Financial Business and Consumer Solutions (FBCS) suffered a data breach that exposed information 2 million individuals.

Debt collection agency Financial Business and Consumer Solutions (FBCS) disclosed a data breach that may have impacted 1,955,385 individuals.

FBCS, a third-party debt collection agency, collects personal information from its clients to facilitate debt collection activities on behalf of those clients.

The agency discovered the unauthorized access on February 26, 2024 and immediately took steps to secure the impacted infrastructure and launched an investigation with the help of third-party forensics experts.

According to the agency, compromised information may include names, dates of birth, Social Security numbers, and account information.

The organization discovered that the unauthorized access occurred between February 14 and February 26, 2024.

“On February 26, 2024, FBCS discovered unauthorized access to certain systems in its network. This incident did not impact computer systems outside of FBCS’s network, including those of its clients.” reads the notice of data breach. “The investigation determined that the environment was subject to unauthorized access between February 14 and February 26, 2024, and the unauthorized actor had the ability to view or acquire certain information on the FBCS network during the period of access.”

Financial Business and Consumer Solutions is not aware of misuse of any information exposed after this incident. Starting on April 4, 2024, the agency began notifying impacted customers.

The company is providing potentially impacted individuals with 12 months of free credit monitoring services.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, data breach)

A Belarusian group of activist group claims to have infiltrated the network of the country’s main KGB agency.

The Belarusian hacktivist group Cyber-Partisans claims to have infiltrated the network of the country’s main KGB security agency. The hackers had access to personnel files of over 8,600 employees.

#belarus #kgb got hacked by @cpartisans. The KGB website is down for 2months. KGB database leaked on our tg channel https://t.co/64lo0JPf4i pic.twitter.com/gmWeXtj3Xr

— Belarusian Cyber-Partisans (@cpartisans) April 27, 2024

On Friday, the website of the Belarusian KGB showed an empty page that displayed the message “in the process of development”.

The Cyber-Partisans group published on its Telegram channel a series of documents as proof of the hack, including the list of the website’s administrators, the underlying database, and server logs.

“Cyberpartisans and the mystery of the broken KGB website

The official website of the KGB of the Republic of Belarus has not been working for more than 2 months. And all because the Cyber Partisans got there in the fall of 2023 and pumped out all the available information.

Alas, we made a little noise and had to close the site. We are posting a list of admins as proof. See the site database and server logs in a separate post below.” reads the message published by the group on Telegram.

The Cyber-Partisans coordinator Yuliana Shametavets told The Associated Press that the attack on the KGB “was a response” to the agency’s chief Ivan Tertel, who accused the group of preparing attacks on the Belarus’ critical infrastructure, including a nuclear power plant. The group remarked that the target of its attacks are not Belarusians but the county government.

“KGB PROVOKATION: Cyber partisans are planning attacks on a nuclear power plant.” below the message published by the group on Telegram

“We don’t plan to. And we never planned. Because we work to save the lives of Belarusians, not to destroy them. Unlike the Lukashenko regime. But we have already said that in general an attack on the BelNPP is technically possible. While there is a dictator in power, under whom they would rather switch to pieces of paper than provide normal protection against cyber attacks.”

“The KGB is carrying out the largest political repressions in the history of the country and must answer for it,” Shametavets said. “We work to save the lives of Belarusians, and not to destroy them, like the repressive Belarusian special services do.”

Shametavets confirmed that the Cyber-Partisans group exfiltrated the personal files of more than 8,600 KGB employees.

Cyber-Partisans also launched Telegram chatbot that would allow citizens to unmask KGB operatives by uploading their photos.

“We publish interesting entries from the database of citizens’ appeals to the KGB of the Republic of Belarus.” reads another message posted on Telegram. “We even identified some informers for you.

Denunciations from citizens of Poland, Germany, Azerbaijan against Belarusians.
Denunciation of citizens of Lithuania and Ukraine against their compatriots for supporting the Armed Forces of Ukraine.
Complaints about Cyber Partisans, the Black Card of the Occupiers, etc.”

The Belarus Cyber-Partisans is a hacktivist group that has been active since 2020. Formed in the wake of the disputed 2020 election and subsequent crackdown on protests, the Cyber-Partisans target Belarusian government institutions.

The Cyber-Partisans group has conducted numerous attacks on Belarusian state media over the past four years. In 2022, they targeted Belarusian Railways multiple times, seizing control of its traffic lights and control system. This action disrupted the transit of Russian military equipment into Ukraine via Belarus.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Belarus)

The Los Angeles County Department of Health Services reported a data breach that exposed thousands of patients’ personal and health information.

The Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees.

Los Angeles County Department of Health Services operates the public hospitals and clinics in Los Angeles County, and is the United States’ second largest municipal health system, after NYC Health + Hospitals.

The phishing attack occurred between February 19, 2024, and February 20, 2024. Attackers obtained the credentials of 23 DHS employees.

“A phishing e-mail tries to trick recipients into giving up important information. In this case, the DHS employees clicked on the link located in the body of the e-mail, thinking that they were accessing a legitimate message from a trustworthy sender.” reads the data breach notification sent to the impacted individuals. “Due to the ongoing investigation by law enforcement, we were advised to delay notifying you of this incident until now, as public notice may have hindered their investigation.”

The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.

Social Security Numbers (SSN) or financial information was not compromised.

The Los Angeles County Department of Health Services took several steps in response to the security breach, including conducting an administrative review, implementing additional controls to prevent future attacks, and enhancing employee training on identifying and responding to phishing campaigns.

DHS is going to notify affected individuals and relevant regulatory agencies, including the California Department of Public Health and the U.S. Department of Health & Human Services’ Office for Civil Rights, as required by law or contract.

The DHS encourages patients to review the content and accuracy of the information in their medical records with their medical provider. The company is also providing recommendations to patients to protect their information.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Los Angeles County DHS)

Multiple flaws in Brocade SANnav storage area network (SAN) management application can allow to compromise impacted appliances.

Multiple vulnerabilities found in the Brocade SANnav storage area network (SAN) management application could potentially compromise affected appliances.

The following vulnerabilities, discovered by the security researcher Pierre Barre, impact all versions up to 2.3.0 (included):

1. CVE-2024-4159 – Incorrect firewall rules
2. non-assigned CVE vulnerability – Lack of encryption for management protocol (HTTP)
3. CVE-2024-4161 – Syslog traffic sent in clear-text
4. CVE-2024-29966 – Insecure root access
5. non-assigned CVE vulnerability – Insecure sannav access
6. CVE-2024-2859 – Insecure SSH configuration
7. CVE-2024-29961 – Suspicious network traffic (ignite.apache.org)
8. non-assigned CVE vulnerability – Lack of authentication in Postgres
9. CVE-2024-29967 – Insecure Postgres Docker instance
10. CVE-2024-29967 – Insecure Docker instances
11. CVE-2024-29964 – Insecure Docker architecture and configuration
12. CVE-2024-29965 – Insecure Backup process
13. CVE-2024-4159 – Inconsistency in firewall rules
14. CVE-2024-29962 – Insecure file permissions
15. CVE-2024-4173 – Kafka reachable on the WAN interface and Lack of authentication
16. CVE-2024-29960 – Hardcoded SSH Keys
17. CVE-2024-29961 – Suspicious network traffic (www.gridgain.com)
18. CVE-2024-29963 – Hardcoded Docker Keys

The most severe flaw is an Insecure SSH configuration tracked as CVE-2024-2859 (CVSS score of 8.8). An unauthenticated, remote attacker can exploit the vulnerability to log in to a vulnerable device using the root account and execute arbitrary commands.

Another severe issue is related to the presence of Hardcoded Docker Keys tracked as CVE-2024-29963 (CVSS score of 8.6).

Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. According to the advisory published by Broadcom, Brocade SANnav doesn’t have access to remote Docker registries, and knowledge of the keys is a minimal risk as SANnav is prevented from communicating with Docker registries.

“The security assessment was provided in September 2022 to the Brocade support through Dell but it was rejected by Brocade because it didn’t address the latest version of SANnav.” wrote Barre.

“Luckily, I was able to get access to the latest version of SANnav in May 2023 (the latest version was 2.2.2 then) and confirmed that all the previously rejected vulnerabilities were still present in the version 2.2.2 and as a bonus point, I was able to find 3 additional 0-day vulnerabilities while updating the report. An updated report confirming all the vulnerabilities in the 2.2.2 version was sent to Brocade PSIRT in May 2023 and they finally aknowledged the vulnerabilities. The patches were released in April 2024, 19 months after Brocade firstly rejected the vulnerabilities and 11 months after Brocade acknowledged the vulnerabilities. An attacker can compromise a SANNav appliance. After compromising SANNav, it is trivial to compromise Fibre Channel switches. These switches are running Linux and are powerful. They are ideal to host implants.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Brocade)

ICICI Bank, a major private bank in India, mistakenly exposed the sensitive data of thousands of new credit cards to unintended recipients.

ICICI Bank, one of the leading private banks in India, accidentally exposed data of thousands of new credit cards to customers who were not the intended recipients.

ICICI Bank Limited is an Indian multinational bank and financial services company headquartered in Mumbai. It offers a wide range of banking and financial services for corporate and retail customers.

The bank has a network of 6000 branches, and 17000 ATMs across India and has a presence in 17 countries.

The bank blocked 17,000 credit cards due to a technical bug in its mobile banking app, ‘iMobile.’ The glitch allowed users to card details of other customers. Exposed financial information includes credit card numbers, expiry dates, and card verification values (CVV).

This is the Response from @ICICIBank pic.twitter.com/uXcdH3lO9i

— Ravisutanjani (@Ravisutanjani) April 25, 2024

The bank became aware of the glitch after some customers reported it on social media.

“As an immediate measure, we have blocked these cards and are issuing new ones to the customers.” the ICICI Bank spokesperson told the newspaper Times Of India. “We regret the inconvenience caused. No instance of misuse of a card from this set has been reported to us. However, we assure that the Bank will appropriately compensate a customer in case of any financial loss.”

The bank states that the incident impacted about 0.1% of the bank’s credit card portfolio.

ICICI Bank is issuing new credit cards to the impacted customers.

In April 2023, researchers at Cybernews reported that ICICI Bank leaked millions of records with sensitive data, including financial information and personal documents of the bank’s clients.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, data leak)

Identity and access management services provider Okta warned of a spike in credential stuffing attacks aimed at online services.

In recent weeks, Okta observed a surge in credential stuffing attacks against online services, aided by the widespread availability of residential proxy services, lists of previously compromised credentials (“combo lists”), and automation tools.

“Over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (“combo lists”), and scripting tools.” reads the advisory published by Okta.

From March 18, 2024, to April 16, 2024, Duo Security and Cisco Talos observed large-scale brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces and SSH services. 

Below is a list of known affected services: 

• Cisco Secure Firewall VPN 
• Checkpoint VPN  
• Fortinet VPN  
• SonicWall VPN  
• RD Web Services 
• Miktrotik 
• Draytek 
• Ubiquiti 

From April 19, 2024 through to April 26, 2024, the Okta Identity Threat Research team observed a spike in credential stuffing activity against user accounts from what appears to be similar infrastructure.

A credential stuffing attack is a type of cyber attack where hackers use large sets of username and password combinations, typically obtained from previous data breaches, phishing campaigns, or info-stealer infections, to gain unauthorized access to user accounts on various online services. Credential stuffing attacks exploit the widespread practice of using the same login credentials across multiple online accounts. Attackers automate the process of trying these credentials on various websites until they find a match, granting them unauthorized access to compromised accounts. This method poses a risk of exposing sensitive data or enabling fraudulent activities.

The attacks recently observed by Okta route requests through anonymizing services like TOR and residential proxies such as NSOCKS, Luminati, and DataImpulse. The experts noticed that millions of requests have been routed through these services.

Residential proxies (RESIPs) are networks of legitimate user devices used to route traffic for paying subscribers, often without their knowledge. Threat actors use these RESIPs to evade detection. Users may consciously download “proxyware” for payment or other benefits, or their devices may be infected with malware unknowingly, turning them into part of a botnet.

“The net sum of this activity is that most of the traffic in these credential stuffing attacks appear to originate from the mobile devices and browsers of everyday users, rather than from the IP space of VPS providers. For more information on residential proxy services, we recommend this informative summary by CERT Orange Cyberdefense and Sekoia.” continues the advisory.

The advisory includes recommendations to mitigate the risk of account takeovers from credential stuffing attacks along with TTPs used in recent campaigns.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, credential stuffing)

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Hackers may have accessed thousands of accounts on the California state welfare platform

Brokewell Android malware supports an extensive set of Device Takeover capabilities

Experts warn of an ongoing malware campaign targeting WP-Automatic plugin

Cryptocurrencies and cybercrime: A critical intermingling

Kaiser Permanente data breach may have impacted 13.4 million patients

Over 1,400 CrushFTP internet-facing servers vulnerable to CVE-2024-4040 bug

Sweden’s liquor supply severely impacted by ransomware attack on logistics company

CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog

CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog

DOJ arrested the founders of crypto mixer Samourai for facilitating $2 Billion in illegal transactions

Google fixed critical Chrome vulnerability CVE-2024-4058

Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks

Hackers hijacked the eScan Antivirus update mechanism in malware campaign

US offers a $10 million reward for information on four Iranian nationals

The street lights in Leicester City cannot be turned off due to a cyber attack

North Korea-linked APT groups target South Korean defense contractors

U.S. Gov imposed Visa restrictions on 13 individuals linked to commercial spyware activity

A cyber attack paralyzed operations at Synlab Italia

Hackers threaten to leak a copy of the World-Check database used to assess potential risks associated with entities

Windows DOS-to-NT flaws exploited to achieve unprivileged rootkit-like capabilities

A flaw in the Forminator plugin impacts hundreds of thousands of WordPress sites

Akira ransomware received $42M in ransom payments from over 250 victims

DuneQuixote campaign targets the Middle East with a complex backdoor

International Press Newsletter

Cybercrime    

Malware dev lures child exploiters into honeytrap to extort them

Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist  

Founders And CEO Of Cryptocurrency Mixing Service Arrested And Charged With Money Laundering And Unlicensed Money Transmitting Offenses 

Alcohol sales disrupted in Sweden after reported ransomware attack      

Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers

Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme  

Malware

#StopRansomware: Akira Ransomware

Malvertising campaign targeting IT teams with MadMxShell      

GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining  

New Malware Campaign Targets WP-Automatic Plugin  

Brokewell: do not go broke from new banking malware! 

Hacking 

MagicDot: A Hacker’s Magic Show of Disappearing Dots and Spaces

Leicester street lights stuck on all day due to cyber attack  

Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise  

GPT-4 can exploit security flaws on its own, study shows

Hackers accessed more than 19,000 accounts on California state welfare platform     

Android TVs Can Expose User Email Inboxes

Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance   

Intelligence and Information Warfare 

DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials   Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials   

North Korea hacking teams hack South Korea defence contractors – police

Treasury Designates Iranian Cyber Actors Targeting U.S. Companies and Government Agencies       

ArcaneDoor – New espionage-focused campaign found targeting perimeter network devices  

Israel Tried to Keep Sensitive Spy Tech Under Wraps. It Leaked Abroad    

Australia’s spy chief warns AI set to inflame radicalisation 

German spy agency warns companies against being too “naive” on China  

Cybersecurity   

Promoting Accountability for the Misuse of Commercial Spyware  

Google Patches Critical Chrome Vulnerability  

2023: A ‘Good’ Year for OT Cyberattacks     

Chaturbate Will Pay Texas $675,000 for Violating New Porn Age Verification Law

UK’s Investigatory Powers Bill to become law despite tech world opposition

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

A hacking campaign targeted Ukraine exploiting a seven-year-old vulnerability in Microsoft Office to deliver Cobalt Strike.

Security experts at Deep Instinct Threat Lab have uncovered a targeted campaign against Ukraine, exploiting a Microsoft Office vulnerability dating back almost seven years to deploy Cobalt Strike on compromised systems.

The researchers found a malicious PPSX (PowerPoint Slideshow signal-2023-12-20-160512.ppsx) file uploaded from Ukraine to VirusTotal at the end of 2023.

The file, although labeled as shared through the Signal app, might not have been originally sent via the application. It’s a PPSX file, seemingly an outdated US Army manual for tank mine clearing blades (MCB).

The PPSX file contains a remote link to an external OLE object. The researchers pointed out that the use of the “script:” prefix demonstrates the exploitation of the vulnerability CVE-2017-8570, a bypass for CVE-2017-0199. The remote script, named “widget_iframe.617766616773726468746672726a6834.html,” was hosted on “weavesilk[.]space,” protected by CloudFlare. Despite this, the true hosting behind the domain was identified as a Russian VPS provider. The scriptlet contents are heavily obfuscated.

The second stage dropper is an HTML file containing JavaScript code executed via Windows cscript.exe. The script sets up persistence, decode, and save the embedded payload to disk disguised as Cisco AnyConnect VPN file.

The payload includes a dynamic-link library (vpn.sessings) that injects the post-exploitation tool Cobalt Strike Beacon into memory and awaits commands from the C2 server. Threat actors used a cracked version of Cobalt Strike.

The DLL also implements features to evade detection and avoid analysis by security experts.

The Deep Instinct Threat Lab could not attribute the attacks to a known threat actor. Evidence collected by the experts demonstrates the sample originated from Ukraine, a Russian VPS provider hosted the second stage, and the Cobalt beacon C&C was registered in Warsaw, Poland.

“The lure contained military-related content, suggesting it was targeting military personnel. But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (http://weavesilk.com) and a popular photography site (https://petapixel.com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.” concludes the report. “As of the day of discovery, the loader was undetectable by most engines, while Deep Instinct prevented it on day 0.”

The report includes Indicators of Compromise (IoCs).

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Ukraine)

Threat actors accessed more than 19,000 online accounts on a California state platform for welfare programs.

Threat actors breached over 19,000 online accounts on a California state platform dedicated to welfare programs.

Officials reported that the security breach occurred on February 9, when someone logged into some BenefitsCal users’ accounts. Threat actors exploited reused passwords obtained from third-party websites.

BenefitsCal, a California-based web platform, enables users to apply for and oversee a range of welfare programs, encompassing food stamps, cash assistance, and medical benefits.

“On February 9, 2024, BenefitsCal discovered that someone, that was not allowed, may have logged into accounts of some users of the BenefitsCal website using reused passwords taken from other websites. Your account may have been one of those accessed.” reads the data breach notification filed by officials at the California Statewide Automated Welfare System. “BenefitsCal took immediate steps to protect you by temporarily inactivating your account. Someone that was not allowed may have accessed your account between March 1, 2023 and February 13, 2024. In reviewing your account use during that time, your personal information may have been accessed”

According to the date breach notification, potentially compromised information may have included users name, address, date of birth, full or last four digits of Social Security Number, email address, phone number, EBT card number, case number, Medi-Cal ID number and information about their program eligibility and benefits.

BenefitsCal is notifying impacted users and providing them with instructions on what they can do.

In response to the incident, the agency deactivated accounts and launched an investigation that revealed attackers had access from March 1, 2023 and February 13, 2024. 

“In addition to temporarily inactivating your account, BenefitsCal took additional steps to further secure your account prior to using it again, including requiring you to provide not just your password but confirm that you are the one asking to access the account through either your email or your phone number when logging in.” continues the notification. “We also reissued your EBT card if you have one. BenefitsCal has also added other security changes to reduce the risk of a someone potentially accessing information that is not allowed.”

The California state welfare platforms also implemented additional security measures to protect the accounts, including enabling 2FA.

Users are recommended to use strong passwords and avoid reusing the same credentials for multiple websites.  

It’s unclear if the agency plans to offer free identity protection services to the impacted individuals. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, California state welfare)

ThreatFabric researchers identified a new Android malware called Brokewell, which implements a wide range of device takeover capabilities.

ThreatFabric researchers uncovered a new mobile malware named Brokewell, which is equipped with sophisticated device takeover features. The experts pointed out that this malware is actively evolving and poses a severe risk to the banking sector. The author frequently adds new commands.

The attack chain starts with fake application updates for popular software, such as the Chrome browser and the Austrian digital authentication application.

Brokewell employs overlay attacks to overlap a fake screen over legitimate applications, capturing user credentials. The malicious code also has the capability to steal cookies. By launching its own WebView and overriding the onPageFinished method, Brokewell loads the authentic website, captures session cookies during the login process, and transmits them to the C2 server.

Brokewell malware supports “accessibility logging,” it records any device events such as touches, swipes, displayed information, text input, and opened applications. Then it transmits logs to the C2 server, effectively capturing confidential data displayed or entered on the compromised device. The experts explained that potentially all applications on the device are vulnerable to data compromise as Brokewell logs every event.

The malware also supports multiple “spyware” functionalities, it can gather device information, call history, geolocation, and record audio.

“After stealing the credentials, the actors can initiate a Device Takeover attack using remote control capabilities. To achieve this, the malware performs screen streaming and provides the actor with a range of actions that can be executed on the controlled device, such as touches, swipes, and clicks on specified elements.” reads the report published by ThreatFabric.

Brokewell supports various commands that allow to take full control of the device. The malware can also perform various actions on the screen, including touches, swipes, clicks, scrolls, text input, and more.

Researchers discovered that one of the C2 servers of this malware was hosting a repository called Brokewell Cyber Labs.

The repository contained the source code for a ‘Brokewell Android Loader,’ Brokewell and the loader were both developed by a threat actor called Baron Samedit.

The Brokewell Android Loader can bypass Android 13+ restrictions, experts believe it can be used in the future to spread other malware families.

Analysis of the “Baron Samedit” profile shows that the threat actor has been active for at least two years, initially involving tools for checking stolen accounts across various services.

“The discovery of a new malware family, Brokewell, which implements Device Takeover capabilities from scratch, highlights the ongoing demand for such capabilities among cyber criminals. These actors require this functionality to commit fraud directly on victims’ devices, creating a significant challenge for fraud detection tools that heavily rely on device identification or device fingerprinting.” concludes the report.

“We anticipate further evolution of this malware family, as we’ve already observed almost daily updates to the malware. Brokewell will likely be promoted on underground channels as a rental service, attracting the interest of other cybercriminals and sparking new campaigns targeting different regions.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)

A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and web shells into websites

WordPress security scanner WPScan warns that threat actors are exploiting a critical SQL injection vulnerability in the plugin WordPress Automatic to inject malware into websites.

The premium plugin “Automatic” developed by ValvePress enables users to automatically post content from any website to WordPress, including RSS feeds. It has over 38,000 paying customers.

The vulnerability, tracked as CVE-2024-27956 (CVSS score of 9.8), resides in WP‑Automatic plugin’s handling of user authentication in one file. An attacker can exploit the issue to inject code into the site’s database and gain admin‑level privileges.

“A few weeks ago a critical vulnerability was discovered in the plugin WP‑Automatic. This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.” reads the advisory.

Threat actors can exploit the flaw by sending specially crafted requests, resulting in the injection of arbitrary SQL code into the site’s database.

The vulnerability was originally reported by PatchStack on March 13, 2024, and since then WPScan researchers observed 5,576,488 attack attempts. The researchers noticed that attack campaign started slowly and reached its peak on March 31, 2024.

Once the attackers have created an admin‑level account can upload malicious files such as web shells or backdoors and compromise the underlying server.

Researchers observed attackers renaming the vulnerable WP-Automatic file to prevent other threat actors from exploiting it, ensuring exclusive access for themselves.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to avoid other bad actors to successfully exploit their already compromised sites.” reads the advisory published by WPScan. “Also, since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.”

The vulnerability impacted WP‑Automatic Versions before 3.9.2.0, version 3.92.1 addressed it.

Admins are recommended to update their installs as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement in this sector

Cryptocurrencies have revolutionized the financial world, offering new investment opportunities and decentralized transactions. However, as cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement in this sector.

The natural ambiguity of cryptocurrencies

Cryptocurrencies, like Bitcoin, are decentralized and pseudonymous, which makes them a breeding ground for criminal activities. Indeed, while anonymity provides privacy and security for transactions, it can also be exploited by criminals for illicit activities, such as money laundering, drug trafficking, illegal arms sales, and terrorist financing. Cybercrime is no longer limited to simple cyberattacks, but has evolved into a form of organized crime that exploits cryptocurrencies for activities such as money laundering and corruption, finding vast and attractive new territory in the darkweb. Here, cybercrime can operate with greater freedom, exploiting the anonymity and irreversibility of cryptocurrency transactions.

Cryptocurrency transactions are used by cybercrime for various purposes, taking advantage of certain characteristics inherent in the very nature of cryptocurrencies such as anonymity, irreversibility, difficulty of traceability, ease of transactions, and the variety of cryptocurrencies in circulation.

Emerging threats

Cybercrime often exploits precisely the lack of regulation and centralized controls of cryptocurrencies to deceive investors and embezzle funds through various forms of phishing, investment scams, digital wallet theft, ransomware, and illegal mining. In particular, ransomware, which encrypts users’ data and demands a cryptocurrency ransom for their release or to avoid a dataleak, is becoming increasingly prevalent, causing financial and operational damage to individuals and businesses worldwide.

Money laundering via cryptocurrency

Money laundering through cryptocurrencies has become a worrisome practice followed by cybercrime. Criminals create cryptocurrency wallets using randomly generated digital addresses or services that offer a greater degree of anonymity. They may also use tumbling services (https://en.wikipedia.org/wiki/Cryptocurrency_tumbler) to mix cryptocurrencies from different sources and cryptocurrencies designed to provide greater anonymity, such as Monero or Zcash, which implement advanced techniques to hide transactions.

They may also seek to minimize interaction with exchange platforms that may impose KYC (Know Your Customer, (https://en.wikipedia.org/wiki/Know_your_customer) and AML (Anti Money Laundering, (https://en.wikipedia.org/wiki/Anti%E2%80%93money_laundering) rules. Money laundering can also involve fraudulent investments, where criminals use illegally obtained cryptocurrencies to participate in fake ICOs (https://it.wikipedia.org/wiki/Initial_coin_offering) or to buy digital assets.

Cryptojacking

Cryptojacking, an illicit activity in which third-party resources are exploited without authorization to mine cryptocurrencies, is another significant threat that also jeopardizes the security of the devices involved. Compromised websites and malware are often at the root of these types of attacks. Specifically, the most common forms of cryptojacking involve the use of hidden scripts in websites or online ads, malware, and infected applications.

The fight against cybercrime

Government authorities and financial institutions are stepping up efforts to combat cybercrime in the cryptocurrency sector. Anti-money laundering laws and cybersecurity regulations have been strengthened to monitor and regulate cryptocurrency transactions. In addition, cryptocurrency exchange platforms are implementing more stringent security measures, such as two-factor authentication and advanced encryption, to protect users’ funds.

Educate and protect users and investors

To effectively counter cybercrime, it is essential to understand the nature and techniques used by criminals. Prevention comes through educating users and taking robust security measures to protect their digital assets. Another crucial aspect in the fight against cybercrime in the cryptocurrency world is also investor education. Users must be aware of the risks associated with investing in cryptocurrencies and adopt robust cybersecurity practices, such as using hardware wallets and avoiding sharing sensitive information online. In addition, it is essential that investors do thorough research before making any transactions and consult reliable sources for information on the safety and legality of cryptocurrencies.

Possible mitigations

Cryptocurrencies undoubtedly offer significant benefits, but it is important to recognize and address the challenges associated with cybercrime in this sector. Through a combination of effective regulation, advanced cybersecurity, and investor education, it is possible to mitigate the risks and foster a safer and more reliable environment for cryptocurrency adoption and use.

In this context, therefore, the combination of stricter regulations, advanced technological tools and public awareness can help mitigate the threat. It could be a key strategy to strengthen KYC and AML regulations for platforms and services, regulate ICOs to prevent financial scams, increase information exchange between authorities in different jurisdictions, and collaborate with the financial industry to create security and prevention solutions.

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazine on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Nigerian fraud)

Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals in the United States.

Kaiser Permanente is an American integrated managed care consortium, it is made up of three distinct but interdependent groups of entities: the Kaiser Foundation Health Plan, Inc. (KFHP) and its regional operating subsidiaries; Kaiser Foundation Hospitals; and the regional Permanente Medical Groups.

The health giant operates 39 hospitals and more than 700 medical offices, with over 300,000 personnel, including more than 87,000 physicians and nurses.

It operates in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington.

Media reported [1, 2] that the company is notifying millions of current and former members of a data breach. TechCrunch reported that the company confirmed it shared patients’ information with third-party organizations, including Google, Microsoft and X, for advertising purposes.

Shared data include names, IP addresses, and information about members’ operations on the company website and mobile apps. This included search terms used in their health encyclopedia. Kaiser Permanente later removed the tracking code from their platforms. Exposed data does not include usernames, passwords, Social Security Numbers (SSNs), and financial data.

In a notice filed with the US government, the integrated managed care consortium disclosed a data breach impacting 13.4 million residents.

Kaiser Permanente is not aware of any misuse of the exposed information.

In June 2022, Kaiser Permanente disclosed another data breach that exposed the health information of 69,000 people. The company revealed that threat actors gained access to an employee’s emails at the Kaiser Foundation Health Plan of Washington.

The exposed data included names, medical records, dates of service, and lab test results.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, data breach)

Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability.

Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks targeting the critical severity vulnerability CVE-2024-4040.

CVE-2024-4040 is a CrushFTP VFS sandbox escape vulnerability.

CrushFTP is a file transfer server software that enables secure and efficient file transfer capabilities. It supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over different networks. CrushFTP also provides support for automation, scripting, user management, and extensive customization options meet the diverse needs of businesses and organizations.

In April, CrushFTP notified users of a virtual file system escape vulnerability impacting their FTP software, which could potentially enable users to download system files.

Simon Garrelou from the Airbus CERT discovered the vulnerability.

Crowdstrike researchers discovered that threat actors exploited the critical zero-day vulnerability in targeted attacks in the wild.

“On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion.” reads a post published by Crowdstrike on Reddit.

Security researchers from the Shadowserver reported that at least 1400 vulnerable servers were exposed online as of April 24, 2024. 

Most of the vulnerable servers are in the United States (725), followed by Germany (115), and Canada (108).

We are now sharing CrushFTP CVE-2024-4040 (CrushFTP VFS Sandbox Escape Vulnerability) vulnerable instances. At least 1400 vulnerable on 2024-04-24. CVE-2024-4040 is currently exploited in the wild & on @CISACyber KEV.

Top affected: US, Germany, Canadahttps://t.co/NucoywFO7Y pic.twitter.com/CrNkHttv40

— Shadowserver (@Shadowserver) April 25, 2024

CISA this week added CVE-2024-4040 to its Known Exploited Vulnerabilities catalog.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, zero-day)

A ransomware attack on a Swedish logistics company Skanlog severely impacted the country’s liquor supply. 

Skanlog, a critical distributor for Systembolaget, the Swedish government-owned retail chain suffered a ransomware attack. Systembolaget has a monopoly on the sale of alcoholic beverages containing more than 3.5% alcohol by volume. It operates stores across Sweden and is responsible for the retail sale of wine, spirits, and strong beer.

“It affects about 15% of our sales volume. Wine and liquor most of all,” Sofia Sjöman Waas, a press officer at Systembolaget, told Euronews Next. “We are accustomed to handling small to large scales of disruptions even though they are rarely on this scale,” Waas added. “We have many other items delivered to us as usual via other distributors. Therefore, there will continuously be many alternatives available at our stores,”

Mona Zuko, Skanlog’s chief executive, attributed the cyber attack to a North Korean ransomware gang.

“We have been centrally attacked by a cyber attack, which has caused our entire system to be down until we can fix it and get it back up,” Skanlog’s Swedish CEO Mona Zuko told local newspaper Dagens Industri.

“Our systems, including our central business system, have been affected by the attack. We use a Microsoft financial system, and an inventory system called Dynaman which is critical to our operations.”

Due to the cyber attack’s impact on the logistics company, the media reported it may be difficult to get hold of alcoholic beverages this weekend. Skanlog spokesman warned that certain alcoholic beverages could be sold out within a few days.

SCMagazine reported that Systembolaget, in response to Skanlog’s uncertainty about restoring its operations, plans to implement a backup procedure to address potential delays in deliveries. This decision comes as a precautionary measure to ensure continuity in the distribution of alcoholic beverages.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)

CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-20353 Cisco ASA and FTD Denial of Service Vulnerability
• CVE-2024-20359 Cisco ASA and FTD Privilege Escalation Vulnerability
• CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability

Cisco Talos this week warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

Cisco Talos researchers tracked this cyber-espionage campaign as ArcaneDoor.

Early in 2024, a customer contacted Cisco to report a suspicious related to its Cisco Adaptive Security Appliances (ASA). PSIRT and Talos launched an investigation to support the customer. 

The experts discovered that the UAT4356 group deployed two backdoors, respectively called “Line Runner” and “Line Dancer.”

Cisco reported that the sophisticated attack chain employed by the attackers impacted a small set of customers. The experts have yet to identify the initial attack vector, however, they discovered the threat actors exploited two vulnerabilities (CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)) as zero-days in these attacks.

The Line Dancer in-memory implant that acts as a memory-resident shellcode interpreter that allows adversaries to execute arbitrary shellcode payloads. On compromised ASA devices, attackers utilize the host-scan-reply field to deliver shellcode, bypassing the need for CVE-2018-0101 exploitation. By redirecting the pointer to the Line Dancer interpreter, attackers can interact with the device through POST requests without authentication. Threat actors used Line Dancer to execute various commands, including disabling syslog, extracting configuration data, generating packet captures, and executing CLI commands. Additionally, Line Dancer hooks into the crash dump and AAA processes to evade forensic analysis and establish remote access VPN tunnels.

The Line Runner allows attackers to maintain persistence on compromised ASA devices. It exploits a legacy capability related to VPN client pre-loading, triggering at boot by searching for a specific file pattern on disk0:. Upon detection, it unzips and executes a Lua script, providing persistent HTTP-based backdoor access. This backdoor survives reboots and upgrades, allowing threat actors to maintain control. Additionally, the Line Runner was observed retrieving staged information facilitated by the Line Dancer component.

The third issue added to the KEV catalog is a CrushFTP VFS sandbox escape vulnerability.

CrushFTP is a file transfer server software that enables secure and efficient file transfer capabilities. It supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over different networks. CrushFTP also provides support for automation, scripting, user management, and extensive customization options meet the diverse needs of businesses and organizations.

In April, CrushFTP notified users of a virtual file system escape vulnerability impacting their FTP software, which could potentially enable users to download system files.

Simon Garrelou from the Airbus CERT discovered the vulnerability.

Crowdstrike researchers discovered that threat actors exploited the critical zero-day vulnerability in targeted attacks in the wild.

“On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion.” reads a post published by Crowdstrike on Reddit.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 1st, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Cisa added the flaw to the KEV catalog after Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium” used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028.

Since at least June 2020, and possibly earlier, the cyberespionage group has used the tool GooseEgg to exploit the CVE-2022-38028 vulnerability. This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. Microsoft has observed APT28 using GooseEgg in post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.

While GooseEgg is a simple launcher application, threat actors can use it to execute other applications specified at the command line with elevated permissions. In a post-exploitation scenario, attackers can use the tool to carry out a broad range of malicious activities such as remote code execution, installing backdoors, and moving laterally through compromised networks.

The vulnerability CVE-2022-38028 was reported by the U.S. National Security Agency and Microsoft addressed it with the release of Microsoft October 2022 Patch Tuesday security updates.

APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 14, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer Samourai.

The U.S. Department of Justice (DoJ) has arrested two co-founders of the cryptocurrency mixer Samourai and seized the service. The allegations include claims of facilitating over $2 billion in illicit transactions and laundering more than $100 million in criminal proceeds.

The duo, Keonne Rodriguez (35) and William Lonergan Hill (65), are charged with operating Samourai Wallet, which DoJ states is an unlicensed money-transmitting business.

Keonne Rodriguez was the Chief Executive Officer of Samourai Wallet (“Samourai”), while William Lonergan Hill was the company’s Chief Technology Officer.

“These charges arise from the defendants’ development, marketing, and operation of a cryptocurrency mixer that executed over $2 billion in unlawful transactions and facilitated more than $100 million in money laundering transactions from illegal dark web markets, such as Silk Road and Hydra Market” reads the press release published by the DoJ.

RODRIGUEZ was arrested and is set to appear before a U.S. Magistrate Judge in the Western District of Pennsylvania. HILL was also arrested yesterday in Portugal following U.S. criminal charges. The United States aims to extradite HILL to face trial in the country.

The cryptocurrency mixer operated from about 2015 through February 2024, the DoJ states that both defendants were aware that a substantial portion of the funds that the service processed were criminal proceeds passed through Samourai for purposes of concealment. 

“While offering Samourai as a “privacy” service, the defendants knew that it was a haven for criminals to engage in large-scale money laundering and sanctions evasion.” continues the DoJ. “Indeed, as the defendants intended and well knew, a substantial portion of the funds that Samourai processed were criminal proceeds passed through Samourai for purposes of concealment.”

Rodriguez and Hill implemented features in the platform aimed at aiding individuals involved in criminal activities to obscure the origin of their proceeds. One feature, “Whirlpool,” offers a cryptocurrency mixing service that batches cryptocurrency exchanges among users to hinder law enforcement tracing on the Blockchain. Another feature, “Ricochet,” adds unnecessary intermediate transactions (“hops”) when sending cryptocurrency to obscure its origin.

Both features are aimed at evading detection by law enforcement and making investigations in illicit transactions more difficult.

“Similarly, RODRIGUEZ and HILL possessed and transmitted to potential investors marketing materials that discussed how Samourai’s customer base was intended to include criminals seeking privacy or the subversion of safeguards and reporting requirements by financial institutions.” continues the press release. “For example, in Samourai’s marketing materials, RODRIGUEZ and HILL similarly acknowledge that the individuals most likely to use a service like Samourai include individuals engaged in criminal activities, including “Restricted Markets.”

The DoJ also shared an excerpt from Samourai’s marketing materials showing the founders acknowledging that its revenues will be derived from “Dark/Grey Market participants” seeking to “swap their bitcoins with multiple parties” to avoid detection:

Since the launch of Whirlpool in 2019 and Ricochet in 2017, the mixer processed over 80,000 BTC (equivalent to over $2 billion), generating approximately $3.4 million in fees for Whirlpool transactions and $1.1 million for Ricochet transactions.

The joint operation conducted by US authorities with the help of Europol and law enforcement authorities in Iceland, and Portugal, led to the seizure of Samourai’s web servers and domain (https://samourai.io/).  The police also issued a seizure warrant for Samourai’s mobile application on the Google Play Store, the app was removed from the Google Play Store in the United States.

The authorities charged the defendants with one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison, and one count of conspiracy to operate an unlicensed money transmitting business, which carries a maximum sentence of five years in prison. 

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, mixer)

Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics layer engine.

Google addressed four vulnerabilities in the Chrome web browser, including a critical vulnerability tracked as CVE-2024-4058.

The vulnerability CVE-2024-4058 is a Type Confusion issue that resides in the ANGLE graphics layer engine. An attacker can exploit this vulnerability to execute arbitrary code on a victim’s machine.

This critical flaw was reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02, the researchers have been awarded a $16,000 bounty.

The IT giant also fixed a high-severity flaw tracked as CVE-2024-4059. The flaw is an Out of bounds read that resides in the in V8 API. The vulnerability was discovered by Eirik on 2024-04-08.

Google also fixed another high-severity flaw tracked as CVE-2024-4060. The flaw is Use after free in Dawn, which is an open-source and cross-platform implementation of the WebGPU standard. The vulnerability was reported by wgslfuzz on 2024-04-09.

The Stable channel has been updated to 124.0.6367.78/.79 for Windows and Mac. Linux version 124.0.6367.78 will be rolled out over the coming days/weeks.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Google)

Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November 2023 to breach government networks.

Cisco Talos warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

Cisco Talos researchers tracked this cyber-espionage campaign as ArcaneDoor.

Early in 2024, a customer contacted Cisco to report a suspicious related to its Cisco Adaptive Security Appliances (ASA). PSIRT and Talos launched an investigation to support the customer. 

The experts discovered that the UAT4356 group deployed two backdoors, respectively called “Line Runner” and “Line Dancer.”

Cisco reported that the sophisticated attack chain employed by the attackers impacted a small set of customers. The experts have yet to identify the initial attack vector, however, they discovered the threat actors exploited two vulnerabilities (CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)) as zero-days in these attacks.

The Line Dancer in-memory implant that acts as a memory-resident shellcode interpreter that allows adversaries to execute arbitrary shellcode payloads. On compromised ASA devices, attackers utilize the host-scan-reply field to deliver shellcode, bypassing the need for CVE-2018-0101 exploitation. By redirecting the pointer to the Line Dancer interpreter, attackers can interact with the device through POST requests without authentication. Threat actors used Line Dancer to execute various commands, including disabling syslog, extracting configuration data, generating packet captures, and executing CLI commands. Additionally, Line Dancer hooks into the crash dump and AAA processes to evade forensic analysis and establish remote access VPN tunnels.

The Line Runner allows attackers to maintain persistence on compromised ASA devices. It exploits a legacy capability related to VPN client pre-loading, triggering at boot by searching for a specific file pattern on disk0:. Upon detection, it unzips and executes a Lua script, providing persistent HTTP-based backdoor access. This backdoor survives reboots and upgrades, allowing threat actors to maintain control. Additionally, the Line Runner was observed retrieving staged information facilitated by the Line Dancer component.

“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective.” reads the alert published by Cisco, which also includes Indicators of Compromise (IOCs). “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ASA)

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.

Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.

Threat actors employed two different types of backdoors and targeted large corporate networks

The researchers believe the campaign could be attributed to North Korea-linked AP Kimsuky. The final payload distributed by GuptiMiner was also XMRig.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast. “The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”

The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.

The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.

The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection. 

Below the infection chain described by Avast:

1. The eScan updater triggers the update 
2. The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed) 
3. A malicious package updll62.dlz is downloaded and unpacked by eScan updater 
4. The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart 
5. If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find 
6. Cleanup is performed, removing the update package 

GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.

GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.

In the second-stage the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that kiads the Stage 3 malware Puppeteer.

Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.

Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.

The researchers speculate that using the miner could be a diversionary tactic.

“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, eScan antivirus)

The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their role in cyberattacks against the U.S..

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on four Iranian nationals for their involvement in cyberattacks against the U.S. government, defense contractors, and private companies. OFAC has also sanctioned two front companies, Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA) linked to the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC).

The Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) is an organization within the Iranian government responsible for cybersecurity and cyber warfare. It is considered a major threat by many countries, including the United States, due to its involvement in various malicious cyber activities.

The Iranian nationals were involved in attacks against more than a dozen U.S. companies and government entities. The individuals launched spear-phishing and malware attacks. The U.S. Department of Justice and the Federal Bureau of Investigation unsealed an indictment against the four individuals for their roles in these cyber operations.

“Iranian malicious cyber actors continue to target U.S. companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States will continue to leverage our whole-of-government approach to expose and disrupt these networks’ operations.”

Iranian cyber actors persist in targeting the United States through various malicious cyber activities, including ransomware attacks on critical infrastructure and spear phishing campaigns against individuals, companies, and government entities.

The four Iranian nationals are Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab — are accused of participating in a malware operation using spear-phishing and other hacking techniques to harvest hundreds of thousands of corporate employee accounts.

Alireza Shafie Nasab and Reza Kazemifar Rahman targeted the U.S. entities while employed by MASN. Kazemifar was involved in the attacks against the Department of the Treasury. Hosein Mohammad Harooni targeted the Treasury Department and other U.S. entities using spear phishing and social engineering. Komeil Baradaran Salmani operated with several IRGC-CEC front companies and was involved in spear-phishing campaigns targeting various U.S. entities, including the Department of the Treasury.

“As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.” reads the announcement. “In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.”

The four men are still at large.

The Department of State also announced a $10 million reward for information leading to the arrest of the four Iranian nationals.

Up to $10 Million Reward & Possible Relocation

These individuals conducted malicious cyber ops against U.S. firms and government agencies on behalf of Iran's IRGC.

If you have info on them, contact us. Your tip could be worth millions of $ and a plane ticket to somewhere new. pic.twitter.com/EjOGLXDeJl

— Rewards for Justice (@RFJ_USA) April 23, 2024

In February, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions on six Iranian government officials associated with cyberattacks targeting critical infrastructure organizations in the US and abroad.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Iran)

A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all day and severely impacted the council’s operations

The Leicester City Council suffered a cyber attack that severely impacted the authority’s services in March and led to the leak of confidential documents. The ransomware group behind the attack leaked multiple documents, including rent statements and applications to buy council houses. The attack occurred on March 7 and crippled the city council’s IT systems.

Some lights have been stuck in all day due to the cyber attack and the council is unable to turn them off.

“Beaumont Leys resident Roger Ewens, 65, noticed the street lights in his road were on constantly and asked the city council why. He was surprised when he received a reply blaming the cyber attack for affecting the “central management system” and leading to the streetlights “misbehaving”.” reported the website LeicesterLive.

The issue with street lighting should be fully resolved by the end of next week.

“We are aware of a number of streetlights that are staying on during the day. This is due to a technical issue connected to the recent cyber attack, when we were forced to shut down our IT systems. It means we are currently not able to remotely identify faults in the street lighting system.” said a city council spokesperson. “The default mode for faults is that the lights stay on to ensure that roads are not left completely unlit and become a safety concern. “There are a number of steps required to resolve the problem, and we are working through these as quickly as we can.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Leicester City)

The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities.

The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting defense industry entities to steal defense technology information.

North Korea-linked APT groups Lazarus, Andariel, and Kimsuky hacked multiple defense companies in South Korea, reported the National Police Agency.

The state-sponsored hackers hacked into the subcontractors of defense companies by exploiting vulnerabilities in the targeted systems and deployed malware.

“North Korean hacking organizations sometimes infiltrated defense companies directly, and their security is relatively low. Hacking into vulnerable defense industry partners and stealing the defense industry company’s server account information. Afterwards, it was discovered that threat actors had infiltrated major servers without permission and distributed malware.” reads the Police’s advisory shared by BleepingComputer.

The National Police Agency and the Defense Acquisition Program Administration (DAPA) conducted a series of special inspections of the environments of the targeted organizations.

The joint inspections occurred between January 15 and February 16 and impacted organizations implemented protective measures.

The Police states that the attacks are carried out in the form of an all-out war that see the contribution of multiple APT groups. The government experts warned that the attackers employed sophisticated hacking techniques.

The South Korea National Police Agency provided details of multiple attacks carried out by different APT groups.

In one case, the Lazarus APT group successfully breached an organization due poorly protected infrastructure. The group gained access to the network of a defense industry company since November 2022. The hackers deployed a malware and took control of the company’s internal network and exfiltrared important data from, including information stored on the computers of employees in the development team. The hackers breached at least 6 internal computers and stolen data were sent to overseas cloud servers

In a second case attributed to the Andariel APT group, threat actors used an account of an employee of a company that maintains the server of a defense industry company. The attackers stole the account in October 2022 and used it to deploy malware on the servers of defense subcontractors. The malware was used to exfiltrate technical data of valuable defense technology. The Police noticed that the employee was using the same password for personal and work accounts.

In a third attack linked to Kimsuky, the APT group exploited a vulnerability in the email server of a defense subcontractor between April and July 2023. Attackers exploited the flaw to download large files containing technical data without any authentication.

The National Police Agency recommends that defense companies and their subcontractors enhance their cybersecurity.

“North Korea’s hacking attempts targeting defense technology will continue.” concludes the advisory. “The National Police Agency will continue to track and investigate state-sponsored hacking organizations linked to North Korea.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, North Korea)

The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the commercial spyware business.

The US Department of State is imposing visa restrictions on 13 individuals involved in the development and sale of commercial spyware or their immediate family members. The measure aims to counter the misuse of surveillance technology targeting journalists, academics, human rights defenders, dissidents, and US Government personnel, as documented in the Country Reports on Human Rights Practices.

“the Department is taking steps to impose visa restrictions on 13 individuals who have been involved in the development and sale of commercial spyware or who are immediate family members of those involved.” reads the announcement.  “These individuals have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and U.S. Government personnel.”

The announcement doesn’t name the individuals targeted by the visa restrictions.

The visa restrictions are part of a broader initiative launched by the US government aimed at countering the proliferation of commercial spyware. Other measures proposed and adopted by the US authorities include restrictions on the government’s use of such spyware, export controls, and sanctions to promote accountability.

“The US government believes that the engagement of civil society and the private sector in identifying technological solutions to prevent the misuse of spyware, safeguard human rights defenders, and strengthen the resilience of victims is essential.”

In February, the U.S. State Department announced it is implementing a new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware.

The policy underscores the U.S. Government’s commitment to addressing the misuse of surveillance software, which poses a significant threat to society

“The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association.  Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.  Additionally, the misuse of these tools presents a security and counterintelligence threat to U.S. personnel.” reads the announcement. The United States stands on the side of human rights and fundamental freedoms and will continue to promote accountability for individuals involved in commercial spyware misuse.”

The policy specifically addresses the abuse of commercial spyware for unlawfully surveilling, harassing, suppressing, or intimidating individuals.

Visa restrictions target individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware and also surveillance companies that act on behalf of governments.

The restrictions are extended to the immediate family members of the targeted individuals, including spouses and children of any age.

In March 2023, the US Government issued an Executive Order on the prohibition on use by the United States Government of commercial spyware that poses risks to national security.

In July 2023, the Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Intellexa and Cytrox to the Entity List for trafficking in cyber exploits used to gain access to information systems.

The Entity List maintained by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) is a trade control list created and maintained by the U.S. government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten the U.S. national security or foreign policy interests.

The U.S. Government warns of the key role that surveillance technology plays in surveillance activities that can lead to repression and other human rights abuses.

The Commerce Department’s action targeted the above companies because their technology could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.

The financial entities added to the Entity List include Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.

In May 2023, Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

In December 2022, a report published by CitizenLab researchers detailed the use of the Predator spyware against exiled politician Ayman Nour and the host of a popular news program.

The disconcerting aspect of these attacks is that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different nation-state actors.

The exploits were used to initially deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.

In November 2021, the Commerce Department’s Bureau of Industry and Security (BIS) sanctioned four companies for the development of spyware or the sale of hacking tools used by nation-state actors.

The surveillance firms were NSO Group and Candiru from Israel, Computer Security Initiative Consultancy PTE. LTD from Singapore, and Positive Technologies from Russia.

NSO Group and Candiru were sanctioned for the development and sale of surveillance software used to spy on journalists and activists. Positive Technologies and Computer Security Initiative Consultancy PTE. LTD. are being sanctioned because both entities traffic in cyber exploits used by threat actors to compromise computer networks of organizations worldwide. The US authorities have added the companies to the Entity List based on their engagement in activities counter to U.S. national security.

In the last couple of years, like NSO Group and Candiru, made the headlines because totalitarian regimes used their spyware to spy on journalists, dissidents, and government opposition.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, commercial spyware)