A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
Cybersecurity firm ESET has addressed a high-severity elevation of privilege vulnerability in its Windows security solution.
ESET addressed a high-severity vulnerability, tracked as CVE-2024-0353 (CVSS score 7.8), in its Windows products.
The vulnerability is a local privilege escalation issue that was submitted to the company by the Zero Day Initiative (ZDI). According to the advisory, an attacker can misuse ESET’s file operations, as performed by the Real-time file system protection, to delete files without having the proper permission.
“The vulnerability in file operations handling, performed by the Real-time file system protection feature on the Windows operating system, potentially allowed an attacker with an ability to execute low-privileged code on the target system to delete arbitrary files as NT AUTHORITY\SYSTEM, escalating their privileges.” reads the advisory.
ESET is not aware of attacks in the wild exploiting this vulnerability.
Below is the list of impacted programs and versions:
ESET NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate 16.2.15.0 and earlier
ESET Endpoint Antivirus for Windows and Endpoint Security for Windows 10.1.2058.0, 10.0.2049.0, 9.1.2066.0, 8.1.2052.0 and earlier from the respective version family
ESET Server Security for Windows Server (formerly File Security for Microsoft Windows Server) 10.0.12014.0, 9.0.12018.0, 8.0.12015.0, 7.3.12011.0 and earlier from the respective version family
ESET Mail Security for Microsoft Exchange Server 10.1.10010.0, 10.0.10017.0, 9.0.10011.0, 8.0.10022.0, 7.3.10014.0 and earlier from the respective version family
ESET Mail Security for IBM Domino 10.0.14006.0, 9.0.14007.0, 8.0.14010.0, 7.3.14004.0 and earlier from the respective version family
ESET Security for Microsoft SharePoint Server 10.0.15004.0, 9.0.15005.0, 8.0.15011.0, 7.3.15004.0 and earlier from the respective version family
ESET File Security for Microsoft Azure (all versions)
The cybersecurity firm has released patches to address the issues in NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus and Endpoint Security for Windows, Server Security for Windows Server, Mail Security for Exchange Server and IBM Domino, Security for SharePoint Server, File Security for Microsoft Azure.
The security firm hasn’t provided security patches for products that reached their end-of-life (EoL) status.
The company recommended customers patch their products as soon as possible.
Vulnerabilities in security solutions are very dangerous because these issues are difficult to detect and because these software solutions run with high privileges.
In December 2023, the cybersecurity firm addressed a vulnerability (CVE-2023-5594, CVSS score 7.5) in the Secure Traffic Scanning Feature, preventing potential exploitation that could lead web browsers to trust websites using certificates signed with outdated and insecure algorithms.
SolarWinds addressed three critical vulnerabilities in its Access Rights Manager (ARM) solution, including two RCE bugs.
SolarWinds has fixed several Remote Code Execution (RCE) vulnerabilities in its Access Rights Manager (ARM) solution.
Access Rights Manager (ARM) is a software solution designed to assist organizations in managing and monitoring access rights and permissions within their IT infrastructure. This type of tool is crucial for maintaining security, compliance, and efficient administration of user access to various resources, systems, and data.
Below is the list of flaws addressed by the company:
The three critical remote code execution flaws are:
CVE-2023-40057 (CVSS score 9.0): A deserialization of untrusted data issue. An authenticated user can exploit this vulnerability to abuse a SolarWinds service resulting in remote code execution.
CVE-2024-23479 (CVSS score 9.6): A Directory Traversal Remote Code Execution Vulnerability. An unauthenticated user can exploit this issue to achieve the Remote Code Execution.
CVE-2024-23476 (CVSS score 9.6) Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
SolarWinds made the headlines in 2020, when Russia-linked APT group carried out a supply chain attack that compromised the Orion software provided by the company.
Resecurity has identified an increasing trend of cryptocurrency counterfeiting, the experts found several tokens impersonating major brands, government organizations and national fiat currencies.
Resecurity has identified an increasing trend of cryptocurrency counterfeiting. Ongoing brand protection for Fortune 100 companies by cybersecurity company uncovered several tokens impersonating major brands, government organizations and even national fiat currencies.
As in any other booming industry, the decentralized finance (DeFi) and crypto space has attracted its fair share of scammers and bad actors. These individuals seek to lure investors into fake projects known as rug pulls, only to abscond with their funds.
A notable example of this deceptive practice is the emergence of a counterfeit token named ‘BRICS’ recently detected by Resecurity, which exploited the focus on the investment interest and potential expansion of the BRICS intergovernmental organization, comprising countries like Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates.
Besides scamming, bad actors also released misinformation about new countries joining the alliance, which didn’t confirm their membership. This is a great example of how bad actors capitalize on geopolitical narratives to profit from investment scams. Likely, unverified news stating BRICS countries adopting a gold-backed money to compete with the US dollar and Euro inspired bad actors with this idea which later transitioned into creative crypto-scam.
Leveraging a global international umbrella of the organization, fraudsters launched an initial coin offering (ICO) promoting the fake token offering various rewards.
This type of fraud was prominently observed on platforms such as Lobstr.co, which allows the creation of tokens on the Stellar network. Due to their flexibility in allowing users to offer their own tokens for trading, such platforms are especially susceptible to exploitation by cybercriminals.
The common fraudulent tactics they employ include ‘cryptocurrency counterfeiting’, where scammers create tokens with names like those of legitimate ones, and the aforementioned ‘rug pulls’.
As for today, the token was still available for trading attracting victims:
The offer already generated some interest and led to first victims:
Resecurity warns Internet users to perform due diligence of new cryptocurrency offerings and contact your local regulators to make sure they are legitimate.
Resecurity has identified and reported similar cryptocurrency counterfeit tokens promoted at the same platform impersonating:
one of the major oil corporations
national financial regulator
national currency
major real estate development
Some of these scams involved misleading information referencing Monetary Authority of Singapore and Central Bank of one of the countries in the Middle East.
According to Solidus Labs, ‘rug pull’ scams have defrauded over 2 million investors, surpassing the number of victims from major crypto failures like FTX, Celsius, and Voyager.
These scams typically manifest in two forms:
DeFi scams involve altering a token’s smart contract to defraud investors. Tactics used include making the token unsellable, enabling the creation of an unlimited number of new tokens, or imposing high trading fees
Exit scams are characterized by extensive promotion of a token, followed by the scammers betraying investors. Methods include creating fake marketing websites, announcing non-existent partnerships, or using bots for wash trading.
The low barrier to entry for executing these scams makes them accessible to a broad range of malicious actors, eliminating the need for advanced programming skills. Utilizing platforms like Stellar to create misleadingly named tokens is a common strategy in these ‘rug pulls’.
The cryptocurrency landscape faces significant challenges in combating such fraudulent activities, highlighting the urgent need for increased vigilance and more robust regulatory frameworks.
More details are included in the analysis published by Resecurity:
An APT group, tracked as TAG-70, linked to Belarus and Russia exploited XSS flaws in Roundcube webmail servers to target over 80 organizations.
Researchers from Recorded Future’s Insikt Group identified a cyberespionage campaign carried out by an APT group, tracked as TAG-70, linked to Belarus and Russia. The nation-state actors are known to carry out cyber-espionage against targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020.
Between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in attacks aimed at over 80 organizations, primarily in Georgia, Poland, and Ukraine.
“TAG70 has demonstrated a high level of sophistication in its attack methods. The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, successfully bypassing the defenses of government and military organizations.” reads the report published Recorded Future’s Insikt Group.
The researchers noticed similarities between this campaign and other activities conducted by other Russia-linked groups, such as BlueDelta (APT28) and Sandworm. These APT groups previously targeted email solutions, including Roundcube and Zimbra.
The compromise of email servers poses a substantial risk, especially during a conflict such as Russia-Ukraine. Threat actors can target email servers to gather intelligence about adversaries’ war efforts, diplomatic relationships, and coalition partnerships.
The attacks aimed at Iranian embassies in Russia and the Netherlands demonstrate a broader geopolitical interest in assessing Iran’s diplomatic activities, particularly its support for Russia in the context of the Ukrainian conflict. Similarly, the espionage against Georgian government entities reflects an interest in monitoring Georgia’s pursuits to access the European Union (EU) and NATO.
On July 27, 2023, the researchers a malicious JavaScript that was acting as a second-stage loader used by TAG70 previous to the exploitation of Roundcube issue. ESET researchers also detailed the same attack chain.
The JavaScript is loaded through cross-site scripting (XSS) from a malicious email and it decoded a Base64-encoded JavaScript payload (jsBodyBase64). Then the payload is inserted into the Document Object Model (DOM) of the Roundcube webpage within a newly created script tag.
The researchers recommend reading the detailed analysis of the recent TAG-70 campaign here.
The Raccoon Infostealer operator, Mark Sokolovsky, was extradited to the US from the Netherlands to appear in a US court.
In October 2020, the US Justice Department charged a Ukrainian national, Mark Sokolovsky (28), with computer fraud for allegedly infecting millions of computers with the Raccoon Infostealer.
The man was held in the Netherlands, and he was charged for his alleged role in the international cybercrime operation known as Raccoon Infostealer. He appealed the decision of a Dutch Court for granting his extradition to the United States, but it was finally extradited to the US from the Netherlands to appear in a US court.
The Raccoon stealer was first spotted in April 2019, it was designed to steal victims’ credit card data, email credentials, cryptocurrency wallets, and other sensitive data.
Raccoon is offered for sale as a malware-as-a-service (MaaS) that implements an easy-to-use automated backend panel, operators also offer bulletproof hosting and 24/7 customer support in both Russian and English. The price of the Raccoon service is $200 per month to use.
The Raccoon stealer is written in C++ by Russian-speaking developers who initially promoted it exclusively on Russian-speaking hacking forums. The malware is now promoted on English-speaking hacking forums, it works on both 32-bit and 64-bit operating systems.
The analysis of the logs for sale in the underground community allowed the experts to estimate that Raccoon infected over 100,000 users worldwide at the time of its discovery.
The list of targeted applications includes cryptocurrency apps for major currencies (Electrum, Ethereum, Exodus, Jaxx, and Monero), popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) and email client like Thunderbird, Outlook, and Foxmail.
Dutch authorities arrested Sokolovsky in March 2022, concurrent with his arrest, the FBI and law enforcement partners in Italy and the Netherlands dismantled the C2 infrastructure used by the Raccoon Infostealer operation.
FBI identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data. While the exact number of victims has yet to be verified, experts believe that millions of potential victims around the world were targeted by the operation.
The credentials appear to include over four million email addresses. The United States does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.
Sokolovsky is charged with computer fraud, wire fraud, money laundering and aggravated identity theft.
Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.
He appeared in a US court on February 9 and is currently awaiting trial.
The Android banking trojan Anatsa resurged expanding its operation to new countries, including Slovakia, Slovenia, and Czechia.
In November 2023, researchers from ThreatFabric observed a resurgence of the Anatsa banking Trojan, aka TeaBot and Toddler. Between November and February, the experts observed five distinct waves of attacks, each focusing on different regions.
The malware previously focused its activities on the UK, Germany, and Spain, but the latest campaigns targeted Slovakia, Slovenia, and Czechia, which suggests a shift in its operational strategy.
The researchers classified Anatsa’s activity as “targeted,” threat actors were observed focusing on 3-5 regions at a time. According to ThreatFabric, the dropper applications were uploaded on Google Play in the targeted regions. The attackers noticed that the applications often reached the Top-3 in the “Top New Free” category, in an attempt to trick users into believing that the application was legitimate and downloaded by a large number of users.
“Throughout this campaign, Anatsa’s Modus Operandi has evolved, displaying more sophisticated tactics such as AccessibilityService abuse, a multi-staged infection process, and the ability to bypass Android 13’s restricted settings.” reads the report published by ThreatFabric.
The researchers pointed out that some of the droppers successfully exploited the accessibility service and bypassed Google Play’s enhanced detection and protection mechanisms.
The avoid detection, the droppers adopted a multi-staged methodology, dynamically retrieving configuration and malicious executable files from their C2 server.
“All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13.” continues the report.
The experts observed five droppers in the latest campaign with over 100,000 total installations.
Anatsa was first detected by the Italian cybersecurity firm Cleafy in March 2021 while it was targeting banks in Spain, Germany, Italy, Belgium, and the Netherlands.
TeaBot supports common features of Android banking Trojan and like other similar malware families it abuses Accessibility Services. Below is a list of features implemented by the malware:
Ability to perform Overlay Attacks against multiple bank applications to steal login credentials and credit card information
Ability to send / intercept / hide SMS messages
Enabling keylogging functionalities
Ability to steal Google Authentication codes
Ability to obtain full remote control of an Android device (via Accessibility Services and realtime screen-sharing)
The Anatsa banking Trojan allows operators to take over the infected devices and execute actions on a victim’s behalf.
“Effective detection and monitoring of malicious applications, along with observing unusual customer account behaviour, are crucial for identifying and investigating potential fraud cases linked to device-takeover mobile malware like Anatsa.” concludes the report.
Below a statement sent by Google spokesperson to Security Affairs:
“All of the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
An international law enforcement operation codenamed ‘Operation Cronos’ led to the disruption of the LockBit ransomware operation.
A joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries has disrupted the LockBit ransomware operation.
Below is the image of the Tor leak site of the Lockbit ransomware gang that was seized by the UK National Crime Agency (NCA).
“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” reads the banner.
“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb”
The Operation Cronos operation is still ongoing and NCA’s announced that more information will be published tomorrow, February 20, 2024.
“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, Working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos,” the banner reads.
“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation.”
vx-underground researchers contacted the administrators of the gang who confirmed that their infrastructure was seized by the FBI.
Lockbit ransomware group administrative staff has confirmed with us their websites have been seized. pic.twitter.com/SvpbeslrCd
LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.
According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.
The Cactus ransomware gang claims the theft of 1.5TB of data from the Energy management and industrial automation firm Schneider Electric.
The Cactus ransomware group claims responsibility for pilfering 1.5TB of data from the Energy management and industrial automation giant Schneider Electric.
Schneider Electric is a multinational company that specializes in energy management, industrial automation, and digital transformation.
In January, BleepingComputer first reported the attack that hit the Sustainability Business division of the company on January 17th. At the time, BleepingComputer contacted Schneider Electric which confirmed the data breach.
The attack impacted the services of Schneider Electric’s Resource Advisor cloud platform causing outages.
Schneider Electric said that other divisions of the company were not impacted by the cyber attack.
Today The Cactus ransomware gang published 25MB of allegedly stolen data on its Tor leak site.
The gang also published several pictures of passports and company documents as proof of the hack.
The Cactus ransomware operation has been active since March 2023, Kroll researchers reported that the ransomware strain is notable for the use of encryption to protect the ransomware binary.
Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer, it also uses a modified variant of the open-source PSnmap Tool.
The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.
Once the malware has escalated the privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.
Cactus uses the Rclone tool for data exfiltration and used a PowerShell script called TotalExec, which was used in the past by BlackBasta ransomware operators, to automate the deployment of the encryption process.
In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.
Law enforcement provided additional details about the international Operation Cronos that led to the disruption of the Lockbit ransomware operation.
Yesterday, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.
Below is the image of the Tor leak site of the Lockbit ransomware gang that was seized by the UK National Crime Agency (NCA).
“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” reads the banner.
“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb”
The Operation Cronos operation is still ongoing and NCA announced that more information have yet to be shared.
“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, Working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos,” the banner reads.
“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation.”
vx-underground researchers contacted the administrators of the gang who confirmed that their infrastructure was seized by the FBI.
Lockbit ransomware group administrative staff has confirmed with us their websites have been seized. pic.twitter.com/SvpbeslrCd
The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.
The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.
The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.
The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.
Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.
“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”
The US Department of Justice has charged two individuals for orchestrating ransomware attacks using the LockBit ransomware, they are currently in custody and will undergo trial in the US.
“The Justice Department also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Today, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.” reads the press release published by DoJ.
“Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption.”
Additionally, the US authorities has unveiled indictments against two Russian nationals, accusing them of conspiring to carry out LockBit attacks.
The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.
“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.” said National Crime Agency Director General, Graeme Biggar.
“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”
“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.
“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”
The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.
LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.
According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.
ConnectWise addressed two critical vulnerabilities in its ScreenConnect remote desktop access product and urges customers to install the patches asap.
ConnectWise warns of the following two critical vulnerabilities in its ScreenConnect remote desktop access product:
CWE-288 Authentication bypass using an alternate path or channel (CVSS score 10)
CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”) (CVSS score 8.4)
Both vulnerabilities were reported on February 13, 2024, through the company vulnerability disclosure channel via the ConnectWise Trust Center. The company is not aware of attacks in the wild exploiting these vulnerabilities, however, due to the higher risk of being targeted by exploits, ConnectWise recommends installing updates as emergency changes within days.
The issues impact ScreenConnect 23.9.7 and prior, below is the remediation provided in the advisory:
Cloud
There are no actions needed by the partner, ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue.
On-premise
Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch.
Researchers from Shadowserver Foundation identified roughly 28,000 internet-facing Microsoft Exchange servers vulnerable to CVE-2024-21410.
The vulnerability CVE-2024-21410 is a bypass vulnerability that can be exploited by an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.
“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication(EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the advisory published by Microsoft.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft also updated its advisory to label the flaw as actively exploited in the wild.
On 2024-02-17 Shadowserver researchers identified around 97K vulnerable or possibly vulnerable (vulnerable version but may have mitigation applied).
Out of 97,000 servers, 28,500 have been verified to be vulnerable to CVE-2024-21410.
Most of these servers are in Germany, followed by the United States. Below are the data shared by Shadowserver:
However, the researchers warn that the above results were calculated by summing counts of unique IPs, which means that a “unique” IP may have been counted more than once.
VMware urges customers to uninstall the deprecated Enhanced Authentication Plugin (EAP) after the disclosure of a critical flaw CVE-2024-22245.
VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) after the discovery of an arbitrary authentication relay flaw CVE-2024-22245 (CVSS score: 9.6).
A threat actor could trick a domain user with EAP installed in its web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).
“Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware.” reads the advisory published by the virtualization giant. “A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).”
According to the advisory, there are no workarounds for this vulnerability.
The VMware Enhanced Authentication Plugin (EAP) was a software plugin designed to enable seamless login to vSphere’s management interfaces through integrated Windows Authentication and Windows-based smart card functionality on Windows client systems. The plugin was deprecated in 2021 with the release of vCenter Server 7.0u2.
The company also addressed an important severity session hijack vulnerability in EAP, tracked as CVE-2024-22250 (CVSS score 7.8).
“A malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.” continues the advisory.
The vulnerabilities were both reported by Ceri Coburn from Pen Test Partners.
A new malware campaign targets Redis servers to deploy the mining crypto miner Migo on compromised Linux hosts.
Caro Security researchers have observed a new malware campaign targeting Redis servers with a crypto miner dubbed Migo. The campaign stands out for the use of several novel system weakening techniques against the data store itself.
Migo is a Golang ELF binary with compile-time obfuscation, it is also able to maintain persistence on Linux hosts.
The researchers also observed the malware using a new version of a popular user mode rootkit to evade detection by hiding processes and on-disk artifacts.
The researchers initially discovered that new ‘Redis system weakening commands’ have been used in attacks in the wild, and then they noticed that these commands were used in a recent malware campaign aimed at Redis systems.
One of the honeypots used by Cado was targeted by an attack originating from the IP 103[.]79[.]118[.]221 which disabled the following configuration options using the Redis command line interface’s (CLI) config set feature:
set protected-mode;
replica-read-only;
aof-rewrite-incremental-fsync;
rdb-save-incremental-fsync;
The attackers disabled these options to send additional commands to the Redis server and allow future intrusion evading defense.
“After disabling these configuration parameters, the attacker uses the set command to set the values of two separate Redis keys.” reads the report published by Cado Security. “One key is assigned a string value corresponding to a malicious attacker-controlled SSH key, and the other to a Cron job that retrieves the malicious primary payload from Transfer.sh (a relatively uncommon distribution mechanism previously covered by Cado) via Pastebin.”
The main Migo payload (/tmp/.migo) is distributed as an ELF file packed with UPX, statically linked and stripped. This ELF file can target x86_64 architecture. The sample employs standard UPX packing, preserving the UPX header, and can be easily unpacked using the command upx -d.
Upon execution, the Migo binary checks the presence of a file at /tmp/.migo_running. If this file doesn’t exist, the malicious code creates it, determines its own process ID and writes it out the file. The file is a sort of infection market for the attacker.
Then the binary downloads an XMRig installer hosted on GitHub, terminates competing miners and establishes persistence, then it launches the miner.
Below a series of actions performed by the binary:
In summary, they perform the following actions:
Make the copied version of the binary executable, to be executed via a persistence mechanism
Disable SELinux and search for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud
Execute the miner and pass the dropped configuration into it
Configure iptables to drop outbound traffic to specific IPs
Kill competing miners and payloads from similar campaigns
Register persistence via the systemd timer system-kernel.timer
Migo demonstrates the interest of threat actors in targeting cloud infrastructure for mining purposes. The attackers continue to improve their capability to exploit web-facing services.
Researchers believe that the Migo developers possess knowledge of the malware analysis process, implementing extra measures to obscure symbols and strings within the pclntab structure, thereby complicating reverse engineering.
U.S. government offers rewards of up to $15 million for information that could lead to the identification or location of LockBit ransomware gang members and affiliates.
The U.S. Department of State is offering a reward of up to $15 million for information leading to the identification or location of members of the Lockbit ransomware gang and their affiliates.
“The Department of State is announcing reward offers totaling up to $15 million for information leading to the arrest and/or conviction of any individual participating in a LockBit ransomware variant attack and for information leading to the identification and/or location of any key leaders of the LockBit ransomware group.” reads the press release published by the U.S. Department of State.
According to the press release published by the Department of State , the Lockbit ransomware operators carried out over 2,000 attacks against victims worldwide since January 2020. LockBit ransomware attacks have resulted in ransom payments exceeding $144 million for recovery.
The rewards are provided under the Transnational Organized Crime Rewards Program (TOCRP) which already targeted other ransomware operations.
The Department of State has set up a Tor website that can be used to anonymously provide information on LockBit’s operation.
Yesterday, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.
The Operation Cronos operation is still ongoing and NCA announced that more information have yet to be shared.
The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.
The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.
The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.
The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.
Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.
“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”
The US Department of Justice has charged two individuals for orchestrating ransomware attacks using the LockBit ransomware, they are currently in custody and will undergo trial in the US.
“The Justice Department also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Today, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.” reads the press release published by DoJ.
“Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption.”
Additionally, the US authorities has unveiled indictments against two Russian nationals, accusing them of conspiring to carry out LockBit attacks.
The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.
The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.
LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.
China-linked APT group Mustang Panda targeted various Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.
Trend Micro researchers uncovered a cyberespionage campaign, carried out by China-linked APT group Mustang Panda, targeting Asian countries, including Taiwan, Vietnam, and Malaysia.
Mustang Panda has been active since at least 2012, it targeted American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In the 2022 campaigns, threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Upon opening the reports, the infection process starts leading to the deployment of malware on the victim’s system.
In the recent campaign, threat actors used a customized PlugX malware that includes a completed backdoor command module, the researchers named it DOPLUGS.
“This kind of customized PlugX malware has been active since 2022, with related research being published by Secureworks, Recorded Future, Check Point, and Lab52. During analysis, we observed that the piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter.” reads the report published by Trend Micro. “Due to its different functionality, we decided to give this piece of customized PlugX malware a new name: DOPLUGS.”
The malware analysis revealed the use of the KillSomeOne module that supports USB worm capability. KillSomeOne was first disclosed by a Sophos report in November 2020.
Threat actors conducted spear-phishing attacks, using files related to current events as bait, such as the Taiwanese presidential election that took place in January 2024.
The spear-phishing emails sent by the threat actors include a Google Drive link that hosts a password-protected archive file, which will download DOPLUGS malware.
DOPLUGS acts as a downloader and supports four backdoor commands. One of the commands allows the malware to download a generic version of the PlugX malware.
The DOPLUGS samples included the KillSomeOne module and used a launcher component that executes the legitimate executable to perform DLL-sideloading. The launcher also downloads the next-stage malware from a remote server.
“Earth Preta has primarily focused on targeting government entities worldwide, particularly within the Asia-Pacific region and Europe.” concludes the report. “Based on our observations, we believe Earth Preta tends to use spear-phishing emails and Google Drive links in its attacks.”
Joomla maintainers have addressed multiple vulnerabilities in the popular content management system (CMS) that can lead to execute arbitrary code.
The maintainers of the Joomla! Project released Joomla 5.0.3 and 4.4.3 versions that addressed the following vulnerabilities in the popular content management system (CMS):
[20240201] –CVE-2024-21722 Core – Insufficient session expiration in MFA management views: The MFA management features did not properly terminate existing user sessions when a user’s MFA methods have been modified
[20240202] – CVE-2024-21723 Core – Open redirect in installation application: Inadequate parsing of URLs could result into an open redirect.
[20240203] – CVE-2024-21724 Core – XSS in media selection fields: Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions.
[20240204] – CVE-2024-21725 Core – XSS in mail address outputs: Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components.
[20240205] – CVE-2024-21726 Core – Inadequate content filtering within the filter code: Inadequate content filtering leads to XSS vulnerabilities in various components.
The impact of these flaws can be widespread because roughly 2% of all websites use Joomla, millions of websites worldwide use this CMS.
“The widespread usage of Joomla and the fact that most deployments are publicly accessible makes it a valuable target for threat actors. Just recently, Joomla was targeted in an attack against different organizations via an improper access control vulnerability (CVE-2023-23752).” reported cybersecurity firm Sonarsource which discovered an issue that led to the XSS vulnerabilities in the popular Content Management System.
The researchers pointed out that an attacker can exploit these issues to gain remote code execution by tricking an administrator into clicking on a malicious link.
“While we won’t be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk. We strongly advise all Joomla users to update to the latest version. The first release known to address the vulnerability is Joomla version 5.0.3/4.4.3.” states Sonarsource which did not disclose technical details about the issues to avoid massive exploitation in the wild.
Security researcher Salvatore Lombardo shared details about a new instance of Nigerian fraud that he called ‘Beyond the border scam.’
The 419 scam is a form of scam that requires the recipient to pay an upfront sum to receive a much larger reward later. The name derives from article 419 of the Nigerian penal code which punishes this type of fraud and is therefore also known as Nigerian fraud. The 419 scam is based on deception and psychological manipulation, exploiting the greed, pity, or curiosity of victims. Here is an example of the new Nigerian scam to which I have given the name ” Beyond the border scam ” and which is carried out entirely online and via email. In the following description, I have omitted the names mentioned, so as not to potentially involve real names that have nothing to do with the ongoing scam.
The desperate cry for help
It all begins with a desperate, very direct request for help via email from an alleged Ukrainian widow residing in a refugee camp, to receive a large sum of money bequeathed by her husband who died in the war. during the Russian invasion of Ukraine that began in 2022.
Following up on the electronic letter, the alleged widow begins a copious correspondence in which she says she was left completely alone after the death of her husband and children and without a home or money and hosted in a border refugee camp, where she feeds herself. barely and cannot afford to leave the camp, nor to operate his own bank account but only to survive miserably.
“ I am writing to you from an old desktop computer in the tent of the chaplain who works on behalf of a refugee agency, because here there is no internet point or effective means of communication. […]. I have here with me access to my late husband’s online bank account and a paper copy of his last foreign bank statement, but I can no longer access the bank account and cannot make withdrawals or transfers because the account is frozen . ”
Lavish compensation and conditions
In this dramatic scenario here is the real request: “ The bank manager, due to my refugee status, advised me to find a partner or representative anywhere in the world who will take care of me and receive the money on my behalf[ …]”, obviously for a generous fee , “ Please, I really need your kind-hearted help and I am willing to offer you a part of the money if you help me .”. Under the following conditions: “ Do you accept my proposal to offer a quarter of the money as compensation for your help? Will you make sure to help me out of my unfortunate situation, receive the money and send me some to purchase my travel documents and start a new life? Do you ensure that you do not run away with the money once it is received in your bank account? ”.
“ For security reasons ,” the email continues, “ the bank manager advised me to always remind my representative to keep this transaction confidential until the money successfully arrives in your checking account, in so as to avoid the unjustified interception of our communications with their bank by some hacker on the internet .”
Sample of the request for the mandate that the representative must sign and send to the bank for the transfer of the inheritance
Here’s the scam
But to do all this, the representative should take responsibility for sending a letter requesting the transfer of funds to the indicated bank manager, attaching a series of documents that only the lady possesses but in paper format. ” I only have the paper copy of my late husband’s last bank statement with the death certificate and I should scan them, attach them and send them to you now because it is important that you have a copy of these documents because the bank may request them, but there is no document scanning machine in our refugee camp. In order to scan, attach and send the copies, I will have to go to a center very far from our camp .”
And here is the request for money. To be able to afford the trip and pay for the document scanning service, the widow would need financial support from her representative which could be paid into an account made available by an elusive official of the usual refugee agency in service at the same tent city, justifying it by saying that “ […]Refugees are not allowed to operate a bank account because we do not have legal immigration documents here. ”
Pay attention to the typical pattern
Obviously the account does not belong to a refugee agency but to an impostor owner and any sending of money would only end up in the hands of the scammer who will ask for more money to be sent to also pay for the legal assistance necessary for issuing the authorization to the transfer of inheritance. Therefore pay attention to the typical scheme:
The scam begins with an email received from an alleged widow in difficulty asking for help in receiving the inheritance of her husband who died in the war, in exchange for a large fee;
once responded, other emails will arrive, with other information and the intermediation of a bank and refugee official;
Finally, personal details and financial support will be requested as well as all instructions to prepare the necessary documentation for the transfer of the fund, to be paid to an account of a refugee agency.
The 419 scam is very widespread and dangerous, and can cause serious economic and psychological damage to victims. To protect yourself in these cases it is important to be cautious and skeptical when receiving requests for money from strangers and even from foreign countries. Furthermore, it is best to never provide your personal or banking details and always report scam attempts and cases to the competent authorities .
For the moment the fraudulent account (probably not the only one) into which all the proceeds flow has collected approximately €1,371.00.
About the author: Salvatore Lombardo (Twitter @Slvlombardo)
Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazine on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.
US FTC charged cyber security firm Avast with harvesting consumer web browsing data through its browser extension and antivirus and sold it.
The US Federal Trade Commission (FTC) has filed charges against cybersecurity firm Avast, accusing it of collecting and selling consumer web browsing data gathered through its browser extension and antivirus services. The antivirus firm is accused of selling the data to advertising companies without user consent.
According to the complaint, the cybersecurity firm was advertising its products as privacy-friendly. The company claimed their software would “block[] annoying tracking cookies that collect data on your browsing activities” and “[p]rotect your privacy by preventing . . . web services from tracking your online activity.”
“Since at least 2014, Respondents have collected consumers’ browsing information through browser extensions and antivirus software installed on consumers’ computers and mobile devices.” reads the FTC’s complaint.“Respondents sold the browsing information that they purported to protect, in many instances without notice to users.”
Avast subsidiary Jumpshot sold the collected information to over 100 third parties between 2014 and 2020.
FTC will also fine Avast $16.5 million and order to stop selling or licensing any web browsing data for advertising purposes.
FTC says despite its promises to protect consumers from online tracking, Avast sold consumers' browsing data to third parties /2
Data collected by Avast could allow third parties to profile users and their habits, the cybersecurity firm could have combined this type of information with persistent identifiers that they created and that allowed identification of each consumer’s device uniquely.
Collected browsing information, including web searches and webpages visited, revealed consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and interest in prurient content.
The Czech security company claimed to have anonymized the data before selling them to third parties, but FTC believes that the process did not prevent the identification of the users.
“Using a proprietary algorithm developed by Avast, Avast and Jumpshot purported to find and remove identifying information prior to each transfer of consumer browsing information to Jumpshot’s servers. But this process was not sufficient to anonymize consumers’ browsing information, which Jumpshot then sold, in non-aggregate form, through a variety of different products to third parties.” state the complaint.
Below is the statement shared by Avast in response to the FTC:
“Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020. We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”
The vulnerability is an authentication bypass vulnerability issue that an attacker with network access to the management interface can exploit to create a new, administrator-level account on affected devices.
The issues impact ScreenConnect 23.9.7 and prior, below is the remediation provided in the advisory:
Cloud
There are no actions needed by the partner, ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue.
On-premise
Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch.
Cybersecurity researchers from Huntress published a technical analysis of the ConnectWise vulnerability. The security firm is aware that the issue is actively exploited in attacks in the wild, the experts also recreated the exploit and attack chain.
The researchers concluded that the exploitation of this flaw is trivial and embarrassingly easy for this reason there should not be public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors.
Below is a video PoC of the exploit created by Huntress researchers, it performs the simple authentication bypass and demonstrates how to achieve remote code execution.
CISA is aware that this vulnerability is exploited in ransomware attacks, Sophos researchers also confirmed this circumstance.
“In the last 24 hours, we’ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709).” said Sophos. “Two things of interest here: first, as noted by others, the ScreenConnect vulnerabilities are being actively exploited in the wild. Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running”
Microsoft has released an open-access automation framework, called PyRIT, to proactively identify risks in generative artificial intelligence (AI) systems.
Microsoft has released a Python Risk Identification Tool for generative AI (PyRIT), it is an open-access automation framework to proactively find risks in generative AI systems.
The tool aims at helping red teaming activity of AI systems, Microsoft states that the development of the PyRIT demonstrates its commitment to democratize securing AI for its customers, partners, and peers.
Unlike traditional red teaming activities, red teaming of generative AI systems must include the identification of both security risks as well as responsible AI risks such as fairness issues to producing ungrounded or inaccurate content.
The design of PyRIT ensures abstraction and extensibility to allow future enhancement of PyRIT’s capabilities. The tool implements five interfaces: target, datasets, scoring engine, attack strategies and memory.
PyRIT supports integrating with models from Microsoft Azure OpenAI Service, Hugging Face, and Azure Machine Learning Managed Online Endpoint.
The tool supports two attack strategy styles, the single-turn strategy and the multi-turn strategy. The former strategy consists of sending a combination of jailbreak and harmful prompts to the AI system and scores the response. In the multi-turn strategy, the system sends a combination of jailbreak and harmful prompts to the AI system, and subsequently responds to the AI system based on the scored score. The first approach if faster while the the second is a more realistic adversarial behavior and the implementation of more advanced attack strategies.
“PyRIT is more than a prompt generation tool; it changes its tactics based on the response from the generative AI system and generates the next input to the generative AI system. This automation continues until the security professional’s intended goal is achieved.” reads the announcement published by Microsoft.
Microsoft pointed out that the tool is not a replacement for the manual red teaming of generative AI systems.
“PyRIT was created in response to our belief that the sharing of AI red teaming resources across the industry raises all boats. We encourage our peers across the industry to spend time with the toolkit and see how it can be adopted for red teaming your own generative AI application.” concludes the announcement
Australian telecommunications provider Tangerine disclosed a data breach that impacted roughly 230,000 individuals.
Tangerine suffered a data breach that exposed the personal information of roughly 230,000 individuals.
The security breach occurred on Sunday 18 February 2024, but Tangerine management became aware of the incident on Tuesday 20 February 2024.
The telco notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
The telecommunications provider pointed out that no financial information (credit or debit card numbers, banking details) has been compromised. The company also confirmed that the attack did not affect the availability or operation of their nbn® or mobile services.
“We can confirm that no credit or debit card numbers have been compromised, as we do not store this information. No driver’s licence numbers, ID documentation details, banking details or passwords have been disclosed as a result of this incident.” reads the statement published by the company.
The exposed information includes full name, date of birth, mobile number, email address, postal address and Tangerine account number.
Upon becoming aware of the security breach, the company launched an investigation, which is still ongoing, into the incident.
The company hired cyber specialists to investigate the incident, the experts discovered that attackers gained access to an unsecured legacy database.
“We have taken precautionary steps to fully revoke network and systems access for the individual user’s credentials and we have also changed all other team usernames and passwords. Access to the affected legacy database has also been closed.”continues the statement.
The company already notified impacted individuals by email on Wednesday 21 February 2024.
The incident did not impact customer accounts, which are protected with multi-factor authentication (MFA).
A Russian national (49) was charged with a cyberattack on a local power plant that caused a widespread blackout.
The news agency TASS reported that a Russian national (49) is set to face trial on charges of carrying out a cyberattack on a local power plant that left 38 villages in the Vologda region in the dark.
The attack took place one year ago, the man faces up to eight years in prison.
“The criminal investigation has been completed against a hacker who cut off power to 38 settlements in the Vologda region. The Russian FSB Directorate for the Vologda Region established that in February 2023, a resident of the region born in 1975 gained unlawful access to technological control systems for power grids and cut off power to 38 settlements Vologda region in the Sheksninsky district, Ustyuzhensky and Babayevsky districts,” the press service of the Russian FSB department for the Vologda region told TASS.
TASS reported that the Russian authorities have opened a criminal case was opened into the incident under Part 4 of Article 274.1 of the local Criminal Code.
The local authorities have completed the investigation and sent the evidence to the court for a final judgment.
The suspect is currently obligated to remain at the specified location, as stated by the FSB Directorate to TASS.
It is unclear if the defendant was a member of a hacker group or if the attack was an act of hacktivism against the Russian government for its invasion of Ukraine.
Apple announced the implementation of a post-quantum cryptographic protocol called PQ3 will be integrated into iMessage.
Apple announced a new post-quantum cryptographic protocol called PQ3 that will be integrated into the company messaging application iMessage to secure communications against highly sophisticated quantum attacks.
Apple said that PQ3 is the first messaging protocol to reach what they call Level 3 security, which is the most secure protocol for messaging apps today.
Messaging services use classical public key cryptography, such as RSA, Elliptic Curve signatures, and Diffie-Hellman key exchange, to establish secure end-to-end encrypted connections between devices. However, researchers believe that a sufficiently powerful quantum computer could compromise of end-to-end encrypted communications.
Post-quantum computing refers to events that follow the development of quantum computers. Traditional cryptographic methods, which are widely used to secure data today, rely on mathematical problems that can be solved efficiently by classical computers. However, quantum computers have the potential to solve certain mathematical problems exponentially faster than classical computers, posing a threat to the security of current cryptographic systems.
Post-quantum cryptography refers to cryptographic algorithms and techniques that are designed to remain secure against attacks launched by quantum computers.
“Although quantum computers with this capability don’t exist yet, extremely well-resourced attackers can already prepare for their possible arrival by taking advantage of the steep decrease in modern data storage costs. The premise is simple: such attackers can collect large amounts of today’s encrypted data and file it all away for future reference.” states the announcement. “Even though they can’t decrypt any of this data today, they can retain it until they acquire a quantum computer that can decrypt it in the future, an attack scenario known as Harvest Now, Decrypt Later.”
The company announced it has rebuilt the iMessage cryptographic protocol from the ground up to advance the state of the art in end-to-end encryption.
PQ3 introduces a new post-quantum encryption key in the set of public keys generated locally by each device. The devices send the keys to Apple servers as part of the iMessage registration process. The company used Kyber post-quantum public keys, because the algorithm is recommended by NIST.
This implementation allows sender devices to acquire receiver public keys and generate post-quantum encryption keys for the initial message, even if the receiver is offline, a process referred to as initial key establishment.
PQ3 also incorporates a periodic post-quantum rekeying mechanism within conversations.
PQ3 is designed to implement a hybrid approach, combining Elliptic Curve cryptography with post-quantum encryption during both the initial key establishment and rekeying processes.
“With PQ3, iMessage continues to rely on classical cryptographic algorithms to authenticate the sender and verify the Contact Key Verification account key, because these mechanisms can’t be attacked retroactively with future quantum computers. To attempt to insert themselves in the middle of an iMessage conversation, an adversary would require a quantum computer capable of breaking one of the authentication keys before or at the time the communication takes place. In other words, these attacks cannot be performed in a Harvest Now, Decrypt Later scenario — they require the existence of a quantum computer capable of performing the attacks contemporaneously with the communication being attacked.” concludes the announcement. “We believe any such capability is still many years away, but as the threat of quantum computers evolves, we will continue to assess the need for post-quantum authentication to thwart such attacks.”
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
On February 23, researchers at blockchain cybersecurity firm PeckShield alerted about a “whale wallet” compromise over the Ronin Bridge. The experts reported that the attackers stole about 3,248 ETH (roughly $9.7 million). Cyber thieves transferred the stolen funds to the Tornado Cash cryptocurrency mixer.
“PeckShield’s investigation of the compromised wallets from Ronin Bridge v2 suggests that the 3,248-ETH loot was initially split and moved to three different wallets. The funds eventually made their way into Tornado Cash, a service often used by hackers to anonymize the funds’ ownership and traceability.” reported CoinTelegraph.
Zirlin confirmed the theft with a message published on X, he pointed out that the attack is limited to his two personal accounts, and is not linked to the operations of the Ronin chain.
This has been a tough morning for me.
Two of my addresses have been compromised.
The attack is limited to my personal accounts, and has nothing to do with validation or operations of the Ronin chain.
Additionally, the leaked keys have nothing to do with Sky Mavis operations.…
The Record Media highlighted that another Ronin Network co-founder, Aleksander Larsen, confirmed that the cyber heist is not linked to the operations of the Ronin chain.
The bridge has no issue and Ronin is not compromised.
Extremely misleading title.
A wallet has clearly been compromised like what happens on every chain, and the funds are being tornado cashed.
The bridge itself has top security, been through many audits and goes on pause when…
In March 2022, in a separate incident, threat actors stole approximately $625 million worth of Ethereum and USDC tokens from Axie Infinity‘s Ronin network bridge.
In April, the U.S. government attributed the recent $600 million Ronin Validator cryptocurrencty heist to the North Korea-linked APT Lazarus.
A cyber attack hit the Royal Canadian Mounted Police (RCMP), the federal and national law enforcement agency of Canada.
The Royal Canadian Mounted Police (RCMP), the federal and national law enforcement agency of Canada, confirmed that it was the target of a cyber attack. RCMP also notified the Office of the Privacy Commissioner (OPC).
The police have launched an investigation into the cyber attack and urged its staff to stay vigilant.
“The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson for the RCMP said in a statement issued to CBC News. “While a breach of this magnitude is alarming, the quick work and mitigation strategies put in place demonstrate the significant steps the RCMP has taken to detect and prevent these types of threats.”
The RCMP said that it is not aware of any impact on foreign police and intelligence services.
The Canadian law enforcement agency did not provide details about the cyber attack.
In November 2023, the Canadian government disclosed a data breach after threat actors hacked two of its contractors.
The Canadian government declared that two of its contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, have been hacked, resulting in the exposure of sensitive information belonging to an undisclosed number of government employees.
Data belonging to current and former Government of Canada employees, members of the Canadian Armed Forces and Royal Canadian Mounted Police personnel have been also exposed.
The LockBit gang is back and set up a new infrastructure after the recent attempt by law enforcement to disrupt their operation.
Last week, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.
The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.
The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.
The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.
The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.
Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.
The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.
Now the LockBit gang is attempting to relaunch its RaaS operation, the group has set up a new infrastructure and is threatening to carry out cyber attacks on the government sector.
“Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger. By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not.” wrote the gang.
In a couple of days, the gang added 12 entries to its website, five of them are new victims of the group. It seems that the group is re-populating its tor leak site.
The new leak site also includes an entry for the FBI that contains a long message to the law enforcement agency. According to the message, the FBI hacked the gang’s infrastructure because they didn’t want to leak information Fulton County. The ransomware gang claimed to have stolen documents containing a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.
Below is the entire message published by the gang:
"What happened. On February 19, 2024 penetration testing of two of my servers took place, at 06:39 UTC I found an error on the site 502 Bad Gateway, restarted nginx - nothing changed, restarted mysql - nothing changed, restarted PHP - the site worked. I didn't pay much attention to it, because for 5 years of swimming in money I became very lazy, and continued to ride on a yacht with titsy girls. At 20:47 I found that the site gives a new error 404 Not Found nginx, tried to enter the server through SSH and could not, the password did not fit, as it turned out later all the information on the disks was erased. Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time, the servers had PHP 8.1.2 version installed, which was successfully penetration tested most likely by this CVE https://www.cvedetails.com/cve/CVE-2023-3824/ , as a result of which access was gained to the two main servers where this version of PHP was installed. I realize that it may not have been this CVE, but something else like 0day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed. The new servers are now running the latest version of PHP 8.3.3. If anyone recognizes a CVE for this version, be the first to let me know and you will be rewarded. The problem doesn't just affect me. Anyone who has used a vulnerable version of PHP keep in mind that your server may have been compromised, I'm sure many competitors may have been hacked in the same way, but they didn't even realize how it happened. I'm sure the forums I know are also hacked in the same way via PHP, there are good reasons to be sure, not only because of my hack but also because of information from whistleblowers. I noticed the PHP problem by accident, and I'm the only one with a decentralized infrastructure with different servers, so I was able to quickly figure out how the attack happened, if I didn't have backup servers that didn't have PHP on them, I probably wouldn't have figured out how the hack happened. The FBI decided to hack now for one reason only, because they didn't want to leak information from https://fultoncountyga.gov/ the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election. Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet. If it wasn't for the FBI attack, the documents would have been released the same day, because the negotiations stalled, right after the partner posted the press release to the blog, the FBI really didn't like the public finding out the true reasons for the failure of all the systems of this city. Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked, because you do not cause any critical damage, you bring only benefit. What conclusions can be drawn from this situation? Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger. By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not. Even if you updated your PHP version after reading this information, it will not be enough, because you have to change the hoster, server, all possible passwords, user passwords in the database, audit the source code and migrate everything, there is no guarantee that you have not been hardened on the server. There is no guarantee that the FBI does not have 0day for your servers about which they have already learned enough information to re-hack, so only a complete change of everything that can only be replaced will help. All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies. As a result of hacking the servers, the FBI obtained a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors, they claim 1000 decryptors, although there were almost 20000 decryptors on the server, most of which were protected and cannot be used by the FBI. Thanks to the database they found out the generated nicknames of the partners, which have nothing to do with their real nicknames on forums and even nicknames in messengers, not deleted chats with the attacked companies and accordingly wallets for money, which will be investigated and searched for all those who do not launder crypto, and possibly arrest people involved in laundering and accuse them of being my partners, although they are not. All of this information has no value because it is all passed to the FBI and without hacking the panel, after every transaction by insurance agents or negotiators. The only thing that is of value and potential threat is the source code of the panel, because of it is probably possible future hacks if you let everyone into the panel, but now the panel will be divided into many servers, for verified partners and for random people, up to 1 copy of the panel for 1 partner on a separate server, before there was one panel for everyone. Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced. Leak of the panel source code was also happening at competitors, it didn't stop them from continuing their work, it won't stop me either. The FBI says they received about 1000 decryptors, a nice figure, but it doesn't look like the truth, yes they received some unprotected decryptors, those builds of the locker that were made without the "maximum decryptor protection" checkbox could only be received by the FBI in the last 30 days, it's not known on what day the FBI got access to the server, but we know exactly the date of CVE disclosure and the date when PHP generated an error, before Feb 19th the attacked companies were regularly paying even for unprotected decryptors, so there is a chance the FBI were only on the server for 1 day, it would be nice if the FBI released all the decryptors to the public, then you could trust them that they really own the decryptors, not bluffing and praising their superiority, not the superiority of 1 smart pentester with a public CVE. Note that the vast majority of unprotected decryptors are from partners who encrypt brute force dedicas and spam single computers, taking $2000 ransoms, i.e. even if the FBI has 1000 decryptors, they are of little use, the main thing is that they didn't get all the decryptors for the entire 5 years of operation, which number is about 40000. It turns out that the FBI were only able to get hold of 2.5% of the total number of decryptors, yes it's bad, but it's not fatal. - From this significant moment, when the FBI cheered me up, I will stop being lazy and make it so that absolutely every build loker will be with maximum protection, now there will be no automatic trial decrypt, all trial decrypts and the issuance of decryptors will be made only in manual mode. Thus in the possible next attack, the FBI will not be able to get a single decryptor for free. Probably, everyone has already noticed how beautifully the FBI has changed the design of the blog, no one has ever been given such honors, usually everyone just put the usual plug with the praise of all the special services of the world. Although in fact only one person from all over the planet deserves praise, the one who pentest my site and picked up the right public CVE, I wonder how much he was paid, how much was his bonus? If less than a million dollars, then come work for me, you'll probably make more with me. Or just come talk to me at tox 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 remember that I always have an active bug bounty program and I pay money for bugs found. FBI doesn't appreciate your talents, but I do and am willing to pay generously. I wonder why the alpha, revil, hive blogs were not designed so nicely? Why weren't their deanons published? Even though the FBI knows their identities? Strange isn't it? Because with such stupid methods FBI is trying to intimidate me and make me stop working. The FBI designer should work for me, you have good taste, I especially liked the new preloader, in the new update I should do something similar, USA, UK and Europe revolve around my logo, brilliant idea, right there made me feel very good, thanks. A couple of my partners were arrested, to be honest I doubt that very much, they are probably just people who are laundering cryptocurrencies, maybe they were working for some mixers and exchangers with drops, that's why they were arrested and considered my partners, it would be interesting to see the video of the arrest, where at their homes, Lamborghinis and laptops with evidence of their involvement in our activities, but I somehow think we will not see it, because the FBI arrested random people to get a certificate of merit from the management, say look there are arrests, we are not getting money for nothing, we are honestly working off taxes and imprisoning random people, when real pentesters quietly continue their work. Basssterlord is not caught, I know Basssterlord's real name, and it's different than the poor guy the FBI caught. I don't know any military journalist from Sevastopol Colonel Cassad, and I never donated to anyone, it would be nice if the FBI showed the transaction so I could check on the blockchain where they drew such conclusions from and why they claim it was me who did it, I never do any transaction without a bitcoin mixer. If I may have used the same cryptocurrency exchange service that someone from Evil Corp used it absolutely does not mean I have anything to do with Evil Corp, again where are the transactions? How do I know who is using which exchanger? I use different exchangers and I don't concentrate all my money on one cryptocurrency exchanger. Let's blame the hundreds of other people who use publicly available exchanges on Evil Corp. I really dislike that all such throw-ins are made without publishing transactions and wallets, thus it is impossible to verify what is true. You can accuse me of anything without proving anything, and there is no way I can refute it, because there are no transactions and bitcoin wallets. The FBI states that my income is over 100 million dollars, this is true, I am very happy that I deleted chats with very large payouts, now I will delete more often and small payouts too. These numbers show that I am on the right track, that even if I make mistakes it doesn't stop me and I correct my mistakes and keep making money. This shows that no hack from the FBI can stop a business from thriving, because what doesn't kill me makes me stronger. All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid. I am very pleased that the FBI has cheered me up, energized me and made me get away from entertainment and spending money, it is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI, there is a sporting interest and desire to compete. With competitors who will make more money and attack more companies, and with the FBI whether they can catch me or not, and I'm sure they can't, looking at the way they work. The FBI promised to publish my deanon but they didn't fulfill their promise, these people dare to lie about me supposedly not deleting stolen information of companies after paying the ransom, clowning around. It turns out that the FBI officially recognized themselves as liars and they lie very often, as my familiar lawyers Arkady Buch, Dmitry Naskavets and Victor Smilyanets stated, now I believe them 100%. They made a foolish attempt to discredit me by claiming that I work for the FBI, a man who encrypts US companies every day and makes hundreds of millions of dollars does it with the approval of the FBI? Is that how it works? Very clever. You're thinking, why would I work for hundreds of millions of dollars? And I will answer that I am just bored, I love my work, it brings me joy from life, money and luxury do not bring such joy as my work, that's why I am ready to risk my life for the sake of my work, that's how bright, rich and dangerous life should be in my opinion. *when I write the word FBI I mean not only FBI, but also all their assistants, who know how to arrest servers of partners, which act as the first lining after stealing data from the attacked company and do not represent any value: South West Regional Organized Crime Unit in the U.K., Metropolitan Police Service in the U.K., Europol, Gendarmerie-C3N in France, the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany, Fedpol and Zurich Cantonal Police in Switzerland, the National Police Agency in Japan, the Australian Federal Police in Australia, the Swedish Police Authority in Sweden, the National Bureau of Investigation in Finland, the Royal Canadian Mounted Police in Canada, and the National Police in the Netherlands. So please don't take offense, I haven't forgotten about you, you were also very helpful in this operation. But let me remind you that personally I think the only person who deserves an award and an honorable mention is the person who found a suitable public PHP CVE for my servers, I'm assuming it's someone from Prodaft."
The message concludes with a list of backup blog domains that cannot be shut down by the FBI because Lockbit admins have addressed the PHP issues exploited by feds in the Operation Cronos.
The FBI breached two main servers of the gang that were running outdated PHP versions vulnerable to the flaw CVE-2023-3824.
The popular hacker IntelBroker announced that it had hacked the Los Angeles International Airport by exploiting a flaw in one of its CRM systems.
The website Hackread first reported that the popular hacker IntelBroker had breached one of the CRM systems used by the Los Angeles International Airport. IntelBroker announced it had exploited a vulnerability in the target system, the attack took place this month.
“IntelBroker informed Hackread.com that they successfully executed the data breach by exploiting a vulnerability within one of the CRM systems utilized by the Los Angeles International Airport.” reads the post published by Hackread.
The hacker claims to have gained access to a database containing confidential data of the owners of private planes. The database contained 2.5 million records, containing the following data:
Full names
CPA numbers
Email addresses (1.9 million emails – total 15,8000 emails after removing duplicates).
Company names
Plane model numbers
Tail numbers (Refers to an identification number painted on an aircraft tail).
The security breach did not impact travelers.
IntelBroker announced the hack on BreachForumsm the post states that in February 2024, a user named ‘kwillsy’ breached a database of the Los Angeles International Airport. However, IntelBroker told HackRead that “kwillsy” is not associated with the security breach, and they claimed full responsibility for the data breach.
Login
(@Jihoz_Axie) 
