Security Affairs

iShutdown lightweight method allows to discover spyware infections on iPhones

18 January 2024 at 06:31

Researchers devised a “lightweight method,” called iShutdown, to determine whether Apple iOS devices have been infected with spyware.

Cybersecurity researchers from Kaspersky have identified a “lightweight method,” called iShutdown, to identify the presence of spyware on Apple iOS devices. The method allows discovery of stealthy and powerful surveillance software like NSO Group’s Pegasus, Intellexa’s Predator and QuaDream’s Reign.

The researchers focused on an unexpected system log, Shutdown.log, which is present on every iOS device. The analysis revealed that the infections left traces in Shutdown.log, a text-based file in which iOS records every reboot event along with various environment details.

The experts noticed log entries relating to processes that prevented a normal reboot.

“When a user initiates a reboot, the operating system attempts to gracefully terminate running processes before rebooting. If a “client” process is still running when the reboot activity begins, it is logged with its process identifier (PID) and corresponding filesystem path.” reads the analysis published by Kaspersky. “The log entry notes that these processes prevented a normal reboot and that the system is waiting for them to terminate.”

The researchers pointed out that retrieving the Shutdown.log file is easy and allows for time savings compared to other forensic techniques. The log file is stored in a sysdiagnose (sysdiag) archive.

The experts identified entries in the Shutdown.log file that logged instances where “sticky” processes, such as those associated with the spyware, were delaying the reboot.

The analysis of the infections also revealed other similarities such as the path associated with malware execution (“/private/var/db/”).

“Comparing the Shutdown.log for the Pegasus infections we analyzed and the artifacts for the Reign path above, we noticed other similarities with such infections. Malware execution originating from “/private/var/db/” seems to be consistent across all the infections we’ve seen, even if the process names are different.” continues the report. “This is also true for another mobile malware family, Predator, where a similar path, “/private/var/tmp/”, is often used.”

Kaspersky researchers have created a set of Python3 scripts that automate the analysis of the Shutdown.log file. According to Kaspersky, as a prerequisite the user needs to generate a sysdiag dump and extract the archive to the analysis machine.

“In conclusion, we’ve analyzed and confirmed the reliability of detecting a Pegasus malware infection using the Shutdown.log artifact stored in a sysdiag archive. The lightweight nature of this method makes it readily available and accessible. Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries. Again, this is not a silver bullet that can detect all malware, and this method relies on the user rebooting the phone as often as possible.” concludes Kaspersky. “We’ll continue to analyze the Shutdown.log file in more detail and on different platforms. We expect to be able to create more heuristics from the entries in it.”
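As an added example (not Kaspersky’s published scripts), the following Python triage reads a Shutdown.log extracted from a sysdiagnose archive, counts reboots, and flags “sticky” processes whose path sits under the directories the report associates with these infections. The “SIGTERM:” reboot marker, the “remaining client pid: N (path)” line shape and the sample log are all assumptions constructed for the example.

```python
"""Triage an iOS Shutdown.log for processes that delayed a reboot.

Added example, not Kaspersky's iShutdown scripts. It assumes a "SIGTERM:"
line per reboot and "remaining client pid: <pid> (<path>)" lines for the
processes that blocked it; adjust the regexes if your extracted log differs.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Directories the report names as the execution origin of Pegasus/Reign
# (/private/var/db/) and Predator (/private/var/tmp/) processes.
SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Assumed line formats (see module docstring).
REBOOT_RE = re.compile(r"^SIGTERM:")
CLIENT_RE = re.compile(r"remaining client pid:\s*(?P<pid>\d+)\s*\((?P<path>[^)]+)\)")

Entry = Tuple[int, int, str]  # (reboot number, pid, path)


@dataclass
class ShutdownFindings:
    reboots: int = 0
    sticky: List[Entry] = field(default_factory=list)      # every process that delayed a reboot
    suspicious: List[Entry] = field(default_factory=list)  # those from a spyware-associated directory


def analyze_shutdown_log(text: str) -> ShutdownFindings:
    """Walk the log once; count reboots and collect processes that blocked them."""
    findings = ShutdownFindings()
    for line in text.splitlines():
        if REBOOT_RE.match(line):
            findings.reboots += 1
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        entry = (findings.reboots, int(m.group("pid")), m.group("path"))
        findings.sticky.append(entry)
        if entry[2].startswith(SUSPICIOUS_PREFIXES):
            findings.suspicious.append(entry)
    return findings


def path_frequency(findings: ShutdownFindings) -> Dict[str, int]:
    """How many reboots each sticky path delayed. A binary in a writable data
    directory that keeps blocking reboots over months is the pattern worth
    escalating; a one-off system daemon usually is not."""
    return dict(Counter(path for _, _, path in findings.sticky))


# Constructed sample: three reboots; a made-up binary under /private/var/db/
# delays two of them. Real logs can span years, as the report notes.
SAMPLE_LOG = """\
SIGTERM: [0x1]
After 3s, there are still 1 proc(s) running:
remaining client pid: 122 (/usr/libexec/backupd)
SIGTERM: [0x2]
After 3s, there are still 2 proc(s) running:
remaining client pid: 133 (/private/var/db/com.example.staging/helper)
remaining client pid: 140 (/usr/libexec/backupd)
SIGTERM: [0x3]
After 3s, there are still 1 proc(s) running:
remaining client pid: 97 (/private/var/db/com.example.staging/helper)
"""


def main(argv: List[str]) -> None:
    # Pass the path of an extracted Shutdown.log; with no argument the sample is used.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    f = analyze_shutdown_log(text)
    print(f"reboots logged: {f.reboots}, sticky entries: {len(f.sticky)}")
    for reboot, pid, path in f.suspicious:
        print(f"  reboot #{reboot}: pid {pid} {path}  <-- spyware-associated directory")
    for path, n in sorted(path_frequency(f).items(), key=lambda kv: -kv[1]):
        print(f"  {n:3d}x {path}")


if __name__ == "__main__":
    main(sys.argv)
```

The check only sees reboots that actually happened, which is the limitation the report itself points out.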

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, iShutdown)

PixieFail: Nine flaws in UEFI open-source reference implementation could have severe impacts

18 January 2024 at 11:46

Experts found multiple flaws, collectively named PixieFail, in the network protocol stack of an open-source reference implementation of the UEFI.

Quarkslab researchers discovered nine vulnerabilities, collectively tracked as PixieFAIL, affecting the IPv6 network protocol stack of EDK II, TianoCore’s open source reference implementation of UEFI.

Unified Extensible Firmware Interface (UEFI) is a specification that defines the architecture of the platform firmware used for booting the computer hardware and its interface for interaction with the operating system. Examples of firmware that implement the specification are AMI Aptio, Phoenix SecureCore, TianoCore EDK II and InsydeH2O.

The researchers discovered the vulnerabilities while analyzing NetworkPkg, Tianocore’s EDK II PXE implementation. The severity and potential for exploitation of these flaws vary based on the particular firmware build and the default PXE boot configuration.

PixieFail issues can be exploited to achieve remote code execution, leak sensitive information, and carry out denial-of-service (DoS) and network session hijacking attacks.

NetworkPkg is a set of modules that implements networking capabilities within the UEFI environment. The NetworkPkg in UEFI may include modules that facilitate the initialization and management of network-related functions during the pre-boot phase. This can involve protocols for interacting with network devices, such as the Preboot eXecution Environment (PXE) protocol used for network booting.

“In order to boot from the network, a client system must be able to locate, download, and execute code that sets up, configures, and runs the operating system. This is usually done in several stages, starting with a minimal program that is downloaded from a network server using a simple protocol, such as TFTP, which then downloads and runs a second booting stage or the full operating system image.” reads the advisory. “To locate this minimal program, called Network Bootstrap Program (NBP), the PXE client relies on a DHCP server to both obtain the configuration parameters to configure its network interface with a valid IP address and to receive a list of Boot Servers to query for the NBP file. Since the DHCP server must provide such a list and other special parameters, the PXE client has to send some mandatory PXE-related DHCP Options, consequently, the DHCP server must be “PXE enabled”, i.e. configured appropriately to recognize PXE client options and to reply with the proper DHCP server options.”

Below is the list of PixieFAIL flaws discovered by the experts:

  • CVE-2023-45229 – Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
  • CVE-2023-45230 – Buffer overflow in the DHCPv6 client via a long Server ID option
  • CVE-2023-45231 – Out-of-bounds read when handling a ND Redirect message with truncated options
  • CVE-2023-45232 – Infinite loop when parsing unknown options in the Destination Options header
  • CVE-2023-45233 – Infinite loop when parsing a PadN option in the Destination Options header
  • CVE-2023-45234 – Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
  • CVE-2023-45235 – Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
  • CVE-2023-45236 – Predictable TCP Initial Sequence Numbers
  • CVE-2023-45237 – Use of a weak pseudorandom number generator
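The list above groups into two parsing mistakes a pre-boot network stack can make: trusting a declared option length against what is actually left in the packet, and option loops that can fail to advance. As an added example that is not EDK II code, this Python parser for IPv6 Destination Options (RFC 8200) and DHCPv6 options (RFC 8415) shows the checks a hardened implementation makes; the SERVERID_MAX buffer size and the test packets are constructed assumptions.

```python
"""Bounds-checked option parsing for the two formats the PixieFAIL list names.

Added example, not EDK II code. The layouts are the public ones (RFC 8200
Destination Options, RFC 8415 DHCPv6 options); SERVERID_MAX is a constructed
stand-in for whatever fixed buffer a client copies the Server ID into.
"""
import struct
from typing import List, Tuple

Option = Tuple[int, bytes]

# IPv6 Destination Options (RFC 8200 s4.6): Pad1 is a single 0x00 byte with
# no length field; every other option is type, length, data.
PAD1, PADN = 0, 1

# DHCPv6 (RFC 8415): 2-byte code, 2-byte length. IA_NA carries IAID+T1+T2
# (12 bytes) and IA_TA carries IAID (4 bytes) before any nested options.
OPTION_SERVERID, OPTION_IA_NA, OPTION_IA_TA = 2, 3, 4
IA_NA_FIXED, IA_TA_FIXED = 12, 4
SERVERID_MAX = 128  # constructed: size of the receiving buffer


def parse_dest_options(area: bytes) -> List[Option]:
    """Return the non-padding options in a Destination Options area.

    Two properties rule out the bug classes in the list: the offset grows on
    every iteration (Pad1 by 1, everything else by 2 + length, even when
    length is 0), and a declared length is checked against the bytes left
    before any data is read."""
    opts: List[Option] = []
    i, n = 0, len(area)
    while i < n:
        otype = area[i]
        if otype == PAD1:
            i += 1
            continue
        if n - i < 2:
            raise ValueError("option type byte without length byte")
        olen = area[i + 1]
        if olen > n - i - 2:
            raise ValueError(f"option {otype} declares {olen} bytes, {n - i - 2} remain")
        if otype != PADN:
            opts.append((otype, area[i + 2:i + 2 + olen]))
        i += 2 + olen
    return opts


def parse_dest_options_header(hdr: bytes) -> Tuple[int, List[Option], int]:
    """Parse a whole header: returns (next header, options, bytes consumed)."""
    if len(hdr) < 2:
        raise ValueError("header shorter than its fixed fields")
    next_hdr, ext_len = hdr[0], hdr[1]
    total = (ext_len + 1) * 8  # Hdr Ext Len excludes the first 8 octets
    if len(hdr) < total:
        raise ValueError("Hdr Ext Len claims more bytes than the packet carries")
    return next_hdr, parse_dest_options(hdr[2:total]), total


def parse_dhcpv6_options(buf: bytes) -> List[Option]:
    """Parse DHCPv6 options, validating the fixed fields of IA_NA/IA_TA
    before computing the nested option length (the subtraction that wraps
    when done unchecked in unsigned arithmetic)."""
    opts: List[Option] = []
    i, n = 0, len(buf)
    while i < n:
        if n - i < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, i)
        # Compare, never subtract: n - i - 4 - length would wrap in C.
        if length > n - i - 4:
            raise ValueError(f"option {code} declares {length} bytes, {n - i - 4} remain")
        data = buf[i + 4:i + 4 + length]
        if code == OPTION_IA_NA:
            if length < IA_NA_FIXED:
                raise ValueError("IA_NA shorter than IAID/T1/T2")
            parse_dhcpv6_options(data[IA_NA_FIXED:])  # nested options, same rules
        elif code == OPTION_IA_TA:
            if length < IA_TA_FIXED:
                raise ValueError("IA_TA shorter than IAID")
            parse_dhcpv6_options(data[IA_TA_FIXED:])
        elif code == OPTION_SERVERID and length > SERVERID_MAX:
            raise ValueError("Server ID larger than the receiving buffer")
        opts.append((code, data))
        i += 4 + length
    return opts
```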

The CERT Coordination Center (CERT/CC) also published an advisory about these vulnerabilities.

“An attacker within the local network (and, in certain scenarios remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.” states CERT/CC.

CERT/CC also published Vulnerability Note VU#132380 with a comprehensive list of affected vendors, and guidance to mitigate the issues.


Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)

Google TAG warns that Russian COLDRIVER APT is using a custom backdoor

18 January 2024 at 14:47

Google warns that the Russia-linked threat actor COLDRIVER is expanding its targeting and developing custom malware.

The ColdRiver APT (aka “Seaborgium“, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

Google TAG researchers warn that COLDRIVER is evolving tactics, techniques and procedures (TTPs), to improve its detection evasion capabilities.

Recently, TAG has observed COLDRIVER delivering custom malware via phishing campaigns using PDFs as lure documents. Google experts uncovered and disrupted these attacks by adding all known domains and hashes to Safe Browsing blocklists.

In November 2022, TAG spotted COLDRIVER sending targets benign PDF documents from impersonation accounts. The lure documents are presented as new op-eds or other articles that the impersonation account is looking to publish, and the threat actors ask the recipient for feedback. When the victim opens the PDF, the text appears encrypted.

If the target contacts the threat actors because they cannot read the content, the cyberspies send a link to a site hosting a purported decryption tool. Upon downloading and executing the tool, a decoy document is displayed while a backdoor, tracked as SPICA, is installed.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.” reads TAG’s analysis.

Spica is a Rust backdoor that uses JSON over websockets for C2. Spica supports multiple capabilities, such as:

  • Executing arbitrary shell commands
  • Stealing cookies from Chrome, Firefox, Opera and Edge
  • Uploading and downloading files
  • Browsing the filesystem by listing its contents
  • Enumerating documents and exfiltrating them in an archive
  • There is also a command called “telegram,” but the functionality of this command is unclear

The malware maintains persistence via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

The researchers have observed the use of SPICA since early September 2023, but believe that the Russian APT has been employing it since at least November 2022.

“While TAG has observed four different variants of the initial “encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA. This sample, named “Proton-decrypter.exe”, used the C2 address 45.133.216[.]15:3000, and was likely active around August and September 2023.” concludes the report.

“We believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.”

In December, the UK National Cyber Security Centre (NCSC) and Microsoft reported that the Russia-linked APT group Callisto Group is targeting organizations worldwide. The nation-state actor is carrying out spear-phishing attacks for cyberespionage purposes.


Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)

CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog

18 January 2024 at 19:07

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Chrome and Citrix flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

  • CVE-2023-6548 – Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability.
  • CVE-2023-6549 – Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability.
  • CVE-2024-0519 – Google Chromium V8 Out-of-Bounds Memory Access Vulnerability.

This week Citrix warned customers to install security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, impacting Netscaler ADC and Gateway appliances.

“Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the advisory.

Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.

An attacker can trigger the flaw to gain remote code execution or cause a denial-of-service condition.

The vulnerability CVE-2023-6548 is an authenticated (low privileged) remote code execution issue affecting the management interface. In order to exploit it, an attacker must have access to NSIP, CLIP or SNIP with management interface access.

The company pointed out that CVE-2023-6548 only impacts the management interface. Cloud Software Group strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. The vendor recommends that customers do not expose the management interface to the internet, as explained in the secure deployment guide.

The vulnerability CVE-2023-6549 is a denial-of-service issue. To be exploitable, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.

This week, Google released security updates to address the first Chrome zero-day vulnerability of the year that is actively being exploited in the wild.

The high-severity vulnerability, tracked as CVE-2024-0519, is an out-of-bounds memory access in the V8 JavaScript engine used by Chrome. The flaw was reported by Anonymous on January 11, 2024.

“The Stable channel has been updated to 120.0.6099.234 for Mac and 120.0.6099.224 for Linux and 120.0.6099.224/225 to Windows which will roll out over the coming days/weeks.” reads the security advisory published by the IT giant. “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.”

A remote attacker can exploit the flaw by tricking a user into visiting a crafted HTML page to potentially exploit heap corruption.

As usual, Google did not share details of the attacks that exploited the CVE-2024-0519 zero-day in the wild.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by February 2, 2024.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Kansas State University suffered a serious cybersecurity incident

19 January 2024 at 08:05

Kansas State University (K-State) suffered a cybersecurity incident that has disrupted part of its network and services.

Kansas State University (K-State) suffered a cybersecurity incident that impacted a portion of its network and services.

On January 16, 2023, K-State announced it was experiencing a disruption to certain network systems, including VPN, K-State Today emails, and videos on Canvas or Mediasite.

The university immediately launched an investigation into the incident.

“We are able to confirm that these disruptions are the result of a recent cybersecurity incident, and as such, we want you to know that these impacted systems were taken offline and will remain offline for the immediate future as the investigation continues.” reads the message posted by the University on its website. “This will also include select shared drives and printers, as well as university listservs.”

Kansas State University (KSU, Kansas State, or K-State) is a public land-grant research university with its main campus in Manhattan, Kansas. The university is classified among “R1: Doctoral Universities – Very high research activity”. Kansas State’s academic offerings are administered through nine colleges, including the College of Veterinary Medicine and the College of Technology and Aviation in Salina. Graduate degrees offered include 65 master’s degree programs and 45 doctoral degrees.

At present, Kansas State University enrolls 20,000 students and has a faculty comprising over 1,400 academic staff members.

KSU recommends that its personnel and students report any suspicious activity.

On January 17, the university announced that emails would return in a temporary format on Thursday, Jan. 18.

On January 18, KSU Wireless was still unavailable; the university recommended the use of KSU Guest to connect wirelessly during this time.

At this time, K-State has yet to provide details about the security breach.


Pierluigi Paganini

(SecurityAffairs – hacking, KSU)

The Quantum Computing Cryptopocalypse – I’ll Know It When I See It

19 January 2024 at 08:36

Can quantum computing break cryptography? Can it do it within a person’s lifetime? Will it be a cryptopocalypse, as some experts suggest?

Can quantum computing break cryptography? Sure, it can. Can it do it within a person’s lifetime? Yes. In fact, it will likely achieve this sometime within your career. Will it be a cryptopocalypse, as some experts suggest? Possibly. Advances in quantum computing mean that we don’t necessarily have to wait for a large, supercooled quantum computer with enough qubits to run Shor’s algorithm (the best-known algorithm for factoring large numbers). There are newer, more sophisticated techniques on the table, such as combinations of attacks that can do what a single brute-force approach can’t. So, it might not be time to panic, but it certainly is time to recognize that the threats and the benefits of quantum computing are here now, and security professionals need to ensure that they and the organization they work for are fully prepared.

These are just some of the thoughts that Johna Till Johnson, CEO at Nemertes Research, and Bob Burns, Chief Product Security Officer at Thales, shared with me on the latest episode of the Security Sessions podcast. Quantum has been discussed and theorized for years, and like the “sudden” rise of AI and generative technology that seemed to happen in early 2023, efficient and cost-effective use of quantum computing may also jump to a critical mass, and sooner than expected, despite its long voyage of research and development.

Bob asks, for example, “What happens if we find that quantum computing actually can be used as a multistage step to break the factoring that doesn’t involve Shor’s algorithm? What if we make incremental improvements or chain multiple results from a quantum computer that’s realizable today?” Those are the types of thoughts that keep him up at night. They are a testament to people’s relentless desire for innovation, as well as their abilities to advance by developing techniques, products, and solutions that weren’t even foreseen when the technology was first introduced.

Are we closer to Q-Day than we estimate?

You can say such things about almost any technology, of course – the personal computer, the internet, and the smartphone – they all became much more versatile than their inventors ever foresaw. But Johna provides an example of how this evolution in breaking cryptography happened just recently: researchers from the KTH Royal Institute of Technology in Stockholm used recursive training AI combined with side-channel attacks to crack one of NIST’s quantum-resistant algorithms. In this case, it measured out-of-band information, specifically temperature changes corresponding to the processing inside the machine.

This has direct and ominous implications on what is known as a Q-Day – that point in time “when quantum computers can render all current encryption methods meaningless,” as PCMagazine succinctly puts it. But as Bob points out, for calculating a Q-Day, “I look at all my data, and I take the biggest amount of data that I want to keep the longest amount of time, and I predict how long it might take me to make that transition. But when my Q-Day ends up being, let’s say, ten years away, my concern will be that someone forces that up to three or four years.”

For the hard to solve problems, an improved answer is good enough

But both Johna and Bob point out that quantum computing is not all doom and gloom. There are lots of good reasons to deploy quantum computing, and many aren’t what most people think they are. Basically, Johna says they can solve problems for which the answer isn’t the best or the only, but good enough by some consistent definition of good enough, for example, policy hardening. Whether this refers to a technical policy, a cybersecurity policy, or even a geopolitical policy, it’s helpful to know all the answers. In the latter case, a government might need to identify all the possible things it can do that will not result in war with a particular country. That’s the kind of thing that a classical computer with AI can’t answer very well, but a quantum computer can because it effectively computes all the possible scenarios and outcomes at once. It’s not great at telling you which of those scenarios is the absolute best, but it can help decision-makers draw a line to say, anything above this line, we don’t go to war, and that’s good enough.

Essentially, this is about taking on the category of problems that we don’t even try to solve right now because they’re too hard; they require a technique of solving all possible scenarios at once and cherry-picking the ones that come above some definition of good enough. And those are all the problems that quantum can solve. Johna concludes, “Once you let your imagination go with that, policy hardening is just kind of the tip of the iceberg.”

About the author: Steve Prentice


Pierluigi Paganini

(SecurityAffairs – hacking, quantum computing)

U.S. CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082

19 January 2024 at 14:14

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM flaw CVE-2023-35082 to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti EPMM flaw CVE-2023-35082 (CVSS score: 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.

At the end of July, Ivanti disclosed a security vulnerability impacting Endpoint Manager Mobile (EPMM), tracked as CVE-2023-35078 (CVSS score: 7.8), that was exploited in the wild as part of an exploit chain by threat actors.

In early August, Rapid7 researchers discovered a bypass for the CVE-2023-35078 vulnerability in Ivanti Endpoint Manager Mobile (EPMM).

The new vulnerability, tracked as CVE-2023-35082 (CVSS score: 10.0), can be exploited by unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below). Ivanti addressed the vulnerability with the release of the MobileIron Core 11.3 version.

“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti reported in August 2023.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 8, 2024.


Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti EPMM)

Ransomware attacks break records in 2023: the number of victims rose by 128%

19 January 2024 at 14:56

Ransomware groups claimed that they successfully targeted 4191 victims in 2023, Cybernews researchers report.

According to the Ransomlooker tool, the number of ransomware attack victims increased by 128.17% compared to the previous year (2022), with 1837 additional incidents.

Based on Ransomlooker, a free Cybernews tool for monitoring the dark web and other hidden areas of the internet, more ransomware attacks occurred in spring and summer, with 1253 and 1275 victims, compared to winter and autumn, which had 611 and 1052 incidents, respectively. Winter was the least active time (14.6% of attacks in 2023), while summer was the most active for ransomware attacks (30.4%).

Furthermore, based on findings from the Ransomlooker tool, there were an average of 36 successful ransomware attacks per day in 2023, or more than one successful ransomware attack claim against a company per hour.

The most targeted country in the world: the USA

Ransomlooker data shows that the most targeted countries over the past four years are the same top five countries: the United States, United Kingdom, Canada, Germany, and France.

The US consistently takes the first position, significantly surpassing other countries, with a victim count sometimes nearly ten times greater than the second-ranked country. Other economically and technologically advanced countries consistently maintaining a presence in the top ten include Italy, Australia, and Spain.

What is more unexpected is the continued inclusion of India and Brazil on the top 12 list despite their less progressive economies. However, this correlation aligns with their comparatively limited ability to invest in advanced cybersecurity practices and greater susceptibility to successful ransom attacks.

The most active group in 2023: LockBit

According to the data presented by the Cybernews research team, 66 active ransomware groups were identified and operating within the digital landscape in 2023. The top 10 groups, based on the number of victims, collectively account for 59% of the total victims in 2023.

LockBit remained the most active group through 2023. They claimed responsibility for most victims, with 1009 incidents constituting nearly a quarter of all ransomware victims in 2023. This group primarily focused its attacks on the construction, manufacturing/industrial, and retail industries.

Top targeted companies: Stanford University, Volt, CoinBase

According to data from Ransomlooker, the top 10 industries targeted by ransomware groups in 2023 were IT services and IT consulting, construction, manufacturing and industrial, retail, hospitals and health care, insurance, law practice, real estate, software development, and machinery manufacturing.

The data shows a shift in ransomware targets over the past three years. Previously dominated by the construction industry, the IT sector now claims the top spot in 2023.

In the IT service and consulting sector, Stanford University, Volt, and CoinBase were reportedly identified by the Ransomlooker tool as the top companies targeted by ransomware gangs based on their annual revenue in 2023.

You can read the full report here; the data in the report were collected up to December 19, 2023.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

China-linked APT UNC3886 exploits VMware zero-day since 2021

19 January 2024 at 19:32

China-linked group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021.

Mandiant researchers reported that China-linked APT group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021.

vCenter Server is a critical component in VMware’s virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.

In October, VMware addressed a critical out-of-bounds write vulnerability, tracked as CVE-2023-34048 (CVSS score 9.8), that impacts vCenter Server.

The company updated its advisory on January 18, 2023, revealing that it is aware of exploitation “in the wild.”

“As of January 18, 2024 VMware is aware of exploitation “in the wild.”” reads the advisory.

In June 2023, Mandiant researchers observed the cyberespionage group UNC3886 exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867.

Researchers from Mandiant first detailed the activity of the group in September 2022 when they discovered a novel malware persistence technique within VMware ESXi Hypervisors.

The technique was used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux.

The highly targeted and evasive nature of this attack leads the experts to believe that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.

In the attack investigated by Mandiant in September 2022, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files that are designed to manage virtual systems, they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

Further investigation conducted by Mandiant revealed additional techniques the group UNC3886 used to target multiple organizations while evading EDR solutions.

The cyberespionage group was observed harvesting credentials for service accounts for all connected ESXi hosts from the embedded vPostgreSQL server built into the vCenter Server Appliance. The threat actors exploited the zero-day vulnerability CVE-2023-20867 to execute privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs from a compromised ESXi host, without guest credentials and with no default logging on the guest VMs.

The CVE-2023-20867 flaw is exclusively exploitable by an attacker with root access to the ESXi server.

Then the attackers deploy backdoors on ESXi hosts using an alternative socket address family, VMCI, for lateral movement and to maintain persistence.

In recent attacks, Chinese hackers were also spotted modifying and disabling logging services on compromised systems.

[Figure: UNC3886 VMware ESXi zero-day]

At the time, Mandiant had no evidence of how the attackers were deploying the backdoors to vCenter systems.

In late 2023, Mandiant noticed that the VMware vmdird service had crashed minutes before the backdoors were deployed.

“Analysis of the core dump of “vmdird” by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems.” reads the report published by Mandiant.

Mandiant observed crashes across multiple UNC3886 cases between late 2021 and early 2022.

The researchers also noticed that most environments where these crashes were observed had log entries preserved; however, the ‘vmdird’ core dumps had been removed.

“VMware’s default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks.” concludes the report. “As mentioned in the VMware advisory, this vulnerability has since been patched in vCenter 8.0U2 and Mandiant recommends VMware users updating to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, UNC3886)

VF Corp December data breach impacts 35 million customers

19 January 2024 at 23:37

American global apparel and footwear company VF Corp revealed that the December data breach impacted 35.5 million customers.

VF Corporation is an American global apparel and footwear company that owns 13 brands. In 2015, the company controlled 55% of the U.S. backpack market with the JanSport, Dickies, Eastpak, Timberland, Smartwool, Vans, and The North Face brands.

In December 2023, VF Corp announced it was the victim of a ransomware attack and was forced to take some systems down to contain the threat.

Now the company confirmed attackers stole corporate and personal information impacting 35.5 million customers.

On December 13, 2023, VF Corp detected unauthorized access to a portion of its infrastructure. VF immediately began taking measures to remediate the attack and launched an investigation into the security breach.

“Based on VF’s preliminary analysis from its ongoing investigation, VF currently estimates that the threat actor stole personal data of approximately 35.5 million individual consumers.” reads a Form 8-K filed with the Securities and Exchange Commission (SEC) on January 18, 2024. “However, VF does not collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices, and, while the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor.”

The company pointed out that it does not store Social Security numbers and financial information in its systems. VF Corp also added that it has found no evidence that customer passwords were stolen.

Following the shutdown of certain systems, VF encountered disruptions in its operations. The incident interrupted retail store inventory replenishment and delayed order fulfillment. These issues resulted in customer and consumer cancellations of product orders, reduced demand on certain brand e-commerce sites, and delays in some wholesale shipments.

The company has restored all impacted systems, however, it is still experiencing minor issues.

“VF believes that the material impact or reasonably likely material impact on VF is limited to the material impacts on VF’s business operations disclosed in the Original Report which are no longer ongoing at this time. As of the date of this Amendment, VF also believes the impacts of the cyber incident are not material and are not reasonably likely to be material to its financial condition and results of operations.” concludes the Form 8-K.

“VF will be seeking reimbursement of costs, expenses and losses stemming from the cyber incident by submitting claims to VF’s cybersecurity insurers. The timing and amount of any such reimbursements is not known at this time.”

Pierluigi Paganini

(SecurityAffairs – hacking, VF Corp)

Russia-linked Midnight Blizzard APT hacked Microsoft corporate emails

20 January 2024 at 11:37

Microsoft revealed that the Russia-linked APT Midnight Blizzard has compromised some of its corporate email accounts. 

Microsoft warned that some of its corporate email accounts were compromised by a Russia-linked cyberespionage group known as Midnight Blizzard. Microsoft notified law enforcement and relevant regulatory authorities.

The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes), along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more than 18,000 customer organizations, including Microsoft.

Microsoft discovered the intrusion on January 12, 2024, and immediately launched an investigation into the security breach. The IT giant confirmed to have locked out the threat actors and mitigated the attack.

“On January 12, 2024, Microsoft (the “Company” or “we”) detected that beginning in late November 2023, a nation-state associated threat actor had gained access to and exfiltrated information from a very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, on the basis of preliminary analysis.” reads a Form 8-K filing with the SEC. “We are examining the information accessed to determine the impact of the incident. We also continue to investigate the extent of the incident.”

The company attributed the attack to the Russian cyberespionage group Midnight Blizzard.

The state-sponsored hackers first compromised the company systems in late November 2023 with a password spray attack. Password spraying is a type of brute force attack in which the attackers try a small set of common or default passwords against a long list of usernames on the application. In this attack scenario, threat actors use one password against many different accounts to avoid the account lockouts that would normally trigger when brute forcing a single account with many passwords.

Microsoft revealed that the threat actors gained access to a legacy non-production test tenant account and used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. The attackers gained access to the accounts of members of the company’s senior leadership team and employees in cybersecurity, legal, and other functions. The company also confirmed that attackers have exfiltrated some emails and attached documents. The APT group initially targeted email accounts to gather intelligence on investigations conducted by Microsoft on Midnight Blizzard’s activities. Microsoft is notifying impacted employees.  

The company pointed out that the attackers did not exploit any vulnerability in Microsoft products or services. Microsoft also added that there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.” wrote Microsoft. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

According to the Form 8-K, the incident has not had a material impact on the Company’s operations.

“The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” reads the document.

The lesson from the incident is that the compromised accounts were not adequately protected against brute force attacks. Effective techniques to mitigate brute-force attacks include enabling Multi-factor Authentication (MFA), using strong passwords, CAPTCHAs, IP rate limiting, account lockout, and log monitoring.
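Because a spray keeps the failure count per account below the lockout threshold, per-account lockout alone does not catch it; the signal is one source failing against many distinct accounts in a short window. The following is an added example of that detection logic, not code from Microsoft or Security Affairs; the log lines and their format are constructed, and the thresholds are assumptions to be tuned per environment. It reports both patterns side by side: the spray (many accounts, one or two failures each) and the classic single-account brute force that lockout does handle.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays seven accounts once each, then logs in as
# one of them; a second source hammers a single account (classic brute force).
SAMPLE_AUTH_LOG = """\
2023-11-20T03:00:01Z AUTH_FAIL user=alice src=203.0.113.7
2023-11-20T03:00:52Z AUTH_FAIL user=bob src=203.0.113.7
2023-11-20T03:01:44Z AUTH_FAIL user=carol src=203.0.113.7
2023-11-20T03:02:35Z AUTH_FAIL user=dave src=203.0.113.7
2023-11-20T03:03:27Z AUTH_FAIL user=erin src=203.0.113.7
2023-11-20T03:04:18Z AUTH_FAIL user=frank src=203.0.113.7
2023-11-20T03:05:10Z AUTH_FAIL user=grace src=203.0.113.7
2023-11-20T03:09:00Z AUTH_OK user=grace src=203.0.113.7
2023-11-20T03:10:00Z AUTH_FAIL user=bob src=198.51.100.9
2023-11-20T03:10:05Z AUTH_FAIL user=bob src=198.51.100.9
2023-11-20T03:10:11Z AUTH_FAIL user=bob src=198.51.100.9
2023-11-20T03:10:16Z AUTH_FAIL user=bob src=198.51.100.9
2023-11-20T03:10:22Z AUTH_FAIL user=bob src=198.51.100.9
2023-11-20T03:10:27Z AUTH_FAIL user=bob src=198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_auth_events(lines) -> list:
    """Parse the constructed log format into (timestamp, result, user, src) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e[0])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_fail_per_account=2) -> list:
    """Per source: slide a time window over its failures; a spray is many distinct
    accounts with few failures each. A later success for a sprayed account is
    reported as a possible compromise."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "AUTH_FAIL"]
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e[2]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_fail_per_account:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"src": src, "distinct_users": len(per_user),
                            "first": fails[start][0], "last": fails[end][0],
                            "sprayed_users": sorted(per_user)}
        if best:
            sprayed = set(best["sprayed_users"])
            best["success_after_spray"] = sorted({
                e[2] for e in evs
                if e[1] == "AUTH_OK" and e[2] in sprayed and e[0] >= best["first"]})
            alerts.append(best)
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), threshold=5) -> list:
    """The pattern account lockout is built for: one (src, user) pair with many failures."""
    stamps = defaultdict(list)
    for ts, result, user, src in events:
        if result == "AUTH_FAIL":
            stamps[(src, user)].append(ts)
    hits = []
    for (src, user), times in stamps.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((src, user, best))
    return sorted(hits)


def demo_spray() -> list:
    return detect_password_spray(parse_auth_events(SAMPLE_AUTH_LOG.splitlines()))


if __name__ == "__main__":
    print(demo_spray())
    print(detect_brute_force(parse_auth_events(SAMPLE_AUTH_LOG.splitlines())))
```

The spray from 203.0.113.7 never exceeds one failure per account, so a lockout rule sees nothing; the per-source view does, and the success for grace right after the spray is the event to investigate first.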

Italian readers can listen to my podcast on the importance of enabling 2FA to protect our accounts.

https://tg24.sky.it/tecnologia/2024/01/17/cybersecurity-quella-porta-blindata-che-puo-salvare-un-account

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

Admin of the BreachForums hacking forum sentenced to 20 years supervised release

20 January 2024 at 22:01

Conor Brian Fitzpatrick, the admin of the BreachForums hacking forum, has been sentenced to 20 years supervised release.

Conor Brian Fitzpatrick, the admin of the BreachForums hacking forum, was sentenced to 20 years of supervised release.

In July, Conor Brian Fitzpatrick agreed to plead guilty to a three-count criminal information charging the defendant with conspiracy to commit access device fraud, solicitation for the purpose of offering access devices, and possession of child pornography.

BreachForums functioned as a cybercrime marketplace, enabling its members to engage in the solicitation, sale, purchase, and exchange of illicitly obtained or compromised data, along with various contraband items. Traded goods included stolen access devices, cybercrime tools, compromised databases, and services aimed at gaining unauthorized access to targeted systems.

In March 2023, U.S. law enforcement arrested Pompompurin; the agents spent hours inside and outside the suspect’s home and were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices. Fitzpatrick was released on a $300,000 bond signed by his parents.

The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET. pompompurin always declared that he was ‘not affiliated with RaidForums in any capacity.’

In a memorandum filed by U.S. prosecutors on January 16th, the U.S. government recommended to the courts that Fitzpatrick be sentenced to 15 years in prison.

Today the United States government recommended to the courts that Conor Fitzpatrick, the previous administrator of BreachedForum, receive 15 years in prison. pic.twitter.com/HP5fl4tbBe

— vx-underground (@vxunderground) January 17, 2024

VX-Underground and BleepingComputer first revealed that the man was finally sentenced to time served and 20 years of supervised release.

Today we spoke with individuals from the US Eastern District Court of Virginia. We requested information from the Clerks office on the official sentencing of Mr. Conor Fitzpatrick, the previous administrator of BreachedForum.

He was sentenced to 20 years supervised release

— vx-underground (@vxunderground) January 19, 2024

A federal judge ruled that the initial two years of the 20-year sentence will be served under home confinement, as outlined in a sentencing document published on Friday and shared by CyberScoop. During the first year of home confinement, Fitzpatrick will be restricted from accessing the internet and is required to register with state sex offender registries.

“The defendant shall serve his first two (2) years of supervised release on HOME ARREST with GPS location monitoring with the following outings and permission given in advance by the probation officer: Therapy sessions, meetings with the probation officer, medical appointments, and religious observances.” reads the sentence. “The defendant shall comply with the requirements of the computer monitoring program as administered by the probation office. The defendant shall allow the probation officer to install computer monitoring software on any computer the defendant uses.”

Fitzpatrick was also ordered to pay restitution for the losses incurred by the victims, with the specific amount yet to be decided.

Pierluigi Paganini

(SecurityAffairs – hacking, BreachForums)

Security Affairs newsletter Round 455 by Pierluigi Paganini – INTERNATIONAL EDITION

21 January 2024 at 09:16

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Admin of the BreachForums hacking forum sentenced to 20 years supervised release
Russia-linked Midnight Blizzard APT hacked Microsoft corporate emails
VF Corp December data breach impacts 35 million customers
China-linked APT UNC3886 exploits VMware zero-day since 2021
Ransomware attacks break records in 2023: the number of victims rose by 128%
U.S. CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082
The Quantum Computing Cryptopocalypse – I’ll Know It When I See It
Kansas State University suffered a serious cybersecurity incident
CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog
Google TAG warns that Russian COLDRIVER APT is using a custom backdoor
PixieFail: Nine flaws in UEFI open-source reference implementation could have severe impacts
iShutdown lightweight method allows to discover spyware infections on iPhones
Pro-Russia group hit Swiss govt sites after Zelensky visit in Davos
Github rotated credentials after the discovery of a vulnerability
FBI, CISA warn of AndroxGh0st botnet for victim identification and exploitation
Citrix warns admins to immediately patch NetScaler for actively exploited zero-days
Google fixed the first actively exploited Chrome zero-day of 2024
Atlassian fixed critical RCE in older Confluence versions
VMware fixed a critical flaw in Aria Automation. Patch it now!
Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws
Experts warn of a vulnerability affecting Bosch BCC100 Thermostat
Over 178,000 SonicWall next-generation firewalls (NGFW) online exposed to hack
Phemedrone info stealer campaign exploits Windows smartScreen bypass
Balada Injector continues to infect thousands of WordPress sites
Attackers target Apache Hadoop and Flink to deliver cryptominers
Apple fixed a bug in Magic Keyboard that allows to monitor Bluetooth traffic
Attacks against Denmark’s energy sector were not carried out by Russia-linked APT
Mastermind behind 1.8 million cryptojacking scheme arrested in Ukraine

Cybercrime

Cryptojacker arrested in Ukraine over EUR 1.8 million mining scheme  

3 Ransomware Group Newcomers to Watch in 2024

E-Crime Rapper ‘Punchmade Dev’ Debuts Card Shop  

Ransomware landscape overview 2023  

Jailed BreachForums creator, admin sentenced to 20 years of supervised release  

Malware

Medusa Ransomware Turning Your Files into Stone      

Thousands of Sites with Popup Builder Compromised by Balada Injector

CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign  

Why Join The Navy If You Can Be A Pirate?  

Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims

CISA and FBI Release Known IOCs Associated with Androxgh0st Malware  

A lightweight method to detect potential iOS malware  

Hacking

Cockpit door lock auto-unlock is no surprise  

Apache Applications Targeted by Stealthy Attacker  

It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable  

Hacking IoT & RF Devices with BürtleinaBoard™  

Vulnerabilities identified in Bosch BCC100 Thermostat  

Ivanti Connect Secure VPN Exploitation Goes Global   

Citrix warns of new Netscaler zero-days exploited in attacks

PixieFail: Nine vulnerabilities in Tianocore’s EDK II IPv6 network stack

Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021    

Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity 

Intelligence and Information Warfare 

Clearing the Fog of War – A critical analysis of recent energy sector cyberattacks in Denmark and Ukraine    

From artificial intelligence to cybersecurity: how Brazil prepares for the challenge of the elections of the future

When You Roam, You’re Not Alone

Swiss Govt Websites Hit by Pro-Russia Hackers After Zelensky Visit 

Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Details Emerge on Alleged MI6 Spy in China  

Cybersecurity

Analysis of Android settings during a forensic investigation  

Google fixes first actively exploited Chrome zero-day of 2024

Rotating credentials for GitHub.com and new GHES patches  

JPMorgan Chase says hacking attempts are increasing

PSA: Anyone can tell if you are using WhatsApp on your computer      

Cyber attacks reveal fragility of financial markets  

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

LockBit ransomware gang claims the attack on the sandwich chain Subway

21 January 2024 at 19:46

The LockBit ransomware gang claimed to have hacked Subway, the American multinational fast food restaurant franchise. 

Subway IP LLC is an American multinational fast-food restaurant franchise that specializes in submarine sandwiches (subs), wraps, salads, and drinks.

The Lockbit ransomware group added Subway to the list of victims on its Tor data leak site and threatened to leak the stolen data on February 02, 2024 at 21:44:16 UTC. The group claims to have stolen hundreds of gigabytes of sensitive data. The gang said that the stolen data includes employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers, and more.

“The biggest sandwich chain is pretending that nothing happened. We exfiltrated their SUBS internal system which includes hundreds of gigabytes of data and all financial expects of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers etc. We are giving some time for them to come and protect this data, if no we are open to sell to competitors.” reads the message published on the Tor leak site.

At this time, it is unknown what ransom the Lockbit group has demanded from the victim.

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Backdoored pirated applications targets Apple macOS users

22 January 2024 at 06:31

Researchers warned that pirated applications have been employed to deliver a backdoor to Apple macOS users.

Jamf Threat Labs researchers warned that pirated applications have been utilized to distribute a backdoor to Apple macOS users.

The researchers noticed that the apps appear similar to the ZuRu malware: they allow operators to download and execute multiple payloads in the background to compromise machines.

The pirated applications discovered by Jamf Threat Labs are being hosted on Chinese pirating websites.

During their investigation, the researchers detected an executable named .fseventsd. The executable attempts to avoid detection by starting its name with a period and reusing the name of a process built into the operating system. It is not signed by Apple; however, at the time of the research it was not detected by any anti-virus engine on VirusTotal.

Using VirusTotal, Jamf Threat Labs researchers discovered that the .fseventsd binary was initially uploaded as part of a larger DMG file. Further investigation on VirusTotal revealed three pirated applications that contained the same malware. The experts also discovered many pirated applications hosted on the Chinese website macyy[.]cn. The experts also identified two more trojanized DMGs following a similar pattern that had not been reported on VirusTotal.

The malware-laced DMG files include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

Each pirated application included the following components:

  • Malicious dylib: a library loaded by the application that acts as a dropper.
  • Backdoor: a binary downloaded by the dylib that uses the Khepri open-source C2 and post-exploitation tool.
  • Persistent downloader: a binary downloaded by the dylib that is used to maintain persistence and download additional payloads.

“Each application bundle has had its Mach-O executable modified with an additional load command.” reads the analysis published by Jamf. “This technique of hooking malware in via malicious dylib is considered fairly advanced as far as macOS malware goes. However, it does result in breaking the application signature. As a result, the apps are being distributed online as unsigned applications — a detail that many users who are downloading pirated applications likely don’t care about.”

Upon executing the FinalShell.dmg application, the dylib library loads the backdoor “bd.log” and the downloader “fl01.log” from a remote server.

The bd.log backdoor is written to the path “/tmp/.test”; the executable remains hidden in the temporary directory, and because the malware is stored in this folder the backdoor is deleted when the system shuts down.

The backdoor is written in this path every time the pirated application is loaded and the dropper is executed.

“The executable found at the directory /Users/Shared/.fseventsd acts as a persistent downloader, enabling the execution of arbitrary payloads retrieved from the attacker’s server.” continues the analysis.

The malware creates a LaunchAgent to maintain persistence and sends an HTTP GET request to the attacker’s server.
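The technique Jamf describes, an extra load command spliced into the application's Mach-O executable so that a malicious dylib is loaded on launch, leaves a trace that can be checked without running the app: the load-command table itself. The following is an added example, not Jamf's code or the malware's: a small Mach-O load-command parser that lists every dylib the executable asks dyld to load and whether an LC_CODE_SIGNATURE command is present, plus a constructed minimal header so the parser can be exercised offline. Paths outside /usr/lib and /System/Library are reported as unusual; that heuristic and the sample paths are assumptions, and the presence of a signature command says nothing about its validity (that is what `codesign --verify` is for).

```python
import struct

# Load-command constants from <mach-o/loader.h> (Apple's values, not assumed).
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
LC_CODE_SIGNATURE = 0x1D
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

# Where a stock app's dependencies normally live. Anything else (an @rpath entry,
# a path under /Users or /tmp) is a hunting lead, not proof of tampering. Assumption.
EXPECTED_PREFIXES = ("/usr/lib/", "/System/Library/")


def parse_macho(data: bytes) -> dict:
    """Walk the load commands of a thin little-endian Mach-O and report its dylib
    dependencies and whether an LC_CODE_SIGNATURE command is present."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        hdr_size = 32          # mach_header_64 has a trailing reserved field
    elif magic == MH_MAGIC:
        hdr_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (slice fat binaries first)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = hdr_size, hdr_size + sizeofcmds
    dylibs, code_signed = [], False
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > min(end, len(data)):
            raise ValueError("load command overruns its table")
        if cmd in DYLIB_LOAD_CMDS:
            # struct dylib_command: cmd, cmdsize, then an lc_str offset (relative to
            # the start of this command); the NUL-terminated path lives inside cmdsize.
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            raw = data[off + name_off:off + cmdsize] if name_off < cmdsize else b""
            dylibs.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_CODE_SIGNATURE:
            code_signed = True
        off += cmdsize
    unusual = [d for d in dylibs if not d.startswith(EXPECTED_PREFIXES)]
    return {"ncmds": ncmds, "dylibs": dylibs, "code_signed": code_signed, "unusual_dylibs": unusual}


def build_sample_macho(dylib_paths, signed: bool) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE header plus load commands and no code,
    so the parser can be exercised offline. Not a real or runnable binary."""
    cmds = b""
    for path in dylib_paths:
        name = path.encode() + b"\0"
        name += b"\0" * (-len(name) % 8)            # load commands are 8-byte aligned
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0x10000, 0x10000) + name
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)   # linkedit_data_command
    ncmds = len(dylib_paths) + (1 if signed else 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        with open(p, "rb") as fh:
            print(p, parse_macho(fh.read()))
```

Run it against the main executable inside an app bundle (Contents/MacOS/<name>); an entry that points outside the system library locations, on an app whose signature no longer verifies, matches the pattern Jamf describes and is worth pulling the referenced dylib for.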

The researchers discovered many similarities between this malware and the ZuRu malware that has been active since at least 2021 [1], [2].

Both malware families primarily target victims in China.

“The ZuRu malware was originally found in pirated applications iTerm, SecureCRT, Navicat Premium and Microsoft Remote Desktop Client. Upon opening the infected application, the user was presented with an operational app, but logic held within an added dylib would execute a Python script in the background to grab sensitive files and upload them to an attacker server.” concludes the report. “It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure.”

Pierluigi Paganini

(SecurityAffairs – hacking, pirated applications)

Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web

22 January 2024 at 09:27

Resecurity researchers warn of massive leak of stolen Thai personally identifiable information (PII) on the dark web by cybercriminals.

Resecurity has detected a noticeable increase in data leaks from consumer-focused platforms in Thailand, confirming that threat actors are actively targeting the personal data of citizens now at the beginning of 2024. Thailand is swiftly becoming a key player in the digital arena, particularly in the field of Information and Communication Technology (ICT), within the Asia-Pacific region. Notably, from the latter part of 2022 to the early months of 2023, there has been a significant drop in incidents of data breaches in the country.

But as we step into 2024, this trend might see a change. There are reports of cybercriminals, one known in the shadowy corners of the Dark Web as Naraka, circulating large amounts of stolen personal identifiable information (PII) of Thai citizens. It’s believed that these sensitive details were sourced from various breached platforms.

Threat actors target Thai-based e-commerce, fintech and government resources due to a large presence of personal documents both in text and graphical form used for KYC (“Know Your Customer”). Compared to 2023, there has been an increase in the frequency of attacks, as evidenced by the rising number of leaked data incidents involving consumers and businesses from Thailand on the Dark Web. In the early part of January 2024 alone, at least 14 significant data breaches exposing citizens’ information were posted on cybercriminal forums, nearly surpassing the annual volume of compromised records identified last year.

Threat actors use stolen PII data to defraud Thai citizens and to attack financial organizations, which are actively developing and cultivating digitization in the region to serve a population of 71.6 million people.

More details are available in the report published by Resecurity:

https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web

Pierluigi Paganini

(SecurityAffairs – dark web, Thailand)

Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell

22 January 2024 at 11:19

Researchers warn of a spike in attacks exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell.

Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering malicious code borrowed from the open-source Godzilla web shell.

Threat actors conceal the web shell within an unknown binary format, evading security and signature-based scanners. Once deployed, ActiveMQ’s JSP engine compiles and executes the web shell.

In November 2023, researchers at Rapid7 reported the suspected exploitation of the recently disclosed critical vulnerability CVE-2023-46604 in Apache ActiveMQ.

Apache ActiveMQ is an open-source message broker software that serves as a message-oriented middleware (MOM) platform. It is developed by the Apache Software Foundation and written in Java. ActiveMQ provides messaging and communication capabilities to various applications, making it easier for them to exchange data and communicate asynchronously.

Rapid7 identified exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments.

CVE-2023-46604 (CVSS score: 10.0) is a remote code execution vulnerability that impacts Apache ActiveMQ. A remote attacker with network access to a broker can exploit this flaw to run “arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”

Apache addressed the flaw with the release of new versions of ActiveMQ on October 25, 2023. The researchers pointed out that the proof-of-concept exploit code and vulnerability details are both publicly available.

The vulnerability affects the following versions:

  • ActiveMQ 5.18.0 before 5.18.3
  • ActiveMQ 5.17.0 before 5.17.6
  • ActiveMQ 5.16.0 before 5.16.7
  • ActiveMQ before 5.15.16
  • ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

In the attacks observed by Trustwave SpiderLabs, the malicious file was planted in the “admin” folder within the ActiveMQ installation directory. The folder contains the server scripts for the ActiveMQ administrative and web management console.

“Interestingly, the Jetty JSP engine which is the integrated web server in ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary.” reads the analysis published by Trustwave. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”
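Two things a defender can check directly from the above: whether a broker's version falls in the affected ranges listed earlier, and whether anything in the admin folder carries a JSP scriptlet that is not a JSP page. The following is an added example, not Trustwave's or Apache's code: the version ranges are taken from the list above, the file-content markers (an opening `<%` tag plus the Java APIs web shells typically rely on) are a heuristic I am assuming, and the sample files are constructed, including a deliberately harmless stand-in for the "embedded JSP inside an unknown binary" artefact rather than the real one.

```python
import re
import tempfile
from pathlib import Path

# Fixed releases per the affected-version list for CVE-2023-46604.
FIXED_IN = {(5, 18): (5, 18, 3), (5, 17): (5, 17, 6), (5, 16): (5, 16, 7)}
OLDEST_FIXED = (5, 15, 16)      # every earlier 5.x release is affected
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def is_vulnerable_version(version: str) -> bool:
    """True when an ActiveMQ broker version string falls inside an affected range."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v[:2] in FIXED_IN:
        return v < FIXED_IN[v[:2]]
    return v < OLDEST_FIXED


# Heuristic markers (assumption): a JSP scriptlet opener, and Java APIs that web
# shells use for runtime class definition or process spawning.
JSP_OPEN = re.compile(rb"<%[!=@]?")
SHELL_MARKERS = (b"ClassLoader", b"defineClass", b"Runtime.getRuntime", b"ProcessBuilder")
JSP_EXTENSIONS = {".jsp", ".jspx", ".jspf"}


def scan_for_embedded_jsp(admin_dir) -> list:
    """Report files under the admin folder that contain JSP scriptlets but are not
    JSP pages, or whose scriptlets carry web-shell API markers."""
    findings = []
    for path in sorted(Path(admin_dir).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not (JSP_OPEN.search(data) and b"%>" in data):
            continue
        jsp_ext = path.suffix.lower() in JSP_EXTENSIONS
        markers = [m.decode() for m in SHELL_MARKERS if m in data]
        if jsp_ext and not markers:
            continue                                   # ordinary console page
        head = data[:512]
        binary_wrapper = any((b < 0x20 and b not in (9, 10, 13)) or b > 0x7E for b in head)
        findings.append({
            "file": path.relative_to(admin_dir).as_posix(),
            "jsp_extension": jsp_ext,
            "shell_markers": markers,
            "binary_wrapper": binary_wrapper,
        })
    return findings


def build_sample_admin_dir(root) -> None:
    """Constructed sample tree: one ordinary JSP page, one text file, and one
    non-JSP file with a scriptlet wrapped in junk bytes (a stand-in, not the artefact)."""
    root = Path(root)
    (root / "index.jsp").write_bytes(b'<%@ page contentType="text/html" %>\n<html>console</html>\n')
    (root / "README.txt").write_bytes(b"ActiveMQ admin console\n")
    (root / ".cache.bin").write_bytes(
        b"\x00\x01\x02\xff" + b"junk" * 4 + b"\x00"
        + b"<% class U extends ClassLoader { } %>" + b"\x00\xff")


def demo_scan() -> list:
    """Build the constructed tree in a temp directory and scan it."""
    d = tempfile.mkdtemp()
    build_sample_admin_dir(d)
    return scan_for_embedded_jsp(d)


if __name__ == "__main__":
    print(demo_scan())
    for v in ("5.15.15", "5.16.7", "5.18.2", "5.18.3"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The scan is a first pass, not a verdict: anything it reports should be compared against a clean copy of the same ActiveMQ release, and the version check is only as good as the version string you feed it (take it from the broker itself, not from a package name).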

Once the web shell has been deployed, the threat actor can connect to it through the Godzilla management user interface and achieve complete control over the target system.

The Godzilla Web Shell supports multiple functionalities including:

  • Viewing network details
  • Conducting port scans
  • Executing Mimikatz commands
  • Running Meterpreter commands
  • Executing shell commands
  • Remotely managing SQL databases
  • Injecting shellcode into processes
  • Handling file management tasks

The report includes Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, ActiveMQ) 

“My Slice”, an Italian adaptive phishing campaign

22 January 2024 at 13:38

Adaptive phishing campaigns are emerging as an increasingly sophisticated threat in the cybersecurity landscape.

The phenomenon

This phenomenon represents an evolution of traditional phishing tactics, as attackers seek to overcome defenses using more personalized and targeted approaches. In an adaptive phishing campaign, attackers gather specific information about victims through various sources, such as social media, public websites, and previous data breaches. This data is then used to tailor attacks, making them more convincing and harder to detect.

One of the key elements of these campaigns is social engineering, which aims to psychologically manipulate victims. Attackers may use personal information, such as names, job roles, or company details, to create fake messages that appear to come from trusted sources.

This significantly increases the likelihood that victims will fall into phishing traps. Adaptive phishing campaigns can be delivered through e-mail, text messages, social media, or even phone calls. Attackers often exploit current events or emergency situations to elicit emotional responses and induce victims to act hastily without carefully evaluating the legitimacy of the communications.

As Cert-AgiD (https://t.me/certagid/599) has also recently put the spotlight on this issue, I take this opportunity to tell you about the “My Slice” campaign which I have personally taken over.

“My slice”, the details of the Italian campaign

Last year, a highly targeted phishing campaign that I renamed “My slice” (derived from the name of a variable in the javascript code of the landing page) targeted e-mail account holders of Italian organisations.

The e-mail message passes itself off as a support notice from the recipient’s own company, warning that the storage limit of his e-mail account has been exceeded, which would prevent e-mails from being sent and received. To remedy the problem, the message invites the recipient to check the status of the e-mail account via the proposed support page, otherwise the mailbox will be deleted from the management servers.

The proposed web page is highly customized (https://elinajaguar[.]com/wp-admin/index.html) and looks like a form with the logo and name of the targeted organization, a preset e-mail address, and a password field to be typed.

Following the request, you end up handing over your login information to the scammers while being redirected to your organization’s home page. In fact, the information entered in the form is sent via a “POST” request to an attacker-controlled server listening on the same domain.

To set up the highly targeted phishing campaign, the attackers:

  • First, they pass the target’s e-mail address as a parameter to the phishing page. The “Clicca qui” link (https://elinajaguar[.]com/wp-admin/index.html#[[email protected]]) passes the targeted e-mail address by appending it after the “#” character;
  • then, with a JS function, they extract the e-mail domain name and invoke the http://logo.clearbit[.]com/[domain name] service to retrieve the company logo. The organisation’s domain name is extracted from the victim’s e-mail address, from the string following the @ symbol (in this case, from “[email protected]” the domain name obtained is example.com);
  • finally, with another JS function, they redirect the user after form submission to the home page of the target organization. The home page address is built by prepending the string “http://www.” to the domain name obtained in the previous step (in this case, from “example.com” the home page address is www.example.com).
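The three steps above leave a fingerprint in the link itself: the victim's address rides in the URL fragment, and everything the page customizes (logo, redirect target) is derived from the domain after the @. A mail gateway or analyst can score links on exactly that. The following is an added example, not the author's code or the campaign's JavaScript; the URLs are constructed placeholders (no real infrastructure), and the scoring reasons are my assumptions, including the observation that a static .html page under a WordPress wp-admin path is unusual for a legitimate site.

```python
import re
from urllib.parse import urlsplit, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def triage_link(url: str) -> dict:
    """Score a URL for the pre-filled-victim pattern and recover what the landing
    page would derive from it: the impersonated domain and the post-submit redirect."""
    parts = urlsplit(url)
    fragment = unquote(parts.fragment)
    query = unquote(parts.query)
    path = parts.path.lower()
    in_fragment = EMAIL_RE.findall(fragment)
    in_query = EMAIL_RE.findall(query)
    prefilled = (in_fragment + in_query)[0] if (in_fragment or in_query) else None
    reasons = []
    if prefilled:
        reasons.append("victim e-mail address carried in the link, so the page can pre-fill the form")
    if in_fragment:
        # The fragment is never sent in the HTTP request, so server-side URL logs
        # and proxies do not see it; only the full link from the mail does.
        reasons.append("address sits in the URL fragment, invisible to server-side URL filtering")
    if "/wp-admin/" in path and path.endswith((".html", ".htm")):
        reasons.append("static HTML page under a WordPress admin path (assumed sign of a compromised host)")
    domain = prefilled.split("@", 1)[1].lower() if prefilled else None
    return {
        "prefilled_email": prefilled,
        "impersonated_domain": domain,
        # What the page's redirect step would compute from the address (step 3 above).
        "expected_redirect": f"http://www.{domain}" if domain else None,
        "score": len(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed placeholder link in the shape of the campaign's "Clicca qui" URL.
    print(triage_link("https://compromised-site.example/wp-admin/index.html#jane.doe@example.org"))
    print(triage_link("https://www.example.org/login"))
```

The impersonated_domain field is the useful output for response: it tells you which organisation's users the link was built for, which is the team to notify even when the link itself has already been taken down.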

How to Protect Yourself

To protect against these evolving threats, it is crucial to adopt good cybersecurity practices. Organizations and individuals should be aware of adaptive phishing techniques and implement cybersecurity training to educate users on how to recognize and avoid online scams.

In addition, the use of advanced security solutions, such as anti-phishing filters and AI-based threat detection systems, can help mitigate the risk of falling victim to these sophisticated campaigns.

In conclusion, the phenomenon of adaptive phishing campaigns underscores the need for a proactive approach to cybersecurity. Only through awareness, training and the adoption of advanced defense measures can we effectively protect our personal and business information from this growing digital threat.

Below are the IoCs of the campaign:

https://urlscan.io/result/08e72fcf-0f89-46c2-864c-f4d404764358/

https://urlscan.io/result/232d8b5f-aead-4064-8451-2b4d37d5c2a3/

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Apple fixed actively exploited zero-day CVE-2024-23222

22 January 2024 at 20:48

Apple addressed the first zero-day vulnerability that impacts iPhones, Macs, and Apple TVs. The issue is actively exploited in the wild.

Apple released security updates to address a zero-day vulnerability, tracked as CVE-2024-23222, that impacts iPhones, Macs, and Apple TVs. This is the first actively exploited zero-day vulnerability fixed by the company this year.

The vulnerability is a type confusion issue that resides in WebKit. An attacker can exploit it by tricking victims into visiting maliciously crafted web content, achieving arbitrary code execution.

“Processing maliciously crafted web content may lead to arbitrary code execution.” reads the advisory published by the company. “Apple is aware of a report that this issue may have been exploited.”

The IT giant addressed the vulnerability with improved checks. The issue has been fixed in iOS 16.7.5 and later, iPadOS 16.7.5 and later, macOS Monterey 12.7.3 and later, and tvOS 17.3 and later.


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2024-23222)

Mother of all breaches – a historic data leak reveals 26 billion records: check what’s exposed

22 January 2024 at 22:05

Cybersecurity researcher Bob Dyachenko and CyberNews researchers discovered the largest data leak ever found.

The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak is almost certainly the largest ever discovered.

There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, has discovered billions upon billions of exposed records on an open instance whose owner is unlikely ever to be identified.

  • You can check if your data was exposed in historic data breaches using the Cybernews data leak checker. Our team is working hard to update the tool and provide you with means to check if your data was exposed in the MOAB.

However, the researchers believe that the owner has a vested interest in storing large amounts of data and, therefore, could be a malicious actor, data broker, or some service that works with large amounts of data.

“The dataset is extremely dangerous as threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts,” the researchers said.

The supermassive MOAB does not appear to be made up of newly stolen data only and is most likely the largest compilation of multiple breaches (COMB).

While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.


A quick run through the data tree reveals an astoundingly large number of records compiled from previous breaches. The largest number of records, 1.4 billion, comes from Tencent QQ, a Chinese instant messaging app.

However, there are supposedly hundreds of millions of records from Weibo (504M), MySpace (360M), Twitter (281M), Deezer (258M), LinkedIn (251M), AdultFriendFinder (220M), Adobe (153M), Canva (143M), VK (101M), Dailymotion (86M), Dropbox (69M), Telegram (41M), and many other companies and organizations.

The leak also includes records of various government organizations in the US, Brazil, Germany, Philippines, Turkey, and other countries.

According to the team, the consumer impact of the supermassive MOAB could be unprecedented. Since many people reuse usernames and passwords, malicious actors could embark on a tsunami of credential-stuffing attacks.

“If users use the same passwords for their Netflix account as they do for their Gmail account, attackers can use this to pivot towards other, more sensitive accounts. Apart from that, users whose data has been included in supermassive MOAB may become victims of spear-phishing attacks or receive high levels of spam emails,” the researchers said.

The leak’s scale is of as-yet-unseen proportions. For example, in 2021, Cybernews reported a COMB that contained 3.2 billion records, only 12% of the supermassive MOAB of 2024.

The full and searchable list of the leaks composing the MOAB is available in the original post published by CyberNews:

https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

About the author: Vilius Petkauskas, Deputy Editor at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog

23 January 2024 at 08:00

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds VMware vCenter Server Out-of-Bounds Write bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a VMware vCenter Server Out-of-Bounds Write bug, tracked as CVE-2023-34048, to its Known Exploited Vulnerabilities (KEV) catalog.

vCenter Server is a critical component in VMware virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.

In October, VMware addressed the flaw CVE-2023-34048 (CVSS score 9.8). On January 18, 2024, the virtualization giant updated its advisory, revealing that it is aware of exploitation “in the wild.”

“As of January 18, 2024 VMware is aware of exploitation ‘in the wild.’” reads the advisory.

This week, Mandiant researchers reported that China-linked APT group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021.

In June 2023, Mandiant researchers observed the cyberespionage group UNC3886 exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867.

Researchers from Mandiant first detailed the activity of the group in September 2022 when they discovered a novel malware persistence technique within VMware ESXi Hypervisors.

The technique was used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux.

The highly targeted and evasive nature of this attack leads the experts to believe that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.

In the attack investigated by Mandiant in September 2022, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files designed to manage virtual systems; they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.

Further investigation conducted by Mandiant revealed additional techniques the UNC3886 group used to target multiple organizations while evading EDR solutions.

In late 2023, Mandiant noticed that the VMware vmdird service had crashed minutes before the backdoors were deployed.

“Analysis of the core dump of “vmdird” by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems.” reads the report published by Mandiant.

Mandiant observed crashes across multiple UNC3886 cases between late 2021 and early 2022.

The researchers also noticed that most environments where these crashes were observed had log entries preserved; however, the ‘vmdird’ core dumps had been removed.

“VMware’s default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks.” concludes the report. “As mentioned in the VMware advisory, this vulnerability has since been patched in vCenter 8.0U2 and Mandiant recommends VMware users updating to the latest version of vCenter to account for this vulnerability seeing exploitation in the wild.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 12, 2024.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Black Basta gang claims the hack of the UK water utility Southern Water

23 January 2024 at 08:51

The Black Basta ransomware gang claimed to have hacked the UK water utility Southern Water, a major player in the UK water industry.

Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area.

The company is a major player in the UK water industry, it employs over 6,000 people and has an annual turnover of over £1 billion. It is committed to providing its customers with high-quality water and wastewater services.

The Black Basta ransomware group added Southern Water to the list of victims on its Tor data leak site and threatened to leak the stolen data on February 29, 2024.

Black Basta posts UK water utility Southern Water.

/southernwater.co[.]uk@GossiTheDog @UK_Daniel_Card @SOSIntel @joetidy pic.twitter.com/erEvd0DtBT

— Dominic Alvieri (@AlvieriD) January 22, 2024

The group claims to have stolen 750 gigabytes of sensitive data, including users’ personal documents and corporate documents.

The gang published some screenshots as proof of the attack, including passports, ID cards, and personal information of some employees.

At this time, it is unknown what ransom the group has demanded from the victim.

The Black Basta ransomware group has been active since April 2022. Like other ransomware operations, it implements a double-extortion attack model.

In early January, independent security research and consulting team SRLabs discovered a vulnerability in Black Basta ransomware’s encryption algorithm and exploited it to create a free decryptor.

Joint research by Elliptic and Corvus Insurance revealed that the group has accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall.

By analyzing blockchain transactions, the researchers discovered a clear link between Black Basta and the Conti Group.

In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.

The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.

SRLabs analyzed the encryption algorithm used by the ransomware and discovered a specific weakness in the variant used by the gang around April 2023. The ransomware employs encryption based on a ChaCha keystream, which is utilized to perform XOR operations on 64-byte-long chunks of the file.

The researchers determined that the position of the encrypted blocks depends on the file size, as indicated in the ranges.py script they reference. Depending on the file size, the ransomware encrypts the first 5000 bytes.

“Our analysis suggests that files can be recovered if the plaintext of 64 encrypted bytes is known. Whether a file is fully or partially recoverable depends on the size of the file. Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.” reads the post published by the researchers. “The recovery hinges on knowing the plaintext of 64 encrypted bytes of the file. In other words, knowing 64 bytes is not sufficient in itself since the known plaintext bytes need to be in a location of the file that is subject to encryption based on the malware’s logic of determining which parts of the file to encrypt. For certain file types knowing 64 bytes of the plaintext in the right position is feasible, especially virtual machine disk images.”

The experts pointed out that the weakness does not affect the encryption of the first 5,000 bytes of a file; for this reason, those bytes cannot be recovered, and files smaller than 5000 bytes cannot be recovered at all.
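To see why 64 bytes of known plaintext are enough, here is an added Python model of the scheme the paragraphs above describe: one 64-byte keystream block XORed onto selected chunks of the file. It is not SRLabs’ tool nor the malware’s code. The recovery described above only works if the same keystream bytes are applied to every encrypted chunk, so the model assumes that, and the chunk-selection rule in `encrypted_offsets` is a constructed stand-in for the size-dependent logic the article does not reproduce.

```python
import os

CHUNK = 64  # the malware XORs 64-byte chunks with keystream output


def encrypted_offsets(size):
    """Offsets of the chunks that get encrypted for a file of this size.

    Constructed stand-in for the size-dependent selection logic: here every
    fourth 64-byte chunk is encrypted. The real rule is not on this page."""
    return [off for off in range(0, size - CHUNK + 1, CHUNK) if (off // CHUNK) % 4 == 0]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(data, keystream_block):
    """Apply the SAME 64-byte keystream block to every selected chunk.

    Reusing one keystream block is the flaw: XOR with a repeated pad
    degrades to a classic known-plaintext problem."""
    if len(keystream_block) != CHUNK:
        raise ValueError("keystream block must be %d bytes" % CHUNK)
    buf = bytearray(data)
    for off in encrypted_offsets(len(data)):
        buf[off:off + CHUNK] = xor_bytes(buf[off:off + CHUNK], keystream_block)
    return bytes(buf)


def recover_keystream(cipher, known_plain, offset):
    """keystream = ciphertext XOR plaintext, valid only inside an encrypted chunk.

    If the known region is all zero bytes (common in VM disk images), the
    ciphertext there IS the keystream: the 'encrypted zero bytes' case above."""
    if len(known_plain) != CHUNK or offset not in encrypted_offsets(len(cipher)):
        raise ValueError("need 64 known plaintext bytes at an encrypted offset")
    return xor_bytes(cipher[offset:offset + CHUNK], known_plain)


def recover_file(cipher, known_plain, offset):
    """Decrypt every encrypted chunk with the recovered block (XOR is its own inverse)."""
    return weak_encrypt(cipher, recover_keystream(cipher, known_plain, offset))


def demo():
    keystream = os.urandom(CHUNK)           # stands in for one ChaCha output block
    plain = bytes(range(256)) * 40          # constructed 10240-byte "file"
    cipher = weak_encrypt(plain, keystream)
    off = encrypted_offsets(len(plain))[3]  # an encrypted chunk whose content we know
    return cipher != plain and recover_file(cipher, plain[off:off + CHUNK], off) == plain


if __name__ == "__main__":
    print("full recovery:", demo())
```

The check in `recover_keystream` mirrors the caveat quoted above: 64 known bytes help only when they sit in a chunk the malware actually encrypted, which is why SRLabs say manual review is needed to confirm where the known plaintext falls.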

SRLabs developed tools that enable users to analyze encrypted files and determine if decryption is possible.

The decryptauto tool may allow recovery of files that contain encrypted zero bytes.

“Depending on how many times and to what extent the malware encrypted the file, manual review is required to fully recover a file.” continue the researchers.

The bad news is that Black Basta has fixed the issue. The decryptor only allows recovering files encrypted before December 2023.

“The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for free. However, BleepingComputer has learned that the Black Basta developers fixed the bug in their encryption routine about a week ago, preventing this decryption technique from being used in newer attacks.” reported Bleeping Computer.


Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta)

LoanDepot data breach impacted roughly 16.6 million individuals

23 January 2024 at 11:22

Financial services company LoanDepot disclosed a data breach that impacted roughly 16.6 million individuals.

LoanDepot is a financial services company that primarily operates as a mortgage lender. It is one of the largest nonbank lenders in the United States. The company provides a range of mortgage and non-mortgage loan products and services.

LoanDepot disclosed this week a data breach that impacted roughly 16.6 million individuals. The data breach is the result of a ransomware attack that was detected earlier this month. The Company shut down certain systems to prevent the threat from spreading.

“The Company has been working diligently with outside forensics and security experts to investigate the incident and restore normal operations as quickly as possible. The Company has made significant progress in restoring our loan origination and loan servicing systems, including our MyloanDepot and Servicing customer portals.” reads an update on the cyber incident provided by the company. “Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems.”

The company immediately launched an investigation into the incident with the help of cybersecurity experts. LoanDepot also notified law enforcement and regulators.

“loanDepot, Inc. (the “Company”) recently identified a cybersecurity incident affecting certain of the Company’s systems. Upon detecting unauthorized activity, the Company promptly took steps to contain and respond to the incident, including launching an investigation with assistance from leading cybersecurity experts, and began the process of notifying applicable regulators and law enforcement.” reads the Form 8-K filing with the Securities and Exchange Commission (SEC) on January 4, 2024.

“Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third party activity included access to certain Company systems and the encryption of data. In response, the Company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident.”

The company is offering credit monitoring and identity protection services for free to the impacted individuals.

“Unfortunately, we live in a world where these types of attacks are increasingly frequent and sophisticated, and our industry has not been spared. We sincerely regret any impact to our customers,” said loanDepot CEO Frank Martell. “The entire loanDepot team has worked tirelessly throughout this incident to support our customers, our partners and each other. I am pleased by our progress in quickly bringing our systems back online and restoring normal business operations.”


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Australian government announced sanctions for Medibank hacker

23 January 2024 at 14:48

The Australian government announced sanctions for a member of the REvil ransomware group for the Medibank hack that occurred in 2022.

The Australian government announced sanctions for Aleksandr Gennadievich Ermakov (aka GustaveDore, aiiis_ermak, blade_runner, JimJones), a Russian national who is a member of the REvil ransomware group. The man is responsible for the cyber attacks that in 2022 hit the Australian insurance provider Medibank.

“This morning I can announce that Australia has used cyber sanctions powers for the very first time on a Russian individual for his role in the breach of the Medibank Private network. As you might recall, more than 9 million records of Australians, including names, dates of birth, Medicare numbers and sensitive information were stolen in the 2022 attack, and the majority published on the dark web. It was an egregious violation, it impacted some of the most vulnerable members of the Australian community. I can confirm that thanks to the hard work of the Australian Signals Directorate and the AFP we have linked Russian citizen and cyber criminal Aleksandr Ermakov to the attack.” said Penny Wong, Foreign Minister. “The sanctions imposed are targeted financial sanctions and a travel ban. This will mean it is a criminal offence punishable with up to 10 years’ imprisonment to provide assets to Ermakov, or to use or deal with his assets including through cryptocurrency wallets or ransomware payments. This is the first time Australia’s autonomous cyber sanctions have been used. It sends a clear message that there are costs and consequences for targeting Australia and for targeting Australians. “

In November 2022, Medibank announced that personal data belonging to around 9.7M current and former customers had been exposed as a result of a recent ransomware attack.

Medibank is one of the largest Australian private health insurance providers with approximately 3.9 million customers.

The company discovered the ransomware attack on October 12. The attackers had access to data belonging to around 5.1 million Medibank customers, around 2.8 million ahm customers, and around 1.8 million international customers.

In early November 2022, the threat actors leaked stolen data associated with roughly 10 million individuals.

Australian police investigated the case and discovered that Ermakov had a crucial role in the hack of the company. The Home Affairs and Cyber Security Minister of Australia has affirmed that Ermakov was not apprehended by Russian authorities in connection with the police operation targeting the REvil group.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Watch out, a new critical flaw affects Fortra GoAnywhere MFT

23 January 2024 at 22:09

Fortra addressed a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) product.

Fortra warns customers of a new authentication bypass vulnerability tracked as CVE-2024-0204 (CVSS score 9.8), impacting the GoAnywhere MFT (Managed File Transfer) product.

Fortra GoAnywhere Managed File Transfer is a comprehensive solution for secure file transfer, data encryption, and compliance management. It provides a centralized platform for managing and automating file transfers between disparate systems and applications, enabling secure and controlled data movement across an organization’s network.

An unauthorized user can exploit the flaw CVE-2024-0204 to create admin users using the administration portal of the appliance. The flaw was reported by Mohammed Eldeeb & Islam Elrfai from Spark Engineering Consultants on December 1, 2023.

The vulnerability impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier. Fortra addressed the issue with the release of GoAnywhere MFT 7.4.1.

“Upgrade to version 7.4.1 or higher.” reads the advisory published by the vendor. “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart.”

Fortra is not aware of attacks in the wild exploiting this vulnerability.

In February 2023, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting another zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere Managed File Transfer secure file transfer tool.


Pierluigi Paganini

(SecurityAffairs – hacking, Fortra)

Splunk fixed high-severity flaw impacting Windows versions

24 January 2024 at 08:35

Splunk addressed multiple vulnerabilities in Splunk Enterprise, including a high-severity flaw impacting Windows installs.

Splunk addressed multiple vulnerabilities in Splunk Enterprise, including a high-severity flaw, tracked as CVE-2024-23678 (CVSS score 7.5), impacting the Windows version.

According to the advisory, Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3 does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine.

Deserialization of untrusted data can allow malicious code to be executed on the system. This is because the serialized data can contain instructions that the application will execute when it deserializes the data. For example, if an application deserializes a malicious JSON object, the object could contain JavaScript code that would be executed when the application parses the JSON object.

This vulnerability only affects Splunk Enterprise for Windows.

Customers are recommended to upgrade to versions 9.0.8, 9.1.3, or higher. The vendor pointed out that the vulnerability does not affect the Cloud Platform.

The issue was discovered by Danylo Dmytriiev (DDV_UA).

The company did not reveal if it is aware of attacks in the wild exploiting this vulnerability.

Below are other vulnerabilities addressed by the company:

Advisory ID | Published | Title | Severity | CVE
SVD-2024-0107 | 2024-01-22 | Server Response Disclosure in RapidDiag Salesforce.com Log File | Medium | CVE-2024-23677
SVD-2024-0106 | 2024-01-22 | Sensitive Information Disclosure of Index Metrics through “mrollup” SPL Command | Medium | CVE-2024-23676
SVD-2024-0105 | 2024-01-22 | Splunk App Key Value Store (KV Store) Improper Handling of Permissions Leads to KV Store Collection Deletion | Medium | CVE-2024-23675


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2024-23678)

Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations

24 January 2024 at 11:09

A ransomware attack against the Finnish IT services provider Tietoevry disrupted the services of some Swedish government agencies and shops.

The online services of multiple Swedish government agencies, universities, and businesses were disrupted by an Akira ransomware attack that hit the Finnish IT services and enterprise cloud hosting provider Tietoevry.

Tietoevry is a Finnish multinational information technology (IT) and consulting company that provides managed services and cloud hosting for the enterprise.

The company said that the ransomware attack took place on Friday night and impacted only one data center in Sweden. The company immediately launched an investigation into the incident and is working to restore its services. Tietoevry notified law enforcement and impacted customers. Impacted customers include Sweden’s largest cinema chain Filmstaden (the attack disrupted its online ticket system) and the discount retail chain Rusta.

“The attack was limited to one part of one of our Swedish datacenters, impacting Tietoevry’s services to some of our customers in Sweden. Tietoevry immediately isolated the affected platform, and the ransomware attack has not affected other parts of the company’s infrastructure. Tietoevry has taken highest level of action to investigate, mitigate and resolve the situation.” reads a press release published by the company. “A large team of experts are working on several tracks in parallel around the clock on this. We have notified the directly affected customers and are in dialogue with them for updates on the situation.”

BleepingComputer first reported that the security breach was the result of an Akira ransomware attack.

The company later confirmed the news of an Akira ransomware attack.

“The malicious attack based on Akira ransomware on one of our datacenters in Sweden took place during the night of January 19-20. Tietoevry takes the situation very seriously and has an extensive team of experts and technicians working around the clock to minimize the impact and restore services.” reads an update published by the services provider.

The attack impacted the company’s managed Payroll and HR system named Primula, which is used by Sweden government agencies, including the centralized human resources system used by Sweden’s national government service center (Statens Servicecenter).

At present, Tietoevry cannot provide a definite timeframe for the complete restoration process due to the complexity of the security breach. The overall duration may span several days, possibly weeks.

“Currently, Tietoevry cannot say how long the restoration process as a whole will take – considering the nature of the incident and the number of customer-specific systems to be restored, the total timespan may extend over several days, even weeks. We are focused on resolving this as soon as technically possible, in close collaboration with the customers in question.” concludes the update.

The company did not disclose details about the attack; it is unclear whether the threat actors also stole data from its systems.

In January 2024, the Finnish National Cybersecurity Center (NCSC-FI) reported an increase in Akira ransomware attacks targeting organizations in the country. The threat actors are wiping NAS and backup devices.

Akira ransomware infections were first reported in Finland in June 2023, however, in December the number of attacks increased. According to the NCSC-FI, six out of seven infections were caused by Akira family malware.

The ransomware attacks reported in late 2023 targeted organizations’ networks through poorly secured VPN gateways on Cisco ASA or FTD devices. The attackers exploited the vulnerability CVE-2023-20269 in Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). An unauthenticated, remote attacker can exploit the vulnerability to conduct a brute force attack in an attempt to identify valid username and password combinations, or an authenticated, remote attacker can use it to establish a clientless SSL VPN session with an unauthorized user.

The Akira ransomware has been active since March 2023. The threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.


Pierluigi Paganini

(SecurityAffairs – hacking, Akira ransomware attack)

Experts released PoC exploit for Fortra GoAnywhere MFT flaw CVE-2024-0204

24 January 2024 at 14:37

Researchers released PoC exploit code for a recently disclosed critical authentication bypass flaw in Fortra’s GoAnywhere MFT (Managed File Transfer).

Researchers with cybersecurity firm Horizon3’s Attack Team published technical details of the recently disclosed vulnerability CVE-2024-0204 impacting Fortra GoAnywhere MFT.

The security experts also published a proof-of-concept (PoC) exploit that allows the creation of new admin users on vulnerable instances exposed online.

“The advisory mentions that the endpoint /InitialAccountSetup.xhtml can be deleted and the service restarted to mitigate the issue. Looking through the application directories, we find that this endpoint is mapped to the com.linoma.ga.ui.admin.users.InitialAccountSetupForm class by inspecting the file GoAnywhere/adminroot/WEB-INF/forms-faces.xml.” reads the analysis published by Horizon3.

Yesterday, Fortra warned customers of a new authentication bypass vulnerability tracked as CVE-2024-0204 (CVSS score 9.8), impacting the GoAnywhere MFT (Managed File Transfer) product.

Fortra GoAnywhere Managed File Transfer is a comprehensive solution for secure file transfer, data encryption, and compliance management. It provides a centralized platform for managing and automating file transfers between disparate systems and applications, enabling secure and controlled data movement across an organization’s network.

An unauthorized user can exploit the flaw CVE-2024-0204 to create admin users using the administration portal of the appliance. The flaw was reported by Mohammed Eldeeb & Islam Elrfai from Spark Engineering Consultants on December 1, 2023.

Fortra initially issued private advisories to customers on December 4, recommending that they apply mitigations immediately.

we @IslamRalsaid1 got some zero-days vulnerabilities in "goanywhere" product , patch your instance ASAP#0day #bugbounty pic.twitter.com/pazqDpYKmZ

— mohammed eldeeb (@malcolmx0x) December 5, 2023

The vulnerability impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier. Fortra addressed the issue with the release of GoAnywhere MFT 7.4.1.

“Upgrade to version 7.4.1 or higher.” reads the advisory published by the vendor. “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. “

Fortra is not aware of attacks in the wild exploiting this vulnerability.

Horizon3 researchers built their exploit around a path normalization issue that lets a request reach the vulnerable endpoint (/InitialAccountSetup.xhtml) even though the application's filter is supposed to block it once an admin user exists. Once they reached the endpoint, they could walk through the initial account setup wizard and create a new administrator account.

“We considered the patches we observed and this logic, and without a way to pass the isAdminUserCreated check we were unsure exactly how this bypass could occur. Instead of using logic, and instead using our spidey senses, we considered if possibly there was a path normalization issue.” continues the analysis. “Classically for Tomcat based applications, there exist path traversal issues when the request contains /..;/. Trying to request the supposed vulnerable endpoint now with a request that looks like https://192.168.1.1:8001/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml leads to the application now routing us to the setup page again!”

Figure: Bypassing doFilter() with /..;/ (source: Horizon3)
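To make the bypass class concrete, here is an added example (not Horizon3's or Fortra's code). It models a hypothetical servlet-filter-style gate that compares the raw request URI against the setup endpoint, next to an approximation of how Tomcat turns a request URI into a servlet path: path parameters (the ";..." part of a segment) are dropped per segment, and only then are ".." segments resolved. The gate and the router therefore see two different paths for the same request. The endpoint path, the `admin_user_created` flag and the gate's exact comparison are assumptions; the fixed variant decides on the normalized path instead, and a small helper flags request paths that normalize to the protected endpoint without being equal to it, which is the kind of check you would run over an access log.

```python
"""Added example, not product code: model of a /..;/ path-normalization bypass.

Assumptions: the gate compares the raw URI to SETUP_ENDPOINT and only blocks
when an admin user already exists; tomcat_style_normalize() approximates the
container's URI-to-servlet-path mapping (it is not Tomcat itself).
"""

SETUP_ENDPOINT = "/goanywhere/wizard/InitialAccountSetup.xhtml"   # assumed path


def tomcat_style_normalize(raw_uri: str) -> str:
    """Approximation of the container's mapping: strip ';param' path
    parameters from every segment (so '..;' becomes '..'), then collapse
    '.' and '..' segments. Tomcat itself has more rules (encoding checks,
    rejected sequences); this is enough to show the disagreement."""
    out = []
    for seg in raw_uri.split("/"):
        seg = seg.split(";", 1)[0]          # '..;jsessionid=abc' -> '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_gate(raw_uri: str, admin_user_created: bool) -> bool:
    """Vulnerable model: decides on the raw URI the client sent.
    Returns True when the request is allowed to continue."""
    if admin_user_created and raw_uri == SETUP_ENDPOINT:
        return False
    return True


def hardened_gate(raw_uri: str, admin_user_created: bool) -> bool:
    """Fixed model: decides on the same normalized path the router uses."""
    if admin_user_created and tomcat_style_normalize(raw_uri) == SETUP_ENDPOINT:
        return False
    return True


def setup_page_reachable(raw_uri: str, gate, admin_user_created: bool = True) -> bool:
    """True if the request passes `gate` AND the router sends it to the setup page."""
    allowed = gate(raw_uri, admin_user_created)
    return allowed and tomcat_style_normalize(raw_uri) == SETUP_ENDPOINT


def find_bypass_attempts(raw_uris):
    """Detection helper over request paths (for example pulled from an access
    log): flag URIs that are not the setup endpoint as written but normalize
    to it, which is exactly what a '..;' or dot-segment trick produces."""
    return [u for u in raw_uris
            if u != SETUP_ENDPOINT and tomcat_style_normalize(u) == SETUP_ENDPOINT]


if __name__ == "__main__":
    bypass = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
    print("direct request, naive gate   :", setup_page_reachable(SETUP_ENDPOINT, naive_gate))  # False
    print("/..;/ request,  naive gate   :", setup_page_reachable(bypass, naive_gate))          # True
    print("/..;/ request,  hardened gate:", setup_page_reachable(bypass, hardened_gate))       # False
    print("flagged:", find_bypass_attempts(["/goanywhere/Dashboard.xhtml", bypass]))
```

The lesson is independent of this product: any authorization decision taken on `getRequestURI()` or another un-normalized form of the path can be bypassed whenever the container normalizes differently, so the check has to run on the path the router actually dispatches on (or the protected resource has to be removed outright, which is what Fortra's workaround of deleting InitialAccountSetup.xhtml does).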

Organizations should review the 'Admin users' group in the GoAnywhere administrator portal for accounts they did not create; an unrecognized admin user is an indicator of compromise. If one is found, it is essential to review the logs to determine what that account did after it was created.

With Horizon3's PoC exploit code public, attacks against unpatched, internet-exposed GoAnywhere MFT instances should be expected.

In February, 2023, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting another zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere Managed File Transfer secure file transfer tool.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortra)

5379 GitLab servers vulnerable to zero-click account takeover attacks

24 January 2024 at 19:05

Thousands of GitLab servers are vulnerable to zero-click account takeover attacks exploiting the flaw CVE-2023-7028.

GitLab has recently released security updates to address two critical vulnerabilities impacting both the Community and Enterprise Edition.

The most critical vulnerability, tracked as CVE-2023-7028 (CVSS score 10), is an account takeover via Password Reset. The flaw can be exploited to hijack an account without any user interaction. Accounts with two-factor authentication enabled can still have their password reset, but cannot be taken over, because the second factor is still required to log in.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.” reads the advisory published by GitLab.

The flaws impact the following versions:

  • 16.1 prior to 16.1.6
  • 16.2 prior to 16.2.9
  • 16.3 prior to 16.3.7
  • 16.4 prior to 16.4.5
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2

GitLab addressed the flaw in releases 16.7.2, 16.6.4 and 16.5.6, and backported the fix to 16.4.5, 16.3.7, 16.2.9 and 16.1.6.

The company is not aware of attacks in the wild exploiting the vulnerability CVE-2023-7028. GitLab recommends that self-managed customers review their logs for possible exploitation attempts:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
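The two checks above are easy to script. What follows is an added example, not GitLab's code: both log files are one JSON object per line, so the script parses each line, applies the advisory's two conditions, and returns the matching events with the source IP and the list of addresses the reset was sent to. The sample lines are constructed for this example, not real logs. Field names follow the advisory; the audit key is also looked up as `meta.caller_id`, which is an assumption about how the dotted key appears in the file, so check against a real entry from your own instance.

```python
"""Added example (not GitLab's code): hunt for CVE-2023-7028 exploitation
attempts in gitlab-rails/production_json.log and gitlab-rails/audit_json.log.

The tell in both logs is the same: a password-reset request whose email
parameter is a JSON *array* with more than one address, i.e. the reset
token was mailed to an address the victim never verified.
"""
import json

# Constructed sample lines (not real logs). Second production line and first
# audit line model an attempt: user[email] submitted as a two-element array.
SAMPLE_PRODUCTION_LOG = [
    '{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,'
    '"time":"2024-01-12T10:00:00.000Z","remote_ip":"203.0.113.10",'
    '"params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}]}',
    '{"method":"POST","path":"/users/password","controller":"PasswordsController","action":"create","status":302,'
    '"time":"2024-01-12T10:05:00.000Z","remote_ip":"198.51.100.7",'
    '"params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["alice@example.com","attacker@example.net"]}}]}',
    '{"method":"GET","path":"/users/sign_in","status":200,"time":"2024-01-12T10:06:00.000Z","remote_ip":"192.0.2.5","params":[]}',
]
SAMPLE_AUDIT_LOG = [
    '{"severity":"INFO","time":"2024-01-12T10:05:00.000Z","meta.caller_id":"PasswordsController#create",'
    '"target_details":["alice@example.com","attacker@example.net"],"ip_address":"198.51.100.7"}',
    '{"severity":"INFO","time":"2024-01-12T10:00:00.000Z","meta.caller_id":"PasswordsController#create",'
    '"target_details":"alice@example.com","ip_address":"203.0.113.10"}',
]


def _parse(line):
    """Return the JSON object on this line, or None for blank/garbled lines."""
    try:
        return json.loads(line)
    except ValueError:
        return None


def _reset_emails(params):
    """Pull the value submitted as user[email] out of a production_json.log
    'params' list. Handles the nested {"key":"user","value":{"email":...}}
    form and a flat "user[email]" key (assumed variant)."""
    for p in params or []:
        if p.get("key") == "user" and isinstance(p.get("value"), dict):
            return p["value"].get("email")
        if p.get("key") == "user[email]":
            return p.get("value")
    return None


def check_production_line(line):
    """Advisory check 1: POST /users/password whose user[email] is an array
    of more than one address. Returns a hit dict or None."""
    ev = _parse(line)
    if not ev or ev.get("method") != "POST":
        return None
    if ev.get("path", "").split("?", 1)[0] != "/users/password":
        return None
    emails = _reset_emails(ev.get("params"))
    if isinstance(emails, list) and len(emails) > 1:
        return {"log": "production_json.log", "time": ev.get("time"),
                "remote_ip": ev.get("remote_ip"), "emails": emails}
    return None


def check_audit_line(line):
    """Advisory check 2: audit entry from PasswordsController#create whose
    target_details is an array of more than one address."""
    ev = _parse(line)
    if not ev:
        return None
    caller = ev.get("meta.caller_id", ev.get("meta.caller.id"))   # assumed key spelling
    if caller != "PasswordsController#create":
        return None
    targets = ev.get("target_details")
    if isinstance(targets, list) and len(targets) > 1:
        return {"log": "audit_json.log", "time": ev.get("time"),
                "remote_ip": ev.get("ip_address"), "emails": targets}
    return None


def scan_logs(production_lines, audit_lines):
    """Run both checks; production hits first, then audit hits."""
    hits = []
    for line in production_lines:
        hit = check_production_line(line)
        if hit:
            hits.append(hit)
    for line in audit_lines:
        hit = check_audit_line(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_PRODUCTION_LOG, SAMPLE_AUDIT_LOG):
        print(f"{hit['log']}: {hit['time']} from {hit['remote_ip']} -> {hit['emails']}")
```

On a real instance, replace the sample lists with `open("/var/log/gitlab/gitlab-rails/production_json.log")` and the audit file, and rotate through archived copies as well: a successful takeover may predate the current log. Any hit means the reset token reached an address the account owner never verified, so treat every address other than the account's own as attacker-controlled, rotate the account's credentials and sessions, and check what that account did afterwards.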

Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month.

Researchers from ShadowServer reported that 5,379 instances exposed online are vulnerable to this flaw.

Running GitLab? We are sharing instances vulnerable to CVE-2023-7028 (Account Takeover via Password Reset without user interactions) – 5379 instances found worldwide (on 2024-01-23). Top: US (964) & Germany (730)

Check for signs of compromise and patch: https://t.co/XqIbXO5GBp pic.twitter.com/6f3v9oHaOG

— Shadowserver (@Shadowserver) January 24, 2024

Most of the vulnerable servers are in the United States (964), Germany (730), and Russia (721).


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2023-7028)
