Category: security

Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it’s calling “0ktapus,” a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider. Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB’s findings, with more than half containing captured multi-factor authentication codes used to access a company’s network.

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks,” Microsoft researchers wrote. “These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF.”

Referring to DSIRF using the work KNOTWEED, Microsoft researchers wrote: In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED’s extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we’ve seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved. Microsoft recommends a number of security considerations to help mitigate this attack, including patching CVE-2022-22047, updating Microsoft Defender Antivirus to update 1.371.503.0 or later, and enabling multifactor authentication (MFA).

The cost estimates are based on both immediate and longer-term expenses. While some costs like the payment of ransoms and those related to investigating and containing the breach tend to be accounted for right away, others such as regulatory fines and lost sales can show up years later. On average, those polled said they accrued just under half of the costs related to a given breach more than a year after it occurred.

Analysts at cybersecurity firm Cyble, who sampled the new info-stealer and named it “Luca Stealer,” report that the malware comes with standard capabilities for this type of malware. When executed, the malware attempts to steal data from thirty Chromium-based web browsers, where it will steal stored credit cards, login credentials, and cookies. The stealer also targets a range of “cold” cryptocurrency and “hot” wallet browser addons, Steam accounts, Discord tokens, Ubisoft Play, and more. Where Luca Stealer stands out against other info-stealers is the focus on password manager browser addons, stealing the locally stored data for 17 applications of this kind. In addition to targeting applications, Luca also captures screenshots and saves them as a .png file, and performs a “whoami” to profile the host system and send the details to its operators.

Lenovo has also informed customers about Retbleed, a new speculative execution attack impacting devices with Intel and AMD processors. The company has also issued an advisory for a couple of vulnerabilities affecting many products that use the XClarity Controller server management engine. These flaws can allow authenticated users to cause a DoS condition or make unauthorized connections to internal services.

Most of the third-party cookies installed by government websites are known tracking cookies, except in the case of Germany, where under 10% of third-party cookies are associated with domains that are known to track users. The researchers also found that, depending on the country, 20% to 60% of the third party cookies installed by government websites remain in visitors’ browsers without expiring for a year or more. That’s a long time for a tracker installed without your knowledge or consent to remain active. Beyond specifically tracking cookies, the researchers measured the number of trackers of any kind present on government websites. The Russian gov.ru has the most trackers out of any government website analyzed by the researchers, numbering 31 trackers in total. However, Brazil and Canada aren’t far behind, with 25 trackers present on both investexportbrasil.gov.br and nac-cna.ca. The US government website with the most trackers is hhs.gov, which has 13.

The researchers point out that both third-party tracking cookies are automatically installed in visitors’ web browsers without their consent. However, the researchers guess that web developers and administrators likely include third-party content without intending to add trackers to their websites. A great many websites now rely on third-party resources and include social content that come with trackers built-in.

But now they’ve had an incident of their own:
On June 22nd, 2022, a customer asked us to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer. Additionally, the submitter’s disclosure was similar to an existing disclosure previously submitted through HackerOne… Upon investigation by the HackerOne Security team, we discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future. Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate.

The blog post includes a detailed timeline of HackerOne’s investigation. (They remotely locked the laptop, later taking possession of it for analysis, along with reviewing all data accessed “during the entirety of their two and a half months of employment” and notification of seven customers “known or suspected to be in contact with threat actor.”)

“We are confident the insider access is now contained,” the post concludes — outlining how they’ll respond and the lessons learned. “We are happy that our previous investments in logging enabled an expedient investigation and response…. To ensure we can proactively detect and prevent future threats, we are adding additional employees dedicated to insider threats that will bolster detection, alerting, and response for business operations that require human access to disclosure data….”

“We are allocating additional engineering resources to invest further in internal models designed to identify anomalous access to disclosure data and trigger proactive investigative responses…. We are planning additional simulations designed to continuously evaluate and improve our ability to effectively resist insider threats.”

The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, the RV130 VPN Router, the RV130W Wireless-N Multifunction VPN Router, and the RV215W Wireless-N VPN Router. This vulnerability only affects devices with the web-based remote management interface enabled on WAN connections. […] Cisco states that they will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. Furthermore, there are no mitigations available other than to turn off remote management on the WAN interface, which should be done regardless for better overall security. Users are advised to apply the configuration changes until they migrate to Cisco Small Business RV132W, RV160, or RV160W Routers, which the vendor actively supports.

“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting,” the advisory explains. The attackers then stole credentials to access underlying SQL databases and used SQL commands to dump user and admin credentials from critical Remote Authentication Dial-In User Service (RADIUS) servers.

“Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure,” the federal agencies added. The three federal agencies said the following common vulnerabilities and exposures (CVEs) are the network device CVEs most frequently exploited by Chinese-backed state hackers since 2020. “The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns,” the NSA added. Organizations can protect their networks by applying security patches as soon as possible, disabling unnecessary ports and protocols to shrink their attack surface, and replacing end-of-life network infrastructure that no longer receives security patches.

The agencies “also recommend networks to block lateral movement attempts and enabling robust logging and internet-exposed services to detect attack attempts as soon as possible,” adds BleepingComputer.

Over the next few months, multiple BMC vendors issued patches and advisories that told customers why patching the vulnerability was critical. Now, researchers from security firm Eclypsium reported a disturbing finding: for reasons that remain unanswered, a widely used BMC from data center solutions provider Quanta Cloud Technology, better known as QCT, remained unpatched against the vulnerability as recently as last month. As if QCT’s inaction wasn’t enough, the company’s current posture also remains baffling. After Eclypsium privately reported its findings to QCT, the solutions company responded that it had finally fixed the vulnerability. But rather than publish an advisory and make a patch public — as just about every company does when fixing a critical vulnerability — it told Eclypsium it was providing updates privately on a customer-by-customer basis. As this post was about to go live, “CVE-2019-6260,” the industry’s designation to track the vulnerability, didn’t appear on QCT’s website. […] “[T]hese types of attacks have remained possible on BMCs that were using firmware QCT provided as recently as last month,” writes Ars’ Dan Goodin in closing. “QCT’s decision not to publish a patched version of its firmware or even an advisory, coupled with the radio silence with reporters asking legitimate questions, should be a red flag. Data centers or data center customers working with this company’s BMCs should verify their firmware’s integrity or contact QCT’s support team for more information.”