Archive for Hacked

Optus Pwned By Hackers… Personal Info Stolen

Posted in Commentary on September 22, 2022 by itnerd

Australian telco Optus has disclosed that it suffered a cyber attack in which the personal info of customers, including names, DOBs, addresses and contact details, was stolen. The attack occurred after hackers broke through the company’s firewall, gaining access to sensitive information on Optus’ 9.7 million subscribers. The company has confirmed the breach and the exposed information, but has stated that payment details and account passwords have not been compromised, and that services including mobile phones and home internet were not affected. The thing is, what was stolen is enough to start identity theft campaigns. Which makes this a non-trivial event.

Mark Bower, VP of Product Management, Anjuna Security had this to say:

“Too often we see large scale breaches where payment details and passwords were the only things protected, largely due to regulations like PCI DSS, yet massive amounts of personal data are not. That’s no longer good enough for maintaining customer trust. The types of data breached in this attack put millions of Australians at risk from phishing, social attack and phone scams which can have huge personal anxiety and financial consequences. Modern enterprises can certainly avoid this with a more holistic approach to data security given the availability of tools that can dramatically reduce the impact of insiders or advanced attackers even in a total breach situation which is an inevitable and expected scenario for today’s CISO.”

Australia has been very good at investigating stuff like this. Thus I have to assume that the authorities are all over this. Which means we’ll find out how bad this is soon enough.

Uber Now Says It Was Pwned By Lapsus$ And Details How They Got In

Posted in Commentary on September 20, 2022 by itnerd

Uber published a blog post yesterday (which you can read here) that provides far more detail about last week’s hack of the company. Starting with how the threat actors got in:

An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

This is an attack vector called MFA fatigue, where a threat actor sends repeated MFA push prompts until the worn-down user simply approves one, even though they did nothing to trigger it. That’s a growing problem.
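As an added example (not from Uber’s post or this blog), here is a small Python detector for the pattern described above. It assumes a constructed log format in which every MFA push prompt is logged with its result, and it flags a user whose approval follows several denied or timed-out prompts in a short window.

```python
"""Flag MFA push fatigue: several unapproved push prompts, then an approval."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format is an assumption:
# "<ISO-8601 time> user=<id> event=mfa_push result=<approved|denied|timeout> src=<ip>"
SAMPLE_LOG = """\
2022-09-15T03:10:02Z user=contractor01 event=mfa_push result=denied src=203.0.113.5
2022-09-15T03:10:40Z user=contractor01 event=mfa_push result=timeout src=203.0.113.5
2022-09-15T03:11:15Z user=contractor01 event=mfa_push result=denied src=203.0.113.5
2022-09-15T03:12:03Z user=contractor01 event=mfa_push result=denied src=203.0.113.5
2022-09-15T03:12:50Z user=contractor01 event=mfa_push result=approved src=203.0.113.5
2022-09-15T09:00:01Z user=alice event=mfa_push result=approved src=198.51.100.7
2022-09-15T09:30:12Z user=bob event=mfa_push result=denied src=198.51.100.9
2022-09-15T09:31:00Z user=bob event=mfa_push result=approved src=198.51.100.9
"""

WINDOW = timedelta(minutes=10)  # how far back to look for earlier prompts
MIN_UNAPPROVED = 3              # denied/timed-out prompts before an approval that trigger an alert


def parse_line(line):
    """Turn one log line into (timestamp, dict of key=value fields)."""
    ts_str, *kvs = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in kvs)
    return ts, fields


def find_push_fatigue(log_text, window=WINDOW, min_unapproved=MIN_UNAPPROVED):
    """Return alerts as (user, approval_time, unapproved_prompts_in_window, src)."""
    history = defaultdict(list)  # user -> [(ts, result, src)] of prompts not yet approved
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("event") != "mfa_push":
            continue
        user = f["user"]
        # Drop prompts that fell outside the look-back window.
        history[user] = [h for h in history[user] if ts - h[0] <= window]
        if f["result"] == "approved":
            unapproved = [h for h in history[user] if h[1] in ("denied", "timeout")]
            if len(unapproved) >= min_unapproved:
                alerts.append((user, ts, len(unapproved), f["src"]))
            history[user] = []  # an approval closes the episode
        else:
            history[user].append((ts, f["result"], f["src"]))
    return alerts


if __name__ == "__main__":
    for user, ts, n, src in find_push_fatigue(SAMPLE_LOG):
        print(f"ALERT: {user} approved a push at {ts:%H:%M:%S}Z after {n} unapproved prompts from {src}")
```

Only contractor01 is flagged with the default threshold; bob’s single denial followed by an approval is ordinary user behaviour and stays below it.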

Next up is who Uber holds responsible for this. And the threat actors are Lapsus$:

We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.

Lapsus$ has clearly been busy. And given how high profile this hack was, and how much media attention it has gotten, that will motivate more attacks, as attention is reportedly what drives this group.

Yana Blachman, Threat Intelligence Specialist at Venafi had this comment:

“With the Lapsus$ cybercrime group having been responsible for breaches at Nvidia, Microsoft and Samsung over the last year, these recent attacks on Uber and Rockstar show that it has an appetite for Big Tech companies and should be a warning to the entire industry. Despite the group being relatively young, its list of victims is starting to read like a “who’s who” of the tech industry.

“In the past – such as the Samsung breach – its attacks have been characterized by the use of stolen code-signed certificates. These are real crown jewels for hackers, as they allow malicious files to masquerade as legitimate. If organisations do not properly secure the process and the infrastructure for managing code signing certificates, the likelihood of abuse, as well as the impact of any compromise, are both extremely high.”

I am sure even more details will appear in the coming days from Uber. Thus you can expect updates to this story. And likely new stories on Lapsus$ attacking other companies as well.

American Airlines Pwned By Hackers…. Customer Data Leaked

Posted in Commentary on September 20, 2022 by itnerd

American Airlines has had to admit that they were pwned by hackers and customer data is in the wild. AP has the story:

American Airlines says personal information of a “very small number” of customers and employees was compromised after hackers breached some employee email accounts.

The airline said Tuesday that it has no indication that the attackers have misused any of the personal information.

American said the breach was discovered in July. The airline declined to say precisely how many people had their personal information exposed or the nature of that information.

“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” American spokesman Curtis Blessing said. “A very small number of customers and employees’ personal information was contained in those email accounts.”

The way this statement was written by American Airlines leaves me with more questions than answers. Perhaps they don’t know the full extent of the breach. Or they do and simply don’t want to say. Either is plausible. John Gunn, CEO of Token, takes this view:

“The reputational damage from this breach will likely far exceed the out-of-pocket losses, especially in an industry where proper precautions and safety are paramount in customers’ selection of which airline they fly with.”

This is 100% true. And it likely doesn’t help that American Airlines is clearly being guarded about what it says. I would keep an eye on this story as I am sure that the airline will have to say more on this hack.

A Company Called FishPig Has Been Pwned… And This Could Lead To The Pwnage Of 200K Websites That Use Their Software…. Yikes!

Posted in Commentary on September 14, 2022 by itnerd

A reader of this blog brought the story of a company called FishPig to my attention. I’m not sure that’s the best name for a company, but whatever. Anyway, they were apparently pwned by hackers and here’s the fallout from that:

FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems.

The unknown threat actors used their control of FishPig’s systems to carry out a supply chain attack that infected customer systems with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and can be activated by covert commands related to handling the startTLS command from an attacker over the Internet. Once activated, Rekoobe provides a reverse shell that allows the threat actor to remotely issue commands to the infected server.

“We are still investigating how the attacker accessed our systems and are not currently sure whether it was via a server exploit or an application exploit,” Ben Tideswell, the lead developer at FishPig, wrote in an email. “As for the attack itself, we are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system. Once inside though, they must have taken a manual approach to select where and how to place their exploit.”

FishPig is a seller of Magento-WordPress integrations. Magento is an open source e-commerce platform used for developing online marketplaces.

Well that concerns me right out of the gate as this blog runs on WordPress. I only run a handful of plug-ins and none of them are from this company as far as I recall. But I’ll be checking the few plug-ins that I use on this site to ensure that I personally haven’t been pwned. If you run a WordPress site or use Magento, you might want to do the same thing. Like now. The article that I linked to can help you with that if you’re unsure as to what you should be looking for and doing.

This is your classic supply chain attack. And it illustrates why you need to be on top of everything that you use in your software stack. As well as being on top of what your vendors use in their software stack. Because anything that you use, or they use, no matter how minor, can lead to you getting pwned by hackers.

InterContinental Hotels Group Appears To Have Been Pwned

Posted in Commentary on September 6, 2022 by itnerd

This is still a developing story. But Brian Krebs, who is a go-to guy when it comes to hackers, scammers, and computer security news, is reporting this:

The news that the company disclosed to the London Stock Exchange doesn’t say anything useful. Thus it isn’t really clear what’s going on. From reading it, the hack seems like ransomware. But until the company decides to give an update, we can only guess.

Watch this space for more details.

The Los Angeles Unified School District Pwned By Ransomware

Posted in Commentary on September 6, 2022 by itnerd

The Los Angeles Unified School District has disclosed a ransomware attack which hit its IT systems over the weekend. The school district, which has more than 640,000 K-12 students enrolled and covers LA and LA County, posted this on Twitter:

Dr. Darren Williams, CEO and Founder of BlackFog had this to say:

“With the education vertical typically being underfunded, under-resourced and in many cases reliant on antiquated cybersecurity tools to prevent cyberattacks, it’s unlikely we’ll see this change in the near future. Cybercriminals will continue to target organizations with weak cybersecurity defenses and a plethora of sensitive data they can exfiltrate and leverage for extortion. Often, we see smaller school districts being targeted; unfortunately for LAUSD, 640,000 students will undoubtedly feel the pain from this incident.”

Clearly this was timed to coincide with the return to school so that it had the maximum effect. We can expect to see more of this behaviour, as ransomware gangs clearly see value in executing their attacks in this manner.

Plex Has Been Pwned…. Users Asked To Change Their Passwords

Posted in Commentary on August 24, 2022 by itnerd

In case you’re not familiar with Plex, this is a service that lets users stream video from their computer to any other device, effectively creating their own personal streaming service in the process. Well, this service has been pwned and a “limited subset” of user data has been pulled from its servers, according to an email that the company sent out to users. Troy Hunt, creator of haveibeenpwned.com, was apparently affected by this and posted the email that Plex sent out:

But the company is still telling users to change their passwords. Instructions on how to do that can be found here. And the company says that the cause of the breach has been discovered:

We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions.

Still, that may be cold comfort if you’re affected by this.

Digital Ocean Indirectly Pwned In Attack On Mailchimp

Posted in Commentary on August 17, 2022 by itnerd

Digital Ocean says some customer email addresses were exposed due to a recent ‘Security incident’ at email marketing company Mailchimp.

  • On August 8th, DigitalOcean discovered that our Mailchimp account had been compromised as part of what we suspect to be a wider Mailchimp security incident that affected their customers, targeted at crypto and blockchain.
  • From that Mailchimp incident, we suspect certain DigitalOcean customer email addresses may have been exposed. Out of an abundance of caution, we are currently sending email communications to those impacted.
  • A very small number of DigitalOcean customers experienced attempted compromise of their accounts through password resets. These customers’ accounts have been secured, and have been contacted directly.
  • As of August 9th, we have migrated email services away from Mailchimp.
  • No customer information other than email address was compromised, however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account.

Charming. This is similar to the Toronto Symphony Orchestra ransomware hack from a couple of weeks ago, in that this was a supply chain attack.

Mark Bower, VP of Product at Anjuna Security, had this to say:

“There are three things attackers go for – credentials, code and keys, irrespective of platform or architecture. From there, it’s access to sensitive data, sometimes en masse and catastrophic. The first is the human problem and the easy button for attackers with trusted email being a great place to start to obtain escalated privilege and control, as in this case. But businesses have to look out for insider risk and also get past the unsustainable patch sprints that leave systems open to compromise like Log4J did to the industry. Escalated privilege – from insiders, attacks, or vulns – leaves a massive gap in defenses: operating memory data theft has been missing from risk conversations because it’s not been easy to protect until the arrival of new techniques like confidential computing. With more and more data staying persistent in memory for speed, cloud latency reduction and scaling, it’s becoming a considerable risk – mitigations must therefore include it today and on CISOs’ near term roadmap.”

If you take this hack combined with the indirect attack on the TSO, companies should get the message that they have to assess their attack surface, including the third party services that they use, and see what their risks are. That way they can take steps to make sure that they don’t get pwned directly or indirectly.

Clop Ransomware Pwns Water Supplier…. Just The Wrong Water Supplier

Posted in Commentary on August 16, 2022 by itnerd

Clop ransomware has claimed to have breached water supplier Thames Water by accessing its SCADA systems, which would give them the ability to cause harm to 15 million customers. However, the evidence of stolen files that Clop published was a spreadsheet featuring South Staff Water and South Staffordshire email addresses. South Staffordshire Water, a company which supplies 330 million liters of drinking water, issued a statement confirming an IT disruption from a cyberattack.

Oops.

Dr. Darren Williams, CEO and Founder of BlackFog has this to say:

“With the rise of ransomware as a main attack method, criminals are running rampant to find any vulnerable systems they can take over. Whilst Clop did successfully breach South Staffordshire Water’s systems, they totally missed the mark here, claiming responsibility for a breach that didn’t happen (Thames Water being in South England, and Staffordshire being up North…)

Nevertheless, whilst misidentification of their target is somewhat embarrassing, the very fact that a water board is their latest victim is quite harrowing: severe drought conditions currently preside over the UK, with millions of households facing strict water usage restrictions. Clearly, attackers want to hit us where it hurts the most…

All organizations must remember how crucial it is to secure your environment and prevent data exfiltration at the endpoint if we are to prevent cataclysmic scarcities in our critical infrastructure supply chain.

On a lighter note, we must remember that such attack vectors are not any more dangerous than the usual, just uniquely targeted.”

Even accidentally pwning someone is still pwning someone. And it still has far reaching effects that the victim will still have to deal with.

Luxembourg Based Pipeline Operator Pwned In Ransomware Attack

Posted in Commentary on August 1, 2022 by itnerd

Bleeping Computer is reporting that BlackCat ransomware has claimed responsibility for an attack on a European gas pipeline. Creos Luxembourg S.A., a natural gas pipeline and electricity network operator in the central European country, last week announced that they had suffered a cyber attack. While the cyberattack had resulted in the customer portals of Encevo and Creos becoming unavailable, there was no interruption in the provided services.

On July 28, the company posted an update on the cyberattack, with the initial results of their investigation indicating that the network intruders had exfiltrated “a certain amount of data” from the accessed systems.

At that time, Encevo wasn’t in a position to estimate the scope of the impact and kindly asked customers to be patient until the investigations were concluded, at which time everyone would receive a personalized notice.

Since no further updates have been posted on Encevo’s media portal, this procedure is likely still underway. Encevo says that when more information becomes available, it will be posted on a dedicated webpage for the cyberattack.

For now, all customers are recommended to reset their online account credentials, which they used for interacting with Encevo and Creos services. Furthermore, if those passwords are the same at other sites, customers should change their passwords on those sites as well.

Saryu Nayyar, CEO and Founder of Gurucul had this to say:

“With Encevo unable to “estimate the scope” of the attack, it highlights a common problem with today’s security operations. Too often are security teams overwhelmed with disparate and unrelated alerts or have to piece together the alerts manually, which leads to false positives and wasted efforts. Security teams lack the high accuracy needed to not only establish a threat but also understand the entire attack campaign versus just individual threats. The ability to collect a full set of telemetry across different sources, link together the various indicators of compromise (IoCs) and “build the puzzle” automatically is critical to providing the full context needed by security teams to ideally prevent the attack, but also, as in this case, to be able to respond appropriately and quickly.”

I for one will be interested to see the scope of the attack and the data that was stolen, or, in the words of the pipeline operator, “accessed”. Along with how the pipeline operator deals with the fallout of this attack.