potentially glean sensitive information.

No security updates have been released to patch the line of attack, but the chipmaker has recommended that “software developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flows where appropriate.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ÆPIC Leak)

The post ÆPIC Leak is the first CPU flaw able to architecturally disclose sensitive data appeared first on Security Affairs.

Zoom fixed two flaws in macOS App that were disclosed at DEF CON

17 August 2022 at 06:57

Zoom addressed two high-severity vulnerabilities in its macOS app that were disclosed at the DEF CON conference.

Zoom last week released macOS updates to fix two high-severity flaws in its macOS app that were disclosed at the DEF CON conference. Technical details of the vulnerabilities were disclosed at the DEF CON conference by security researcher Patrick Wardle during its talk “You’re M̶u̶t̶e̶d̶ Rooted.”

In his talk, the expert explored Zoom’s macOS application to uncover several critical security flaws that can be exploited by a local unprivileged attacker to achieve root access to the device.

Mahalo to everybody who came to my @defcon talk "You're M̶u̶t̶e̶d̶ Rooted" 🙏🏽

Was stoked to talk about (& live-demo 😅) a local priv-esc vulnerability in Zoom (for macOS).

Currently there is no patch 👀😱

Slides with full details & PoC exploit: https://t.co/viee0Yd5o2 #0day pic.twitter.com/9dW7DdUm7P

— patrick wardle (@patrickwardle) August 12, 2022

Wardle demonstrated that an attacker could hijack the update mechanism to downgrade the software to an older version that is known to be affected by vulnerabilities.

The experts pointed out that macOS users are not prompted for their admin password when Zoom is updated, because the auto-update feature is enabled by default.

Zoom informed customers last week that macOS updates for the Zoom application patch two high-severity vulnerabilities. Details of the flaws were disclosed on Friday at the DEF CON conference in Las Vegas by macOS security researcher Patrick Wardle.

Wardle, who is the founder of the Objective-See Foundation, a non-profit that provides free and open source macOS security resources, showed at DEF CON how a local, unprivileged attacker could exploit vulnerabilities in Zoom’s update process to escalate privileges to root.

“In this talk, we’ll explore Zoom’s macOS application to uncover several critical security flaws. Flaws, that provided a local unprivileged attacker a direct and reliable path to root.” Wardle explained. The first flaw, presents itself subtly in a core cryptographic validation routine, while the second is due to a nuanced trust issue between Zoom’s client and its privileged helper component.”

zoom

Wardle demonstrated that a local attacker abusing the auto-update process and leveraging a cryptographic issue related to insecure update package signature validation can install an update package.

Zoom addressed some related vulnerabilities in the past months, but Wardle explained that he was still able to exploit them in his attack. The day after the talk, the company released Client for Meetings for macOS 5.11.5 that fix the auto-update process vulnerability (CVE-2022-28756). The company also announced Version 5.11.3 which addresses the packet signature validation issue (CVE-2022-28751).

Zoom also addressed other critical and high-severity vulnerabilities:

  • CVE-2022-28753, CVE-2022-28754: Zoom On-Premise Deployments: Improper Access Control Vulnerability (HIGH)
  • CVE-2022-28755: Improper URL parsing in Zoom Clients (CRITICAL)
  • CVE-2022-28752: Local Privilege Escalation in the Zoom Rooms for Windows Client (HIGH)
  • CVE-2022-28750: Zoom On-Premise Deployments: Stack Buffer Overflow in Meeting Connector (HIGH)

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, macOS)

The post Zoom fixed two flaws in macOS App that were disclosed at DEF CON appeared first on Security Affairs.

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

17 August 2022 at 06:20
The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into

RubyGems Makes Multi-Factor Authentication Mandatory for Top Package Maintainers

17 August 2022 at 04:46
RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication (MFA) for popular package maintainers, following the footsteps of NPM and PyPI. To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022. <!--adsense--> "Users in this category who do not
Before yesterdaySecurity News

Clop gang targeted UK drinking water supplier South Staffordshire Water

16 August 2022 at 17:38

A cyber attack disrupted the IT operations of South Staffordshire Water, a company supplying drinking water to 1.6M consumers daily.

South Staffordshire Water has issued a statement confirming the security breach, the company pointed out that the attack did not impact the safety and water distribution systems.

South Staffordshire Water plc known as South Staffs Water is a UK water supply company owned by a privately owned utilities company serving parts of Staffordshire the West Midlands as well as small areas of surrounding counties in England. South Staffordshire Water plc is part of South Staffordshire plc.

Thanks to security systems in place, the company was able to supply safe water to its customers or those of its subsidiaries, Cambridge Water and South Staffs Water.

“This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers.” reads a statement published by the company. “This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”

South Staffordshire Water reassures customers that the cyber attack will not cause an extended outage.

The company is investigating the incident and is working closely with the relevant government and regulatory authorities.

The Clop ransomware gang claimed responsibility for the attack and added the name of the utility to its Tor leak site.

The ransomware gang claims to be able to impact the operations and the safety of the water supply.

The gang also claims to have stolen 5TB of data from the company.

The ransomware group has already published a sample of stolen data that includes passports, ID Cards, and images of SCADA systems.

South Staffordshire Water

Thames Water has denied that the Clop has breached its network and excluded any risk for its customers due to the attack.

“We are aware of reports in the media that Thames Water is facing a cyber attack. We want to reassure you that this is not the case and we are sorry if the reports have caused distress.” reads the statement from Thames Water. “As providers of an essential service, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide you with the services and support you need from us.”

BleepingComputer noticed that sample data published by Clop operators include usernames and passwords, which refer South Staff Water and South Staffordshire email addresses.

One of the leaked documents sent to the targeted firm is explicitly addressed to South Staffordshire PLC.

This circumstance suggests that Clop misidentified the victim.

Cybercriminals don’t pick their targets randomly, as hitting water suppliers during harsh drought periods could apply insurmountable pressure to pay the demanded ransom.

For this to happen, though, Clop has to redirect its threats to the correct entity, but considering the publicity the matter has taken, it’s probably too late for that.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, South Staffordshire Water)

The post Clop gang targeted UK drinking water supplier South Staffordshire Water appeared first on Security Affairs.

When Efforts to Contain a Data Breach Backfire

16 August 2022 at 17:06

Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexico’s second-largest bank was fake news and harming the bank’s reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download.

On August 3, 2022, someone using the alias “Holistic-K1ller” posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexico’s second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC), email addresses and balances on more than 10 million citizens.

There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold customer information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs — with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto.

But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently hired by Banorte to help respond to the data breach.

“The Group-IB team has discovered a resource containing a fraudulent post offering to buy Grupo Financiero Banorte’s leaked databases,” reads a letter the Breach administrator said they received from Group-IB. “We ask you to remove this post containing Banorte data. Thank you for your cooperation and prompt attention to this urgent matter.”

The administrator of Breached is “Pompompurin,” the same individual who alerted this author in November 2021 to a glaring security hole in a U.S. Justice Department website that was used to spoof security alerts from the FBI. In a post to Breached on Aug. 8, Pompompurin said they bought the Banorte database from Holistic-K1ller’s sales thread because Group-IB was sending emails complaining about it.

“They also attempted to submit DMCA’s against the website,” Pompompurin wrote, referring to legal takedown requests under the Digital Millennium Copyright Act. “Make sure to tell Banorte that now they need to worry about the data being leaked instead of just being sold.”

Group-IB CEO Dmitriy Volkov said the company has seen some success in the past asking hackers to remove or take down certain information, but that making such requests is not a typical response for the security firm.

“It is not a common practice to send takedown notifications to such forums demanding that such content be removed,” Volkov said. “But these abuse letters are legally binding, which helps build a foundation for further steps taken by law enforcement agencies. Actions contrary to international rules in the regulated space of the Internet only lead to more severe crimes, which — as we know from the case of Raidforums — are successfully investigated and stopped by law enforcement.”

Banorte did not respond to requests for comment. But in a brief written statement picked up on Twitter, Banorte said there was no breach involving their infrastructure, and the data being sold is old.

“There has been no violation of our platforms and technological infrastructure,” Banorte said. “The set of information referred to is inaccurate and outdated, and does not put our users and customers at risk.”

That statement may be 100 percent true. Still, it is difficult to think of a better example of how not to do breach response. Banorte shrugging off this incident as a nothingburger is baffling: While it is almost certainly true that the bank balance information in the Banorte leak is now out of date, the rest of the information (tax IDs, phone numbers, email addresses) is harder to change.

“Is there one person from our community that think sending cease and desist letter to a hackers forum operator is a good idea?,” asked Ohad Zaidenberg, founder of CTI League, a volunteer emergency response community that emerged in 2020 to help fight COVID-19 related scams. “Who does it? Instead of helping, they pushed the organization from the hill.”

Kurt Seifried, director of IT for the CloudSecurityAlliance, was similarly perplexed by the response to the Banorte breach.

“If the data wasn’t real….did the bank think a cease and desist would result in the listing being removed?” Seifried wondered on Twitter. “I mean, isn’t selling breach data a worse crime usually than slander or libel? What was their thought process?”

A more typical response when a large bank suspects a breach is to approach the seller privately through an intermediary to ascertain if the information is valid and what it might cost to take it off the market. While it may seem odd to expect cybercriminals to make good on their claims to sell stolen data to only one party, removing sold stolen items from inventory is a fairly basic function of virtually all cybercriminal markets today (apart from perhaps sites that traffic in stolen identity data).

At a minimum, negotiating or simply engaging with a data seller can buy the victim organization additional time and clues with which to investigate the claim and ideally notify affected parties of a breach before the stolen data winds up online.

It is true that a large number of hacked databases put up for sale on the cybercrime underground are sold only after a small subset of in-the-know thieves have harvested all of the low-hanging fruit in the data — e.g., access to cryptocurrency accounts or user credentials that are recycled across multiple websites. And it’s certainly not unheard of for cybercriminals to go back on their word and re-sell or leak information that they have sold previously.

But companies in the throes of responding to a data security incident do themselves and customers no favors when they underestimate their adversaries, or try to intimidate cybercrooks with legal threats. Such responses generally accomplish nothing, except unnecessarily upping the stakes for everyone involved while displaying a dangerous naiveté about how the cybercrime underground works.

Update, Aug. 17, 10:32 a.m.: Thanks to a typo by this author, a request for comment sent to Group-IB was not delivered in advance of this story. The copy above has been updated to include a comment from Group-IB’s CEO.

ÆPIC and SQUIP Vulnerabilities Found in Intel and AMD Processors

16 August 2022 at 14:58
A group of researchers has revealed details of a new vulnerability affecting Intel CPUs that enables attackers to obtain encryption keys and other secret information from the processors. Dubbed ÆPIC Leak, the weakness is the first-of-its-kind to architecturally disclose sensitive data in a manner that's akin to an "uninitialized memory read in the CPU itself." "In contrast to transient execution

New Evil PLC Attack Weaponizes PLCs to Breach OT and Enterprise Networks

16 August 2022 at 10:57
Cybersecurity researchers have elaborated a novel attack technique that weaponizes programmable logic controllers (PLCs) to gain an initial foothold in engineering workstations and subsequently invade the operational technology (OT) networks. Dubbed "Evil PLC" attack by industrial security firm Claroty, the issue impacts engineering workstation software from Rockwell Automation, Schneider

Unified Threat Management: The All-in-One Cybersecurity Solution

16 August 2022 at 10:50
UTM (Unified threat management) is thought to be an all-in-one solution for cybersecurity. In general, it is a versatile software or hardware firewall solution integrated with IPS (Intrusion Prevention System) and other security services. A universal gateway allows the user to manage network security with one comprehensive solution, which makes the task much easier. In addition, compared to a
❌