Search This Blog

Showing posts with label Hacking. Show all posts

SRF: Investigation Links Qatar to FIFA Hacking and Ex-CIA Operative’s Firm


Qatar reveals to have launched a large-scale and long-standing operation against FIFA officials via ex-CIA operatives. With Switzerland serving as a key operator, the highest circles of the Qatari government were as well involved in the espionage operation that was working in secret. 

With the intelligence agents involved planned on swaying the world events in the operation and hackers stealing controversial information and data, the operation was in fact funded by an anonymous client with hundreds of millions of dollars. 

The issue came to light when an investigation by Swiss media SRF’s investigative team ‘SRF Investigativ’ shared details of how the state of Qatar had officials of the world football spied on. Additionally, the investigations showed how the non-FIFA critics of the upcoming World Cup were targeted as well. 

According to the English- version of the report by Tariq Panja from The York Times, The SRF News revealed that Qatar hired an ex-CIA operative Kevin Chalker’s “Global Risk Advisors” firm for “predictive intelligence” on FIFA officials who would attempt on moving the World Cup from the country, via their predictive intelligence efforts allegedly involving computer hacking through intermediaries. 

The ultimate goal of the said efforts is to prevent Qatar from losing the World Cup bid, following the massive criticism that was raised when FIFA awarded the tournament to the authoritarian country in 2010. 

The scope of the covert activities remains considerable, since at least 66 operators were expected to be deployed over the course of one sub-operation alone for over nine years. Moreover, a budget of $387 million was allocated for the operation, with the activities spanning five continents. 

The SRF investigations dig the credentials against the ex-CIA agent Chalker. The investigation deduces that initially, before the World Cup awarding in December 2010, Chalker apparently served as an espionage operator for various bids. But as the criticism raised regarding corruption and human rights violation after the 2010 World Cup was awarded, the target was eventually changed. Now, the goal shifted to preventing FIFA, from taking the World Cup from Qatar, at all costs. 

The investigation showed that Switzerland was the most prominent factor to Qatari intelligence operation. Since, Chalker travelled to Zurich at the demand of Qatar with the intention of bugging the hotel rooms of journalists and members of the Executive Committee. One of the documents revived, included photos taken covertly as a part of surveillance operation. These photographs were reportedly taken at Zurich’s plush Baur au Lac hotel, and showed individuals connected to FIFA meeting with officials and journalists. 

Apparently, FIFA mostly remined oblivious to the spy operation. Sepp Blatter, FIFA’s former President, commented in an interview with SRF, “That there was an organized espionage affair in FIFA, that surprised me. And it's alarming.” Although, several documents indicate that Blatter was of great interest to the spies. The documents mention, for instance, that Blatter’s “plans and intentions” ought to be known in advances. 

Besides, Chalker and Global Risk Advisors are currently dealing with a civil lawsuit, in regard to connection to similar alleged activities. The lawsuit was filed by former US president Donald Trump ally Elliot Broidy. Broidy accused Chalker and his company of a hacking attack on behalf of Qatar, after Broidy’s personal data was leaked to newspapers in 2018. Although, Chalker denies all allegations. The lawsuit is still pending.

Cyberattacks On Small Businesses: The US Economy’s ‘Achilles Heel’?

Small business firms play an important role when it comes to the economy, but they are more vulnerable to cyberattacks. 

At the time when Elena Graham, co-founder of Canada-based security service CYDEF, started selling cyber security software to smaller firms and businesses, business was relatively slow. However, now the demand is increasing, driven by a sharp rise in remote work that has exposed small businesses to cyberattacks. 

Since the start of the year, business at her security firm has tripled reaching an all-time high. "It was a total head-in-the-sand situation. 'It's not going to happen to me. I'm too small.' That was the overwhelming message that I was hearing five years ago. But yes, it is happening." says Elena. 

But with the booming security services, one can deduce that small businesses are comparatively at higher risk of being attacked by threat actors, than large businesses, as noted by Barracuda Networks.  

The risks were dramatically bolstered by the global pandemic. According to a report by RiskReconm, a Mastercard company that evaluated companies’ cyber-security risk, cyberattacks on small companies surged by more than 150% between 2020-21. 

"The pandemic created a whole new set of challenges and small businesses weren't prepared," says Mary Ellen Seale, chief executive of the National Cybersecurity Society, a non-profit that helps small businesses create cyber-security plans. 

In March 2020, at the peak of the pandemic, a survey of small businesses by broadcaster CNBC concluded that only 20% planned on investing in cyber-protection. 

Working remotely, during the pandemic, meant that more personal devices like smartphones, tablets, and laptops had access to sensitive corporate information.  

Lockdown, however, put a strain on budgets, curtailing the amount of money businesses could invest in security. Cybersecurity and costly in-house experts were frequently out of reach. Consequently, the weak cyber-security infrastructure was prone to cyber-attacks. 

With just one compromised supplier, cyber criminals could access networks of organizations further up the supply chain. According to Ms. Seale, "Large businesses depend on small businesses[…]They are the lifeblood of the United States, and we need a wake-up call." Small businesses account for more than 99% of companies in the US and employ nearly half of all Americans, playing a critical role in the global economy. In regard to this, Dr. Kim says they are like the economy's "Achilles heel". 

“They may be a small company but what they sell to large businesses could be very important. If they're hacked, [their product] won't be fed into supply chains and everything will be affected," Dr. Kim further adds. 

US Government Says Election Hacking Does Not Pose Any Threat


Despite the U.S. government's efforts to chill everyone out about election hacking less than a month before the midterm elections, the topic is still on many minds. 
According to a public service announcement, carried out on Tuesday, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) said they are aware that, as far as they know, an election hack has never been successful in the United States, and that it's unlikely there will be one anytime soon if it strikes.  
As stated in the announcement, "Neither the FBI nor CISA believes there is any evidence that cyber activity has prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, and affected the accuracy of voter registration information in their investigations" (emphasis in original). Considering the extensive safeguards in place and the distributed nature of election infrastructure, the FBI and the CISA continue to assess that it would be very difficult for any attempts to manipulate votes at scale to be unwittingly carried out."  
There has been a persistent campaign by some pro-Trump and GOP operatives and sympathizers for the past two years, including MyPillow CEO Mike Lindell, who spread unfounded conspiracy theories and sometimes even flat-out made-up claims of vote manipulation and hacking against voting systems across the country, leading to the announcement. Election security experts believe that the FBI and CISA's announcement appears to be all set to pre-empt these types of allegations. 
Matt Bernhard, a research engineer at the non-profit organization Voting Works, which focuses on election cybersecurity, told Motherboard in an online chat that this feels like a pre-bunking exercise.   
According to Professor Dan Wallach, an expert in electronic voting systems who taught at Rice University for many years. He has studied them; electronic voting systems are the future.  
“If we take it for what it says, it both focuses our attention on misinformation and ‘pre-bunks’ more sophisticated hacking operations,” Dan told Motherboard via email. 
It is pertinent to clarify, however, that “this does not mean we can relax about these sorts of sophisticated attacks. The election administrators are, to a specific degree, implementing cyber defenses, and they are currently working on improving them," he added. “Even though it is much easier to convince people that there has been tampering with the election than to do the tampering itself.”

Although election hacks have been rare and ineffective, and are unlikely, federal and state governments are prepared for any eventuality.  
"At the Department of Homeland Security, we are very intensely focused on the security of the elections," Minister Mayorkas, who serves as the secretary for the Department of Homeland Security, said earlier this week. There have been past reports on potential vulnerabilities in voting machines by Motherboard as well. However, there has not been any evidence that voting machines have been breached during an actual election that has happened in the past.

Researchers Recently Made the World's Websites Less Vulnerable to Hacking and Cyberattacks


An international team of researchers has created a scanning tool to reduce the vulnerability of websites to hacking and cyberattacks. The black box security assessment prototype, which was tested by engineers in Australia, Pakistan, and the UAE, outperforms existing web scanners, which collectively fail to detect the top ten weaknesses in web applications. 

Dr Yousef Amer, a mechanical and systems engineer at UniSA, is one of the co-authors of a new international paper that describes the tool's development in the wake of increasing global cyberattacks. Cybercrime cost the globe $6 trillion in 2021, representing a 300 percent increase in online criminal activity over the previous two years. 

Remote working, cloud-based platforms, malware, and phishing scams have resulted in massive data breaches, while the implementation of5G and Internet of Things (IoT) devices has made us more connected – and vulnerable – than ever. Dr. Yousef Amer and colleagues from Pakistan, the United Arab Emirates, and Western Sydney University highlight numerous security flaws in website applications that are costing organisations badly.

Because of the pervasive use of eCommerce, iBanking, and eGovernment sites, web applications have become a prime target for cybercriminals looking to steal personal and corporate information and disrupt business operations. Despite an anticipated $170 billion global outlay on internet security in 2022 against a backdrop of escalating and more severe cyberattacks, existing web scanners, according to Dr. Amer, fall far short of evaluating vulnerabilities.

“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” he says.

Almost 72% of businesses have experienced at least one serious security breach on their website, with vulnerabilities tripling since 2017. According to WhiteHat Security, a world leader in web application security, 86% of scanned web pages have on average 56% vulnerabilities. At least one of these is classified as critical. The researchers compared the top ten vulnerabilities to 11 publicly available web application scanners.

“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges. It’s basically a one-stop guide to ensure 100 per cent website security. There’s a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars,”Dr Amer stated.

Russia- Linked Sandworm Enacted Ukrainian Telecoms for Injecting Malicious Code

It was discovered that a Russian-based hacker known as Sandworm, impersonating Ukrainian telecommunications, targeted its entities and injected malware into them, leading to software infections throughout the country. 
The Sandworm is a group of hackers that are closely connected with the foreign military intelligence service of the Russian government called the GRU as a military unit 7445. It is an Advanced Persistent Threat (APT) group, which was responsible for several cyberattacks including on Ukrainian energy infrastructure. 
The recorded future was spying over the operations of government as well as private sectors. As per the report of “recorded future”, the rise in activities of Sandworm has been noticed since August 2022, tracked by the Computer emergency response team of Ukraine (CERT-UA). It is obvious from the frequency with which the Sandworm has been observed employing DNS domains for control and command infrastructure that it is a ruse to attack Ukrainian computers. 
Recorded Future further added in the report that, the APT group found a new infrastructure of UAC-0113, which imitates the operators such as Datagroup, and EuroTrans Telecom, which were responsible for placing DarkCrystal RAT, previously. 
The Recorded Future’s report entails “Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploy Colibri Loader and Warzone RAT malware.” 
This new infrastructure of Advanced persistent threat group UAC-0113 distributed the commodity malicious ISO Colibri Loader and Warzone RAT by using HTML smuggling. This smuggling technique uses legalized features of HTML and JavaScript to inject malicious codes under security controls. 
The super-hacker team of Russia, Sandworm, is popularly known for its cyberattacks on the Ukrainian electrical grid in 2015 and 2016. In further research, it was also found responsible for the dropping of a botnet known as “Cyclops Blink”, which subjugated internet-connected firewall devices, etc from WatchGuard and ASUS. 
This APT group had also captured U.S. software under its cyberattacks, due to which the U.S government announced a reward of $10 million for providing the information of the hackers behind this Russian threat actor group. 
There are several examples of domains being used as masquerade such as the domain “datagroup[.]ddns[.]net”, tracked by CERT-UA, in June. It impersonated the data group as its online portal. Another example of deception is Kyivstar, in which the domain “kyiv-star[.]ddns[.net” was used by Sandworm against Ukrainian telecom services.

Hackers Had Internal Access for 4 Days

Password management solution LastPass has confirmed that the company was hacked and the hackers had access to its development system for four days. The company stated in a blog post that nearly two weeks back, it detected some “unusual activity” in portions of its “LastPass development environment”, and immediately carried out an investigation for the same. 

As per the company’s reports, the hackers likely gained access to some of its source code through “a single compromised developer account”. The hackers were able to compromise a company developer’s endpoint to gain access to the Development environment, impersonating the developer after he “authenticated using multi-factor authentication,” which allowed them to get hold of some of the source code and “some proprietary LastPass technical information”. However, the company claims that no user data was compromised during the action.  

The company states that all of its “products and services are operating normally.” The Investigation for the hack is still ongoing and the company states that it has “implemented additional enhanced security measures.” 

LastPass CEO Karim Toubba stated that “There is no evidence of any threat actor activity beyond the established timeline [...] there is no evidence that this incident involved any access to customer data or encrypted password vaults”. 

The company restated that despite the unauthorized access, the hacker did not succeed in getting hold of any sensitive user data owing to system design and zero trust access (ZTA) is put in place to avert such incidents in the future. 

ZTA includes complete segregation of the Development and Production environment and the company’s own inability to access any of its customer’s password vaults without the master password set by the customers. “Without the master password, it is not possible for anyone other than the owner of a vault data,” the CEO stated. 

Lastly, LastPass also mentioned that it has restored to the services of a leading cybersecurity firm to enhance its source code safety practices and will ensure its system’s security, deploying additional endpoint security guardrails in both Development and Production environments to better detect and prevent any attack aiming at its systems.

Google Blocks Malicious Domains Used by Hack-for-hire Groups

About hack-for-hire

Threat Analyst Group (TAG) of Google last week revealed that it blocked around 36 malicious domains used by Hacking groups in Russia, UAE, and India. 

In a technique similar to surveillance ecosystems, hack-for-hire groups give their clients the leverage to launch targeted cyberattacks on corporate organizations, politicians, activists, journalists, and other users that are at high-risk. 

What is Google saying?

Google in its Blog says "as part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm."  

The only difference in the manners of the two is that while users buy the spyware from commercial vendors and later use it themselves, the actors behind hack-for-hire cyberattacks deploy the hacking attempts on the clients' behalf so that the buyers remain anonymous. 

How does hack-for-hire operate?

The hack-for-hire ecosystem is flexible in two ways, first in how the actors deploy the attacks themselves, and second, in the large range of targets, they seek in a single campaign on their clients' behalf. 

Some hacking groups publicly market their products and services to any user that is willing to pay, however, few operate in a hidden manner and sell their services to a limited public. 

"We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement," says Google. 

Other Details

A recent campaign launched by an Indian hacking group attacked an IT company in Cyprus, a fintech organization in the Balkans, an educational institute in Nigeria, and a shopping company in Israel, hinting the wide range of victims. 

According to Google Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox. 

One cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain with credential phishing campaigns, Google adds. 

Conti Ransomware Shuts Down and Rebrands Itself


The Conti ransomware group has effectively put a stop to their operation by shutting down its infrastructure and informing its team leaders that the brand no longer exists. Advanced Intel's Yelisey Boguslavskiy tweeted that the gang's internal infrastructure had been shut down.

The Tor admin panels that members used to conduct negotiations and post "news" on their data leak site are currently down, according to BleepingComputer. Despite the fact that the public-facing 'Conti News' data dump and the ransom negotiation website are still available. 

As per Bleeping Computer, "The agenda to conduct the attack on Costa Rica for the purpose of publicity instead of ransom was declared internally by the Conti leadership. Internal communications between group members suggested that the requested ransom payment was far below $1 million USD (despite unverified claims of the ransom being $10 million USD, followed by Conti’s own claims that the sum was $20 million USD)". 

Despite the fact that the Conti ransomware brand has been retired, the cybercrime organisation will continue to play a significant role in the ransomware industry for some time. Rather than rebranding as another large ransomware organisation, Conti leadership has collaborated with other minor ransomware gangs to carry out attacks. 

Smaller ransomware gangs profit from this alliance because they have access to professional Conti pentesters, negotiators, and operators. The Conti cybercrime syndicate is able to expand its mobility and ability to dodge law enforcement more effectively by subdividing into smaller "cells" that are all monitored by the central leadership.

Conti has worked with a wide range of well-known ransomware operations, according to a study published by Advanced Intel. Conti's current members, which include negotiators, intelligence analysts, pentesters, and coders, are scattered throughout several ransomware operations. Despite the fact that they will now employ the same encryptors and negotiation sites as the other ransomware operation, they remain part of the larger Conti criminal group.

Anonymous Hacks Russian Energy Companies, Leaking 1Million+ Emails


Anonymous claims to have hacked into Russian energy businesses in order to expose emails and continue its cyberwar on Ukraine. On Twitter, the hacker collective claimed to have exposed over 1 million emails from ALET, a Russian customs broker for gasoline and energy firms. 

The tweet stated, "NEW: #Anonymous hacked nearly 1.1 million emails (1.1 TB of data) from ALET, a Russian customs broker for companies in the fuel and energy industries, handling exports and customs declarations for coal, crude oil, liquefied gases and petroleum products."

DDoSecrets, an organisation co-founded by Emma Best and dedicated to comprehensive data transparency in the public interest, disclosed the breach. 

What is ALET? 

ALET is a customs broker based in Russia. It manages exports and customs declarations for petroleum products, coal, liquefied gases, and crude oil for enterprises in the fuel and energy industry. It has worked with 400 businesses and filed 119,000 customs declarations since 2011 with oil products accounting for the majority of its revenues. Gazprom, Gazprom Neft, and Bashneft have all recommended it.

Anonymous has threatened to fight a cyberwar against Putin since the start of the Russia-Ukraine conflict. So far, it has lived up to that promise. Not only has the organisation disclosed Russian information, but it has also infiltrated Russian organisations in order to inform citizens about what is happening outside the nation. 

Anonymous is best known for hacking Russian streaming sites and TV networks in order to show Russian residents what was going on in Ukraine. Last week, the group hacked Enerpred, Russia's largest hydraulic equipment manufacturer dealing in the energy, coal, gas, oil, and construction industries, and stole 645,000 emails (up to 432GB of data).

The company's headquarters are in Irkutsk, Eastern Siberia's capital, and offices in major Russian cities including Moscow and St. Petersburg. DDoSecrets' (Distributed Denial of Secrets) website has the leaked data.

All Organisations Must Report Cybersecurity Beaches Within 6 Hours: CERT-In


CERT-In, India's computer, and emergency response team released new guidelines on Thursday that mandate that service providers, intermediaries, data centres, and government institutions disclose cybersecurity incidents, including data breaches, within six hours.

The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."

Compromise of critical systems, targeting scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices are among the types of incidents covered.

The government stated  it was taking these steps to ensure that the required indicators of compromise (IoC) associated with security events are easily accessible to "carry out the analysis, investigation, and coordination as per the process of the law”

Concerned organisations are also required to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) Server, maintain ICT system logs for a rolling period of 180 days, and necessitate VPN service providers to maintain data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years, according to the guidelines.

The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.

India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

This New Malware Uses Windows Bugs to Conceal Scheduled Tasks


Microsoft has found a new malware employed by the Chinese-backed Hafnium hacking group to create and hide scheduled activities on compromised Windows PCs in order to sustain persistence. 

Cyberespionage attacks by the Hafnium threat group have previously targeted US defence businesses, think tanks, and researchers. It's also one of the state-sponsored groups Microsoft has tied to the global exploitation of the ProxyLogon zero-day vulnerability, which affected all supported Microsoft Exchange versions last year. 

The Microsoft Detection and Response Team (DART) stated, "As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defence evasion malware called Tarrask that creates 'hidden' scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification." 

Tarrask, a hacking tool, hides them from "schtasks /query" and Task Scheduler by removing the related Security Descriptor registry value, which is a previously undiscovered Windows flaw. 

By re-establishing dropped connections to command-and-control (C2) infrastructure, the threat group was able to keep access to the infected devices even after reboots. While the Hafnium operators could have deleted all on-disk artefacts, including all registry keys and the XML file uploaded to the system folder, this would have destroyed persistence between restarts. 

The "hidden" tasks can only be discovered by performing a manual search of the Windows Registry for scheduled tasks that do not have an SD (security descriptor) Value in their Task Key. 

Admins can additionally check for important events associated to tasks "hidden" by Tarrask malware by enabling the Security.evtx and Microsoft-Windows-TaskScheduler/Operational.evtx logs. Microsoft also suggests setting logging for 'TaskOperational' in the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and keeping an eye on outbound connections from crucial Tier 0 and Tier 1 assets. 

DART added, "The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique."

SolarWinds Alerted About Attacks Targeting Web Help Desk Instances


SolarWinds alerted customers about attacks on Web Help Desk (WHD) instances that were exposed to the Internet and recommended they remove those from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is a helpdesk ticketing and IT inventory management software for businesses that aim to automate ticketing and IT asset management operations. 

SolarWinds stated, "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue. In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more." 

Customers who are unable to remove WHD instances from servers that are accessible to the Internet should install EDR software and monitor them for attack attempts. SolarWinds hasn't been able to replicate the scenario, the business is working with the customer to analyse the report. 

A SolarWinds spokesperson told BleepingComputer, "We received a report from one customer about an attempted attack that was not successful. While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted." 

Although SolarWinds did not specify what tools or tactics were utilised in the attack, there are at least four security flaws that an attacker may use to target t an unpatched WHD instance: 
• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6 
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1 
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1 
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8 

According to the CVE-2021-35251 advisory, attackers might use unsecured WHD instances to gain access to environmental details about the Web Help Desk installation, making the other three security flaws easier to exploit.

Wightlink Customers' Details Compromised in Cyber Attack


Wightlink, a UK ferry company, has been struck by a highly complex cyber-attack that may have exposed the personal information of "a small number of customers and staff." Wightlink stated, the incident, which occurred in February, reportedly impacted certain back-office IT systems but not its ferry services, booking system, and website.

According to the company, law enforcement and the UK's Information Commissioner's Office (ICO) have been contacted, since they have possible breach victims. Wightlink has three routes between Hampshire in southeast England and the Isle of Wight, an island off the south coast. The company claims to carry 4.6 million passengers each year on over 100 daily sailings.

Wightlink claimed in a statement received by The Daily Swig: “Unfortunately, despite Wightlink taking appropriate security measures, some of its back-office IT systems were affected by a cyber-attack last month. However, this criminal action has not affected Wightlink’s ferries and FastCats, which have continued to operate normally during and following the attack, nor were its booking system and website affected.” 

Wightlink said it hired third-party cybersecurity experts to analyse and analyse the situation as soon as it was detected. The operator stated it was working with the South East Regional Organised Crime Unit in addition to reporting the incident to the ICO. 

The company stated, “Wightlink does not process or store payment card details for bookings. However, the investigation has identified a small number of customers and staff for whom other items of personal information may have been compromised during the incident. 

Wightlink chief executive Keith Greenfield stated, “I would like to thank all my colleagues at Wightlink who responded quickly ensuring that the impact to customers was minimised and that cross-Solent travel and bookings were unaffected.”

Cuba Ransomware Hacked Microsoft Exchange Servers


To get early access to business networks and encrypt devices, the Cuba ransomware campaign is exploiting Microsoft Exchange vulnerabilities. The ransomware group is known as UNC2596, and the ransomware itself is known as COLDDRAW, according to cybersecurity firm Mandiant. 

Cuba is the most popular name for malware. Cuba is a ransomware campaign that began in late 2019, and while it started slowly, it gained traction in 2020 and 2021. In December 2021, the FBI issued a Cuba ransomware notice, stating that the group has infiltrated 49 critical infrastructure firms in the United States. Researchers indicate that the Cuba operation predominantly targets the United States, followed by Canada, according to a new analysis by Mandiant. Since August 2021, the Cuba ransomware gang has been using Microsoft Exchange vulnerabilities to launch web shells, RATs, and backdoors to gain a foothold on the target network. 

"Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021," explains Mandiant in a new report. 

Cobalt Strike or the NetSupport Manager remote access tool is among the backdoors planted, although the organisation also utilises their own 'Bughatch', 'Wedgecut', 'eck.exe', as well as Burntcigar' tools. 
  • Wedgecut comes in the form of an executable named “check.exe,” which is a reconnaissance tool that enumerates the Active Directory through PowerShell.
  • Bughatch is a downloader that fetches PowerShell scripts and files from the C&C server. To evade detection, it loads in memory from a remote URL.
  • Burntcigar is a utility that can terminate processes at the kernel level by exploiting a flaw in an Avast driver, which is included with the tool for a “bring your own vulnerable driver” attack.
Finally, Termite is a memory-only dropper that downloads and loads the payloads mentioned earlier. However, this tool has been seen in campaigns by a variety of threat groups, indicating that it is not exclusively utilised by Cuba threat actors. 

Threat actors use stolen account credentials obtained with the widely available Mimikatz and Wicker tools to elevate access. They then use Wedgecut to undertake network reconnaissance before using RDP, SMB, PsExec, and Cobalt Strike to move laterally. Bughatch is then loaded by Termite, followed by Burntcigar, which disables security tools and creates the foundation for data exfiltration and file encryption. For the exfiltration process, the Cuba gang does not use cloud services, instead transfers everything to its own private infrastructure. 

Changing Operations 

Cuba ransomware teamed up with spammers behind the Hancitor malware in May 2021 to get access to corporate networks via DocuSign phishing emails. Since then, Cuba's operations have shifted to focus on vulnerabilities in public-facing services, such as the Microsoft Exchange ProxyShell and ProxyLogon flaws. Because security updates to fix the exploited vulnerabilities have been available for months, this move makes the assaults more potent but also easier to prevent. 

Once there are no more valuable targets running unpatched Microsoft Exchange servers, the Cuba operation will likely shift its focus to other vulnerabilities. This means that adopting accessible security updates as soon as they are released by software providers is critical in maintaining a strong security posture against even the most sophisticated threat actors.

UK Foreign Office Suffered ‘Serious Cyber Security Incident’


A "serious incident" compelled the Foreign Office of the United Kingdom to seek immediate cybersecurity assistance. A recently released public tender document confirmed the incident. According to a document released on February 4, the Foreign, Commonwealth and Development Office (FCDO) sought "urgent business support" from its cybersecurity contractor, BAE Applied Intelligence, 

The FCDO paid the company £467,325.60 — about $630,000 — for its services after issuing a contract for "business analyst and technical architect support to assess an authority cyber security incident" on January 12, 2022, according to the notice. However, the incident's facts, which had not previously been made public, remain unknown. 

The document stated, “The Authority was the target of a serious cyber security incident, details of which cannot be disclosed. In response to this incident, urgent support was required to support remediation and investigation. Due to the urgency and criticality of the work, the Authority was unable to comply with the time limits for the open or restricted procedures or competitive procedures with negotiation.” 

The Stack was the first to report on the BAE contract. According to an FCDO's spokesperson who did not give their name stated that the office does not comment on security but has measures in place to detect and protect against potential cyber events. Further queries about the incident, such as whether classified information was accessed, were declined by the spokesperson. 

TechCrunch also contacted the United Kingdom's data protection authority to see if the event had been reported, but is yet to hear back. The announcement of the apparent incident came only days after the British Council, an institution that specialises in international cultural and educational opportunities, was found to have suffered a severe security breach. Clario researchers discovered 144,000 unencrypted files on an unsecured Microsoft Azure storage server, including the personal and login information of British Council students. 

Following an investigation by the UK's National Cyber Security Center, Wilton Park, a Sussex-based executive agency of the FCDO, was hit by a cyberattack in December 2020, which revealed that hackers had access to the agency's systems for six years, though there was no proof that data had been stolen.

Over 40 Billion Records Exposed in 2021


According to Tenable's analysis of 1,825, breach data incidents publicized between November 2020 and October 2021, at least 40,417,167,937 records were exposed globally in 2021. This is risen from 730 publicly announced incidents with just over 22 billion data exposed over the same period in 2020. 

Organizations can efficiently prioritize security operations to stop attack paths and protect key systems and assets by studying threat actor behavior. Many of the events investigated for this research can be easily mitigated by fixing legacy flaws and fixing misconfigurations, which can help limit attack routes. 

In 2021, ransomware had a huge impact on businesses, accounting for about a 38% of all data breaches.  and unsecured cloud databases were responsible for 6% of all breaches. SSL VPNs that haven't been patched remain an ideal entry point for cyberespionage, exfiltrating sensitive and proprietary data, and encrypting networks. 

Threat groups, particularly ransomware, have been progressively exploiting Active Directory flaws and misconfigurations. When security controls and code audits are not in place, software libraries and network stacks that are frequently utilized among OT devices might create additional threats. 

Cyberespionage operations used the software supply chain to acquire sensitive data, whereas ransomware groups preferred physical supply chain disruption as a technique to extract payment. Data breaches wreaked havoc on the healthcare and education sectors the most. 

Claire Tills, Senior Research Engineer, Tenable stated, “Migration to cloud platforms, reliance on managed service providers, software and infrastructure as a service have all changed how organizations must think about and secure the perimeter.”  

“Modern security leaders and practitioners must think more holistically about the attack paths that exist within their networks and how they can efficiently disrupt them. By examining threat actor behaviour we can understand which attack paths are the most fruitful and leverage these insights to define an effective security strategy. ” 

Fixing assets is difficult enough given the sheer frequency of vulnerabilities revealed, but in 2021 it became much harder due to partial patches, vendor miscommunications, and patch bypasses. 

There were 21,957 common vulnerabilities and exposures (CVEs) reported in 2021, up 19.6% from 18,358 in 2020 and 241% more than the 6,447 declared in 2016. The number of CVEs increased at an average yearly percentage growth rate of 28.3 percent from 2016 to 2021.

$50 Million Lost to Fraudsters Impersonating as Broker-Dealers


A California man admitted his involvement in a large-scale and long-running Internet-based fraud scam that allowed him and other fraudsters to drain about $50 million from hundreds of investors.

Between 2012 and October 2020 Allen Giltman, 56, and his co-conspirators constructed phoney websites to collect money from people via the internet by advertising various investment opportunities (mainly the purchase of certificates of deposit). 

According to court documents, "The Fraudulent Websites advertised higher than average rates of return on the CDs, which enhanced the attractiveness of the investment opportunities to potential victims. At times, the fraudulent websites were designed to closely resemble websites being operated by actual, well-known, and publicly reputable financial institutions; at other times, the fraudulent websites were designed to resemble legitimate-seeming financial institutions that did not exist." 

They advertised the phoney investment sites in Google and Microsoft Bing search results for phrases like "best CD rates" and "highest cd rates." The scammers pretended to be FINRA broker-dealers in interactions with victims seeking investment possibilities, claiming to be employed by the financial companies they imitated on the scam sites. 

They employed virtual private networks (VPNs), prepaid gift cards to register web domains, prepaid phones, and encrypted applications to interact with their targets, and false invoices to explain the huge wire transfers they obtained from their victims to mask their genuine identities during their fraud schemes. 

"To date, law enforcement has identified at least 150 fraudulent websites created as part of the scheme," the Justice Department stated. 

"At least 70 victims of the fraud scheme nationwide, including in New Jersey, collectively transmitted approximately $50 million that they believed to be investments." 

The charge of wire fraud conspiracy, which Giltman consented, carries a possible sentence of 20 years in jail, while the charge of securities fraud carries a maximum sentence of five years in prison. Both are punishable by fines of $250,000 or double the gross gain or loss from the offence, whichever is greater. Giltman is scheduled to be sentenced on May 10, 2022. 

Stay Vigilant

The FBI's Criminal Investigative Division and the Securities and Exchange Commission cautioned investors in July 2021 that scammers posing as registered financial professionals such as brokers and investment advisers were posing as them. 

The July alert came after FINRA issued a similar fraud alert the same week regarding broker imposter frauds involving phishing sites that impersonate brokers and faked SEC or FINRA registration documents. 

"Fraudsters may falsely claim to be registered with the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) or a state securities regulator in order to lure investors into scams, or even impersonate real investment professionals who actually are registered with these organizations," the FBI and SEC stated. 

Investors should first use the search engine to see if people marketing investment possibilities are licensed or registered, and then ensure they're not scammers by contacting the seller using independently confirmed contact information from the firm's Client Relationship Summary (Form CRS).

Researcher Detects 70 Web Cache Poisoning Vulnerabilities, Gets $40k in bug bounty rewards


Despite the fact that it is a well-known and well-documented vulnerability, 'web cache poisoning' continues to be a concern on the internet. 

Security researcher Iustin Ladunca (Youstin) recently uncovered 70 cache poisoning vulnerabilities with varying implications after conducting a thorough investigation on different websites, including some high-traffic online services. 

The intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers, are the targets of web cache poisoning attacks. These intermediates aid website speed by keeping local versions of online content and delivering them to web clients faster. Cache poisoning attacks change the way cache servers behave and respond to certain URL requests from clients. 

Ladunca told The Daily Swigg, “I started researching web cache poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic. Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for cache poisoning is.” 

Ladunca outlined how he identified and disclosed the web cache vulnerabilities, which included severs such as Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others, in a blog post. 

“A common pattern was caching servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca stated.

“Even so, there still was a significant impact, since modern websites rely heavily on JS [JavaScript] and CSS {cascading style sheets] and taking those files down would really affect application availability.” 

Denial of service (DoS) attacks were launched as a result of several web cache vulnerabilities. Some headers are used as keys by cache servers to store and retrieve URL requests. Ladunca was able to compel servers to cache error responses and deliver them instead of the original content by utilising faulty values in unkeyed headers, making the target URLs unreachable to clients. 

“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of [the] total findings,” Ladunca said. 

Cross-site scripting (XSS) attacks could be exploited by other web cache poisoning flaws. One vulnerability, for example, may cause the cache server to forward JavaScript file requests to an attacker-controlled IP. Ladunca was also able to reroute a cache request from one host to another that was vulnerable to DOM-based XSS attacks in another case. 

For the 70 web cache vulnerabilities he uncovered, Ladunca received a bug bounty of roughly $40,000. He did, however, learn some valuable lessons about safeguarding web cache servers. 

“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said. 

The researcher also suggested utilizing PortSwigger's Param Miner, an open-source tool for locating hidden, unrelated parameters. Param Miner can help detect unkeyed headers that can be used for web cache poisoning by running it against web apps.

Anubis Trojan Targeted 400 Banks’ Customers


A malicious app disguised as the official account management portal for French telecom giant Orange S.A. is targeting customers of Chase, Wells Fargo, Bank of America, and Capital One, as well as almost 400 other financial institutions. 

According to researchers, this is only the beginning. Researchers at Lookout cautioned in a recent report that once downloaded, the malware - a version of banking trojan Anubis – collects the user's personal data and uses it to mislead them. And it's not just huge bank customers that are at risk, according to the researchers: Crypto wallets and virtual payment networks are also being targeted.

The Lookout report stated, “As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain.”

“This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.” 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The report added, “We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future.” 

New Anubis Tricks 

The malicious version of the Orange Telecom account management software was uploaded to the Google Play store in July 2021 and then removed, but analysts believe this was only a test of Google's antivirus defences and that it could reappear shortly. 

The banking trojan connects to the command-and-control (C2) server after being downloaded on the device and downloads another application to start the SOCKS5 proxy. 

“This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as ‘FR.apk’ in ‘/data/data/,'” the researchers stated.

The user is then prompted to disable Google Play Protect, giving the attacker complete control, according to the research. Banks, reloadable card businesses, and cryptocurrency wallets are among the 394 apps targeted by, according to the researchers. 

The Anubis client was linked back to a half-completed crypto trading platform, according to the Lookout team. 

Anubis, which was first discovered in 2016, is freely available as open-source code on underground forums, along with instructions for budding banking trojan criminals, according to the research. 

According to Lookout, the basic banking trojan has added a credential stealer to the mix in this current edition of Anubis code, putting logins for cloud-based platforms like Microsoft 365 in danger. 

As per Kristina Balaam, a security researcher with Lookout, the Lookout team was unable to discover any successful attacks linked to the Orange S.A. campaign. 

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust and Wells Fargo,” Balaam stated.

A flaw in Anti Cheating Browser Extension led Hackers to Hack University Computers


A web security vulnerability in an anti-cheating browser extension developed a way to sneak into the machines of college students as well as other users before they could be fixed. 

Security researchers at Sector 7, the research section of Dutch security firm Computest, identified a cross-site scripting (XSS) bug in the Proctorio Google Chrome browser plugin. Proctorio is a type of proctoring software, which has come into its own during the pandemic to prevent cheating throughout online assessments. 

The technology has been widely employed in the Netherlands, much to the ire of local student organizations that have unsuccessfully challenged its use as a privacy danger. Concerns were raised because the program may read and update data on websites visited by users, as well as take screenshots and monitor webcam footage. 

“This [vulnerability] could be used by a malicious page to access data on any site where the user is currently logged in, for example, read all your email,” Sector7 told The Daily Swig. 

“And it could be used to access features like the webcam if the user has granted any website permission to use it.” 

According to a professional write-up of the flaw by Sector7, the problem came through errors in the Proctorio extension's implementation of an 'open calculator' functionality. Since the calculator is attached to the DOM of the page activating Proctorio, JavaScript on the page can immediately enter an expression for the calculator and afterward activate the evaluation, according to the researchers. 

This enables the website to run code within the content script. The page can then send messages to the background website from the scope of the content script, which is regarded as messages from the content script. Researchers discovered that they could trigger uXSS using a mixture of messages. 

Sector7 told The Daily Swig: “[The] root cause [of the vulnerability] was evaluating untrusted JavaScript originating from a webpage in the extension, leading to universal cross-site scripting.” 

Nevertheless, Proctorio has finally corrected the critical security flaw. As Chrome browser extensions are updated automatically, users do not have to actively upgrade their software to be secured. 

Sector7 reported the problem to Proctorio in June, and a week later received confirmation that it had been rectified. Sector7 verified the fix in August, well before it revealed its technical findings last week. Sector7/Computest investigated the Proctorio program at the demand of local media outlet RTL Nieuws, which afterward compiled a report on the findings.