
Hundreds of network operators’ credentials found circulating in Dark Web

30 January 2024 at 08:56

Hundreds of compromised credentials of customers of RIPE, APNIC, AFRINIC, and LACNIC are available on the dark web, Resecurity warns.

Resecurity conducted a thorough scan of the Dark Web and identified over 1,572 compromised customers of RIPE, Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC), resulting from infostealer infections. This figure also includes historical records and new artifacts identified in January 2024, following an analysis of Command and Control (C2) servers and underground marketplaces. Following a recent and highly disruptive cyberattack on telecom carrier Orange España, the cybersecurity community needs to rethink its approach to safeguarding the digital identity of staff involved in network engineering and IT infrastructure management.

Resecurity has notified victims whose credentials were compromised by infostealers like Azorult, Redline, Vidar, Lumma, and Taurus and exposed on the Dark Web. Based on the collected feedback, cybersecurity experts were able to build the following statistics:

  • 45% were not aware of the identified compromised credentials and acknowledged a successful password change and the enabling of 2FA;
  • 16% were already aware of the identified compromised credentials as a result of an infection by malicious code and had made the necessary password changes and enabled 2FA on their accounts;
  • 14% were aware of the compromised credentials, but enabled 2FA only after notification (statement received);
  • 20% acknowledged the need to perform a deeper investigation of the incident leading to the credential compromise; for example, some recipients confirmed that 2FA was enabled, but lacked knowledge of how and when exactly the compromise happened and which credentials (to other apps and systems) could have been exfiltrated from the victim by the password stealer;
  • 5% of recipients were not able to provide any feedback and/or aimed to identify a relevant point of contact in their organization to review the issue.

As an example of compromised accounts, Resecurity outlined exposed access credentials belonging to a major data center and one of the largest vendors providing international-scale network telephony connectivity to governmental and national telecom providers in Africa. Other identified victims were associated with significant organizations, including:

  • Scientific research organization from Iran;
  • Major financial organization from Kenya;
  • One of the largest IT consulting firms in Azerbaijan, known for offering services like telecommunications, integrated network, and cloud solutions to enterprises and government entities;
  • A major financial organization in Spain;
  • One of the largest gambling providers in EU;
  • ICT technology provider based in Saudi Arabia;
  • An Israeli communications satellite operator;
  • A government agency from Iraq;
  • A not-for-profit Internet Exchange (IXP), established in Riffa, located in the Southern Governorate of Bahrain.

Significantly, most of the compromised network administrators used email addresses registered with free providers, including Gmail, GMX, and Yahoo. These details could be highly valuable to cyberespionage groups that are laser-focused on specific targets, such as network administrators and their circle of contacts. Acquiring information about their personal emails could lead to more sophisticated campaigns and enhance the likelihood of successful reconnaissance.

The actions of bad actors extend beyond simple credential theft. With access to network settings, they may alter existing configurations or introduce deceptive elements, potentially creating havoc on enterprise infrastructure. Such unauthorized modifications could lead to severe disruptions in service and security breaches, underscoring the critical need for heightened vigilance and robust security protocols in safeguarding digital assets.

The collected statistics may confirm that staff involved in network engineering and mission-critical IT management operations can also be victimized by malicious code. Their accounts, once compromised, have the potential to act as “low-hanging fruit” for massive cyberattacks.

Cybersecurity experts at Resecurity have highlighted the escalating risks stemming from the Dark Web, where malicious actors may exploit compromised credentials of ISP/Telco engineers, Data-Center Technicians, Network Engineers, IT Infrastructure Managers, and Outsourcing companies that manage networks for their enterprise clients. As such, this employee category represents a high-value target for sophisticated threat actors. Highlighting the risk landscape, Resecurity’s Dark Web analysis identified multiple compromised credentials belonging to network engineers that could grant threat actors access to gateways like: enterprise identity and access management (IAM), virtualization systems, various cloud providers, and backup and disaster recovery systems.

Additional information about the investigation conducted by Resecurity is available here:

https://www.resecurity.com/blog/article/hundreds-of-network-operators-credentials-found-circulating-in-dark-web

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dark web)

Juniper Networks released out-of-band updates to fix high-severity flaws

30 January 2024 at 15:08

Juniper Networks released out-of-band updates to fix high-severity flaws in SRX Series and EX Series that can allow attackers to take over unpatched systems.

Juniper Networks has released out-of-band updates to address two high-severity flaws, tracked as CVE-2024-21619 and CVE-2024-21620, in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.

The flaw CVE-2024-21619 (CVSS score: 5.3) is a Missing Authentication for Critical Function vulnerability. An unauthenticated, network-based attacker can chain this issue with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series to access sensitive system information.

“When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder.” reads the advisory. “An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device trying to guess the name of such a file. Successful exploitation will reveal configuration information.”

The flaw CVE-2024-21620 (CVSS score: 8.8) is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series. An attacker can trigger the flaw to craft a URL that when visited by another user enables the attacker to execute commands with the target’s permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives.

The vendor also addressed two other vulnerabilities respectively tracked as CVE-2023-36846 and CVE-2023-36851:

  • CVE-2023-36846 (CVSS score: 5.3) – A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
  • CVE-2023-36851 (CVSS score: 5.3) – A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. 

The vulnerabilities were reported by cybersecurity firm watchTowr. As a workaround, the company recommends disabling J-Web or limiting access to only trusted hosts.


Pierluigi Paganini

(SecurityAffairs – hacking, Juniper Networks)

750 million Indian mobile subscribers’ data offered for sale on dark web

30 January 2024 at 19:24

Data of 750 million Indian mobile subscribers was offered for sale on dark web hacker forums earlier in January.

CloudSEK researchers warned that a database containing data of 750 million Indian mobile subscribers was offered for sale on dark web hacker forums earlier in January.

According to the researchers, at least two cybercrime gangs, CYBO CREW affiliates known as CyboDevil and UNIT8200, were offering the database for $3,000.

The database is 1.8TB in size and contains Indian mobile subscribers’ names, phone numbers, addresses, and Aadhaar details.

The cyber gangs claim to have “obtained the data through undisclosed asset work within law enforcement channels” rather than as a result of a leak from Indian telcos. CloudSEK told The Register that its initial investigation found that the leak affects all major telecom providers. “The leak of Personally Identifiable Information (PII) poses a huge risk to both individuals and organizations, potentially leading to financial losses, identity theft, reputational damage, and increased susceptibility to cyber attacks.”

CloudSEK notified relevant authorities and potentially impacted organizations.

The data leak exposes mobile subscribers to serious risks; the stolen data can be used to carry out a broad range of malicious activities against them, including financial fraud and identity theft.


Pierluigi Paganini

(SecurityAffairs – hacking, dark web)

Italian data protection authority said that ChatGPT violated EU privacy laws

30 January 2024 at 20:24

The Italian data protection authority, the Garante, said that ChatGPT violated European Union data privacy regulations.

The Italian data protection authority, known as “Garante per la protezione dei dati personali”, announced it has notified OpenAI that ChatGPT violated the EU data protection regulation GDPR.

In early April 2023, the Italian Data Protection Authority temporarily banned ChatGPT due to the illegal collection of personal data and the absence of systems for verifying the age of minors.

The Authority pointed out that OpenAI does not alert users that it is collecting their data.

At the time the privacy watchdog said that there is no legal basis underpinning the massive collection and processing of personal data to ‘train’ the algorithms on which the platform relies.

The Authority carried out some tests on the service and determined that the information it provides does not always match factual circumstances, so inaccurate personal data are processed.

The Authority claimed that ChatGPT exposes minors to inappropriate responses for their age despite the service being designed to respond to users aged above 13.

At the time, OpenAI declared it had fulfilled the demands of the Italian data protection authority by the April 30 deadline; for this reason, the ban on the chatbot was lifted.

“Following the temporary ban on processing imposed on OpenAI by the Garante on 30 March of last year, and based on the outcome of its fact-finding activity, the Italian DPA concluded that the available evidence pointed to the existence of breaches of the provisions contained in the EU GDPR.” reads the announcement published by the Italian Garante. “OpenAI may submit its counterclaims concerning the alleged breaches within 30 days.”

The Italian privacy watchdog, based on the results of its ‘fact-finding activity,’ has determined that the popular chatbot ChatGPT violated EU privacy rules.

The Italian authority has given OpenAI 30 days to respond to the allegations.


Pierluigi Paganini

(SecurityAffairs – hacking, ChatGPT)

Root access vulnerability in GNU Library C (glibc) impacts many Linux distros

30 January 2024 at 22:47

Qualys researchers discovered a root access flaw, tracked as CVE-2023-6246, in GNU Library C (glibc) affecting multiple Linux distributions.

The Qualys Threat Research Unit discovered four security vulnerabilities in the GNU Library C (glibc), including a heap-based buffer overflow tracked as CVE-2023-6246.

GNU C Library (glibc) is a free software library that provides essential system services for Linux and other Unix-like operating systems.

The flaw resides in glibc’s syslog function; an attacker can exploit it to gain root access through privilege escalation.

The vulnerability was introduced in glibc 2.37 in August 2022.

“We discovered a heap-based buffer overflow in the GNU C Library’s __vsyslog_internal() function, which is called by both syslog() and vsyslog().” reads the advisory published by Qualys. “This vulnerability was introduced in glibc 2.37 (in August 2022) by the following commit: https://sourceware.org/git?p=glibc.git;a=commit;h=52a5be0df411ef3ff45c10c7c308cb92993d15b1 and was also backported to glibc 2.36 because this commit was a fix for another, minor vulnerability in __vsyslog_internal() (CVE-2022-39046, an “uninitialized memory [read] from the heap”).”

The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these logging functions. 

The researchers pointed out that glibc is present in the vast majority of Linux operating system distributions. Qualys tested the vulnerability across Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.

The other issues discovered by Qualys are:

  • A qsort vulnerability due to a missing bounds check that can lead to memory corruption. It has been present in all versions of glibc since 1992.
  • The remaining two flaws are an off-by-one heap buffer overflow tracked as CVE-2023-6779 and an integer overflow issue tracked as CVE-2023-6780.

More details are available in the post published by Saeed Abbasi, Product Manager, Qualys Threat Research Unit.


Pierluigi Paganini

(SecurityAffairs – hacking, glibc)

Data leak at fintech giant Direct Trading Technologies

31 January 2024 at 08:50

Sensitive data and trading activity of over 300K traders leaked online by international fintech firm Direct Trading Technologies.

Direct Trading Technologies, an international fintech company, jeopardized over 300K traders by leaking their sensitive data and trading activity, thereby putting them at risk of an account takeover.

On October 27th, the Cybernews research team discovered a misconfigured web server with backups and development code references allegedly belonging to the fintech company Direct Trading Technologies.

Direct Trading Technologies (DTT) is an international fintech company offering trading platforms for stocks, forex, precious metals, energies, indices, Contracts for Difference (CFDs), and cryptocurrencies. Also, DTT offers white-label services for fintech solutions.

Directory listing. Source: Cybernews

While the main clientele is based in Saudi Arabia, the company has offices in the UK, Lithuania, UAE, Kuwait, Colombia, Turkey, Bahrain, Lebanon, and the Republic of Vanuatu.

The discovered directory included multiple database backups, each holding a significant amount of sensitive information about the company’s users and partners. The leak poses a variety of risks, ranging from identity theft to the takeover and cashing-out of traders’ accounts.

Cybernews contacted the company with our findings. While the problem was fixed, an official response from the company is still yet to be received.

Account data. Source: Cybernews

Sensitive data leaked

The leaked data included the trading activity of over 300,000 users spanning the past six years, along with names, email addresses, emails sent by the company, and IP addresses.

Leaked emails. Source: Cybernews

Users holding the company’s email addresses, potentially the employees, had their passwords exposed in plaintext. Hashed passwords to access user accounts on the DTT trading platform were also leaked. Some clients had their home addresses, phone numbers, and partial credit card details exposed.

Full list of leaked data

  • Trading account activity
  • Contents of emails sent by DTT
  • User IP addresses, emails, usernames, and plaintext passwords
  • Notes on outreach calls
  • Names
  • Email addresses
  • Phone numbers
  • Home addresses
  • Hashed passwords
  • Database endpoints and plaintext credentials of white-label customers (endpoints were protected by IP whitelists)
  • Locations where KYC documents are stored, filenames, types, expiration dates, and other metadata

While Know Your Customer (KYC) documents were not exposed, the leaked files revealed the locations where the documents are stored and other metadata.

The credentials of clients using the white-label service were exposed in plaintext, along with details of database locations and negotiated commission percentages.

The leaked data also contained internal comments from the company’s outreach team regarding the calls they made. The file shows that some clients are called “idiots” in the company’s system.

Outreach team’s comments. Source: Cybernews

Potential takeover of financial accounts

With the fintech industry experiencing rapid growth, this leak stands as a clear reminder of the critical role of robust cybersecurity measures. Fintech companies manage and store exceptionally sensitive customer data.

Users’ data. Source: Cybernews

Traders are prime targets for threat actors because their accounts hold significant value. If you want to know more about the risks for traders, take a look at the original post:

Original post: https://cybernews.com/security/direct-trading-technologies-data-leak/

About the author: Paulina Okunytė, Journalist at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, fintech)

Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware

31 January 2024 at 11:45

Threat actors are exploiting recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) VPN devices to deliver KrustyLoader.

In early January 2024, software firm Ivanti reported that threat actors were exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

Researchers from cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting the above vulnerabilities.

The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

The company is providing mitigation and confirmed it is working on the development of a security patch.

Volexity researchers observed threat actors actively exploiting the two zero-days in the wild. In December 2023, Volexity investigated an attack where an attacker was placing webshells on multiple internal and external-facing web servers.

The researchers also reported that threat actors tracked as UTA0178 (aka UNC5221) are actively exploiting the vulnerabilities against exposed devices.

Targets span the globe and include both small businesses and large organizations. The list of targets includes multiple Fortune 500 companies operating in various industry sectors, such as:

  • Global government and military departments
  • National telecommunications companies
  • Defense contractors
  • Technology firms
  • Banking, finance, and accounting institutions
  • Worldwide consulting services
  • Aerospace, aviation, and engineering entities

After being publicly disclosed, multiple threat actors started exploiting these vulnerabilities to deploy XMRig cryptocurrency miners and Rust-based malware.

Synacktiv researchers noticed that threat actors used the KrustyLoader as a loader to download a Golang-based Sliver backdoor from a remote server and execute it.

“Based on my observations, all the samples download a Sliver (Golang) backdoor, though from different URLs.” reads the report published by Synacktiv. “The Sliver backdoors contact their C2 server using HTTP/HTTPS communication. Sliver is an open-source adversary simulation tool that is gaining popularity among threat actors, since it provides a practical command and control framework.”

Sliver is a post-exploitation framework that is gaining notoriety in the hacking underground as an alternative to the Cobalt Strike framework.

The choice of using Rust language for the development of KrustyLoader introduces additional challenges in obtaining a comprehensive understanding of malware behavior.

The experts published the Yara rule for the detection of similar KrustyLoader samples.

“Rust payloads detected by Volexity team turn out to be pretty interesting Sliver downloaders as they were executed on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. KrustyLoader – as I dubbed it – performs specific checks in order to run only if conditions are met.” concludes the report. “The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior. A script as well as a Yara rule are publicly available to help detection and extraction of indicators.”


Pierluigi Paganini

(SecurityAffairs – hacking, KrustyLoader)

Ivanti warns of a new actively exploited zero-day

31 January 2024 at 14:37

Ivanti warns of two new vulnerabilities in its Connect Secure and Policy Secure products, one of which is actively exploited in the wild.

Ivanti is warning of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

The second flaw CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.

The company also warns that the situation is still evolving and that multiple threat actors can rapidly adapt their tactics, techniques, and procedures to exploit these issues in their campaigns.

“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.

“Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”

The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as temporary workarounds to address CVE-2024-21888 and CVE-2024-21893.

In early January 2024, software firm Ivanti reported that threat actors were exploiting other two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

Today, researchers from cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting the above vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day CVE-2024-21893)

CISA adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog

31 January 2024 at 19:03

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apple improper authentication bug, tracked as CVE-2022-48618, to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability can allow an attacker with arbitrary read and write capability to bypass Pointer Authentication.

The IT giant addressed the issue with improved checks. The flaw is fixed in macOS Ventura 13.1, watchOS 9.2, iOS 16.2 and iPadOS 16.2, tvOS 16.2.

Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1.

“An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1.” reads the advisory.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 21, 2024.
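The BOD 22-01 mechanism described above is a deadline-driven process, so a defender's first question is which KEV entries are overdue or about to be. The following is an added example (not code from the article, Security Affairs or CISA) that triages catalog entries by due date; it assumes the field names of CISA's KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate), and its sample feed is constructed, with only CVE-2022-48618 and its 21 February 2024 due date taken from the article.

```python
"""Triage CISA KEV catalog entries against their BOD 22-01 due dates.

Added example; not code from the article or from CISA. The record layout
follows the field names of CISA's KEV JSON feed (assumption). The feed
below is constructed: only CVE-2022-48618 and its 2024-02-21 due date come
from the article; the other two ids are placeholders.
"""
from datetime import date

SAMPLE_KEV = {
    "vulnerabilities": [
        {   # from the article: added 31 Jan 2024, remediation due 21 Feb 2024
            "cveID": "CVE-2022-48618",
            "vendorProject": "Apple",
            "product": "iOS, iPadOS, macOS, tvOS, watchOS",  # constructed
            "dateAdded": "2024-01-31",
            "dueDate": "2024-02-21",
        },
        {   # constructed placeholder whose deadline has already passed
            "cveID": "CVE-0000-00001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2023-12-01",
            "dueDate": "2023-12-22",
        },
        {   # constructed placeholder with a distant deadline
            "cveID": "CVE-0000-00002",
            "vendorProject": "ExampleVendor",
            "product": "OtherProduct",
            "dateAdded": "2024-01-15",
            "dueDate": "2024-03-30",
        },
    ]
}


def _as_date(value):
    """Accept either a datetime.date or an ISO 8601 string (YYYY-MM-DD)."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def triage_kev(feed, today, window_days=14, remediated=frozenset()):
    """Sort KEV entries into overdue / due_soon / later / done buckets.

    `remediated` holds CVE ids already fixed in the environment. Each bucket
    holds (cveID, days_until_due) tuples, sorted so the most urgent entry is
    first; a negative day count means the due date has already passed.
    """
    today = _as_date(today)
    buckets = {"overdue": [], "due_soon": [], "later": [], "done": []}
    for entry in feed["vulnerabilities"]:
        cve = entry["cveID"]
        days = (_as_date(entry["dueDate"]) - today).days
        if cve in remediated:
            buckets["done"].append((cve, days))
        elif days < 0:
            buckets["overdue"].append((cve, days))
        elif days <= window_days:
            buckets["due_soon"].append((cve, days))
        else:
            buckets["later"].append((cve, days))
    for items in buckets.values():
        items.sort(key=lambda item: item[1])
    return buckets


def kev_report(feed, today, remediated=frozenset()):
    """Render a short plain-text status report for a patch-tracking queue."""
    today = _as_date(today)
    buckets = triage_kev(feed, today, remediated=remediated)
    lines = [f"KEV status as of {today.isoformat()}"]
    for status in ("overdue", "due_soon", "later", "done"):
        for cve, days in buckets[status]:
            lines.append(f"  {status:9} {cve}  ({days:+d} days to BOD 22-01 due date)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(kev_report(SAMPLE_KEV, "2024-02-10"))
```

Feeding the real catalog in is a matter of loading CISA's JSON and passing its top-level object in place of SAMPLE_KEV; the date window and the remediated set are the two knobs an organization would tune.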


Pierluigi Paganini

(SecurityAffairs – CISA, Apple)

Crooks stole around $112 million worth of XRP from Ripple’s co-founder

31 January 2024 at 21:05

Crooks stole around $112 million worth of Ripple XRP from the crypto wallet of Ripple’s co-founder Chris Larsen.

This week, crooks stole around $112 million worth of the Ripple-focused cryptocurrency XRP from a crypto wallet belonging to Ripple’s co-founder and executive chairman Chris Larsen.

Larsen pointed out that the hackers compromised his personal XRP accounts, while @Ripple was not impacted.

Yesterday, there was unauthorized access to a few of my personal XRP accounts (not @Ripple) – we were quickly able to catch the problem and notify exchanges to freeze the affected addresses. Law enforcement is already involved. https://t.co/T3HtKSlzLg

— Chris Larsen (@chrislarsensf) January 31, 2024

Larsen revealed that his company was able to quickly detect the fraudulent activity and freeze the affected addresses with the support of other exchanges. Ripple’s co-founder immediately notified law enforcement.

“Larsen wrote the post less than an hour after the well-known crypto security researcher ZachXBT broke news of the hack.” states TechCrunch, which first reported the news.

The crypto expert ZachXBT first discovered the hack and reported that the crooks attempted to launder the stolen funds through multiple crypto exchanges and platforms, including MEXC, Gate, Binance, Kraken, OKX, HTX, and HitBTC.

TechCrunch highlighted the impossibility of determining whether the compromised account actually belongs to Ripple.

The post includes an analysis of the hacked wallet through on-chain data from XRPScan and attempts to shed light on its link with Larsen’s account.

However, a Ripple spokesperson confirmed that Ripple was not impacted.


Pierluigi Paganini

(SecurityAffairs – hacking, XRP)

Police seized 50,000 Bitcoin from operator of the now-defunct piracy site movie2k

1 February 2024 at 07:18

German police seized 50,000 Bitcoin from the former operator of the now-defunct piracy website movie2k.to.

The police in Saxony, Germany, have seized 50,000 Bitcoin (more than $2.1 billion at the current exchange rate) from the former operator of the now-defunct piracy site movie2k.

“This is the most extensive security of Bitcoins by law enforcement authorities in the Federal Republic of Germany to date.” reads the press release published by the German police.

The man voluntarily transferred the crypto funds to wallets under the control of the German authorities.

The seizure is the result of an investigation conducted by the Dresden General Prosecutor’s Office, the Saxony State Criminal Police Office and the tax investigation of the Leipzig II Tax Office as the Saxony Integrated Investigation Unit (INES).

The investigation was also supported by the Federal Criminal Police Office (BKA), the FBI and a Munich forensic IT expert company.

According to German media, one of the two operators was also involved in the operations of the site mega-downloads.net. 

Movie2k was a platform involved in the unauthorized distribution of copyrighted movies, TV shows, and other media content. It was operating between 2008 and 2013. In 2013, the Motion Picture Association of America (MPAA) shut down the website due to concerns related to copyright infringement.

Widely favored among pirates, Movie2k provided an extensive array of content along with user-friendly streaming and download features. Additionally, the website fostered a substantial community of users who actively shared links to pirated content.

The investigation conducted by the German authorities led to the identification of two operators of the popular platform, a 40-year-old German national and a Polish 37-year-old.

The duo purchased a substantial amount of Bitcoin with the proceeds obtained from subscriptions and advertising through the platform.


Pierluigi Paganini

(SecurityAffairs – cybercrime, Apple)

Multiple malware used in attacks exploiting Ivanti VPN flaws

1 February 2024 at 10:53

Mandiant spotted new malware used by a China-linked threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices.

Mandiant researchers discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

The attackers were observed exploiting CVE-2023-46805 and CVE-2024-21887 to execute arbitrary commands on the unpatched Ivanti devices.

The cybersecurity firm reported that threat actors are employing the malware in post-exploitation activity, likely performed through automated methods.

Mandiant recently observed a mitigation bypass technique used to deploy a custom web shell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024.

Mandiant speculates that mitigation bypass activity is highly targeted, restricted, and differs from the mass exploitation activity observed after the disclosure of the Ivanti flaws.

Other malware employed in the attacks includes a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE, and the FRAMESTING web shell.

Mandiant also completed the analysis of another malware family employed in the attacks, the ZIPLINE passive backdoor, which includes authentication for the custom protocol it uses to establish C2 communications.

Mandiant also reported that threat actors employed several open-source tools to facilitate post-exploitation activities on Ivanti CS appliances. The tools were used to perform internal network reconnaissance, lateral movement, and data exfiltration within a restricted number of victim environments.

Some of the open-source utilities used by the threat actors include Impacket, CrackMapExec, iodine, and Enum4linux.

“Additionally, Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories. As noted in our previous blog post, UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors.” concludes Mandiant.

Ivanti also warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti)

CISA orders federal agencies to disconnect Ivanti VPN instances by February 2

1 February 2024 at 19:46

CISA is ordering federal agencies to disconnect Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

For the first time since its establishment, CISA is ordering federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

CISA’s emergency directive orders agencies to disconnect all instances no later than 11:59PM on Friday February 2, 2024.

“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.” reads the directive.

    The government agency recommends continuing to look for indicators of compromise on any systems connected to, or recently connected to, the affected Ivanti device.

    The government experts also ordered agencies to monitor authentication and identity management services that could be exposed, and urged them to isolate these systems from enterprise resources to the greatest degree possible. CISA also told agencies to continue auditing privilege-level access accounts.

    “To bring a product back into service, agencies are required to perform the following actions:

    1. Export configuration settings.
    2. Complete a factory reset per Ivanti’s instructions.
    3. Rebuild the device per Ivanti’s instructions AND upgrade to one of the following supported software versions through Ivanti’s download portal (there is no cost to upgrade): 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, 9.1R17.2.”

    Ivanti recently warned of four zero-days, three of which are actively exploited in the wild.

    In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

    The flaw CVE-2023-46805 (CVSS score 8.2) is an authentication bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

    The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1), is a command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and executing arbitrary commands on the appliance.

    An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

    “If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

    This week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

    The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

    The second flaw CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.

    The company also warns that the situation is still evolving and that multiple threat actors can rapidly adapt their tactics, techniques, and procedures to exploit these issues in their campaigns.

    “At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.

    “Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”

    The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as a temporary workaround to address CVE-2024-21888 and CVE-2024-21893.

    Mandiant researchers recently discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

    The cybersecurity firm reported that threat actors are employing the malware in post-exploitation activity, likely performed through automated methods.

    Mandiant recently observed a mitigation bypass technique used to deploy a custom web shell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024.

    Mandiant speculates that mitigation bypass activity is highly targeted, restricted, and differs from the mass exploitation activity observed after the disclosure of the Ivanti flaws.

    Other malware employed in the attacks includes a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE, and the FRAMESTING web shell.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, IVANTI)

    Man sentenced to six years in prison for stealing millions in cryptocurrency via SIM swapping

    1 February 2024 at 22:40

    A US man has been sentenced to federal prison for his role in a fraudulent scheme that resulted in the theft of millions of dollars through SIM swapping.

    Daniel James Junk (22) of Portland was sentenced to 72 months in federal prison for his role in a scheme that resulted in the theft of millions of dollars of cryptocurrency using SIM swapping.

    The man conducted SIM swapping attacks to take control of victims’ phone numbers by tricking mobile operator employees into porting them to SIM cards under the fraudster’s control. Once a SIM is hijacked, the attacker can steal money, cryptocurrency and personal information, including contacts synced with online accounts, hijack social media accounts, and bypass SMS-based 2FA used by online services, including financial ones.

    Junk was also sentenced to three years of supervised release and ordered to pay more than $3 million in restitution to his victims.

    Based on court documents, between December 2019 and March 2022, Junk participated in a fraud scheme to steal funds from the cryptocurrency exchange accounts of his victims.

    “Junk actively participated in an online SIM-swapping community where various individuals would partner with one another to play different roles needed to successfully execute a SIM swap scam.” reads the press release published by DoJ. “Throughout his involvement in such schemes, Junk performed some aspects of all the required roles including finding victims to target through breached databases or other exploits, porting victim phone numbers to devices controlled by members of the fraud conspiracy, and physically possessing the phone used for the “swap.” Junk and members of his online community also coordinated with one another to plan and carry out various in-person crimes including attempting to steal a 90-year-old victim’s cell phone and committing fraud at cellular telephone stores.”

    On March 3, 2022, the FBI executed a federal search warrant on Junk’s apartment and seized his electronic equipment. The seized computer had an active browser showing that Junk was attempting to illegally access accounts belonging to other people when the FBI arrived at his residence. The FBI seized more than 71 bitcoins worth approximately $3 million. Two months later, Junk turned over an extra 33 bitcoins, valued at around $1 million.

    In early January 2024, while awaiting sentencing, Junk was found to possess additional evidence of fraud. The FBI found lists of victims and approximately 25,000 compromised email addresses. “On January 10, 2024, Junk’s release was revoked, and he was ordered into custody pending sentencing.”

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, SIM SWAPPING)

    3.5M exposed in COVID-19 e-passport leak

    1 February 2024 at 23:11

    Passports, mobile numbers, and email addresses of Indian travelers who requested COVID e-pass have been leaked, 3.5M individuals at risk of identity theft.

    Last year, due to an increase in the number of people with COVID-19, Tamil Nadu, the southernmost state in India with a population of 79 million, made a COVID e-pass mandatory.

    This meant that all inter-zone travelers needed to apply for it online and enter a great deal of their personally identifiable information (PII).

    Unfortunately, at least 3.5 million people’s sensitive details were exposed to the public, a recent investigation by the Cybernews research team shows. While the data comes from the peak of the pandemic (2020-2021), exposed people are still at risk of identity theft and other malicious activities.

    Cybernews discovered the unprotected data during a routine investigation. The culprit was an open S3 bucket that included over 3.5 million records. Our researchers assess that the data was being leaked by a third-party service provider. We disclosed our findings to the relevant parties following our responsible disclosure procedure, and at the time of writing the dataset is secure.


    The leaking data includes:

    • Name
    • Passport number and/or copy
    • Gender
    • Mobile number and email address
    • Travel details and reasons for traveling (people had to specify due to travel restrictions during the pandemic)
    • Vehicle numbers

    We’ve contacted the Tamil Nadu government, as well as the third-party service providers that we suspect to be behind the leak, for an on-the-record comment but have yet to receive any kind of reply.

    If you want to learn more about the risk for users due to this data leak, take a look at the original post at:

    https://cybernews.com/security/indian-covid-passport-data-leak/

    About the author: Jurgita Lapienytė, Chief Editor at CyberNews

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, COVID-19)

    PurpleFox malware infected at least 2,000 computers in Ukraine

    2 February 2024 at 09:35

    The Computer Emergency Response Team in Ukraine (CERT-UA) reported that a PurpleFox malware campaign had already infected at least 2,000 computers in the country.

    The Computer Emergency Response Team in Ukraine (CERT-UA) is warning about a malware campaign that has infected at least 2,000 computers in the country with the PurpleFox malware (aka ‘DirtyMoe’).

    “The Government Computer Emergency Response Team of Ukraine CERT-UA, guided by Clause 1 of Article 9 of the Law of Ukraine “On the Basic Principles of Ensuring Cyber Security of Ukraine”, took measures to provide practical assistance to a state-owned enterprise due to the massive damage to the organization’s computers by the malicious program DIRTYMOE (PURPLEFOX).” reads the alert published by CERT-UA. “As part of a detailed study of the cyber threat, a study of the received samples of malicious programs was conducted, the peculiarities of the functioning of the management server infrastructure were established, and more than 2,000 affected computers were identified in the Ukrainian segment of the Internet.”

    In June 2021, researchers from Avast warned of the rapid growth of the DirtyMoe botnet (also known as PurpleFox, Perkiler, and NuggetPhantom), which grew from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Experts described DirtyMoe as a complex malware designed as a modular system.

    The Windows botnet has been active since late 2017. It was mainly used to mine cryptocurrency, but it was also involved in DDoS attacks in 2018. The DirtyMoe rootkit was delivered via malspam campaigns or served by malicious sites hosting the PurpleFox exploit kit, which triggers vulnerabilities in Internet Explorer such as CVE-2020-0674, a scripting engine memory corruption vulnerability.


    The operations behind the DirtyMoe botnet rapidly changed since the end of 2020, when the malware authors added a worm module that could increase their activity by spreading via the internet to other Windows systems.

    CERT-UA shared technical details about the ongoing campaign, tracked as UAC-0027, because the rootkit makes removing the DIRTYMOE components difficult.

    In the attacks observed by the Ukrainian authorities, the infection chain relies on MSI installers to deploy the PurpleFox malware.


    The malware uses exploits for known vulnerabilities and password brute-forcing attacks for self-propagation.

    Between January 20 and January 31, 2024, CERT-UA identified 486 IP addresses associated with intermediate control servers. The majority of these addresses are linked to (compromised) equipment located in China. Approximately 20 new IP addresses are added daily.

    The alert includes indicators of compromise and guidance to remove the malware from the infected systems.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, PurpleFox malware)

    Cloudflare breached on Thanksgiving Day, but the attack was promptly contained

    2 February 2024 at 10:45

    Cloudflare revealed that a nation-state actor breached its internal Atlassian server, gaining access to the internal wiki and its bug database (Atlassian Jira).

    The incident took place on Thanksgiving Day, November 23, 2023, and Cloudflare immediately began an investigation with the help of CrowdStrike. The company pointed out that no customer data or systems were impacted by this security breach. 

    Cloudflare disclosed today that its internal Atlassian server was breached by a suspected ‘nation-state attacker’ who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.

    The nation-state actor first gained access to the company’s Atlassian server on November 14 and then accessed the Confluence and Jira systems.

    “From November 14 to 17, a threat actor did reconnaissance and then accessed our internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira). On November 20 and 21, we saw additional access indicating they may have come back to test access to ensure they had connectivity.” reads the blog post published by the company. “They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”

    The threat actor also attempted to gain access to a console server in the company’s new data center in São Paulo, but all attempts failed.

    The investigation revealed that the attackers used one access token and three service account credentials that were obtained in the Okta compromise of October 2023. Cloudflare admitted it had failed to rotate these credentials.

    The company locked out the threat actor on November 24 and CrowdStrike confirmed that the threat was completely eradicated.

    To prevent the attacker from using the obtained technical information, Cloudflare rotated every production credential (more than 5,000 individual credentials), physically segmented test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in its global network including all the systems that were accessed by the intruders.

    “This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner. The efforts we have taken ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future.” concludes the report.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, Okta)

    Ex CIA employee Joshua Adam Schulte sentenced to 40 years in prison

    2 February 2024 at 14:49

    A former software engineer with the U.S. CIA has been sentenced to 40 years in prison for leaking classified documents.

    Former CIA employee Joshua Adam Schulte has been sentenced to 40 years in prison for passing classified documents to WikiLeaks and for possessing child pornographic material.

    “Damian Williams, the United States Attorney for the Southern District of New York; Matthew G. Olsen, the Assistant Attorney General for National Security; and James Smith, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced today that JOSHUA ADAM SCHULTE was sentenced to 40 years in prison by U.S. District Judge Jesse M. Furman for crimes of espionage, computer hacking, contempt of Court, making false statements to the FBI, and child pornography.” reads the press release published by DoJ. “SCHULTE’s theft is the largest data breach in the history of the CIA, and his transmission of that stolen information to WikiLeaks is one of the largest unauthorized disclosures of classified information in the history of the U.S.”

    In July 2022, Schulte was found guilty in a New York federal court of stealing the agency’s hacking tools and leaking them to WikiLeaks in 2017.

    The huge trove of data, called “Vault 7,” exposed the hacking capabilities of the US Intelligence Agency and its internal infrastructure. The archive includes confidential information, malicious code, and exploits specifically designed to target popular products from various IT companies, including Samsung, Apple, Google, and Microsoft.

    The hacking tools developed by the US cyber spies can target mobile devices, desktop computers, and IoT devices such as routers and smart TVs.

    The arsenal used by the Central Intelligence Agency hackers was composed of hacking tools developed by the CCI’s Engineering Development Group (EDG).

    The developers at EDG are tasked with developing and testing any kind of malicious code, including implants, backdoors, exploits, Trojans and viruses. The CIA has dozens of zero-day exploits in its arsenal that can be used to target almost any platform, from Windows and Linux PCs to Android and iOS mobile devices.

    In mid-May 2018, both The New York Times and The Washington Post revealed the name of the alleged source of the Vault 7 leak, the man who passed the secret documents to WikiLeaks. According to his LinkedIn profile, Schulte worked for the NSA for five months in 2010 as a systems engineer; after this experience, he joined the CIA as a software engineer, and he left the CIA in November 2016.

    Schulte was identified a few days after WikiLeaks started leaking the precious dumps.

    Schulte was arrested for possession of child pornography; in August 2017 he was charged with three counts of receipt, possession and transportation of child pornography.

    The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.

    In November 2018, Joshua Adam Schulte faced new charges: in a new indictment filed in Manhattan federal court, he was charged with the unlawful transmission and attempted unlawful transmission of national defense secrets from prison.

    In February 2018, the lawyers of the former CIA employee asked the court for a mistrial, claiming that the prosecutors had withheld evidence that could exonerate their client during the trial in the Manhattan federal court.

    While SCHULTE was in jail, he obtained access to contraband cell phones and used them to create anonymous, encrypted email and social media accounts. SCHULTE also attempted to use these devices to transmit protected discovery materials to WikiLeaks.

    In March 2017, during a search of SCHULTE’s apartment in New York, the FBI found multiple computers, servers, and other electronic storage devices, including SCHULTE’s personal desktop computer (the “Desktop Computer”), which SCHULTE built while living in Virginia and then transported to New York in November 2016. The personal desktop computer contained tens of thousands of videos and images of child sexual abuse materials, including approximately 3,400 images and videos of disturbing and horrific child pornography and the rape and sexual abuse of children as young as two years old, as well as images of bestiality and sadomasochism. The man stockpiled these disturbing materials while he was serving the CIA and continued to collect child pornography from the dark web and Russian websites after moving to New York.

    On September 13, 2023, SCHULTE was also found guilty at trial on charges of receiving, possessing, and transporting child pornography.

    “Today, Joshua Schulte was rightly punished not only for his betrayal of our country, but for his substantial possession of horrific child pornographic material.  The severity of his actions is evident, and the sentence imposed reflects the magnitude of the disturbing and harmful threat posed by his criminal conduct.” FBI Assistant Director in Charge James Smith said: “The FBI will not yield in our efforts to bring to justice anyone who endangers innocent children or threatens our national security.”

    Follow me on Twitter: @securityaffairs and Facebook

    Pierluigi Paganini

    (SecurityAffairs – hacking, Joshua Adam Schulte)

    Operation Synergia led to the arrest of 31 individuals

    2 February 2024 at 19:12

    An international law enforcement operation, named Synergia, led to the arrest of 31 individuals involved in ransomware, banking malware, and phishing attacks.

    Operation Synergia was led by Interpol and ran from September to November 2023 involving law enforcement agencies from 50 countries.

    The international law enforcement operation was launched to curb the escalation and professionalisation of transnational cybercrime.

    Authorities detained 31 individuals, 26 of whom were in Europe, and identified an additional 70 suspects. Four people were arrested in South Sudan and Zimbabwe.

    The law enforcement agencies identified more than 1,300 suspicious IP addresses associated with C2 servers, 70% of which have been taken down. Most of the C2 servers taken down were in Europe, while other servers were taken down in Hong Kong (153) and Singapore (86).

    “Operation Synergia demonstrated how cybersecurity is most effective when international law enforcement, national authorities, and private sector partners cooperate to share best practices and pro-actively combat cybercrime. INTERPOL and its Gateway Partners Group-IB, Kaspersky, TrendMicro, Shadowserver and Ad hoc partner Team Cymru provided analysis and intelligence support throughout the operation.” reads the press release published by Interpol.

    The police carried out house searches and seized multiple servers, along with electronic devices.

    “The results of this operation, achieved through the collective efforts of multiple countries and partners, show our unwavering commitment to safeguarding the digital space. By dismantling the infrastructure behind phishing, banking malware, and ransomware attacks, we are one step closer to protecting our digital ecosystems and a safer, more secure online experience for all.” said Bernardo Pillot, Assistant Director to INTERPOL Cybercrime Directorate.

    Follow me on Twitter: @securityaffairs and Facebook

    Pierluigi Paganini

    (SecurityAffairs – hacking, Operation Synergia)

    Iranian hackers breached Albania’s Institute of Statistics (INSTAT)

    2 February 2024 at 23:21

    Albania’s Institute of Statistics (INSTAT) announced that it was targeted by a sophisticated cyberattack that affected some of its systems.

    A sophisticated cyberattack on Wednesday hit Albania’s Institute of Statistics (INSTAT). The institute confirmed that the attack affected some of its systems.

    Albania’s Institute of Statistics (INSTAT) promptly activated emergency protocols to respond to the incident. The organization launched an investigation into the cyberattack and determined that only “some of INSTAT systems were affected.” The attack did not impact systems employed in the 2013 census.

    “INSTAT assures the public that the 2023 Census data are not the subject of this attack. INSTAT’s technical team immediately activated emergency protocols to protect the data and prevent further damage.
    INSTAT will continue its statistical activity and will use alternative means of communication such as the email address [email protected] and the official social media channels, Instagram and Facebook.” reads the statement published by INSTAT on Facebook.

    INSTAT notified local authorities and is working to resume normal operations.

    Albania’s cyber agency (AKCESK), along with state police, is helping INSTAT recover the affected systems and attribute the attack to a specific threat actor.

    The Record Media reported that the Iran-linked hacking group Homeland Justice claimed responsibility for the attack. The hackers added that they have stolen over 100 terabytes of GIS and census data from INSTAT.

    “We now have full access to over a 100 Terabytes of your GIS and census data. The data have also been copied and removed from the servers. We will bring Justice back to our Homeland
    All the statistics are against you
    DestroyDurresMilitaryCamp (#DDMC)” states the message published by the group on its Telegram channel.

    Despite claims, it's yet to be verified if any data was compromised. While INSTAT insists recent census data was unaffected, Homeland Justice claims they copied over 100 terabytes of geographic and population data. Albania's cyber agency AKCESK is now collaborating with state…

    — The Record From Recorded Future News (@TheRecord_Media) February 2, 2024

    In December 2023, Albania’s National Authority for Electronic Certification and Cyber Security (AKCESK) revealed that cyber attacks hit the Assembly of the Republic of Albania and telecom company One Albania.

    The telecom carrier disclosed the cyber attack with a post published on Facebook, the company also added that the cyber attack did not interrupt its services.

    The Iranian hacker group Homeland Justice also claimed responsibility for this attack on its Telegram channel. The group also claimed to have hacked Air Albania.

    In September 2022, Albania blamed Iran for another cyberattack that hit computer systems used by the state police.

    Albania interrupted diplomatic ties with Iran and expelled the country’s embassy staff over the massive cyber attack that hit the country in mid-July 2022.

    The cyberattack hit the servers of the National Agency for Information Society (AKSHI), which handles many government services. Most of the desk services for the population were interrupted, and only several important services, such as online tax filing, were working because they are provided by servers not targeted in the attack. Albania reported the attack to the NATO Member States and other allies.

    The relations between Albania and Iran have deteriorated since the government of Tirana offered asylum to thousands of Iranian dissidents.

    The United States government issued a statement condemning Iran for attacking Albania.

    “The United States strongly condemns Iran’s cyberattack against our NATO Ally, Albania. We join in Prime Minister Rama’s call for Iran to be held accountable for this unprecedented cyber incident. The United States will take further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace.” U.S. National Security Council spokesperson Adrienne Watson said. “We have concluded that the Government of Iran conducted this reckless and irresponsible cyberattack and that it is responsible for subsequent hack and leak operations.”

    NATO, and the U.K. also formally blamed the Iranian government for the cyberattacks against Albania.

    The U.S. Treasury Department announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence over the cyber attack that hit Albania in July.

    MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. It is also known as VAJA and previously as VEVAK (Vezarat-e Ettela’at va Amniyat-e Keshvar) or alternatively MOIS.

    Follow me on Twitter: @securityaffairs and Facebook

    Pierluigi Paganini

    (SecurityAffairs – hacking, Albania)

    Mastodon fixed a flaw that can allow the takeover of any account

    3 February 2024 at 15:40

    A vulnerability impacting the decentralized social network Mastodon can be exploited by threat actors to impersonate and take over any account.

    A security flaw in the decentralized social network Mastodon, tracked as CVE-2024-23832 (CVSS score 9.4), can be exploited to impersonate and take over any remote account.

    The root cause is insufficient origin validation, which affects all Mastodon releases prior to the fixed versions.

    “Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account.” reads the advisory.

    The issue impacts Mastodon versions prior to 3.5.17, 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.

    The vulnerability was discovered by security researcher arcanicanis.

    Mastodon plans to release technical details about the vulnerability after February 15, 2024, to give admins ample time to update their server instances.

    The maintainers withheld the details because they believe that even a partial description would make it easy to build an exploit, and they want to avoid mass exploitation in the wild before instances are patched.

    “This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.” continues the advisory.
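    The advisory names the weakness but, as quoted above, not the mechanism. The following is an added illustration, not Mastodon's code and not the withheld details of CVE-2024-23832. It shows the general origin rule a fediverse server has to enforce on ActivityPub-style documents: an object is trusted only for the origin it was fetched from, and every actor or embedded object it references must share that origin or be re-fetched from its own origin before being believed. All hostnames and object identifiers are made up.

```python
"""Origin validation for federated (ActivityPub-style) objects.

Added illustration for this article; it is not Mastodon's code and not the
withheld technical details of CVE-2024-23832. It demonstrates the general
rule a fediverse server must enforce: a fetched object is trusted only for
the origin it was fetched from, and every actor or embedded object it
references must share that origin or be re-fetched from its own origin.
All hostnames below are made up.
"""
from urllib.parse import urlsplit


class OriginMismatch(ValueError):
    """A federated object claims an origin it cannot vouch for."""


def origin_of(url: str) -> tuple:
    """Return (scheme, host[:port]) of an https URL; anything else is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise OriginMismatch(f"refusing non-https or hostless URL: {url!r}")
    return parts.scheme, parts.netloc.lower()


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


def ref_id(value) -> str:
    """An ActivityPub reference is either a bare IRI or an embedded object with an 'id'."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and isinstance(value.get("id"), str):
        return value["id"]
    raise OriginMismatch(f"reference has no usable id: {value!r}")


def validate_origin(fetched_from: str, obj: dict) -> dict:
    """Return obj if every origin-bearing field matches where it came from, else raise."""
    obj_id = ref_id(obj)
    # 1. The id must live on the server the document was fetched from; otherwise
    #    any server could serve a document that claims to be another server's post.
    if not same_origin(fetched_from, obj_id):
        raise OriginMismatch(f"{obj_id} was fetched from {fetched_from}")
    # 2. Actor and attribution must be same-origin as the object; otherwise host A
    #    could publish a status 'attributedTo' an account that lives on host B.
    for field in ("actor", "attributedTo"):
        if field in obj and not same_origin(obj_id, ref_id(obj[field])):
            raise OriginMismatch(f"{field} {ref_id(obj[field])!r} is foreign to {obj_id}")
    # 3. An object embedded in an activity (Create, Update, Announce, ...) is only
    #    trusted inline when it shares the activity's origin. A foreign embedded
    #    object must be dereferenced from its own id instead of being believed.
    inner = obj.get("object")
    if isinstance(inner, dict):
        if not same_origin(obj_id, ref_id(inner)):
            raise OriginMismatch(f"embedded {ref_id(inner)!r} is foreign; re-fetch it from its own origin")
        validate_origin(fetched_from, inner)
    return obj


def is_trusted(fetched_from: str, obj: dict) -> bool:
    """Convenience wrapper: True when validate_origin accepts the object."""
    try:
        validate_origin(fetched_from, obj)
        return True
    except OriginMismatch:
        return False


# Constructed samples (not real instances or accounts).
LEGIT_NOTE = {
    "id": "https://social.example/users/alice/statuses/1",
    "type": "Note",
    "attributedTo": "https://social.example/users/alice",
    "content": "hello fediverse",
}

# A malicious server hands us a Create whose embedded Note claims to be Alice's.
SPOOFED_CREATE = {
    "id": "https://evil.example/activities/42",
    "type": "Create",
    "actor": "https://evil.example/users/mallory",
    "object": {
        "id": "https://social.example/users/alice/statuses/2",
        "type": "Note",
        "attributedTo": "https://social.example/users/alice",
        "content": "I never wrote this",
    },
}

if __name__ == "__main__":
    print(is_trusted("https://social.example/users/alice/statuses/1", LEGIT_NOTE))  # True
    print(is_trusted("https://evil.example/activities/42", SPOOFED_CREATE))          # False
    # The same Note served directly by the wrong host is rejected as well.
    print(is_trusted("https://evil.example/anything", LEGIT_NOTE))                  # False
```

    The point of the third check is the one most often missed: an inbox delivery or a fetched activity may carry a fully formed inline object, and it is tempting to store it as-is. A server that does so lets any remote host fabricate posts for accounts it does not control; the safe behaviour is to discard the inline copy and fetch the object from the host named in its own id.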

    In July 2023, Mastodon addressed a critical flaw, tracked as CVE-2023-36460, in the media attachments feature, which allowed attackers to create and overwrite files in any location accessible to the instance.

    That vulnerability could lead to denial of service (DoS) and arbitrary remote code execution.


    Pierluigi Paganini

    (SecurityAffairs – hacking, social network)

    Clorox estimates the costs of the August cyberattack will exceed $49 Million

    3 February 2024 at 19:57

    Cleaning products giant Clorox estimates the economic impact of the cyber attack that hit the company in August 2023 at $49 million.

    The Clorox Company is a multinational consumer goods company that specializes in the production and marketing of various household and professional cleaning, health, and personal care products.

    The cleaning product giant announced in mid-August it was the victim of a cybersecurity incident that forced it to take some systems offline.

    At this time, Clorox has yet to share technical details of the cyberattack. The described impacts suggest that the company was likely the victim of a ransomware attack.

    According to a filing with the SEC, Clorox estimates the economic impact of the cyber attack that hit the company in August 2023 at $49 million.

    The costs include losses caused by disruptions, as well as expenses for third-party forensics and consultants assisting the company in investigating and remediating the attack.

    The company also expects a negative impact on its fiscal year 2024 results.

    “The effects of the cyberattack are expected to negatively impact fiscal year 2024 results, though some of the anticipated net sales not recognized in the first quarter as a result of the disruptions were recognized in the second quarter, and some are expected to be recognized in subsequent quarters of fiscal year 2024 as customers rebuild inventories.” reads the SEC filing. “The Company also incurred incremental expenses of approximately $25 and $49 as a result of the cyberattack for the three and six months ended December 31, 2023, respectively. These costs relate to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the Company’s business operations. The Company expects to incur lessening costs related to the cyberattack in future periods.”

    The company added that it did not record any insurance proceeds in the three and six months ending on December 31, 2023, associated with the cyberattack. The recognition of insurance recoveries, if applicable, may not align with the timing of recognizing the associated expenses.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Clorox)

    Security Affairs newsletter Round 457 by Pierluigi Paganini – INTERNATIONAL EDITION

    4 February 2024 at 10:18

    A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

    Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

    Clorox estimates the costs of the August cyberattack will exceed $49 Million
    Mastodon fixed a flaw that can allow the takeover of any account
    Iranian hackers breached Albania’s Institute of Statistics (INSTAT)
    Operation Synergia led to the arrest of 31 individuals
    Ex CIA employee Joshua Adam Schulte sentenced to 40 years in prison
    Cloudflare breached on Thanksgiving Day, but the attack was promptly contained
    PurpleFox malware infected at least 2,000 computers in Ukraine
    Multiple malware used in attacks exploiting Ivanti VPN flaws
    Police seized 50,000 Bitcoin from operator of the now-defunct piracy site movie2k
    Crooks stole around $112 million worth of XRP from Ripple’s co-founder
    CISA adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog
    Ivanti warns of a new actively exploited zero-day
    Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware
    Data leak at fintech giant Direct Trading Technologies
    Root access vulnerability in GNU Library C (glibc) impacts many Linux distros
    Italian data protection authority said that ChatGPT violated EU privacy laws
    Juniper Networks released out-of-band updates to fix high-severity flaws
    Hundreds of network operators’ credentials found circulating in Dark Web
    Cactus ransomware gang claims the Schneider Electric hack
    Mercedes-Benz accidentally exposed sensitive data, including source code
    Experts detailed Microsoft Outlook flaw that can leak NTLM v2 hashed passwords
    NSA buys internet browsing records from data brokers without a warrant
    Ukraine’s SBU arrested a member of Pro-Russia hackers group ‘Cyber Army of Russia’
    Multiple PoC exploits released for Jenkins flaw CVE-2024-23897
    Medusa ransomware attack hit Kansas City Area Transportation Authority

    Cybercrime

    Who is Alleged Medibank Hacker Aleksandr Ermakov?

    Ransomware Revenue Down As More Victims Refuse to Pay  

    Energy giant Schneider Electric hit by Cactus ransomware attack

    Hundreds Of Network Operators’ Credentials Found Circulating In Dark Web  

    Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

    Data of 750 Million Indian Mobile Subscribers Sold on Hacker Forums     

    Hackers steal $112 million of XRP Ripple cryptocurrency  

    movie2k.to: Ex-operator hands over BTC worth 2 billion euros 

    Portland Man Sentenced to Federal Prison for Role in SIM Swapping Identity Theft and Fraud Scheme  

    INTERPOL-led operation targets growing cyber threats  

    Malware

    New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying  

    KRUSTYLOADER – RUST MALWARE LINKED TO COMPROMISED IVANTI CONNECTSECURE  

    Evolution of UNC4990: Uncovering USB Malware’s Hidden Depths  

    China’s Hackers Have Entire Nation in Their Crosshairs, FBI Director Warns  

    Outsmarting Ransomware’s New Playbook

    UAC-0027: DIRTYMOE (PURPLEFOX) affected more than 2000 computers in Ukraine  

    Hacking

    Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes 

    Thanksgiving 2023 security incident

    Exclusive: US disabled Chinese hacking network targeting critical infrastructure   

    Iran-linked hackers claim attack on Albania’s Institute of Statistics     

    Intelligence and Information Warfare 

    Ukraine’s security service detains member of Russian ‘Cyber Army’  

    Wyden Releases Documents Confirming the NSA Buys Americans’ Internet Browsing Records

    The Bear and The Shell: New Campaign Against Russian Opposition   

    Spying From Space 

    Wikileaks source and former CIA worker Joshua Schulte sentenced to 40 years jail

    Former CIA Officer Joshua Adam Schulte Sentenced To 40 Years In Prison For Espionage And Child Pornography Crimes

    Cybersecurity

    How a mistakenly published password exposed Mercedes-Benz source code

    Zero-day, supply-chain attacks drove data breach high for 2023      

    ChatGPT violated European privacy laws, Italy tells chatbot maker OpenAI

    ENISA Single Programming Document 2024 – 2026

    Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog()   

    Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities         


    Pierluigi Paganini

    (SecurityAffairs – hacking, newsletter)

    AnyDesk Incident: Customer Credentials Leaked and Published for Sale on the Dark Web

    4 February 2024 at 10:51

    Resecurity identified bad actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.

    Such information in the hands of cybercriminals could act as a catalyst for new attacks, including targeted phishing campaigns: with additional context about a particular customer, the probability of a successful compromise increases significantly. One plausible scenario is the use of these details in malicious emails sent on behalf of the software vendor, managed service providers (MSPs), or IT outsourcing companies with the goal of acquiring sensitive information; in such a case the downstream damage could be significant.

    The sources and methods for acquiring data of this nature vary with the threat actors' Tactics, Techniques, and Procedures (TTPs). This credential leak is widely believed to be the result of infostealer infections, but the uncertainty about its origin is itself a new area of concern. Assuming the prevailing infostealer hypothesis is correct, and considering the latest incident disclosure, timely password resets are a mandatory mitigation for all AnyDesk customers. AnyDesk end users include IT administrators, who are frequently targeted by threat actors, so it is critical that AnyDesk verifies that this incident has not affected access to any other critical systems to which those administrators hold privileged access.

    With access to the AnyDesk portal, bad actors could learn meaningful details about a customer, including but not limited to the license key in use, the number of active connections, session durations, the customer ID and contact information, the email address associated with the account, and the total number of hosts with the remote access software activated, along with their online or offline status and IDs.


    It is possible that cybercriminals familiar with the incident are hurrying to monetize AnyDesk customer credentials acquired from different sources, anticipating that AnyDesk will proactively reset them. Such data could be extremely valuable to initial access brokers and to ransomware groups, which often abuse AnyDesk as a remote-access tool after a successful network intrusion. Notably, according to additional context obtained from the actor, the majority of the exposed accounts did not have 2FA enabled.

    Notably, the timestamps visible on the shared screenshots by the actor illustrate successful unauthorized access with sessions dated Feb 3, 2024 (post-incident disclosure). Some users may not have changed their password, or this process might still be ongoing. Handling remediation, especially for a large customer base, is complex and may not be instantly executed.


    Per a public statement from AnyDesk on February 2, 2024, “as a precaution, we (AnyDesk) are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.” However, the password revocation does not appear to have fully resolved the exposure. Other cybersecurity experts, such as Alon Gal, Co-Founder and CTO of Hudson Rock, have noticed the same issue and alerted the broader community. According to Gal, over 30,000 user credentials could be circulating on the Dark Web as a result of infostealer activity. Proper mechanisms should be considered to mitigate the risk of customer compromise, independently of the incident announcement.

    Dark Web actors have expressed a strong interest in AnyDesk customer credentials. The opportunity to acquire them in bulk will be extremely attractive for actors involved in spam, online banking theft, scam, business email compromise (BEC), and account takeover (ATO) activities. The spectrum of cyber risks associated with this new development transforms proportionally, ranging from the use of this information in further fraudulent and scam campaigns to targeted phishing and malicious cyber activity.

    Resecurity informed AnyDesk and notified multiple consumers and enterprises whose credentials have been exposed on the Dark Web.

    Notably, the AnyDesk activity comes shortly after Cloudflare announced it had been targeted, and after Microsoft and Hewlett Packard Enterprise disclosed cybersecurity incidents attributed to a suspected nation-state attacker.

    Additional details are available in the analysis published by cybersecurity firm Resecurity:

    https://www.resecurity.com/blog/article/following-the-anydesk-incident-customer-credentials-leaked-and-published-for-sale-on-the-dark-web


    Pierluigi Paganini

    (SecurityAffairs – hacking, AnyDesk)

    A cyberattack impacted operations at Lurie Children’s Hospital

    4 February 2024 at 14:46

    A cyber attack forced Lurie Children’s Hospital in Chicago to take IT systems offline with a severe impact on its operations.

    Lurie Children’s Hospital in Chicago took IT systems offline after a cyberattack. The incident severely disrupted normal operations and delayed medical care.

    Lurie Children’s Hospital is one of the top pediatric hospitals in the United States. Formerly known as Children’s Memorial Hospital, it was renamed in recognition of Ann and Robert H. Lurie, who made a significant donation to the hospital.

    Lurie Children’s Hospital offers a wide range of specialized medical services, including pediatric surgery, oncology, cardiology, neurology, and neonatology.

    In addition to its clinical services, Lurie Children’s Hospital is actively involved in pediatric research, striving to advance medical knowledge and develop innovative treatments for childhood diseases and disorders.

    Lurie Children’s is a Chicago-based pediatric acute care hospital with 360 beds, located on Northwestern University’s Streeterville campus, with more than 1,665 physicians on its medical staff and 4,000 employees.

    The hospital announced this week that it promptly started the incident response procedure. The healthcare organization notified law enforcement agencies and is working with leading experts to investigate the incident.

    [Embedded tweet by Lurie Children's (@LurieChildrens), February 2, 2024: pic.twitter.com/4Smx7S3POj]

    “Lurie Children’s is actively responding to a cybersecurity matter. We are taking this very seriously, are investigating with the support of leading experts, and are working in collaboration with law enforcement agencies. As part of our response to this matter, we have taken network systems offline.” states a first update provided by the hospital. “We recognize the concern and inconvenience the systems outage may cause our patient families and community providers, and are working diligently to resolve this matter as quickly and effectively as possible.”

    Lurie confirmed that the attack disrupted the hospital’s access to the internet, email, phone services, and the MyChart patient portal.

    “The incident has impacted phones, emails, internet service; some elective surgeries and procedures even had to be canceled.” reported ABC7 Chicago.

    [Embedded tweet by Lurie Children's (@LurieChildrens), February 3, 2024: pic.twitter.com/fVdZ9cOcO2]

    A dedicated helpline has been set up to address various requirements, such as handling non-urgent patient inquiries, addressing care-related questions, providing details about scheduled patient appointments, and processing requests for prescription refills.

    At this time, no ransomware group has claimed responsibility for the cyber attack on Lurie Children’s Hospital.

    Cyber attacks against hospitals are especially dangerous, and although major ransomware gangs claim to bar their affiliates from targeting them, many such incidents have recently made headlines.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Lurie Hospital)

    US government imposed sanctions on six Iranian intel officials

    4 February 2024 at 18:20

    The US government issued sanctions against six Iranian government officials linked to cyberattacks against critical infrastructure organizations. 

    The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions on six Iranian government officials associated with cyberattacks targeting critical infrastructure organizations in the US and abroad.

    “Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), an Iranian government organization responsible for a series of malicious cyber activities against critical infrastructure in the United States and other countries.” reads the announcement published by the US OFAC.

    The six members of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) are Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian.

    Hamid Reza Lashgarian is also the head of the IRGC-CEC. The Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) is the organization within the Iranian government responsible for cybersecurity and cyber warfare. Many countries, including the United States, consider it a major threat because of its involvement in malicious cyber activities.

    The announcement states that these individuals were involved in cyber operations against critical infrastructure: they compromised programmable logic controllers manufactured by the Israeli firm Unitronics and posted images on the devices’ screens.

    OFAC notes that the ICS and SCADA systems used in critical infrastructure environments are sensitive targets.

    “The deliberate targeting of critical infrastructure by Iranian cyber actors is an unconscionable and dangerous act,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.  “The United States will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account.”

    While this specific operation did not disrupt critical services, attacks of this kind can jeopardize public welfare and have severe humanitarian consequences.

    Iran-linked threat actors are known for their cyber activities against U.S. critical infrastructure, including ransomware attacks. They also targeted entities in European countries and Israel.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Iran)

    Software firm AnyDesk disclosed a security breach

    5 February 2024 at 07:18

    Remote desktop software company AnyDesk announced that threat actors compromised its production environment.

    Remote desktop software company AnyDesk announced on Friday that threat actors had access to its production systems.

    The security breach was discovered as a result of a security audit, and the company immediately notified the relevant authorities. AnyDesk did not say whether any data was stolen.

    AnyDesk is a remote desktop software that allows users to connect to a computer or device remotely. It enables users to access and control a computer from another location as if they were sitting in front of it. AnyDesk is commonly used for remote technical support, online collaboration, and accessing files or applications on a remote computer.

    The company started a remediation and response plan with the help of cyber security firm CrowdStrike. AnyDesk pointed out that this security breach is not related to ransomware.

    “Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully. The relevant authorities have been notified and we are working closely with them. This incident is not related to ransomware.” reads the incident response notice published by the company.

    In response to the security breach, the company revoked all security-related certificates, and systems were remediated or replaced where necessary.

    The company also plans to revoke the existing code signing certificate used to sign its binaries.

    AnyDesk remarked that its systems don’t store private keys, security tokens or passwords that could be exploited by threat actors to target end-user devices. As a precaution, the company also revoked all passwords to the web portal my.anydesk.com, and recommended that users change their passwords if the same credentials are used elsewhere.

    Researchers at cybersecurity firm Resecurity identified threat actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.


    Resecurity experts pointed out that cybercriminals familiar with the incident may be hurrying to monetize AnyDesk customer credentials acquired from different sources, anticipating that AnyDesk will proactively reset them. Such data could be extremely valuable to initial access brokers and to ransomware groups, which often abuse AnyDesk as a remote-access tool after a successful network intrusion. Notably, according to additional context obtained from the actor, the majority of the exposed accounts did not have 2FA enabled.

    “The samples provided by the threat actors were related to compromised access credentials that belong to various consumers and enterprises, and which grant access to the AnyDesk customer portal. As a security measure, the threat actor sanitized some of the passwords. The threat actor offered 18,317 accounts for $15,000 to be paid in cryptocurrency.” reported Resecurity. “He also agreed to make a deal via escrow on Exploit. Resecurity reached out to the majority of the contacts identified as potential victims and confirmed they had used AnyDesk products recently or long ago. The threat actor didn’t share any additional information.”


    Pierluigi Paganini

    (SecurityAffairs – hacking, AnyDesk)

    The ‘Mother of all Breaches’: Navigating the Aftermath and Fortifying Your Data with DSPM

    4 February 2024 at 21:19

    What is Data Security Posture Management (DSPM), and how can it mitigate the risks of data leaks such as the ‘Mother of All Breaches’?

    Cybersecurity researchers recently uncovered what is now being dubbed the ‘Mother of all Breaches.’ With over 26 billion personal records exposed, this data leak has set a new, unfortunate record. The dataset is largely an aggregation of records from earlier breaches, including data originally taken from platforms such as Twitter, LinkedIn, and Dropbox, which highlights how long leaked data keeps circulating and how widely it spreads.

    The leaked information includes a staggering amount of sensitive personal details, making users susceptible to identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts. What makes this breach particularly alarming is the inclusion of records from various government organizations across the United States, Brazil, Germany, the Philippines, Turkey, and more.

    As the cybersecurity community grapples with the aftermath of this massive data leak, it’s essential to reflect on the implications and consider proactive measures to avoid such catastrophes in the future. One key aspect that emerges from this incident is the growing security gap in the cloud, where the data housed within the infrastructure becomes a vulnerable target.

    The Cloud Data Security Gap and the Rise of DSPM

    The increasing reliance on cloud storage for sensitive data has given rise to a significant security gap, commonly referred to as the cloud data security gap. According to a recent report, in 2023, cloud-based data breaches made up 45% of all breaches. This gap represents the disparity between the security measures implemented for cloud infrastructure and the actual security of the data residing within it. It is in response to this challenge that the concept of Data Security Posture Management (DSPM) has gained prominence.

    DSPM diverges from traditional Cloud Security Posture Management (CSPM) solutions by focusing on the data itself rather than just identifying vulnerabilities in the cloud infrastructure. CSPM may be effective in pinpointing weaknesses in the infrastructure, but it often falls short in addressing the unique challenges posed by securing sensitive data in dynamic and distributed cloud environments.

    How DSPM Mitigates the Risk of Catastrophic Data Breaches

    Finding and Eliminating Shadow Data:

    Shadow data, scattered across locations that sit outside the organization’s data management framework and security policies, poses a significant risk. DSPM solutions locate shadow data and provide actionable guidance for deleting or remediating it. They find sensitive information wherever it resides, discover duplicate copies, and scrutinize who holds privileges over each copy, reducing the risk of unauthorized access.

    Identifying Over-Privileged Users and Third Parties:

    Controlling access to data is a fundamental principle of cybersecurity, but traditional access controls are tied to specific data stores. DSPM extends access control policies across cloud environments, ensuring that access control travels with the data, even when it is copied or moved. This prevents situations where copied data no longer adheres to the original access control policies.

    Identifying Data Movement and Ensuring Security Posture Follows:

    In the dynamic landscape of cloud computing, data moves seamlessly, but its security posture may not necessarily follow. DSPM solutions monitor data movement, detect changes in security posture, and alert relevant teams for remediation. By focusing on securing sensitive data rather than just cloud infrastructure, DSPM provides a comprehensive solution to the challenges posed by the distributed nature of cloud computing.
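    The three capabilities above (finding ungoverned copies, spotting readers the original never granted, and noticing when a copy’s posture is weaker than the original’s) reduce to one comparison: copies of the same data are recognised by content fingerprint, and each copy is measured against the best-governed copy. The following is an added example written for this article; it is not Sentra’s product or any DSPM vendor’s code. The inventory, the stores, the principals and the organisation domain `example.com` are all constructed, and the “third party” heuristic (any reader outside that domain) is an assumption made for the illustration.

```python
"""Posture-drift detection over a data inventory.

Added example for this article, not a vendor's DSPM implementation.
Copies of the same sensitive data are recognised by content hash; the
governed copy with the strongest posture is the reference, and every
other copy is compared against it for (a) living outside governance,
(b) readers the reference never granted, (c) weaker exposure or
encryption posture, plus (d) third-party readers on any copy.
All locations, principals and the ORG_DOMAIN are made up.
"""
from collections import defaultdict
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumed identity domain of the organisation


@dataclass(frozen=True)
class DataAsset:
    location: str        # where the data lives, e.g. an S3 or GCS URI
    content_hash: str    # fingerprint of the content; equal hashes mean copies
    classification: str  # "public", "internal", "pii", "pci", ...
    managed: bool        # tracked by the organisation's data-governance framework?
    encrypted: bool      # encrypted at rest?
    public: bool         # reachable anonymously / from the internet?
    readers: frozenset   # principals allowed to read it


@dataclass(frozen=True)
class Finding:
    kind: str      # shadow-copy | over-privileged | third-party-access | posture-drift | unmanaged-only
    location: str
    detail: str


def reference_copy(copies):
    """The governed copy with the strongest posture; its policy is what should travel with the data."""
    managed = [a for a in copies if a.managed]
    if not managed:
        return None
    # Sort: not public first, encrypted first, fewest readers, then a stable tie-break.
    return min(managed, key=lambda a: (a.public, not a.encrypted, len(a.readers), a.location))


def find_drift(inventory):
    by_hash = defaultdict(list)
    for asset in inventory:
        by_hash[asset.content_hash].append(asset)

    findings = []
    for copies in by_hash.values():
        if all(a.classification == "public" for a in copies):
            continue  # nothing sensitive to protect
        origin = reference_copy(copies)
        for a in copies:
            third_party = {r for r in a.readers if not r.endswith("@" + ORG_DOMAIN)}
            if third_party:
                findings.append(Finding("third-party-access", a.location,
                                        f"external principals: {sorted(third_party)}"))
            if origin is None:
                findings.append(Finding("unmanaged-only", a.location,
                                        "sensitive data with no governed copy"))
                continue
            if a is origin:
                continue
            if not a.managed:
                findings.append(Finding("shadow-copy", a.location,
                                        f"ungoverned copy of {origin.location}"))
            extra = a.readers - origin.readers
            if extra:
                findings.append(Finding("over-privileged", a.location,
                                        f"readers not granted on {origin.location}: {sorted(extra)}"))
            if a.public and not origin.public:
                findings.append(Finding("posture-drift", a.location, "public copy of non-public data"))
            if origin.encrypted and not a.encrypted:
                findings.append(Finding("posture-drift", a.location, "unencrypted copy of encrypted data"))
    return findings


# Constructed inventory: one customer dataset (hash "h1") copied four times, one public asset.
SAMPLE_INVENTORY = [
    DataAsset("s3://prod-customers/customers.parquet", "h1", "pii", True, True, False,
              frozenset({"data-eng@example.com", "billing-svc@example.com"})),
    DataAsset("s3://dr-backup/customers.parquet", "h1", "pii", True, True, False,
              frozenset({"data-eng@example.com", "billing-svc@example.com"})),
    DataAsset("s3://analytics-scratch/customers_copy.parquet", "h1", "pii", False, False, False,
              frozenset({"data-eng@example.com", "intern@example.com", "vendor@partner.example"})),
    DataAsset("s3://marketing-site/export.csv", "h1", "pii", True, True, True,
              frozenset({"data-eng@example.com"})),
    DataAsset("gs://public-assets/logo.png", "h2", "public", True, False, True, frozenset({"*"})),
]

if __name__ == "__main__":
    for f in find_drift(SAMPLE_INVENTORY):
        print(f"{f.kind:20} {f.location}  ({f.detail})")
```

    On the constructed inventory the production copy and its backup produce no findings, the public logo is ignored because nothing in it is sensitive, the analytics scratch copy is flagged four times (ungoverned, extra readers, a third-party reader, unencrypted), and the marketing export is flagged once for being public. A real DSPM deployment replaces the hand-written inventory with discovery across cloud accounts and the hash with a classifier, but the comparison against the reference copy is the same.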

    Conclusion

    The recent ‘Mother of all Breaches’ serves as a stark reminder of the evolving threats in cyberspace. As organizations grapple with the fallout, adopting a data-centric approach through DSPM emerges as a crucial step in fortifying against catastrophic data breaches. By ensuring that sensitive data always maintains the correct security posture, DSPM not only reduces the risk of breaches but also instills confidence in users and administrators regarding data security in the cloud. As the digital landscape continues to evolve, proactive measures like DSPM are essential for safeguarding the integrity of sensitive information in an increasingly interconnected world.

    About the author: Ron Reiter, CTO and co-founder of Sentra.


    Pierluigi Paganini

    (SecurityAffairs – hacking, Mother of all Breaches)

    Crooks stole $25.5 million from a multinational firm using a ‘deepfake’ video call

    5 February 2024 at 10:50

    Scammers stole HK$200 million (roughly $25.5 million) from a multinational company using a deepfake video conference call to trick an employee into transferring the funds.

    Scammers successfully stole HK$200 million (approximately $25.5 million) from a multinational company in Hong Kong by employing a deepfake video call to deceive an employee into transferring the funds.

    The employee attended a video conference call with deepfake recreations of the company’s chief financial officer (CFO) and other employees who instructed him to transfer the funds.

    The news was reported by The South China Morning Post; the local authorities did not name the company.

    “Everyone present on the video calls except the victim was a fake representation of real people. The scammers applied deepfake technology to turn publicly available video and other footage into convincing versions of the meeting’s participants.” reads the post published by The South China Morning Post.

    The scammers used publicly available footage of the company employees and used deepfake technology to create fake versions of the participants of the meeting.

    The crooks targeted an employee in the company’s finance department. They sent him an email urging him to join a video call with the UK-based CFO to receive instructions for transactions to be performed.

    The employee executed the money transfers during the meeting, moving around HK$200 million to five bank accounts in 15 transactions.

    The employee discovered the scam a week later and notified the company and local authorities.

    “Hong Kong police senior superintendent Baron Chan said that during the video call, the employee was asked to do a self-introduction, but did not interact with anyone else.” reported the website The Star.

    “The “fake” colleagues gave orders to the victim, and the meeting ended abruptly after, added Chan.”

    The police revealed that the scammers also targeted other employees of the company with the same technique, but the attempts failed.

    The investigation is still ongoing, and the police have yet to identify the gang behind the scam.


    Pierluigi Paganini

    (SecurityAffairs – hacking, deepfake)
