Yesterday — 18 March 2024, Security Affairs

PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released

18 March 2024 at 20:41

Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product.

Fortra has released updates to address a critical vulnerability, tracked as CVE-2024-25153 (CVSS score 9.8) impacting its FileCatalyst file transfer solution.

A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code on impacted servers.

“A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request.” reads the advisory. “In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.”

According to the advisory, the vulnerability was reported in August 2023 by Tom Wedgbury from LRQA Nettitude, before Fortra joined the CNA program; the company fixed it in August 2023.

“We are issuing a CVE now at the request of the individual who initially reported the vulnerability,” continues the advisory.

The vulnerability was fixed with the release of FileCatalyst Workflow version 5.1.6 Build 114.
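The bug class the advisory describes (an upload name that lands outside the intended directory) is easiest to reason about next to its hardened form. The block below is an added example, not Fortra's code or the Nettitude PoC: it assumes a hypothetical upload root, constructed filenames and constructed access-log lines, and contrasts the unchecked join with a validated one plus a log check a defender could run.

```python
"""Upload-name containment check for the FileCatalyst ftpservlet bug class.

Constructed example, not Fortra's code: the advisory says a crafted POST could
place files outside the intended 'uploadtemp' directory. Function names, the
sample filenames and the access-log lines below are all made up for illustration.
"""
import tempfile
import urllib.parse
from pathlib import Path

# Constructed web-server log lines (not real FileCatalyst logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2024:10:01:02 +0000] "POST /workflow/ftpservlet?fileName=report.pdf HTTP/1.1" 200 51',
    '10.0.0.9 - - [18/Mar/2024:10:03:44 +0000] "POST /workflow/ftpservlet?fileName=..%2F..%2Fwebapps%2Fx.jsp HTTP/1.1" 200 51',
    '10.0.0.9 - - [18/Mar/2024:10:04:01 +0000] "GET /workflow/index.jsp HTTP/1.1" 200 2311',
    '10.0.0.9 - - [18/Mar/2024:10:05:17 +0000] "POST /workflow/ftpservlet?fileName=%252e%252e%252fx.jsp HTTP/1.1" 200 51',
]

# Traversal markers checked after ONE round of percent-decoding, so both plain
# and double-encoded sequences are caught.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "..%2f", "..%5c")


def naive_destination(upload_root: str, client_filename: str) -> Path:
    """Vulnerable pattern: the client-supplied name is joined onto the upload
    directory without checking where the result actually lands."""
    return Path(upload_root) / client_filename


def escapes_root(upload_root: str, destination: Path) -> bool:
    """True when the resolved destination is neither the upload root nor inside it."""
    root = Path(upload_root).resolve()
    target = destination.resolve()  # follows '..' segments and any symlinks
    return target != root and root not in target.parents


def is_safe_upload_name(client_filename: str) -> bool:
    """Reject anything that is not a single, plain path component."""
    decoded = urllib.parse.unquote(client_filename)
    if decoded in ("", ".", ".."):
        return False
    return not any(ch in decoded for ch in ("/", "\\", "\x00"))


def safe_destination(upload_root: str, client_filename: str) -> Path:
    """Hardened pattern: validate the name, then confirm containment as a second
    layer (catches a symlink already sitting inside the upload directory)."""
    if not is_safe_upload_name(client_filename):
        raise ValueError(f"rejected upload name: {client_filename!r}")
    dest = Path(upload_root) / urllib.parse.unquote(client_filename)
    if escapes_root(upload_root, dest):
        raise ValueError(f"upload would leave {upload_root}: {client_filename!r}")
    return dest


def flag_traversal_requests(log_lines):
    """Return the log lines showing a POST to the upload servlet that carries a
    traversal sequence; decoding happens once so double-encoding still matches."""
    hits = []
    for line in log_lines:
        lowered = urllib.parse.unquote(line).lower()
        if ('"post ' in lowered and "ftpservlet" in lowered
                and any(marker in lowered for marker in TRAVERSAL_MARKERS)):
            hits.append(line)
    return hits


def run_demo() -> dict:
    """Exercise both patterns against a throwaway upload root."""
    with tempfile.TemporaryDirectory() as root:
        naive = naive_destination(root, "../../webapps/x.jsp")
        results = {
            "naive_escapes": escapes_root(root, naive),
            "safe_stays_inside": not escapes_root(root, safe_destination(root, "report.pdf")),
            "encoded_traversal_rejected": not is_safe_upload_name("..%2F..%2Fwebapps%2Fx.jsp"),
            "flagged_log_lines": len(flag_traversal_requests(SAMPLE_LOG)),
        }
    return results


if __name__ == "__main__":
    print(run_demo())
```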

Researchers from Nettitude released on GitHub a full proof-of-concept exploit for this vulnerability. The PoC exploit demonstrates how to upload a web shell on vulnerable instances to execute operating system commands.

The exploit will:

  1. Automatically detect whether anonymous login is enabled.
  2. Get a valid session token.
  3. Upload a command shell with a pseudo-randomly generated file name.
  4. Execute the OS command.

With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) coming under heavy exploitation last year by threat actors like Cl0p, users are urged to apply the necessary updates to mitigate potential threats.


Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortra Filecatalyst)

Fujitsu suffered a malware attack and probably a data breach

18 March 2024 at 19:05

Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the theft of customer information.

Japanese technology giant Fujitsu on Friday announced it had suffered a malware attack; threat actors may have stolen personal and customer information.

The company revealed that multiple work computers were infected with malware; in response to the compromise, the security staff disconnected impacted systems from the network. The company launched an investigation into the incident and discovered that threat actors may have exfiltrated files containing personal and customer information.

“We confirmed the presence of malware on multiple work computers at our company, and as a result of an internal investigation, we discovered that files containing personal information and customer information could be illegally taken out.” reads the notice published by the Japanese company.

“After confirming the presence of malware, we immediately disconnected the affected business computers and took measures such as strengthening monitoring of other business computers. Additionally, we are currently continuing to investigate the circumstances surrounding the malware’s intrusion and whether information has been leaked.”

The company is notifying the impacted individuals and has notified the Personal Information Protection Commission in anticipation of a data breach. The notice states that Fujitsu has not received any reports that personal information or information about its customers has been misused.

The investigation continues and the company hasn’t provided details about the attack, such as the malware that infected its computers.

It is also unclear what the scope of the incident is, how many individuals have been impacted and which information was accessed by the threat actors.

In May 2021, threat actors breached offices of multiple Japanese agencies after gaining access to projects using Fujitsu‘s ProjectWEB information-sharing tool.

ProjectWEB is a software-as-a-service (SaaS) platform for enterprise collaboration and file-sharing that was provided by Fujitsu.

At the time, Fujitsu confirmed the security breach and revealed that the attackers had also stolen some customer data belonging to multiple government entities.


Pierluigi Paganini

(SecurityAffairs – hacking, Fujitsu)

Remove WordPress miniOrange plugins, a critical flaw can allow site takeover

18 March 2024 at 12:48

A critical vulnerability in WordPress miniOrange’s Malware Scanner and Web Application Firewall plugins can allow site takeover.

On March 1st, 2024, WordPress security firm Wordfence received a submission for a Privilege Escalation vulnerability in miniOrange’s Malware Scanner as part of the company’s Bug Bounty Extravaganza initiative.

This WordPress plugin has more than 10,000 active installations. The researchers at the Wordfence Threat Intelligence team also identified the same vulnerability in miniOrange’s Web Application Firewall plugin, which has more than 300 active installations.

An unauthenticated attacker can exploit this vulnerability to gain administrative privileges by updating the user password.

The researchers urge WordPress administrators to remove the impacted plugins.

“Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately!” reads the advisory.

“This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.”

“Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would,” Wordfence said.

The vulnerability, tracked as CVE-2024-2172 (CVSS score 9.8) impacts the following versions of the plugins:

The maintainers have closed both plugins since March 7, 2024.

The privilege escalation vulnerability is caused by a missing capability check on the mo_wpns_init() function in the vulnerable plugins.

The issue can lead to complete site compromise: once an attacker gains administrative user access to a WordPress site, they can manipulate it just like any normal administrator. The attacker can upload plugin and theme files, which may contain malicious backdoors, and modify posts and pages to redirect users to malicious sites or inject spam content.

The researchers who reported this issue, Stiofan, earned a bounty of $1,250.00 under the Wordfence Bug Bounty Program.

“The plugins have been permanently closed, and there are no patches available or forthcoming for them. We encourage WordPress users to delete these plugins from their sites.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress miniOrange plugins)

The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats

18 March 2024 at 10:32

Resecurity reported about the increasing wave of cyber incidents targeting the aerospace and aviation sectors.

The experts emphasized the importance of rigorous cybersecurity risk assessments for airports and proactive threat intelligence in the context of the activity of major ransomware groups and advanced threat actors.

As geopolitical tensions rise globally, there’s a heightened risk of destructive cyberattacks in the civil aviation industry and aerospace sector. Resecurity has detailed recent notable activities of threat actors targeting these sectors.

Lockbit 3.0, one of the most active ransomware groups targeting these sectors, has launched attacks on several notable companies. It attacked Bangkok Airways, a major airline company in Thailand, in September 2021, Israeli aerospace and defense firm E.M.I.T Aviation Consulting in October 2021, Kuwait Airlines in June 2022 and Air Albania in 2023 with the most recent update in March 2024.

In an increasingly fragmented geopolitical landscape, influenced by the war in Ukraine and rising tensions in the Middle East, the aerospace sector’s designation as critical infrastructure has become a double-edged sword. At last year’s Aviation Week conference, United Airlines Director of Cybersecurity Jen Miosi highlighted this issue, stating that being labeled as critical infrastructure makes the aerospace sector more visible and vulnerable to cyber threats. This heightened visibility inevitably paints a target on the sector’s back, attracting threat actors who aim to exploit this critical infrastructure for their agendas.

The label of ‘critical infrastructure’ has not only raised the profile of the aviation sector but has also made it a more enticing target for advanced persistent threat groups and hacktivist collectives. Speaking at last year’s conference, Jeffrey Troy, the CEO of the Aviation Information Sharing and Analysis Center (Aviation ISAC), highlighted the escalating threat from hacktivist groups. These attackers engage in cyber activities to support specific political agendas, and according to Troy, this threat is undoubtedly on the rise. He noted that the outbreak of war in Gaza has particularly intensified hacktivist activities targeting the aviation sector.

The modern aviation sector’s attack surface has significantly expanded, largely due to the integration of various remote systems. According to a report published last year by Aerospace Testing International, the sector’s vulnerability has grown with the adoption of technologies like IoT sensors, actuators, biometric readers, robotics, and cloud applications, all of which require web connectivity. The report also highlighted additional security risks stemming from the use of mobile phones and the implementation of bring-your-own-device (BYOD) policies. Critical systems such as reservation systems, flight history servers, ticket booking portals, flight management systems, and cabin crew devices have been identified as key targets for hackers.

Resecurity’s recent report sheds light on the alarming increase in malicious cyber activities targeting the aerospace sector, revealing a 68% rise compared to last year. The report underscores the critical role of comprehensive cybersecurity risk assessments in preventing cyberattacks. Furthermore, it discusses the essential threat-modeling approaches necessary for industry stakeholders to develop a robust security posture within their organizations. By anticipating and preparing for potential cyber threats, the aerospace sector can better safeguard itself against the evolving landscape of cyber risks.

Additional details are included in the report published by Resecurity:

https://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats


Pierluigi Paganini

(SecurityAffairs – hacking, Aviation and Aerospace Sectors)

Email accounts of the International Monetary Fund compromised

18 March 2024 at 08:20

Threat actors compromised at least 11 International Monetary Fund (IMF) email accounts earlier this year, the organization revealed.

The International Monetary Fund (IMF) disclosed a security breach: threat actors compromised 11 email accounts earlier this year. The agency discovered the incident on February 16, 2024, and immediately launched an investigation with the help of cybersecurity experts.

The International Monetary Fund (IMF) is a major financial agency of the United Nations, and an international financial institution funded by 190 member countries. Its stated mission is “working to foster global monetary cooperation, secure financial stability, facilitate international trade, promote high employment and sustainable economic growth, and reduce poverty around the world.”

“The investigation determined that eleven (11) IMF email accounts were compromised. The impacted email accounts were re-secured. We have no indication of further compromise beyond these email accounts at this point in time. The investigation into this incident is continuing.” reads a statement published by the organization.

“The IMF takes prevention of, and defense against, cyber incidents very seriously and, like all organizations, operates under the assumption that cyber incidents will unfortunately occur. The IMF has a robust cybersecurity program in place to respond quickly and effectively to such incidents.”

The agency has already secured the compromised email accounts and added that it is not aware of further compromise beyond them.

BleepingComputer contacted the IMF, which confirmed that, although it uses Microsoft 365, the incident does not appear to be part of the recently disclosed targeting of Microsoft.

This isn’t the first incident suffered by the IMF; the agency suffered a major security breach in 2011.


Pierluigi Paganini

(SecurityAffairs – hacking, International Monetary Fund)

Before yesterday, Security Affairs

Threat actors leaked 70,000,000+ records allegedly stolen from AT&T

17 March 2024 at 17:08

Researchers at vx-underground first noticed that more than 70,000,000 records from AT&T were leaked on the Breached hacking forum.

More than 70,000,000 records from an unspecified division of AT&T were leaked onto Breached, vx-underground researchers reported.

Today 70,000,000+ records from an unspecified division of AT&T were leaked onto Breached. No information is available to indicate whether it is a 3rd party compromise, or which 'division' this data is from.

Regardless, upon review we can confirm the stolen data is legitimate.

— vx-underground (@vxunderground) March 17, 2024

The researchers confirmed that the leaked data is legitimate, however, it is still unclear if the information was stolen from a third-party organization linked to AT&T.

The seller, who goes by the online moniker MajorNelson, claims that the data was obtained from an unnamed AT&T division by @ShinyHunters in 2021. The archive contains 73,481,539 records.


“It should be noted before anyone hits us with an “aktschually” – the data was stolen in 2021. It was leaked online today.” said vx-underground.


In August 2021, the ShinyHunters group claimed to have a database containing private information on roughly 70 million AT&T customers, but the company denied that the data had been stolen from its systems.

ShinyHunters is a popular hacking crew that is known to have offered for sale data stolen from tens of major organizations, including Tokopedia, Homechef, Chatbooks.com, Microsoft, and Minted.

In August 2021, the group asked $1 million for the entire database, or $200,000 for access, according to the RestorePrivacy website that examined a sample that appears authentic.

“While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid.” reads the RestorePrivacy website. “Here is the data that is available in this leak:

  • Name
  • Phone number
  • Physical address
  • Email address
  • Social security number
  • Date of birth”

The threat actors claimed that the data belonged to AT&T customers in the United States; the group told RestorePrivacy that they were available to support AT&T in securing its systems for a reward.

AT&T denied any data breach; below is the statement from the telecommunication giant:

“Based on our investigation Thursday, the information that appeared in an internet chat room does not appear to have come from our systems,”


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

“gitgub” malware campaign targets Github users with RisePro info-stealer

17 March 2024 at 15:01

Cybersecurity researchers discovered multiple GitHub repositories hosting cracked software that are used to drop the RisePro info-stealer.

G-Data researchers found at least 13 such Github repositories hosting cracked software designed to deliver the RisePro info-stealer. The experts noticed that this campaign was named “gitgub” by its operators.

The researchers started the investigation following Arstechnica’s story about malicious Github repositories. The experts created a threat-hunting tool that allowed them to identify the repositories involved in this campaign. The researchers noticed that all the repositories were newly created repos leading to the same download link.

“We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. Green and red circles are commonly used on Github to display the status of automatic builds.” reads the report published by G-Data. “Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency.” 


Below is the list of Github repositories used in this campaign, which were already taken down by Github:


All the repositories used the same download link: 

hxxps://digitalxnetwork[.]com/INSTALLER%20PA$$WORD%20GIT1HUB1FREE.rar.

The researchers noticed that the users must unpack several layers of archives using the password “GIT1HUB1FREE,” which is provided in the README.md file, to access the installer named “Installer_Mega_v0.7.4t.msi.” 

Threat actors used this MSI installer to unpack the next stage using the password “LBjWCsXKUz1Gwhg”. The resulting file is named Installer-Ultimate_v4.3e.9b.exe.

The binary has a size of 699 MB, which causes IDA and ResourceHacker to crash.

The analysis of the content used to inflate the file allowed the researcher to determine its actual size of 3.43 MB. The file is utilized as a loader for the RisePro info-stealer (version 1.6).

Upon executing the loader, it connects to hxxp://176.113.115(dot)227:56385/31522 and injects its payload into either AppLaunch.exe or RegAsm.exe.

RisePro is a C++ info-stealer that has been active since at least 2022; it gathers sensitive data from the infected system. The malware exfiltrates the gathered data to two Telegram channels.

“The malware collects a variety of valuable information. All unique passwords are stored in a file named “brute.txt”. In the file “password.txt” we discovered a big RISEPRO banner and the link to the public Telegram channel.” concludes the report that also provides indicators of compromise for this threat.


Pierluigi Paganini

(SecurityAffairs – hacking, RisePro info-stealer)

Security Affairs newsletter Round 463 by Pierluigi Paganini – INTERNATIONAL EDITION

17 March 2024 at 12:23

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

France Travail data breach impacted 43 Million people
Scranton School District in Pennsylvania suffered a ransomware attack
Lazarus APT group returned to Tornado Cash to launder stolen funds
Moldovan citizen sentenced in connection with the E-Root cybercrime marketplace case
UK Defence Secretary jet hit by an electronic warfare attack in Poland
Cisco fixed high-severity elevation of privilege and DoS bugs
Recent DarkGate campaign exploited Microsoft Windows zero-day
Nissan Oceania data breach impacted roughly 100,000 people
Researchers found multiple flaws in ChatGPT plugins
Fortinet fixes critical bugs in FortiOS, FortiProxy, and FortiClientEMS
Acer Philippines disclosed a data breach after a third-party vendor hack
Stanford University announced that 27,000 individuals were impacted in the 2023 ransomware attack
Microsoft Patch Tuesday security updates for March 2024 fixed 59 flaws
Russia’s Foreign Intelligence Service (SVR) alleges US is plotting to interfere in presidential election
First-ever South Korean national detained for espionage in Russia
Insurance scams via QR codes: how to recognise and defend yourself
BianLian group exploits JetBrains TeamCity bugs in ransomware attacks
Experts released PoC exploit for critical Progress Software OpenEdge bug
Magnet Goblin group used a new Linux variant of NerbianRAT malware
Hackers exploited WordPress Popup Builder plugin flaw to compromise 3,300 sites
Lithuania security services warn of China’s espionage against the country

Cybercrime

Data breaches caused by insiders can cost you over $15 million  

Stanford says data from 27,000 people leaked in September ransomware attack

A Close Up Look at the Consumer Data Broker Radaris

Binance’s Top Crypto Crime Investigator Is Being Detained in Nigeria 

FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.  

Moldovan National Sentenced To Federal Prison For Operating Websites Involved In The Illicit Sale Of Compromised Computer Credentials     

CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms 

Pennsylvania’s Scranton School District dealing with ransomware attack 

Cybercriminals Evolve Tooling For Remote Access Compromise  

France Travail: the CNIL investigates the data leak and gives advice on how to protect yourself  

Malware

MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES 

New Malware Campaign Found Exploiting Stored XSS in Popup Builder < 4.2.3

BianLian GOs for PowerShell After TeamCity Exploitation  

CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign  

Hacking  

AUTOATTACKER: A Large Language Model Guided System to Implement Automatic Cyber-attacks

CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive  

French state services hit by ‘intense’ cyberattack, PM’s office says  

Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data  

Intelligence and Information Warfare 

China intensifies intelligence activities against Lithuania from its territory      

First-ever South Korean citizen arrested for espionage in Russia  

Russia’s spy service accuses US of trying to meddle in presidential election

THE MARCH 2024 SECURITY UPDATE REVIEW     

Rubio warns Chinese cyberattack ‘will be 100 times worse’ than AT&T outage: ‘Your power, your water’  

North Korean Hackers Return to Tornado Cash Despite Sanctions  

Safeguarding EU elections amidst cybersecurity challenges 

Nation-state threat actors using LLMs to boost cyber operations 

Cybersecurity          

Nissan to let 100,000 Aussies and Kiwis know their data was stolen in cyberattack

China could use TikTok to influence US elections, spy chief says 

Stealing Part of a Production Language Model  

US Senator Urges Microsoft to Pull Bing Out of China 

How to verify a data breach


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)


France Travail data breach impacted 43 Million people

16 March 2024 at 22:23

Unemployment agency France Travail (Pôle Emploi) recently suffered a data breach that could impact 43 million people.

In August 2023, the French government employment agency Pôle emploi suffered a data breach and notified 10 million individuals impacted by the security breach.

The press release published by the agency states that its information systems are not impacted.

“In accordance with its obligations under the General Data Protection Regulation (GDPR), Pôle emploi has notified the CNIL today. The establishment will also file a complaint with the judicial authorities.” reads the press release published by the agency. “Jobseekers registered in February 2022 and former users of Pôle Emploi are potentially affected by this theft of personal data.” 

The security breach exposed the surnames, first names and social security numbers of impacted individuals. Email addresses, phone numbers, passwords and financial data are not exposed. 

The agency recommends that job seekers remain vigilant about any potential fraudulent activity; it also added that there is no risk to the compensation and support offered by the agency, nor to access to the personal space on pole-emploi.fr.

The investigation conducted by France’s Cybermalveillance cybercrime prevention initiative revealed that threat actors stole the personal information of 43 million people between February 6 and March 5, 2024.

“The database allegedly extracted illicitly contains the personal identification data of people currently registered, people previously registered over the last 20 years as well as people not registered on the list of job seekers but having a candidate space on francetravail.fr. It is therefore potentially the personal data of 43 million people which have been infiltrated.” reads the press release published by France Travail.

The agency notified the French data protection authority CNIL (Commission nationale de l’informatique et des libertés) and filed a complaint with the judicial authorities.

French authorities did not attribute the attack to a known ransomware group, however, Bleeping Computer observed that the French government agency was listed by the security firm Emsisoft on its MOVEit page.


Pierluigi Paganini

(SecurityAffairs – hacking, France Travail)

Scranton School District in Pennsylvania suffered a ransomware attack

16 March 2024 at 20:20

School districts continue to be under attack, schools in Scranton, Pennsylvania, are suffering a ransomware attack.

This week, schools in Scranton, Pennsylvania, experienced a ransomware attack, resulting in IT outages. The Scranton School District is working with third-party forensic specialists to investigate the security breach and restore impacted systems.

“The attack is causing a temporary disruption to some of our computer systems and services. We are working diligently with third party forensic specialists, that we engaged last evening, to investigate the source of this incident, confirm its impact on our systems, and to restore full functionality to the system as soon as possible,” reads a post published by the Scranton School District on Facebook.

“Scranton School District’s computer system was recently hacked and infected with ransomware, according to acting Superintendent Patrick Laffey.” reported The Times-Tribune.

The district ordered school staff not to use any electronic devices and to uninstall any school-related apps from their mobile devices, said Rosemary Boland, president of the Scranton Federation of Teachers.

“As you know, some files may be inaccessible during this period as we, and the third-party forensic specialists, continue the investigation. Due to the increased security measures placed in our systems, some functions may be slower than usual.”

The Scranton School District website is not reachable and their Facebook account is not available at the time of this writing.

The Scranton School District is a large, urban school district located in Scranton, Pennsylvania in the Wyoming Valley region. The district encompasses approximately 26 square miles. According to the 2020 census, the Scranton School District serves a resident population of 76,997.

The school district includes 15 schools and serves more than 9000 students.

The Scranton School District reported “network-related issues” on Thursday; the problems caused a disruption for computer systems and services in the District. The issues caused the school district to delay classes by two hours on Thursday.

“We are working diligently to investigate this matter with the assistance of third-party forensic specialists and intend to restore full functionality to our affected systems as quickly and securely as possible,” according to a statement from the Acting Superintendent Patrick Laffey. “We have significant resources devoted to this process and our work to resolve this issue is ongoing.”

“We asked people to cooperate anyway they can,” Boland said. “The sooner we get to the bottom of this the better, and we can get on with our lives.”

The schools normally operated on Friday, but students completed their tasks using pencil and paper instead of their Chromebooks.

The school district has yet to share details about the ransomware attack; it is unclear which ransomware family targeted the organization and whether the schools suffered a data breach.


Pierluigi Paganini

(SecurityAffairs – hacking, Scranton School District)

Lazarus APT group returned to Tornado Cash to launder stolen funds

16 March 2024 at 13:41

The North Korea-linked Lazarus APT group is allegedly using the mixer platform Tornado Cash again to launder $23 million.

The North Korea-linked Lazarus APT group has reportedly resumed using the mixer platform Tornado Cash to launder $23 million.

Blockchain cybersecurity firm Elliptic linked the theft of $112.5 million from the exchange HTX, which took place in November 2023, to the North Korean group. Now Elliptic reports that over the past day, the group laundered more than $23 million from this attack through Tornado Cash.

In August 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the crypto mixer service Tornado Cash used by North Korean-linked Lazarus APT Group.

Mixers are essential components for cybercriminals, who use them for money laundering; Tornado Cash was used to launder the funds stolen from the victims.

At the time of the announcement of the sanctions by OFAC, Tornado Cash was used to launder more than $7 billion worth of virtual currency since its creation in 2019. The Lazarus APT group laundered over $455 million stolen during the largest known virtual currency heist to date. Tornado Cash was also used to launder more than $96 million of malicious cyber actors’ funds derived from the June 24, 2022 Harmony Bridge Heist, and at least $7.8 million from the recent Nomad crypto heist. However, Tornado Cash has never interrupted its operations despite sanctions.

In response to the sanctions, Lazarus turned to the mixer Sinbad.io, but this service was seized by US authorities in November 2023.

The researchers noted that the mixer operates through smart contracts on decentralized blockchains, making it immune to seizure and shutdown such as the action that led to the seizure of the centralized mixer Sinbad.io.

“Lazarus Group now appear to have returned to using Tornado Cash as a way to launder funds at scale and obfuscate their transaction trail. Since March 13 2024, more than $23 million in ETH from the HTX/HECO thefts have been sent to Tornado Cash, across more than 60 transactions.” reads the report published by Elliptic.

“This change in behavior and return to the use of Tornado Cash likely reflects the limited number of large-scale mixers now operating, thanks to law enforcement takedowns of services such as Sinbad.io and Blender.io.”

[Image: Lazarus APT Tornado Cash] A screenshot from Elliptic Investigator showing the primary flow of funds from the HTX/HECO Bridge hacker wallet to Tornado Cash, as of March 15, 2024. (Not all transaction flows are displayed.) (Source: Elliptic)

Cryptocurrency exchanges and financial institutions are recommended to use tools such as wallet screening solutions to prevent transactions with sanctioned entities like Tornado Cash and the Lazarus Group.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus APT)

Moldovan citizen sentenced in connection with the E-Root cybercrime marketplace case

15 March 2024 at 18:46

US DoJ sentenced a Moldovan national (31) to 42 months in federal prison for operating the E-Root cybercrime marketplace.

U.S. District Court sentenced the Moldovan national (31) Sandu Boris Diaconu to 42 months in federal prison for conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices.

Diaconu was operating the E-Root cybercrime marketplace. The man operated a series of websites used to sell access to compromised computers worldwide, including servers belonging to companies and individuals in the United States. 

[Image: E-Root] (Source: Hackread.com)

Diaconu was arrested in May 2021 while attempting to leave the United Kingdom and was extradited to the United States on October 13, 2023. Diaconu pleaded guilty on December 1, 2023.

E-Root customers could search for credentials of compromised computers that granted access to remote computers, enabling buyers to either steal sensitive data or manipulate the contents stored on the remote computer.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers.” reads the press release published by DoJ. “Buyers could search for compromised computer credentials on E-Root, such as usernames and passwords that would allow buyers to access remote computers for purposes of stealing private information or manipulating the contents of the remote computer. Buyers could search for credentials by desired criteria, such as price, geographic location, internet service provider, and operating system.”    

The marketplace allowed buyers to pay using Perfect Money, a cryptocurrency exchange and online payment system. The platform also provided an illicit cryptocurrency exchange service for converting Bitcoin to Perfect Money and vice versa. The authorities seized the exchange platform as well.

Authorities reported that over 350,000 credentials were advertised for sale on the marketplace.

The victims belong to multiple industries; according to court documents, the platform also offered for sale access to at least one local government agency in Tampa. Many ransomware operations targeted victims of the marketplace, and some of the stolen credentials offered through E-Root were linked to stolen-identity tax fraud schemes.


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

UK Defence Secretary jet hit by an electronic warfare attack in Poland

15 March 2024 at 12:26

Russian hackers knocked out the GPS and communications of Defence Secretary Grant Shapps’ RAF Dassault Falcon 900 jet with an electronic warfare attack.

Defence Secretary Grant Shapps’ RAF Dassault Falcon 900 jet was flying back to the UK from Poland, where he had visited British troops taking part in Steadfast Defender. The UK defence chief confirmed his country’s complete support for Ukraine.

The Sun’s defence editor, who was on board the RAF Dassault Falcon 900 jet, reported that the GPS and communications were disabled by a jamming attack allegedly launched by Russia.

RAF pilots confirmed that the GPS and other signals were blocked for almost 30 minutes while Grant Shapps’ jet was flying near Kaliningrad, a Russian exclave bordering Poland.

If confirmed, an electronic warfare attack hit the jet but did not affect the safety of the aircraft.

According to British officials, Shapps’ plane was not the target of a surgical attack; instead, it was affected by large-scale Russian interference with satellite communications and signals, which can affect all aircraft and GPS devices.

[Image: electronic warfare jet RAF] (Source: The Sun)

“The Sun’s Defence Editor Jerome Starkey was onboard the RAF Dassault Falcon 900 at the time.” reads the article published by The SUN. “Shapps – a qualified pilot – was assured the electronic warfare attack did not affect the aircraft’s safety. He was flying back from Poland’s Szymany airport after visiting British troops taking part in Steadfast Defender, the largest Nato war games since the end of the Cold War.”

Steadfast Defender 2024 is NATO’s largest military exercise since the Cold War aimed at testing the alliance’s readiness and ability to defend itself across multiple domains. The exercise is held from January 22nd to May 31st, 2024.

It is a multi-domain exercise, meaning that participants are engaged in war operations across multiple environments, including land, air, sea, cyber, and space, and including cyberattacks on avionics systems.

The jamming is “wildly irresponsible,” a defence source told The Sun. “While the RAF are well prepared to deal with this, it still puts an unnecessary risk on civilian aircraft and could potentially endanger people’s lives. There is no excuse for this and it’s widely irresponsible on Russia’s part.”

Since the beginning of the Russian invasion of Ukraine, experts have reported multiple electronic warfare attacks in Eastern Europe [1, 2].

“The weapon has reportedly been jamming GPS technology on flights and ships across the eastern flank of Nato, causing severe disruption.” reported The Sun in February.

Western intelligence is aware of Russia’s electronic warfare capabilities located in Kaliningrad, which are used to target commercial airliners and sea vessels.

The Sun pointed out that RAF pilots were able to revert to alternative fail-safe systems.


Pierluigi Paganini

(SecurityAffairs – hacking, electronic warfare)
