The IT Nerd

Smartphone payment provider LINE Pay announced yesterday that around 133,000 users’ payment details were mistakenly published on GitHub between September and November of this year:

Files detailing participants in a LINE Pay promotional program staged between late December 2020 and April 2021 were accidentally uploaded to the collaborative coding creche by a research group employee. Among the leaked details were the date, time, and amount of transactions, plus user and franchise store identification numbers. Although names, addresses, telephone, credit card and bank account numbers were not shared, the names of the users and other details could be traced with a little effort. 

The information — which covered of over 51,000 Japanese users and almost 82,000 Taiwanese and Thai users — was accessed 11 times during the ten weeks it was available online. The information has since been removed, and LINE said users have been notified. The fintech division of the communication app company issued an apology and promised to train staff better.

An apology is not good enough. Not only do heads need to roll over this, the relevant government authorities need to investigate this company as they way they handle data is clearly suspect. Especially since they’ve had two other similar incidents in the past. Thus making this incident completely unacceptable by any standard.

A new report from SentinelOne details 27 vulnerabilities in the Eltima SDK, a USB-over-network library used by numerous cloud providers to remotely mount a local USB drive. The software and cloud platforms affected include Amazon WorkSpaces, FlexiHub and more. Exploiting these flaws would allow remote threat actors to gain elevated access on a cloud desktop to run code in kernel mode. 

Yan Michalevsky, CTO and Cofounder, Anjuna Security:

“The implication of this flaw is that remote attackers can gain privileged access on cloud instances and potentially compromise data.This is where Confidential Computing can further protect applications and data even when the infrastructure is compromised and attackers gain admin access.”

“This is just one example of what has been known for a while:  Today’s computing infrastructure isn’t safe. Any host data and security protection can be compromised via USB but also through multiple other software-based avenues that lead to the holy grail:  Unencrypted host memory.” 

There’s no sign of a widespread exploitation of the issues that SentinelOne has raised, and the vendors have been notified and taken action to mitigate them. But you can bet the bad guys are going to start to exploit this now that this report is out there if people don’t take the mitigation steps in the report.

Here’s a story that I thought I would never be writing. A Cuba Ransomware Gang Hauls in $44M in Payouts. That’s right. A ransomware gang in Cuba. The gang used a variety of tools and malware to carry out attacks in volume on critical sectors, warned the FBI in a flash alert.

Anurag Gurtu, CPO, StrikeReady (www.strikeready.co) had this to say:

Cuba ransomware is known to targets victims’ personal files such as photos, videos, and documents. This attack involves using CryptGenRandom API call to generate keys for encryption of files using a custom algorithm. It’s not uncommon to see this ransomware gang using a Russian linked malware –  Hancitor, aka Chanitor malware.  

Hancitor spreads via social engineering techniques mainly through phishing e-mails embedded with malicious links and weaponized Microsoft Office documents containing malicious macros in them. And its attack chain often begins with the threat actor sending out fake DocuSign malspam emails, which results in a victim unknowingly downloading a Trojanized Microsoft Word document. Once the fake DocuSign document is opened and its malicious macro code is allowed to run, Hancitor will reach out to its command and control (C2) infrastructure to receive a malicious URL containing a sample of Ficker to download.

Companies need to work on ensuring that their employees are equipped with the tools to avoid being phished. Because if the threat doesn’t get in, nothing bad will happen. And that’s the best form of protection.

A Russian hacking group is using new stealthy type of malware called Ceeloader. The Nobelium hacking group has continued to breach gov’t and enterprise networks worldwide by targeting their cloud and managed service providers:

Ceeloader communicates via HTTP, while the C2 response is decrypted using AES-256 in CBC mode.

The custom Ceeloader downloader is installed and executed by a Cobalt Strike beacon as needed and does not include persistence to allow it to automatically run when Window is started.

Nobelium has used numerous custom malware strains in the past, specifically during the Solarwinds attacks and in a phishing attack against the United States Agency for International Development (USAID).

And:

To hamper attempts at tracing the attacks, Nobelium uses residential IP addresses (proxies), TOR, VPS (Virtual Private Services), and VPN (Virtual Private Networks) to access the victim’s environment.

In some cases, Mandiant identified compromised WordPress sites used to host second-stage payloads that are fetched and launched into memory by Ceeloader.

Finally, the actors used legitimate Microsoft Azure-hosted systems with IP addresses that had proximity to the victim’s network. 

This approach helps blend external activity and internal traffic, making detecting the malicious activity unlikely and the analysis harder.

Eddy Bobritsky, CEO, Minerva Labs (www.minerva-labs.com) had this commentary:

“The Ceeloader looks to be another evolution step in the ever increasing malware sophistication, using more improved evasion techniques and very specific low level attack methods such as file-less downloading and memory injection.

Most traditional antiviruses and protection services base their detection on known signatures and threat actor behaviors. This makes attacks like these very difficult to mitigate for zero-day and unknown malware variants, especially those designed to evade detection, and require specialized approaches like implementation of Hostile Environment Simulation Models along with other anti-evasion protection techniques.”

This seems pretty scary for admins and those who are charged with protecting networks from being hacked and pwned. I guess it’s time for everyone to bring their “A” game to keep this threat at bay.

German security researchers analyzed nine popular WiFi routers from these companies:

• Asus
• AVM
• D-Link
• Netgear
• Edimax
• TP-Link
• Synology
• Linksys

And what they found is absolutely insane. They found a total of 226 potential vulnerabilities in them, even when running the latest firmware. What’s really insane about this is that these routers are used by millions of people. And some of the vulnerabilities that were uncovered are publicly disclosed ones, which is REALLY bad.

Here’s the specific routers that were tested:

• TP-Link Archer AX6000 – 32 security issues
• Synology RT-2600ac – 30 security issues
• Netgear Nighthawk AX12 – 29 security issues
• D-Link DIR-X5460 – 26 security issues
• Edimax BR-6473AX – 25 security issues
• Asus ROG Rapture GT-AX11000 – 25 security issues
• Linksys Velop MR9600 – 21 security issues
• AVM FritzBox 7530 AX – 20 security issues
• AVM FritzBox 7590 AX – 18 security issues

Now given that these nine had issues, it’s a pretty safe bet that if you grabbed any other router with the latest firmware from these companies, you’d find issues as well.

The vendor responses to the researchers was quick. Here’s what they said (translated from German):

• Asus: Asus examined every single point of the analysis and presented us with a detailed answer. Asus has patched the outdated BusyBox version, and there are also updates for “curl” and the web server. The pointed out that password problems were temp files that the process removes when it is terminated. They do not pose a risk.
• D-Link: D-Link thanked us briefly for the information and published a firmware update that fixes the problems mentioned.
• Edimax: Edimax doesn’t seem to have invested too much time in checking the problems, but at the end there was a firmware update that fixed some of the gaps.
• Linksys: Linksys has taken a position on all issues classified as “high” and “medium”. Default passwords will be avoided in the future; there is a firmware update for the remaining problems.
• Netgear: At Netgear they worked hard and took a close look at all problems. Netgear sees some of the “high” issues as less of a problem. There are updates for DNSmasq and iPerf, other reported problems should be observed first.
• Synology: Synology is addressing the issues we mentioned with a major update to the Linux kernel. BusyBox and PHP will be updated to new versions and Synology will soon be cleaning up the certificates. Incidentally, not only the routers benefit from this, but also other Synology devices.
• TP-Link: With updates from BusyBox, CURL and DNSmasq, TP-Link eliminates many problems. There is no new kernel, but they plan more than 50 fixes for the operating system

Here’s my advice to stay safe:

If you are using any of the models mentioned in the report, you are advised to apply the available security updates and manually check for new updates (I never recommend the use of automatic updating for routers) on weekly basis and change the default password to one that is unique and strong. In fact, that is my advice for anyone who has a router or IoT device in their home.

Additionally, you should do this following:

• Disable remote access
• Disable UPnP (Universal Plug and Play)
• Disable WPS (WiFi Protected Setup)

All of that will keep you as safe as possible.

Earlier this week, CISA and the FBI issued a warning reminder for organizations to stay vigilant against cyber threats during the holiday season, especially on weekends when ransomware gangs normally like to strike – since many companies are closed, short-staffed or off-guard.

While CISA and the FBI provided some best practices to manage the risk of posed cyber threats, I sourced some commentary. Starting with Brent Sleeper, data security product marketing manager at HelpSystems, a provider of IT management software and services, who says the following:

“Ransomware has been a constant cybersecurity threat to organizations for many years. With the tools needed to carry out these attacks readily available on the dark web, ransomware has evolved into a serious activity for today’s cybercriminals. The tools are used to gain access to systems or networks with the objective of stealing or locking down sensitive data. The perpetrators then demand a ransom for its safe return, with many threatening to release the data into the public domain or destroy it if the ransom is not paid. Organizations that fall victim to ransomware attacks will often face weeks of costly disruption and unwanted publicity, so it’s important to understand the risks and limit the number of vulnerabilities that could potentially be exploited.

Improving awareness is a step in tackling ransomware. As ransomware is often delivered through email, employees should be educated on what to look out for and understand the dangers of clicking on unsolicited links or opening attachments. However, even with training in place, employees may still inadvertently trigger an attack, which is why it’s critical to have technology that prevents ransomware from reaching your organization in the first place. Email security solutions that automatically detect and remove malicious content or active code buried deep in attachments can neutralize threats before they do any harm. Organizations can also make sure that vulnerabilities in systems, software and applications are minimized by keeping them patched and up to date. These countermeasures will help ensure an organization’s defense against ransomware is more resilient and robust, and that its data is well protected.”

Next up is Mieng Lim, VP of product management at Digital Defense by HelpSystems, who says:

“Ransomware threats are constantly evolving. From the commoditization of ransomware through the recent availability of as-a-service tools, to increasingly sophisticated attack strategies, it is a threat landscape that demands constant monitoring and education from organizations and governments alike. This is perfectly illustrated by the new strain of ransomware discovered by Sophos this week.

Typically, hackers enter their victim’s systems and linger undetected, harvesting data and identifying targets before they deploy a targeted ransomware attack. However, this new python-based ransomware enters systems and initiates an attack within a few hours, making fast-acting threat detection and response absolutely essential for businesses. 

The first step in building an effective ransomware mitigation strategy is always setting realistic expectations. Ransomware breaches are no longer fully preventable, so businesses must focus on layering defensive barriers between an attacker and their most sensitive data. Running regular penetration testing and vulnerability scanning can help an organization identify and repair possible attack vectors, closing backdoors before an attacker can enter them and minimizing an attacker’s ability to escalate their privileges once inside the system. 

However, for any organization looking to improve its cyber threat response time, threat detection tools are a must. Network Traffic Analysis (NTA) works to monitor a network for any suspicious activity, detecting ransomware breaches and infection as quickly as possible. On top of these, active threat scans can give the organization peace of mind. If a breach is spotted, it is important to reassess the state of the IT environment to ensure that there isn’t a repeat attack. Unfortunately, we live in an era where preventing 100% of cyber risks is no longer possible, but constant vigilance, ongoing-cyber threat education, and a well-planned threat detection and response strategy will go a long way towards keeping your organization’s most sensitive data safe.”

Thanks to @TheDanLevy for bringing this to light. It seems that Ontario’s COVID-19 vaccine portal might have been pwned:

A spokesperson for the Solicitor General confirmed the government has received multiple reports of spam text messages received by individuals who scheduled appointments or accessed vaccine certificates through the COVID-9 immunization system.

“Ontarians should be aware these texts are financial in nature and that the government will never conduct a financial transaction through these methods,” Marion Ringuette said in a statement.

“The government takes allegations of fraud very seriously and is aggressively investigating these reports with our partner ministries, the Ontario Provincial Police (OPP) and others.”

This isn’t good and one hopes that spam texts are the only thing that are the result of this incident as I can see how anything more than that won’t end well for those who have been affected. In the meantime, Ontario residents should keep their heads on a swivel.

I recently wrote about the fact that the EMEA operations for Olympus were pwned by a ransomware attack. Well, it’s happened again. And I am not sure how I missed this:

On its website, the company said it was investigating a “potential cybersecurity incident” detected on Oct 10, 2021.

The cyber attack shut down the company’s IT systems in the Americas, affecting the U.S., Canada, and Latin America with no impacts on other parts of the world, the company said.

It appears to be a ransomware attack according to this:

However, citing a ransom note left behind by the ransomware-as-a-service (RaaS) group BlackMatter, an insider told TechCrunch that Olympus was recovering from a ransomware attack.

Additionally, the ransom note pointed to BlackMatter’s Tor website used for collecting ransom from other victims.

There is clearly more pwnage going on than I can keep up with. And that’s not good. I’m not talking about the fact that missing pwnage affects my click rates and page views. I am talking about the fact that every single day there’s a company being pwned. That’s not good for all of us.

Security researcher David Schutz discovered an SSRF bug in an internal Jobs API Google Cloud project. The now-patched vulnerability would have allowed attackers to access sensitive resources but was found while Schutz was conducting research for Discovery Documents. This is now fixed.

Yariv Shivek, VP of Product, Neosec had this to say:

The exploitation of this SSRF vulnerability highlights the need for API traffic monitoring and behavioral analytics: Once an attacker obtains an access token (or an API key, or any other form of credentials) they can impersonate an authenticated party and operate as that party. Can you spot abnormal behavior carried out by authenticated parties? Do you even see it?

That’s a good question. Hopefully finding out the answer to that question doesn’t have any negative effects. As in someone who gets pwned.