Today — 23 May 2024: Security News

Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern

By: Newsroom
23 May 2024 at 17:03
Ransomware attacks targeting VMware ESXi infrastructure are following an established pattern regardless of the file-encrypting malware deployed. "Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse,"

CISA Warns of Actively Exploited Apache Flink Security Vulnerability

By: Newsroom
23 May 2024 at 16:44
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting Apache Flink, the open-source, unified stream-processing and batch-processing framework, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2020-17519, the issue relates to a case of improper access control that

New Frontiers, Old Tactics: Chinese Espionage Group Targets Africa & Caribbean Govts

By: Newsroom
23 May 2024 at 13:50
The China-linked threat actor known as Sharp Panda has expanded their targeting to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign. "The campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools," Check Point

APT41: The threat of KeyPlug against Italian industries

23 May 2024 at 13:09

Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug employed in attacks against several Italian industries.

During an extensive investigation, Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug, which for months hit a variety of Italian industries. This backdoor is attributed to the arsenal of APT41, a group whose origin is tied to China.

APT41, also known as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA and WICKED SPIDER, originated in China (with possible ties to the government). It is known for its complex campaigns and the variety of sectors it targets; its motivations range from the exfiltration of sensitive data to financial gain.

The backdoor has been developed to target both Windows and Linux operating systems and uses different communication protocols depending on the configuration of the malware sample itself.

Tinexta Cyber’s team has analyzed both the Windows and Linux variants, identifying common elements that make the threat capable of remaining resilient inside attacked systems even though perimeter defenses such as firewalls, NIDS and EDR were deployed on every endpoint.

The first malware sample is an implant targeting Microsoft Windows operating systems. The infection does not start directly from the implant itself but from another component, a loader written for the .NET framework. This loader is designed to decrypt another file disguised as an icon file. Decryption uses AES, a well-known symmetric encryption algorithm, with the keys stored directly in the sample itself.

Once all decryption operations are completed, the new payload, with SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf, can be analyzed. Delving deeper into that sample, it is possible to detect a direct correspondence between its structure and the one described in Mandiant’s report “Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments”. In this specific case, the XOR key is 0x59.

The Linux version of the KeyPlug malware, however, is slightly more complex and appears to use VMProtect. During static analysis, many strings related to the UPX packer were detected, but the automatic decompression routine did not work. This variant is designed to decode the payload code during execution, and once this is complete, it relaunches itself using the fork syscall. This method breaks the analyst’s control flow, making malware analysis more difficult.


Pivoting on cyber intelligence shared within the cybersecurity community, a potential link has emerged between the APT41 group and the Chinese company I-Soon. On Feb. 16, a large amount of sensitive data from China’s Ministry of Public Security was exposed and then spread on GitHub and Twitter, generating great excitement in the cybersecurity community.

In addition, Hector, among the tools of APT41’s arsenal uncovered through the I-SOON leak, is a possible RAT (Remote Administration Tool), if not KeyPlug itself; according to the leak it can be employed on both Windows and Linux and uses the WSS protocol. WSS (WebSocket Secure) is a network protocol used to establish a secure WebSocket connection between a client and a server. It is the encrypted version of the WS (WebSocket) protocol and relies on TLS (Transport Layer Security) to provide security, similar to how HTTPS is the secure version of HTTP. However, this protocol is not widely adopted by attackers for malware, which narrows attribution for this type of threat.

A connection between the APT41 group and the ISOON data leak incident can be hypothesized. The advanced techniques used and the wide range of sectors targeted coincide with APT41’s typical modus operandi, suggesting a possible connection to this cyber espionage campaign. Deepening the investigation of the ISOON data leak, especially about the tools and methodologies employed, could offer further insight into the involvement of APT41 or similar groups.

“APT41 has always been distinguished by its sophistication and ability to conduct global cyber espionage operations. One of the tools it has used and continues to use is KEYPLUG, a modular backdoor capable of evading major detection systems that has offered the attacker the ability to be silent within compromised systems for months,” Luigi Martire, Technical Leader at Tinexta Cyber, told Security Affairs.

“The risks associated with industrial espionage carried out by groups such as APT41 are significant. Their operations can aim to steal intellectual property, trade secrets, and sensitive information that could confer illicit competitive advantages. Companies operating in technologically advanced or strategic industries are particularly vulnerable, and the consequences of such attacks can include large economic losses, reputational damage, and compromised national security.”

Technical details about the attacks and indicators of compromise (IoCs) are included in the report published by Tinexta Cyber.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, APT41)

Critical SQL Injection flaws impact Ivanti Endpoint Manager (EPM)

23 May 2024 at 10:49

Ivanti addressed multiple flaws in the Endpoint Manager (EPM), including remote code execution vulnerabilities.

Ivanti this week rolled out security patches to address multiple critical vulnerabilities in the Endpoint Manager (EPM). A remote attacker can exploit the flaws to gain code execution under certain conditions.

Below is the list of the addressed vulnerabilities:

CVE (description; CVSS score; vector):

  • CVE-2024-29822: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29823: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29824: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29825: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29826: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29827: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. CVSS 9.6; CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29828: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29829: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29830: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • CVE-2024-29846: An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code. CVSS 8.4; CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

The vulnerabilities impact 2022 SU5 and earlier versions.

Six out of 10 vulnerabilities (CVE-2024-29822, CVE-2024-29823, CVE-2024-29824, CVE-2024-29825, CVE-2024-29826, CVE-2024-29827) have been rated critical (CVSS score 9.6).

The flaws are SQL injection issues; an unauthenticated attacker within the same network can exploit them to execute arbitrary code.

The company is not aware of attacks in the wild exploiting these vulnerabilities.

“We are not aware of any customers being exploited by this vulnerability at the time of disclosure.” reads the advisory.

Pierluigi Paganini


(SecurityAffairs – hacking, Ivanti Endpoint Manager)

Are Your SaaS Backups as Secure as Your Production Data?

23 May 2024 at 11:14
Conversations about data security tend to diverge into three main threads: How can we protect the data we store on our on-premises or cloud infrastructure? What strategies and tools or platforms can reliably backup and restore data? What would losing all this data cost us, and how quickly could we get it back? All are valid and necessary conversations for technology organizations of all shapes

Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed

By: Newsroom
23 May 2024 at 11:14
Governmental entities in the Middle East, Africa, and Asia are the target of a Chinese advanced persistent threat (APT) group as part of an ongoing cyber espionage campaign dubbed Operation Diplomatic Specter since at least late 2022. "An analysis of this threat actor’s activity reveals long-term espionage operations against at least seven governmental entities," Palo Alto Networks

Chinese actor ‘Unfading Sea Haze’ remained undetected for five years

23 May 2024 at 08:55

A previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ has been targeting military and government entities since 2018.

Bitdefender researchers discovered a previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ that has been targeting military and government entities since 2018. The threat group focuses on entities in countries in the South China Sea, and the experts noticed TTP overlap with operations attributed to APT41.

Bitdefender identified a troubling trend: attackers repeatedly regained access to compromised systems, highlighting weaknesses such as poor credential hygiene and inadequate patching practices.

Unfading Sea Haze remained undetected for over five years; despite extensive artifact cross-referencing and public report analysis, no traces of their prior activities were found.

Unfading Sea Haze’s targets confirm an alignment with Chinese interests. The group utilized various variants of the Gh0st RAT, commonly associated with Chinese actors.

A notable technique involved running JScript code through SharpJSHandler, similar to a feature in the “funnyswitch” backdoor linked to APT41. Both methods involve loading .NET assemblies and executing JScript code, suggesting shared coding practices among Chinese threat actors.

Taken together, these findings indicate a sophisticated threat actor possibly connected to the Chinese cyber landscape.

The researchers cannot determine the initial method used by Unfading Sea Haze to infiltrate victim systems because the initial breach happened over six years ago, making it hard to recover forensic evidence.

However, the researchers determined that one of the methods used by the threat actors to regain access to the target organizations is spear-phishing emails. The messages use specially crafted archives containing LNK files disguised as regular documents. When clicked, the LNK files execute malicious commands. The experts observed multiple spear-phishing attempts between March and May 2023.

Some of the email attachment names used in the attacks are:

  • SUMMARIZE SPECIAL ORDERS FOR PROMOTIONS CY2023
  • Data
  • Doc
  • Startechup_fINAL

The payload employed in the attacks is a backdoor named SerialPktdoor. However, in March 2024, the researchers observed the threat actors using new initial access archive files. These archives mimicked the installation process of Microsoft Defender or exploited current US political issues.

The backdoor runs PowerShell scripts and performs operations on files and directories.

“These LNK files execute a PowerShell command line” reads the report. “This is a clever example of a fileless attack that exploits a legitimate tool: MSBuild.exe. MSBuild, short for Microsoft Build Engine, is a powerful tool for automating the software build process on Windows. MSBuild reads a project file, which specifies the location of all source code components, the order of assembly, and any necessary build tools.”


The threat actors maintain persistence through scheduled tasks; to avoid detection, the attackers used task names impersonating legitimate Windows files. The tasks are combined with DLL sideloading to execute a malicious payload.

Attackers also manipulate local Administrator accounts to maintain persistence: they were spotted enabling the disabled local Administrator account and then resetting its password.

Unfading Sea Haze has notably begun using Remote Monitoring and Management (RMM) tools, particularly ITarian RMM, since at least September 2022 to compromise targets’ networks. This approach represents a significant shift from typical nation-state tactics. Additionally, experts collected evidence that they may have established persistence on web servers, such as Windows IIS and Apache httpd, likely using web shells or malicious modules. However, the exact persistence mechanisms remain unclear due to insufficient forensic data.

The Chinese threat actor has developed a sophisticated collection of custom malware and hacking tools. Since at least 2018, they used SilentGh0st, TranslucentGh0st, and three variants of the .NET agent SharpJSHandler supported by Ps2dllLoader. In 2023, they replaced Ps2dllLoader with a new mechanism using msbuild.exe and C# payloads from a remote SMB share. The attackers also replaced fully featured Gh0stRat variants with more modular, plugin-based versions called FluffyGh0st, InsidiousGh0st (available in C++, C#, and Go), and EtherealGh0st.
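The persistence behaviours described above (scheduled tasks named after Windows files, a re-enabled built-in Administrator account, and msbuild.exe launched with payloads from an SMB share) can be triaged on a host with a short script. The following is an added example written for this write-up, not Bitdefender's code; the MSBuild and UNC patterns and the task-name rule are heuristics chosen here, and every hit is a lead to verify rather than a verdict.

```powershell
# Added example (not from the Bitdefender report): host triage for the
# persistence behaviours above. Reports whether the built-in local
# Administrator (RID 500, whatever it is currently named) is enabled and when
# its password was last set, and lists scheduled tasks whose actions run
# MSBuild, execute from a UNC (SMB) path, or carry the name of a file in the
# Windows directory while running a binary from somewhere else. Run elevated.

function Get-BuiltinAdminStatus {
    # RID 500 is the built-in Administrator even when the account was renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Name            = $admin.Name
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        LastLogon       = $admin.LastLogon
    }
}

function Get-SuspiciousScheduledTasks {
    # File names shipped in %windir% and System32, used to spot look-alike task names.
    $windowsNames = Get-ChildItem -Path $env:windir, (Join-Path $env:windir 'System32') -File -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name.ToLowerInvariant(); $_.BaseName.ToLowerInvariant() } |
        Sort-Object -Unique

    $hits = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $cmd = "$exe $($action.Arguments)"
            $why = @()
            if ($cmd -match 'msbuild(\.exe)?')   { $why += 'runs MSBuild (loader for C# payloads in the report)' }
            if ($cmd -match '\\\\[^\\\s"]+\\')   { $why += 'executes from a UNC/SMB path' }
            if (($windowsNames -contains $task.TaskName.ToLowerInvariant()) -and
                ($exe -notlike "$env:windir\*")) {
                $why += 'task named like a Windows file but its binary lives outside the Windows directory'
            }
            if ($why.Count -gt 0) {
                $hits += [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Command = $cmd
                    Reason  = $why -join '; '
                }
            }
        }
    }
    return $hits
}

'--- Built-in Administrator ---'
Get-BuiltinAdminStatus | Format-List
'--- Scheduled tasks worth a look ---'
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

A recently enabled RID-500 account with a fresh PasswordLastSet, or a task whose name matches a System32 file but whose binary sits under a user-writable directory, is the pattern the report describes and is worth pulling the task XML and the binary for.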

“One of the payloads delivered by Ps2dllLoader is SharpJSHandler.” reads the report. “SharpJSHandler operates by listening for HTTP requests. Upon receiving a request, it executes the encoded JavaScript code using the Microsoft.JScript library.

Our investigation also uncovered two additional variations that utilize cloud storage services for communication instead of direct HTTP requests. We have found variations for DropBox and for OneDrive. In this case, SharpJSHandler retrieves the payload periodically from a DropBox/OneDrive account, executes it, and uploads the resulting output back to the same location.

These cloud-based communication methods present a potential challenge for detection as they avoid traditional web shell communication channels.”

The threat actors used both custom malware and off-the-shelf tools to gather sensitive data from victim machines.

One of the tools used for data collection is a keylogger called xkeylog; the group also used a web browser data stealer, a tool to monitor the presence of portable devices, and a custom tool named DustyExfilTool.

The attackers are also able to target messaging applications like Telegram and Viber. They first terminate the processes for these apps (telegram.exe and viber.exe), then use rar.exe to archive the application data.

“The Unfading Sea Haze threat actor group has demonstrated a sophisticated approach to cyberattacks. Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques.” concludes the report. “The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures. Attackers are constantly adapting their tactics, necessitating a layered security approach.”

Pierluigi Paganini


(SecurityAffairs – hacking, China)

Ivanti Patches Critical Remote Code Execution Flaws in Endpoint Manager

By: Newsroom
23 May 2024 at 09:21
Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances. Six of the 10 vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to

A consumer-grade spyware app found in check-in systems of 3 US hotels

23 May 2024 at 06:27

A researcher discovered a consumer-grade spyware app on the check-in systems of at least three Wyndham hotels across the US.

The security researcher Eric Daigle discovered a commercial spyware app, called pcTattletale, on the check-in systems of at least three Wyndham hotels across the US, TechCrunch first reported. The app is often used by parents to monitor their children’s online activities or by employers to keep track of employee productivity and internet usage.

Daigle discovered the commercial surveillance software on the hotel check-in systems while investigating consumer-grade spyware (aka stalkerware). 

pcTattletale is a software program designed for monitoring and recording the activities of computer users.

The software was used by someone to capture screenshots of the hotel booking systems, including guest details. Daigle also discovered a vulnerability in the monitoring software that allows anyone to access the screenshots taken by the app.

“PCTattletale is a simple stalkerware app. Rather than the sophisticated monitoring of many similarly insecure competitors it simply asks for permission to record the targeted device (Android and Windows are supported) on infection. Afterward the observer can log in to an online portal and activate recording, at which point a screen capture is taken on the device and played on the target’s browser.” wrote Daigle in a post. “I recently discovered a serious vulnerability in PCTattletale’s API allowing any attacker to obtain the most recent screen capture recorded from any device on which PCTattletale is installed. It is distinct from the IDOR previously discovered by Jo Coscia, and makes it trivial to actually obtain captures from other devices.”

Daigle attempted to report the flaw to pcTattletale, but the company has not responded. He shared limited details about the screenshot bug in a blog post, intentionally omitting specifics to prevent malicious exploitation.

“The screenshots from two Wyndham hotels, seen by TechCrunch, show the names and reservation details of guests on a web portal provided by travel tech giant Sabre. The screenshots of the web portals also display guests’ partial payment card numbers.” reported TechCrunch. “Another screenshot showed access to a third Wyndham hotel’s check-in system, which at the time was logged into Booking.com’s administration portal used to manage a guest’s reservation.”

It’s unclear who installed the malware on the hotel systems and what their motivation was.

Pierluigi Paganini


(SecurityAffairs – hacking, consumer-grade spyware app)

The End of an Era: Microsoft Phases Out VBScript for JavaScript and PowerShell

By: Newsroom
23 May 2024 at 05:33
Microsoft on Wednesday outlined its plans to deprecate Visual Basic Script (VBScript) in the second half of 2024 in favor of more advanced alternatives such as JavaScript and PowerShell. "Technology has advanced over the years, giving rise to more powerful and versatile scripting languages such as JavaScript and PowerShell," Microsoft Program Manager Naveen Shankar said. "These languages

Yesterday — 22 May 2024: Security News

Critical Veeam Backup Enterprise Manager authentication bypass bug

22 May 2024 at 18:01

A critical security vulnerability in Veeam Backup Enterprise Manager could allow threat actors to bypass authentication.

A critical vulnerability, tracked as CVE-2024-29849 (CVSS score: 9.8), in Veeam Backup Enterprise Manager could allow attackers to bypass authentication.

Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication environments. It offers a web-based interface that allows users to manage multiple Veeam Backup & Replication servers, monitor backup jobs, and generate reports.

“This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user.” reads the advisory published by the vendor.

The company has addressed the following vulnerabilities in Veeam Backup Enterprise Manager:

  • CVE-2024-29850 (CVSS score: 8.8) – the flaw allows account takeover via NTLM relay.
  • CVE-2024-29851 (CVSS score: 7.2) – the flaw allows a high-privileged user to steal the NTLM hash of the Veeam Backup Enterprise Manager service account if that service account is anything other than the default Local System account.
  • CVE-2024-29852 (CVSS score: 2.7) – the flaw allows a privileged user to read backup session logs.

The four vulnerabilities have been addressed with the release of version 12.1.2.172. The company also provided the following mitigation:

  • This vulnerability can be mitigated by halting the Veeam Backup Enterprise Manager software.
    To do this, stop and disable the following services:
    • VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager)
    • VeeamRESTSvc (Veeam RESTful API Service)
      Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.
  • Veeam Backup Enterprise Manager is compatible with managing Veeam Backup & Replication servers running an older version than Veeam Backup Enterprise Manager. Therefore, if the Veeam Backup Enterprise Manager software is installed on a dedicated server, Veeam Backup Enterprise Manager can be upgraded to version 12.1.2.172 without the need to upgrade Veeam Backup & Replication immediately.
  • Veeam Backup Enterprise Manager can be uninstalled if it is not in use.
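The interim mitigation above (stop and disable two services, leave the Backup Server RESTful API service running) is easy to get wrong by hand. The following is an added example, not Veeam's or Security Affairs' code: it checks the installed build so that a host already on 12.1.2.172 is left alone, then applies the service changes. It assumes the file version of the VeeamEnterpriseManagerSvc binary equals the product build; verify that against Programs and Features on your host.

```powershell
# Added example (not Veeam's code): apply the CVE-2024-29849 interim mitigation
# on a Veeam Backup Enterprise Manager host. Run elevated; use -DryRun first.
# Assumption: the file version of the service binary equals the product build.

$FixedVersion      = [version]'12.1.2.172'
$ServicesToDisable = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')     # from the advisory
$MustKeepRunning   = 'Veeam Backup Server RESTful API Service'           # display name; must NOT be stopped

function Get-EnterpriseManagerVersion {
    # Resolve the service binary from the service definition and read its file version.
    $svc = Get-CimInstance Win32_Service -Filter "Name='VeeamEnterpriseManagerSvc'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $parsed = $null
    if (-not [version]::TryParse((Get-Item $exe).VersionInfo.FileVersion, [ref]$parsed)) { return $null }
    return $parsed
}

function Invoke-VeeamEmMitigation {
    param([switch]$DryRun)

    $ver = Get-EnterpriseManagerVersion
    if ($null -eq $ver) {
        Write-Host 'VeeamEnterpriseManagerSvc not found or its version is unreadable; nothing done.'
        return
    }
    if ($ver -ge $FixedVersion) {
        Write-Host "Installed build $ver already contains the fix (>= $FixedVersion); nothing to do."
        return
    }
    Write-Warning "Enterprise Manager $ver is affected by CVE-2024-29849; applying the interim mitigation."

    foreach ($name in $ServicesToDisable) {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $s) { Write-Host "$name not present, skipping."; continue }
        # Guard against a mix-up with the service the advisory says to leave alone.
        if ($s.DisplayName -eq $MustKeepRunning) { throw "Refusing to stop '$MustKeepRunning'." }
        if ($DryRun) { Write-Host "Would stop and disable $name ($($s.DisplayName))."; continue }
        Stop-Service -Name $name -Force
        Set-Service  -Name $name -StartupType Disabled
        Write-Host "$name stopped and set to Disabled."
    }

    # The Backup Server RESTful API service is not part of the mitigation and
    # must still be running afterwards; report its state so the operator can see it.
    $keep = Get-Service -DisplayName $MustKeepRunning -ErrorAction SilentlyContinue
    if ($keep) { Write-Host "$($keep.Name) ('$MustKeepRunning') status: $($keep.Status)" }
}

Invoke-VeeamEmMitigation -DryRun
```

Drop -DryRun once the output names only the two expected services; the mitigation is a stopgap until the host is upgraded to 12.1.2.172.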

Pierluigi Paganini


(SecurityAffairs – hacking, Veeam)

Achieve security compliance with Wazuh File Integrity Monitoring

21 May 2024 at 10:30
File Integrity Monitoring (FIM) is an IT security control that monitors and detects file changes in computer systems. It helps organizations audit important files and system configurations by routinely scanning and verifying their integrity. Most information security standards mandate the use of FIM for businesses to ensure the integrity of their data. IT security compliance involves adhering to

Cybercriminals are targeting elections in India with influence campaigns

22 May 2024 at 16:51

Resecurity warns of a surge in malicious cyber activity targeting the election in India, orchestrated by several independent hacktivist groups.

Resecurity has identified a spike of malicious cyber activity targeting the election in India, supported by multiple independent hacktivist groups who arrange cyber-attacks and publish stolen personally identifiable information (PII) belonging to Indian citizens on the Dark Web.

India, with a population of over 1.4 billion and a GDP of over 3.417 trillion USD, has become a prime target for cyberattacks during its general elections scheduled between 19 April and 1 June 2024.

Multiple independent hacktivist groups are targeting India’s elections with influence and public opinion manipulation campaigns, Resecurity reports. The campaigns are designed to sway voters’ opinions and undermine trust in the democratic process. Attackers have also defaced websites and leaked data to launch influence campaigns against India’s government leaders, said researchers.

Around 16 different independent hacktivist groups are targeting Indian elections, including Anon Black Flag Indonesia, Anonymous Bangladesh, and Morocco Black Cyber Army, among others.

“These 16 groups have targeted multiple law enforcement, government, healthcare, financial, educational, and private sector organizations in India, taking advantage of geopolitical narratives before recent elections,” researchers noted.

Resecurity observed that the Ahadun-Ahad 2.0 Team has published Indian Voter ID cards on Telegram, which are issued by the Election Commission of India to 18+ individuals domiciled in India. The source of the data is unclear, but they suspect it is linked to compromised third-party entities. Earlier, cybercriminals have stolen AADHAAR, PAN, driving licenses, and NOC documents from the Dark Web, including 36 GB of personally identifiable information (PII) belonging to Indian citizens.

The data, primarily in graphic form with victims’ selfies, could be used to spread false information, undermine trust in the electoral process, and profit from selling stolen information on the dark web. Resecurity alerted law enforcement and federal authorities to the leaked data.

Besides graphical data files, including voter registration records and credentials from the Voter Portal, the actors also leaked large data sets containing voters’ credentials collected using infostealers. Such malware programs, including Nexus, Medusa, Redline, Lumma, and Raccoon, are designed to steal sensitive information such as login credentials and financial data. Specific signatures identified in the leaked data sets may confirm that they originate not from any vulnerable election systems, but from consumers compromised with malicious code. The compromised credentials could have been obtained by intercepting login forms in popular Internet browsers or by accessing password storage on compromised devices. At some point, threat actors were aiming to leak a large number of voters’ records to create the perception that election systems are vulnerable. In fact, the origin of these credentials is on the consumer side, as many Internet users are infected with malware due to poor network hygiene and lack of cybersecurity awareness.

Researchers also observed public opinion manipulation campaigns targeting Indian government leaders, using data leaks, website defacements, and political narratives. These ‘cyber-guerilla’ tactics blur attribution and operate under the ‘false flag’ of independent hacktivists aiming to create social conflict between Indian and Muslim populations.

Resecurity has summarized the key risk indicators of malicious activity to increase cybersecurity awareness among Indian citizens, encouraging them not to react to any claims or narratives originating from unreliable sources planted by cybercriminals, which could affect their votes.

The full report is available here: https://www.resecurity.com/blog/article/cybercriminals-are-targeting-elections-in-india-with-influence-campaigns

Pierluigi Paganini


(SecurityAffairs – hacking, India)

Researchers Warn of Chinese-Aligned Hackers Targeting South China Sea Countries

By: Newsroom
22 May 2024 at 14:15
Cybersecurity researchers have disclosed details of a previously undocumented threat group called Unfading Sea Haze that's believed to have been active since 2018. The intrusion singled out high-level organizations in South China Sea countries, particularly military and government targets, Bitdefender said in a report shared with The Hacker News. "The investigation revealed a troubling

An ongoing malware campaign exploits Microsoft Exchange Server flaws

22 May 2024 at 13:19

A threat actor is targeting organizations in Africa and the Middle East by exploiting Microsoft Exchange Server flaws to deliver malware.

While responding to a customer’s incident, Positive Technologies researchers spotted an unknown keylogger embedded in the main Microsoft Exchange Server page. The keylogger was used to collect account credentials. Further investigation allowed them to identify over 30 victims in multiple countries, most of whom were linked to government agencies. According to the researchers, the malware campaign targeting MS Exchange Server has been active since at least 2021. The researchers can’t attribute this campaign to a specific group; however, they observed that most victims are in Africa and the Middle East.

Some of the countries targeted by this campaign are Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

The threat actors exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) in Microsoft Exchange Server to inject an info stealer. They added keylogger code to the server’s main page by embedding it into the clkLgn() function.

The attackers also added code to the logon.aspx file that processes the results of the stealer and writes the account credentials to a file accessible from the internet.


“You can check for potential compromise by searching for the stealer code on the main page of your Microsoft Exchange server.” concludes the report from Positive Technologies. “If your server has been compromised, identify the account data that has been stolen and delete the file where this data is stored by hackers. You can find the path to this file in the logon.aspx file. Make sure you are using the latest version of Microsoft Exchange Server, or install pending updates.”
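The check the report recommends, searching the Exchange logon page for the injected stealer code, can be scripted. The following is an added example written for this summary, not the Positive Technologies report's own code: it compares logon.aspx with a clean copy when one is available, isolates the clkLgn() JavaScript function the report names and flags constructs a stock sign-in handler does not need, and lists server-side code blocks that write files, which is where the report says the path of the credential file can be found. Assumptions: the path below is the default OWA logon page (verify on your build), and the keyword lists are heuristics, not a signature for this campaign.

```powershell
# Added example (not from the Positive Technologies report): triage script for
# the Exchange logon.aspx check described above. Run on the Exchange server.
# Assumption: $env:ExchangeInstallPath is set and the OWA logon page lives at
# FrontEnd\HttpProxy\owa\auth\logon.aspx (the default on current builds).

function Get-JsFunctionBody {
    param([string]$Source, [string]$Name)
    # Brace-matched extraction of "function Name(...) { ... }"; $null if absent.
    $m = [regex]::Match($Source, "function\s+$Name\s*\([^)]*\)\s*\{")
    if (-not $m.Success) { return $null }
    $depth = 0
    for ($i = $m.Index + $m.Length - 1; $i -lt $Source.Length; $i++) {
        $c = $Source[$i]
        if ($c -eq '{') { $depth++ } elseif ($c -eq '}') { $depth-- }
        if ($depth -eq 0) { return $Source.Substring($m.Index, $i - $m.Index + 1) }
    }
    return $null
}

function Test-ExchangeLogonPage {
    param(
        [string]$LogonPage = (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth\logon.aspx'),
        [string]$KnownGoodCopy   # optional: logon.aspx from a clean server on the same CU
    )
    if (-not (Test-Path $LogonPage)) { throw "logon page not found: $LogonPage" }
    $src = Get-Content -Path $LogonPage -Raw
    $findings = @()

    # 1. Whole-file comparison: the strongest check when a clean reference exists.
    if ($KnownGoodCopy -and (Test-Path $KnownGoodCopy)) {
        $h1 = (Get-FileHash -Path $LogonPage -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -Path $KnownGoodCopy -Algorithm SHA256).Hash
        if ($h1 -ne $h2) { $findings += "logon.aspx differs from the known-good copy ($h1 vs $h2)" }
    }
    $lastWrite = (Get-Item $LogonPage).LastWriteTimeUtc.ToString('u')
    $findings += "logon.aspx last written $lastWrite (compare with your CU/SU install dates)"

    # 2. The clkLgn() handler: exfiltration or obfuscation primitives do not belong here.
    $body = Get-JsFunctionBody -Source $src -Name 'clkLgn'
    if ($null -eq $body) {
        $findings += 'clkLgn() not found; page differs from the expected layout, inspect manually'
    } else {
        $jsIndicators = 'XMLHttpRequest', 'fetch(', 'sendBeacon', 'new Image(', 'btoa(',
                        'eval(', 'unescape(', 'String.fromCharCode'
        foreach ($kw in $jsIndicators) {
            if ($body.Contains($kw)) { $findings += "clkLgn() references '$kw'" }
        }
    }

    # 3. Server-side <% %> code blocks (directives and <%= %> expressions excluded)
    #    that write to disk: a stock logon page has none, and the report says the
    #    drop-file path is found in this file.
    $fileApis = 'File.AppendAllText', 'File.WriteAllText', 'File.WriteAllLines', 'StreamWriter', 'FileStream', 'Server.MapPath'
    foreach ($blk in [regex]::Matches($src, '<%(?![@=])(.*?)%>', 'Singleline')) {
        foreach ($api in $fileApis) {
            if ($blk.Value.Contains($api)) {
                $snippet = ($blk.Value -replace '\s+', ' ').Trim()
                if ($snippet.Length -gt 160) { $snippet = $snippet.Substring(0, 160) + '...' }
                $findings += "server-side block uses $api -> $snippet"
            }
        }
    }
    return $findings
}

$result = @(Test-ExchangeLogonPage)
if ($result.Count -le 1) {
    $result
    'No further indicators found; this does not prove the page is clean, diff it against a clean copy if you can.'
} else {
    $result
}
```

Run it with -KnownGoodCopy pointing at logon.aspx from an unaffected server on the same Cumulative Update; a hash mismatch plus a server-side block that writes a file is the combination the report describes.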


(SecurityAffairs – hacking, MS Exchange Server)

Rockwell Advises Disconnecting Internet-Facing ICS Devices Amid Cyber Threats

By: Newsroom
22 May 2024 at 12:21
Rockwell Automation is urging its customers to disconnect all industrial control systems (ICSs) not meant to be connected to the public-facing internet to mitigate unauthorized or malicious cyber activity. The company said it's issuing the advisory due to "heightened geopolitical tensions and adversarial cyber activity globally." To that end, customers are required to take immediate

Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now!

22 May 2024 at 10:05

GitHub addressed a vulnerability in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication.

GitHub has rolled out security fixes to address a critical authentication bypass issue, tracked as CVE-2024-4985 (CVSS score: 10.0), in the GitHub Enterprise Server (GHES).

GitHub Enterprise Server (GHES) is a self-hosted version of GitHub designed for use within organizations. It provides the full capabilities of GitHub, including source code management, version control, collaboration tools, and continuous integration and delivery (CI/CD), but allows organizations to host the platform on their own infrastructure. This setup is ideal for companies that require more control over their data, enhanced security, and customization to meet internal compliance and regulatory requirements.

The authentication bypass vulnerability impacts GHES when using SAML single sign-on with encrypted assertions. An attacker can trigger the issue to forge SAML responses, granting them site administrator privileges without prior authentication.

“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.” reads the advisory published by the company. “Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.”

The company pointed out that encrypted assertions are not enabled by default and that the vulnerability only affects instances using SAML single sign-on (SSO) with the optional encrypted assertions feature enabled; instances that do not use SAML SSO, or that use SAML SSO without encrypted assertions, are not impacted. Encrypted assertions are a security measure that encrypts the messages the SAML identity provider (IdP) sends to GHES during SAML SSO.

The vulnerability affected all GHES versions before 3.13.0 and was addressed with the release of versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. The issue was reported through the GitHub Bug Bounty program.

Pierluigi Paganini

The Ultimate SaaS Security Posture Management Checklist, 2025 Edition

22 May 2024 at 10:01
Since the first edition of The Ultimate SaaS Security Posture Management (SSPM) Checklist was released three years ago, the corporate SaaS sprawl has been growing at a double-digit pace. In large enterprises, the number of SaaS applications in use today is in the hundreds, spread across departmental stacks, complicating the job of security teams to protect organizations against

GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

By: Newsroom
22 May 2024 at 08:57
Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver (BYOVD) attack. Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese

OmniVision disclosed a data breach after the 2023 Cactus ransomware attack

22 May 2024 at 07:40

The digital imaging products manufacturer OmniVision disclosed a data breach after the 2023 ransomware attack.

OmniVision Technologies is a company that specializes in developing advanced digital imaging solutions. In 2023, OmniVision employed 2,200 people and had an annual revenue of $1.4 billion. OmniVision Technologies Inc. is an American subsidiary of Chinese semiconductor device and mixed-signal integrated circuit design house Will Semiconductor. The company designs and develops digital imaging products for use in mobile phones, laptops, netbooks and webcams, security and surveillance cameras, entertainment, automotive and medical imaging systems.

In 2023, the imaging sensors manufacturer was the victim of a Cactus ransomware attack.

Last week, OmniVision notified the California Office of the Attorney General. The threat actors had access to the company systems between September 4 and September 30, 2023, when they deployed ransomware.

“On September 30, 2023, OVT became aware of a security incident that resulted in the encryption of certain OVT systems by an unauthorized third party. In response to this incident, we promptly launched a comprehensive investigation with the assistance of third-party cybersecurity experts and notified law enforcement. At the same time, we took proactive measures to remove the unauthorized party and ensure the security of OVT systems.” reads the data breach notification. “This in-depth investigation determined that an unauthorized party took some personal information from certain systems between September 4, 2023, and September 30, 2023. On April 3, 2024, after completion of this comprehensive review, we determined that some of your personal information was involved.”

At this time, the number of impacted individuals is unclear.

In October, 2023, the Cactus ransomware group added OmniVision to the list of victims on its Tor leak site. As proof of the data breach, the extortion group published data samples, including passport images, NDAs, contracts, and other documents.

Then, after the failure of the alleged negotiation, the gang released all the stolen data for free. However, OmniVision is currently no longer listed on the Cactus ransomware leak site.

As a result of the incident, OmniVision implemented more monitoring solutions to detect suspicious activity and prevent recurrence. The company is also updating security policies, migrating some systems to the cloud, and requiring additional security awareness training. Although there is no evidence of fraudulent use of the personal information of the impacted individuals, the company is offering complimentary credit monitoring and identity restoration services for 24 months.

The Cactus ransomware operation has been active since March 2023. Kroll researchers reported that the ransomware strain is notable for the use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer; it also uses a modified variant of the open-source PSnmap tool.

The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.

Once the malware has escalated privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.

Cactus uses the Rclone tool for data exfiltration and a PowerShell script called TotalExec, previously used by BlackBasta ransomware operators, to automate the deployment of the encryption process.

In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.

Pierluigi Paganini

MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks

By: Newsroom
22 May 2024 at 07:41
An unknown threat actor is exploiting known security flaws in Microsoft Exchange Server to deploy a keylogger malware in attacks targeting entities in Africa and the Middle East. Russian cybersecurity firm Positive Technologies said it identified over 30 victims spanning government agencies, banks, IT companies, and educational institutions. The first-ever compromise dates back to 2021. "This

QNAP Patches New Flaws in QTS and QuTS hero Impacting NAS Appliances

By: Newsroom
22 May 2024 at 05:15
Taiwanese company QNAP has rolled out fixes for a set of medium-severity flaws impacting QTS and QuTS hero, some of which could be exploited to achieve code execution on its network-attached storage (NAS) appliances. The issues, which impact QTS 5.1.x and QuTS hero h5.1.x, are listed below - CVE-2024-21902 - An incorrect permission assignment for critical resource

Zoom Adopts NIST-Approved Post-Quantum End-to-End Encryption for Meetings

By: Newsroom
22 May 2024 at 04:46
Popular enterprise services provider Zoom has announced the rollout of post-quantum end-to-end encryption (E2EE) for Zoom Meetings, with support for Zoom Phone and Zoom Rooms coming in the future. "As adversarial threats become more sophisticated, so does the need to safeguard user data," the company said in a statement. "With the launch of post-quantum E2EE, we are doubling down on

Critical Veeam Backup Enterprise Manager Flaw Allows Authentication Bypass

By: Newsroom
22 May 2024 at 03:45
Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication protections. Tracked as CVE-2024-29849 (CVSS score: 9.8), the vulnerability could allow an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as

Before yesterday: Security News

CISA adds NextGen Healthcare Mirth Connect flaw to its Known Exploited Vulnerabilities catalog

21 May 2024 at 19:59

CISA adds NextGen Healthcare Mirth Connect deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a NextGen Healthcare Mirth Connect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-43208, is a Deserialization of Untrusted Data Vulnerability.

Deserialization of untrusted data vulnerability is a security flaw that occurs when an application deserializes data from an untrusted source without properly validating or sanitizing it. Deserialization is the process of converting serialized data (data formatted for storage or transmission) back into an object or data structure that a program can use.

The flaw impacts NextGen Healthcare Mirth Connect before version 4.4.1; an unauthenticated remote attacker can trigger it to achieve code execution.

US CISA also added the recently disclosed Google Chromium V8 type confusion vulnerability (CVE-2024-4947) to the catalog.

The vulnerability CVE-2024-4947 is a type confusion issue that resides in the V8 JavaScript engine. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.

“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 10, 2024.

Pierluigi Paganini

Why Your Wi-Fi Router Doubles as an Apple AirTag

21 May 2024 at 16:21

Image: Shutterstock.

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location based on the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API will return the geolocations of up to 400 more BSSIDs that are near the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.

UMD Associate Professor David Levin and Ph.D. student Erik Rye found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the Institute of Electrical and Electronics Engineers (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

A heatmap of Starlink routers in Ukraine. Image: UMD.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.

“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.

Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.

UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:

“In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.

Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending “_nomap” to the network’s name.

Asked about the changes, Apple said they have respected the “_nomap” flag on SSIDs for some time, but that this was only called out in a support article earlier this year.

Rye said Apple’s response addressed the most depressing aspect of their research: that there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”
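The two mitigations the article names, the “_nomap” SSID suffix that opts an access point out of Apple’s and Google’s indexing and a randomized BSSID that is not a stable manufacturer-assigned identifier, can be checked locally on your own access points. The script below is an added example, not code from the article or from the UMD researchers; it assumes a randomized BSSID can be recognised by the IEEE locally administered bit (bit 1 of the first octet), which randomized MAC addresses set and factory-assigned MACs with a registered OUI leave clear, and the sample access points in it are constructed.

```python
"""Check whether a Wi-Fi access point's identifiers limit what a Wi-Fi
positioning system (WPS) such as Apple's or Google's can learn about it.

Added example, not code from the article or from the UMD researchers.
Assumption: a randomized BSSID is detected through the IEEE "locally
administered" bit; that bit does not prove the address changes over time,
only that it is not a burned-in address from an IEEE-assigned OUI range
(the ranges the researchers used to guess valid BSSIDs).
"""
import re
from dataclasses import dataclass

NOMAP_SUFFIX = "_nomap"  # honoured by both Apple and Google, per the article


def parse_bssid(bssid: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", bssid)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {bssid!r}")
    return bytes.fromhex(hexdigits)


def is_locally_administered(bssid: str) -> bool:
    """U/L bit (bit 1 of the first octet): set on randomized addresses,
    clear on factory-assigned addresses that carry a registered OUI."""
    return bool(parse_bssid(bssid)[0] & 0x02)


def is_multicast(bssid: str) -> bool:
    """I/G bit (bit 0 of the first octet); never valid for an AP's BSSID."""
    return bool(parse_bssid(bssid)[0] & 0x01)


def oui(bssid: str) -> str:
    """First three octets, the block the IEEE registers to a manufacturer."""
    return parse_bssid(bssid)[:3].hex(":").upper()


def opted_out_of_wps(ssid: str) -> bool:
    """True when the network name asks Apple and Google not to index the AP."""
    return ssid.endswith(NOMAP_SUFFIX)


@dataclass(frozen=True)
class Assessment:
    ssid: str
    bssid: str
    locally_administered: bool
    opted_out: bool
    exposure: str  # "opt-out", "reduced" or "high"


def assess_access_point(ssid: str, bssid: str) -> Assessment:
    """Rank how trackable the AP is through a WPS database over time."""
    if is_multicast(bssid):
        raise ValueError(f"{bssid!r} is a multicast address, not an AP BSSID")
    randomized = is_locally_administered(bssid)
    nomap = opted_out_of_wps(ssid)
    if nomap:
        exposure = "opt-out"   # AP asks not to be indexed at all
    elif randomized:
        exposure = "reduced"   # may be indexed, but not under a stable identifier
    else:
        exposure = "high"      # stable factory BSSID, indexed wherever it goes
    return Assessment(ssid, bssid, randomized, nomap, exposure)


if __name__ == "__main__":
    # Constructed sample access points; the addresses are invented.
    samples = [
        ("HomeNet", "00:11:22:33:44:55"),        # factory BSSID, indexed
        ("HomeNet_nomap", "00:11:22:33:44:55"),  # same router, opted out
        ("Phone hotspot", "da:a1:19:00:00:01"),  # locally administered bit set
    ]
    for ssid, bssid in samples:
        a = assess_access_point(ssid, bssid)
        print(f"{ssid:16} {bssid}  OUI={oui(bssid)}  exposure={a.exposure}")
```

Run it against the SSID and BSSID your router reports; an AP that is neither opted out nor using a locally administered address is the case the researchers could track across cities.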

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”

A copy of the UMD research is available here (PDF).

Update, May 22, 4:54 p.m. ET: Added response from Apple.

Critical GitHub Enterprise Server Flaw Allows Authentication Bypass

By: Newsroom
21 May 2024 at 16:16
GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections. Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication. "On instances that use SAML single sign-on (SSO) authentication with the

Blackbasta group claims to have hacked Atlas, one of the largest US oil distributors

21 May 2024 at 13:50

The Blackbasta extortion group claims to have hacked Atlas, one of the largest national distributors of fuel in the United States.

Atlas is one of the largest national fuel distributors, serving 49 continental US states with over 1 billion gallons per year.

The Blackbasta extortion group added the company to the list of victims on its Tor leak site, as the researcher Dominic Alvieri reported.

Atlas Oil allegedly breached by Basta.

Atlas is one of the largest national distributers of fuel to 49 continental US States with over 1 billion gallons per year.

Sunoco is the largest at 8 billion gallons. pic.twitter.com/5OUODUt3fu

— Dominic Alvieri (@AlvieriD) May 20, 2024

The gang claims to have stolen 730GB of data from ATLAS, including corporate data (accounts, HR, finance, executive and department data) and user and employee data.

The gang published a series of documents as proof of the hack, including people’s ID cards, data sheets, payroll payment requesters and a picture of the folder exfiltrated from the victim’s systems.

The oil company has yet to disclose the alleged incident.

Black Basta has been active since April 2022 and, like other ransomware operations, it uses a double-extortion attack model.

In November 2022, Sentinel Labs researchers reported having found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7.

In November 2022, experts at the Cybereason Global SOC (GSOC) team observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US.

The attack chain starts with a QBot infection; the operators then use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks begin with a spam/phishing email containing malicious URL links.

The researchers noticed that once it has obtained access to the network, the threat actor moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours.

Pierluigi Paganini