Normal view
Notorious Finnish Hacker sentenced to more than six years in prison
Finnish hacker was sentenced to more than six years in prison for hacking into an online psychotherapy clinic and attempted extortion.
A popular 26-year-old Finnish hacker Aleksanteri Kivimäki was sentenced to more than six years in prison for hacking into the online psychotherapy clinic Vastaamo Psychotherapy Center, exposing tens of thousands of patient therapy records, and trying to extort the clinic and its clients.
The man was arrested near Paris on February 2023, where he was living under a false identity. Kivimäki was deported to Finland and his trial concluded in March 2024.
In October 2020, the Vastaamo Psychotherapy Center was the victim of an extortion attempt. Threat actors hacked the clinic and stole a database containing information of some 33,000 clients. A threat actor that goes online with moniker “ransom_man” demanded 40 bitcoin (approximately 450,000 euros at the time) to avoid leaking sensitive therapy information stolen for the clinic, which refused to pay.
“Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.” reads the post published by Brian Krebs. “Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.”
The hacker demanded a ransom of 200 euros or 500 euros to each patient, and about 20 clients paid it.
The man was found guilty of several offenses, which included aggravated data breach, 21,000 counts of aggravated blackmail attempts, and 9,200 counts of aggravated dissemination.
Kivimäki denied all charges and may appeal, according to his lawyer. Prosecutors aimed for the maximum sentence of seven years, given the nature of the crimes.
Kivimäki was involved in multiple criminal cases in the past, he was a member of the hacker group Hack the Planet (HTP).
Kivimäki is also known as a member of the notorious hacker group Lizard Squad.
In 2013, investigators discovered malicious code on devices seized from Kivimäki, which was used by HTP to compromise over 60,000 servers exploiting an Adobe ColdFusion zero-day. This exploit was reported by Brian Krebs in September 2013, after the hackers breached the servers of LexisNexis, Kroll, and Dun & Bradstreet.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Finnish Hacker)
CISA guidelines to protect critical infrastructure against AI-based threats
The US government’s cybersecurity agency CISA published a series of guidelines to protect critical infrastructure against AI-based attacks.
CISA collaborated with Sector Risk Management Agencies (SRMAs) and regulatory agencies to conduct sector-specific assessments of AI risks to U.S. critical infrastructure, as mandated by Executive Order 14110 Section 4.3(a)(i). The analysis categorized AI risks into three categories:
- Attacks Using AI;
- Attacks Targeting AI Systems;
- Failures in AI Design and Implementation.
AI risk management for critical infrastructure is an ongoing process throughout the AI lifecycle.
These guidelines integrate the AI Risk Management Framework into enterprise risk management programs for critical infrastructure. The AI RMF Core consists of the Govern, Map, Measure, and Manage functions.
The Govern function within the AI RMF establishes an organizational approach to AI Risk Management within existing Enterprise Risk Management (ERM). Recommended actions for addressing risks throughout the AI lifecycle are integrated into the Map, Measure, and Manage functions. These guidelines improve AI safety and security risk management practices proposed by the NIST AI RMF.
CISA highlights that the risks are context-dependent, this implies that critical infrastructure operators should consider sector-specific and context-specific factors when assessing and mitigating AI risks. Specific sectors may need to define their own tailored guidelines for managing AI risk. Stakeholders may focus on different aspects of the AI lifecycle depending on their sector or role, whether they are involved in the design, development, procurement, deployment, operation, management, maintenance, or retirement of AI systems.
“Critical infrastructure owners and operators can foster a culture of risk management by aligning AI safety and security priorities with their own organizational principles and strategic priorities. This organizational approach follows a “secure by design” philosophy where leaders prioritize and take ownership of safety and security outcomes and build organizational structures that make security a top priority.” read the guidelines.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
Millions of Malicious 'Imageless' Containers Planted on Docker Hub Over 5 Years
Man Who Mass-Extorted Psychotherapy Patients Gets Six Years
A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.
On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.
Antti Kurittu is a former criminal investigator who worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).
Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.
“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”
But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence.
“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.
Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.
Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).
Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.
In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.
The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over SSNDOB, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.
Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.
Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.
U.S. Government Releases New AI Security Guidelines for Critical Infrastructure
NCSC: New UK law bans default passwords on smart devices
The UK National Cyber Security Centre (NCSC) orders smart device manufacturers to ban default passwords starting from April 29, 2024.
The U.K. National Cyber Security Centre (NCSC) is urging manufacturers of smart devices to comply with new legislation that bans default passwords.
The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will be effective on April 29, 2024.
“From 29 April 2024, manufacturers of consumer ‘smart’ devices must comply with new UK law.” reads the announcement published by NCSC. “The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.”
The U.K. is the first country in the world to ban default credentia from IoT devices.
The law prohibits manufacturers from supplying devices with default passwords, which are easily accessible online and can be shared.
The law applies to the following products:
- Smart speakers, smart TVs, and streaming devices
- Smart doorbells, baby monitors, and security cameras
- Cellular tablets, smartphones, and game consoles
- Wearable fitness trackers (including smart watches)
- Smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines)
Threat actors could use them to access a local network or launch cyber attacks.
Manufacturers are obliged to designate a contact point for reporting security issues and must specify the minimum duration for which the device will receive crucial security updates.
The NCSC clarified that the PSTI act also applies to organizations importing or retailing products for the UK market, including most smart devices manufactured outside the UK. Manufacturers that don’t comply with the act will be punished with fines of up to £10 million or 4% of qualifying worldwide revenue.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, smart device manufacturers)
- Security Affairs
- The FCC imposes $200 million in fines on four US carriers for unlawfully sharing user location data
The FCC imposes $200 million in fines on four US carriers for unlawfully sharing user location data
The Federal Communications Commission (FCC) fined the largest U.S. wireless carriers $200 million for sharing customers’ real-time location data without consent.
The FCC has fined four major U.S. wireless carriers nearly $200 million for unlawfully selling access to real-time location data of their customers without consent. The fines come as a result of the Notices of Apparent Liability (NAL) issued by the FCC against AT&T, Sprint, T-Mobile, and Verizon in February 2020.
T-Mobile is facing a proposed fine exceeding $91 million, while AT&T is looking at one over $57 million. Verizon, on the other hand, faces a proposed fine exceeding $48 million, and Sprint faces a proposed fine of more than $12 million due to the actions taken by the FCC.
“The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.” reads the announcement published by FCC. “As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.”
The FCC’s Enforcement Bureau launched an investigation after Missouri Sheriff Cory Hutcheson misused a “location-finding service” provided by Securus, a communications service provider for correctional facilities, to access the location data of wireless carrier customers without their consent from 2014 to 2017. Hutcheson allegedly provided irrelevant documents, such as health insurance and auto insurance policies, along with pages from sheriff training manuals, as evidence of authorization to access the data.
FCC added that the carriers continued to sell access to the customers’ location information and did not sufficiently guard it from further unauthorized access even after discovering irregular procedures.
All four carriers condemned the FCC’s decision and announced they would appeal it.
The Communications Act mandates that telecommunications carriers safeguard the confidentiality of specific customer data, including location information, about telecommunications services. Carriers must adopt reasonable measures to prevent unauthorized access to customer data. Furthermore, carriers or their representatives must typically secure explicit consent from customers before utilizing, disclosing, or permitting access to such data. Carriers bear responsibility for the actions of their representatives in this regard.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Federal Communications Commission)
New U.K. Law Bans Default Passwords on Smart Devices Starting April 2024
FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data
The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.
Last Week in Security (LWiS) - 2024-04-29
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-22 to 2024-04-29.
News
- Trusted Signing is in Public Preview - Code sign your payloads with Microsoft? Note that your company will need "3 years of tax history" to use the service.
- Multi-tenant organization capabilities now available in Microsoft 365 - This is AD forests for Entra ID with the ability to connect single tenants together. Let the games begin!
- HashiCorp joins IBM to accelerate multi-cloud automation - HashiCorp joins IBM. This comes on the heels of their license changes for Terraform and Vault. 🤔
- FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users' Cameras - The FTC charged Ring with privacy violations, including unauthorized employee access to customer videos and inadequate security measures, leading to a proposed order requiring Ring to improve privacy protocols and pay $5.8 million in refunds. Consider using home assistant and Frigate NVR to keep all your security camera footage local.
- FTC Announces Rule Banning Noncompetes - This likely affects many technology workers in the US.
- Google Lays off the Python Team? - It seems they are moving the Python team to Germany? Unclear what the motivations were for these actions.
- How G.M. Tricked Millions of Drivers Into Being Spied On (Including Me) - Another blatant privacy violation that will probably go unpunished.
Techniques and Write-ups
- Hello: I'm your Domain Admin and I want to authenticate against you - A method for exploiting default Distributed COM permissions on DCs to intercept and relay the authentication of users, leading to privilege escalation and RCE (maybe) by leveraging "SilverPotato."
- ETW-ByeBye: Disabling ETW-TI Without PPL - A vulnerability that allows disabling ETW-TI (Event Tracing for Windows Threat Intelligence) logging without Protected Process Light (PPL) requirements, using SeDebug or SeTcb privileges on certain Windows versions. PoC code and detection guidance is provided. Note: this only works on Windows 10, Windows 11 patched this bug.
- JA4T: TCP Fingerprinting - JA4 scanner released. Certainly worth adding to your recon worfklow and automation.
- NetNTLM is still a thing? - Yes. Yes it is. This post gives a good recap of how you can still relay NetNTLM via various methods. Details some less common techniques like leveraging HTTP.SYS for setting up a listener without admin privileges, bypassing the Windows firewall, and using SSH for port forwarding to relay. You aren't checking emails or doing day to day activities with a highly privileged account, right?
- Adversaries sometimes compute gradients. Other times, they rob you. This blog post discusses the concept of an "adversary flywheel," which involves attackers using data science to adapt and optimize their methods based on defensive responses, enhancing their ability to exploit security vulnerabilities efficiently.
- Not the Access You Asked For: How Azure Storage Account Read/Write Permissions Can Be Abused for Privilege Escalation and Lateral Movement This post discusses unexpected techniques that allow an Azure user with Storage Account permissions to abuse them for privilege escalation and lateral movement. Grab the tool: Find-SensitiveAzStorageAccounts.
- Loading DLLs Reflections - Simple article discussing reflective DLL loading to load a DLL into memory without it being written to disk.
- Nemesis 1.0.0 - "...from host modeling, to a streamlined installation process, dashboard improvements, and more!"
- Offensive SaaS Security - Exfiltrating Cleartext Credentials via LogonUserW Hooking - This post details a technique exploiting IAM providers like Azure AD, Okta, and OneLogin using LogonUserW hooking to capture cleartext credentials and insert backdoors in authentication flows.
- Arbitrary 1-click Azure tenant takeover via MS application - Blog post on how reply URLs in Azure Applications can be used as a vector for phishing. The impact of this can range from data leaks to complete tenant takeover; just by luring a victim into clicking on a link. Another disappointing bug bounty case unfortunately.
- Laundering C2 Traffic by FuzzySecurity Good recap of using high-reputation services as your C2 channel.
- Exploiting the NT Kernel in 24H2: New Bugs in Old Code & Side Channels Against KASLR - The kernel address space layout randomization (KASLR) cat and mouse game heats up with a bypass for the new Windows 11 24H2 hardened kernel.
- So I Became a Node: Exploiting Bootstrap Tokens in Azure Kubernetes Service - What can you do if you retrieve a Kubernetes bootstrap token from an AKS pod? This post explore the bootstrap tokens, how they work, and how to exploit them.
- CVE-2024-21111 - Local Privilege Escalation in Oracle VirtualBox - An arbitrary file move vulnerability in the VirtualBox system service service can facilitate privilege escalation on a Windows host.
- How to Crack the Perfect Egg - Some great password cracking methodology.
Tools and Exploits
- GoogleRecaptchaBypass - Solve Google reCAPTCHA in less than 5 seconds! 🚀
- ASPJinjaObfuscator - Heavily obfuscated ASP web shell generation tool.
- ja4tscan - JA4TScan is an active TCP server fingerprinting tool.
- tiny-gpu - A minimal GPU design in Verilog to learn how GPUs work from the ground up.
- AutoAppDomainHijack - Automated .NET AppDomain hijack payload generation.
- ReadWriteDriverSample - Sample driver + user component to demonstrate writing into arbitrary process memory from Kernel via CR3 manipulation (opposed to the usual KeStackAttachProcess API).
- PartyLoader - Threadless shellcode injection tool.
- 24h2-nt-exploit - Exploit targeting NT kernel in 24H2 Windows Insider Preview.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- ics-forensics-tools - Microsoft ICSpector (ICS Forensics Tools framework) is an open-source forensics framework that enables the analysis of Industrial PLC metadata and project files.
- Evidence Collection Environment - This environment is intended to be useful for when you have multiple investigators or external parties adding data for evaluation. Some key features (hopefully) implemented in this setup leverage the Azure Storage legal hold, Azure Storage analytics logging for validation of access by which parties, Azure Key Vault logging with the logs going to a Log Analytics workspace in the resource group.
- DLHell - Local & remote Windows DLL Proxying.
- MS-DOS - The original sources of MS-DOS 1.25, 2.0, and 4.0 for reference purposes.
- cdncheck - A utility to detect various technology for a given IP address.
- CloudInject - This is a simple tool which can be used to inject a DLL into third-party AD connectors to harvest credentials.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
- Security Affairs
- Google prevented 2.28 million policy-violating apps from being published on Google Play in 2023
Google prevented 2.28 million policy-violating apps from being published on Google Play in 2023
Google announced they have prevented 2.28 million policy-violating apps from being published in the official Google Play.
Google announced that in 2023, they have prevented 2.28 million policy-violating apps from being published on Google Play. This amazing result was possible thanks to the introduction of enhanced security features, policy updates, and advanced machine learning and app review processes.
Additionally, Google Play strengthened its developer onboarding and review procedures, requesting a more accurate identification during account setup. These efforts resulted in the ban of 333,000 accounts for confirmed malware and repeated severe policy breaches.
Google also rejected or remediated approximately 200K app submissions to ensure proper use of sensitive permissions such as background location or SMS access. Google has closely worked with SDK providers to protect users’ privacy and prevent sensitive data access and sharing. Over 31 SDKs have enhanced their posture impacting 790K+ apps.
“We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem.” states Google. “This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks.”
Google continues to work on improving the Android environment. In November, 2023, it moved the App Defense Alliance (ADA) under the umbrella of the Linux Foundation, with Meta, Microsoft, and Google as founding steering members. The Alliance encourages widespread adoption of best practices and guidelines for app security across the industry, while also developing countermeasures to address emerging security threats.
Google enhanced Google Play Protect’s security capabilities to provide stronger protection for users installing apps from outside the Play Store. The company implemented real-time scanning at the code-level to detect new malicious apps. The company revealed that this measure has already identified over 5 million new malicious apps outside of the Play Store, enhancing Android users’ global security.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Google Play)
Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023
China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale
- Security Affairs
- Financial Business and Consumer Solutions (FBCS) data breach impacted 2M individuals
Financial Business and Consumer Solutions (FBCS) data breach impacted 2M individuals
Financial Business and Consumer Solutions (FBCS) suffered a data breach that exposed information 2 million individuals.
Debt collection agency Financial Business and Consumer Solutions (FBCS) disclosed a data breach that may have impacted 1,955,385 individuals.
FBCS, a third-party debt collection agency, collects personal information from its clients to facilitate debt collection activities on behalf of those clients.
The agency discovered the unauthorized access on February 26, 2024 and immediately took steps to secure the impacted infrastructure and launched an investigation with the help of third-party forensics experts.
According to the agency, compromised information may include names, dates of birth, Social Security numbers, and account information.
The organization discovered that the unauthorized access occurred between February 14 and February 26, 2024.
“On February 26, 2024, FBCS discovered unauthorized access to certain systems in its network. This incident did not impact computer systems outside of FBCS’s network, including those of its clients.” reads the notice of data breach. “The investigation determined that the environment was subject to unauthorized access between February 14 and February 26, 2024, and the unauthorized actor had the ability to view or acquire certain information on the FBCS network during the period of access.”
Financial Business and Consumer Solutions is not aware of misuse of any information exposed after this incident. Starting on April 4, 2024, the agency began notifying impacted customers.
The company is providing potentially impacted individuals with 12 months of free credit monitoring services.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
New R Programming Vulnerability Exposes Projects to Supply Chain Attacks
- The Hacker News
- Navigating the Threat Landscape: Understanding Exposure Management, Pentesting, Red Teaming and RBVM
Navigating the Threat Landscape: Understanding Exposure Management, Pentesting, Red Teaming and RBVM
Cyber-Partisans hacktivists claim to have breached Belarus KGB
A Belarusian group of activist group claims to have infiltrated the network of the country’s main KGB agency.
The Belarusian hacktivist group Cyber-Partisans claims to have infiltrated the network of the country’s main KGB security agency. The hackers had access to personnel files of over 8,600 employees.
On Friday, the website of the Belarusian KGB showed an empty page that displayed the message “in the process of development”.
The Cyber-Partisans group published on its Telegram channel a series of documents as proof of the hack, including the list of the website’s administrators, the underlying database, and server logs.
“Cyberpartisans and the mystery of the broken KGB website
The official website of the KGB of the Republic of Belarus has not been working for more than 2 months. And all because the Cyber Partisans got there in the fall of 2023 and pumped out all the available information.
Alas, we made a little noise and had to close the site. We are posting a list of admins as proof. See the site database and server logs in a separate post below.” reads the message published by the group on Telegram.
The Cyber-Partisans coordinator Yuliana Shametavets told The Associated Press that the attack on the KGB “was a response” to the agency’s chief Ivan Tertel, who accused the group of preparing attacks on the Belarus’ critical infrastructure, including a nuclear power plant. The group remarked that the target of its attacks are not Belarusians but the county government.
“KGB PROVOKATION: Cyber partisans are planning attacks on a nuclear power plant.” below the message published by the group on Telegram
“We don’t plan to. And we never planned. Because we work to save the lives of Belarusians, not to destroy them. Unlike the Lukashenko regime. But we have already said that in general an attack on the BelNPP is technically possible. While there is a dictator in power, under whom they would rather switch to pieces of paper than provide normal protection against cyber attacks.”
“The KGB is carrying out the largest political repressions in the history of the country and must answer for it,” Shametavets said. “We work to save the lives of Belarusians, and not to destroy them, like the repressive Belarusian special services do.”
Shametavets confirmed that the Cyber-Partisans group exfiltrated the personal files of more than 8,600 KGB employees.
Cyber-Partisans also launched Telegram chatbot that would allow citizens to unmask KGB operatives by uploading their photos.
“We publish interesting entries from the database of citizens’ appeals to the KGB of the Republic of Belarus.” reads another message posted on Telegram. “We even identified some informers for you.
Denunciations from citizens of Poland, Germany, Azerbaijan against Belarusians.
Denunciation of citizens of Lithuania and Ukraine against their compatriots for supporting the Armed Forces of Ukraine.
Complaints about Cyber Partisans, the Black Card of the Occupiers, etc.”
The Belarus Cyber-Partisans is a hacktivist group that has been active since 2020. Formed in the wake of the disputed 2020 election and subsequent crackdown on protests, the Cyber-Partisans target Belarusian government institutions.
The Cyber-Partisans group has conducted numerous attacks on Belarusian state media over the past four years. In 2022, they targeted Belarusian Railways multiple times, seizing control of its traffic lights and control system. This action disrupted the transit of Russian military equipment into Ukraine via Belarus.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Belarus)
Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover
The Los Angeles County Department of Health Services disclosed a data breach
The Los Angeles County Department of Health Services reported a data breach that exposed thousands of patients’ personal and health information.
The Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.
Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.
The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.
“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”
The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.
Social Security Numbers (SSN) or financial information was not compromised.
The Los Angeles County Department of Health Services took several steps in response to the security breach, including conducting an administrative review, implementing additional controls to prevent future attacks, and enhancing employee training on identifying and responding to phishing campaigns.
DHS is going to notify affected individuals and relevant regulatory agencies, including the California Department of Public Health and the U.S. Department of Health & Human Services’ Office for Civil Rights, as required by law or contract.
The DHS encourages patients to review the content and accuracy of the information in their medical records with their medical provider. The company is also providing recommendations to patients to protect their information.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Los Angeles County DHS)
Multiple Brocade SANnav SAN Management SW flaws allow device compromise
Multiple flaws in Brocade SANnav storage area network (SAN) management application can allow to compromise impacted appliances.
Multiple vulnerabilities found in the Brocade SANnav storage area network (SAN) management application could potentially compromise affected appliances.
The following vulnerabilities, discovered by the security researcher Pierre Barre, impact all versions up to 2.3.0 (included):
- CVE-2024-4159 – Incorrect firewall rules
- non-assigned CVE vulnerability – Lack of encryption for management protocol (HTTP)
- CVE-2024-4161 – Syslog traffic sent in clear-text
- CVE-2024-29966 – Insecure root access
- non-assigned CVE vulnerability – Insecure sannav access
- CVE-2024-2859 – Insecure SSH configuration
- CVE-2024-29961 – Suspicious network traffic (ignite.apache.org)
- non-assigned CVE vulnerability – Lack of authentication in Postgres
- CVE-2024-29967 – Insecure Postgres Docker instance
- CVE-2024-29967 – Insecure Docker instances
- CVE-2024-29964 – Insecure Docker architecture and configuration
- CVE-2024-29965 – Insecure Backup process
- CVE-2024-4159 – Inconsistency in firewall rules
- CVE-2024-29962 – Insecure file permissions
- CVE-2024-4173 – Kafka reachable on the WAN interface and Lack of authentication
- CVE-2024-29960 – Hardcoded SSH Keys
- CVE-2024-29961 – Suspicious network traffic (www.gridgain.com)
- CVE-2024-29963 – Hardcoded Docker Keys
The most severe flaw is an Insecure SSH configuration tracked as CVE-2024-2859 (CVSS score of 8.8). An unauthenticated, remote attacker can exploit the vulnerability to log in to a vulnerable device using the root account and execute arbitrary commands.
Another severe issue is related to the presence of Hardcoded Docker Keys tracked as CVE-2024-29963 (CVSS score of 8.6).
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. According to the advisory published by Broadcom, Brocade SANnav doesn’t have access to remote Docker registries, and knowledge of the keys is a minimal risk as SANnav is prevented from communicating with Docker registries.
“The security assessment was provided in September 2022 to the Brocade support through Dell but it was rejected by Brocade because it didn’t address the latest version of SANnav.” wrote Barre.
“Luckily, I was able to get access to the latest version of SANnav in May 2023 (the latest version was 2.2.2 then) and confirmed that all the previously rejected vulnerabilities were still present in the version 2.2.2 and as a bonus point, I was able to find 3 additional 0-day vulnerabilities while updating the report. An updated report confirming all the vulnerabilities in the 2.2.2 version was sent to Brocade PSIRT in May 2023 and they finally aknowledged the vulnerabilities. The patches were released in April 2024, 19 months after Brocade firstly rejected the vulnerabilities and 11 months after Brocade acknowledged the vulnerabilities. An attacker can compromise a SANNav appliance. After compromising SANNav, it is trivial to compromise Fibre Channel switches. These switches are running Linux and are powerful. They are ideal to host implants.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Brocade)
ICICI Bank exposed credit card data of 17000 customers
ICICI Bank, a major private bank in India, mistakenly exposed the sensitive data of thousands of new credit cards to unintended recipients.
ICICI Bank, one of the leading private banks in India, accidentally exposed data of thousands of new credit cards to customers who were not the intended recipients.
ICICI Bank Limited is an Indian multinational bank and financial services company headquartered in Mumbai. It offers a wide range of banking and financial services for corporate and retail customers.
The bank has a network of 6000 branches, and 17000 ATMs across India and has a presence in 17 countries.
The bank blocked 17,000 credit cards due to a technical bug in its mobile banking app, ‘iMobile.’ The glitch allowed users to card details of other customers. Exposed financial information includes credit card numbers, expiry dates, and card verification values (CVV).
The bank became aware of the glitch after some customers reported it on social media.
“As an immediate measure, we have blocked these cards and are issuing new ones to the customers.” the ICICI Bank spokesperson told the newspaper Times Of India. “We regret the inconvenience caused. No instance of misuse of a card from this set has been reported to us. However, we assure that the Bank will appropriately compensate a customer in case of any financial loss.”
The bank states that the incident impacted about 0.1% of the bank’s credit card portfolio.
ICICI Bank is issuing new credit cards to the impacted customers.
In April 2023, researchers at Cybernews reported that ICICI Bank leaked millions of records with sensitive data, including financial information and personal documents of the bank’s clients.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data leak)
- Security Affairs
- Okta warns of unprecedented scale in credential stuffing attacks on online services
Okta warns of unprecedented scale in credential stuffing attacks on online services
Identity and access management services provider Okta warned of a spike in credential stuffing attacks aimed at online services.
In recent weeks, Okta observed a surge in credential stuffing attacks against online services, aided by the widespread availability of residential proxy services, lists of previously compromised credentials (“combo lists”), and automation tools.
“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.” reads the advisory published by Okta.
From March 18, 2024, to April 16, 2024, Duo Security and Cisco Talos observed large-scale brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces and SSH services.
Below is a list of known affected services:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Miktrotik
- Draytek
- Ubiquiti
From April 19, 2024 through to April 26, 2024, the Okta Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.
A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.
The attacks recently observed by Okta route requests through anonymizing services like TOR and residential proxies such as NSOCKS, Luminati, and DataImpulse. The experts noticed that millions of requests have been routed through these services.
Residential proxies (RESIPs) are networks of legitimate user devices used to route traffic for paying subscribers, often without their knowledge. Threat actors use these RESIPs to evade detection. Users may consciously download “proxyware” for payment or other benefits, or their devices may be infected with malware unknowingly, turning them into part of a botnet.
“The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. For more information on residential proxy services, we recommend this informative summary by CERT Orange Cyberdefense and Sekoia.” continues the advisory.
The advisory includes recommendations to mitigate the risk of account takeovers from credential stuffing attacks along with TTPs used in recent campaigns.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, credential stuffing)
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
- Security Affairs
- Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
International Press Newsletter
Cybercrime
Malware dev lures child exploiters into honeytrap to extort them
Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist
Alcohol sales disrupted in Sweden after reported ransomware attack
Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
Malware
#StopRansomware: Akira Ransomware
Malvertising campaign targeting IT teams with MadMxShell
GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
New Malware Campaign Targets WP-Automatic Plugin
Brokewell: do not go broke from new banking malware!
Hacking
MagicDot: A Hacker’s Magic Show of Disappearing Dots and Spaces
Leicester street lights stuck on all day due to cyber attack
Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise
GPT-4 can exploit security flaws on its own, study shows
Hackers accessed more than 19,000 accounts on California state welfare platform
Android TVs Can Expose User Email Inboxes
Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
Intelligence and Information Warfare
DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware
North Korea hacking teams hack South Korea defence contractors – police
Treasury Designates Iranian Cyber Actors Targeting U.S. Companies and Government Agencies
ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices
Israel Tried to Keep Sensitive Spy Tech Under Wraps. It Leaked Abroad
Australia’s spy chief warns AI set to inflame radicalisation
German spy agency warns companies against being too “naive” on China
Cybersecurity
Promoting Accountability for the Misuse of Commercial Spyware
Google Patches Critical Chrome Vulnerability
2023: A ‘Good’ Year for OT Cyberattacks
Chaturbate Will Pay Texas $675,000 for Violating New Porn Age Verification Law
UK’s Investigatory Powers Bill to become law despite tech world opposition
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Targeted operation against Ukraine exploited 7-year-old MS Office bug
A hacking campaign targeted Ukraine exploiting a seven-year-old vulnerability in Microsoft Office to deliver Cobalt Strike.
Security experts at Deep Instinct Threat Lab have uncovered a targeted campaign against Ukraine, exploiting a Microsoft Office vulnerability dating back almost seven years to deploy Cobalt Strike on compromised systems.
The researchers found a malicious PPSX (PowerPoint Slideshow signal-2023-12-20-160512.ppsx) file uploaded from Ukraine to VirusTotal at the end of 2023.
The file, although labeled as shared through the Signal app, might not have been originally sent via the application. It’s a PPSX file, seemingly an outdated US Army manual for tank mine clearing blades (MCB).
The PPSX file contains a remote link to an external OLE object. The researchers pointed out that the use of the “script:” prefix demonstrates the exploitation of the vulnerability CVE-2017-8570, a bypass for CVE-2017-0199. The remote script, named “widget_iframe.617766616773726468746672726a6834.html,” was hosted on “weavesilk[.]space,” protected by CloudFlare. Despite this, the true hosting behind the domain was identified as a Russian VPS provider. The scriptlet contents are heavily obfuscated.
The second stage dropper is an HTML file containing JavaScript code executed via Windows cscript.exe. The script sets up persistence, decode, and save the embedded payload to disk disguised as Cisco AnyConnect VPN file.
The payload includes a dynamic-link library (vpn.sessings) that injects the post-exploitation tool Cobalt Strike Beacon into memory and awaits commands from the C2 server. Threat actors used a cracked version of Cobalt Strike.
The DLL also implements features to evade detection and avoid analysis by security experts.
The Deep Instinct Threat Lab could not attribute the attacks to a known threat actor. Evidence collected by the experts demonstrates the sample originated from Ukraine, a Russian VPS provider hosted the second stage, and the Cobalt beacon C&C was registered in Warsaw, Poland.
“The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (http://weavesilk.com) and a popular photography site (https://petapixel.com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.” concludes the report. “As of the day of discovery, the loader was undetectable by most engines, while Deep Instinct prevented it on day 0.”
The report includes Indicators of Compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ukraine)
- Security Affairs
- Hackers may have accessed thousands of accounts on the California state welfare platform
Hackers may have accessed thousands of accounts on the California state welfare platform
Threat actors accessed more than 19,000 online accounts on a California state platform for welfare programs.
Threat actors breached over 19,000 online accounts on a California state platform dedicated to welfare programs.
Officials reported that the security breach occurred on February 9, when someone logged into some BenefitsCal users’ accounts. Threat actors exploited reused passwords obtained from third-party websites.
BenefitsCal, a California-based web platform, enables users to apply for and oversee a range of welfare programs, encompassing food stamps, cash assistance, and medical benefits.
“On February 9, 2024, BenefitsCal discovered that someone, that was not allowed, may have logged into accounts of some users of the BenefitsCal website using reused passwords taken from other websites. Your account may have been one of those accessed.” reads the data breach notification filed by officials at the California Statewide Automated Welfare System. “BenefitsCal took immediate steps to protect you by temporarily inactivating your account. Someone that was not allowed may have accessed your account between March 1, 2023 and February 13, 2024. In reviewing your account use during that time, your personal information may have been accessed”
According to the date breach notification, potentially compromised information may have included users name, address, date of birth, full or last four digits of Social Security Number, email address, phone number, EBT card number, case number, Medi-Cal ID number and information about their program eligibility and benefits.
BenefitsCal is notifying impacted users and providing them with instructions on what they can do.
In response to the incident, the agency deactivated accounts and launched an investigation that revealed attackers had access from March 1, 2023 and February 13, 2024.
“In addition to temporarily inactivating your account, BenefitsCal took additional steps to further secure your account prior to using it again, including requiring you to provide not just your password but confirm that you are the one asking to access the account through either your email or your phone number when logging in.” continues the notification. “We also reissued your EBT card if you have one. BenefitsCal has also added other security changes to reduce the risk of a someone potentially accessing information that is not allowed.”
The California state welfare platforms also implemented additional security measures to protect the accounts, including enabling 2FA.
Users are recommended to use strong passwords and avoid reusing the same credentials for multiple websites.
It’s unclear if the agency plans to offer free identity protection services to the impacted individuals.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, California state welfare)
Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw
- Security Affairs
- Brokewell Android malware supports an extensive set of Device Takeover capabilities
Brokewell Android malware supports an extensive set of Device Takeover capabilities
ThreatFabric researchers identified a new Android malware called Brokewell, which implements a wide range of device takeover capabilities.
ThreatFabric researchers uncovered a new mobile malware named Brokewell, which is equipped with sophisticated device takeover features. The experts pointed out that this malware is actively evolving and poses a severe risk to the banking sector. The author frequently adds new commands.
The attack chain starts with fake application updates for popular software, such as the Chrome browser and the Austrian digital authentication application.
Brokewell employs overlay attacks to overlap a fake screen over legitimate applications, capturing user credentials. The malicious code also has the capability to steal cookies. By launching its own WebView and overriding the onPageFinished method, Brokewell loads the authentic website, captures session cookies during the login process, and transmits them to the C2 server.
Brokewell malware supports “accessibility logging,” it records any device events such as touches, swipes, displayed information, text input, and opened applications. Then it transmits logs to the C2 server, effectively capturing confidential data displayed or entered on the compromised device. The experts explained that potentially all applications on the device are vulnerable to data compromise as Brokewell logs every event.
The malware also supports multiple “spyware” functionalities, it can gather device information, call history, geolocation, and record audio.
“After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities. To achieve this, the malware performs screen streaming and provides the actor with a range of actions that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements.” reads the report published by ThreatFabric.
Brokewell supports various commands that allow to take full control of the device. The malware can also perform various actions on the screen, including touches, swipes, clicks, scrolls, text input, and more.
Researchers discovered that one of the C2 servers of this malware was hosting a repository called Brokewell Cyber Labs.
The repository contained the source code for a ‘Brokewell Android Loader,’ Brokewell and the loader were both developed by a threat actor called Baron Samedit.
The Brokewell Android Loader can bypass Android 13+ restrictions, experts believe it can be used in the future to spread other malware families.
Analysis of the “Baron Samedit” profile shows that the threat actor has been active for at least two years, initially involving tools for checking stolen accounts across various services.
“The discovery of a new malware family, Brokewell, which implements Device Takeover capabilities from scratch, highlights the ongoing demand for such capabilities among cyber criminals. These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting.” concludes the report.
“We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Android)