The FBI is informing victims of LockBit ransomware it has obtained over 7,000 LockBit decryption keys that could allow some of them to decrypt their data.

The FBI is inviting victims of LockBit ransomware to come forward because it has obtained over 7,000 LockBit decryption keys that could allow them to recover their encrypted data for free.

“Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online.” said Bryan Vorndran, the Assistant Director at the FBI Cyber Division, during the 2024 Boston Conference on Cyber Security. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.” 

In February, a joint law enforcement action code-named Operation Cronos conducted by law enforcement agencies from 11 countries temporarily disrupted the LockBit ransomware operation.

This call to action comes after law enforcement took down LockBit’s infrastructure in February 2024 in an international operation dubbed “Operation Cronos.”

The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The NCA seized the Tor leak site and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.

The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”

The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA reached out to victims based in the UK providing support to help them recover encrypted data.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.” said National Crime Agency Director General, Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.

The FBI, UK National Crime Agency, and Europol have also unmasked the identity of the admin of the LockBit ransomware operation, aka ‘LockBitSupp’ and ‘putinkrab’ , and issued sanctions against him. It was the first time that the admin of the notorious group was identified by law enforcement.

The man is a Russian national named Dmitry Yuryevich Khoroshev (31) of Voronezh, Russia.

“The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.” reads the press release published by NCA.

The NCA states that Khoroshev will now be subject to a series of asset freezes and travel bans.

“Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.” continues the NCA.

According to the UK agency, data retrieved from the systems belonging to the ransomware gang revealed that from June 2022 to February 2024, the criminals gave orchestrated over 7,000 attacks. The most targeted countries included the US, UK, France, Germany, and China.

However, despite the law enforcement operation, the LockBit group is still active and targeted tens of organizations since February.

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.

According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)

Researchers believe the RansomHub ransomware-as-a-service is a rebranded version of the Knight ransomware operation.

Cybersecurity experts who analyzed the recently emerged ransomware operation RansomHub speculate that is is a rebranded version of Knight ransomware.

Knight, also known as Cyclops 2.0, appeared in the threat landscape in May 2023. The malware targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android. The operators used a double extortion model for their RaaS operation.

Knight ransomware-as-a-service operation shut down in February 2024, and the malware’s source code was likely sold to the threat actor who relaunched the RansomHub operation. RansomHub claimed responsibility for attacks against multiple organizations, including Change Healthcare, Christie’s, and Frontier Communications.

Researchers at Symantec, part of Broadcom, discovered multiple similarities between the RansomHub and Knight ransomware families, suggesting a common origin:

• Both are written in Go and use Gobfuscate for obfuscation.
• They share extensive code overlaps.
• The command-line help menus used by the two malware are identical, except for a ‘sleep’ command on RansomHub.
• Both employ a unique obfuscation technique with uniquely encoded important strings.
• The ransom notes from both Knight and RansomHub show significant similarities, with many phrases from Knight’s note appearing verbatim in RansomHub’s, indicating that the developers likely edited and updated the original note.
• Both payloads restart endpoints in safe mode before encryption.
• The sequence and method of command execution are the same, though RansomHub now uses cmd.exe for execution.

However, despite the two malware share origins, it is unlikely that the authors of Knight are now operating RansomHub. 

“One main difference between the two ransomware families is the commands run through cmd.exe. While the specific commands may vary, they can be configured either when the payload is built or during configuration. Despite the differences in commands, the sequence and method of their execution relative to other operations remain the same.” states the report published by Symantec.

Although RansomHub only emerged in February 2024, it has rapidly grown and, over the past three months, has become the fourth most prolific ransomware operator based on the number of publicly claimed attacks.

“One factor contributing to RansomHub’s growth may be the group’s success in attracting some large former affiliates of the Noberus (aka ALPHV, Blackcat) ransomware group, which closed earlier this year. One former Noberus affiliate known as Notchy is now reportedly working with RansomHub. In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider, were used in a recent RansomHub attack.” concludes the report that also provides Indicators of Compromise. “The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)

Cybersecurity researchers demonstrated how malware could potentially steal data collected by the new Windows Recall tool.

The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised security and privacy concerns among cybersecurity experts because it scans and saves periodic screenshots of the computer screen, potentially exposing sensitive data, like passwords or financial information.

Microsoft attempted to downplay the risks for the users, the company pointed out that an attacker would need physical access to obtain data collected by the Recall tool.

However, multiple researchers have demonstrated that a malicious code could steal data collected by the Recall feature.

The popular cybersecurity expert Kevin Beaumont explained that an attacker can gain remote access to a device running Recall using a malware.

“When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.” reads a post published by Beaumont. “For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall.”

Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.

Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.

HT detective pic.twitter.com/Njv2C9myxQ

— Kevin Beaumont (@GossiTheDog) May 30, 2024

Re the second paragraph in this BBC News piece about Copilot+ Recall – I don’t know if it’s a BBC error or a Microsoft misstatement, but the line is not true.

If you gain remote access to a device running Recall (eg a trojan) you can access Recall.https://t.co/ebGjiVyVsI pic.twitter.com/QDMRC0xuud

— Kevin Beaumont (@GossiTheDog) May 23, 2024

Microsoft pointed out that information captured by their tool is highly encrypted and nobody can access them, but Beaumont said it is false and published a video of two Microsoft engineers accessing the folder containing the images.

Watch as Microsoft staff gain access to the Recall database files at the 24 second mark here, you'll be shocked by their elite hacking skills. pic.twitter.com/RxBQ8iTixw

— Kevin Beaumont (@GossiTheDog) May 30, 2024

The cybersecurity researcher Alex Hagenah has released a PoC tool, named TotalRecall, that can automatically extract and display the snapshots captured by Recall on a laptop and saved into its database.

“The database is unencrypted. It’s all plain text,” Hagenah says.⁩” told Wired.

“Windows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.” Hagenah explained “Here’s where you can find them:

C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}

The images are all stored in the following subfolder

.\ImageStore\

The IT researcher Marc-André Moreau explained that an info-stealing malware can easily steal temporarily visible passwords from Remote Desktop Manager, which are captured by the Recall tool, from a local SQLite database.

The full OCR text with the temporarily visible password is available in the %LocalAppData%CoreAIPlatform.00UKP{<UUID>}ukg.db SQLite database, nicely gift wrapped for infostealer malware to exfiltrate: pic.twitter.com/UKRjSPdUNs

— Marc-André Moreau (@awakecoding) June 3, 2024

While Recall remains as a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” concludes Wired.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, AI)

Cisco addressed vulnerabilities that were exploited to compromise the Webex meetings of the German government.

In early May, German media outlet Zeit Online revealed that threat actors exploited vulnerabilities in the German government’s implementation of the Cisco Webex software to access internal meetings.  

In March, the German authorities admitted the hack by Russia-linked actors of a military meeting where participants discussed giving military support to Ukraine.

“In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center.” reads the advisory published by the company.

Experts believe threat actors exploited an insecure direct object reference (IDOR) vulnerability to access internal Webex meetings. Threat actors gained access to information about the meeting, such as topics and participants, and spied on sensitive meetings, despite the German government decided to use an on-premises version of Webex.

The experts also discovered that some meeting rooms of high-ranking officials were not password-protected.

The IT giant now confirmed that the vulnerability exploited by the nation-state actors has been addressed.

“These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024.” continues the advisory.

Cisco notified customers who experienced observable attempts to access meeting information and metadata. Since the flaws were addressed, the company hasn’t observed any other attempts to exploit the vulnerabilities. The company added that the investigation is still ongoing and that they continuing to monitor for unauthorized activity, providing updates as needed through regular channels.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Germany)

A vulnerability in the popular video-sharing platform TikTok allowed threat actors to take over the accounts of celebrities.

Threat actors exploited a zero-day vulnerability in the video-sharing platform TikTok to hijack high-profile accounts. The vulnerability resides in the direct messages feature implemented by the platform, reported Forbes.

The malware spreads through direct messages within the app and only requires the user to open a message. The compromised accounts did not post content, and the extent of the impact is unclear. TikTok spokesperson Alex Haurek stated that their security team is aware of the exploit and has taken measures to stop the attack and prevent future incidents. The company is also working with affected account owners to restore access.

The list of compromised accounts includes CNN, Paris Hilton, and Sony, however, it’s still unclear how many accounts have been impacted.

The company did not share technical details about the vulnerability exploited by the attackers.

“Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.” TikTok spokesperson Alex Haurek told Forbes.

Haurek pointed out that the attacks compromised a very small number of accounts.

Semafor first reported that CNN’s TikTok account had been hacked, forcing the broadcaster to take down its account for several days.

The TikTok spokesperson also added that their security team was recently alerted of malicious actors targeting CNN’s account.

TikTok remarked that it is committed to maintaining the platform’s integrity and will continue to monitor for any further fraudulent activity.

In August 2022, Microsoft researchers discovered a high-severity flaw (CVE-2022-28799) in the TikTok Android app, which could have allowed attackers to hijack users’ accounts with a single click. The experts stated that the vulnerability would have required the chaining with other flaws to hijack an account. Microsoft reported the issue to TikTok in February 2022, and the company quickly addressed it. Microsoft confirmed that it is not aware of attacks in the wild exploiting the bug.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, zero-day)

Zyxel Networks released an emergency security update to address critical vulnerabilities in end-of-life NAS devices.

Zyxel Networks released an emergency security update to address three critical flaws in some of its NAS devices that have reached end-of-life.

An attacker can exploit the vulnerabilities to perform command injection attacks and achieve remote code execution. Two flaws can also allow attackers to elevate privileges.

The Outpost24 researcher Timothy Hjort reported the flaw to the manufacturer and published a detailed analysis and PoC exploit codes for the flaws.

Below is the list impacting the Zyxel NAS devices:

• CVE-2024-29972: This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
• CVE-2024-29973: This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
• CVE-2024-29974: This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
• CVE-2024-29975: This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
• CVE-2024-29976:This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

The vulnerabilities affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

The vendor did not address CVE-2024-29975 and CVE-2024-29976 in its end-of-life products.

“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support.” reads the advisory published by the company. “Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.”

Zyxel is not aware of attacks in the wild exploiting these vulnerabilities.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, RCE)

A ransomware attack that hit the provider of pathology and diagnostic services Synnovis severely impacted the operations of several London hospitals.

A ransomware attack on pathology and diagnostic services provider Synnovis has severely impacted the operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures, in some cases patients were redirected to other hospitals.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.

In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.

“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”

The pathology and diagnostic services provider has launched an investigation into the security breach with the help of experts from the NHS. The experts are working to fully assess the impact of the attack and to take the appropriate action to contain the incident. The company also announced they are working closely with NHS Trust partners to minimise the impact on patients and other service users.

NEW: Operations across 2 major London hospitals @GSTTnhs & @KingsCollegeNHS have been cancelled due to a cyber attack, with all transplant surgery at @RBandH axed. Problem is affecting pathology labs incl blood transfusions. Trauma cases at Kings being sent to other sites: pic.twitter.com/zmtsq6c0zL

— Shaun Lintern (@ShaunLintern) June 4, 2024

Below is the message sent by Professor Ian Abbs, Chief Executive Officer Guy’s and St Thomas’ NHS Foundation Trust:Dear Colleague

"I am writing to update you about the ongoing critical incident that is currently affecting our pathology services. I can confirm that our pathology partner  Synnovis experienced a major IT incident earlier
today, which is ongoing and means that we are not currently connected to the Synnovis IT
servers. This incident is also affecting King’s College Hospital NHS Foundation Trust and primary care across south east London. 
This is having a major impact on the delivery of our services, with blood transfusions being particularly affected. Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to safely carry out.
I recognise how upsetting this is for patients and families whose care has been affected, and how difficult and frustrating this is for you all. I am very sorry for the disruption this is causing. An incident response structure has been stood up, with colleagues from across the Trust meeting regularly to assess the situation and put contingency plans into place. All clinical groups are represented on this, so please do direct any clinical or operational questions to your clinical group or directorate leadership as your clinical group or directorate leadership as appropriate. While we do not yet know all the details or how long this issue will take to resolve we will keep you updated through the usual routes, including through the clinical alert system."

The NHS London published a statement on Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.

“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement.

“Emergency care continues to be available, so patients should access services in the normal way by dialling 999 in an emergency and otherwise using 111, and patients should continue to attend appointments unless they are told otherwise. We will continue to provide updates for local patients and the public about the impact on services and how they can continue to get the care they need.”

At this time, the company has yet to provide details on the attack, such as the malware family that infected its systems and if it has suffered a data breach.

In April, Synlab Italia, the Italian branch of the SYNLAB group, experienced disruptions due to a Blackbasta cyber attack. The company suspended all activities at sampling points, medical centers, and laboratories in Italy.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)

The RansomHub ransomware group added the American telecommunications company Frontier Comunications to the list of victims on its Tor leak site.

The RansomHub ransomware group claimed to have stolen the information of over 2 million customers from the American telecommunications company Frontier Communications. The RansomHub group claims to have stolen 5GB of data from the telecommunications giant.

Stolen data include names, email addresses, SSNs, credits, scores, dates of birth, and phone numbers.

“Data is more than 2 million customer with address name email ssn credit score date of birth and phone number. We gave frontier 2 months to contact us but they don’t care about clients data. Below is screenshot of some of the data.” reads the message published by the group. “Now anyone who wants to buy this data can contact our blog support, we only sell it once.”

In April, Frontier Communications notified the Securities and Exchange Commission (SEC) that it had to shut down certain systems following a cyberattack. The incident was identified on April 14 after that an unauthorized threat actor gained unauthorized access to parts of its IT environment.

The company launched an investigation into the security breach and started operations to contain the incident.

“Based on our investigation, we have determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.” reads the Form 10-Q (quarterly report of financial performance) filed by the company with the SEC in May. “While we do not believe the incident is reasonably likely to materially impact our financial condition or results of operations, we continue to investigate the incident, have engaged cybersecurity experts, and have notified law enforcement authorities.”

The company did not provide details about the attack and has yet to disclose the number of the impacted people.

RansomHub has published an image of the stolen records as proof of the data breach and threatens to publish the stolen data if the victim will not pay the ransom within nine days.

At the end of May, Auction house Christie disclosed a data breach following a RansomHub cyber attack that occurred in the same month.

The extortion group said they had stolen 2GB of sensitive information, including personal information belonging to at least 500,000 Christie’s clients.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)

Resecurity uncovered a cybercriminal group that is providing a sophisticated phishing kit, named V3B, to target banking customers in the EU.

Resecurity has uncovered a new cybercriminal group providing Phishing-as-a-Service (PhaaS) platform that is equipping fraudsters with sophisticated kit (known as “V3B”) to target banking customers in the EU.

“Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts. Their Telegram channel has over 1,255 members, a significant indicator of the scale and scope of the malicious activity being promoted by the group.” reads the report published Resecurity. “The majority of members on this Telegram channel are skilled cybercriminals who specialize in various forms of fraud. These include:

• Social engineering tactics
• SIM swapping schemes
• Banking and credit card fraud”

The attackers use various social engineering and spoofing tactics to trick victims into revealing their sensitive information, which supports real-time interaction to abuse and bypass MFA (Multi-Factor Authentication).

The kit is designed to intercept sensitive information, including banking credentials, credit card and personal information, and OTP/TAN codes. Besides traditional tokens (such as SMS code), the kit supports QR Codes and PhotoTAN method (widely used in Germany and Switzerland), which may indicate that fraudsters are monitoring the latest MFA/2FA technologies implemented by banks and seeking to exploit possible bypass methods to defraud their customers.

V3B phishing kit supports over 54 financial institutions (based in Austria, Belgium, France, Finland, Greece, Germany, Italy, Netherlands, Norway, Poland, Spain), featuring customized and localized templates to mimic authentication and verification processes of major online banking, e-commerce, cryptocurrency providers and payment systems in the EU.

Technical details about the phishing kit are included in the report published by Resecurity: https://www.resecurity.com/blog/article/cybercriminals-attack-banking-customers-in-eu-with-v3b-phishing-kit

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, V3B)

Researchers published a PoC exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers.

Researchers published a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers. Telerik Report Server is an end-to-end report management solution developed by Progress® Telerik.

Cybersecurity researcher Sina Kheirkha started his research from an advisory published by Progress for a deserialization issue tracked as CVE-2024-4358 (CVSS score: 9.8). The experts noticed that the exploitation required authentication, so shortly after the release of the patch, he managed to find an authentication bypass. With the help of Soroush Dalili (@irsdl), the expert chained the deserialization issue with an auth bypass to achieve full unauthenticated RCE.

The researchers chained the issue with the deserialization flaw CVE-2024-1800 (CVSS score: 8.8) to execute arbitrary code on vulnerable servers.

Here is the Exploit Chain targeting Telerik Report Server CVE-2024-4358/CVE-2024-1800 that allows pre-authenticated Remote Code Execution by chaining a deserialization and an interesting authentication bypass https://t.co/ZkPL8vggcH pic.twitter.com/Og7n4qRoXN

— SinSinology (@SinSinology) June 3, 2024

An unauthenticated attacker can exploit the flaw to gain access Telerik Report Server restricted functionality via an authentication bypass vulnerability.

The researchers demonstrated how to create an admin account by exploiting the bypass flaw CVE-2024-4358.

“The vulnerability is very simple, the endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process.” wrote the expert. “The following method is where the vulnerability occurs Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register”

An unauthenticated attacker can invoke the Register method and use the received parameters to create a user with the “System Administrator” role.

“This method is available unauthenticated and will use the received parameters to create a user first, and then it will assign the “System Administrator” role to the user, this allows a remote unauthenticated attacker to create an administrator user and login :))))))” continues the expert.

The vulnerability impacts Telerik Report Server 2024 Q1 (10.0.24.305) and earlier and Progress addressed it with the release of Telerik Report Server 2024 Q2 10.1.24.514 on May 15.

“Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.” states the vendor.

The experts urge organizations to update their installs as soon as possible due to the availability of PoC exploit code.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, RCE)

Researcher discovered several authorization bypass vulnerabilities in Cox modems that potentially impacted millions of devices.

The security researcher Sam Curry discovered multiple issues in Cox modems that could have been exploited to modify the settings of the vulnerable modem and run malicious commands on them.

Cox is the largest private broadband provider in the United States, the third-largest cable television provider, and the seventh-largest telephone carrier in the country. The company has millions of customers.

“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team.” wrote Curry.

Curry described a potential attack scenario where a threat actor could exploit exposed APIs to target Cox business customers.

The attack involves searching for a specific target using their identifiable information, such as name, phone number, email address, or account number. Upon finding a match, the attacker uses the returned UUID to query the API for the target’s full PII, including device MAC addresses, email, phone number, and physical address. With the hardware MAC address, the attacker can retrieve the WiFi password and a list of connected devices, allowing them to execute arbitrary commands, update device properties, and ultimately take over the victim’s account. This compromises the security of the target’s network and endangers their personal and business data.

The researchers reported the flaws on March 4, 2024, via the company’s responsible disclosure program. Cox addressed the vulnerabilities within 24 hours.

The company also investigated if the vulnerabilities had ever been exploited in attacks in the wild, however, they found no evidence of previous abuses.

“They had also informed me that they had no affiliation with the DigitalOcean IP address, meaning that the device had definitely been hacked, just not using the method disclosed in this blog post.” added Curry.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Cox modems)

CISA adds Oracle WebLogic Server OS command injection vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Oracle WebLogic Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2017-3506 (CVSS score 7.4), is an OS command injection.

The vulnerability resides in the Oracle WebLogic Server component of Oracle Fusion Middleware. The flaw impacts versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. An unauthenticated attacker with network access can exploit the flaw via HTTP to compromise Oracle WebLogic Server.

Successful exploitation of this vulnerability can lead to unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all data accessible by the Oracle WebLogic Server.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 24, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)

Spanish police dismantled a pirated TV streaming network that allowed its operators to earn over 5,300,000 euros since 2015.

The Spanish National Police dismantled a network that illicitly distributed audiovisual content, earning over 5,300,000 euros since 2015. The police arrested eight individuals in Las Palmas de Gran Canaria, Madrid, Oviedo, and Málaga, and searched two homes. The police also blocked 16 IPTV content distribution websites. According to the announcement, the investigation began in November 2022, following a complaint by the Alliance for Creativity and Entertainment against those responsible for two websites allegedly marketing videographic content that violated intellectual property rights.

The international criminal organization was using advanced technology to capture and decrypt satellite signals to distribute over 130 international TV channels and thousands of movies and series illegally. The illicitly distributed the content to over 14,000 subscribers. The authorities arrested the key members of the organization and seized two computers, a vehicle, and 80,000 euros in bank accounts. The police identified servers used by the gang and blocked 16 web pages, redirecting users to a National Police website informing them of the law enforcement operation.

“This international criminal organization used the latest technology and the most advanced technical devices to capture signals emitted via satellite in many countries. They subsequently amplified them and decrypted the multimedia content they transported, content that they then distributed publicly and illegally.” reads the press release published by the Spanish Police. “In total, more than 130 international television channels and thousands of movies and series that they made available to citizens around the world, a service for which they charged each of their more than 14,000 subscribers between 10 and 19 euros per month, or between 90 and 169 euros per year – depending on the type of subscription -, with the consequent damage to the rights of the authors, producers and distributors of these artistic works.”

The Alliance for Creativity and Entertainment (ACE), the world’s leading anti-piracy coalition, applauded the Spanish National Police for the operation against the large-scale illegal IPTV service TVMucho (also known as Teeveeing). This is the first criminal action in Spain against an operation of this size and scope.

TVMucho/Teeveeing had more than 4 million visits in 2023 and offered more than 125 channels, including major networks like BBC, ITV, Sky, and RTL.

“We commend the Spanish National Police for protecting the intellectual property rights of dozens of ACE members through this successful raid,” said Karyn Temple, Senior Executive Vice President and Global General Counsel for the Motion Picture Association (MPA). “The operation reinforces ACE’s commitment to partnering with regional authorities in identifying and confronting digital copyright infringement. We look forward to continuing our joint mission to protect the creative economy in Spain and beyond.”

Let me remind you that also subscribers to illegal streaming services could be investigated and fined by law enforcement.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Spanish police)

Russia-linked APT28 used the HeadLace malware and credential-harvesting web pages in attacks against networks across Europe.

Researchers at Insikt Group observed Russian GRU’s unit APT28 targeting networks across Europe with information-stealer Headlace and credential-harvesting web pages. The experts observed the APT deploying Headlace in three distinct phases from April to December 2023, respectively, using phishing, compromised internet services, and living off the land binaries. The credential harvesting pages were designed to target Ukraine’s Ministry of Defence, European transportation infrastructures, and an Azerbaijani think tank. The credential harvesting pages created by the group can defeat two-factor authentication and CAPTCHA challenges by relaying requests between legitimate services and compromised Ubiquiti routers.

In some attackers, threat actors created specially-crafted web pages on Mocky that interact with a Python script running on compromised Ubiquiti routers to exfiltrate the provided credentials.

The compromise of networks associated with Ukraine’s Ministry of Defence and European railway systems could allow attackers to gather intelligence to influence battlefield tactics and broader military strategies. Additionally, their interest in the Azerbaijan Center for Economic and Social Development indicates a potential agenda to understand and possibly influence regional policies.

Insikt Group speculates the operation is aimed at influencing regional and military dynamics.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The attack chain used in the attacks detailed by Insikt Group has seven distinct infrastructure stages to filter out sandboxes, incompatible operating systems, and non-targeted countries. Victims who failed these checks downloaded a benign file and were redirected to Microsoft’s web portal, msn.com. Those who passed the checks downloaded a malicious Windows BAT script, which connected to a free API service to execute successive shell commands.

In December 2023, researchers from Proofpoint and IBM detailed a new wave of APT spear-phishing attacks relying on multiple lure content to deliver Headlace malware. The campaigns targeted at least thirteen separate nations.

“Upon analyzing Headlace geofencing scripts and countries targeted by credential harvesting campaigns from 2022 onwards, Insikt Group identified that thirteen separate countries were targeted by BlueDelta. As expected, Ukraine topped the list, accounting for 40% of the activity.” reads the report published by the Insikt Group. “Türkiye might seem like an unexpected target with 10%, but it’s important to note that it was singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting.”

Researchers call on organizations within government, military, defense, and related sectors, to bolster cybersecurity measures: prioritizing the detection of sophisticated phishing attempts, restricting access to non-essential internet services, and enhancing surveillance of critical network infrastructure. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russia)

Personal information of hundreds of British and EU politicians is available on dark web marketplaces.

According to research conducted by Proton and Constella Intelligence, the email addresses and other sensitive information of 918 British MPs, European Parliament members, and French deputies and senators are available in the dark web marketplaces. 40% of 2,280 official government email addresses from the British, European, and French Parliaments were exposed, including passwords, birth dates, and other details.

Most leaked data email addresses belong to British MPs (68%), followed by EU MEPs (44%).

The researchers pointed out that French deputies and senators had the best security, with only 18% of searched emails in cybercrime forums and dark marketplaces.

Many of these MPs, MEPs, deputies, and senators hold senior positions, including heads of committees, government ministers, and senior opposition leaders. These politicians have access to highly sensitive information, and particularly alarming is that several of them are currently, or have previously been, members of committees tasked with overseeing and enforcing national and international digital strategies.

The presence of the emails on dark web shows that politicians used their official emails to create an account on third-party web services that suffered a data breach.

“The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself. Nor is it evidence of a hack of the British, European, or French parliaments.” reads the report. “Instead, it shows that politicians used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.” 

Even more concerning is that researchers were able to match these email addresses with 697 plain text passwords. The experts notified impacted politician, they pointed out that if a politician reused one of these exposed passwords for their official email account, it could also be at risk.

It’s a miracle if British MPs were not involved in major scandals due to account takeovers, because 68% of searched email addresses were found on the dark web, including senior figures from both the government and the opposition. MPs’ email addresses were exposed a total of 2,110 times on the dark web, the researchers noticed that the most frequently targeted MP experiencing up to 30 breaches. On average, breached MPs had their details show up in 4.7 breaches.

The member of the European Parliament experienced fewer breaches compared to their British counterparts, but nearly half of the emails searched were found on the dark web. Out of 309 MEPs exposed, 92 were involved in 10 or more leaks. EU politicians had their email addresses exposed 2,311 times, along with 161 plaintext passwords. This raises concerns, as the European Parliament has increasingly become a target of state-sponsored attacks and acknowledges its lack of preparedness.

Impacted politicians have used their official email addressed to create accounts several sites, including LinkedIn, Adobe, Dropbox, Dailymotion, petition websites, news services, and even, in a small number of cases, dating websites.

“Even if a hostile takeover of one of these accounts won’t grant an attacker (or foreign government) access to state secrets, it could reveal that politician’s private communications or other sensitive data. Attackers could then use this information to phish or blackmail the politicians.” concludes the report.

“And this is the best possible scenario. If a breached politician reused a password that was exposed on the dark web on one of their official accounts (and failed to use two-factor authentication), it could let attackers into government systems. “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, dark web)

Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX.

Cloudflare researchers discovered phishing campaign conducted by a Russia-linked threat actor FlyingYeti (aka UAC-0149) targeting Ukraine. The experts published a report to describe real-time effort to disrupt and delay this threat activity. 

At the beginning of Russia’s invasion of Ukraine on February 24, 2022, Ukraine implemented a moratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January 2024, leading to significant debt liability and increased financial stress for Ukrainian citizens. The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Upon opening the files, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system.

The threat actors exploited the WinRAR vulnerability CVE-2023-38831 to infect targets with malware.

Cloudflare states that FlyingYeti’s tactics, techniques, and procedures (TTPs) are similar to the ones detailed by Ukraine CERT while analyzing UAC-0149 cluster.

UAC-0149 targeted Ukrainian defense entities with COOKBOX malware since at least the fall of 2023.

“The threat actor uses dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for hosting malicious content and for malware command and control (C2).” reads the report published by Cloudflare. “Our investigation of FlyingYeti TTPs suggests this is likely a Russia-aligned threat group. The actor appears to primarily focus on targeting Ukrainian military entities.”

Threat actors targeted users with a spoofed version of the Kyiv Komunalka communal housing site (https://www.komunalka.ua), hosted on an actor-controlled GitHub page (hxxps[:]//komunalka[.]github[.]io). Komunalka is a payment processor for utilities and other services in the Kyiv region.

FlyingYeti likely directed targets to this page via phishing emails or encrypted Signal messages. On the spoofed site, a large green button prompted users to download a document named “Рахунок.docx” (“Invoice.docx”), which instead downloaded a malicious archive titled “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

Once the RAR file is opened, the CVE-2023-38831 exploit triggers the execution of the COOKBOX malware.

The RAR archive contains multiple files, including one with the Unicode character “U+201F,” which appears as whitespace on Windows systems. This character can hide file extensions by adding excessive whitespace, making a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”) look like a PDF document. The archive also includes a benign PDF with the same name minus the Unicode character. Upon opening the archive, the directory name also matches the benign PDF name. This naming overlap exploits the WinRAR vulnerability CVE-2023-38831, causing the malicious CMD to execute when the target attempts to open the benign PDF.

“The CMD file contains the Flying Yeti PowerShell malware known as COOKBOX. The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run.” continues the report. “Alongside COOKBOX, several decoy documents are opened, which contain hidden tracking links using the Canary Tokens service.”

The report also provide recommendations and Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FlyingYeti)

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Ticketmaster confirms data breach impacting 560 million customers

Critical Apache Log4j2 flaw still threatens global finance

Crooks stole more than $300M worth of Bitcoin from the exchange DMM Bitcoin

ShinyHunters is selling data of 30 million Santander customers

Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours

LilacSquid APT targeted organizations in the U.S., Europe, and Asia since at least 2021

BBC disclosed a data breach impacting its Pension Scheme members

CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog

Experts found a macOS version of the sophisticated LightSpy spyware

Operation Endgame, the largest law enforcement operation ever against botnets

Law enforcement operation dismantled 911 S5 botnet

Okta warns of credential stuffing attacks targeting its Cross-Origin Authentication feature Check Point released hotfix for actively exploited VPN zero-day

BreachForums resurrected after FBI seizure

ABN Amro discloses data breach following an attack on a third-party provider

Christie disclosed a data breach after a RansomHub attack

Experts released PoC exploit code for RCE in Fortinet SIEM

WordPress Plugin abused to install e-skimmers in e-commerce sites

TP-Link Archer C5400X gaming router is affected by a critical flaw

Sav-Rx data breach impacted over 2.8 million individuals

The Impact of Remote Work and Cloud Migrations on Security Perimeters

New ATM Malware family emerged in the threat landscape

A high-severity vulnerability affects Cisco Firepower Management Center

CERT-UA warns of malware campaign conducted by threat actor UAC-0006

Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack

International Press – Newsletter

Cybercrime  

Into the Lion’s Den Inside the Growing Risk of Gift Card Fraud  

Phishing with Cloudflare Workers: Transparent Phishing and HTML Smuggling  

Christie’s Confirms Data Breach After Ransomware Group Claims Attack  

Breach Forums Return to Clearnet and Dark Web Despite FBI Seizure

Treasury Sanctions a Cybercrime Network Associated with the 911 S5 Botnet  

911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation  

Largest ever operation against botnets hits dropper malware ecosystem   

Hackers steal $305M from DMM Bitcoin crypto exchange 

Ticketmaster confirms data hack which could affect 560m globally

How a Nigerian influencer, North Korean hacker and Canadian scammer committed fraud worldwide        

Malware

New ATM Malware Threatens European Banking Security   

Server Side Credit Card Skimmer Lodged in Obscure Plugin   

LightSpy: Implant for macOS  

The Pumpkin Eclipse  

Hacking 

Remote Command Execution on TP-Link Archer C5400X 

CVE-2024-23108: Fortinet FortiSIEM 2nd Order Command Injection Deep-Dive   

Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919)

Detecting Cross-Origin Authentication Credential Stuffing Attacks     

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Intelligence and Information Warfare 

NATO holds first meeting of Critical Undersea Infrastructure Network  

CERT-UA warns: Ukrainian finances targeted with SmokeLoader malware  

How the DOJ is using a Civil War-era law to enforce corporate cybersecurity  

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader  

GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns  

OpenAI models used in nation-state influence campaigns, company says  

Cybersecurity  

Stop Using “SLA” When Discussing Vulnerabilities  

How to Identify and Remove VPN Applications That Contain 911 S5 Back Doors  

Multiple botnets dismantled in largest international ransomware operation ever  

HUGE Google Search document leak reveals inner workings of ranking algorithm       

NIST Getting Outside Help for National Vulnerability Database

Cybersecurity Education Maturity Assessment  

‘It’s putting patients’ lives in danger’: Nurses say ransomware attack is stressing hospital operations   

Could the Next War Begin in Cyberspace?   

OpenAI’s Altman Sidesteps Questions About Governance, Johansson at UN AI Summit

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Ticketmaster owner Live Nation confirmed the Ticketmaster data breach that compromised the data of 560 million customers.

ShinyHunters, the current administrator of BreachForums, recently claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, and order details.

This week Ticketmaster owner Live Nation confirmed the data breach that compromised the data of 560 million customers.

On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.

Threat actors had access to a third-party cloud database environment containing company data. The company discovered the intrusion on May 20, 2024, and immediately launched an investigation with industry-leading forensic investigators.

The stolen data were offered for sale on the dark web a week later.

“On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.” reads the form 8-K filing to the US Securities and Exchange Commission.

“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”

Live Nation notified regulatory authorities and impacted users.

Bleeping Computer reported that ShinyHunters told Hudson Rock Co-Founder Alon Gal that he breached both Santander and Ticketmaster. The threat actor revealed that the data was stolen from cloud storage company Snowflake by using credentials obtained through information-stealing malware to access a Snowflake employee’s ServiceNow account. The threat actors used to credential to exfiltrate data, including auth tokens for accessing customer accounts. The threat actor also claimed to have used this method to steal data from other companies.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShinyHunters)

The vulnerability CVE-2021-44832 is Apache Log4j2 library is still a serious problem for multiple industries, expert warns it threatens global Finance.

The independent cyber threat intelligence analyst Anis Haboubi warns of a severe logging configuration flaw that could dramatically impact the financial industry.

Critical Vulnerability Threatens Global Finance
A severe logging configuration flaw could collapse finance. Sisense, ISO-certified and trusted by top financial groups, is at the center of this crisis. pic.twitter.com/Tbg2V4cQBZ

— Anis Haboubi |₿| (@HaboubiAnis) May 31, 2024

The vulnerability is CVE-2021-44832 and impacts Apache Log4j2, a remote attacker can exploit this vulnerability to execute malicious code on affected systems. The flaw received a CVSS score of 6.6 and impacts all log4j versions from 2.0-alpha7 to 2.17.0. Versions 2.3.2 and 2.12.4. are not impacted.

“Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.” reads the advisory.

The vulnerability was discovered by Checkmarx security researcher Yaniv Nizry who reported it to Apache on December 27, 2020. The Apache Software Foundation released Log4j 2.17.1 version to address the flaw a couple of days later.

The recent breaches at Sisense and Snowflake, both ISO/IEC 27001 certified companies, highlight a critical vulnerability that still threatens the entire finance industry. Despite adhering to stringent security standards, the flaws in their infrastructure have exposed sensitive financial data to unauthorized access, potentially leading to catastrophic consequences, Haboubi told SecurityAffairs.

Why does this old flaw still threaten the Finance industry?

The critical flaw in logging configurations allows attackers with write access to exploit a JDBC Appender with a JNDI URI, enabling remote code execution. This can lead to complete system compromise, allowing attackers to execute malicious code remotely and gain unauthorized access to sensitive financial data. Sisense and Snowflake are trusted by top international financial groups.

“These companies rely on their services for critical operations, including data analytics and cloud storage. A breach in these systems can disrupt financial activities on a global scale, causing significant financial and reputational damage.” said Haboubi.

“The breaches have resulted in the exfiltration of several terabytes of customer data, including access tokens, email account passwords, and SSL certificates. This data can be exploited by attackers to gain further access to financial systems and conduct fraudulent activities. Interconnected Financial Systems: The financial industry is highly interconnected. A vulnerability in one system can lead to a domino effect, compromising other systems and services. The potential for widespread disruption makes this flaw particularly dangerous.”

The breaches have raised questions about whether Sisense and Snowflake were doing enough to protect sensitive data. The stolen data, which was apparently not encrypted while at rest, underscores the need for more robust security measures.

In conclusion, the flaws in the infrastructure of Sisense and Snowflake, combined with their extensive use in the finance sector, pose a significant threat. Immediate action is required to mitigate these vulnerabilities and protect the integrity of financial operations globally. Enhanced security measures, such as the integration of PEM key-based authentication, are crucial to prevent future breaches and ensure the safety of sensitive financial data.

4/4
It's crucial to update your logging configurations and implement robust SSH security measures immediately. Ensure all access points are secure to protect against potential exploits. Stay vigilant and secure! pic.twitter.com/yn6QLUL4zW

— Anis Haboubi |₿| (@HaboubiAnis) May 31, 2024

“It’s quite impressive. I believe the attackers breached the systems several months, or perhaps even years, ago. They likely waited for the right moment to exfiltrate the data, and Sisense only recently discovered the breach. One of the biggest issues for me is that Sisense allowed “Connecting to a Private Network with an SSH Tunnel” without a PEM key. This is what they discreetly fixed in the commit I shared with you. The attackers clearly exploited the Log4j vulnerability from the outset to gain privileged access to critical infrastructures. They then hid for months to see if they could maintain persistence” concludes the expert. “even today 30% of log4J installations are vulnerable to log4hell”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Log4j2)

Crooks stole approximately 48.2 billion yen ($304 million) worth of Bitcoin from the Japanese cryptocurrency exchange DMM Bitcoin.

The Japanese cryptocurrency exchange DMM Bitcoin announced that crooks stole 4,502.9 Bitcoin (BTC), approximately $304 million (48.2 billion yen), from the its wallets.

“At approximately 1:26 p.m. on Friday, May 31, 2024, we detected an unauthorized leak of Bitcoin (BTC) from our wallet. We are still investigating the details of the damage, but the following is what we know at this stage. We have already taken measures to prevent the unauthorized leak, but we have also implemented restrictions on the use of some services to ensure additional safety.

We deeply apologize for any inconvenience caused to our customers.” reads a message published by the exchange on its website. The page is currently unavailable.

The company assured that the customers’ Bitcoin (BTC) deposits will be fully guaranteed.

In response to the heist, DMM Bitcoin limited the following services:

・ Screening of new account openings
・ Processing of cryptocurrency withdrawals
・ Suspension of buying orders for spot trading (only selling orders accepted)
・ Suspension of new open positions for leveraged trading (only settlement orders accepted)

The company added that limit orders for spot trading and leveraged trading that have already been placed will not be canceled and that withdrawals of Japanese Yen may take longer than usual.

DMM Bitcoin has yet to provide details about the attack.

Cryptocurrency security firm Elliptic reported that this incident would be the eighth-largest crypto heist of all time, and the largest since the $477 million hack suffered by FTX, in November 2022. Elliptic also confirmed it has identified the wallets involved in the attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bitcoin)