Category: security

The intrusion took place on the morning of Feb. 23, the same day the company reported its fourth-quarter earnings. “This morning, we experienced an internal outage that’s continuing to affect our internal servers and IT telephony,” Dish CEO W. Erik Carlson said at that time. “We’re analyzing the root causes and any consequences of the outage, while we work to restore the affected systems as quickly as possible.” According to Bleeping Computer, the Black Basta ransomware gang is behind the attack, first breaching Boost Mobile and then the Dish corporate network.

LastPass worked with incident response experts at Mandiant to perform forensics and found that a DevOps engineer’s home computer was targeted to get around security mitigations. The attackers exploited a remote code execution vulnerability in a third-party media software package and planted keylogger malware on the employee’s personal computer. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” the company said. “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” LastPass confirmed. LastPass originally disclosed the breach in August 2022 and warned that “some source code and technical information were stolen.”

SecurityWeek adds: “In January 2023, the company said the breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

CHS hasn’t said what types of data were exposed and a spokesperson has not yet responded to TechCrunch’s questions. This is CHS’ second-known breach of patient data in recent years. The Russia-linked ransomware gang Clop has reportedly taken responsibility for exploiting the new zero-day in a new hacking campaign and claims to have already breached over a hundred organizations that use Fortra’s file-transfer technology — including CHS. While CHS has been quick to come forward as a victim, Clop’s claim suggests there could be dozens more affected organizations out there — and if you’re one of the thousands of GoAnywhere users, your company could be among them. Thankfully, security experts have shared a bunch of information about the zero-day and what you can do to protect against it. Security researcher Brian Krebs first flagged the zero-day vulnerability in Fortra’s GoAnywhere software on February 2.

“A zero-day remote code injection exploit was identified in GoAnywhere MFT,” Fortra said in its hidden advisory. “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”

According to the vendor, when the device is isolated, it is limited in the processes and web destinations that are allowed. That means if they’re behind a full VPN tunnel, they won’t be able to reach Microsoft’s Defender for Endpoint cloud services. Microsoft recommends that enterprises use a split-tunneling VPN for cloud-based traffic for both Defender for Endpoint and Defender Antivirus. Once the situation that caused the isolation is cleared up, organizations will be able to reconnect the device to the network. Isolating the system is done via APIs. Users can get to the device page of the Linux systems through the Microsoft 365 Defender portal, where they will see an “Isolate Device” tab in the upper right among other response actions. Microsoft has outlined the APIs for both isolating the device and releasing it from lock down.

While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn’t be classified as a vulnerability given that attackers with write access to a target’s device can also obtain the information contained within the KeePass database through other means. In fact, a “Security Issues” page on the KeePass Help Center has been describing the “Write Access to Configuration File” issue since at least April 2019 as “not really a security vulnerability of KeePass.” If the user has installed KeePass as a regular program and the attackers have write access, they can also “perform various kinds of attacks.” Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain. “These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.” If the KeePass devs don’t release a version of the app that addresses this issue, BleepingComputer notes “you could still secure your database by logging in as a system admin and creating an enforced configuration file.”

“This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue.”

News of the takedown first leaked on Thursday morning when Hive’s website was replaced with a flashing message that said: “The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware.” Hive’s servers were also seized by the German Federal Criminal Police and the Dutch National High Tech Crime Unit. The undercover infiltration, which started in July 2022, went undetected by the gang until now.

The Justice Department said that over the years, Hive has targeted more than 1,500 victims in 80 different countries, and has collected more than $100 million in ransomware payments. Although there were no arrests announced on Wednesday, Garland said the investigation was ongoing and one department official told reporters to “stay tuned.”

“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the breach notification reads. “At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”

After detecting the attack, DraftKings reset the affected accounts’ passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims’ linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts.
“After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working,” adds the report.

“The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests.”

The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user’s email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target’s email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai’s endpoint containing the spoofed address in the JSON token and the victim’s address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target’s email address for the attack.

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan’s app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target’s vehicle identification number (VIN). The response to the unauthorized request contained the target’s name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle’s history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. […] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.

Mr Schonbohm had come under scrutiny after his potential links to a Russian company through a previous role were highlighted by Jan Bohmermann, the host of one of Germany’s most popular late-night TV shows. Before leading the BSI, Mr Schonbohm had helped set up and run the Cyber Security Council Germany, a private association which advises business and policymakers on cybersecurity issues. He is said to have maintained close ties to the association and attended their 10th anniversary celebrations in September. One of the association’s members was a cybersecurity company called Protelion, which was a subsidiary of a Russian firm reportedly established by a former member of the KGB honored by President Vladimir Putin. Protelion was ejected from the association last weekend, and Cyber Security Council Germany says the allegations of links to Russian intelligence are untrue.

SMS Protect is a security feature that has two purposes: to keep players accountable for what Blizzard calls “disruptive behavior,” and to protect accounts if they’re hacked. It requires all Overwatch 2 players to attach a unique phone number to their account. Blizzard said SMS Protect will target cheaters and harassers; if an account is banned, it’ll be harder for them to return to Overwatch 2. You can’t just enter any old phone number — you actually have to have access to a phone receiving texts to that number to get into your account.

Overwatch 2 lead software engineer Bill Warnecke told Forbes that, even if accounts are no longer tied to Overwatch’s box price — because the game is now free-to-play — Blizzard still wants players to make an “investment” in upholding a safe game. “The key idea behind SMS Protect is to have an investment on behalf of the owner of that account and add some limitations or restrictions behind how you might have an account,” Warnecke said. “There’s no exclusions or kind of loopholes around the system.” The report notes that Blizzard has refunded one player after they contacted customer support and said they didn’t have a mobile phone, but it’s unclear if this policy will apply more broadly.