A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.
On October 21, 2020, the Vastaamo Psychotherapy Center in Finland became the target of blackmail when a tormentor identified as “ransom_man” demanded payment of 40 bitcoins (~450,000 euros at the time) in return for a promise not to publish highly sensitive therapy session notes Vastaamo had exposed online.
Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.
Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.
Antti Kurittu is a former criminal investigator who worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).
Kurittu said the prosecution had demanded at least seven years in jail, and that the sentence handed down was six years and three months. Kurittu said prosecutors knocked a few months off of Kivimäki’s sentence because he agreed to pay compensation to his victims, and that Kivimäki will remain in prison during any appeal process.
“I think the sentencing was as expected, knowing the Finnish judicial system,” Kurittu told KrebsOnSecurity. “As Kivimäki has not been sentenced to a non-suspended prison sentence during the last five years, he will be treated as a first-timer, his previous convictions notwithstanding.”
But because juvenile convictions in Finland don’t count towards determining whether somebody is a first-time offender, Kivimäki will end up serving approximately half of his sentence.
“This seems like a short sentence when taking into account the gravity of his actions and the life-altering consequences to thousands of people, but it’s almost the maximum the law allows for,” Kurittu said.
Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.
Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).
Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.
In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software. KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.
The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).
As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over SSNDOB, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.
Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.
Ville Tapio, the former CEO of Vastaamo, was fired and also prosecuted following the breach. Ransom_man bragged about Vastaamo’s sloppy security, noting the company had used the laughably weak username and password “root/root” to protect sensitive patient records.
Investigators later found Vastaamo had originally been hacked in 2018 and again in 2019, but that Tapio never told anyone about the intrusions until ransom_man began his extortion spree. In April 2023, a Finnish court handed down a three-month sentence for Tapio, but that sentence was suspended because he had no previous criminal record.
The U.K. National Cyber Security Centre (NCSC) is urging manufacturers of smart devices to comply with new legislation that bans default passwords.
The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will be effective on April 29, 2024.
“From 29 April 2024, manufacturers of consumer ‘smart’ devices must comply with new UK law.” reads the announcement published by NCSC. “The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.”
The U.K. is the first country in the world to ban default credentia from IoT devices.
The law prohibits manufacturers from supplying devices with default passwords, which are easily accessible online and can be shared.
The law applies to the following products:
Threat actors could use them to access a local network or launch cyber attacks.
Manufacturers are obliged to designate a contact point for reporting security issues and must specify the minimum duration for which the device will receive crucial security updates.
The NCSC clarified that the PSTI act also applies to organizations importing or retailing products for the UK market, including most smart devices manufactured outside the UK. Manufacturers that don’t comply with the act will be punished with fines of up to £10 million or 4% of qualifying worldwide revenue.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, smart device manufacturers)
The FCC has fined four major U.S. wireless carriers nearly $200 million for unlawfully selling access to real-time location data of their customers without consent. The fines come as a result of the Notices of Apparent Liability (NAL) issued by the FCC against AT&T, Sprint, T-Mobile, and Verizon in February 2020.
T-Mobile is facing a proposed fine exceeding $91 million, while AT&T is looking at one over $57 million. Verizon, on the other hand, faces a proposed fine exceeding $48 million, and Sprint faces a proposed fine of more than $12 million due to the actions taken by the FCC.
“The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.” reads the announcement published by FCC. “As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.”
The FCC’s Enforcement Bureau launched an investigation after Missouri Sheriff Cory Hutcheson misused a “location-finding service” provided by Securus, a communications service provider for correctional facilities, to access the location data of wireless carrier customers without their consent from 2014 to 2017. Hutcheson allegedly provided irrelevant documents, such as health insurance and auto insurance policies, along with pages from sheriff training manuals, as evidence of authorization to access the data.
FCC added that the carriers continued to sell access to the customers’ location information and did not sufficiently guard it from further unauthorized access even after discovering irregular procedures.
All four carriers condemned the FCC’s decision and announced they would appeal it.
The Communications Act mandates that telecommunications carriers safeguard the confidentiality of specific customer data, including location information, about telecommunications services. Carriers must adopt reasonable measures to prevent unauthorized access to customer data. Furthermore, carriers or their representatives must typically secure explicit consent from customers before utilizing, disclosing, or permitting access to such data. Carriers bear responsibility for the actions of their representatives in this regard.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Federal Communications Commission)
The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-22 to 2024-04-29.
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
Google announced that in 2023, they have prevented 2.28 million policy-violating apps from being published on Google Play. This amazing result was possible thanks to the introduction of enhanced security features, policy updates, and advanced machine learning and app review processes.
Additionally, Google Play strengthened its developer onboarding and review procedures, requesting a more accurate identification during account setup. These efforts resulted in the ban of 333,000 accounts for confirmed malware and repeated severe policy breaches.
Google also rejected or remediated approximately 200K app submissions to ensure proper use of sensitive permissions such as background location or SMS access. Google has closely worked with SDK providers to protect users’ privacy and prevent sensitive data access and sharing. Over 31 SDKs have enhanced their posture impacting 790K+ apps.
“We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem.” states Google. “This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks.”
Google continues to work on improving the Android environment. In November, 2023, it moved the App Defense Alliance (ADA) under the umbrella of the Linux Foundation, with Meta, Microsoft, and Google as founding steering members. The Alliance encourages widespread adoption of best practices and guidelines for app security across the industry, while also developing countermeasures to address emerging security threats.
Google enhanced Google Play Protect’s security capabilities to provide stronger protection for users installing apps from outside the Play Store. The company implemented real-time scanning at the code-level to detect new malicious apps. The company revealed that this measure has already identified over 5 million new malicious apps outside of the Play Store, enhancing Android users’ global security.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Google Play)
Debt collection agency Financial Business and Consumer Solutions (FBCS) disclosed a data breach that may have impacted 1,955,385 individuals.
FBCS, a third-party debt collection agency, collects personal information from its clients to facilitate debt collection activities on behalf of those clients.
The agency discovered the unauthorized access on February 26, 2024 and immediately took steps to secure the impacted infrastructure and launched an investigation with the help of third-party forensics experts.
According to the agency, compromised information may include names, dates of birth, Social Security numbers, and account information.
The organization discovered that the unauthorized access occurred between February 14 and February 26, 2024.
“On February 26, 2024, FBCS discovered unauthorized access to certain systems in its network. This incident did not impact computer systems outside of FBCS’s network, including those of its clients.” reads the notice of data breach. “The investigation determined that the environment was subject to unauthorized access between February 14 and February 26, 2024, and the unauthorized actor had the ability to view or acquire certain information on the FBCS network during the period of access.”
Financial Business and Consumer Solutions is not aware of misuse of any information exposed after this incident. Starting on April 4, 2024, the agency began notifying impacted customers.
The company is providing potentially impacted individuals with 12 months of free credit monitoring services.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
The Belarusian hacktivist group Cyber-Partisans claims to have infiltrated the network of the country’s main KGB security agency. The hackers had access to personnel files of over 8,600 employees.
#belarus #kgb got hacked by @cpartisans. The KGB website is down for 2months. KGB database leaked on our tg channel https://t.co/64lo0JPf4i pic.twitter.com/gmWeXtj3Xr
— Belarusian Cyber-Partisans (@cpartisans) April 27, 2024
On Friday, the website of the Belarusian KGB showed an empty page that displayed the message “in the process of development”.
The Cyber-Partisans group published on its Telegram channel a series of documents as proof of the hack, including the list of the website’s administrators, the underlying database, and server logs.
“Cyberpartisans and the mystery of the broken KGB website
The official website of the KGB of the Republic of Belarus has not been working for more than 2 months. And all because the Cyber Partisans got there in the fall of 2023 and pumped out all the available information.
Alas, we made a little noise and had to close the site. We are posting a list of admins as proof. See the site database and server logs in a separate post below.” reads the message published by the group on Telegram.
The Cyber-Partisans coordinator Yuliana Shametavets told The Associated Press that the attack on the KGB “was a response” to the agency’s chief Ivan Tertel, who accused the group of preparing attacks on the Belarus’ critical infrastructure, including a nuclear power plant. The group remarked that the target of its attacks are not Belarusians but the county government.
“KGB PROVOKATION: Cyber partisans are planning attacks on a nuclear power plant.” below the message published by the group on Telegram
“We don’t plan to. And we never planned. Because we work to save the lives of Belarusians, not to destroy them. Unlike the Lukashenko regime. But we have already said that in general an attack on the BelNPP is technically possible. While there is a dictator in power, under whom they would rather switch to pieces of paper than provide normal protection against cyber attacks.”
“The KGB is carrying out the largest political repressions in the history of the country and must answer for it,” Shametavets said. “We work to save the lives of Belarusians, and not to destroy them, like the repressive Belarusian special services do.”
Shametavets confirmed that the Cyber-Partisans group exfiltrated the personal files of more than 8,600 KGB employees.
Cyber-Partisans also launched Telegram chatbot that would allow citizens to unmask KGB operatives by uploading their photos.
“We publish interesting entries from the database of citizens’ appeals to the KGB of the Republic of Belarus.” reads another message posted on Telegram. “We even identified some informers for you.
Denunciations from citizens of Poland, Germany, Azerbaijan against Belarusians. Denunciation of citizens of Lithuania and Ukraine against their compatriots for supporting the Armed Forces of Ukraine. Complaints about Cyber Partisans, the Black Card of the Occupiers, etc.”
The Belarus Cyber-Partisans is a hacktivist group that has been active since 2020. Formed in the wake of the disputed 2020 election and subsequent crackdown on protests, the Cyber-Partisans target Belarusian government institutions.
The Cyber-Partisans group has conducted numerous attacks on Belarusian state media over the past four years. In 2022, they targeted Belarusian Railways multiple times, seizing control of its traffic lights and control system. This action disrupted the transit of Russian military equipment into Ukraine via Belarus.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Belarus)
The Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.
Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.
The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.
“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”
The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.
Social Security Numbers (SSN) or financial information was not compromised.
The Los Angeles County Department of Health Services took several steps in response to the security breach, including conducting an administrative review, implementing additional controls to prevent future attacks, and enhancing employee training on identifying and responding to phishing campaigns.
DHS is going to notify affected individuals and relevant regulatory agencies, including the California Department of Public Health and the U.S. Department of Health & Human Services’ Office for Civil Rights, as required by law or contract.
The DHS encourages patients to review the content and accuracy of the information in their medical records with their medical provider. The company is also providing recommendations to patients to protect their information.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Los Angeles County DHS)
Multiple vulnerabilities found in the Brocade SANnav storage area network (SAN) management application could potentially compromise affected appliances.
The following vulnerabilities, discovered by the security researcher Pierre Barre, impact all versions up to 2.3.0 (included):
The most severe flaw is an Insecure SSH configuration tracked as CVE-2024-2859 (CVSS score of 8.8). An unauthenticated, remote attacker can exploit the vulnerability to log in to a vulnerable device using the root account and execute arbitrary commands.
Another severe issue is related to the presence of Hardcoded Docker Keys tracked as CVE-2024-29963 (CVSS score of 8.6).
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. According to the advisory published by Broadcom, Brocade SANnav doesn’t have access to remote Docker registries, and knowledge of the keys is a minimal risk as SANnav is prevented from communicating with Docker registries.
“The security assessment was provided in September 2022 to the Brocade support through Dell but it was rejected by Brocade because it didn’t address the latest version of SANnav.” wrote Barre.
“Luckily, I was able to get access to the latest version of SANnav in May 2023 (the latest version was 2.2.2 then) and confirmed that all the previously rejected vulnerabilities were still present in the version 2.2.2 and as a bonus point, I was able to find 3 additional 0-day vulnerabilities while updating the report. An updated report confirming all the vulnerabilities in the 2.2.2 version was sent to Brocade PSIRT in May 2023 and they finally aknowledged the vulnerabilities. The patches were released in April 2024, 19 months after Brocade firstly rejected the vulnerabilities and 11 months after Brocade acknowledged the vulnerabilities. An attacker can compromise a SANNav appliance. After compromising SANNav, it is trivial to compromise Fibre Channel switches. These switches are running Linux and are powerful. They are ideal to host implants.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Brocade)
ICICI Bank, one of the leading private banks in India, accidentally exposed data of thousands of new credit cards to customers who were not the intended recipients.
ICICI Bank Limited is an Indian multinational bank and financial services company headquartered in Mumbai. It offers a wide range of banking and financial services for corporate and retail customers.
The bank has a network of 6000 branches, and 17000 ATMs across India and has a presence in 17 countries.
The bank blocked 17,000 credit cards due to a technical bug in its mobile banking app, ‘iMobile.’ The glitch allowed users to card details of other customers. Exposed financial information includes credit card numbers, expiry dates, and card verification values (CVV).
This is the Response from @ICICIBank pic.twitter.com/uXcdH3lO9i
— Ravisutanjani (@Ravisutanjani) April 25, 2024
The bank became aware of the glitch after some customers reported it on social media.
“As an immediate measure, we have blocked these cards and are issuing new ones to the customers.” the ICICI Bank spokesperson told the newspaper Times Of India. “We regret the inconvenience caused. No instance of misuse of a card from this set has been reported to us. However, we assure that the Bank will appropriately compensate a customer in case of any financial loss.”
The bank states that the incident impacted about 0.1% of the bank’s credit card portfolio.
ICICI Bank is issuing new credit cards to the impacted customers.
In April 2023, researchers at Cybernews reported that ICICI Bank leaked millions of records with sensitive data, including financial information and personal documents of the bank’s clients.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data leak)
In recent weeks, Okta observed a surge in credential stuffing attacks against online services, aided by the widespread availability of residential proxy services, lists of previously compromised credentials (“combo lists”), and automation tools.
“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.” reads the advisory published by Okta.
From March 18, 2024, to April 16, 2024, Duo Security and Cisco Talos observed large-scale brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces and SSH services.
Below is a list of known affected services:
From April 19, 2024 through to April 26, 2024, the Okta Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.
A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.
The attacks recently observed by Okta route requests through anonymizing services like TOR and residential proxies such as NSOCKS, Luminati, and DataImpulse. The experts noticed that millions of requests have been routed through these services.
Residential proxies (RESIPs) are networks of legitimate user devices used to route traffic for paying subscribers, often without their knowledge. Threat actors use these RESIPs to evade detection. Users may consciously download “proxyware” for payment or other benefits, or their devices may be infected with malware unknowingly, turning them into part of a botnet.
“The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. For more information on residential proxy services, we recommend this informative summary by CERT Orange Cyberdefense and Sekoia.” continues the advisory.
The advisory includes recommendations to mitigate the risk of account takeovers from credential stuffing attacks along with TTPs used in recent campaigns.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, credential stuffing)
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
Cybercrime
Malware dev lures child exploiters into honeytrap to extort them
Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist
Alcohol sales disrupted in Sweden after reported ransomware attack
Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
Malware
#StopRansomware: Akira Ransomware
Malvertising campaign targeting IT teams with MadMxShell
GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
New Malware Campaign Targets WP-Automatic Plugin
Brokewell: do not go broke from new banking malware!
Hacking
MagicDot: A Hacker’s Magic Show of Disappearing Dots and Spaces
Leicester street lights stuck on all day due to cyber attack
Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise
GPT-4 can exploit security flaws on its own, study shows
Hackers accessed more than 19,000 accounts on California state welfare platform
Android TVs Can Expose User Email Inboxes
Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
Intelligence and Information Warfare
DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware
North Korea hacking teams hack South Korea defence contractors – police
Treasury Designates Iranian Cyber Actors Targeting U.S. Companies and Government Agencies
ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices
Israel Tried to Keep Sensitive Spy Tech Under Wraps. It Leaked Abroad
Australia’s spy chief warns AI set to inflame radicalisation
German spy agency warns companies against being too “naive” on China
Cybersecurity
Promoting Accountability for the Misuse of Commercial Spyware
Google Patches Critical Chrome Vulnerability
2023: A ‘Good’ Year for OT Cyberattacks
Chaturbate Will Pay Texas $675,000 for Violating New Porn Age Verification Law
UK’s Investigatory Powers Bill to become law despite tech world opposition
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Security experts at Deep Instinct Threat Lab have uncovered a targeted campaign against Ukraine, exploiting a Microsoft Office vulnerability dating back almost seven years to deploy Cobalt Strike on compromised systems.
The researchers found a malicious PPSX (PowerPoint Slideshow signal-2023-12-20-160512.ppsx) file uploaded from Ukraine to VirusTotal at the end of 2023.
The file, although labeled as shared through the Signal app, might not have been originally sent via the application. It’s a PPSX file, seemingly an outdated US Army manual for tank mine clearing blades (MCB).
The PPSX file contains a remote link to an external OLE object. The researchers pointed out that the use of the “script:” prefix demonstrates the exploitation of the vulnerability CVE-2017-8570, a bypass for CVE-2017-0199. The remote script, named “widget_iframe.617766616773726468746672726a6834.html,” was hosted on “weavesilk[.]space,” protected by CloudFlare. Despite this, the true hosting behind the domain was identified as a Russian VPS provider. The scriptlet contents are heavily obfuscated.
The second stage dropper is an HTML file containing JavaScript code executed via Windows cscript.exe. The script sets up persistence, decode, and save the embedded payload to disk disguised as Cisco AnyConnect VPN file.
The payload includes a dynamic-link library (vpn.sessings) that injects the post-exploitation tool Cobalt Strike Beacon into memory and awaits commands from the C2 server. Threat actors used a cracked version of Cobalt Strike.
The DLL also implements features to evade detection and avoid analysis by security experts.
The Deep Instinct Threat Lab could not attribute the attacks to a known threat actor. Evidence collected by the experts demonstrates the sample originated from Ukraine, a Russian VPS provider hosted the second stage, and the Cobalt beacon C&C was registered in Warsaw, Poland.
“The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (http://weavesilk.com) and a popular photography site (https://petapixel.com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.” concludes the report. “As of the day of discovery, the loader was undetectable by most engines, while Deep Instinct prevented it on day 0.”
The report includes Indicators of Compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ukraine)
Threat actors breached over 19,000 online accounts on a California state platform dedicated to welfare programs.
Officials reported that the security breach occurred on February 9, when someone logged into some BenefitsCal users’ accounts. Threat actors exploited reused passwords obtained from third-party websites.
BenefitsCal, a California-based web platform, enables users to apply for and oversee a range of welfare programs, encompassing food stamps, cash assistance, and medical benefits.
“On February 9, 2024, BenefitsCal discovered that someone, that was not allowed, may have logged into accounts of some users of the BenefitsCal website using reused passwords taken from other websites. Your account may have been one of those accessed.” reads the data breach notification filed by officials at the California Statewide Automated Welfare System. “BenefitsCal took immediate steps to protect you by temporarily inactivating your account. Someone that was not allowed may have accessed your account between March 1, 2023 and February 13, 2024. In reviewing your account use during that time, your personal information may have been accessed”
According to the date breach notification, potentially compromised information may have included users name, address, date of birth, full or last four digits of Social Security Number, email address, phone number, EBT card number, case number, Medi-Cal ID number and information about their program eligibility and benefits.
BenefitsCal is notifying impacted users and providing them with instructions on what they can do.
In response to the incident, the agency deactivated accounts and launched an investigation that revealed attackers had access from March 1, 2023 and February 13, 2024.
“In addition to temporarily inactivating your account, BenefitsCal took additional steps to further secure your account prior to using it again, including requiring you to provide not just your password but confirm that you are the one asking to access the account through either your email or your phone number when logging in.” continues the notification. “We also reissued your EBT card if you have one. BenefitsCal has also added other security changes to reduce the risk of a someone potentially accessing information that is not allowed.”
The California state welfare platforms also implemented additional security measures to protect the accounts, including enabling 2FA.
Users are recommended to use strong passwords and avoid reusing the same credentials for multiple websites.
It’s unclear if the agency plans to offer free identity protection services to the impacted individuals.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, California state welfare)
ThreatFabric researchers uncovered a new mobile malware named Brokewell, which is equipped with sophisticated device takeover features. The experts pointed out that this malware is actively evolving and poses a severe risk to the banking sector. The author frequently adds new commands.
The attack chain starts with fake application updates for popular software, such as the Chrome browser and the Austrian digital authentication application.
Brokewell employs overlay attacks to overlap a fake screen over legitimate applications, capturing user credentials. The malicious code also has the capability to steal cookies. By launching its own WebView and overriding the onPageFinished method, Brokewell loads the authentic website, captures session cookies during the login process, and transmits them to the C2 server.
Brokewell malware supports “accessibility logging,” it records any device events such as touches, swipes, displayed information, text input, and opened applications. Then it transmits logs to the C2 server, effectively capturing confidential data displayed or entered on the compromised device. The experts explained that potentially all applications on the device are vulnerable to data compromise as Brokewell logs every event.
The malware also supports multiple “spyware” functionalities, it can gather device information, call history, geolocation, and record audio.
“After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities. To achieve this, the malware performs screen streaming and provides the actor with a range of actions that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements.” reads the report published by ThreatFabric.
Brokewell supports various commands that allow to take full control of the device. The malware can also perform various actions on the screen, including touches, swipes, clicks, scrolls, text input, and more.
Researchers discovered that one of the C2 servers of this malware was hosting a repository called Brokewell Cyber Labs.
The repository contained the source code for a ‘Brokewell Android Loader,’ Brokewell and the loader were both developed by a threat actor called Baron Samedit.
The Brokewell Android Loader can bypass Android 13+ restrictions, experts believe it can be used in the future to spread other malware families.
Analysis of the “Baron Samedit” profile shows that the threat actor has been active for at least two years, initially involving tools for checking stolen accounts across various services.
“The discovery of a new malware family, Brokewell, which implements Device Takeover capabilities from scratch, highlights the ongoing demand for such capabilities among cyber criminals. These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting.” concludes the report.
“We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Android)
WordPress security scanner WPScan warns that threat actors are exploiting a critical SQL injection vulnerability in the plugin WordPress Automatic to inject malware into websites.
The premium plugin “Automatic” developed by ValvePress enables users to automatically post content from any website to WordPress, including RSS feeds. It has over 38,000 paying customers.
The vulnerability, tracked as CVE-2024-27956 (CVSS score of 9.8), resides in WP‑Automatic plugin’s handling of user authentication in one file. An attacker can exploit the issue to inject code into the site’s database and gain admin‑level privileges.
“A few weeks ago a critical vulnerability was discovered in the plugin WP‑Automatic. This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.
Threat actors can exploit the flaw by sending specially crafted requests, resulting in the injection of arbitrary SQL code into the site’s database.
The vulnerability was originally reported by PatchStack on March 13, 2024, and since then WPScan researchers observed 5,576,488 attack attempts. The researchers noticed that attack campaign started slowly and reached its peak on March 31, 2024.
Once the attackers have created an admin‑level account can upload malicious files such as web shells or backdoors and compromise the underlying server.
Researchers observed attackers renaming the vulnerable WP-Automatic file to prevent other threat actors from exploiting it, ensuring exclusive access for themselves.
“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to avoid other bad actors to successfully exploit their already compromised sites.” reads the advisory published by WPScan. “Also, since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.”
The vulnerability impacted WP‑Automatic Versions before 3.9.2.0, version 3.92.1 addressed it.
Admins are recommended to update their installs as soon as possible.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, WordPress)
Login