

T-Mobile data breach: CPNI (Customer Proprietary Network Information) exposed
31.12.2020
Incident  Securityaffairs

T-Mobile has disclosed a data breach that exposed customers’ network information (CPNI), including phone numbers and calls records.
T-Mobile has disclosed a data breach exposing customers’ account information. The T-Mobile security staff discovered “malicious, unauthorized access” to their systems.

“We are reaching out to let you know about a security incident we recently identified and quickly shut down that may have impacted some of your T-Mobile account information.” reads the statement published by the company.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved.”

T-Mobile said that threat actors did not access names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords, or PINs.

The company reported the incident to the authorities and is investigating it with the help of a cybersecurity firm. T-Mobile discovered that the attackers had access to CPNI (Customer Proprietary Network Information).

Customer proprietary network information (CPNI) is the data collected by telecommunications companies about a consumer’s telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer’s telephone bill.

“Customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC) rules was accessed. The CPNI accessed may have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service,” continues the statement.

The telecommunication giant is in the process of notifying impacted customers.

This isn’t the first time the company has suffered a security breach; below is a list of incidents disclosed by the company:

In August 2018, T-Mobile suffered a security breach that exposed personal information of up to 2 million customers.
In November 2019, the US branch of the telecommunications giant disclosed a security breach that impacted a small number of customers of its prepaid service.
In March 2020, T-Mobile was the victim of a sophisticated cyber attack that targeted its email vendor; the incident exposed customer and financial data.


Japanese Aerospace Firm Kawasaki Warns of Data Breach

30.12.2020  Incident  Threatpost
The Japanese aerospace manufacturer said that starting in June, overseas unauthorized access to its servers may have compromised customer data.

Japanese aerospace company Kawasaki Heavy Industries on Monday warned of a security incident that may have led to unauthorized access of customer data.

According to the company’s data breach notification, it first discovered unauthorized parties accessing a server in Japan, from an overseas office in Thailand, on June 11, 2020. After terminating that access, the company throughout the following days in June discovered several other incidents of unauthorized access. Kawasaki said these stemmed from other overseas sites in Indonesia, the Philippines, and the United States.

Of note, while Kawasaki said that “some information from overseas offices may have been leaked to external parties,” the company has not yet found evidence of leaking information to the external network. However, the company said it is currently contacting customers who may have been affected by the unauthorized access.


“Because Kawasaki handles important sensitive information such as personal information and social infrastructure-related information, information security measures have been a top priority for the company,” said the company’s data breach notice, posted on its website [PDF]. “However, the unauthorized access in question had been carried out with advanced technology that did not leave a trace.”

The multinational corporation primarily manufactures motorcycles, engines, heavy equipment, aerospace and defense equipment, rolling stock and ships. This includes production involvement for various aerospace equipment such as the Boeing 787 Dreamliner, P-1 Maritime Patrol Aircraft and the International Space Station Kibo, for instance. The company has also developed various manufacturing processes, used by various industrial plants for crushing raw materials (like limestone and clay) and burning and manufacturing cement.

Kawasaki has at least 34,000 employees across Japan, Asia, the Americas and Europe, as well as various subsidiaries, including Kawasaki Heavy Industries Motorcycle.

Further details of the specific data that’s potentially at risk, and further information of the unauthorized accesses themselves, were not disclosed. Threatpost has reached out to Kawasaki for further comment.

While the incident was first discovered in June, “due to the fact that the scope of unauthorized access spanned multiple domestic and overseas offices, it took a considerable amount of time until the company can formally announce the incident,” according to the company.

Following an unauthorized access from an overseas office in the United States, on July 8, Kawasaki added “additional restriction” to all overseas network connections. It then conducted a “security soundness” inspection of 26,000 terminals for its Japan and Thailand network connections. In October, the company confirmed via network monitoring that no further unauthorized access to the Japan office occurred after August.

“We have therefore enhanced monitoring operations to accesses from overseas offices and tightened access restrictions to block unauthorized accesses,” according to the company. “Since then, we have continued to strengthen company-wide security measures.”

In a separate security incident, Kawasaki warned that it has received reports of people receiving fraudulent emails. The messages pretended to be from recruiters from Kawasaki Heavy Industries Group in the United States.

“Should you unexpectedly receive any such emails, please thoroughly confirm the sender’s identity before deciding to respond,” said the company on its website. “There is risk of your personal information being obtained and misused if you reply to these emails or open any attached files. These emails may also be infected with computer viruses, therefore we ask you to be especially cautious.”


Japanese Kawasaki Heavy Industries discloses security breach
30.12.2020
Incident  Securityaffairs

Japanese giant Kawasaki Heavy Industries discovered unauthorized access to a Japanese company server from multiple overseas offices.
Kawasaki Heavy Industries disclosed a security breach: the company discovered unauthorized access to a Japanese company server from multiple overseas offices. Information from its overseas offices might have been stolen as a result of the breach, which took place earlier this year.

Kawasaki Heavy Industries Ltd. is a Japanese public multinational corporation primarily known as a manufacturer of motorcycles, engines, heavy equipment, aerospace and defense equipment, rolling stock and ships. It is also active in the production of industrial robots, gas turbines, boilers, and other industrial products.

Japan’s Kawasaki Heavy Industries announced a security breach and potential data leak after unauthorized access to a Japanese company server from multiple overseas offices.

“On June 11, 2020, an internal system audit revealed a connection to a server in Japan from an overseas office (Thailand) that should not have occurred. Within the same day, communication between the overseas office and our Japan office was fully terminated considering as a case of unauthorized access.” reads the statement published by the company. “However, other unauthorized accesses to servers in Japan from other overseas sites (Indonesia, the Philippines, and the United States) were subsequently discovered.”

Kawasaki discovered the incident during an internal audit, its IT staff noticed “a connection to a server in Japan from an overseas office (Thailand) that should not have occurred.”

“Kawasaki Heavy Industries, Ltd. announced that it was subject to unauthorized access from outside the company. As a result of a thorough investigation, the company has discovered that some information from overseas offices may have been leaked to external parties,” continues the statement.

“At this time, the company has found no evidence of leaking information to the external network.”

The Japanese firm announced that it has enhanced monitoring of access from overseas offices, and it also restricted access to its Japanese servers from abroad.

Kawasaki Heavy Industries conducted a security audit of approximately 26,000 terminals in its Japan and Thailand networks, and in early October the company announced the inspection of approximately 3,000 terminals in overseas office networks (excluding Thailand) that were potentially impacted by the security incident.

On November 30, the company restored the network communication that had been terminated between overseas offices and the Japan headquarters.

Kawasaki confirms that no unauthorized connections were made to the Japanese servers after August; it also pointed out that the attack was sophisticated and used advanced technology to avoid detection.

“the unauthorized access in question had been carried out with advanced technology that did not leave a trace.”

“To this end, since the confirmation of unauthorized access, Kawasaki special project team engaged with an independent external security specialist firm has been investigating and implementing countermeasures. Their investigation confirmed a possibility that information of unknown content may have been leaked to a third party. However, at the present time, we have found no evidence of leaking information including personal information to external parties.”

Other prominent Japanese companies were hit by cyber attacks this year, including defense contractors Pasco and Kobe Steel and Mitsubishi Electric.


Kawasaki Says Data Possibly Stolen in Security Breach
30.12.2020
Incident  Securityweek

Kawasaki Heavy Industries on Monday revealed that information from its overseas offices might have been stolen following a security breach that occurred earlier this year.

Based in Japan, Kawasaki Heavy Industries is a multinational corporation best known for the manufacturing of motorcycles, heavy equipment, engines, ships, rolling stock, and aerospace and defense equipment.

On June 11, 2020, the company discovered that unknown actors breached its network. It immediately launched an investigation into the matter but, because the unauthorized access spanned multiple offices, it had no information to share publicly until now.

The thorough investigation, Kawasaki says, revealed that “some information from overseas offices may have been leaked to external parties.”

Kawasaki explained that the incident was discovered during an internal audit, which revealed “a connection to a server in Japan from an overseas office (Thailand) that should not have occurred.”

The company terminated communications between the affected office and its Japan headquarters and started an investigation that revealed additional unauthorized access to its servers in Japan, originating from overseas sites located in Indonesia, the Philippines, and the United States.

“We have enhanced monitoring operations to accesses from overseas offices and tightened access restrictions to block unauthorized accesses. Since then, we have continued to strengthen company-wide security measures,” the company announced.

During its investigation, the company conducted a security assessment of roughly 29,000 terminals in Japan and in overseas office networks where incidents possibly occurred.

Kawasaki also says that no further unauthorized access to its network has been observed since August, and that communications between the affected overseas offices and the Japan office have been restored at the end of November.

“Because Kawasaki handles important sensitive information such as personal information and social infrastructure-related information, information security measures have been a top priority for the company. However, the unauthorized access in question had been carried out with advanced technology that did not leave a trace,” the company reveals.

Although the investigation revealed that data might have been leaked, the company could not determine what information may have been compromised. However, it says no personal information was impacted. Regardless, the company is contacting potentially affected customers.

On November 1, 2020, Kawasaki established a Cyber Security Group, which the company says will continue to tighten monitoring and access controls between offices, and will also strengthen security measures, to ensure no similar incidents occur.


Threat actor is selling a dump allegedly including 2.5M customers of service provider Ho Mobile
29.12.2020
Incident  Securityaffairs

Threat intelligence analyst discovered a threat actor that is selling a database of the Italian mobile service provider Ho mobile.
Threat intelligence analyst @Bank_Security first spotted, on a popular hacking forum, a threat actor that is selling a database allegedly containing the customer data of the Italian mobile service provider Ho mobile.


Ho mobile is an Italian mobile telephone service offered by Vodafone Enabler Italia, an Italian virtual mobile telephone operator.

Threat intelligence analyst Bank_Security specializes in cybercrime and fraud. He discovered the ad during his ordinary monitoring activity and decided to warn users because SIM swapping is a hot topic in Italian underground communities.

The dump allegedly includes 2,500,000 customers’ records and other data that can be exploited by hackers for SIM swapping attacks.

He told me that he wants to avoid possible bank fraud via SIM swap, phishing, or vishing attempts.
At the time of writing, the threat actor has shared a sample of 10 Ho Mobile customers. The entire database is available for sale, but the threat actor has not set a price and expects an offer from a potential buyer.

Below the list of fields for the records in the exposed sample:

birthDate: xxxx-xx-xx
email: xxxx@xxxx.xxx
emailVerified:
address: xxx xxxxxxx
addressId: xxxxx
addressType: x
city: xxxxxx
country: Italia
deleteFlag:
province: xx
streetNum: x
zipCode: xxxxx
address:
addressId: xxxxx
addressType: x
city: Genova
country: Italia
deleteFlag:
province: GE
streetNum:
zipCode:
address: xxx xxxxxx
addressId: xxxxx
addressType: x
city: xxxxxx
country: Italia
deleteFlag:
province: xx
streetNum: x
zipCode: xxxxx
endUserCommercialAssent:
endUserContractNumber:
endUserGpsAssent:
endUserHabitsAssent:
fiscalCode: xxxxxxxxxxxxxxxx
gender: M
hasPaid:
name: xxxxxxx
nationality: Italia
surname: xxxxxx
age: xx
customerId: xxxxx
customerIdHash: xxxxxxxxxxxxxxxxxxxxxxxxxx
customerStatus: ACTIVE
hasAccount: x
isMissingData:
piva:
phoneNumber: xxxxxxxxxx
phoneNumberContractNumber:
masterDealerId:
masterDealerName:
pdvAddress:
pdvCity:
pdvId:
pdvName:
pdvPiva:
pdvProvince:
pdvStreetNumber:
pdvZipCode:
phoneNumberCommercialAssent: x
phoneNumberGpsAssent: x
phoneNumberHabitsAssent: x
phoneNumberHash: xxxxxxxxxxxxxxxxxxxxxxxxxx
phoneNumberReasonId: x
phoneNumberStatus: ACTIVE
phoneNumberThirdPartiesAssent:
roleEndUser: B
simActivationDate: xxxx-xx-xx
simCapacity: 128K
simExpirationDate: xxxx-xx-xxT00:00:00.000+02:00
simHlr: xxxxxxx
simIccid: xxxxxxxxxxxxxxxxxxx
simImsi: xxxxxxxxxxxxxxx
simPuk: xxxxxxxx
simReasonId:
simStatus: Attivo

In the forum thread, the actor said he already dumped the customers’ data and claims that “only the phone number and ICCID are needed to sim swap, so it will work unless operator send new SIM cards to all 2.5 million customers.”

At the time of this writing it was not possible to verify the authenticity of the data; we have to wait for an official statement from Ho Mobile.

“Privacy is a very hot topic nowadays. Unfortunately there are data breaches every day but when this data can be used to commit banking fraud via sim swapping, phishing or vishing to steal money from victims, this becomes an even bigger problem.” Bank Security told me. “Companies must invest more in cyber security because unfortunately it is only a matter of time before their data is sold, as in this case, on the various forums by cyber criminals.”

Stay Tuned ….


Finland confirms that hackers breached MPs’ email accounts
29.12.2020
Incident  Securityaffairs

The Parliament of Finland confirmed that threat actors had access to email accounts of multiple members of parliament (MPs).
“Parliament of Finland has been subjected to a cyberattack in the fall of 2020. The attack was discovered by parliament technical surveillance. Some parliament e-mail accounts may have been compromised as a result of the attack, among them e-mail accounts that belong to MPs.” Parliament officials said.

“The cyberattack is being investigated by the National Bureau of Investigation. The investigation is supported by Parliament of Finland.”

The attack took place in the fall of 2020, in the same period in which Russia-linked hackers accessed the emails and data of a small number of Norwegian parliamentary representatives and employees.

Foreign hackers broke into the internal IT system and accessed email accounts for some MPs.

The Finnish Central Criminal Police (KRP) is investigating the security breach with the support of the Parliament.
According to KRP Commissioner Tero Muurman, the attack is likely part of a cyberespionage campaign carried out by nation-state actors, but it did not cause any damage to the Parliament’s infrastructure.

“At this stage, one alternative is that unknown factors have been able to obtain information through the hacking, either for the benefit of a foreign state or to harm Finland,” Muurman said.

“The theft has affected more than one person, but unfortunately, we cannot tell the exact number without jeopardizing the ongoing preliminary investigation. This case is exceptional in Finland, serious due to the quality of the target and unfortunate for the victims.”

The KRP revealed it is investigating the incident with the support of international law enforcement and intelligence bodies.

“The breach has affected more than one person, but unfortunately we cannot provide the exact number without endangering the ongoing preliminary investigation,” Muurman said, adding that the nature of this investigation is unusual for Finnish authorities.

“This case is exceptional in Finland, with serious and unfortunate consequences for the victims.”

Parliament Speaker Anu Vehviläinen said that this incident is a serious attack on Finnish society and democracy.

“We cannot accept any kind of hostile cyber activity, whether carried out by a governmental or non-governmental body,” Vehviläinen said.

“In order to strengthen cyber security, we need our own national measures as well as active action at the EU level and in other international cooperation,” she added.

In October, the Norwegian police secret service (PST) blamed Russia-linked cyberespionage group APT28 for the cyber attack that targeted the email system of the country’s parliament in August.


E-commerce app 21 Buttons exposes millions of users’ data
29.12.2020
Incident  Securityaffairs

Researchers discovered that the popular e-commerce app 21 Buttons was exposing private data of hundreds of influencers across Europe.
Researchers from cybersecurity firm vpnMentor discovered that the e-commerce app 21 Buttons was exposing private data of hundreds of influencers across Europe.

21 Buttons allows users to share photos of their outfits with links to the brands they’re wearing; their followers can then purchase their favorite clothes directly from the relevant brands using the app.

Various platforms have carved out a niche for themselves on the internet. 21 Buttons, with over 5 million downloads on Android, is one such social network, primarily geared towards the fashion industry.

Fashion influencers can earn a commission for any purchases made via their profiles.

On 2 November 2020, vpnMentor experts discovered that the 21 Buttons app was using a misconfigured AWS bucket that exposed the data of hundreds of influencers.

“The company was storing over 50 million pieces of data from the app on a misconfigured AWS cloud storage bucket. Buried amongst all this data, we discovered invoices for commissions paid by 21 Buttons to 100s of influencers all around Europe, based on the value of sales made through their profiles.” reads the report published by vpnMentor.

“The invoices exposed a massive amount of information about how much individual influencers earn on 21 Buttons, along with incredibly sensitive personal information.”

The misconfigured AWS bucket contained over 50 million files at the time of the discovery, including sensitive information such as full names, addresses, financial information (i.e. bank account numbers, PayPal email addresses), photos, and videos.
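The exposure above comes from a storage bucket whose access settings let anyone read it. As an added example (not vpnMentor’s or 21 Buttons’ code), the following Python audits a bucket’s policy, ACL and Block Public Access configuration for exactly that kind of public grant, showing the weak configuration beside the corrected one; the bucket name and every configuration value are constructed, and in a live check the three inputs would come from the boto3 calls named in the comment.

```python
"""Offline audit of S3 access settings for public exposure (added example)."""
import json

# Canned ACL group URIs that make a bucket readable by anyone (or any AWS account).
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four switches of S3 Block Public Access (PublicAccessBlockConfiguration).
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_sids(policy_json):
    """Sids of unconditional Allow statements that grant to everyone."""
    if not policy_json:
        return []  # no bucket policy attached
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and "Condition" not in s  # conditional grants need manual review, not auto-flagging
        and _principal_is_public(s.get("Principal"))
    ]


def public_acl_grants(acl):
    """(group, permission) pairs in the bucket ACL that go to the public groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def audit_bucket(name, policy_json, acl, public_access_block):
    """Return a list of findings; an empty list means no public exposure was detected.

    Assumption: in a live check the three inputs are the results of boto3's
    get_bucket_policy (the 'Policy' string), get_bucket_acl and
    get_public_access_block ('PublicAccessBlockConfiguration').
    """
    if all(public_access_block.get(k) for k in BLOCK_KEYS):
        return []  # Block Public Access overrides any public ACL or policy
    findings = []
    for sid in public_policy_sids(policy_json):
        findings.append(f"{name}: bucket policy statement {sid!r} grants access to everyone")
    for group, perm in public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {perm} to {group}")
    missing = [k for k in BLOCK_KEYS if not public_access_block.get(k)]
    if findings and missing:
        findings.append(f"{name}: Block Public Access not fully enabled (missing {', '.join(missing)})")
    return findings


# Constructed sample: a bucket configured the way an exposed bucket typically is.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-invoices/*",
    }],
})
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_BLOCK = {k: False for k in BLOCK_KEYS}

# Corrected configuration: no policy, owner-only ACL, Block Public Access fully on.
HARDENED_POLICY = None
HARDENED_ACL = {"Grants": [WEAK_ACL["Grants"][0]]}
HARDENED_BLOCK = {k: True for k in BLOCK_KEYS}

if __name__ == "__main__":
    for line in audit_bucket("example-invoices", WEAK_POLICY, WEAK_ACL, WEAK_BLOCK):
        print("FINDING:", line)
    print("hardened:", audit_bucket("example-invoices", HARDENED_POLICY, HARDENED_ACL, HARDENED_BLOCK))
```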

The huge trove of data includes over 400 invoices that provide information on how much the various brands had paid in commissions to the influencers.

Prominent influencers impacted by the data leak are:

Carlota Weber Mazuecos
Freddy Cousin Brown
Marion Caravano
Irsa Saleem
Danielle Metz

Data included in the S3 bucket could be used by threat actors to carry out multiple malicious activities, including phishing attacks, fraud and identity theft, stalking, and harassment.

vpnMentor researchers pointed out that the data remained exposed online for more than a month after they first reported the discovery to the company. Only on 22 December did vpnMentor receive a reply from 21 Buttons, and it is unclear whether the company has secured the data.

At this time it is impossible to determine whether anyone had access to the exposed data.

21 Buttons may also face negative backlash and other consequences as a result of this data breach, including fines and legal action, loss of customers and partners, and negative publicity.

Below is the timeline of the discovery:
Date discovered: 2nd Nov. 2020
Dates vendors contacted: 5th Nov., 12th Nov., 8th Dec. 2020
Dates Amazon Contacted: 10th Nov., 8th Dec. 2020
Date of Response: 22nd Dec. 2020
Date of Action:


Crypto Exchange EXMO Says Funds Stolen in Security Incident
23.12.2020
Incident  Securityweek

UK-based cryptocurrency exchange EXMO informed customers on Monday that it discovered large withdrawals from its hot wallets.

Founded in 2013, the exchange claims more than 27,000 active traders at the moment.

While it did not reveal the exact amount of stolen funds, the exchange did say it observed transfers out of its Bitcoin, Ripple, Zcash, Tether, Ethereum Classic, and Ethereum hot wallets.

“We are still investigating the incident, but as of now, the security audit report showed that some amounts of BTC, XRP, ZEC, USDT, ETC and ETH in EXMO’s hot wallets were transferred out of the exchange,” EXMO announced.

The company said it immediately re-deployed hot wallets, but admitted that the affected ones comprise approximately 5% of the total assets.

The assets stored in cold wallets were not affected by the security incident, EXMO said, adding that all funds stolen in the attack will be covered by the exchange.

The Block has calculated that EXMO lost roughly $10.5 million worth of funds as a result of the incident.

EXMO has published a list of the wallets the attackers transferred funds to, asking other exchanges to block transactions to and from them.

“We kindly ask all the services and exchanges to block all the accounts that are connected to these wallets. Currently, we are locating the reason for the incident and will keep this list updated,” EXMO noted in a blog post.

The company has already informed law enforcement of the security incident and suspended withdrawals for the time being.

“While the investigation is still in progress, we want to assure you that we have taken all the necessary measures for your safety. Funds depositing and withdrawal are still suspended. But don't worry. It's just a temporary measure,” the exchange said in a tweet today.


SolarWinds Claims Execs Unaware of Breach When They Sold Stock
23.12.2020
Incident  Securityweek

Texas-based IT management and monitoring solutions provider SolarWinds told the U.S. Securities and Exchange Commission (SEC) that its executives were not aware that the company had been breached when they decided to sell stock.

News that SolarWinds was breached as part of what appears to be a sophisticated cyber-espionage campaign had a significant impact on the value of the company’s shares.

Just days before the hack came to light, the firm’s two biggest investors, Silver Lake and Thoma Bravo, sold more than $280 million in stock to a Canadian public pension fund. The investors said in a statement that they were not aware of the cyberattack when they sold the stock.

While SolarWinds initially did not respond to requests for comment on the suspicious timing of the stock sales, the company told the SEC in a filing that “all sales of stock by executive officers in November were made under pre-established Rule 10b5-1 selling plans and not discretionary sales.”

It’s worth noting that Equifax also claimed that its executives were not aware of the massive breach suffered by the company in 2017 when they sold stock, but it later turned out that insider trading did take place.

SolarWinds’ investigation is ongoing, but the company said it had found no evidence that the attackers targeted products other than its Orion monitoring platform. The attackers leveraged their access to push trojanized updates to as many as 18,000 customers between March and June 2020. However, security researchers determined that the firm was likely breached at least one year before the intrusion was discovered.

The number of major companies that have confirmed being impacted, at least to some extent, continues to grow. Cisco, VMware and Microsoft have confirmed finding compromised Orion software on their systems, but they all claimed impact was limited.

As for government targets, the list includes the State Department, Commerce Department, Treasury, Homeland Security Department, and the National Institutes of Health. A senator revealed on Monday that dozens of email accounts were compromised as part of the attack targeting the Treasury.

Shortly after the SolarWinds breach came to light, several people said the attack seemed to be the work of Russian cyberspies, which U.S. Secretary of State Mike Pompeo appeared to confirm on Friday. However, President Donald Trump suggested on Saturday that it may have been China, not Russia. Both China and Russia have denied the accusations.


A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says
23.12.2020
Incident  Thehackernews
As the probe into the SolarWinds supply chain attack continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems.

"The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft 365 research team said on Friday in a post detailing the Sunburst malware.

What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL, Supernova ("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack.

In a standalone write-up, researchers from Palo Alto Networks said the Supernova malware is compiled and executed in-memory, permitting the attacker to bypass endpoint detection and response (EDR) systems and "deploy full-featured – and presumably sophisticated – .NET programs in reconnaissance, lateral movement and other attack phases."

How the Sunburst Backdoor Operates
The discovery is yet another indication that in addition to being a lucrative infection vector for threat actors, the supply chain attack of SolarWinds — which cast a wide net of 18,000 companies and government agencies — had been executed with a far broader scope and extraordinary sophistication.

The adversaries used what's called a supply chain attack, exploiting SolarWinds Orion network management software updates the company distributed between March and June of this year to plant malicious code in a DLL file (aka Sunburst or Solorigate) on the targets' servers that's capable of stealthily gathering critical information, running remote commands, and exfiltrating the results to an attacker-controlled server.

Analysis of the Solorigate modus operandi has also revealed that the campaign chose to steal data only from a select few of thousands of victims, opting to escalate their attacks based on intel amassed during an initial reconnaissance of the target environment for high-value accounts and assets.

The escalation involves the predefined command-and-control (C2) server — a now-sinkholed domain called "avsvmcloud[.]com" — responding to the infected system with a second C2 server that allows the Sunburst backdoor to run specific commands for privilege escalation exploration, credential theft, and lateral movement.
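One defensive use of the indicator above is to search DNS resolver logs for lookups of the sinkholed C2 domain and list the hosts that made them. The following Python is an added example, not code from the article or from Microsoft, FireEye or Palo Alto Networks; the log line format and the sample lines (including the made-up subdomain) are constructed.

```python
"""Flag DNS lookups of the Sunburst C2 domain in resolver logs (added example)."""
import re

# C2 domain named in the article (written there de-fanged as avsvmcloud[.]com).
SUNBURST_C2_DOMAINS = {"avsvmcloud.com"}

# Constructed sample resolver log: "<timestamp> <client ip> <query name> <query type>".
# Line 2 uses a made-up subdomain: real lookups were for subdomains of the C2
# domain, so the check must match the whole suffix, not only the bare apex.
SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.20.30.41 www.example.com A
2020-12-14T09:12:07Z 10.20.30.77 k5v7a3c9d1b2.avsvmcloud.com A
2020-12-14T09:12:09Z 10.20.30.12 notavsvmcloud.com A
2020-12-14T09:13:44Z 10.20.30.77 AVSVMCLOUD.COM. A
2020-12-14T09:14:02Z 10.20.30.53 updates.vendor.example A
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(qname):
    """Lower-case and drop the trailing dot so 'AVSVMCLOUD.COM.' compares equal."""
    return qname.rstrip(".").lower()


def is_c2_lookup(qname):
    """True for the C2 apex or any subdomain of it; 'notavsvmcloud.com' must not match."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in SUNBURST_C2_DOMAINS)


def find_c2_lookups(log_text):
    """Return (timestamp, client, normalized query name) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and is_c2_lookup(m.group("qname")):
            hits.append((m.group("ts"), m.group("client"), normalize(m.group("qname"))))
    return hits


def hosts_to_triage(hits):
    """Distinct clients that queried the C2 domain: candidates for an Orion/Sunburst check."""
    return sorted({client for _, client, _ in hits})


if __name__ == "__main__":
    found = find_c2_lookups(SAMPLE_DNS_LOG)
    for ts, client, qname in found:
        print(f"{ts} {client} queried {qname}")
    print("triage:", hosts_to_triage(found))
```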

The fact that the compromised DLL file is digitally signed implies a compromise of the company's software development or distribution pipeline, with evidence suggesting that the attackers have been conducting a dry run of the campaign as early as October 2019.

The October files did not have a backdoor embedded in them in the way that subsequent software updates SolarWinds Orion customers downloaded in the spring of 2020 did — rather, it was mainly used to test if the modifications showed up in the newly released updates as expected.

The US Cybersecurity and Infrastructure Security Agency (CISA), in an alert last week, said it found evidence of initial infection vectors using flaws other than the SolarWinds software.

Cisco, VMware, and Deloitte Confirm Malicious Orion Installations
Cybersecurity firms Kaspersky and Symantec have said they each identified 100 customers who downloaded the trojanized package containing the Sunburst backdoor, with the latter finding traces of a second-stage payload called Teardrop in a small number of organizations.

The specific number of infected victims remains unknown at this time, but it has steadily increased since cybersecurity firm FireEye revealed it had been breached via SolarWinds's software early this month. So far, several US government agencies and private companies, including Microsoft, Cisco, Equifax, General Electric, Intel, NVIDIA, Deloitte, and VMware, have reported finding the malware on their servers.

"Following the SolarWinds attack announcement, Cisco Security immediately began our established incident response processes," Cisco said in a statement to The Hacker News via email.

"We have isolated and removed Orion installations from a small number of lab environments and employee endpoints. At this time, there is no known impact to Cisco products, services, or to any customer data. We continue to investigate all aspects of this evolving situation with the highest priority."

FireEye was the first to expose the wide-ranging espionage campaign on December 8 after discovering that the threat actor had stolen its arsenal of Red Team penetration testing tools, making it thus far the only known instance where the attackers escalated access. No foreign governments have announced compromises of their own systems.

Although media reports have attributed the campaign to APT29, Russia has denied involvement in the hacking campaign, and cybersecurity companies and researchers at FireEye, Microsoft, and Volexity have not attributed these attacks to that threat actor.


VMware, Cisco Reveal Impact of SolarWinds Incident
22.12.2020 
Incident  Securityweek

VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack.

An advisory published last week by the NSA warned that malicious actors have been “abusing trust in federated authentication environments to access protected data.” The agency noted that the recent SolarWinds Orion product hack is “one serious example of how on-premises systems can be compromised leading to abuse of federated authentication and malicious cloud access.”

In that advisory, the NSA mentioned another recent advisory, one focusing on Russian state-sponsored hackers exploiting CVE-2020-4006, a recently patched vulnerability affecting the VMware Workspace ONE Access identity management product and some related components.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also reported last week that it had found evidence that the compromised SolarWinds Orion platform may not have been the only initial access vector. CISA said it had been “investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified.”

The NSA advisory on the exploitation of the VMware vulnerability also mentions SAML abuse and security blogger Brian Krebs reported learning from sources that the SolarWinds attackers also exploited the VMware flaw.

The NSA has not confirmed the connection, and VMware said in a statement published on Friday that it has not received any information on CVE-2020-4006 being “exploited in conjunction with the SolarWinds supply chain compromise.”

As for the cyber-spies behind the SolarWinds attack targeting its own systems, VMware admitted that it has identified some “limited instances” of the compromised Orion software on its internal networks, but it has found no evidence of exploitation, and claimed that SolarWinds’ own investigation to date has also not found any evidence of exploitation against VMware.

Cisco also confirmed last week that it identified the malicious software on “a small number of lab environments and a limited number of employee endpoints.” The networking giant said it does not use SolarWinds solutions for monitoring or managing its enterprise network, and it had found no evidence that its offerings or products were impacted, or that any customer data was exposed as a result of the incident.

Microsoft also confirmed detecting the malicious SolarWinds binaries on its own systems last week, but claimed it found no evidence that its systems were abused to target others. The tech giant reported identifying over 40 customers that were targeted by the threat group.

According to SolarWinds, up to 18,000 of its customers may be impacted and the list of known victims continues to grow.

Researchers reported last week that they had found evidence suggesting that the attackers penetrated SolarWinds systems at least one year before the breach was discovered.

Shortly after the SolarWinds breach came to light, several people said the attack seemed to be the work of Russian cyberspies, which U.S. Secretary of State Mike Pompeo appeared to confirm on Friday. However, President Donald Trump suggested on Saturday that it may have been China, not Russia.


Microsoft confirms breach in SolarWinds hack, but denies its clients were affected
19.12.2020 
Incident  Securityaffairs

Microsoft confirms that it was also breached in the SolarWinds supply chain hack, but rules out that the attack impacted its customers.
Microsoft has confirmed that it was one of the companies breached in the recent SolarWinds supply chain attack, but the IT giant denied that the nation-state actors compromised its software supply-chain to infect its customers.

Last week it emerged that Russia-linked hackers had breached SolarWinds and used trojanized SolarWinds Orion business software updates to distribute the backdoor tracked as SUNBURST (aka Solorigate, Microsoft’s name for it).

The company notified roughly 33,000 Orion customers of the incident, but it argued that fewer than 18,000 customers may have used the backdoored version of its products.

According to a report published by Reuters citing anonymous sources familiar with the investigation, Microsoft was also compromised in the SolarWinds supply-chain attack, and the hackers were able to compromise its software to distribute malware to its clients.
“As with networking management software by SolarWinds, Microsoft’s own products were then used to further the attacks on others, the people said.” reported the Reuters agency.

“It was not immediately clear how many Microsoft users were affected by the tainted products.”

Basically, the report states that Microsoft itself was the victim of a supply chain attack, a circumstance that the company denied.

Microsoft issued the following statement in response to the reports published by the media.

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
Frank Shaw, corporate vice president of communications at Microsoft, confirmed that the company detected multiple malicious SolarWinds binaries in its environment, but ruled out that the company’s clients were impacted.


The Cybersecurity and Infrastructure Security Agency (CISA) published an alert to warn of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. According to CISA, the attack was carried out by an APT group that demonstrated patience, operational security, and complex tradecraft in these intrusions.

CISA experts pointed out that removing this threat actor from compromised environments will be highly complex and challenging for organizations.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated.” reads the alert.

Microsoft, FireEye, and GoDaddy have partnered to create a kill switch for the Sunburst backdoor that was employed in the recent SolarWinds hack.


SolarWinds Likely Hacked at Least One Year Before Breach Discovery
19.12.2020 
Incident  Securityweek

An analysis of the infrastructure and the malware involved in the attack targeting SolarWinds indicates that the Texas-based IT management and monitoring company was hacked at least one year prior to the discovery of the breach.

SolarWinds has confirmed that sophisticated cyberspies, which are believed to be sponsored by the Russian government, compromised the software build system for its Orion product and delivered trojanized updates to as many as 18,000 customers between March and June 2020.

However, an analysis of the threat actor’s infrastructure conducted by threat intelligence company DomainTools, which specializes in DNS and domain analysis, suggests that SolarWinds was breached at some point in 2019.

An investigation conducted by threat intelligence firm ReversingLabs showed that the first version of the Orion software modified by the hackers was actually from October 2019. This version, 2019.4.5200.8890, was only slightly modified and it did not contain the malicious backdoor code, but it indicates that this is when the attackers first started making tests for modifying the software. The actual breach of SolarWinds infrastructure likely took place before this date.

According to DomainTools, the attackers likely started infrastructure management and staging in December 2019 and in February 2020 they started operationalizing command and control (C&C) domains.

The threat group started delivering its backdoored updates in March, but the malware, tracked as SUNBURST, is designed to remain dormant for up to two weeks, which makes it more difficult to detect and which resulted in communications from victim devices only starting in April.

Figure: SolarWinds attack timeline

“The SolarWinds intrusion was a long-planned event, occurring in distinct stages: supply chain breach, software modification testing, infrastructure development, then final deployment,” explained Joe Slowik, senior security researcher at DomainTools.

Slowik also pointed out that while some media reports citing US government sources have attributed the SolarWinds attack to Russia-linked threat actor APT29 (aka Cozy Bear, YTTRIUM and The Dukes), it’s possible that it was actually a different group whose activities have been tied to Russian intelligence services. This is based on the fact that Microsoft, FireEye and Volexity, which in the past analyzed APT29, have either assigned new names to this activity or they haven’t mentioned the link to a known actor.

In the meantime, the names of more victims have come to light. Microsoft confirmed that it detected some of the malicious binaries on its own systems and said it identified 40 customers that appeared to be high-value targets (i.e. they received later-stage payloads).

Several U.S. government organizations, including the Energy Department, have also been named as victims, and an analysis of the domain generation algorithm used by the SUNBURST malware revealed the names of hundreds of potential victims.

One of the latest victims identified through this method was U.S. cable and internet services provider Cox Communications. Kaspersky reported on Friday that a major American telecommunications company had been hit, but it did not identify it. However, Reuters revealed that it was Cox.


UK Energy Startup 'People's Energy' Discloses Data Breach
19.12.2020 
Incident  Securityweek

UK energy supplier People’s Energy this week started informing customers of a data breach that affected some of their personal information.

The Shawfair, Scotland-based startup was founded in 2017 and currently has approximately 270,000 customers, all of whom were affected by the newly disclosed cyber-incident. The company provides electricity and gas to customers in Scotland, England and Wales.

In a data breach notification published on its website, the energy supplier reveals that, on December 16, it was the victim of a cyberattack in which an unauthorized party accessed one of the systems used to store member data.

The breach was stopped immediately after the compromise vector was identified, and no financial information was accessed in the attack, but other personal data was indeed affected, the company says.

“As soon as we became aware of what was happening, we acted immediately to close down the route being used to get into our system, and to stop access to any further information,” People’s Energy notes.

Impacted data, the company reveals, includes names and phone numbers, physical and email addresses, dates of birth, numbers for People’s Energy accounts, tariff details, and identification numbers for both gas and electricity meters.

People’s Energy says that user account passwords were not affected in the incident.

“We’ve informed the Information Commissioner’s Office and the energy industry regulator, Ofgem. We’re following their guidance, and are keeping them updated on the situation,” the company says.

The data breach affected both current and former customers and the company is currently working on contacting all of the affected parties.

According to the BBC, People’s Energy revealed in an interview that 15 small-business customers had their financial information accessed by the attackers.

With the stolen information opening the door to possible phishing attacks, affected customers are advised to be cautious of all unsolicited calls and emails, and to avoid clicking on links in emails or messages they did not request.

“We have no idea of the motivation behind this attack. The police are investigating, and we’ll pass on any relevant information as soon as it’s available,” People’s Energy says, adding that it is currently working on improving protections for its systems.


Digging the recently leaked Chinese Communist Party database
18.12.2020 
Incident  Securityaffairs

KELA researchers analyzed a database recently leaked online that contains data for 1.9 million Chinese Communist Party members in Shanghai.
After the announcement of the leak of the database which contains the personal information of 1.9 million Chinese Communist Party (CCP) members in Shanghai, KELA researchers have obtained it. This database includes the members’ name, sex, ethnicity, hometown, organization, ID number, address, mobile number, landline, and education.

Further analysis allowed the experts to determine that the database also includes information of CCP members who worked at foreign consulates in Shanghai, as well as at the Chinese branches of different international banking, pharmaceutical, automotive and defense firms, universities, and research firms.

It is interesting to note that some of the companies in which CCP members were found are Pfizer, AstraZeneca, Airbus, Boeing, HSBC, Rolls-Royce, Jaguar and more. It is important to note that the employment of CCP members in Chinese companies is a known fact – and does not constitute by itself espionage of any sort.

The database was extracted from a server on April 16, 2016 by a local dissident, then a second source, dubbed “the Data Cleaner” uploaded it to activists’ private chat rooms. The “Data Cleaner” converted the database to a Microsoft Excel file on July 3, 2016. According to the README file of the database obtained by the KELA team, the source of the current file is LIHKG (lihkg[.]com) which is a Hong-Kong-based forum, where the database was uploaded on August 18, 2020.

While one might assume that this leaked database is new, it is important to note that the same database has been circulating in Chinese Darknet markets for at least 2 years. Therefore, it is unclear why the database has recently surfaced again. It was first offered for sale on November 4, 2018 on DeepMix market, which is considered one of the largest and most well-known Chinese Darknet markets. KELA’s systems cached a screenshot of the original offer.


Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales
18.12.2020 
Incident  Securityweek

Before this week, few people were aware of SolarWinds, a Texas-based software company providing vital computer network monitoring services to major corporations and government agencies worldwide.

But the revelation that elite cyber spies have spent months secretly exploiting SolarWinds’ software to peer into computer networks has put many of its highest-profile customers in national governments and Fortune 500 companies on high alert. And it’s raising questions about whether company insiders knew of its security vulnerabilities as its biggest investors sold off stock.

Founded in 1999 by two brothers in Tulsa, Oklahoma, ahead of the feared turn-of-the-millennium Y2K computer bug, the company’s website says its first product “arrived on the scene to help IT pros quell everyone’s world-ending fears.”

This time, its products are the ones instilling fears. The company on Sunday began alerting about 33,000 of its customers that an “outside nation state” — widely suspected to be Russia — injected malicious code into some updated versions of its premier product, Orion. The ubiquitous software tool, which helps organizations monitor the performance of their computer networks and servers, had become an instrument for spies to steal information undetected.

“They’re not a household name the same way that Microsoft is. That’s because their software sits in the back office,” said Rob Oliver, a research analyst at Baird who has followed the company for years. “Workers could have spent their whole career without hearing about SolarWinds. But I guarantee your IT department will know about it.”

Now plenty of other people know about it, too. One of SolarWinds’ customers, the prominent cybersecurity firm FireEye, was the first to detect the cyberespionage operation, and began notifying other victims. Among other revealed spying targets were the U.S. departments of Treasury and Commerce.

But the Trump administration has been silent on what other agencies were breached. And that wasn’t sitting well with some members of Congress.

“Stunning,” tweeted Sen. Richard Blumenthal, a Connecticut Democrat. He said a Senate Armed Services Committee classified briefing Tuesday “on Russia’s cyberattack left me deeply alarmed, in fact downright scared. Americans deserve to know what’s going on.”

“Declassify what’s known & unknown,” he demanded.

The Department of Homeland Security directed all federal agencies to remove the compromised software on Sunday night and thousands of companies were expected to do the same. The Pentagon said in a statement Wednesday that it had so far found “no evidence of compromise” on its classified and unclassified networks from the “evolving cyber incident.”

The NSA, DHS and FBI briefed the House Intelligence Committee Wednesday on what was widely considered a serious intelligence failure, and Democratic Sen. Dick Durbin told CNN “this is virtually a declaration of war by Russia on the United States, and we should take that seriously.”

Among business sectors scrambling to protect their systems and assess potential theft of information were the electric power industry, defense contractors and telecommunications firms.

The breach took the air out of SolarWinds, which is now based in the hilly outskirts of Austin, Texas. The compromised product accounts for nearly half the company’s annual revenue, which totaled $753.9 million over the first nine months of this year. Its stock has plummeted 23% since the beginning of the week.

Moody’s Investors Service said Wednesday it was looking to downgrade its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs.”

SolarWinds’ longtime CEO, Kevin Thompson, had months earlier indicated that he would be leaving at the end of the year as the company explored spinning off one of its divisions. The SolarWinds board appointed his replacement, current PulseSecure CEO Sudhakar Ramakrishna, on Dec. 7, according to a financial filing, a day before FireEye first publicly revealed the hack on its own system and two days before the change of CEOs was announced.

It was also on Dec. 7 that the company’s two biggest investors, Silver Lake and Thoma Bravo, which control a majority stake in the publicly traded company, sold more than $280 million in stock to a Canadian public pension fund. The two private equity firms in a joint statement said they “were not aware of this potential cyberattack” at the time they sold the stock. FireEye disclosed the next day that it had been breached.

The hacking operation began at least as early as March when SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have. FireEye described the malware’s dizzying capabilities — from initially lying dormant up to two weeks, to hiding in plain sight by masquerading its reconnaissance forays as Orion activity.

FireEye said Wednesday that it had identified a “killswitch” that prevents the malware used by the hackers from operating. But while that disables the original backdoor, it won’t remove intruders from systems where they created different ways of remotely accessing victimized networks.

SolarWinds executives declined interviews through a spokesperson, who cited an ongoing investigation into the hacking operation that involves the FBI and other agencies.

Thompson’s last few weeks at the helm are likely to be spent responding to frightened customers, some of them rankled about marketing tactics that might have made a target of SolarWinds and its highest-profile clients.

The company earlier this week took down a web page that boasted of dozens of its best-known customers, from the White House, Pentagon and the Secret Service to the McDonald’s restaurant chain and Smithsonian museums. The Associated Press is among customers, though the news agency said it did not use the compromised Orion products.

SolarWinds estimated in a financial filing that about 18,000 customers had installed the compromised software. And while that made them vulnerable to spy operations, security experts say it’s unlikely the hackers penetrated the vast majority. Spies tend to have narrow interest in such operations. Dozens of “high-value targets” in government and industry were compromised, said FireEye, without naming them. It said it has confirmed infections in North America, Europe, Asia and the Middle East to governments, consulting firms and the health care, technology, telecommunications and oil and gas industries — and has been informing affected organizations around the world.

Stanford University cybersecurity expert Alex Stamos said there aren’t nearly enough qualified threat hunters globally to scour potentially infected organizations for hidden malware from the operation.

“We are going to be reaping an ‘iron harvest’ of second-stage malware for years from this one,” he tweeted, a reference to unexploded World War II bombs that continue to be found in Europe three-quarters of a century later.


The SolarWinds Perfect Storm: Default Password, Access Sales and More

17.12.2020  Incident  Threatpost

Meanwhile, FireEye has found a kill switch, and Microsoft and other vendors are quickly moving to block the Sunburst backdoor used in the attack.

UPDATE

A perfect storm may have come together to make SolarWinds such a successful attack vector for the global supply-chain cyberattack discovered this week. Researchers said that includes its use of a default password (“SolarWinds123”) that gave attackers an open door into its software-updating mechanism; and, SolarWinds’ deep visibility into customer networks.

That story is unfolding as defenders take action. Microsoft for instance began blocking the versions of SolarWinds updates containing the malicious binary, known as the “Sunburst” backdoor, starting Wednesday; and, FireEye has identified a kill switch for the malware.

“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” a Microsoft security blog explained. Microsoft calls the backdoor “Solorigate.”

The backdoor was injected into SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of the Orion software framework, which is a plugin that communicates via HTTP to third-party servers. It beacons out to a command-and-control (C2) domain called avsvmcloud[.]com.

The kill switch, developed by FireEye in collaboration with Microsoft and GoDaddy, will defang new and previous Sunburst infections by disabling any deployments that are still beaconing to the C2.

“We identified a killswitch that would prevent Sunburst from continuing to operate,” a FireEye spokesperson told Threatpost. “Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution.”

Compromising a Legitimate Patch
On Monday, SolarWinds confirmed that adversaries (likely nation-state-backed) were able to inject malicious code into normal software updates for the Orion network-management platform. This installed the Sunburst/Solorigate backdoor inside the platform, which the attackers were subsequently able to take advantage of in targeted attacks on the U.S. Departments of Treasury and Commerce, DHS, FireEye and others around the world.

“It’s possible that the bad actors were able to gain access to either the SolarWinds source-code repository or their build pipeline and insert the malicious code,” Ray Kelly, principal security engineer at WhiteHat Security, told Threatpost. “We know this because the component that contained the malware was ‘code signed’ with the appropriate SolarWinds certificate. This made the DLL look like a legitimate and safe component for their Orion product. From there, it was bundled into a patch and distributed across thousands of customers.”

In all, SolarWinds said that it pushed out tainted software updates to almost 18,000 government agencies, contractors and enterprises over the course of the incident (between March and June), as Threatpost previously reported.

Also, even though the last push of the trojanized updates happened in June, the malicious updates remained available for download until this week. And Huntress researcher Kyle Hanslovan said that he had seen the malicious DLL still available via various update mechanisms.

“For some time, there were three fully compromised packages still publicly available for download from SolarWinds’ website, but have since been removed after we reported the findings,” according to a Huntress spokesperson.

For its part, SolarWinds has declined to issue any statement other than what it said in a media statement on Sunday: “We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers.”

SolarWinds: A Perfect Target
Orion is a product with such market dominance that company CEO Kevin Thompson bragged on an October earnings call that “we don’t think anyone else in the market is really even close in terms of the breadth of coverage we have. We manage everyone’s network gear.”

In addition to its overall footprint, perhaps what made SolarWinds the most attractive vector for the attackers however is its sheer reach into customer networks.

“One of the things that made SolarWinds an ideal target was the fact that the software would typically be given access to the full network to be able to do its job,” Marcus Hartwig, manager of security analytics at Vectra, told Threatpost. “Compromising SolarWinds makes sure an attacker does not have to worry about firewalls and other preventative security solutions working against them when performing recon or moving laterally.”

He added, “Additionally, SolarWinds Orion is a network management tool. It knows EVERYTHING on your network. Device, software version, firmware version, applications, etc… so they have a complete inventory – and as such can look at the exploits they have available to them and determine based on the devices that are vulnerable which organizations they will target. Quite frankly, it’s genius as it improves their return.”

Hartwig also noted that the users of SolarWinds are IT/network admins with privileged access accounts. He explained, “So, targeting SolarWinds means getting instant access to the most valuable accounts on the network, which is the key step in any attack succeeding.”

All of this alone would make it an irresistible target for a widespread supply-chain attack, but other alleged security lapses appear to have sealed the deal.

Security Supernova
For instance, security researcher Vinoth Kumar told Reuters that he discovered a hard-coded password for access to SolarWinds’ update server last year – the very easy-to-guess “solarwinds123.”

“This could have been done by any attacker, easily,” Kumar told the news service.

Sources also told Reuters that cybercriminals were spotted hawking access to SolarWinds’ infrastructure in underground forums, as far back as 2017. One of the access-dealers, they said, was the notorious Kazakh native known as “fxmsp,” which made headlines last year for hacking McAfee, Symantec and Trend Micro; and who is wanted by the Feds for perpetrating a widespread backdoor operation spanning six continents.

No AV Detection
To boot, a German newspaper flagged the fact that SolarWinds has a support page advising users to disable antivirus scanning for Orion products’ folders in order to avoid issues with the product’s efficacy. It’s not an uncommon practice, but security researchers did note that it makes the platform more of a target.

“There are sometimes legitimate reasons to whitelist some paths, such as for instance when working with malware or when using some remote access tools that may have dual use,” Kaspersky researcher Costin Raiu told Threatpost. “However, it is a terrible practice to whitelist or skip scanning folders in Program Files or Common Files, where applications running on the system reside, especially if they have self-updating functionality. If these are legitimate applications that are not normally detected, then they shouldn’t be whitelisted.”

He added, “Obviously, in the case of a supply-chain attack, such as the one that affected SolarWinds, users might find themselves in a position where the antivirus doesn’t detect the malicious module, even if the antivirus product has been updated to detect it. This is because the application path has been whitelisted. If the attackers deployed something more destructive, such as a wiper or ransomware, even if antivirus products might have detected it heuristically, it would still be allowed to run because the folder is whitelisted.”

Since no security solution detected this supply-chain attack proactively, the whitelisting likely didn’t affect the initial effectiveness of the malware deployment, he added; however, it may impact the ability to disinfect the affected systems, he warned.

Companies: Assess the Damage
For now, researchers said that organizations should take steps to assess whether they are infected with Sunburst/Solorigate; and if so, if they were targeted for further intrusion.

“While not every SolarWinds customer was likely a primary target for this particular activity, that doesn’t mean that additional persistence mechanisms were established en masse, in a way that would affect most or all customers,” Daniel Trauner, director of security, Axonius, told Threatpost. “Disabling any servers running backdoored versions of the product and disconnecting those hosts from your network is smart, but that’s certainly not enough. Organizations should immediately look for evidence of further persistence or lateral movement from those hosts. This applies to those who have already patched as well.”

Further, it should be said that the kill switch only works to prevent Sunburst from being effective — in all probability, the cyberactors have already moved laterally.

“In the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the Sunburst backdoor,” the FireEye spokesperson said. “This kill switch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of Sunburst.”


Microsoft partnered with security firms to sinkhole the C2 used in SolarWinds hack
17.12.2020 
Incindent  Securityaffairs

Microsoft and its partners have seized the primary domain used in the SolarWinds attack to identify the victims through sinkholing.
Microsoft partnered with other cybersecurity firms to seize the primary domain used in the SolarWinds attack (avsvmcloud[.]com) in an attempt to identify all victims and prevent other systems from being served malicious software.

The domain avsvmcloud[.]com was the command and control (C&C) server for the backdoor delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.

The tainted SolarWinds Orion plug-in disguised its network traffic as the Orion Improvement Program (OIP) protocol; it communicated over HTTP with the C2 to retrieve and execute malicious commands, dubbed “Jobs.” The backdoor supports multiple features, including transferring files, executing files, disabling system services, and gathering system information.

The attackers used VPN servers in the same country as the victim to obfuscate the IP addresses and evade detection.

In a security advisory, SolarWinds confirmed the supply chain attack: the threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software released between March and June 2020. The vendor recommends that users upgrade to Orion Platform release 2020.2.1 HF 1 immediately.

The C&C domain communicated with the bot via DNS responses containing a CNAME record that pointed to the domain which would provide further commands and payloads to the SUNBURST backdoor.

Security firms have now sinkholed the avsvmcloud[.]com domain, which is under the control of Microsoft.

Experts from Symantec confirmed the presence of the SUNBURST backdoor on the internal networks of 100 of its customers.

“Symantec has identified more than 2,000 computers at over 100 customers that received Trojanized software updates but has not identified any further malicious impact on those machines.” reads the analysis published by Symantec.

After the seizure of avsvmcloud[.]com, the domain redirects to an IP address owned by Microsoft. Any infected machine that attempts to contact the C2 will be tracked by Microsoft and its partners, who will notify the impacted organizations.
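To make the DNS side of this concrete, here is an added Python example (not code from Microsoft, FireEye or the original article) that sweeps resolver logs for lookups of the seized C2 domain and reports, per host, whether the answer was a CNAME (which the write-up describes as carrying the next-stage domain) or an A record (what a sinkholed name now returns). The log format, host names and answer values are constructed assumptions; only the domain comes from the article.

```python
import re

# SUNBURST C2 domain named in the article, written defanged; refang() normalises it.
C2_DOMAINS = ("avsvmcloud[.]com",)

# Constructed resolver log format (an assumption, not any real product's format):
# <timestamp> src=<client> qname=<name> qtype=<type> answer=<RRTYPE:value | RCODE>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+qname=(?P<qname>\S+)\s+"
    r"qtype=(?P<qtype>\S+)\s+answer=(?P<answer>\S*)\s*$"
)


def refang(domain: str) -> str:
    """Turn a defanged name like 'avsvmcloud[.]com' into a comparable lowercase FQDN."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def matches_c2(qname: str, c2_domains=C2_DOMAINS) -> bool:
    """True if qname is one of the C2 domains or any subdomain of one.

    The suffix test is anchored on a label boundary so that look-alikes such as
    'notavsvmcloud.com' or 'avsvmcloud.com.example' are not matched.
    """
    name = refang(qname)
    return any(name == d or name.endswith("." + d) for d in map(refang, c2_domains))


def scan_dns_log(lines, c2_domains=C2_DOMAINS) -> dict:
    """Group C2-related lookups by source host.

    For each client that resolved the C2 domain we keep the first timestamp,
    the number of lookups, the CNAME targets returned (the article notes these
    carried the next-stage domain) and any A-record answers (after the seizure
    these point at the sinkhole, i.e. the host still tried to call home).
    """
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not matches_c2(m["qname"], c2_domains):
            continue
        rec = hits.setdefault(m["src"], {
            "first_seen": m["ts"], "queries": 0,
            "cname_answers": [], "a_answers": [],
        })
        rec["queries"] += 1
        rrtype, _, value = m["answer"].partition(":")
        if rrtype == "CNAME" and value:
            rec["cname_answers"].append(refang(value))
        elif rrtype == "A" and value:
            rec["a_answers"].append(value)
    return hits


def hosts_to_isolate(hits: dict) -> list:
    """Hosts in handling order: those that received a CNAME (tasking) first, then by time."""
    return sorted(hits, key=lambda h: (not hits[h]["cname_answers"], hits[h]["first_seen"]))


# Constructed sample log; host names, subdomain labels and addresses are made up.
SAMPLE_LOG = """\
2020-12-14T03:12:07Z src=orion-srv01 qname=k2wdz3nq7s.avsvmcloud.com qtype=A answer=CNAME:stage2.example.net
2020-12-14T03:12:09Z src=orion-srv01 qname=k2wdz3nq7s.avsvmcloud.com qtype=A answer=A:203.0.113.5
2020-12-14T03:15:40Z src=ws-finance-07 qname=www.example.com qtype=A answer=A:198.51.100.10
2020-12-14T04:02:11Z src=orion-srv02 qname=avsvmcloud.com qtype=A answer=NXDOMAIN
2020-12-14T04:09:58Z src=ws-hr-03 qname=notavsvmcloud.com qtype=A answer=A:198.51.100.20
""".splitlines()

if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_LOG)
    for host in hosts_to_isolate(results):
        r = results[host]
        print(f"{host}: {r['queries']} lookup(s) since {r['first_seen']}, "
              f"CNAME targets={r['cname_answers']}, A answers={r['a_answers']}")
```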

The FBI and CISA are still investigating the supply chain attack along with security firms in an attempt to determine its extent.

US DHS CISA, Microsoft, and FireEye have shared Indicators of Compromise for the SolarWinds attack.


45 Million Medical Images Left Exposed Online

16.12.2020  Incindent  Threatpost
A six-month investigation by CybelAngel discovered unsecured sensitive patient data available for third parties to access for blackmail, fraud or other nefarious purposes.

More than 45 million medical images, and the personally identifiable information (PII) and personal healthcare information (PHI) associated with them, have been left exposed online due to unsecured technology that’s typically used to store, send and receive medical data, new research has found.

The CybelAngel Analyst Team uncovered sensitive medical records and images, including X-rays, CT scans and MRI images, that anyone can access online, during a six-month investigation into network attached storage (NAS) and Digital Imaging and Communications in Medicine (DICOM).

NAS is an inexpensive storage solution used mainly by small companies or individuals to store data rather than paying for more expensive dedicated servers or virtual cloud servers, while DICOM is a global standard used by healthcare professionals to transmit medical images.

“CybelAngel Analyst Team detected medical devices leaking more than 45 million unique imaging files on unprotected connected storage devices with ties to hospitals and medical centers worldwide,” David Sygula, senior cybersecurity analyst at CybelAngel, said in the report Full Body Exposure, adding that leaks were found in data across 67 countries.

The findings are concerning for a number of reasons. Threat actors can violate people’s privacy by selling the data on the dark web, where it is a valuable commodity, researchers said. They also can use the images and data to blackmail patients or to scam the medical system by using patient data to set up “ghost clinics” and “ghost patients” to commit fraud.

Moreover, privacy concerns over patient data are especially critical as the world is currently in the midst of a pandemic in which PII and PHI can have major implications for patient lives and the lives of those they’ve been in contact with. Threat actors or those with bad intentions also can use access to the data to modify someone’s medical records with ill intent, researchers noted.

CybelAngel tools scanned approximately 4.3 billion IP addresses to discover the images, which were left exposed on more than 2,140 unprotected servers across 67 countries including the United States, United Kingdom, France and Germany, according to the report.

Images typically included up to 200 lines of metadata per record, including the patient’s name, birth date and address as well as height, weight, diagnosis and other PHI. Anyone could access the images and data without the need for a username or password; in fact, in some cases, login portals to the systems storing the information accepted blank usernames and passwords, researchers said.

“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” Sygula said in a press statement. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals.”

Researchers investigated the route medical images and data take from devices such as MRI and CT scanners and X-ray machines, over DICOM, through to a centralized Picture Archiving and Communication System (PACS), which stores and distributes the images.

The PACS workstations usually include DICOM viewers, which can exist in the form of web applications, as well as organizational and collaborative tools. While these means of communication and transfer are meant to be secure, researchers discovered that security was “insufficient,” at best.

“To make matters worse, the existing DICOM application security measures are not mandatory and are not implemented by default,” Sygula wrote.

In most cases, the leak involved a NAS device that would expose data in a number of ways. These include unsecured ports allowing FTP and SMB protocols to provide unauthorized third parties access to devices and their data, as well as Dynamic DNS (DDNS) granting outsiders access to unsecured web services.
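As an added illustration of how much of this PHI lives in the file header itself, the following Python (written for this page, not CybelAngel’s tooling) walks a constructed DICOM file and inventories the identifying fields a defender would want to audit on a storage device before it is ever reachable from outside. It assumes explicit VR little-endian encoding without nested sequences; all patient values are made up.

```python
import struct

# (group, element) -> name for the PHI-bearing tags inventoried here.
# Tag numbers are the standard DICOM ones; the list is a subset chosen for this example.
PHI_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0008, 0x1030): "StudyDescription",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x0040): "PatientSex",
    (0x0010, 0x1020): "PatientSize",
    (0x0010, 0x1030): "PatientWeight",
    (0x0010, 0x1040): "PatientAddress",
    (0x0010, 0x2154): "PatientTelephoneNumbers",
}

# VRs whose explicit-VR encoding uses 2 reserved bytes plus a 4-byte length.
LONG_LENGTH_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}


def _element(group: int, element: int, vr: str, value: bytes) -> bytes:
    """Encode one explicit VR little-endian element (used only to build test data)."""
    if len(value) % 2:  # DICOM values are padded to even length
        value += b"\x00" if vr == "UI" else b" "
    head = struct.pack("<HH", group, element) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def scan_dicom(data: bytes) -> dict:
    """Walk an explicit VR little-endian DICOM Part 10 file and collect its PHI fields.

    Binary elements such as Pixel Data are skipped by length. An undefined-length
    sequence (0xFFFFFFFF) stops the walk, since this minimal reader does not
    descend into nested datasets.
    """
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, found = 132, {}
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                break
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length == 0xFFFFFFFF:
            break
        value = data[pos:pos + length]
        pos += length
        name = PHI_TAGS.get((group, element))
        if name is not None:
            found[name] = value.decode("ascii", "replace").strip(" \x00")
    return found


def build_sample_file() -> bytes:
    """Constructed DICOM file with made-up patient data (not from any real leak)."""
    body = b"".join([
        _element(0x0002, 0x0010, "UI", b"1.2.840.10008.1.2.1"),  # explicit VR little endian
        _element(0x0008, 0x0080, "LO", b"Example Imaging Center"),
        _element(0x0008, 0x1030, "LO", b"CT CHEST W CONTRAST"),
        _element(0x0010, 0x0010, "PN", b"DOE^JANE"),
        _element(0x0010, 0x0020, "LO", b"PAT-0001"),
        _element(0x0010, 0x0030, "DA", b"19800101"),
        _element(0x0010, 0x1030, "DS", b"68.5"),
        _element(0x0010, 0x1040, "LO", b"1 Example Street, Example City"),
        _element(0x7FE0, 0x0010, "OB", bytes(16)),  # tiny stand-in for Pixel Data
    ])
    return bytes(128) + b"DICM" + body


if __name__ == "__main__":
    for name, value in scan_dicom(build_sample_file()).items():
        print(f"{name:24s} {value}")
```

Run against a real export directory, the same walk gives a per-file count of identifying fields, which is the inventory a segmentation or de-identification review starts from.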

CybelAngel provided some simple advice for healthcare facilities to avoid exposing sensitive data to those unauthorized to view it. Researchers suggest that they ensure pandemic response does not exceed current security policies, and that they maintain proper network segmentation of connected medical imaging equipment.

CybelAngel also suggests that healthcare facilities conduct real-world audits of third-party partners to ensure that they too are in compliance with protocols, so that data isn’t leaked inadvertently in transit, according to the report.


Spotify Changes Passwords After Another Data Breach

15.12.2020  Incindent  Threatpost

This is the third breach in the past few weeks for the world’s most popular streaming service.

Spotify has alerted users that some of their registration data was inadvertently exposed to a third-party business partner, including email addresses, preferred display names, passwords, gender and dates of birth. This is at least the third breach in less than a month for the world’s largest streaming service.

A statement from Spotify about the incident said the exposure was due to a software vulnerability that existed from April 9 until Nov. 12 when it was corrected.

“We take any loss of personal information very seriously and are taking steps to help protect you and your personal information,” the statement, released Dec. 9, read. “We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted.”

Spotify Targeted
The announcement comes just a handful of days after some of the streaming service’s most popular stars’ pages were taken over by a malicious actor named “Daniel,” who used hijacked Spotify artist pages, including those of Dua Lipa and Pop Smoke, to proclaim his love of Trump and Taylor Swift. The incident occurred during the highly publicized year-end Spotify Wrapped 2020 announcement of the year’s most popular streams.

Just a week prior to that incident, in late November, Spotify was on the receiving end of a rash of account takeovers following a credential-stuffing operation. In this type of attack, threat actors bet on people reusing passwords: they try stolen passwords and IDs on different services to gain access to a range of accounts.

Researchers at vpnMentor found an open and vulnerable Elasticsearch database with more than 380 Spotify user records, including login credentials.

“The exposed database belonged to a third party that was using it to store Spotify login credentials,” the firm said. “These credentials were most likely obtained illegally or potentially leaked from other sources.”

At the time of that breach, Spotify initiated rolling password resets, leaving the database useless.

Spotify & Credential Stuffing
Now Spotify’s user data has been exposed again.

“A very small subset of Spotify users was impacted by a software bug, which has now been fixed and addressed,” a statement from a Spotify spokesperson to Threatpost read. “Protecting our users’ privacy and maintaining their trust are top priorities at Spotify. To address this issue, we issued a password reset to impacted users. We take these obligations extremely seriously.”

The company urges users to update passwords for other accounts tied to the same email account.

“Again, while we are not aware of any unauthorized use of your personal information, as a precautionary measure, we encourage you to remain vigilant by monitoring your account closely,” Spotify’s statement added. “If you detect any suspicious activity on your Spotify account, you should promptly notify us.”

Kacey Clark, threat researcher with Digital Shadows, told Threatpost that these types of basic data theft are exactly what malicious actors need to launch credential-stuffing attacks.

“Brute-force, cracking tools and account checkers are the cornerstones of many account takeover operations, reliably enabling attackers to get their hands on even more of your data.” Clark explained to Threatpost. “They’re automated scripts or programs applied to a login system ― whether it’s associated with an API or website ― to access a user’s account.”

Once they’re in, there’s little limit to the amount of damage account hackers could potentially inflict on victims.

“Criminal operations using brute-force cracking tools or account checkers may also take advantage of IP addresses, VPN services, botnets or proxies to maintain anonymity or improve the likelihood of accessing an account,” Clark added. “Once they’re in, they can use the account for malicious purposes or extract all of its data (potentially including payment-card details or personally identifiable information) to monetize it.”

She punctuated the point with Digital Shadows’ research findings that streaming services accounted for 13 percent of the accounts listed on criminal marketplaces.

“In the end, would you rather pay $10 a month for yet another streaming service, or pay $5 for lifetime access?” she asked.

Streaming Services Targeted
Media and streaming services are well-known targets of credential-stuffing attacks. Akamai recently identified the risk of credential-stuffing attacks for content providers like Spotify.

“Hackers are very attracted to the high profile and value of online streaming services,” according to the firm. In Akamai’s most recent report on the state of media-industry security, it found that a full 20 percent of the observed 88 billion credential-stuffing attacks over the past year were aimed at media companies.

“As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information,” Akamai researcher Steve Ragan explained. “Password-sharing and recycling are easily the two largest contributing factors in credential-stuffing attacks.”

And while good password protections are a smart way for consumers to protect their data, Ragan stressed it’s businesses that need to take proactive steps to boost security and maintain consumer trust.

“While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”


Details of 1.9M Chinese Communist Party members leaked
15.12.2020 
Incindent  Securityaffairs

Security experts from Cyble discovered that the details of 1.9 million members of the Chinese Communist Party were leaked on a hacking forum.
During routine dark web monitoring, the experts from Cyble found a post on a Russian-speaking forum offering the details of 1.9 million members of the Chinese Communist Party.

The huge trove of data, a 293 MB CSV file, was offered for free. The exposed records included name, sex, ethnicity, organization, hometown, ID, Address, Mobile Number, Phone Number, Education.
“People who are concerned about their information exposure can register on Cyble’s data breach monitoring and notification platform, AmiBreached.com, to ascertain the risks at no cost. Also, Android users (Link) and iOS users (Link) can gain full access to it just by downloading the mobile application.” states the post published by Cyble.

Below is a list of suggestions provided by Cyble to prevent cyber-attacks:

Never click on unverified/unidentified links
Do not open untrusted email attachments
Only download media from sites you trust
Never use unfamiliar USBs
Use security software and keep it updated
Backup your data periodically
Keep passwords unique and unpredictable
Keep Software and Systems up to date
Train employees on Cyber Security
Set up Firewall for your internet
Take a Cyber Security assessment
Update passwords regularly


SolarWinds Says 18,000 Customers May Have Used Compromised Orion Product
15.12.2020  Incindent  Securityweek

SolarWinds’ investigation into the recent attacks that leveraged its products to target government and private sector organizations revealed that 18,000 customers may have used the compromised products, the company said in a filing with the Securities and Exchange Commission (SEC) on Monday.

The IT management and monitoring solutions provider has confirmed reports that threat actors compromised the software build system for its Orion monitoring platform and leveraged that access to deliver trojanized updates to customers between March and June 2020. The vendor says the attacker could have exploited the introduced vulnerability to compromise the server running the Orion product.

SolarWinds says it has notified roughly 33,000 Orion customers of the incident, but the firm believes that in reality “fewer than 18,000” customers may have used the compromised version of its products.

It also noted that it detected an attack targeting its Microsoft Office 365 email and productivity systems, but the company is still trying to determine if this incident is related to the Orion hack, and claims that it has found no evidence that data was exfiltrated.

SolarWinds has released a hotfix and by December 15 it expects to release another update that will replace the compromised component and provide additional security enhancements. The company pointed out that there is no evidence that other products are impacted, and noted that only products downloaded, implemented or updated between March and September contained the vulnerability. The source code repository of the Orion products was apparently not compromised.

FireEye, which is one of the companies that was apparently targeted in the campaign involving the SolarWinds exploit, reported observing multiple victims, including government, technology, consulting, extractive and telecom organizations in North America, Europe, the Middle East and Asia.

Several U.S. government organizations were also hit, including the Treasury and Commerce departments, and Reuters reported on Monday that the hackers also gained access to internal communications at the Department of Homeland Security (DHS).

However, in its SEC filing, SolarWinds noted that it “is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in any of the” attacks reported by the media.

According to its website, SolarWinds has more than 300,000 customers worldwide, including over 425 of the U.S. Fortune 500 companies, all the biggest telecoms firms in the United States, the U.S. Military, the State Department, the Pentagon, the NSA, and the Department of Justice.

The DHS issued an emergency directive on Sunday, instructing federal agencies to immediately look for signs of a breach, collect forensic evidence for an investigation, and take steps to lock the attackers out.

A Russian state-sponsored threat actor is reportedly behind this campaign — the group tracked as APT29 and Cozy Bear seems to be the main suspect. Russia has denied the allegations in a statement published by its U.S. embassy on Sunday.

FireEye, which tracks the attacker as UNC2452, said the hackers used the trojanized SolarWinds software to deliver a backdoor named SUNBURST and, in at least some cases, deliver other previously unknown payloads.


Pay2Key hackers stole data from Intel’s Habana Labs
14.12.2020 
Incindent  Securityaffairs

Pay2Key ransomware operators claim to have compromised the network of the Intel-owned chipmaker Habana Labs and have stolen data.
Intel-owned AI chipmaker Habana Labs was hacked by Pay2Key ransomware operators, who claim to have stolen data from the company.

The group announced the hack on Twitter, claiming to have stolen sensitive data, including information about a new artificial intelligence chip code-named Gaudi.

The hackers shared a link to a leak directory and images of the source code and internal processes belonging to the hacked company.

The Pay2Key leak directory includes Windows domain controller data and a file listing from the Gerrit development code review system.

Image: Pay2Key data leak site listing Habana Labs (Source: Bleeping Computer)

“The hackers also claim to have gained access to the company’s Domain Controller, which, if true, would indicate they were able to breach its entire organizational network. If it is linked to that of Intel, the hackers may have gained access to the American organization too.” reads the post published by Calcalistech.

The Pay2key operators have also blackmailed several Israeli companies throughout November.


At the time of this writing, the ransom demand is not known; it is only known that the gang gave Habana Labs “72hrs to stop leaking process.”

Researchers from Profero speculate that the Pay2Key gang is an Iran-based crew because it used ransom payment wallets operated by Iranian bitcoin exchanges.


Spotify Informs Users of Personal Information Exposure
12.12.2020 
Incindent  Securityweek

Spotify this week started informing users that their personal information might have been inadvertently shared with some of the company’s business partners.

In a data security breach notice filed with the California Attorney General, the streaming service revealed that it inadvertently exposed user data to business partners for several months.

“We deeply regret to inform you that your Spotify account registration information was inadvertently exposed to certain of Spotify’s business partners. Firstly, we want to apologize that there has been an incident,” the company told users.

Spotify also revealed that it identified the issue on November 12, adding that the data exposure was the result of a vulnerability in its system. The information, however, was not exposed publicly.

“We estimate that this vulnerability existed as of April 9, 2020 until we discovered it on November 12, 2020, when we took immediate steps to correct it,” the streaming service added.

Affected data might have included Spotify account registration information such as user email address and password, preferred display name, date of birth, and gender.

The company says it has conducted an internal investigation into the incident and that it has already contacted the business partners that may have accessed user data, to make sure that the leaked information was deleted.

“We take any loss of personal information very seriously and are taking steps to help protect you and your personal information,” Spotify noted.

The streaming service has also decided to reset the passwords for the affected accounts, to ensure that they are kept secure.

Spotify also claims that it has no reason to believe that the exposed information has been or will be used without authorization. Regardless, it does urge users to reset passwords for other accounts on which the same email address and password combination are used.

“Again, while we are not aware of any unauthorized use of your personal information, as a precautionary measure, we encourage you to remain vigilant by monitoring your account closely. If you detect any suspicious activity on your Spotify account, you should promptly notify us,” Spotify said.


Cybersecurity Firm FireEye Got Hacked; Red-Team Pentest Tools Stolen
10.12.2020 
Incindent  Thehackernews
FireEye, one of the largest cybersecurity firms in the world, said on Tuesday it became a victim of a state-sponsored attack by a "highly sophisticated threat actor" that stole its arsenal of Red Team penetration testing tools it uses to test the defenses of its customers.

The company said it's actively investigating the breach in coordination with the US Federal Bureau of Investigation (FBI) and other key partners, including Microsoft.

It did not identify a specific culprit who might be behind the breach or disclose when the hack exactly took place.

However, The New York Times and The Washington Post reported that the FBI has turned over the investigation to its Russian specialists and that the attack is likely the work of APT29 (or Cozy Bear) — state-sponsored hackers affiliated with Russia's SVR Foreign Intelligence Service — citing unnamed sources.

As of writing, the hacking tools have not been exploited in the wild, nor do they contain zero-day exploits, although malicious actors in possession of these tools could abuse them to subvert security barriers and take control of targeted systems.

Red Team tools are often used by cybersecurity organizations to mimic those used in real-world attacks with the goal of assessing a company's detection and response capabilities and evaluating the security posture of enterprise systems.

The company said the adversary also accessed some internal systems and primarily sought information about government clients but added there's no evidence that the attacker exfiltrated customer information related to incident response or consulting engagements or the metadata collected by its security software.

"This attack is different from the tens of thousands of incidents we have responded to throughout the years," FireEye CEO Kevin Mandia wrote in a blog post.

"The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."

The accessed Red Team tools run the gamut from scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. A few others are modified versions of publicly available tools designed to evade basic security detection mechanisms, while the rest are proprietary attack utilities developed in-house.

To minimize the potential impact of the theft of these tools, the company has also released 300 countermeasures, including a list of 16 previously disclosed critical flaws that should be addressed to limit the effectiveness of the Red Team tools.

If anything, the development is yet another indication that no company, including cybersecurity firms, is immune to targeted attacks.

Major cybersecurity firms such as Kaspersky Lab, RSA Security, Avast, and Bit9 have previously fallen victim to damaging hacks over the past decade.

The incident also bears faint similarities to The Shadow Brokers' leak of offensive hacking tools used by the US National Security Agency in 2016, which also included the EternalBlue zero-day exploit that was later weaponized to distribute the WannaCry ransomware.

"Security companies are a prime target for nation-state operators for many reasons, but not least of all is [the] ability to gain valuable insights about how to bypass security controls within their ultimate targets," Crowdstrike's co-founder Dmitri Alperovitch said.

The release of red team tools stolen by the adversary "will go a long way to mitigating the potential impact of this intrusion for organizations all over the world," he added.


Top cybersecurity firm FireEye hacked by a nation-state actor
9.12.2020 
Incindent  Securityaffairs

The cyber security giant FireEye announced that it was hacked by nation-state actors, likely Russian state-sponsored hackers.
FireEye is one of the most prominent cybersecurity firms; it provides products and services to government agencies and companies worldwide.

The company made the headlines because it was the victim of a hack, and experts blame Russia-linked hackers for the attack.

“FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.” reported The New York Times.

The company notified law enforcement, and the F.B.I. launched an investigation into the hack.

“Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” reads a post published by FireEye.

The security firm did not attribute the attack to a specific actor, but the NYT pointed out that the F.B.I. agents involved in the investigation were Russia specialists.

The intruders were interested in gathering information about the tools used by the company, the so-called “Red Team tools.” Red Team tools are custom tools developed from malware spotted by the company in attacks in the wild.

The Red Team tools can replicate the most sophisticated hacking tools in the world and are used by the company for penetration testing and vulnerability assessment on the systems of FireEye’s customers.

“During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security.” reported the security firm. “These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits.”

The tools in FireEye’s arsenal are placed in a sort of digital safe, but these tools in the wrong hands could be very dangerous. Threat actors could use these tools to carry out attacks that could not be attributed to them.

Experts highlighted the risk that Russian intelligence agencies saw an advantage in mounting the attack while US authorities were focused on securing the presidential election system.

This hack is the most severe since the 2016 theft of National Security Agency tools by the ShadowBrokers group.

The attack against FireEye was very sophisticated and threat actors “went to extraordinary lengths” to fly under the radar.

The attack involved previously unseen IP addresses, many inside the United States.

“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye.” wrote Kevin Mandia. “They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

Mandia explained that this is a surgical attack that exhibited “discipline and focus.” Google, Microsoft, and other firms that conduct cybersecurity investigations declared they had never seen some of these techniques.

FireEye opted to share key elements of its Red Team tools so that other defense teams around the world would be able to detect ongoing attacks using them.

Investigators are trying to determine whether the hackers exploited a recently patched VM flaw which, according to an advisory published by the N.S.A., was targeted by Russia-linked hackers in recent attacks.

At the time of this writing, FireEye has seen no evidence to date that any attacker has used the stolen Red Team tools.


Cybersecurity Firm FireEye Says Was Hacked by Nation State
9.12.2020 
Incindent  Securityweek
Prominent U.S. cybersecurity firm FireEye said Tuesday that foreign government hackers with “world-class capabilities” broke into its network and stole offensive tools it uses to probe the defenses of its thousands of customers, who include federal, state and local governments and top global corporations.

The hackers “primarily sought information related to certain government customers,” FireEye CEO Kevin Mandia said in a statement, without naming them. He said there was no indication they got customer information from the company’s consulting or breach-response businesses or threat-intelligence data it collects.

FireEye is a major cybersecurity player — it responded to the Sony and Equifax data breaches and helped Saudi Arabia thwart an oil industry cyberattack — and has played a key role in identifying Russia as the protagonist in numerous aggressions in the burgeoning netherworld of global digital conflict.

Neither Mandia nor a FireEye spokeswoman said when the company detected the hack or who might be responsible. But many in the cybersecurity community suspect Russia.

“I do think what we know of the operation is consistent with a Russian state actor,” said former NSA hacker Jake Williams, president of Rendition Infosec. “Whether or not customer data was accessed, it’s still a big win for Russia.”

FireEye’s Mandia said he had concluded that “a nation with top-tier offensive capabilities” was behind the attack.

The stolen “red team” tools — which amount to real-world malware — could be dangerous in the wrong hands. FireEye said there’s no indication they have been used maliciously. But cybersecurity experts say sophisticated nation-state hackers could modify them and wield them in the future against government or industry targets.

The hack was the biggest blow to the U.S. cybersecurity community since a mysterious group known as the “Shadow Brokers” in 2016 released a trove of high-level hacking tools stolen from the National Security Agency. The U.S. believes North Korea and Russia capitalized on the stolen tools to unleash devastating global cyberattacks.

The nation’s Cybersecurity and Infrastructure Security Agency warned that “unauthorized third-party users” could similarly abuse FireEye’s stolen red-team tools.

Milpitas, California-based FireEye, which is publicly traded, said in Tuesday’s statement that it had developed 300 countermeasures to protect customers and others from them and was making them immediately available.

FireEye has been at the forefront of investigating state-backed hacking groups, including Russian groups trying to break into state and local governments in the U.S. that administer elections. It was credited with attributing to Russian military hackers mid-winter attacks in 2015 and 2016 on Ukraine’s energy grid. Its threat hunters also have helped social media companies including Facebook identify malicious actors.

Thomas Rid, a Johns Hopkins cyberconflict scholar, said that if the Kremlin were behind the hack it could have been seeking to learn what FireEye knows about Russia’s global state-backed operations — doing counterintelligence. Or it might have been seeking to retaliate against the U.S. government for measures including indicting Russian military hackers for meddling in the 2016 U.S. election and other alleged crimes. FireEye is, after all, a close U.S. government partner that has “exposed many Russian operations,” he said.

FireEye said it is investigating the attack in coordination with the FBI and partners including Microsoft, which has its own cybersecurity team. Mandia said the hackers used “a novel combination of techniques not witnessed by us or our partners in the past.”

Matt Gorham, assistant director of the FBI’s cyber division, said the hackers’ “high level of sophistication (was) consistent with a nation state.”

The U.S. government is “focused on imposing risk and consequences on malicious cyber actors, so they think twice before attempting an intrusion in the first place,” Gorham said. That has included what U.S. Cyber Command terms “defending forward” operations, such as penetrating the networks of Russia and other adversaries.

U.S. Sen. Mark Warner, a Virginia Democrat on the Senate’s intelligence committee, applauded FireEye for quickly disclosing the intrusion, saying the case “shows the difficulty of stopping determined nation-state hackers.”

Cybersecurity expert Dmitri Alperovitch said security companies like FireEye are top targets, with big names in the field including Kaspersky and Symantec breached in the past.

“Every security company is being targeted by nation-state actors. This has been going on for over a decade now,” said Alperovitch, the co-founder and former chief technical officer of Crowdstrike, which investigated the 2016 Russian hack of the Democratic National Committee and Hillary Clinton’s campaign.

He said the release of the “red-team” tools, while a serious concern, was “not the end of the world because threat actors always create new tools.”

“This could have been much worse if their customer data had been hacked and exfiltrated. So far there is no evidence of that,” Alperovitch said, citing hacks of other cybersecurity companies — RSA Security in 2011 and Bit9 two years later — that contributed to the compromise of customer data.

Founded in 2004, FireEye went public in 2013 and months later acquired Virginia-based Mandiant Corp., the firm that linked years of cyberattacks against U.S. companies to a secret Chinese military unit. It had about 3,400 employees and $889.2 million in revenue last year, though with a net loss of $257.4 million.

The company’s 8,800 customers last year included more than half of the Forbes Global 2000, companies in telecommunications, technology, financial services, healthcare, electric grid operators, pharmaceutical companies and the oil-and-gas industry.

Its stock fell more than 7% in after-hours trading Tuesday following news of the hack.


FireEye Says 'Sophisticated' Hacker Stole Red Team Tools
9.12.2020 
Incindent  Securityweek
Cybersecurity Firm Shares Countermeasures With Partners and Government Agencies to Blunt the Effects of the Breach

Cybersecurity powerhouse FireEye late Tuesday acknowledged that a “highly sophisticated” threat actor broke into its corporate network and stole a range of automated hacking tools and scripts.

The breach, likely the work of a nation-state backed actor, follows a pattern of advanced threat actors targeting security vendors. FireEye said the stolen red-team tools are publicly available and have been modified to evade basic security detection mechanisms.

“Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of countermeasures with this blog post to enable the broader security community to protect themselves against these tools,” FireEye said in a blog post announcing the intrusion.

“We have incorporated the countermeasures in our FireEye products—and shared these countermeasures with partners, government agencies—to significantly limit the ability of the bad actor to exploit the Red Team tools,” the company added.

FireEye said the tools stolen by the attacker did not contain zero-day exploits. “The tools apply well-known and documented methods that are used by other red teams around the world.

"Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario," it added.

FireEye CEO Kevin Mandia said the company was specifically targeted by the attacker. “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a separate statement.

“This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye,” he added.

Mandia also disclosed that the attacker primarily sought information related to “certain government customers.”

“While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly,” the chief executive added.

FireEye isn’t the first big-name security vendor to suffer a breach at the hands of nation-state backed threat actors. In 2015, Kaspersky acknowledged its network was compromised by a threat actor known publicly as Duqu and linked to a nation-state.

“If a nation-state with all of its resources targets an organization, the chances are very high that the adversary will be successful," Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, told SecurityWeek. "Intelligence agencies can accomplish their missions, so defenders ultimately have to fall back to detection and response. The adage, 'those who live in glass houses should not throw stones,' applies here. Any organization can be compromised; it is how you respond to an intrusion that determines its severity."

"Hopefully, these tools don't make their way into the public's hands," Holland continued. "We have seen the damaging impact of Hacking Team and the NSA's EternalBlue tool leaks/disclosures. If these tools become widely available, this will be another example of the attackers' barrier to entry getting lower and lower. The bottom line here: these tools making into the wrong hands will make defenders' lives more challenging."

Shares of publicly traded FireEye (NASDAQ: FEYE) were trading down nearly 8% in after-hours trading Tuesday, after enjoying a recent rise following a $400 million strategic investment led by investment giant Blackstone announced in late November.


Chrome, Edge and Firefox May Leak Information on Installed Apps
7.12.2020 
Incindent  Securityweek

Two information disclosure vulnerabilities recently identified in the Chrome, Edge, and Firefox web browsers may be exploited to obtain information on applications on the system, Fortinet reports.

The bugs impact Protocol Handlers, which are related to a mechanism that allows apps to register their own URI schemes used for process execution.

In Windows, three different keys are used to manage URL handlers, and web browsers prompt users to choose an application to handle URLs containing non-http schemes.

“Though it requires user interaction and thus poses a limited risk, it expands the attack surface beyond the browser borders,” Fortinet security researcher Rotem Kerner says.

To exploit the feature, an attacker could create web pages meant to trigger potentially vulnerable applications within the victim system. Such attacks may even bypass protection mechanisms like Smart Screen, the researcher argues.

By exploring possible ways to abuse this feature, Kerner discovered that Firefox (78.0.1 64-bit, on Windows 10) could leak protocol handlers.

Tracked as CVE-2020-15680 and already patched, the vulnerability exists because the web browser renders images sourced from existing and non-existing protocol handlers differently. Specifically, if the source of an image element is set to a non-existing handler, the element is rendered with a different size, 0x0.

“This difference can be measured using a simple JS script. Based on this, a malicious actor may perform a brute-force attack to disclose the different protocol handlers on a targeted system,” the security researcher notes.

In Chrome (tested against version 83.0.4103.116 on Windows 10), the exploitation of this issue is noisier, but the results are the same.

Here, Kerner explains, the browser window loses focus when the user is shown the message box asking whether to allow a different application to be opened, which happens only if the handler exists. To brute-force the list of handlers, the attacker could redirect the victim to a different domain, thus avoiding the opening of multiple message boxes.

“A wide range of applications nowadays uses custom URL handlers and can be detected using this vulnerability. Some examples: music players, IDE, office applications, crypto-mining, browsers, mail applications, antivirus, video conferencing, virtualizations, database clients, version control clients, chat clients, voice conference apps, shared storages,” the researcher says.

An attacker could exploit these issues to identify social apps used by the target, perform general reconnaissance, identify potentially vulnerable apps on the system, identify installed security solutions, or improve browser fingerprinting.

Contacted by the researcher, Google said this was a user fingerprinting issue, but confirmed that it would release a fix. Microsoft does not consider this a security flaw. However, Edge, which is based on Chromium, will likely be patched as well when the fix arrives for the open source browser.


Hacker Who Stole Information From Nintendo Sentenced
3.12.2020 
Incindent  Securityweek

A computer hacker who stole information from Nintendo and was also caught with child pornography on his computer was sentenced Tuesday to three years in prison.

Ryan S. Hernandez, 21, of Palmdale, California, had pleaded guilty in January to one count of computer fraud and abuse and one count of possession of child pornography. The federal judge ordered Hernandez to be on seven years of supervised release following his prison term and register as a sex offender.

Hernandez was caught stealing confidential Nintendo files in 2016 when he was a minor. The FBI investigated and contacted Hernandez and his parents. He agreed to stop hacking the company, according to court records.

But from June 2018 to June 2019, Hernandez hacked Nintendo services and stole confidential information about popular video games, gaming consoles and developer tools, prosecutors said. The FBI searched his home and computers in 2019 and found thousands of confidential Nintendo files as well videos and images of minors engaged in sex.

The judge recommended Hernandez be incarcerated at a federal prison for inmates with cognitive challenges and ordered him to pay $259,323 in restitution to Nintendo.


Xerox DocuShare Bugs Allow Data Leaks
3.12.2020 
Incindent  Threatpost

CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes.

Xerox issued a fix for two vulnerabilities impacting its market-leading DocuShare enterprise document management platform. The bugs, if exploited, could expose DocuShare users to an attack resulting in the loss of sensitive data.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security bulletin urging users and administrators to apply a patch that plugged two security holes in recently released versions (6.6.1, 7.0, and 7.5) of Xerox’s DocuShare. The vulnerability is rated important.

Tracked as CVE-2020-27177, the vulnerabilities, Xerox said, expose Solaris, Linux and Windows DocuShare users to both a server-side request forgery (SSRF) attack and an unauthenticated XML external entity (XXE) injection attack. Xerox issued its security advisory (XRX20W) on November 30.
Xerox did not share the specifics of the bugs or possible attack scenarios. In its “Mini Bulletin” it offered links to hotfix tarballs addressing the bugs in the affected Solaris, Linux and Windows versions of DocuShare.

However, a hotfix for the Solaris version of DocuShare 7.5 is not available. Xerox did not respond to press inquiries before this article was published.

Potential Threat Vectors
An SSRF vulnerability would allow an attacker to abuse functionality on a server hosting the software-as-a-service (SaaS) DocuShare. A successful SSRF attack typically allows an adversary to read or update internal resources.

“The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed,” according to an OWASP Foundation description of a SSRF attack.

An XXE is a type of attack against an application that parses XML input. “This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser,” OWASP describes.

A successful XXE attack would allow a cybercriminal to gain access to confidential data and could also facilitate attacks that include: “denial of service, server side request forgery and port scanning from the perspective of the machine where the parser is located,” according to OWASP.

Bug hunter Julien Ahrens (@MrTuxracer) is credited for finding the bug and bringing it to Xerox’s attention.

Xerox DocuShare is an enterprise document management system used by mid-sized and large businesses. The document management system market, worth $41.65 billion in 2019, is dominated by companies such as Xerox, IBM, Oracle and OpenText.


Cayman Islands Bank Records Exposed in Open Azure Blob
2.12.2020 
Incindent  Threatpost

An offshore Cayman Islands bank’s backups, covering a $500 million investment portfolio, were left unsecured and leaking personal banking information, passport data and even online banking PINs.

A Cayman Island investment firm has removed years of backups, which up until recently were easily available online thanks to a misconfigured Microsoft Azure blob. The blob’s single URL led to vast stores of files including personal banking information, passport data and even online banking PINs — which in addition to a security problem, presents a potential public-relations nightmare for a firm in the business of discreet, anonymous offshore financial transactions.

The massive cybersecurity blunder was pointed out by a researcher to The Register, which agreed not to disclose the name of the compromised bank in return for details about how this happened. Once evidence was given to the bank of the exposed data, the information was passed onto a bank staffer with a college computer science background, the report added. There was no one else on staff specifically dedicated to cybersecurity.

The Register added that the firm’s staff were “completely unaware” how the Azure blob worked (Azure Blob Storage is Microsoft’s cloud storage solution, competing with Amazon Web Services S3 buckets and other cloud storage offerings, and is commonly used for backups). The entire operation was completely dependent on an outside provider for cybersecurity.

The Register said the firm claims it manages $500 million in investments.

“This was a backup solution provided by our IT vendor in Hong Kong which we saw as a fairly normal cloud provision,” the bank employee said in response to The Register. “Clearly there’s some issue here!”

The data has since been removed from view by the IT vendor.

Cybersecurity and legal expert Ilia Kolochenko, who founded and serves as the CEO of ImmuniWeb, said the investment firm should expect fallout from the breach.

“For this specific case, most jurisdictions will likely consider this incident to be gross negligence, exposing the fund to a series of lawsuits from the clients,” Kolochenko told Threatpost. “In the past, similar incidents led to bankruptcies due to irreparable impact on the reputation and inability to continue operations with frustrated customers. We should also expect various law enforcement agencies, in charge of the prosecution of tax evasion or money laundering, to start a probe of the documents for investigative purposes.”

Cloud Misconfiguration Breaches
Regardless of the flavor or brand of cloud storage, misconfigurations have plagued all sorts of businesses in recent months.

Hotel reservation platform Cloud Hospitality, which is used by hotels to integrate their systems with online booking systems, recently exposed the data of about 10 million people as the result of a misconfigured Amazon Web Services S3 bucket.

Subscription Christian app Pray.com, which has been downloaded by more than a million people on Google Play, also exposed the personal data of its tens of millions of customers, including payment information submitted by subscribers for donations. Here too, the culprit was a misconfigured AWS S3 bucket.

“Through further investigation, we learned that Pray.com had protected some files, setting them as private on the buckets to limit access,” vpnMentor’s report on the breach said. “However, at the same time, Pray.com had integrated its S3 buckets with another AWS service, the AWS CloudFront content delivery network (CDN). Cloudfront allows app developers to cache content on proxy servers hosted by AWS around the world – and closer to an app’s users – rather than load those files from the app’s servers. As a result, any files on the S3 buckets could be indirectly viewed and accessed through the CDN, regardless of their individual security settings.”

Google Cloud users have experienced similar cloud configuration challenges. Last September, a Comparitech survey of 2,064 Google Cloud Buckets found 6 percent of Google Cloud buckets are misconfigured and open to public view.

Time to Ramp-Up In-House Expertise
This widespread cloud vulnerability landscape is growing ever wider since businesses have had to quickly shift to a remote work setup in the wake of the pandemic. And malicious actors have taken notice.

According to a report from Accurics last spring, 93 percent of cloud deployments analyzed were misconfigured and one in two had unprotected credentials stored in container configuration files.

“The only way to reduce such exposures is to detect and resolve policy violations earlier in the development lifecycle and ensure that cloud native infrastructure is provisioned securely to begin with,” the report recommended. “As organizations embrace infrastructure-as-code (IaC) to define and manage cloud native infrastructure, it becomes possible to codify policy checks (policy-as-code) into development pipelines.”
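The Pray.com case above, private objects served to anyone through CloudFront, is exactly the gap a scan of bucket settings alone misses. The following added example, not Threatpost's, vpnMentor's or any vendor's code, is a policy-as-code check of the kind the report recommends, run over constructed inventory data laid out like the dicts boto3 returns from cloudfront.get_distribution_config() and s3.get_public_access_block() (that layout and the bucket names are assumptions).

```python
"""Policy-as-code check for the "private bucket, public CDN" gap described above.

Added example (not Threatpost's, vpnMentor's or any vendor's code). The inputs
are constructed here and follow the key layout that boto3 returns from
cloudfront.get_distribution_config() and s3.get_public_access_block(); that
layout and the bucket names are assumptions, adapt them to your inventory tool.
"""
import copy

# Constructed sample: CloudFront reaches the bucket through an origin access
# identity (OAI), so it can read objects that are private to everyone else,
# but the default behaviour requires no signed URLs or signed cookies.
SAMPLE_DISTRIBUTION = {
    "Id": "EXAMPLEDISTID",  # placeholder
    "DistributionConfig": {
        "Origins": {
            "Quantity": 1,
            "Items": [{
                "Id": "s3-donations",
                "DomainName": "example-donations.s3.amazonaws.com",  # placeholder
                "S3OriginConfig": {
                    "OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"
                },
            }],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": "s3-donations",
            "TrustedSigners": {"Enabled": False, "Quantity": 0},
            "TrustedKeyGroups": {"Enabled": False, "Quantity": 0},
        },
        "CacheBehaviors": {"Quantity": 0},
    },
}

# Constructed sample: the bucket itself blocks all public access, so a scan
# that only looks at bucket settings would report it as safe.
SAMPLE_PUBLIC_ACCESS_BLOCKS = {
    "example-donations.s3.amazonaws.com": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    },
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def bucket_is_public(pab):
    """A bucket counts as public unless all four public-access-block flags are on."""
    return not all(pab.get(flag, False) for flag in PAB_FLAGS)


def behavior_requires_signing(behavior):
    """CloudFront only enforces signed URLs/cookies when trusted signers or
    trusted key groups are enabled on the cache behaviour. WAF rules or edge
    functions that add their own authentication are not modelled here."""
    return bool(behavior.get("TrustedSigners", {}).get("Enabled")
                or behavior.get("TrustedKeyGroups", {}).get("Enabled"))


def find_exposures(distribution, public_access_blocks):
    """Return (bucket, reason) findings for every S3 origin of a distribution."""
    cfg = distribution["DistributionConfig"]
    behaviors = [cfg["DefaultCacheBehavior"]]
    behaviors += cfg.get("CacheBehaviors", {}).get("Items", [])
    findings = []
    for origin in cfg["Origins"]["Items"]:
        if "S3OriginConfig" not in origin:
            continue  # custom (non-S3) origins are out of scope here
        bucket = origin["DomainName"]
        if bucket_is_public(public_access_blocks.get(bucket, {})):
            findings.append((bucket, "bucket allows public access"))
        uses_oai = bool(origin["S3OriginConfig"].get("OriginAccessIdentity"))
        serving = [b for b in behaviors if b.get("TargetOriginId") == origin["Id"]]
        if uses_oai and any(not behavior_requires_signing(b) for b in serving):
            findings.append((bucket, "private objects served to anyone via CloudFront "
                                     "(OAI present, no signed URLs or key groups)"))
    return findings


def with_signed_urls(distribution):
    """The corrected configuration: same distribution, but viewers must present
    a URL signed by a trusted key group before CloudFront serves an object."""
    fixed = copy.deepcopy(distribution)
    fixed["DistributionConfig"]["DefaultCacheBehavior"]["TrustedKeyGroups"] = {
        "Enabled": True, "Quantity": 1, "Items": ["EXAMPLEKEYGROUP"]}  # placeholder
    return fixed


if __name__ == "__main__":
    for bucket, reason in find_exposures(SAMPLE_DISTRIBUTION, SAMPLE_PUBLIC_ACCESS_BLOCKS):
        print(f"FINDING {bucket}: {reason}")
    print("after fix:", find_exposures(with_signed_urls(SAMPLE_DISTRIBUTION),
                                       SAMPLE_PUBLIC_ACCESS_BLOCKS))
```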

Securing the cloud, and the sensitive data stored in it, needs to become a top priority at all levels of organizations both for protecting the business reputation, as well as the bottom line, researchers warned.

“Countless organizations of all sizes blindly move their data to the cloud without proper training of their IT personnel,” Kolochenko added. “Eventually, this leads even to larger disasters than criminal data breaches. Worse, cybercriminals are well aware of the myriad of misconfigured cloud instances, and continuously monitor the entire internet for such low-hanging fruit. Such attacks, unless exposed by the media or security researchers, are virtually undetectable and thus extremely dangerous: the integrity of your trade secrets and most sensitive data may suddenly get into the hands of your competitors, malicious nation-state actors and organized crime.”


French pharmaceuticals distribution platform Apodis Pharma leaking 1.7+ TB of confidential data
2.12.2020 
Incindent  Securityaffairs

The CyberNews investigation team discovered French pharmaceuticals distribution platform Apodis Pharma leaking 1.7+ TB of confidential data.
Original post @ https://cybernews.com/security/french-pharmaceuticals-distribution-platform-leaking-1-7-tb-confidential-data/

The CyberNews investigation team discovered an unsecured, publicly accessible Kibana dashboard of an ElasticSearch database containing confidential data belonging to Apodis Pharma, a software company based in France.

Apodis Pharma is a company that offers a digital supply chain management platform and other software solutions created for pharmacies, healthcare institutions, pharmaceutical laboratories, and health insurance companies.

The database discovered by CyberNews contains over 1.7 TB of confidential business-related data, including pharmaceutical sales data, full names of Apodis Pharma partners and employees, client warehouse stock statistics, pharmaceutical shipment locations and addresses, and more.

On November 17, Apodis Pharma closed the database – it is no longer accessible to the public.

What’s in the database?
The unsecured Apodis Pharma ElasticSearch database contains seven unique indexes, which include the following:

An archive of confidential pharmaceutical shipment data, shipment storage status, the precise times and locations of where the shipments have been picked up by sellers or distributors, as well as the quantity of pharmaceuticals in the shipments.
An archive of 25,000+ partner and client organizations, such as pharmaceutical laboratories and pharmacies, serviced by the Apodis Pharma distribution platform.
Two archives of products stored in Apodis Pharma client warehouses, containing 17,324,382 entries and 32,960,114 entries each. The archives include product data like product quantities and IDs, as well as warehouse data.
An archive of confidential product sales data containing 17,556,928 quarterly entries that includes information such as sales dates, locations, prices, and quantities sold between Apodis Pharma clients like pharmaceutical laboratories and pharmacies.
An archive of user data containing 4,436 entries, including full names of people who appear to be Apodis Pharma clients, partners, and employees.
Consumer and client data visualizations and analytics, including consumer gender statistics, and presumably confidential client sales and warehouse stocks charts.

Storing confidential client and patient data on a publicly accessible server without any kind of authentication process in place is highly dangerous, especially for organizations related to pharmaceuticals – during a worldwide pandemic.

Who had access to the database?
At the time of writing this report, it is still unclear who had access to the publicly available Apodis Pharma database.

However, the database has already been indexed on at least one popular IoT search engine, which means that there is almost no doubt that the data has been accessed and possibly downloaded by outside parties for potentially malicious purposes.

What’s the impact of the Apodis Pharma leak?
Malicious actors with unauthorized access to this database could cause a lot of damage not only to the clients of Apodis Pharma, but also to untold numbers of unsuspecting patients across France.

Attackers could leak the confidential information to severely damage trust in the company, or blackmail Apodis Pharma and its clients by hijacking the database and holding it hostage.
Malicious actors with an intention to disrupt the pharmaceutical supply chain in France could meddle with client and patient names, prices, addresses, and product IDs in order to cause widespread confusion, mix-ups, and – potentially – drug shortages across more than 25,000 laboratories, warehouses, and pharmacies across France during a pandemic.
Intruders could download the database and sell it to the competitors of Apodis Pharma clients, who would be able to make business decisions based on the confidential information found in the database.

“Unfortunately, server-side data leaks like this are still common these days. While some companies might think that leaving their Kibana dashboards accessible to the public is no big deal, 1.7TB of information is a very tempting target for cybercriminals. Malicious actors will jump at the opportunity to either steal or ransom such a massive amount of company data. After noticing one misconfiguration, they can then begin to probe the rest of the company’s defenses, looking for other, even more lucrative blind spots, which might result in far more damage than the initial leak. This is why all organizations – from small businesses to the largest multinationals – should make sure to shore up their cyber defenses before it’s too late,” said CyberNews.com Senior Writer & Researcher Edvardas Mikalauskas.

Disclosure
Following our vulnerability disclosure guidelines, we notified Apodis Pharma about the misconfiguration on October 22. However, we received no reply. Our follow-up communications were left unanswered as well. We then reached out to CERT France on October 29 in order to help secure the database. CERT contacted Apodis Pharma and informed the company about the misconfiguration.

However, more than two weeks later, the database was still publicly accessible. For this reason, we reached out directly to Apodis Pharma CTO Mathieu Bolard on November 16, who had the issue fixed the following day.


The global impact of the Fortinet 50.000 VPN leak posted online
27.11.20 
Incindent  Securityaffairs

The global impact of the Fortinet 50.000 VPN leak posted online, with many countries impacted, including Portugal.
A compilation of one-line exploits for the vulnerability tracked as CVE-2018-13379, which could be used to steal VPN credentials from nearly 50.000 Fortinet VPN devices, has been posted online.

The vulnerability is an improper limitation of a pathname to a restricted directory (“Path Traversal”) in the SSL VPN web portal of Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, which allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. According to NIST NVD, the flaw has a CVSS base score of 9.8 – CRITICAL.

The compilation contains 49,577 IP addresses vulnerable to Fortinet SSL VPN CVE-2018-13379, according to Bank Security, who first noticed the leak on Twitter.

In detail, the exploitation of the critical Fortinet vulnerability puts the attacker in a privileged place, with access to the sensitive “sslvpn_websession” files from Fortinet VPNs.

After analyzing the leaked data, we noticed the list of vulnerable targets includes domains belonging to large enterprises, financial institutions, and government organizations from all over the world. In order to understand the volume and impact of this threat, we organized all the data on a geographic map presented below.

As observed, the USA is the most impacted country, with a total of 10.103 vulnerable devices shared in this leak. China, Japan, Korea, Brazil, Germany, United Kingdom, Spain, Italy, and France complete the TOP 10 most impacted countries. Portugal can also be found in this list, with 136 vulnerable devices. The complete list from this analysis is presented next.

Complete list of affected countries

10103 United States
6336 China
2821 Japan
2543 Korea
2280 Brazil
2212 Germany
2127 United Kingdom
1547 Spain
1370 Italy
1294 France
1096 Australia
981 Russian Federation
847 Netherlands
761 Argentina
688 Taiwan
648 Canada
575 Egypt
569 Colombia
520 South Africa
444 India
424 Poland
400 Sweden
397 Indonesia
384 Denmark
374 Mexico
367 Switzerland
364 Turkey
353 Chile
344 Viet Nam
325 Venezuela
308 Ukraine
267 Hong Kong
253 Pakistan
238 Hungary
226 Finland
220 New Zealand
217 Czech Republic
206 Romania
177 Belgium
163 Austria
153 Iran
147 Philippines
136 Portugal
135 Estonia
128 Norway
123 Saudi Arabia
122 Peru
118 Ireland
113 Panama
110 Thailand
104 Malaysia
88 Kuwait
87 Israel
77 Uruguay
73 Azerbaijan
69 Singapore
61 United Arab Emirates
59 El Salvador
58 Bangladesh
55 Slovenia
53 Greece
51 Belarus
51 Kenya
46 Bulgaria
45 Paraguay
45 Slovakia
43 Oman
41 Ecuador
41 Lithuania
41 Morocco
38 Honduras
37 Dominican Republic
31 Guatemala
31 Seychelles
30 Puerto Rico
24 Latvia
22 Macedonia
21 Luxembourg
20 Qatar
19 Kazakhstan
19 Kyrgyzstan
18 Nicaragua
17 Croatia
17 Cyprus
17 Lebanon
16 Algeria
15 Jordan
14 Bahrain
14 Costa Rica
12 Ghana
12 Moldova
12 Syrian Arab Republic
11 Nigeria
11 Uzbekistan
10 Bolivia
10 Holy See (vatican City State)
10 Iraq
10 Trinidad And Tobago
9 Bosnia And Herzegovina
9 Iceland
8 Cameroon
8 Palestinian Territory
8 Tanzania
7 Georgia
7 Ivory Coast
7 Mauritius
7 Myanma
7 Zambia
6 Angola
6 Armenia
6 Mozambique
6 Sri Lanka
5 French Polynesia
5 Liberia
5 Montenegro
4 Palau
4 Tunisia
3 Afghanistan
3 Aruba
3 Fiji
3 Malawi
3 Nepal
2 Aland Islands
2 Bahamas
2 Bermuda
2 Cuba
2 Guam
2 Rwanda
2 Uganda
1 Andorra
1 Belize
1 Benin
1 Botswana
1 Cambodia
1 Cayman Islands
1 Guinea
1 Martinique
1 Papua New Guinea
1 Republic of the Congo
1 Reunion
Some days after the leak, another thread on the same forum was published. A threat actor shared the data dumped from the list of vulnerable devices, containing the “sslvpn_websession” file for every IP.

As observed, these files reveal usernames, passwords, access levels (e.g., “full-access”, “root”), and the original unmasked IP addresses of the users connected to the VPNs.

The details exfiltrated from the vulnerable Fortinet VPNs, also posted on the forum, come as a file of a few megabytes that expands to over 7 GB when decompressed.

The exposure of passwords in these files can be abused by criminals to connect to the organization’s internal networks and bypass security restrictions, since in some cases the leaked accounts are high-privileged. In other scenarios, these credentials could be reused by anyone with access to this dump to perform credential stuffing attacks.

Impact of this leak
Although this flaw was disclosed more than a year ago, several companies have yet to patch their systems, despite the many warnings from security experts. As a result of this leak, an attacker can access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then be used to compromise a network and deploy malware.

In Portugal, 136 devices are vulnerable and were shared in this leak.
Many professionals have already validated these credentials. The next images show a successful login to the Fortinet VPN portal of a random organization and a successful authentication through the Fortinet VPN client with a leaked password.


Last but not least, this is the time to implement an efficient patch management process and to fix a vulnerability two years after its public disclosure.

Affected Products
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12

(other branches and versions than above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
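As an added example (not code from the article or from Fortinet), the following Python helper encodes the affected ranges and the "only if SSL VPN is enabled" condition above, so an inventory of FortiOS version strings can be triaged for CVE-2018-13379 before the next leak appears. Device names and version strings in the sample inventory are constructed.

```python
"""Inventory triage for CVE-2018-13379 using the affected FortiOS ranges and
the "only if SSL VPN is enabled" condition listed above.

Added example, not code from the article or from Fortinet. The device
inventory at the bottom is constructed sample data.
"""
import re
from dataclasses import dataclass

# Affected versions per branch, inclusive on both ends (from the advisory text).
AFFECTED_RANGES = {
    (6, 0): ((6, 0, 0), (6, 0, 4)),
    (5, 6): ((5, 6, 3), (5, 6, 7)),
    (5, 4): ((5, 4, 6), (5, 4, 12)),
}
# First fixed release on each affected branch; 6.2.0 and later are also fixed.
FIXED_VERSIONS = {(5, 4): (5, 4, 13), (5, 6): (5, 6, 8), (6, 0): (6, 0, 5)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn strings such as 'v6.0.4,build0231' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_version(version):
    """True if the version falls inside one of the affected ranges.

    Other branches (e.g. 6.2.x) and versions outside the ranges are not affected.
    """
    rng = AFFECTED_RANGES.get(version[:2])
    if rng is None:
        return False
    low, high = rng
    return low <= version <= high  # tuple comparison: 6.0.10 > 6.0.4 as intended


@dataclass
class Device:
    name: str
    version: str          # FortiOS version string as reported by the device
    sslvpn_enabled: bool  # web-mode or tunnel-mode SSL VPN enabled?


def assess(device):
    """Classify one device and return (status, remediation-or-None)."""
    version = parse_version(device.version)
    if not is_affected_version(version):
        return "not-affected", None
    fixed = FIXED_VERSIONS[version[:2]]
    advice = "upgrade to FortiOS %d.%d.%d or later (or 6.2.0 and above)" % fixed
    if not device.sslvpn_enabled:
        # The advisory scopes the flaw to enabled SSL VPN, but the code is still
        # there: flag it so the upgrade happens before anyone enables the service.
        return "affected-version-sslvpn-disabled", advice
    return "vulnerable", advice


def triage(devices):
    """Map device name -> (status, advice) for a whole inventory."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_DEVICES = [
    Device("fw-branch-1", "v6.0.3,build0200", True),
    Device("fw-branch-2", "v6.0.3,build0200", False),
    Device("fw-hq", "v6.0.5,build0268", True),
    Device("fw-legacy", "5.4.12", True),
    Device("fw-new", "6.2.0", True),
]

if __name__ == "__main__":
    for name, (status, advice) in triage(SAMPLE_DEVICES).items():
        print(f"{name:12} {status:36} {advice or ''}")
```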

More details here: https://www.fortiguard.com/psirt/FG-IR-18-384

Original Post at https://seguranca-informatica.pt/the-global-impact-of-the-fortinet-50-000-vpn-leak-posted-online/#.X8Dk581Kg2x


Details of 16 million Brazilian COVID-19 patients exposed online
27.11.20  Incindent  Securityaffairs

The personal and health details of more than 16 million Brazilian COVID-19 patients, including Government representatives, have been exposed online.
Personal and health details of more than 16 million Brazilian COVID-19 patients have been accidentally exposed online due to an error by an employee of a Brazilian hospital.

An employee of Albert Einstein Hospital in São Paulo uploaded a spreadsheet containing usernames, passwords, and access keys to sensitive government systems on GitHub.

The spreadsheet contained the login credentials for several systems, including the E-SUS-VE and Sivep-Gripe applications that are used to manage data on COVID-19 patients.

The archive includes data belonging to government representatives, including Brazil President Jair Bolsonaro, seven ministers, and 17 provincial governors.

The exposed data includes patient names, addresses, ID information, but also healthcare records such as medical history and medication regimes.
The data leak was discovered by a GitHub user who found the spreadsheet containing the credentials on the GitHub account associated with the hospital employee.

The user shared his discovery with the Brazilian newspaper Estadao, which notified the Brazilian Ministry of Health and the hospital.

The spreadsheet was promptly removed from GitHub and the passwords and the access keys for the systems were changed.


Sophos notifies data leak after a misconfiguration
27.11.20  Incindent  Securityaffairs

The cyber-security firm Sophos is notifying customers via email about a security breach that took place earlier this week.
ZDNet reported that the cyber-security firm Sophos is notifying customers via email about a security breach; the company became aware of the incident on November 24.

“On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” reads the email sent to customers and obtained by ZDNet.

“At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers,” the company said. “Additionally, we are implementing additional measures to ensure access permission settings are continuously secure.”

According to the company, exposed information included customer first and last names, email addresses, and phone numbers (optional).

A Sophos spokesperson revealed that only a “small subset” of the company’s customers were affected. At the time of writing the exact number of affected customers is still unknown.

Sophos became aware of the misconfiguration after it was alerted by a security researcher. The company immediately addressed the issue the same day.

In April, the security firm released an emergency patch to address an SQL injection zero-day vulnerability affecting its XG Firewall product that has been exploited in the wild.

The company investigated the incident and determined that hackers were targeting systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.


Belden discloses data breach as a result of a cyber attack
26.11.20  Incindent  Securityaffairs

Belden, the manufacturer of networking and cable products, disclosed a data breach, threat actors have stolen employee and business information.
The manufacturer of networking and cable products Belden disclosed a data breach; the company revealed that attackers gained “unauthorized access and copying of some current and former employee data, as well as limited company information regarding some business partners.”

“Belden was the target of a sophisticated attack by a party outside the company that accessed servers that contained personal information of some current and former Belden employees, as well as limited company information regarding some of our business partners.” reads a statement published by the company.

“Our IT professionals were able to detect the unusual activity and believe we have stopped further unauthorized access of personal data on our servers.”

The IT staff detected suspicious activity on the company’s infrastructure and, with the help of third-party forensic experts, determined it was the victim of a “sophisticated attack.”

The company said the breach did not impact operations at manufacturing plants, quality control or shipping; it added that attackers only had access to a “limited number” of company servers.

The company announced it has locked the threat actor out of its network, but it is still investigating the incident.

Belden notified the impacted employees and offered them free monitoring and support services.

“Personal information accessed and stolen may have contained such information as names, birthdates, government-issued identification numbers (for example, social security / national insurance), bank account information of North American employees on Belden payroll, home addresses, email addresses and other general employment-related information. Limited company information accessed and stolen related to some of our business partners include bank account data and, for U.S. partners, their taxpayer ID numbers.” continues the statement.

“We are notifying all affected employees and business partners and are taking steps to provide individuals with free monitoring and support services, where available. We have also notified appropriate regulatory and law enforcement authorities who are assisting with the investigation. We sincerely regret any inconvenience this situation may cause all impacted individuals.”
The firm is also notifying affected business partners.
“Safety is always paramount at Belden and we take threats to the privacy of personal and company information very seriously,” stated Roel Vestjens, president and CEO of Belden. “We regret any complications or inconvenience this incident may have caused and are offering assistance to those individuals who may have been impacted.”


Retail giant Home Depot agrees to a $17.5 million settlement over 2014 data breach
25.11.20  Incindent  Securityaffairs

Retail giant Home Depot has agreed to a $17.5 million settlement in a multi-state investigation of the data breach that the company suffered in 2014.
The largest US home improvement retailer, Home Depot, has agreed to a $17.5 million settlement over the 2014 data breach.

In 2014, Home Depot revealed that the data breach impacted 56 million customers across the US and Canada. According to the US retailer, the payment card information of approximately 40 million Home Depot consumers nationwide was exposed. Online customers were not impacted by the security breach.

The settlement was announced by Delaware Attorney General Kathy Jennings this week; it confirmed that 46 states have reached an agreement with the US company.

Hackers compromised the company point-of-sale (PoS) systems with malware that was designed to steal payment card data.

Home Depot also agreed to implement and maintain additional security practices in the future to prevent similar attacks.

Below are the security provisions agreed to in the settlement:

Employing a duly qualified Chief Information Security Officer reporting to both the Senior or C-level executives and Board of Directors;
Providing resources necessary to fully implement the company’s information security program;
Providing appropriate security awareness and privacy training to all relevant personnel;
Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
Undergoing a post-settlement information security assessment to evaluate The Home Depot’s implementation of the information security program.

“Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts AG Maura Healey. “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”


Hundreds of female sports stars and celebrities have their naked photos and videos leaked online
23.11.20  Incindent  Securityaffairs

Hackers have stolen naked photos and videos from hundreds of female sports stars and celebrities and leaked them online.
Threat actors have stolen naked photos and videos from hundreds of female sports stars and celebrities and leaked them online.

The attack took place in the same hours as hackers hit Manchester United, and brings back to mind the Fappening cases that exposed a cache of nude photos and videos of celebrities online back in 2014.

Now explicit content stolen from the phones of four unnamed British athletes was posted online.

The athletes are now evaluating all the options to have the photos and videos removed from the internet, but they know that it is quite impossible.

“The hack, which the athletes became aware of this week, has caused panic and one leading sports agency has advised its clients to take extra measures to protect their private data.” reported The Times.

The situation is embarrassing: one of the athletes reportedly had about 100 images stolen, while hackers leaked more than 30 pictures and videos belonging to another athlete.
“The athletes, who had photographs and videos stolen from their phones, were considering steps last night to have the material removed from the dark net.“

“It really is difficult to know what to do next,” an agent of one of the impacted athletes told The Times. “The people who do this are sick. We have seen some very unpleasant cases, even where people have been blackmailed over [stolen] material.”

“It can take years to pursue, just to get it taken down from the internet. As a victim you have to decide if you want to go through it.”

“Accessing and then leaking people’s personal data is utterly reprehensible, and we would urge everyone to take steps to secure their online accounts,” a spokesman for the National Cyber Security Centre said.

One of the most effective countermeasures to prevent this kind of incident is to enable multi-factor authentication on every service that supports it.

“The NCSC recommends people turn on two-factor authentication where it’s available.” continues NCSC’s spokesman.

“We also recommend a strong password made up of three random words to reduce the likelihood of being hacked, and important accounts should use a unique password.”

“The NCSC’s Cyber Aware website has actionable steps to stay secure.”


Threat actor shared a list of 49,577 IPs of vulnerable Fortinet VPNs
23.11.20  Incindent  Securityaffairs

A threat actor has published online a list of one-line exploits to steal VPN credentials from over 49,000 vulnerable Fortinet VPNs.
A threat actor, who goes online with the moniker “pumpedkicks,” has leaked online a list of one-line exploits that could be used to steal VPN credentials from almost 50,000 Fortinet VPN devices.

Researchers from Bank Security first reported the availability of the list of 49,577 IPs vulnerable to Fortinet SSL VPN CVE-2018-13379.

The list includes devices belonging to big enterprises, financial institutions, and government organizations across the world.

The Fortinet VPN devices included in the list are vulnerable to CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files, upload malicious files on unpatched systems, and take over Fortinet VPN servers.
The popular researcher Ax Sharma, who analyzed the exploit shared by the threat actor, explained that it could allow attackers to access the sslvpn_websession files from Fortinet VPNs to steal login credentials.

Upon obtaining the stolen credentials, attackers could use them to gain access to the target networks and carry out multiple malicious operations, such as manually delivering malware and ransomware.
Since August 2019, the popular cybersecurity expert Kevin Beaumont has reported that threat actors were attempting to exploit the CVE-2018-13379 in the FortiOS SSL VPN web portal and CVE-2019-11510 flaw in Pulse Connect Secure.


CISA and FBI have recently observed attacks carried out by APT actors that chained the CVE-2018-13379 and CVE-2020-1472 flaws.

Government experts explained that attackers are combining these two flaws to hijack Fortinet servers and use them as an entry point in government networks, then take over internal networks using the Zerologon flaw to compromise all Active Directory (AD) identity services.

According to Ax Sharma, the list of vulnerable Fortinet VPNs includes over four dozen IPs belonging to major banking, finance, and governmental organizations.

The most worrisome aspect of this discovery is that, although CVE-2018-13379 is a well-known vulnerability, many organizations have yet to fix it more than two years after its public disclosure.

This means that the affected organizations are failing to implement an efficient patch management process.


Researchers Find Tens of AWS APIs Leaking Sensitive Data
18.11.20  Incindent  Securityweek

Palo Alto Networks security researchers identified more than 20 Amazon Web Services (AWS) APIs that can be abused to obtain information such as Identity and Access Management (IAM) users and roles.

The same attack could be leveraged to abuse 22 APIs across 16 different AWS services to obtain the roster of an account, get a glimpse into an organization’s internal structure, and leverage the information to launch targeted attacks against specific individuals.

According to the security researchers who identified the vulnerable APIs, the attack works across all three AWS partitions (aws, aws-us-gov or aws-cn). AWS services susceptible to abuse include Amazon Simple Storage Service (S3), Amazon Key Management Service (KMS), and Amazon Simple Queue Service (SQS).

“The root cause of the issue is that the AWS backend proactively validates all the resource-based policies attached to resources such as Amazon Simple Storage Service (S3) buckets and customer-managed keys,” Palo Alto Networks explains.

A Principal field is typically included in resource-based policies to specify the users or roles with access to the resource. However, if a nonexistent identity is included in the policy, the API call to create or update the policy fails, and an attacker can abuse this behaviour to check which identities exist in an AWS account.

By repeatedly invoking the vulnerable APIs with different principals, an adversary can enumerate the targeted account’s users and roles. What’s more, the enumeration is not visible from the targeted account, because the API logs and error messages are available only for the “attacker’s account where the resource policies are manipulated,” the researchers note.

Detection and prevention of such an attack are rather difficult, since the adversary is not time-restricted when performing reconnaissance on random or targeted AWS accounts.

The IAM security best practices Palo Alto Networks recommends for organizations looking to mitigate the issue include reducing the attack surface by removing inactive users and roles, making usernames and role names difficult to guess by adding random strings to them, logging and monitoring identity authentication activities, using two-factor authentication (2FA), and logging in through an identity provider and federation.

“Good IAM security hygiene can still effectively mitigate the threats from this type of attack. Although it’s not possible to prevent an attacker from enumerating identities in AWS accounts, the enumeration can be made more difficult and you can monitor for suspicious activities taken after the reconnaissance,” the researchers note.
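Two of the mitigations above (removing inactive identities and making names hard to guess) can be checked mechanically. The following Python audit is an added example, not code from Palo Alto Networks or AWS; it works on plain dicts that mirror the key names boto3 returns from `iam.list_users()` and `iam.get_role()`, so it runs offline, and the identities, the 90-day threshold and the list of common names are constructed assumptions.

```python
"""IAM hygiene checks against the identity enumeration described above.

Added example, not code from Palo Alto Networks or AWS. It operates on plain
dicts that mirror the key names boto3 returns from iam.list_users() and
iam.get_role() (UserName/PasswordLastUsed, RoleName/RoleLastUsed), so it runs
offline; the identities below are constructed sample data, and wiring in live
boto3 output is left to the caller.
"""
import re
from datetime import datetime, timedelta, timezone

# Names an enumeration attempt would try first (constructed; extend per org).
COMMON_NAMES = {"admin", "administrator", "root", "backup", "deploy", "jenkins",
                "terraform", "ci", "dev", "test", "readonly", "audit"}
INACTIVE_AFTER = timedelta(days=90)  # assumed inactivity threshold
# A "random string" suffix: 8+ alphanumerics after the last '-' or '_'.
_SUFFIX_RE = re.compile(r"[-_]([A-Za-z0-9]{8,})$")


def has_random_suffix(name):
    """True if the name ends in a suffix that mixes letters and digits."""
    m = _SUFFIX_RE.search(name)
    if not m:
        return False
    suffix = m.group(1)
    return any(c.isdigit() for c in suffix) and any(c.isalpha() for c in suffix)


def last_activity(identity):
    """Most recent use we know of; falls back to creation date if never used."""
    if "UserName" in identity:
        return identity.get("PasswordLastUsed") or identity["CreateDate"]
    role_used = identity.get("RoleLastUsed", {}).get("LastUsedDate")
    return role_used or identity["CreateDate"]


def audit(identities, now):
    """Return (kind, name, finding) tuples for identities that weaken the
    mitigations listed in the text: stale identities and guessable names."""
    findings = []
    for ident in identities:
        kind = "user" if "UserName" in ident else "role"
        name = ident["UserName"] if kind == "user" else ident["RoleName"]
        if now - last_activity(ident) > INACTIVE_AFTER:
            findings.append((kind, name, "inactive: remove or disable"))
        if name.lower() in COMMON_NAMES:
            findings.append((kind, name, "common name: trivially guessable"))
        elif not has_random_suffix(name):
            findings.append((kind, name, "no random suffix: easy to guess"))
    return findings


NOW = datetime(2020, 11, 18, tzinfo=timezone.utc)
SAMPLE_IDENTITIES = [  # constructed sample data
    {"UserName": "admin", "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": NOW - timedelta(days=200)},
    {"UserName": "alice-x7q9m2kp", "CreateDate": NOW - timedelta(days=30),
     "PasswordLastUsed": NOW - timedelta(days=1)},
    {"RoleName": "deploy", "CreateDate": NOW - timedelta(days=10)},
    {"RoleName": "lambda-exec-a81f3c0z", "CreateDate": NOW - timedelta(days=300),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=5), "Region": "us-east-1"}},
]

if __name__ == "__main__":
    for kind, name, finding in audit(SAMPLE_IDENTITIES, NOW):
        print(f"{kind:5} {name:24} {finding}")
```

Renaming flagged identities only helps once the old names are gone, so pair the rename with removal of the old user or role; the logging and federation recommendations still apply regardless of what this audit reports.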


COVID-19-Related Data Breach Affects Thousands in Delaware
17.11.20  Incindent  Securityweek

Public health officials in Delaware on Sunday disclosed that the personal information of thousands of people who were tested for the coronavirus this summer was mistakenly shared with an unauthorized individual.

The state’s Division of Public Health said the data breach happened when a temporary staff member sent two unencrypted emails in August that included files with the test results, names, dates of birth and phone numbers of 10,000 people. The files did not include financial information, the Delaware State News reported.

The emails were meant to be distributed among the employees of a call center who help people obtain their test results, but the temporary agency staffer sent it to an unauthorized user by mistake, officials said. The person who received the emails on Aug. 13 and Aug. 20 alerted the division about the error and reported deleting the messages.

The first email had the information of people tested between July 16 and Aug. 10. The second email included the data of people tested on Aug. 15.

The agency said officials have reported the breach to the U.S. Department of Health and Human Services and the Delaware Department of Justice. In addition, the agency will open a call center dedicated to providing information about the data breach. People with questions can call 1-833-791-1663 starting Monday.

The person who sent the emails is no longer employed by the agency. Staff were retrained on the appropriate policies and procedures.


Ticketmaster Scores Hefty Fine Over 2018 Data Breach

14.11.20  Incindent  Threatpost
The events giant faces a GDPR-related penalty in the U.K., and more could follow.

Ticketmaster’s UK division has been slapped with a $1.65 million fine by the Information Commissioner’s Office (ICO) in the UK, over its 2018 data breach that impacted 9.4 million customers.

The fine (£1.25 million) has been levied after the ICO found that the company “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page”, a failure which violates the E.U.’s General Data Protection Regulation (GDPR).

In June 2018, the ticket-selling giant said that it found malware within a customer chat function for its websites, hosted by Inbenta Technologies. Worryingly, the malicious code was found to be accessing an array of information, including name, address, email address, telephone number, payment details and Ticketmaster login details. It later came to light that the attack was the work of the Magecart gang, known for injecting payment skimmers into vulnerable website components.

The malware managed to stay under the radar for months as well, Ticketmaster admitted at the time. The breach affected international customers who purchased, or attempted to purchase, event tickets between September 2017 and late June 2018; while UK users were impacted between February and June 2018.

U.S. customers were not affected.

The UK portion of the breach began in February 2018 when Monzo Bank customers reported fraudulent transactions, the ICO said.

“The Commonwealth Bank of Australia, Barclaycard, Mastercard and American Express all reported suggestions of fraud to Ticketmaster,” according to the regulator’s announcement of the fine. “But the company failed to identify the problem.”

Thus, the ICO found that Ticketmaster not only failed to look into risks and appropriate security measures for the chatbot, but that it didn’t identify the issue in a timely manner.

The watchdog group also determined that the breach did in fact lead directly to widespread fraud.

“Investigators found that, as a result of the breach, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud,” according to the ICO. “Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use.”

Although the UK portion of the breach began in February 2018, the penalty only relates to the issues starting in May 2018, when new rules under the GDPR came into effect.

Other Ticketmaster divisions were eventually found to be impacted by the Magecart attacks, which could lead to further GDPR fines.

Researchers at RiskIQ in 2018 uncovered evidence that the Inbenta attack was not a one-off, but instead indicative of a larger initiative involving successful breaches of many different third-party providers, including Inbenta, the SociaPlus social media integration firm, web analytics companies PushAssist and Annex Cloud, the Clarity Connect CMS platform and others.

RiskIQ also said that as a result, it found evidence the skimmer was active on a broader range of Ticketmaster websites than previously known, including Ticketmaster sites for Ireland, Turkey and New Zealand, among others.

“When customers handed over their personal details, they expected Ticketmaster to look after them,” said James Dipple-Johnstone, ICO deputy commissioner. “But they did not. Ticketmaster should have done more to reduce the risk of a cyberattack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”


Vertafore data breach exposed data of 27.7 million Texas drivers
13.11.20  Incindent  Securityaffairs

Vertafore announced that information of 27.7 million Texas drivers has been exposed in a data breach caused by a human error.
Vertafore announced that information of 27.7 million Texas drivers has been accidentally exposed due to human error. The company disclosed the security breach this week: the data was stored on an unsecured external storage service and was accessed by an external party.

Exposed data included Texas driver license numbers, names, dates of birth, addresses, and vehicle registration histories. The company pointed out that the data breach did not expose Social Security numbers or financial account information.

“Vertafore recently determined that as a result of human error, three data files were inadvertently stored in an unsecured external storage service that appears to have been accessed without authorization.” states the data breach notification published by the software provider.

“The files, which included driver information for licenses issued before February 2019, contained Texas driver license numbers, as well as names, dates of birth, addresses and vehicle registration histories. They did not contain any Social Security numbers or financial account information. No information misuse has been identified.”

The incident took place on March 11, and the data was secured on August 1. The company launched an investigation into the incident, which confirmed that the files had been accessed by an unauthorized third party.

The exposed files contained information on driver’s licenses issued before February 2019; this kind of data was held by the company through its insurance rating software product.

The company confirmed that no customer data or any other data belonging to partners, vendors, or other suppliers were impacted.
The investigation is still ongoing; Vertafore hired a prominent intelligence firm to determine whether the data has been abused by threat actors.

At the time of writing, there is no indication of data abuses or misuses.

The company reported the incident to relevant authorities including the Texas Attorney General, the Texas Department of Public Safety, the Texas Department of Motor Vehicles, and federal law enforcement.

Vertafore is also notifying Texas drivers whose data was exposed in the security breach and is offering them one year of free credit monitoring and identity restoration services.
“You may enroll in the free credit monitoring and identity restoration services. Additionally, although no financial information was impacted, it is always a good idea to remain vigilant, to review your account statements and to monitor your credit reports.” concludes the data breach notice.