
A TrickBot malware developer sentenced to 64 months in prison

26 January 2024 at 23:09

The Russian national malware developer Vladimir Dunaev was sentenced to more than 5 years in prison for his role in the TrickBot operation.

The Russian national Vladimir Dunaev (40) has been sentenced in the US to 64 months in prison for his role in the development and distribution of the TrickBot malware.

Vladimir Dunaev was extradited to the U.S. in October 2021.

Dunaev, also known as FFX, was involved in the development of a browser injection module for the Trickbot malware.

The man was arrested at the end of August 2021 at Seoul International Airport. He had been stuck in South Korea since February 2020 because of the COVID-19 lockdown imposed by the local government and the cancellation of international travel.

According to The Record, which first reported the news, the suspect had an ugly surprise once the travel restrictions were lifted: his passport had expired. Mr. A, the pseudonym used to identify the individual, was forced to stay in Seoul while waiting for a replacement passport from the local Russian embassy.

The Seoul High Court Criminal Division 20 (Chief Judge Jeong Seon-jae, Baek Suk-jong, Lee Jun-hyun) charged Mr. A with having been a developer for the TrickBot gang since 2016.

Dunaev pleaded guilty on November 30, 2023. He admitted to conspiring to engage in computer fraud and identity theft, as well as conspiring to commit wire fraud and bank fraud.

“Dunaev developed browser modifications and malicious tools that aided in credential harvesting and datamining from infected computers, facilitated and enhanced the remote access used by Trickbot actors, and created a program code to prevent the Trickbot malware from being detected by legitimate security software.” reads the press release published by DoJ. “During Dunaev’s participation in the scheme, 10 victims in the Northern District of Ohio, including Avon schools and a North Canton real-estate company, were defrauded of more than $3.4 million via ransomware deployed by Trickbot.”

TrickBot is a popular Windows banking Trojan that has been around since October 2016. Its authors have continuously upgraded it with new features, including powerful password-stealing capabilities. The malicious code has infected millions of computers worldwide.

TrickBot initially partnered with the Ryuk ransomware operation, which used it to obtain initial access to the networks compromised by the botnet. Ryuk was later replaced by the Conti ransomware gang, which used TrickBot for the same purpose.

In 2021, the Conti gang used TrickBot exclusively to achieve initial access to the networks of organizations worldwide.

Financial sanctions were imposed on numerous suspected Trickbot members by the Treasury Department’s Office of Foreign Assets Control (OFAC) in both February and September 2023.

“This case and subsequent sentencing sends a strong message to cybercriminals and other bad actors who target individuals and businesses with malicious intent,” said Special Agent in Charge Greg Nelsen of the FBI Cleveland Field Office. “The complexities of this case required careful coordination among our domestic and international partners and their commitment to meticulous investigative work. I am proud of the synchronized effort to see that justice was served.” 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Trickbot)

Participants earned more than $1.3M at the Pwn2Own Automotive competition

27 January 2024 at 10:40

Bug bounty hunters earned more than $1.3 million for hacking Teslas, infotainment systems, and electric vehicle chargers at the Pwn2Own Automotive competition.

The Zero Day Initiative’s Pwn2Own Automotive competition has ended. Participants demonstrated 49 zero-day vulnerabilities affecting automotive products, earning a total of $1,323,750.


The amazing Synacktiv team won the competition and earned a total of $450,000. The team demonstrated successful attacks against Tesla’s modem and the infotainment system.

The first ever #Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to @synacktiv, the Masters of Pwn! Stay with us here and at the ZDI blog as we prepare for Pwn2Own Vancouver in March. pic.twitter.com/ov2B1rtA8c

— Zero Day Initiative (@thezdi) January 26, 2024

Second place went to the team fuzzware.io with $177,500, followed by the team Midnight Blue/PHP Hooligans with $80,000.

The biggest payout was awarded to the team fuzzware.io that exploited a buffer overflow to hack the EMPORIA EV Charger Level 2. They earned $60,000 and 6 Master of Pwn Points.

Success! Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of https://t.co/ELqV0E3vQ5 used a buffer overflow to exploit the EMPORIA EV Charger Level 2. They earn $60,000 and 6 Master of Pwn Points. #Pwn2Own pic.twitter.com/H3BphVAlfy

— Zero Day Initiative (@thezdi) January 26, 2024

The team fuzzware.io also chained two flaws to hack the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known, so the attempt was classified as a bug collision. They earned $22,500 and 4.5 Master of Pwn Points.

The researcher Connor Ford of Nettitude demonstrated a stack-based buffer overflow to hack the JuiceBox 40 Smart EV Charging Station. He earned $30,000 and 6 Master of Pwn Points.

The full list of the exploits demonstrated on day three of PWN2OWN AUTOMOTIVE 2024 is available here.

https://www.zerodayinitiative.com/blog/2024/1/25/pwn2own-automotive-2024-day-three-results


(SecurityAffairs – hacking, Pwn2Own)

Pro-Ukraine hackers wiped 2 petabytes of data from Russian research center

27 January 2024 at 15:44

The Main Intelligence Directorate of Ukraine’s Ministry of Defense states that pro-Ukraine hackers wiped 2 petabytes of data from a Russian research center.

The Main Directorate of Intelligence of the Ministry of Defense of Ukraine revealed that pro-Ukraine hackers group “BO Team” wiped the database of the Far Eastern Scientific Research Center of Space Hydrometeorology “Planet.”

The Russian center processes data received from satellites and also provides relevant products to more than 50 state entities, including the Ministry of War, the General Staff and the services of the Ministry of Defense of the Russian Federation.

“Cyber volunteers-patriots from the group “BO Team” carried out the attack against the Far Eastern (the largest of the three) branch of NDC space hydrometeorology “planet”.” reads the press release published by Main Directorate of Intelligence of the Ministry of Defense of Ukraine. “The consequences are devastating.”

The hackers wiped 2 petabytes of data from 280 servers with serious consequences for the operations of the center.


The press release speculates that the financial losses for the Russian agency are at least $10 million.

The impact of the incident is devastating and is exacerbated by the sanctions against Russia, which complicate the replacement of hardware and software.

The cyberattack also impacted the air conditioning and humidification systems, and the emergency power supply of the center building.

“In general, dozens of strategic companies of the Russian Federation, which work for “defense” and play a key role in supporting the Russian occupation forces, will remain without critically important information and services for a long time.” concludes the press release.

The press release doesn’t include technical details about the attack. It is unclear how the BO Team breached the Russian Agency and if it used malware to wipe the data.

It is unclear if the cyber operation was supported by the Ukrainian intelligence.


(SecurityAffairs – Russian research center, Ukraine)

Security Affairs newsletter Round 456 by Pierluigi Paganini – INTERNATIONAL EDITION

28 January 2024 at 08:10

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Pro-Ukraine hackers wiped 2 petabytes of data from Russian research center
Participants earned more than $1.3M at the Pwn2Own Automotive competition
A TrickBot malware developer sentenced to 64 months in prison
Russian Midnight Blizzard APT is targeting orgs worldwide, Microsoft warns
Watch out, experts warn of a critical flaw in Jenkins
Pwn2Own Automotive 2024 Day 2 – Tesla hacked again
Yearly Intel Trend Review: The 2023 RedSense report
Cisco warns of a critical bug in Unified Communications products, patch it now!
Russia-linked APT group Midnight Blizzard hacked Hewlett Packard Enterprise (HPE)
CISA adds Atlassian Confluence Data Center bug to its Known Exploited Vulnerabilities catalog
5379 GitLab servers vulnerable to zero-click account takeover attacks
Experts released PoC exploit for Fortra GoAnywhere MFT flaw CVE-2024-0204
Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations
Splunk fixed high-severity flaw impacting Windows versions
Watch out, a new critical flaw affects Fortra GoAnywhere MFT
Australian government announced sanctions for Medibank hacker
LoanDepot data breach impacted roughly 16.6 individuals
Black Basta gang claims the hack of the UK water utility Southern Water
CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog
Mother of all breaches – a historic data leak reveals 26 billion records: check what’s exposed
Apple fixed actively exploited zero-day CVE-2024-23222
“My Slice”, an Italian adaptive phishing campaign
Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell
Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web
Backdoored pirated applications targets Apple macOS users
LockBit ransomware gang claims the attack on the sandwich chain Subway

Cybercrime

Dark web threats and dark market predictions for 2024  

Cybercriminals Leaked Massive Volumes Of Stolen PII Data From Thailand In Dark Web  

Update on ransomware attack in Sweden: Restoration work progressing at Tietoevry 

Russian National Sentenced for Involvement in Development and Deployment of Trickbot Malware  

Using Google Search to Find Software Can Be Risky  

Malware

Jamf Threat Labs discovers new malware embedded in pirated applications  

Apache ActiveMQ Vulnerability Leads to Stealthy Godzilla Webshell  

Outsmarting Ransomware’s New Playbook

Global ransomware threat expected to rise with AI, NCSC warns  

Hacking

Hacking Neural Networks  

Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing  

CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive

Over 5,300 GitLab servers exposed to zero-click account takeover attacks  

Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins  

In major gaffe, hacked Microsoft test account was assigned admin privileges  

PWN2OWN AUTOMOTIVE 2024 – DAY THREE RESULTS  

Intelligence and Information Warfare 

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach

Midnight Blizzard: Guidance for responders on nation-state attack

They destroyed the enemy “planet” – details of the cyber attack against the center of space hydrometeorology of the Russian Federation  

Russian War against Ukraine Lessons Learned Curriculum Guide  

N. Korea attempts to use generative AI for hacking attacks: spy agency

Cybersecurity

Is artificial intelligence the solution to cyber security threats?  

Apple fixes first zero-day bug exploited in attacks this year

Mother of all breaches – a historic data leak reveals 26 billion records: check what’s exposed

Cyber sanctions in response to Medibank Private cyber attack     

Fortra warns of new critical GoAnywhere MFT auth bypass, patch now

CrowdStrike CEO: Microsoft Explanation For Russia Hack Doesn’t Add Up  

Yearly Intel Trend Review: 2023  


(SecurityAffairs – hacking, newsletter)

Medusa ransomware attack hit Kansas City Area Transportation Authority

28 January 2024 at 14:19

Medusa ransomware gang claimed responsibility for the attack against the Kansas City Area Transportation Authority (KCATA).

On January 23, 2023, the Kansas City Area Transportation Authority (KCATA) suffered a ransomware attack.

The Kansas City Area Transportation Authority (KCATA) is a public transit agency in metropolitan Kansas City. It operates the Metro Area Express (MAX) bus rapid transit service in Kansas City, Missouri, and 78 local bus routes in seven counties of Missouri and Kansas.

As of 2022, the company reported an annual ridership of 10,572,100.

The company disclosed the attack on January 24. It immediately launched an investigation into the incident, notified the appropriate authorities, and hired external experts to restore the impacted systems.

“A ransom cyber-attack hit the KCATA early Tuesday, January 23. We have contacted all appropriate authorities including the FBI.” reads the notice published by the company.

The KCATA states that the incident is not affecting its services, including fixed-route buses, as well as the Freedom and Freedom-On-Demand paratransit services.

“The main customer impact is the inability to make calls to regional RideKC call centers, including any KCATA landline.” continues the notice. “KCATA is working around the clock with our outside cyber professionals and will have systems back up and running as soon as possible”

KCATA did not disclose specific information about the attack, including details about the ransomware family that compromised its systems or whether a data breach occurred.

Meanwhile, the Medusa ransomware gang claimed responsibility for the attack against KCATA.

The ransomware gang added the company to its Tor leak site and published samples of the alleged stolen data as proof of the data breach.

The ransomware gang threatens to release all the stolen data unless the company pays a $2 million ransom. The Medusa group also offers the victims the option to extend the deadline by paying $100,000/day.


(SecurityAffairs – Kansas City Area Transportation Authority, ransomware)

Multiple PoC exploits released for Jenkins flaw CVE-2024-23897

28 January 2024 at 18:25

Multiple proof-of-concept (PoC) exploits for recently disclosed critical Jenkins vulnerability CVE-2024-23897 have been released.

Researchers warn that several proof-of-concept (PoC) exploits targeting the recently disclosed critical Jenkins vulnerability, CVE-2024-23897, have been made public.

Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community. The automation server helps developers build, test and deploy their applications, and it has hundreds of thousands of active installations worldwide with more than 1 million users.

The maintainers of the open-source platform have addressed nine security vulnerabilities, including a critical flaw, tracked as CVE-2024-23897, that could lead to remote code execution (RCE). The vulnerability was reported by the researcher Yaniv Nizry from Sonar who wrote a detailed analysis of the issue.

Jenkins has a built-in command line interface (CLI) to access the platform from a script or shell environment. The open-source software uses the args4j library to parse CLI command arguments and options on the Jenkins controller. The parser has a feature (‘expandAtFiles’) that replaces the ‘@’ character followed by a file path in an argument with the content of that file. This feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it.

An attacker can abuse the default character encoding of the Jenkins controller process to read arbitrary files on the controller file system.

An attacker with “Overall/Read” permission can read entire files, while an attacker without it can read the first three lines of the files depending on the CLI commands.

The maintainers pointed out that exploiting this flaw makes it possible to read binary files containing cryptographic keys used for various Jenkins features, even with some limitations.
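A version-triage helper for the affected ranges stated above, as an added example (not Jenkins or Sonar code). It assumes the project's numbering convention (two-part numbers for weekly releases such as 2.441, three-part numbers for LTS releases such as 2.426.2); the inventory field for anonymous Overall/Read and all controller names are constructed.

```python
"""Version triage for CVE-2024-23897 (Jenkins CLI args4j '@file' expansion).

Encodes only what the advisory text states: expandAtFiles is enabled by
default in weekly releases 2.441 and earlier and LTS releases 2.426.2 and
earlier; an attacker without Overall/Read can read only the first three lines
of a file (depending on the CLI command), one with Overall/Read can read
entire files.

Assumption: weekly releases use two-part numbers (2.441) and LTS releases use
three-part numbers (2.426.2), which is the Jenkins project's convention.
"""
import re

# Last affected release on each line, taken from the advisory text.
LAST_AFFECTED_WEEKLY = (2, 441)
LAST_AFFECTED_LTS = (2, 426, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str):
    """Split a Jenkins version string into ('weekly'|'lts', numeric tuple).

    Raises ValueError for anything that is not a plain Jenkins version, so a
    banner such as 'n/a' or '2.441-SNAPSHOT' is never silently treated as fixed.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    major, minor, patch = m.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True when the controller runs a release that still enables expandAtFiles."""
    line, parts = parse_version(version)
    limit = LAST_AFFECTED_WEEKLY if line == "weekly" else LAST_AFFECTED_LTS
    return parts <= limit


def triage(version: str, anonymous_overall_read: bool) -> dict:
    """Summarise the exposure of one controller.

    anonymous_overall_read (assumed inventory field): whether unauthenticated
    users hold Overall/Read, which turns the partial read into a full-file read.
    """
    affected = is_affected(version)
    if not affected:
        impact = "none"
    elif anonymous_overall_read:
        impact = "unauthenticated full file read"
    else:
        impact = ("unauthenticated partial read (first three lines); "
                  "full read for users holding Overall/Read")
    return {"version": version, "affected": affected, "impact": impact}


def affected_controllers(inventory):
    """Filter an inventory of (name, version, anonymous_overall_read) tuples."""
    out = []
    for name, version, anon_read in inventory:
        try:
            result = triage(version, anon_read)
        except ValueError:
            # An unparseable version is reported for manual review, not skipped.
            result = {"version": version, "affected": True,
                      "impact": "unknown version, verify manually"}
        if result["affected"]:
            out.append((name, result))
    return out


# Constructed inventory for demonstration (names and settings are made up).
SAMPLE_INVENTORY = [
    ("ci-weekly", "2.441", False),
    ("ci-lts-old", "2.426.2", True),
    ("ci-lts-new", "2.426.3", True),
    ("ci-next-lts", "2.440.1", False),
    ("ci-unknown", "n/a", False),
]

if __name__ == "__main__":
    for name, result in affected_controllers(SAMPLE_INVENTORY):
        print(name, result)
```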

The popular cybersecurity researcher Florian Roth warned that a couple of weaponized PoC exploits have been released.

This vulnerability in #Jenkins is serious CVE-2024-23897

POCs have been published https://t.co/nGtbf8fehd https://t.co/pzY0NSL5bA

report by @SonarSource https://t.co/VNAUg2PDN8 pic.twitter.com/vbiWGmj47M

— Florian Roth (@cyb3rops) January 26, 2024

Critical CVE-2024-23897 in Jenkins allows unauthenticated attackers to partially leak files and authenticated attackers to leak entire files – which can lead to RCE in many cases!

Weaponized exploits are already published – https://t.co/j0Ko58YcI4

For remediation – https://t.co/8hCma88vGf

— JFrog Security (@JFrogSecurity) January 28, 2024

The researcher Germán Fernández warned of the risk of massive exploitation of the vulnerability: querying Shodan, he found more than 75,000 internet-facing instances.

🚨 CVE-2024-23897: Unauthenticated Arbitrary File Read vulnerability could lead to RCE on Jenkins servers.

▪ Exploits are already available. https://t.co/xreXZ88kIZ

— Germán Fernández (@1ZRR4H) January 26, 2024

The availability of “PoC exploits” will cause several threat actors to start exploiting the vulnerability in attacks in the wild.


(SecurityAffairs – hacking, Jenkins)

Ukraine’s SBU arrested a member of Pro-Russia hackers group ‘Cyber Army of Russia’

29 January 2024 at 08:04

Ukraine’s security service (SBU) detained an alleged member of the pro-Russia hacker group “the Cyber Army of Russia.”

Ukraine’s security service, the SBU, announced that it has identified and detained an alleged member of the pro-Russia hacker group known as the Cyber Army of Russia. The news was first reported by The Record Media. The hacktivist group is known for having launched DDoS attacks against Western organizations and Ukrainian government agencies. Ukrainian intelligence, however, speculates that the group’s operations are directly controlled by the Kremlin.

The SBU revealed that the man was living in the city of Kharkiv (Ukraine) and was recruited by Russian intelligence via Telegram.

Police searched the man’s apartment and seized three mobile phones, a laptop, and a flash drive containing information that would substantiate the allegations.

Apart from conducting DDoS attacks, the man is suspected of disclosing strategic information to Russian intelligence. The information secretly provided to Moscow includes military secrets such as the locations of Ukrainian troops and military weaponry in the country.

Russian military used this information to coordinate recent missile strikes. If found guilty, the man could face up to 12 years in prison.

In early December, Ukraine’s SBU announced they shut down two surveillance cameras that were allegedly hacked by the Russian intelligence services to spy on air defense forces and critical infrastructure in Kyiv.

The surveillance cameras were located in residential buildings and were used to monitor the surrounding area and a parking lot. Once the state-sponsored hackers compromised the cameras, they used them to spy on the air defense and critical infrastructure in the same area. The camera that monitored the parking lot was used to spy on the surrounding territory, including critical infrastructure facilities.

The hackers changed the viewing angle and connected the cameras to the YouTube streaming platform.

The footage was used by the Russian army to support the missile strike on Kyiv on January 2.

Since the beginning of the Russian invasion of Ukraine, the SBU has disabled about 10,000 IR cameras, which the Russian army could use to adjust missile attacks on Ukraine.

The SBU calls on owners of surveillance cameras to stop online broadcasts from their devices, and the agency also urges citizens to report any such camera footage they find.

In October 2023, the SBU detained a Ukrainian man who had installed cameras on the streets of his city and passed information on Ukrainian military movements to Russian intelligence.

In March 2022, the SBU arrested a hacker who provided technical support to Russian troops during the invasion, the man provided mobile communication services inside the Ukrainian territory.


(SecurityAffairs – hacking, SBU)

NSA buys internet browsing records from data brokers without a warrant

29 January 2024 at 13:34

The U.S. National Security Agency (NSA) admitted to buying internet browsing records from data brokers to monitor Americans’ activity online without a court order.

U.S. Senator Ron Wyden, D-Ore., released documents that confirmed the National Security Agency (NSA) buys Americans’ internet browsing records without a court order.

The data acquired by the intelligence agency can reveal the websites visited by US citizens and the apps they use. Wyden called on the US government to order intelligence agencies to stop buying Americans’ personal data that data brokers have obtained illegally.

The U.S. Senator pointed out that according to a recent FTC order, data brokers cannot sell Americans’ data without informed consent. 

Metadata on browsing activity, which includes information about the websites visited, timestamps, and duration of visits, can be abused for surveillance in several ways, privacy advocates warn.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence (DNI) Avril Haines today. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Senator Wyden urged the DNI to direct intelligence agencies to comply with recent FTC regulations by taking three steps:

  1. Conduct an inventory of personal data acquired by the agency concerning Americans: This inventory should encompass, but not be limited to, location and internet metadata.
  2. Evaluate each data source identified in the inventory to assess whether it meets FTC standards for legal personal data sales.
  3. Promptly eliminate any data purchases that do not meet FTC legal standards for personal data sales.

“According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to “government contractors for national security purposes.” I have conducted a broad probe of the data broker industry over the past seven years, and I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industrywide, and not limited to this particular data broker.” reads the letter sent to NSA and Defense Department. “The FTC’s order against X-Mode Social should serve as a much-needed wake-up call for the IC. The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal.”


(SecurityAffairs – hacking, NSA)

Experts detailed Microsoft Outlook flaw that can leak NTLM v2 hashed passwords

29 January 2024 at 18:26

A flaw in Microsoft Outlook can be exploited to access NTLM v2 hashed passwords by tricking users into opening a specially crafted file.

The vulnerability CVE-2023-35636 is an information disclosure issue in Microsoft Outlook that could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords.

NTLMv2, which stands for NT LAN Manager version 2, is an authentication protocol used in Microsoft Windows networks. It is an improvement over the original NTLM protocol and is designed to address some of its security vulnerabilities.

An attacker can trick the victims into clicking a link included in an email or instant message, and then convince them to open the specially crafted file. Alternatively, the malicious file can be hosted on a website under the control of the attackers.

Microsoft addressed the flaw CVE-2023-35636 (CVSS score: 6.5) with the release of the Patch Tuesday security updates for December 2023.

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.” reads the advisory published by the IT giant. “In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.”

The vulnerability was discovered by Dolev Taler with Varonis, who also published a technical analysis of the issue.

Taler explained that the issue abuses the calendar sharing function in Microsoft Outlook. By crafting a message with two added headers (“Content-Class” and “x-sharing-config-url”), it is possible to share content in a way that makes the victim’s client contact a designated machine, which can then intercept an NTLM v2 hash.

“Varonis Threat Labs discovered a new Outlook vulnerability (CVE-2023-35636) among three new ways to access NTLM v2 hashed passwords by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer.” wrote Taler. “With access to these passwords, attackers can attempt an offline brute-force attack or an authentication relay attack to compromise an account and gain access.”

Taler explained that the issue can be also exploited with Windows Performance Analyzer (WPA) and Windows File Explorer. The security patches don’t address the potential exploitation of this flaw in WPA and Windows File Explorer.
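A mail-gateway style check for the two headers named above, as an added example (not Varonis or Microsoft code). The allow-list of sharing hosts, the treatment of UNC paths, file:// and http:// URLs and unknown hosts as suspicious, the "Sharing" content-class value and all sample messages are constructed assumptions, not details from the article.

```python
"""Header check for mail that abuses Outlook calendar sharing (CVE-2023-35636):
a message carrying 'Content-Class' and 'x-sharing-config-url' headers whose
sharing URL points the client at a machine the sender controls.

Assumptions (not from the article): legitimate sharing URLs are https:// URLs
on one of ALLOWED_HOSTS; UNC paths, file:// and http:// URLs and unknown hosts
are treated as suspicious. All sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"outlook.office365.com", "outlook.office.com"}  # assumed allow-list
SUSPICIOUS = {"unc-path", "file-scheme", "cleartext-http", "unknown-host", "malformed"}


def classify_sharing_url(value: str) -> str:
    """Classify one x-sharing-config-url value."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):
        # A UNC target makes the client authenticate (NTLM) to that host.
        return "unc-path"
    parsed = urlparse(v)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        return "file-scheme"
    if scheme == "http":
        return "cleartext-http"
    if scheme != "https" or not parsed.hostname:
        return "malformed"
    if parsed.hostname.lower() not in ALLOWED_HOSTS:
        return "unknown-host"
    return "allowed"


def scan_message(raw: bytes) -> dict:
    """Return the sharing headers found in a raw RFC 5322 message and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    content_class = msg.get("Content-Class")
    sharing_url = msg.get("x-sharing-config-url")
    if sharing_url is None:
        return {"verdict": "no-sharing-headers",
                "content_class": str(content_class) if content_class else None,
                "url": None, "suspicious": False}
    verdict = classify_sharing_url(str(sharing_url))
    return {"verdict": verdict,
            "content_class": str(content_class) if content_class else None,
            "url": str(sharing_url), "suspicious": verdict in SUSPICIOUS}


def build_message(headers: dict, body: str = "Calendar invitation\r\n") -> bytes:
    """Assemble a minimal constructed message for the samples below."""
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return (head + "\r\n" + body).encode()


# Constructed samples; "Sharing" as the Content-Class value is an assumption.
SAMPLE_BENIGN = build_message({"From": "alice@example.test", "Subject": "Lunch"})
SAMPLE_OK = build_message({
    "From": "alice@example.test",
    "Content-Class": "Sharing",
    "x-sharing-config-url": "https://outlook.office365.com/owa/calendar/constructed.ics",
})
SAMPLE_UNC = build_message({
    "From": "mallory@example.test",
    "Content-Class": "Sharing",
    # constructed TEST-NET address standing in for an attacker-controlled host
    "x-sharing-config-url": r"\\203.0.113.5\calendar\invite.ics",
})


def flagged(messages) -> list:
    """Indices of messages that should be quarantined or reviewed."""
    return [i for i, raw in enumerate(messages) if scan_message(raw)["suspicious"]]


if __name__ == "__main__":
    for raw in (SAMPLE_BENIGN, SAMPLE_OK, SAMPLE_UNC):
        print(scan_message(raw))
```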

Below are some suggestions to protect organizations against NTLM v2 attacks:

  • Use the SMB signing feature, which protects SMB traffic from tampering and man-in-the-middle attacks by digitally signing every SMB message, so that any change to a signed message can be detected. SMB signing is turned on by default on Windows Server 2022 and later, and on Windows 11 Enterprise edition (starting with Insider Preview build 25381).
  • Block outgoing NTLM v2. Starting with Windows 11 (build 25951), Microsoft added the option to block outgoing NTLM authentication.
  • Force Kerberos authentication whenever possible and block NTLM v2 at both the network and the application level.


(SecurityAffairs – hacking, Microsoft Outlook)

Mercedes-Benz accidentally exposed sensitive data, including source code

29 January 2024 at 20:16

Researchers discovered that Mercedes-Benz accidentally left a private key online exposing internal data, including the company’s source code.

RedHunt Labs researchers discovered that Mercedes-Benz unintentionally left a private key accessible online, thereby exposing internal data, including the company’s source code. It’s unclear if the data leak exposed customer data.

RedHunt Labs shared its findings with TechCrunch and with the help of the media outlet notified the car maker. The security firm discovered that an authentication token belonging to a Mercedes employee was left exposed in a public GitHub repository. The discovery was made during a routine internet scan in January.

The disclosed token had the potential to provide unrestricted access to Mercedes’s GitHub Enterprise Server, enabling anyone to retrieve the company’s private source code repositories.

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, told TechCrunch. “The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information.”

Mittal presented TechCrunch with proof verifying the existence of Microsoft Azure and Amazon Web Services (AWS) credentials, a Postgres database, and Mercedes source code in

The exposed repositories included Microsoft Azure and Amazon Web Services (AWS) credentials, a Postgres database, and Mercedes source code.

Once Mercedes became aware of the data leak, it revoked the exposed token and removed the public repository.

TechCrunch disclosed the security issue to Mercedes on Monday. On Wednesday, Mercedes spokesperson Katja Liesenfeld confirmed that the company “revoked the respective API token and removed the public repository immediately.”

“We can confirm that internal source code was published on a public GitHub repository by human error,” Mercedes spokesperson Katja Liesenfeld told TechCrunch. “The security of our organization, products, and services is one of our top priorities.” “We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures.”


The investigation into the breach revealed that the token had been exposed online since late September 2023. However, it remains unclear whether other actors gained unauthorized access to the carmaker’s data.

“Mercedes declined to say whether it is aware of any third-party access to the exposed data or whether the company has the technical ability, such as access logs, to determine if there was any improper access to its data repositories. The spokesperson cited unspecified security reasons.” concludes TechCrunch.


(SecurityAffairs – hacking, Mercedes)

Cactus ransomware gang claims the Schneider Electric hack

30 January 2024 at 08:00

Energy management and industrial automation firm Schneider Electric suffered a data breach after a Cactus ransomware attack.

Schneider Electric is a multinational company that specializes in energy management, industrial automation, and digital transformation.

BleepingComputer first reported the attack that hit the Sustainability Business division of the company on January 17th. BleepingComputer contacted Schneider Electric which confirmed the data breach.

The attack was carried out by the Cactus ransomware gang, which claims to have stolen terabytes of corporate data from the company.

The attack impacted the services of Schneider Electric’s Resource Advisor cloud platform causing outages.

Schneider Electric said that other divisions of the company were not impacted by the cyber attack.

The company is working to restore the impacted systems and is investigating the incident with the help of leading cybersecurity firms.

The Cactus ransomware operation has been active since March 2023. Although the threat actors use a double-extortion model, their data leak site has yet to be discovered.

Kroll researchers reported that the ransomware strain stands out for its use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer, it also uses a modified variant of the open-source PSnmap Tool.

The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.

Once the malware has escalated the privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.

Cactus uses the Rclone tool for data exfiltration and used a PowerShell script called TotalExec, which was used in the past by BlackBasta ransomware operators, to automate the deployment of the encryption process.
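The tooling listed above (netscan, RMM clients, Chisel, a batch-driven antivirus uninstall, Rclone, TotalExec) is visible in process-creation telemetry, which is where a defender would hunt for it. The following rules are an added example written for this digest, not code from Security Affairs or Kroll; the event records are constructed to resemble simplified Windows Security 4688 / Sysmon event 1 data, and the hostnames, user names, paths and the product GUID are placeholders.

```python
"""Flag process-creation events that match the tooling the write-up attributes to Cactus.

Added example (not Security Affairs' or Kroll's code). The event records are
constructed to resemble simplified Windows Security 4688 / Sysmon EID 1 data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str            # path of the newly created process
    cmdline: str          # its logged command line
    parent_cmdline: str   # command line of the parent process


def _text(ev: ProcEvent) -> str:
    return f"{ev.image} {ev.cmdline}".lower()


def detect_cactus_ttps(events, approved_rmm=frozenset()):
    """Return (event, rule, rationale) triples; one triple per matching rule.

    approved_rmm: lower-case names of remote-access tools the organisation
    sanctions, so that only unexpected ones are reported.
    """
    findings = []
    for ev in events:
        t = _text(ev)
        if re.search(r"\bnetscan(?:\.exe)?\b", t):
            findings.append((ev, "netscan", "SoftPerfect Network Scanner: host/network discovery"))
        if re.search(r"\brclone(?:\.exe)?\b", t):
            findings.append((ev, "rclone", "Rclone: bulk copy to a remote, consistent with exfiltration"))
        if re.search(r"\bchisel(?:\.exe)?\b", t):
            findings.append((ev, "chisel", "Chisel: tunnelling proxy used in post-exploitation"))
        if "totalexec" in t:
            findings.append((ev, "totalexec", "TotalExec script: automated rollout of the encryptor"))
        m = re.search(r"\b(anydesk|splashtop|superops)\b", t)
        if m and m.group(1) not in approved_rmm:
            findings.append((ev, "rmm", f"{m.group(1)}: remote-access tool not on the approved list"))
        # Uninstall of security software driven from a batch file: the child is an
        # uninstaller (msiexec /x or a vendor *uninstall* binary) whose parent is a .bat.
        uninstaller = "uninstall" in t or ("msiexec" in t and "/x" in t)
        if uninstaller and ".bat" in ev.parent_cmdline.lower():
            findings.append((ev, "av_uninstall", "uninstaller launched from a batch script"))
    return findings


# Constructed sample events (hostnames, users, paths and GUID are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "alice", r"C:\Windows\System32\notepad.exe", "notepad.exe", "explorer.exe"),
    ProcEvent("ws01", "alice", r"C:\Users\Public\netscan.exe", "netscan.exe", "cmd.exe"),
    ProcEvent("srv02", "svc_backup", r"C:\ProgramData\rclone.exe",
              r"rclone.exe copy C:\Finance remote:share", "cmd.exe"),
    ProcEvent("ws01", "alice", r"C:\Users\Public\AnyDesk.exe", "AnyDesk.exe", "explorer.exe"),
    ProcEvent("srv02", "SYSTEM", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /x {PRODUCT-GUID-PLACEHOLDER} /qn", r"cmd.exe /c C:\Temp\cleanup.bat"),
    ProcEvent("srv02", "SYSTEM", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File TotalExec.ps1", "cmd.exe"),
]


def run_demo(approved_rmm=frozenset({"splashtop"})):
    """Run the rules over the sample data and return the list of rule names hit."""
    return [rule for _, rule, _ in detect_cactus_ttps(SAMPLE_EVENTS, approved_rmm)]


if __name__ == "__main__":
    for ev, rule, why in detect_cactus_ttps(SAMPLE_EVENTS, frozenset({"splashtop"})):
        print(f"[{rule}] {ev.host} {ev.user}: {ev.cmdline}  -- {why}")
```

The RMM rule is deliberately allow-listed rather than blocked outright, because the same products are legitimate in many environments; the value of the batch-uninstall rule comes from the parent/child relationship, not from the uninstaller name alone.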

In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.

(SecurityAffairs – hacking, Schneider Electric)

Hundreds of network operators’ credentials found circulating in Dark Web

30 January 2024 at 08:56

Hundreds of compromised credentials of customers of RIPE, APNIC, AFRINIC, and LACNIC are available on the dark web, Resecurity warns.

Resecurity conducted a thorough scan of the Dark Web and identified over 1,572 compromised customers of RIPE, Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC), resulting from infostealer infections. This figure also includes historical records and new artifacts identified in January 2024, following an analysis of Command and Control (C2) servers and underground marketplaces. Following a recent and highly disruptive cyberattack on telecom carrier Orange España, the cybersecurity community needs to rethink its approach to safeguarding the digital identity of staff involved in network engineering and IT infrastructure management.

Resecurity has notified victims whose credentials were compromised by infostealers like Azorult, Redline, Vidar, Lumma, and Taurus and exposed on the Dark Web. Based on the collected feedback, cybersecurity experts were able to build the following statistics:

  • 45% were not aware of the compromised credentials and, after notification, confirmed a successful password change and enabled 2FA;
  • 16% were already aware of the compromised credentials, as a result of an infection by malicious code, and had made the necessary password changes and enabled 2FA on their accounts;
  • 14% were aware of the compromised credentials but enabled 2FA only after notification (statement received);
  • 20% acknowledged the need for a deeper investigation of the incident behind the credential compromise; for example, some recipients confirmed that 2FA was enabled but did not know how and when the compromise had happened, or which other credentials (to other apps and systems) the password stealer could have exfiltrated from the victim;
  • 5% of recipients were unable to provide any feedback and/or were still identifying a relevant point of contact in their organization to review the issue.

As an example of compromised accounts, Resecurity outlined exposed access credentials belonging to a major data center and one of the largest vendors providing international-scale network telephony connectivity to governmental and national telecom providers in Africa. Other identified victims were associated with significant organizations, including:

  • Scientific research organization from Iran;
  • Major financial organization from Kenya;
  • One of the largest IT consulting firms in Azerbaijan, known for offering services like telecommunications, integrated network, and cloud solutions to enterprises and government entities;
  • A major financial organization in Spain;
  • One of the largest gambling providers in EU;
  • ICT technology provider based in Saudi Arabia;
  • An Israeli communications satellite operator;
  • A government agency from Iraq;
  • A not-for-profit Internet Exchange (IXP), established in Riffa, located in the Southern Governorate of Bahrain.

Significantly, most of the compromised network administrators used email addresses registered with free providers such as Gmail, GMX, and Yahoo. These details could be highly valuable to cyberespionage groups that are laser-focused on specific targets, such as network administrators and their circle of contacts. Acquiring information about their personal emails could lead to more sophisticated campaigns and enhance the likelihood of successful reconnaissance.

The actions of bad actors extend beyond simple credential theft. With access to network settings, they may alter existing configurations or introduce deceptive elements, potentially creating havoc on enterprise infrastructure. Such unauthorized modifications could lead to severe disruptions in service and security breaches, underscoring the critical need for heightened vigilance and robust security protocols in safeguarding digital assets.

The collected statistics may confirm that staff involved in network engineering and mission-critical IT management operations can also be victimized by malicious code. Their accounts, when compromised, have the potential to act as “low-hanging fruit” for massive cyberattacks.

Cybersecurity experts at Resecurity have highlighted the escalating risks stemming from the Dark Web, where malicious actors may exploit compromised credentials of ISP/Telco engineers, Data-Center Technicians, Network Engineers, IT Infrastructure Managers, and Outsourcing companies that manage networks for their enterprise clients. As such, this employee category represents a high-value target for sophisticated threat actors. Highlighting the risk landscape, Resecurity’s Dark Web analysis identified multiple compromised credentials belonging to network engineers that could grant threat actors access to gateways like: enterprise identity and access management (IAM), virtualization systems, various cloud providers, and backup and disaster recovery systems.

Additional information about the investigation conducted by Resecurity is available here:

https://www.resecurity.com/blog/article/hundreds-of-network-operators-credentials-found-circulating-in-dark-web

(SecurityAffairs – hacking, Dark web)

Juniper Networks released out-of-band updates to fix high-severity flaws

30 January 2024 at 15:08

Juniper Networks released out-of-band updates to fix high-severity flaws in SRX Series and EX Series that can allow attackers to take over unpatched systems.

Juniper Networks has released out-of-band updates to address two high-severity flaws, tracked as CVE-2024-21619 and CVE-2024-21620, in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.

The flaw CVE-2024-21619 (CVSS score: 5.3) is a Missing Authentication for Critical Function vulnerability. An unauthenticated, network-based attacker can chain this issue with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series to access sensitive system information.

“When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder.” reads the advisory. “An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device trying to guess the name of such a file. Successful exploitation will reveal configuration information.”

The flaw CVE-2024-21620 (CVSS score: 8.8) is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series. An attacker can trigger the flaw to craft a URL that when visited by another user enables the attacker to execute commands with the target’s permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives.

The vendor also addressed two other vulnerabilities respectively tracked as CVE-2023-36846 and CVE-2023-36851:

  • CVE-2023-36846 (CVSS score: 5.3) – A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
  • CVE-2023-36851 (CVSS score: 5.3) – A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. 

The vulnerability was reported by cybersecurity firm watchTowr. As a workaround, the company recommends disabling J-Web or limiting access to only trusted hosts.
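Until J-Web is disabled or restricted, both issues leave traces a defender can look for: the advisory describes CVE-2024-21619 as an attacker guessing file names under /cache, which shows up as a burst of distinct /cache/ requests from one client, and CVE-2024-21620 as a request that invokes emit_debug_note through webauth_operation.php. The script below is an added example, not Juniper's or watchTowr's code. J-Web's actual log format is not given in the advisory, so the sample lines are constructed in Common Log Format with RFC 5737 addresses; the query-parameter names are made up, and the rules key only on the path and method names the advisory itself mentions.

```python
"""Heuristics for the two J-Web issues over web-server access logs.

Added example, not Juniper's or watchTowr's code. The log lines are constructed
in Common Log Format because J-Web's real format is not in the advisory; the
rules key only on the /cache path and on webauth_operation.php / emit_debug_note.
Query-parameter names in the sample are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_log(lines):
    """Parse CLF-style lines into dicts; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        records.append(r)
    return records


def find_cache_enumeration(records, threshold=5, window=timedelta(minutes=5)):
    """CVE-2024-21619 heuristic: one client requesting many distinct /cache/ names in a short window.

    Returns {client_ip: max distinct /cache/ paths seen in any window} for clients
    at or above the threshold. A legitimate session touches one file; guessing
    names produces a burst of distinct paths, typically answered with 404.
    """
    per_ip = defaultdict(list)
    for r in records:
        if r["path"].startswith("/cache/"):
            per_ip[r["ip"]].append(r)
    hits = {}
    for ip, reqs in per_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reqs)):
            while reqs[end]["ts"] - reqs[start]["ts"] > window:
                start += 1
            distinct = len({r["path"] for r in reqs[start:end + 1]})
            if distinct >= threshold:
                hits[ip] = max(hits.get(ip, 0), distinct)
    return hits


def find_debug_note_requests(records):
    """CVE-2024-21620 heuristic: any request invoking emit_debug_note via webauth_operation.php."""
    return [r for r in records
            if "webauth_operation.php" in r["path"] and "emit_debug_note" in r["path"]]


# Constructed sample log (RFC 5737 documentation addresses; file names invented).
SAMPLE_LOG = [
    '198.51.100.4 - - [30/Jan/2024:09:58:10 +0000] "GET /cache/cfg-user-a1b2c3 HTTP/1.1" 200 4096',
    '198.51.100.4 - - [30/Jan/2024:09:58:11 +0000] "GET /static/app.js HTTP/1.1" 200 12000',
] + [
    f'203.0.113.7 - - [30/Jan/2024:10:00:{i:02d} +0000] "GET /cache/guess-{i:04d} HTTP/1.1" 404 0'
    for i in range(1, 7)
] + [
    '203.0.113.9 - - [30/Jan/2024:10:05:00 +0000] "GET /webauth_operation.php?op=emit_debug_note&msg=x HTTP/1.1" 200 310',
    'garbage line that should be skipped',
]


def run_demo():
    """Parse the sample log and return (enumeration hits, emit_debug_note requests)."""
    recs = parse_log(SAMPLE_LOG)
    return find_cache_enumeration(recs), find_debug_note_requests(recs)


if __name__ == "__main__":
    enum_hits, xss_hits = run_demo()
    for ip, n in enum_hits.items():
        print(f"possible /cache enumeration from {ip}: {n} distinct paths")
    for r in xss_hits:
        print(f"emit_debug_note invocation from {r['ip']}: {r['path']}")
```

The threshold and window are tunable: a single authenticated user reads its own cache file once, so even a low threshold rarely fires on legitimate traffic, and the window keeps slow enumeration from being split across alerts.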

(SecurityAffairs – hacking, Juniper Networks)

750 million Indian mobile subscribers’ data offered for sale on dark web

30 January 2024 at 19:24

Data of 750 million Indian mobile subscribers was offered for sale on dark web hacker forums earlier in January.

CloudSEK researchers warned that a database containing data of 750 million Indian mobile subscribers was offered for sale on dark web hacker forums earlier in January.

According to the researchers, at least two cybercrime gangs, CYBO CREW affiliates known as CyboDevil and UNIT8200, were offering the database for $3,000.

The database is 1.8TB in size and contains Indian mobile subscribers’ names, phone numbers, addresses, and Aadhaar details.

The cyber gangs claim to have “obtained the data through undisclosed asset work within law enforcement channels” rather than as a result of a leak from Indian telcos. CloudSEK told The Register that its initial investigation found that the leak affects all major telecom providers. “The leak of Personally Identifiable Information (PII) poses a huge risk to both individuals and organizations, potentially leading to financial losses, identity theft, reputational damage, and increased susceptibility to cyber attacks.”

CloudSEK notified relevant authorities and potentially impacted organizations.

The data leak exposes mobile subscribers to serious risks; the stolen data can be used to carry out a broad range of malicious activities against them, including financial fraud and identity theft.

(SecurityAffairs – hacking, dark web)

Italian data protection authority said that ChatGPT violated EU privacy laws

30 January 2024 at 20:24

The Italian data protection authority Garante said that ChatGPT violated European Union data privacy regulations.

The Italian data protection authority, known as “Garante per la protezione dei dati personali”, announced it has notified OpenAI that ChatGPT violated the EU data protection regulation GDPR.

In early April 2023, the Italian Data Protection Authority temporarily banned ChatGPT due to the illegal collection of personal data and the absence of systems for verifying the age of minors.

The Authority pointed out that OpenAI does not alert users that it is collecting their data.

At the time the privacy watchdog said that there is no legal basis underpinning the massive collection and processing of personal data to ‘train’ the algorithms on which the platform relies.

The Authority carried out some tests on the service and determined that the information it provides does not always match factual circumstances so inaccurate personal data are processed.

The Authority claimed that ChatGPT exposes minors to inappropriate responses for their age despite the service being designed to respond to users aged above 13.

At the time OpenAI declared it had fulfilled the demands of the Italian data protection authority by an April 30 deadline, for this reason, the ban on the chatbot was lifted.

“Following the temporary ban on processing imposed on OpenAI by the Garante on 30 March of last year, and based on the outcome of its fact-finding activity, the Italian DPA concluded that the available evidence pointed to the existence of breaches of the provisions contained in the EU GDPR.” reads the announcement published by the Italian Garante. “OpenAI may submit its counterclaims concerning the alleged breaches within 30 days.”

The Italian privacy watchdog, based on the results of its ‘fact-finding activity,’ has determined that the popular chatbot ChatGPT violated EU privacy rules.

The Italian authority has given OpenAI 30 days to respond to the allegations.

(SecurityAffairs – hacking, ChatGPT)

Root access vulnerability in GNU Library C (glibc) impacts many Linux distros

30 January 2024 at 22:47

Qualys researchers discovered a root access flaw, tracked as CVE-2023-6246, in GNU Library C (glibc) affecting multiple Linux distributions.

The Qualys Threat Research Unit discovered four security vulnerabilities in the GNU Library C (glibc), including a heap-based buffer overflow tracked as CVE-2023-6246.

GNU C Library (glibc) is a free software library that provides essential system services for Linux and other Unix-like operating systems.

The flaw resides in glibc’s syslog function; an attacker can exploit it to gain root access through privilege escalation.

The vulnerability was introduced in glibc 2.37 in August 2022.

“We discovered a heap-based buffer overflow in the GNU C Library’s __vsyslog_internal() function, which is called by both syslog() and vsyslog().” reads the advisory published by Qualys. “This vulnerability was introduced in glibc 2.37 (in August 2022) by the following commit: https://sourceware.org/git?p=glibc.git;a=commit;h=52a5be0df411ef3ff45c10c7c308cb92993d15b1 and was also backported to glibc 2.36 because this commit was a fix for another, minor vulnerability in __vsyslog_internal() (CVE-2022-39046, an “uninitialized memory [read] from the heap”).”

The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these logging functions. 

The researchers pointed out that glibc is present in the vast majority of Linux operating system distributions. Qualys tested the vulnerability across Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.

The other issues discovered by Qualys are:

  • A qsort vulnerability due to a missing bounds check that can lead to memory corruption. It has been present in all versions of glibc since 1992.
  • The two remaining flaws are an off-by-one heap buffer overflow tracked as CVE-2023-6779 and an integer overflow issue tracked as CVE-2023-6780.

More details are available in the post published by Saeed Abbasi, Product Manager, Qualys Threat Research Unit.
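The first question an administrator asks after reading the advisory is whether the local glibc falls in the range it describes (affected code introduced in 2.37 and backported to 2.36). The helper below is an added example, not Qualys’ or the glibc project’s code: it parses the version from `getconf GNU_LIBC_VERSION` or `ldd --version` output and classifies it against that range. It only classifies the upstream version; whether a given build already carries the distribution’s fix has to be checked against that distribution’s advisory, because vendor patches do not change the reported upstream version.

```python
"""Triage helper for CVE-2023-6246: report the local glibc version against the
range the Qualys advisory describes (code introduced in 2.37, backported to 2.36).

Added example, not Qualys' or the glibc project's code. It classifies only the
upstream version; the distribution advisory remains authoritative for whether a
given package build carries the fix.
"""
import re
import subprocess

INTRODUCED = (2, 36)   # earliest upstream release carrying the affected code, per the advisory


def parse_glibc_version(text):
    """Return (major, minor) from `getconf GNU_LIBC_VERSION` or `ldd --version` output.

    Handles e.g. "glibc 2.37", "ldd (GNU libc) 2.38" and
    "ldd (Ubuntu GLIBC 2.37-0ubuntu2.1) 2.37"; the upstream version is the last
    x.y token on the first line, after any vendor package string.
    """
    first = text.strip().splitlines()[0] if text.strip() else ""
    m = re.search(r"(\d+)\.(\d+)\s*$", first)
    if not m:
        raise ValueError(f"no glibc version found in: {first!r}")
    return int(m.group(1)), int(m.group(2))


def classify(version):
    """Map an upstream version to a triage verdict string."""
    if version < INTRODUCED:
        return "predates the introducing commit (unless your vendor backported it)"
    return "carries the affected code upstream: verify the vendor patch for CVE-2023-6246"


def local_glibc_version():
    """Read the running system's glibc version; tries getconf first, then ldd."""
    for cmd in (["getconf", "GNU_LIBC_VERSION"], ["ldd", "--version"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
            return parse_glibc_version(out)
        except (OSError, subprocess.CalledProcessError, ValueError):
            continue
    raise RuntimeError("could not determine glibc version")


if __name__ == "__main__":
    v = local_glibc_version()
    print(f"glibc {v[0]}.{v[1]}: {classify(v)}")
```

On a fleet, run the same check through whatever inventory tool already collects package versions and compare the package build against the distribution’s fixed version, since the verdict for any version from 2.36 upward is “check the vendor patch”, not “vulnerable”.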

(SecurityAffairs – hacking, glibc)

Data leak at fintech giant Direct Trading Technologies

31 January 2024 at 08:50

Sensitive data and trading activity of over 300K traders leaked online by international fintech firm Direct Trading Technologies.

Direct Trading Technologies, an international fintech company, jeopardized over 300K traders by leaking their sensitive data and trading activity, thereby putting them at risk of an account takeover.

On October 27th, the Cybernews research team discovered a misconfigured web server with backups and development code references allegedly belonging to the fintech company Direct Trading Technologies.

Direct Trading Technologies (DTT) is an international fintech company offering trading platforms for stocks, forex, precious metals, energies, indices, Contracts for Difference (CFDs), and cryptocurrencies. Also, DTT offers white-label services for fintech solutions.

Directory listing. Source: Cybernews

While the main clientele is based in Saudi Arabia, the company has offices in the UK, Lithuania, UAE, Kuwait, Colombia, Turkey, Bahrain, Lebanon, and the Republic of Vanuatu.

The discovered directory included multiple database backups, each holding a significant amount of sensitive information about the company’s users and partners. The leak poses a variety of risks, ranging from identity theft to the takeover and cashing-out of traders’ accounts.

Cybernews contacted the company with our findings. While the problem was fixed, an official response from the company has yet to be received.

Account data. Source: Cybernews

Sensitive data leaked

The leaked data included the trading activity of over 300,000 users spanning the past six years, along with names, email addresses, emails sent by the company, and IP addresses.

Leaked emails. Source: Cybernews

Users holding the company’s email addresses, potentially the employees, had their passwords exposed in plaintext. Hashed passwords to access user accounts on the DTT trading platform were also leaked. Some clients had their home addresses, phone numbers, and partial credit card details exposed.

Full list of leaked data

  • Trading account activity
  • Contents of emails sent by DTT
  • User IP addresses, emails, usernames, and plaintext passwords
  • Notes on outreach calls
  • Names
  • Email addresses
  • Phone numbers
  • Home addresses
  • Hashed passwords
  • Database endpoints and plaintext credentials of white-label customers (endpoints were protected by IP whitelists)
  • Locations where KYC documents are stored, filenames, types, expiration dates, and other metadata

While Know Your Customer (KYC) documents were not exposed, the leaked files revealed the locations where the documents are stored and other metadata.

The credentials of clients using the white-label service were exposed in plaintext, along with details of database locations and negotiated commission percentages.

The leaked data also contained internal comments from the company’s outreach team regarding the calls they made. The file shows that some clients are called “idiots” in the company’s system.
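Two of the exposed fields above, plaintext staff passwords and password hashes for trading accounts, illustrate the difference between storage that a backup leak turns into immediate account takeover and storage that only exposes a slow offline guessing target. The code below is an added example for this digest, not Direct Trading Technologies’ or Cybernews’ code, showing salted, memory-hard password storage with nothing beyond the Python standard library (hashlib.scrypt, available when Python is built against OpenSSL 1.1 or later); the record format “scrypt$N$r$p$salt$hash” is this example’s own convention.

```python
"""Salted, memory-hard password storage with the standard library, as the
alternative to the plaintext and unsalted storage a backup leak exposes.

Added example, not Direct Trading Technologies' or Cybernews' code. Uses
hashlib.scrypt (needs Python built against OpenSSL 1.1+); the record format
"scrypt$N$r$p$salt$hash" is this example's own convention.
"""
import base64
import hashlib
import hmac
import os

# Work factors: scrypt uses 128 * N * r bytes (16 MiB here); raise N as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str) -> str:
    """Derive a hash under a fresh random salt; the record carries its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison against a stored record; malformed records fail closed."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        # covers bad base64, non-numeric parameters and scrypt rejecting absurd N/r
        return False
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the record uses weaker parameters (or a legacy format) than current policy."""
    try:
        algo, n, r, p, _, _ = record.split("$")
    except ValueError:
        return True
    return algo != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def login(stored_record: str, supplied_password: str):
    """Verify a login and transparently upgrade weak or legacy records on success.

    Returns (ok, new_record_or_None); the caller persists new_record when present.
    """
    if not verify_password(supplied_password, stored_record):
        return False, None
    if needs_rehash(stored_record):
        return True, hash_password(supplied_password)
    return True, None
```

Because each record embeds its own parameters, work factors can be raised over time and old records upgraded at the user’s next successful login; a legacy plaintext value never verifies, so migrating such a column means forcing a reset rather than rehashing in place.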

Outreach team’s comments. Source: Cybernews

Potential takeover of financial accounts

With the fintech industry experiencing rapid growth, this leak stands as a clear reminder of the critical role of robust cybersecurity measures. Fintech companies manage and store exceptionally sensitive customer data.

Users’ data. Source: Cybernews

Traders are prime targets for threat actors because their accounts hold significant value. If you want to know more about the risks for traders, take a look at the original post:

Original post: https://cybernews.com/security/direct-trading-technologies-data-leak/

About the author: Paulina Okunytė, Journalist at CyberNews

(SecurityAffairs – hacking, fintech)

Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware

31 January 2024 at 11:45

Threat actors are exploiting recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) VPN devices to deliver KrustyLoader.

In early January 2024, software firm Ivanti reported that threat actors were exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

Researchers from cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting the above vulnerabilities.

The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

The company is providing mitigation and confirmed it is working on the development of a security patch.

Volexity researchers observed threat actors actively exploiting the two zero-days in the wild. In December 2023, Volexity investigated an attack where an attacker was placing webshells on multiple internal and external-facing web servers.

The researchers also reported that the threat actor tracked as UTA0178 (aka UNC5221) is actively exploiting the vulnerabilities against exposed devices.

Targets span the globe and include both small businesses and large organizations. The list of targets includes multiple Fortune 500 companies operating in various industry sectors, such as:

  • Global government and military departments
  • National telecommunications companies
  • Defense contractors
  • Technology firms
  • Banking, finance, and accounting institutions
  • Worldwide consulting services
  • Aerospace, aviation, and engineering entities

After being publicly disclosed, multiple threat actors started exploiting these vulnerabilities to deploy XMRig cryptocurrency miners and Rust-based malware.

Synacktiv researchers noticed that threat actors used the KrustyLoader as a loader to download a Golang-based Sliver backdoor from a remote server and execute it.

“Based on my observations, all the samples download a Sliver (Golang) backdoor, though from different URLs.” reads the report published by Synacktiv. “The Sliver backdoors contact their C2 server using HTTP/HTTPS communication. Sliver is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command and control framework.”

Sliver is a post-exploitation framework that is gaining notoriety in the hacking underground as an alternative to the Cobalt Strike framework.

The choice of using Rust language for the development of KrustyLoader introduces additional challenges in obtaining a comprehensive understanding of malware behavior.

The experts published the Yara rule for the detection of similar KrustyLoader samples.

“Rust payloads detected by Volexity team turn out to be pretty interesting Sliver downloaders as they were executed on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. KrustyLoader – as I dubbed it – performs specific checks in order to run only if conditions are met.” concludes the report. “The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior. A script as well as a Yara rule are publicly available to help detection and extraction of indicators.”

(SecurityAffairs – hacking, KrustyLoader)

Ivanti warns of a new actively exploited zero-day

31 January 2024 at 14:37

Ivanti warns of two new vulnerabilities in its Connect Secure and Policy Secure products, one of which is actively exploited in the wild.

Ivanti is warning of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

The second flaw CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.

The company also warns that the situation is still evolving and that multiple threat actors can rapidly adapt their tactics, techniques, and procedures to exploit these issues in their campaigns.

“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.

“Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”

The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as temporary workarounds to address CVE-2024-21888 and CVE-2024-21893.

In early January 2024, software firm Ivanti reported that threat actors were exploiting other two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

Today, researchers from cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting the above vulnerabilities.

(SecurityAffairs – hacking, zero-day CVE-2024-21893)

CISA adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog

31 January 2024 at 19:03

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apple improper authentication bug, tracked as CVE-2022-48618, to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability can allow an attacker with arbitrary read and write capability to bypass Pointer Authentication.

The IT giant addressed the issue with improved checks. The flaw is fixed in macOS Ventura 13.1, watchOS 9.2, iOS 16.2 and iPadOS 16.2, tvOS 16.2.

Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1.

“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1.” reads the advisory.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 21, 2024.

(SecurityAffairs – CISA, Apple)

Crooks stole around $112 million worth of XRP from Ripple’s co-founder

31 January 2024 at 21:05

Crooks stole around $112 million worth of Ripple XRP from the crypto wallet of Ripple’s co-founder Chris Larsen.

This week, crooks stole around $112 million worth of the Ripple-focused cryptocurrency XRP from a crypto wallet belonging to Ripple’s co-founder and executive chairman Chris Larsen.

Larsen pointed out that the hackers compromised his personal XRP accounts, while the @Ripple was not impacted.

Yesterday, there was unauthorized access to a few of my personal XRP accounts (not @Ripple) – we were quickly able to catch the problem and notify exchanges to freeze the affected addresses. Law enforcement is already involved. https://t.co/T3HtKSlzLg

— Chris Larsen (@chrislarsensf) January 31, 2024

Larsen revealed that his company was able to quickly detect the fraudulent activity and freeze the affected addresses with the support of other exchanges. Ripple’s co-founder immediately notified law enforcement.

“Larsen wrote the post less than an hour after the well-known crypto security researcher ZachXBT broke news of the hack.” states TechCrunch, which first reported the news.

The crypto expert ZachXBT first discovered the hack and reported that the crooks attempted to launder the stolen funds through multiple crypto exchanges and platforms, including MEXC, Gate, Binance, Kraken, OKX, HTX, and HitBTC.

TechCrunch highlighted that it is impossible to determine whether the compromised account actually belongs to Ripple.

The post includes an analysis of the hacked wallet through on-chain data from XRPScan and attempts to shed light on its link with Larsen’s account.

However, a Ripple spokesperson confirmed that Ripple was not impacted.

(SecurityAffairs – hacking, XRP)

Police seized 50,000 Bitcoin from operator of the now-defunct piracy site movie2k

1 February 2024 at 07:18

German police seized 50,000 Bitcoin from the former operator of the now-defunct piracy website movie2k.to.

The police in Saxony, Germany, have seized 50,000 Bitcoin (more than $2.1 billion at the current exchange rate) from the former operator of the now-defunct piracy site movie2k.

“This is the most extensive security of Bitcoins by law enforcement authorities in the Federal Republic of Germany to date.” reads the press release published by the German police.

The man voluntarily transferred the crypto funds to wallets under the control of the German authorities.

The seizure is the result of an investigation conducted by the Dresden General Prosecutor’s Office, the Saxony State Criminal Police Office and the tax investigation unit of the Leipzig II Tax Office, working together as the Saxony Integrated Investigation Unit (INES).

The investigation was also supported by the Federal Criminal Police Office (BKA), the FBI and a Munich forensic IT expert company.

According to German media, one of the two operators was also involved in the operations of the site mega-downloads.net. 

Movie2k was a platform involved in the unauthorized distribution of copyrighted movies, TV shows, and other media content. It was operating between 2008 and 2013. In 2013, the Motion Picture Association of America (MPAA) shut down the website due to concerns related to copyright infringement.

Widely favored among pirates, Movie2k provided an extensive array of content along with user-friendly streaming and download features. Additionally, the website fostered a substantial community of users who actively shared links to pirated content.

The investigation conducted by the German authorities led to the identification of two operators of the popular platform, a 40-year-old German national and a Polish 37-year-old.

The duo purchased a substantial amount of Bitcoin with the proceeds obtained from subscriptions and advertising through the platform.


Pierluigi Paganini

(SecurityAffairs – cybercrime, movie2k)

Multiple malware used in attacks exploiting Ivanti VPN flaws

1 February 2024 at 10:53

Mandiant spotted new malware used by a China-linked threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices.

Mandiant researchers discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

The attackers were observed exploiting CVE-2023-46805 and CVE-2024-21887 to execute arbitrary commands on the unpatched Ivanti devices.

The cybersecurity firm reported that threat actors are employing the malware in post-exploitation activity, likely performed through automated methods.

Mandiant recently observed a mitigation bypass technique used to deploy a custom web shell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024.

Mandiant assesses that the mitigation-bypass activity is highly targeted and limited, and that it differs from the mass exploitation observed after the disclosure of the Ivanti flaws.

Other malware employed in the attacks includes a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE, and the FRAMESTING web shell.

Mandiant also completed its analysis of another malware family employed in the attacks, the ZIPLINE passive backdoor, identifying a feature that allows the backdoor to authenticate the custom protocol it uses to establish C2.

Mandiant also reported that threat actors employed several open-source tools to facilitate post-exploitation activities on Ivanti CS appliances. The tools were used to perform internal network reconnaissance, lateral movement, and data exfiltration within a restricted number of victim environments.

Some of the open-source utilities used by the threat actors include Impacket, CrackMapExec, iodine, and Enum4linux.

“Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories. As noted in our previous blog post, UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors.” concludes Mandiant.

Ivanti also warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions, tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The company said that CVE-2024-21893 is already under targeted exploitation in the wild.

The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges. CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure, Policy Secure and Neurons for ZTA that allows an attacker to access certain restricted resources without authentication.


Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti)

CISA orders federal agencies to disconnect Ivanti VPN instances by February 2

1 February 2024 at 19:46

CISA is ordering federal agencies to disconnect Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

For the first time since its establishment, CISA is ordering federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

The CISA’s emergency directive orders to disconnect all instances no later than 11:59PM on Friday February 2, 2024.

“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.” reads the directive.

    The government agency recommends continuing to look for indicators of compromise on any systems connected to—or recently connected to—the affected Ivanti device.

CISA also ordered agencies to monitor any authentication or identity management services that could be exposed, to isolate the affected systems from enterprise resources to the greatest degree possible, and to continue auditing privilege-level access accounts.

    “To bring a product back into service, agencies are required to perform the following actions:

    1. Export configuration settings.
    2. Complete a factory reset per Ivanti’s instructions.
    3. Rebuild the device per Ivanti’s instructions AND upgrade to one of the following supported software versions through Ivanti’s download portal (there is no cost to upgrade): 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, 9.1R17.2.”
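Step 3 of the directive only accepts a device back onto the network if it runs one of the five listed builds. The following is an added example, not part of the CISA directive or any Ivanti tooling, of how an incident responder might triage an appliance inventory against that list. It parses Ivanti's `major.minorRrelease.patch` version strings and makes one assumption the directive does not state: a higher patch level on a listed release train (for example 9.1R18.4 after 9.1R18.3) is treated as fixed, while any version on a train that is not listed at all is treated as requiring disconnection. The inventory is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Versions the CISA directive quoted above lists as acceptable after a rebuild.
SUPPORTED_VERSIONS = ("9.1R18.3", "22.4R2.2", "22.5R1.1", "9.1R14.4", "9.1R17.2")

# Ivanti version strings look like "9.1R18.3" or "22.3R1":
# major.minor, the letter R, the release number and an optional .patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '9.1R18.3' into (9, 1, 18, 3); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_supported(version: str) -> bool:
    """True if the version is a listed release or a later patch on the same train.

    Assumption (not stated in the directive): a higher patch level on a listed
    train, e.g. 9.1R18.4 after 9.1R18.3, also carries the fix, while a train that
    is not listed at all (e.g. 9.1R16.x or 22.3R1) does not.
    """
    major, minor, release, patch = parse_version(version)
    for ok in SUPPORTED_VERSIONS:
        ok_major, ok_minor, ok_release, ok_patch = parse_version(ok)
        same_train = (major, minor, release) == (ok_major, ok_minor, ok_release)
        if same_train and patch >= ok_patch:
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {hostname: version} inventory into hosts that may stay connected
    and hosts that must be disconnected and rebuilt per the directive."""
    result: Dict[str, List[str]] = {"ok": [], "disconnect": []}
    for host, version in sorted(inventory.items()):
        result["ok" if is_supported(version) else "disconnect"].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for illustration.
    sample = {
        "vpn-hq-1": "9.1R18.3",
        "vpn-hq-2": "9.1R18.2",
        "vpn-dc-1": "22.4R2.2",
        "vpn-dc-2": "22.3R1",
        "vpn-lab": "22.5R1.1",
    }
    print(triage(sample))
```

A version match alone is not evidence of a clean device: the directive requires the factory reset and rebuild first, because a compromised appliance that is merely upgraded in place can keep the web shells described above.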

Ivanti recently warned of four zero-days, three of which are actively exploited in the wild.

    In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

    The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

    The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

    An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

    “If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

    This week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

    The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

The second flaw, CVE-2024-21893, is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An attacker can exploit the issue to access certain restricted resources without authentication.

The company also warns that the situation is still evolving and that multiple threat actors can rapidly adapt their tactics, techniques, and procedures to exploit these issues in their campaigns.

    “At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.

    “Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”

The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as a temporary workaround for CVE-2024-21888 and CVE-2024-21893.

Mandiant researchers recently discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices. The malware is used in post-exploitation activity, likely performed through automated methods, and includes a custom web shell tracked as BUSHWALK, which was deployed through a technique that bypasses the initial mitigation Ivanti released on Jan. 10, 2024. Mandiant assesses that this mitigation-bypass activity is highly targeted and limited, unlike the mass exploitation seen after the flaws were disclosed.

Other malware employed in the attacks includes a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE, and the FRAMESTING web shell.


    Pierluigi Paganini

    (SecurityAffairs – hacking, IVANTI)

    Man sentenced to six years in prison for stealing millions in cryptocurrency via SIM swapping

    1 February 2024 at 22:40

    A US man has been sentenced to federal prison for his role in a fraudulent scheme that resulted in the theft of millions of dollars through SIM swapping.

Daniel James Junk (22) of Portland was sentenced to 72 months in federal prison for his role in a scheme that used SIM swapping to steal millions of dollars in cryptocurrency.

In a SIM swapping attack, the fraudster tricks mobile operator employees into porting the victim’s phone number to a SIM card under the attacker’s control. Once the number has been hijacked, the attacker receives the victim’s calls and SMS messages and can use them to reset passwords, bypass SMS-based two-factor authentication on online services, including financial ones and cryptocurrency exchanges, take over social media accounts, and steal money, cryptocurrency and personal information.

Junk was also sentenced to three years of supervised release and ordered to pay more than $3 million in restitution to his victims.

    Based on court documents, between December 2019 and March 2022, Junk participated in a fraud scheme to steal funds from the cryptocurrency exchange accounts of his victims.

    “Junk actively participated in an online SIM-swapping community where various individuals would partner with one another to play different roles needed to successfully execute a SIM swap scam.” reads the press release published by DoJ. “Throughout his involvement in such schemes, Junk performed some aspects of all the required roles including finding victims to target through breached databases or other exploits, porting victim phone numbers to devices controlled by members of the fraud conspiracy, and physically possessing the phone used for the “swap.” Junk and members of his online community also coordinated with one another to plan and carry out various in-person crimes including attempting to steal a 90-year-old victim’s cell phone and committing fraud at cellular telephone stores.”

    On March 3, 2022, the FBI executed a federal search warrant on Junk’s apartment and seized his electronic equipment. The seized computer had an active browser showing that Junk was attempting to illegally access accounts belonging to other people when the FBI arrived at his residence. The FBI seized more than 71 bitcoins worth approximately $3 million. Two months later, Junk turned over an extra 33 bitcoins, valued at around $1 million.

    In early January 2024, while awaiting sentencing, Junk was found to possess additional evidence of fraud. The FBI found lists of victims and approximately 25,000 compromised email addresses. “On January 10, 2024, Junk’s release was revoked, and he was ordered into custody pending sentencing.”


    Pierluigi Paganini

    (SecurityAffairs – hacking, SIM SWAPPING)

    3.5M exposed in COVID-19 e-passport leak

    1 February 2024 at 23:11

    Passports, mobile numbers, and email addresses of Indian travelers who requested COVID e-pass have been leaked, 3.5M individuals at risk of identity theft.

During the pandemic, due to an increase in the number of people with COVID-19, Tamil Nadu, the southernmost state in India with a population of 79 million, made a COVID e-pass mandatory.

    This meant that all inter-zone travelers needed to apply for it online and enter a great deal of their personally identifiable information (PII).

    Unfortunately, at least 3.5 million people’s sensitive details were exposed to the public, a recent investigation by the Cybernews research team shows. While the data comes from the peak of the pandemic (2020-2021), exposed people are still at risk of identity theft and other malicious activities.

Cybernews discovered the unprotected data during a routine investigation. The culprit was an open S3 bucket that held over 3.5 million records. Our researchers assess that the data was being leaked by a third-party service provider. We disclosed our findings to the relevant parties following our responsible disclosure procedure, and at the time of writing the dataset has been secured.

    COVID-19 data leak India

    The leaking data includes:

    • Name
    • Passport number and/or copy
    • Gender
    • Mobile number and email address
    • Travel details and reasons for traveling (people had to specify due to travel restrictions during the pandemic)
    • Vehicle numbers

    We’ve contacted the Tamil Nadu government, as well as the third-party service providers that we suspect to be behind the leak, for an on-the-record comment but have yet to receive any kind of reply.
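The root cause above is a bucket left readable by anyone on the internet. As an added example that is not part of the Cybernews investigation and says nothing about how this particular bucket was configured, the Python below shows the check a cloud security engineer would run on a bucket's configuration: it flags bucket-policy statements that grant access to an anonymous principal, shows the corrected policy beside the weak one, and combines the result with the account's S3 Block Public Access settings, which override a public policy when all four are enabled. The bucket name, account ID and role name are placeholders; the example assumes the exposure came from a bucket policy, so a public object ACL (the other common cause) would need a separate check.

```python
from typing import Any, Dict, List

# Constructed bucket policy modelled on the weak setting: anonymous read of
# every object. Bucket name and account ID are placeholders, not real resources.
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::epass-uploads-example/*",
        }
    ],
}

# Corrected policy: only a named role in the owning account may read objects.
FIXED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackendReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/epass-backend"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::epass-uploads-example/*",
        }
    ],
}

# The four S3 Block Public Access settings, all enabled.
BPA_ALL_ON = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True for the wildcard principals that grant access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements that grant access to an anonymous principal with no
    Condition. Statements with a Condition are skipped here: they may still be
    public (e.g. a permissive aws:Referer check), so review those by hand."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({"Sid": stmt.get("Sid"), "Action": _as_list(stmt.get("Action"))})
    return findings


def block_public_access_complete(config: Dict[str, Any]) -> bool:
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(key) is True for key in BPA_ALL_ON)


def assess(policy: Dict[str, Any], bpa_config: Dict[str, Any]) -> Dict[str, Any]:
    """Combine both checks: a public policy is only reachable from the internet
    when Block Public Access does not override it."""
    findings = public_statements(policy)
    bpa_on = block_public_access_complete(bpa_config)
    return {
        "public_statements": findings,
        "block_public_access": bpa_on,
        "exposed": bool(findings) and not bpa_on,
    }


if __name__ == "__main__":
    print(assess(WEAK_POLICY, {}))           # public policy, nothing blocking it
    print(assess(WEAK_POLICY, BPA_ALL_ON))   # public policy overridden by BPA
    print(assess(FIXED_POLICY, BPA_ALL_ON))  # clean
```

In a real account the two inputs come from `get-bucket-policy` and `get-public-access-block`; the point of checking both is that a third-party provider can ship a correct-looking policy and still expose data if the account-level block is off and someone later loosens the policy.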

    If you want to learn more about the risk for users due to this data leak, take a look at the original post at:

    https://cybernews.com/security/indian-covid-passport-data-leak/

    About the author: Jurgita Lapienytė, Chief Editor at CyberNews


    Pierluigi Paganini

    (SecurityAffairs – hacking, COVID-19)

    PurpleFox malware infected at least 2,000 computers in Ukraine

    2 February 2024 at 09:35

    The Computer Emergency Response Team in Ukraine (CERT-UA) reported that a PurpleFox malware campaign had already infected at least 2,000 computers in the country.

    The Computer Emergency Response Team in Ukraine (CERT-UA) is warning about a malware campaign that has infected at least 2,000 computers in the country with the PurpleFox malware (aka ‘DirtyMoe‘).

“The Government Computer Emergency Response Team of Ukraine CERT-UA, guided by Clause 1 of Article 9 of the Law of Ukraine “On the Basic Principles of Ensuring Cyber Security of Ukraine”, took measures to provide practical assistance to a state-owned enterprise due to the massive damage to the organization’s computers by the malicious program DIRTYMOE (PURPLEFOX).” reads the alert published by CERT-UA. “As part of a detailed study of the cyber threat, a study of the received samples of malicious programs was conducted, the peculiarities of the functioning of the management server infrastructure were established, and more than 2,000 affected computers were identified in the Ukrainian segment of the Internet.”

In June 2021, researchers from Avast warned of the rapid growth of the DirtyMoe botnet (aka PurpleFox, Perkiler, and NuggetPhantom), which went from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Experts described DirtyMoe as a complex malware designed as a modular system.

    The Windows botnet has been active since late 2017, it was mainly used to mine cryptocurrency, but it was also involved in DDoS attacks in 2018. The DirtyMoe rootkit was delivered via malspam campaigns or served by malicious sites hosting the PurpleFox exploit kit that triggers vulnerabilities in Internet Explorer, such as the CVE-2020-0674 scripting engine memory corruption vulnerability.

    DirtyMoe

    The operations behind the DirtyMoe botnet rapidly changed since the end of 2020, when the malware authors added a worm module that could increase their activity by spreading via the internet to other Windows systems.

CERT-UA tracks the activity as UAC-0027 and shared technical details about the ongoing campaign because the rootkit makes removing the DIRTYMOE components difficult.

    In the attacks observed by the Ukrainian authorities, the infection chain relies on MSI installers to deploy the PurpleFox malware.

    PurpleFox malware

    The malware uses exploits for known vulnerabilities and password brute-forcing attacks for self-propagation.

    Between January 20 and January 31, 2024, CERT-UA identified 486 IP addresses associated with intermediate control servers. The majority of these addresses are linked to (compromised) equipment located in China. Approximately 20 new IP addresses are added daily.

    The alert includes indicators of compromise and guidance to remove the malware from the infected systems.
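The useful part of the alert for a defender is the list of intermediate control-server addresses, which CERT-UA says grows by roughly 20 entries a day. The following is an added example, not code from CERT-UA or from the alert, of the matching logic a SOC would run over firewall or proxy logs to find hosts beaconing to those servers. The log lines and the indicator addresses are constructed (the indicators use RFC 5737 documentation ranges and must be replaced with the alert's real IOC list); the key=value log format is an assumption, and the code accepts both single addresses and CIDR ranges so that a daily-refreshed list can be dropped in unchanged.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed placeholder indicators (RFC 5737 documentation ranges), NOT the
# addresses from the CERT-UA alert; replace with the alert's IOC list.
IOC_IPS = {"203.0.113.10", "203.0.113.77", "198.51.100.5"}

# Constructed firewall log lines in a syslog-style key=value format.
SAMPLE_LOGS = [
    "2024-01-25T10:01:12Z fw1 action=allow src=10.0.5.21 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-01-25T10:01:15Z fw1 action=allow src=10.0.5.21 dst=93.184.216.34 dport=443 proto=tcp",
    "2024-01-25T10:02:40Z fw1 action=allow src=10.0.7.8 dst=198.51.100.5 dport=8080 proto=tcp",
    "2024-01-25T10:03:01Z fw1 action=deny src=10.0.5.21 dst=203.0.113.77 dport=443 proto=tcp",
    "2024-01-25T10:03:30Z fw1 action=allow src=10.0.9.3 dst=10.0.0.1 dport=53 proto=udp",
]

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; the leading timestamp goes under 'ts'."""
    fields = dict(_KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def load_iocs(entries: Iterable[str]) -> Tuple[Set[ipaddress._BaseAddress], List[ipaddress._BaseNetwork]]:
    """Accept single IPs or CIDR ranges; exact addresses go in a set for O(1) lookup."""
    ips: Set[ipaddress._BaseAddress] = set()
    nets: List[ipaddress._BaseNetwork] = []
    for entry in entries:
        if "/" in entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
        else:
            ips.add(ipaddress.ip_address(entry))
    return ips, nets


def is_ioc(dst: str, ips: Set[ipaddress._BaseAddress], nets: List[ipaddress._BaseNetwork]) -> bool:
    addr = ipaddress.ip_address(dst)
    return addr in ips or any(addr in n for n in nets)


def find_infected_hosts(lines: Iterable[str], iocs: Iterable[str]) -> Dict[str, List[Dict[str, str]]]:
    """Map each internal source IP to the log events in which it contacted an IOC.

    Denied connections are kept on purpose: a blocked beacon still means the
    source host is infected and needs the removal steps from the alert."""
    ips, nets = load_iocs(iocs)
    hits: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if "dst" in ev and "src" in ev and is_ioc(ev["dst"], ips, nets):
            hits[ev["src"]].append(ev)
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_infected_hosts(SAMPLE_LOGS, IOC_IPS).items():
        print(host, [(e["ts"], e["dst"], e["action"]) for e in events])
```

Because the control-server list is made largely of compromised third-party equipment that churns daily, treat a single hit as a lead for host triage rather than proof on its own, and re-run the match whenever the alert's list is refreshed.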


    Pierluigi Paganini

    (SecurityAffairs – hacking, PurpleFox malware)

    Cloudflare breached on Thanksgiving Day, but the attack was promptly contained

    2 February 2024 at 10:45

    Cloudflare revealed that a nation-state actor breached its internal Atlassian server, gaining access to the internal wiki and its bug database (Atlassian Jira).

Cloudflare detected the intrusion on Thanksgiving Day, November 23, 2023, and immediately began an investigation with the help of CrowdStrike. The company pointed out that no customer data or systems were impacted by this security breach.

    Cloudflare disclosed today that its internal Atlassian server was breached by a suspected ‘nation-state attacker’ who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.

    The nation-state actor first gained access to the company’s Atlassian server on November 14 and then accessed the Confluence and Jira systems.

    “From November 14 to 17, a threat actor did reconnaissance and then accessed our internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira). On November 20 and 21, we saw additional access indicating they may have come back to test access to ensure they had connectivity.” reads the blog post published by the company. “They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”

The threat actor also tried to reach a console server in a new Cloudflare data center in São Paulo that was not yet in production, but all attempts failed.

The investigation revealed that the attackers used one access token and three service account credentials that had been stolen during the Okta compromise of October 2023. Cloudflare admitted that it had failed to rotate these credentials after that incident.

    The company locked out the threat actor on November 24 and CrowdStrike confirmed that the threat was completely eradicated.

    To prevent the attacker from using the obtained technical information, Cloudflare rotated every production credential (more than 5,000 individual credentials), physically segmented test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in its global network including all the systems that were accessed by the intruders.
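The lesson in this incident is the four credentials that were missed after the Okta compromise, and the answer was to rotate everything rather than guess. As an added example that is not Cloudflare's code and uses an invented inventory and an assumed exposure window (the dates are illustrative, not taken from Cloudflare's or Okta's disclosures), the Python below shows the audit that would have caught them: every credential that existed before the exposure window closed and has not been rotated since must be rotated, and rotating inside the window does not count because the replacement could have been captured too. It also separates out credentials created while the attacker had access, since those may have been minted for persistence and need revocation rather than rotation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str               # e.g. "access_token" or "service_account"
    created: datetime
    last_rotated: datetime  # same as `created` if it has never been rotated


def _utc(day: str) -> datetime:
    """Parse 'YYYY-MM-DD' as a UTC midnight timestamp."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Assumed exposure window for the upstream identity-provider compromise; the
# dates are illustrative and not taken from any disclosure.
WINDOW_START = _utc("2023-10-01")
WINDOW_END = _utc("2023-10-20")

# Constructed inventory; names and dates are made up for illustration.
INVENTORY = [
    Credential("jira-sa", "service_account", _utc("2023-03-10"), _utc("2023-03-10")),
    Credential("wiki-token", "access_token", _utc("2023-06-01"), _utc("2023-10-15")),
    Credential("ci-deploy-key", "service_account", _utc("2023-05-20"), _utc("2023-10-25")),
    Credential("new-after", "access_token", _utc("2023-11-01"), _utc("2023-11-01")),
    Credential("odd-sa", "service_account", _utc("2023-10-12"), _utc("2023-10-12")),
]


def needs_rotation(cred: Credential, window_end: datetime) -> bool:
    """A credential must be rotated if it existed before the exposure window closed
    and has not been rotated since. Rotating *inside* the window does not count:
    the replacement value could have been captured as well."""
    existed_before_close = cred.created <= window_end
    rotated_after_close = cred.last_rotated > window_end
    return existed_before_close and not rotated_after_close


def created_during_window(cred: Credential, window_start: datetime, window_end: datetime) -> bool:
    """Credentials minted while the attacker had access deserve a separate look:
    they may have been created by the attacker for persistence rather than by staff."""
    return window_start <= cred.created <= window_end


def audit(inventory: Iterable[Credential], window_start: datetime, window_end: datetime) -> Dict[str, List[str]]:
    """Return the names to rotate and the names whose origin must be reviewed."""
    creds = list(inventory)
    return {
        "rotate": sorted(c.name for c in creds if needs_rotation(c, window_end)),
        "review_origin": sorted(c.name for c in creds if created_during_window(c, window_start, window_end)),
    }


if __name__ == "__main__":
    print(audit(INVENTORY, WINDOW_START, WINDOW_END))
```

The check is only as good as the inventory: the credentials Cloudflare missed were ones it believed were unused, so the inventory has to come from the secret store and the consuming systems, not from a list maintained by hand.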

    “This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner. The efforts we have taken ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future.” concludes the report.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Okta)

    Ex CIA employee Joshua Adam Schulte sentenced to 40 years in prison

    2 February 2024 at 14:49

    A former software engineer with the U.S. CIA has been sentenced to 40 years in prison for leaking classified documents.

    Former CIA employee Joshua Adam Schulte has been sentenced to 40 years in prison for passing classified documents to WikiLeaks and for possessing child pornographic material.

    “Damian Williams, the United States Attorney for the Southern District of New York; Matthew G. Olsen, the Assistant Attorney General for National Security; and James Smith, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced today that JOSHUA ADAM SCHULTE was sentenced to 40 years in prison by U.S. District Judge Jesse M. Furman for crimes of espionage, computer hacking, contempt of Court, making false statements to the FBI, and child pornography.” reads the press release published by DoJ. “SCHULTE’s theft is the largest data breach in the history of the CIA, and his transmission of that stolen information to WikiLeaks is one of the largest unauthorized disclosures of classified information in the history of the U.S.”

    In July 2022, Schulte was found guilty in a New York federal court of stealing the agency’s hacking tools and leaking them to WikiLeaks in 2017.

The huge trove of data, called “Vault 7,” exposed the hacking capabilities of the US intelligence agency and its internal infrastructure. The archive includes confidential information, malicious code, and exploits specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

    The hacking tools developed by the US cyber spies can target mobile devices, desktop computers, and IoT devices such as routers and smart TVs.

The arsenal used by the Central Intelligence Agency hackers was composed of hacking tools developed by the Engineering Development Group (EDG) of the CIA’s Center for Cyber Intelligence (CCI).

The developers at EDG are tasked with developing and testing any kind of malicious code, including implants, backdoors, exploits, Trojans and viruses. The CIA has dozens of zero-day exploits in its arsenal that can be used to target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.

In mid-May 2018, both The New York Times and The Washington Post revealed the name of the alleged source of the Vault 7 leak, the man who passed the secret documents to WikiLeaks. According to his LinkedIn profile, Schulte worked for the NSA for five months in 2010 as a systems engineer; he then joined the CIA as a software engineer and left the agency in November 2016.

Schulte had been identified as a suspect within days of WikiLeaks starting to publish the dumps.

    Schulte was arrested for possession of child pornography, he was charged with three counts of receipt, possession and transportation of child pornography in August 2017.

    The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.

In November 2018, Joshua Adam Schulte faced new charges in a superseding indictment filed in Manhattan federal court: he was charged with the unlawful transmission and attempted unlawful transmission of national defense information from prison.

In February 2020, during his first trial in Manhattan federal court, the lawyers of the former CIA employee asked the court for a mistrial, claiming that prosecutors had withheld evidence that could exonerate their client.

While SCHULTE was in jail, he obtained access to contraband cell phones and used them to create anonymous, encrypted email and social media accounts. SCHULTE also attempted to use these devices to transmit protected discovery materials to WikiLeaks.

In March 2017, during a search of SCHULTE’s apartment in New York, the FBI found multiple computers, servers, and other electronic storage devices, including SCHULTE’s personal desktop computer (the “Desktop Computer”), which SCHULTE built while living in Virginia and then transported to New York in November 2016. The desktop computer contained tens of thousands of videos and images of child sexual abuse material, including approximately 3,400 images and videos of disturbing and horrific child pornography and the rape and sexual abuse of children as young as two years old, as well as images of bestiality and sadomasochism. Schulte stockpiled these disturbing materials while he was serving at the CIA and continued to collect child pornography from the dark web and Russian websites after moving to New York.

    On September 13, 2023, SCHULTE was also found guilty at trial on charges of receiving, possessing, and transporting child pornography.

    “Today, Joshua Schulte was rightly punished not only for his betrayal of our country, but for his substantial possession of horrific child pornographic material.  The severity of his actions is evident, and the sentence imposed reflects the magnitude of the disturbing and harmful threat posed by his criminal conduct.” FBI Assistant Director in Charge James Smith said: “The FBI will not yield in our efforts to bring to justice anyone who endangers innocent children or threatens our national security.”


    Pierluigi Paganini

    (SecurityAffairs – hacking, Joshua Adam Schulte)
