Dish Network Confirms Network Outage Was a Cybersecurity Breach

Dish Network, one of the largest television providers in the United States, confirmed on Tuesday that a previously disclosed “network outage” was the result of a cybersecurity breach that affected the company’s internal communications systems and customer-facing support sites. CNBC reports: “Certain data was extracted,” the company said in a statement Tuesday. The acknowledgment is an evolution from last week’s earnings call, where it was described as an “internal outage.” Dish Networks’ website was down for multiple days beginning last week, but the company has now disclosed that “internal communications [and] customer call centers” remain affected by the breach. Dish said it had retained outside experts to assist in evaluating the problem.

The intrusion took place on the morning of Feb. 23, the same day the company reported its fourth-quarter earnings. “This morning, we experienced an internal outage that’s continuing to affect our internal servers and IT telephony,” Dish CEO W. Erik Carlson said at that time. “We’re analyzing the root causes and any consequences of the outage, while we work to restore the affected systems as quickly as possible.” According to Bleeping Computer, the Black Basta ransomware gang is behind the attack, first breaching Boost Mobile and then the Dish corporate network.

Read more of this story at Slashdot.

LastPass Says Home Computer of DevOps Engineer Was Hacked

wiredmikey shares a report from SecurityWeek: Password management software firm LastPass says one of its DevOps engineers had a personal home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources. LastPass on Monday fessed up a “second attack” where an unnamed threat actor combined data stolen from an August breach with information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated attack. […]

LastPass worked with incident response experts at Mandiant to perform forensics and found that a DevOps engineer’s home computer was targeted to get around security mitigations. The attackers exploited a remote code execution vulnerability in a third-party media software package and planted keylogger malware on the employee’s personal computer. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” the company said. “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” LastPass confirmed. LastPass originally disclosed the breach in August 2022 and warned that “some source code and technical information were stolen.”

SecurityWeek adds: “In January 2023, the company said the breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

Read more of this story at Slashdot.

Ransomware Gang Uses New Zero-Day To Steal Data On 1 Million Patients

Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients. TechCrunch reports: The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT, developed by Fortra (previously known as HelpSystems), which is deployed by large businesses to share and send large sets of data securely. Community Health Systems said that Fortra recently notified it of a security incident that resulted in the unauthorized disclosure of patient data. “As a result of the security breach experienced by Fortra, protected health information and personal information of certain patients of the company’s affiliates were exposed by Fortra’s attacker,” according to the filing by Community Health Systems, which was first spotted by DataBreaches.net. The healthcare giant added that it would offer identity theft protection services and notify all affected individuals whose information was exposed, but said there had been no material interruption to its delivery of patient care.

CHS hasn’t said what types of data were exposed and a spokesperson has not yet responded to TechCrunch’s questions. This is CHS’ second-known breach of patient data in recent years. The Russia-linked ransomware gang Clop has reportedly taken responsibility for exploiting the new zero-day in a new hacking campaign and claims to have already breached over a hundred organizations that use Fortra’s file-transfer technology — including CHS. While CHS has been quick to come forward as a victim, Clop’s claim suggests there could be dozens more affected organizations out there — and if you’re one of the thousands of GoAnywhere users, your company could be among them. Thankfully, security experts have shared a bunch of information about the zero-day and what you can do to protect against it. Security researcher Brian Krebs first flagged the zero-day vulnerability in Fortra’s GoAnywhere software on February 2.

“A zero-day remote code injection exploit was identified in GoAnywhere MFT,” Fortra said in its hidden advisory. “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”

Read more of this story at Slashdot.

Microsoft Upgrades Defender To Lock Down Linux Devices For Their Own Good

Organizations using Microsoft’s Defender for Endpoint will now be able to isolate Linux devices from their networks to stop miscreants from remotely connecting to them. The Register reports: The device isolation capability is in public preview and mirrors what the product already does for Windows systems. “Some attack scenarios may require you to isolate a device from the network,” Microsoft wrote in a blog post. “This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature.” Intruders won’t be able to connect to the device or run operations like assuming unauthorized control of the system or stealing sensitive data, Microsoft claims.

According to the vendor, when the device is isolated, it is limited in the processes and web destinations that are allowed. That means if they’re behind a full VPN tunnel, they won’t be able to reach Microsoft’s Defender for Endpoint cloud services. Microsoft recommends that enterprises use a split-tunneling VPN for cloud-based traffic for both Defender for Endpoint and Defender Antivirus. Once the situation that caused the isolation is cleared up, organizations will be able to reconnect the device to the network. Isolating the system is done via APIs. Users can get to the device page of the Linux systems through the Microsoft 365 Defender portal, where they will see an “Isolate Device” tab in the upper right among other response actions. Microsoft has outlined the APIs for both isolating the device and releasing it from lock down.

Read more of this story at Slashdot.

KeePass Disputes Vulnerability Allowing Stealthy Password Theft

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. BleepingComputer reports: KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can’t just steal the database and automatically gain access to the passwords stored within it. The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target’s system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext. The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control. However, this export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. […]

While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn’t be classified as a vulnerability given that attackers with write access to a target’s device can also obtain the information contained within the KeePass database through other means. In fact, a “Security Issues” page on the KeePass Help Center has been describing the “Write Access to Configuration File” issue since at least April 2019 as “not really a security vulnerability of KeePass.” If the user has installed KeePass as a regular program and the attackers have write access, they can also “perform various kinds of attacks.” Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain. “These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.” If the KeePass devs don’t release a version of the app that addresses this issue, BleepingComputer notes “you could still secure your database by logging in as a system admin and creating an enforced configuration file.”

“This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue.”

Read more of this story at Slashdot.

US Says It ‘Hacked the Hackers’ To Bring Down Hive Ransomware Gang

The FBI revealed today that it had shut down the prolific ransomware gang called Hive, “a maneuver that allowed the bureau to thwart the group from collecting more than $130 million in ransomware demands from more than 300 victims,” reports Reuters. Slashdot readers wiredmikey and unimind shared the news. From the report: At a news conference, U.S. Attorney General Merrick Garland, FBI Director Christopher Wray, and Deputy U.S. Attorney General Lisa Monaco said government hackers broke into Hive’s network and put the gang under surveillance, surreptitiously stealing the digital keys the group used to unlock victim organizations’ data. They were then able to alert victims in advance so they could take steps to protect their systems before Hive demanded the payments. “Using lawful means, we hacked the hackers,” Monaco told reporters. “We turned the tables on Hive.”

News of the takedown first leaked on Thursday morning when Hive’s website was replaced with a flashing message that said: “The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware.” Hive’s servers were also seized by the German Federal Criminal Police and the Dutch National High Tech Crime Unit. The undercover infiltration, which started in July 2022, went undetected by the gang until now.

The Justice Department said that over the years, Hive has targeted more than 1,500 victims in 80 different countries, and has collected more than $100 million in ransomware payments. Although there were no arrests announced on Wednesday, Garland said the investigation was ongoing and one department official told reporters to “stay tuned.”

Read more of this story at Slashdot.

DraftKings Warns Data of 67,000 People Was Exposed In Account Hacks

Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. BleepingComputer reports: In credential stuffing attacks, automated tools are used to make a massive number of attempts to sign into accounts using credentials (user/password pairs) stolen from other online services. […] In a data breach notification filed with the Main Attorney General’s office, DraftKings disclosed that the data of 67,995 people was exposed in last month’s incident. The company said the attackers obtained the credentials needed to log into the customers’ accounts from a non-DraftKings source.

“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the breach notification reads. “At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”

After detecting the attack, DraftKings reset the affected accounts’ passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims’ linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts.
“After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working,” adds the report.

“The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests.”

Read more of this story at Slashdot.

Hyundai App Bugs Allowed Hackers To Remotely Unlock, Start Cars

Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles. BleepingComputer reports: Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM “smart vehicle” platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infinity) that allowed them to “remotely unlock, start, locate, flash, and honk” them. At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads.

The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user’s email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target’s email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai’s endpoint containing the spoofed address in the JSON token and the victim’s address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target’s email address for the attack.

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan’s app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target’s vehicle identification number (VIN). The response to the unauthorized request contained the target’s name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle’s history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. […] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.

Read more of this story at Slashdot.

Germany Fires Cybersecurity Chief ‘Over Russia Ties’

Germany’s cybersecurity chief has been fired after allegations of being excessively close to Russia through an association he helped set up. The BBC reports: Arne Schonbohm had led the Federal Cyber Security Authority (BSI) — charged with protecting government communications — since 2016. German media have accused him of having had links with people involved with Russian intelligence services. The interior ministry is investigating allegations made against him. But it confirmed he had been fired with immediate effect.

Mr Schonbohm had come under scrutiny after his potential links to a Russian company through a previous role were highlighted by Jan Bohmermann, the host of one of Germany’s most popular late-night TV shows. Before leading the BSI, Mr Schonbohm had helped set up and run the Cyber Security Council Germany, a private association which advises business and policymakers on cybersecurity issues. He is said to have maintained close ties to the association and attended their 10th anniversary celebrations in September. One of the association’s members was a cybersecurity company called Protelion, which was a subsidiary of a Russian firm reportedly established by a former member of the KGB honored by President Vladimir Putin. Protelion was ejected from the association last weekend, and Cyber Security Council Germany says the allegations of links to Russian intelligence are untrue.

Read more of this story at Slashdot.

Games Are Starting To Require a Phone Number To Play

According to Polyon, players will be required to link a phone number to their Battle.net accounts if they want to play Overwatch 2. “The same two-factor step, called SMS Protect, will also be used on all Call of Duty: Modern Warfare 2 accounts when that game launches, and new Call of Duty: Modern Warfare accounts,” the report adds. From the report: Blizzard Entertainment announced SMS Protect and other safety measures ahead of Overwatch 2’s release. Blizzard said it implemented these controls because it wanted to “protect the integrity of gameplay and promote positive behavior in Overwatch 2.” Overwatch 2 is free to play, unlike its predecessor. Without SMS Protect, Blizzard reasoned that there is no barrier to toxic players or trolls creating a new account if an existing one is sanctioned. SMS Protect, therefore, ties that account to something valuable — in this case a player’s mobile phone.

SMS Protect is a security feature that has two purposes: to keep players accountable for what Blizzard calls “disruptive behavior,” and to protect accounts if they’re hacked. It requires all Overwatch 2 players to attach a unique phone number to their account. Blizzard said SMS Protect will target cheaters and harassers; if an account is banned, it’ll be harder for them to return to Overwatch 2. You can’t just enter any old phone number — you actually have to have access to a phone receiving texts to that number to get into your account.

Overwatch 2 lead software engineer Bill Warnecke told Forbes that, even if accounts are no longer tied to Overwatch’s box price — because the game is now free-to-play — Blizzard still wants players to make an “investment” in upholding a safe game. “The key idea behind SMS Protect is to have an investment on behalf of the owner of that account and add some limitations or restrictions behind how you might have an account,” Warnecke said. “There’s no exclusions or kind of loopholes around the system.” The report notes that Blizzard has refunded one player after they contacted customer support and said they didn’t have a mobile phone, but it’s unclear if this policy will apply more broadly.

Read more of this story at Slashdot.