Researchers at Insikt Group observed Russian GRU’s unit APT28 targeting networks across Europe with information-stealer Headlace and credential-harvesting web pages. The experts observed the APT deploying Headlace in three distinct phases from April to December 2023, respectively, using phishing, compromised internet services, and living off the land binaries. The credential harvesting pages were designed to target Ukraine’s Ministry of Defence, European transportation infrastructures, and an Azerbaijani think tank. The credential harvesting pages created by the group can defeat two-factor authentication and CAPTCHA challenges by relaying requests between legitimate services and compromised Ubiquiti routers.
In some attackers, threat actors created specially-crafted web pages on Mocky that interact with a Python script running on compromised Ubiquiti routers to exfiltrate the provided credentials.
The compromise of networks associated with Ukraine’s Ministry of Defence and European railway systems could allow attackers to gather intelligence to influence battlefield tactics and broader military strategies. Additionally, their interest in the Azerbaijan Center for Economic and Social Development indicates a potential agenda to understand and possibly influence regional policies.
Insikt Group speculates the operation is aimed at influencing regional and military dynamics.
The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.
The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
The attack chain used in the attacks detailed by Insikt Group has seven distinct infrastructure stages to filter out sandboxes, incompatible operating systems, and non-targeted countries. Victims who failed these checks downloaded a benign file and were redirected to Microsoft’s web portal, msn.com. Those who passed the checks downloaded a malicious Windows BAT script, which connected to a free API service to execute successive shell commands.
In December 2023, researchers from Proofpoint and IBM detailed a new wave of APT spear-phishing attacks relying on multiple lure content to deliver Headlace malware. The campaigns targeted at least thirteen separate nations.
“Upon analyzing Headlace geofencing scripts and countries targeted by credential harvesting campaigns from 2022 onwards, Insikt Group identified that thirteen separate countries were targeted by BlueDelta. As expected, Ukraine topped the list, accounting for 40% of the activity.” reads the report published by the Insikt Group. “Türkiye might seem like an unexpected target with 10%, but it’s important to note that it was singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting.”
Researchers call on organizations within government, military, defense, and related sectors, to bolster cybersecurity measures: prioritizing the detection of sophisticated phishing attempts, restricting access to non-essential internet services, and enhancing surveillance of critical network infrastructure.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Russia)
According to research conducted by Proton and Constella Intelligence, the email addresses and other sensitive information of 918 British MPs, European Parliament members, and French deputies and senators are available in the dark web marketplaces. 40% of 2,280 official government email addresses from the British, European, and French Parliaments were exposed, including passwords, birth dates, and other details.
Most leaked data email addresses belong to British MPs (68%), followed by EU MEPs (44%).
The researchers pointed out that French deputies and senators had the best security, with only 18% of searched emails in cybercrime forums and dark marketplaces.
Many of these MPs, MEPs, deputies, and senators hold senior positions, including heads of committees, government ministers, and senior opposition leaders. These politicians have access to highly sensitive information, and particularly alarming is that several of them are currently, or have previously been, members of committees tasked with overseeing and enforcing national and international digital strategies.
The presence of the emails on dark web shows that politicians used their official emails to create an account on third-party web services that suffered a data breach.
“The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself. Nor is it evidence of a hack of the British, European, or French parliaments.” reads the report. “Instead, it shows that politicians used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.”
Even more concerning is that researchers were able to match these email addresses with 697 plain text passwords. The experts notified impacted politician, they pointed out that if a politician reused one of these exposed passwords for their official email account, it could also be at risk.
It’s a miracle if British MPs were not involved in major scandals due to account takeovers, because 68% of searched email addresses were found on the dark web, including senior figures from both the government and the opposition. MPs’ email addresses were exposed a total of 2,110 times on the dark web, the researchers noticed that the most frequently targeted MP experiencing up to 30 breaches. On average, breached MPs had their details show up in 4.7 breaches.
The member of the European Parliament experienced fewer breaches compared to their British counterparts, but nearly half of the emails searched were found on the dark web. Out of 309 MEPs exposed, 92 were involved in 10 or more leaks. EU politicians had their email addresses exposed 2,311 times, along with 161 plaintext passwords. This raises concerns, as the European Parliament has increasingly become a target of state-sponsored attacks and acknowledges its lack of preparedness.
Impacted politicians have used their official email addressed to create accounts several sites, including LinkedIn, Adobe, Dropbox, Dailymotion, petition websites, news services, and even, in a small number of cases, dating websites.
“Even if a hostile takeover of one of these accounts won’t grant an attacker (or foreign government) access to state secrets, it could reveal that politician’s private communications or other sensitive data. Attackers could then use this information to phish or blackmail the politicians.” concludes the report.
“And this is the best possible scenario. If a breached politician reused a password that was exposed on the dark web on one of their official accounts (and failed to use two-factor authentication), it could let attackers into government systems. “
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, dark web)
Cloudflare researchers discovered phishing campaign conducted by a Russia-linked threat actor FlyingYeti (aka UAC-0149) targeting Ukraine. The experts published a report to describe real-time effort to disrupt and delay this threat activity.
At the beginning of Russia’s invasion of Ukraine on February 24, 2022, Ukraine implemented a moratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January 2024, leading to significant debt liability and increased financial stress for Ukrainian citizens. The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Upon opening the files, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system.
The threat actors exploited the WinRAR vulnerability CVE-2023-38831 to infect targets with malware.
Cloudflare states that FlyingYeti’s tactics, techniques, and procedures (TTPs) are similar to the ones detailed by Ukraine CERT while analyzing UAC-0149 cluster.
UAC-0149 targeted Ukrainian defense entities with COOKBOX malware since at least the fall of 2023.
“The threat actor uses dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for hosting malicious content and for malware command and control (C2).” reads the report published by Cloudflare. “Our investigation of FlyingYeti TTPs suggests this is likely a Russia-aligned threat group. The actor appears to primarily focus on targeting Ukrainian military entities.”
Threat actors targeted users with a spoofed version of the Kyiv Komunalka communal housing site (https://www.komunalka.ua), hosted on an actor-controlled GitHub page (hxxps[:]//komunalka[.]github[.]io). Komunalka is a payment processor for utilities and other services in the Kyiv region.
FlyingYeti likely directed targets to this page via phishing emails or encrypted Signal messages. On the spoofed site, a large green button prompted users to download a document named “Рахунок.docx” (“Invoice.docx”), which instead downloaded a malicious archive titled “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).
Once the RAR file is opened, the CVE-2023-38831 exploit triggers the execution of the COOKBOX malware.
The RAR archive contains multiple files, including one with the Unicode character “U+201F,” which appears as whitespace on Windows systems. This character can hide file extensions by adding excessive whitespace, making a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”) look like a PDF document. The archive also includes a benign PDF with the same name minus the Unicode character. Upon opening the archive, the directory name also matches the benign PDF name. This naming overlap exploits the WinRAR vulnerability CVE-2023-38831, causing the malicious CMD to execute when the target attempts to open the benign PDF.
“The CMD file contains the Flying Yeti PowerShell malware known as COOKBOX. The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run.” continues the report. “Alongside COOKBOX, several decoy documents are opened, which contain hidden tracking links using the Canary Tokens service.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, FlyingYeti)
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
International Press – Newsletter
Cybercrime
Into the Lion’s Den Inside the Growing Risk of Gift Card Fraud
Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling
Christie’s Confirms Data Breach After Ransomware Group Claims Attack
Breach Forums Return to Clearnet and Dark Web Despite FBI Seizure
Treasury Sanctions a Cybercrime Network Associated with the 911 S5 Botnet
911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation
Largest ever operation against botnets hits dropper malware ecosystem
Hackers steal $305M from DMM Bitcoin crypto exchange
Ticketmaster confirms data hack which could affect 560m globally
How a Nigerian influencer, North Korean hacker and Canadian scammer committed fraud worldwide
Malware
New ATM Malware Threatens European Banking Security
Server Side Credit Card Skimmer Lodged in Obscure Plugin
Hacking
Remote Command Execution on TP-Link Archer C5400X
CVE-2024-23108: Fortinet FortiSIEM 2nd Order Command Injection Deep-Dive
Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919)
Detecting Cross-Origin Authentication Credential Stuffing Attacks
Recent ‘MFA Bombing’ Attacks Targeting Apple Users
Intelligence and Information Warfare
NATO holds first meeting of Critical Undersea Infrastructure Network
CERT-UA warns: Ukrainian finances targeted with SmokeLoader malware
How the DOJ is using a Civil War-era law to enforce corporate cybersecurity
LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader
GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns
OpenAI models used in nation-state influence campaigns, company says
Cybersecurity
Stop Using “SLA” When Discussing Vulnerabilities
How to Identify and Remove VPN Applications That Contain 911 S5 Back Doors
Multiple botnets dismantled in largest international ransomware operation ever
HUGE Google Search document leak reveals inner workings of ranking algorithm
NIST Getting Outside Help for National Vulnerability Database
Cybersecurity Education Maturity Assessment
Could the Next War Begin in Cyberspace?
OpenAI’s Altman Sidesteps Questions About Governance, Johansson at UN AI Summit
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
ShinyHunters, the current administrator of BreachForums, recently claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, and order details.
This week Ticketmaster owner Live Nation confirmed the data breach that compromised the data of 560 million customers.
On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.
As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.
Threat actors had access to a third-party cloud database environment containing company data. The company discovered the intrusion on May 20, 2024, and immediately launched an investigation with industry-leading forensic investigators.
The stolen data were offered for sale on the dark web a week later.
“On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.” reads the form 8-K filing to the US Securities and Exchange Commission.
“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”
Live Nation notified regulatory authorities and impacted users.
Bleeping Computer reported that ShinyHunters told Hudson Rock Co-Founder Alon Gal that he breached both Santander and Ticketmaster. The threat actor revealed that the data was stolen from cloud storage company Snowflake by using credentials obtained through information-stealing malware to access a Snowflake employee’s ServiceNow account. The threat actors used to credential to exfiltrate data, including auth tokens for accessing customer accounts. The threat actor also claimed to have used this method to steal data from other companies.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ShinyHunters)
The independent cyber threat intelligence analyst Anis Haboubi warns of a severe logging configuration flaw that could dramatically impact the financial industry.
— Anis Haboubi |₿| (@HaboubiAnis) May 31, 2024
A severe logging configuration flaw could collapse finance. Sisense, ISO-certified and trusted by top financial groups, is at the center of this crisis.
“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.” reads the advisory.
The vulnerability was discovered by Checkmarx security researcher Yaniv Nizry who reported it to Apache on December 27, 2020. The Apache Software Foundation released Log4j 2.17.1 version to address the flaw a couple of days later.
The recent breaches at Sisense and Snowflake, both ISO/IEC 27001 certified companies, highlight a critical vulnerability that still threatens the entire finance industry. Despite adhering to stringent security standards, the flaws in their infrastructure have exposed sensitive financial data to unauthorized access, potentially leading to catastrophic consequences, Haboubi told SecurityAffairs.
Why does this old flaw still threaten the Finance industry?
The critical flaw in logging configurations allows attackers with write access to exploit a JDBC Appender with a JNDI URI, enabling remote code execution. This can lead to complete system compromise, allowing attackers to execute malicious code remotely and gain unauthorized access to sensitive financial data. Sisense and Snowflake are trusted by top international financial groups.
“These companies rely on their services for critical operations, including data analytics and cloud storage. A breach in these systems can disrupt financial activities on a global scale, causing significant financial and reputational damage.” said Haboubi.
“The breaches have resulted in the exfiltration of several terabytes of customer data, including access tokens, email account passwords, and SSL certificates. This data can be exploited by attackers to gain further access to financial systems and conduct fraudulent activities. Interconnected Financial Systems: The financial industry is highly interconnected. A vulnerability in one system can lead to a domino effect, compromising other systems and services. The potential for widespread disruption makes this flaw particularly dangerous.”
The breaches have raised questions about whether Sisense and Snowflake were doing enough to protect sensitive data. The stolen data, which was apparently not encrypted while at rest, underscores the need for more robust security measures.
In conclusion, the flaws in the infrastructure of Sisense and Snowflake, combined with their extensive use in the finance sector, pose a significant threat. Immediate action is required to mitigate these vulnerabilities and protect the integrity of financial operations globally. Enhanced security measures, such as the integration of PEM key-based authentication, are crucial to prevent future breaches and ensure the safety of sensitive financial data.
— Anis Haboubi |₿| (@HaboubiAnis) May 31, 2024
It's crucial to update your logging configurations and implement robust SSH security measures immediately. Ensure all access points are secure to protect against potential exploits. Stay vigilant and secure! pic.twitter.com/yn6QLUL4zW
“It’s quite impressive. I believe the attackers breached the systems several months, or perhaps even years, ago. They likely waited for the right moment to exfiltrate the data, and Sisense only recently discovered the breach. One of the biggest issues for me is that Sisense allowed “Connecting to a Private Network with an SSH Tunnel” without a PEM key. This is what they discreetly fixed in the commit I shared with you. The attackers clearly exploited the Log4j vulnerability from the outset to gain privileged access to critical infrastructures. They then hid for months to see if they could maintain persistence” concludes the expert. “even today 30% of log4J installations are vulnerable to log4hell”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Log4j2)
The Japanese cryptocurrency exchange DMM Bitcoin announced that crooks stole 4,502.9 Bitcoin (BTC), approximately $304 million (48.2 billion yen), from the its wallets.
“
We deeply apologize for any inconvenience caused to our customers.” reads a message published by the exchange on its website. The page is currently unavailable.
The company assured that the customers’ Bitcoin (BTC) deposits will be fully guaranteed.
In response to the heist, DMM Bitcoin limited the following services:
・ Screening of new account openings
・ Processing of cryptocurrency withdrawals
・ Suspension of buying orders for spot trading (only selling orders accepted)
・ Suspension of new open positions for leveraged trading (only settlement orders accepted)
The company added that limit orders for spot trading and leveraged trading that have already been placed will not be canceled and that withdrawals of Japanese Yen may take longer than usual.
DMM Bitcoin has yet to provide details about the attack.
Cryptocurrency security firm Elliptic reported that this incident would be the eighth-largest crypto heist of all time, and the largest since the $477 million hack suffered by FTX, in November 2022. Elliptic also confirmed it has identified the wallets involved in the attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Bitcoin)
Login