MOVEit victims list grows; US announces $10 million bounty
- It’s not been a good week for Progress Software after a new vulnerability was found in their MOVEit software which is at the centre of a mass data breach. Proof of concept code has also been released for the SQL injection vulnerability (tracked as CVE-2023-35708).
- The Minnesota Department of Education and the UK’s telecommunications regulator Ofcom have both been identified among the hundreds of victims in the attacks, along with the personal details of every driver’s license holder in the US state of Louisiana.
- The US government is offering $10 million for information on the Clop ransomware group, who have claimed responsibility for the attacks. That level of heat is unwanted attention for cybercriminals; I’d expect some sort of ‘shutting down’ type announcement from Clop, as we saw with Conti (vol. 5, iss. 21).
$91 million was extorted by LockBit from US victims, amongst at least 1,653 attacks against US victims since 2020, according to CISA.
- Russian national Ruslan Magomedovich Astamirov, 20, was arrested in Arizona this week for allegedly playing a part in LockBit’s ransomware attacks.
300 new sites/month were added to a massive phishing campaign that impersonated 100 footwear and clothing brands… 6,000 sites were discovered by researchers at Bolster.
Other newsy bits / in brief
IP Theft: South Korean prosecutors have arrested and indicted a former Samsung executive for “an attempt to copy a whole chip plant”. The unnamed 65-year-old Korean national allegedly acquired advanced chip manufacturing plans and intended to build a rival plant just one mile away from Samsung’s semiconductor plant in western China. It’s hot on the heels of what Bloomberg describes as ‘the plot to steal the other secret inside a can of Coca-Cola’ (a two-micron thick liner that prevents the sugary, acidic drink from dissolving the can itself). China’s Thousand Talents Plan primarily targets Chinese nationals who have succeeded overseas as entrepreneurs, professionals and researchers. It rewards them with cash bonuses, academic titles, and startup funds that encourage them to bring their knowledge back to the Chinese domestic market.
Patch now: Fortinet’s FortiOS and FortiProxy SSL-VPN contain a critical vulnerability that can be used, pre-authentication, to gain remote code execution on the devices. CVE-2023-27997 (9.2/10) has already been exploited in the wild. VPN devices are, by nature, on the perimeter of company networks, making them an attractive target for cybercriminals. This vulnerability makes it trivial for them to gain unauthorised access to the networks that the devices are intended to be protecting.
Cadet Blizzard: Microsoft says it has identified a new unit carrying out cyber operations against Ukrainian infrastructure. The threat group, which Redmond is calling Cadet Blizzard, is a distinct unit within Russia’s Main Intelligence Directorate (GRU) and was behind the WhisperGate wiper attacks carried out in the weeks before Russia invaded Ukraine. A new report from Symantec this week provides details of how Russia’s Federal Security Service (FSB) has been using USB-based malware to steal data from targets. ‘Shuckworm’ is a PowerShell script that copies itself to USB removable media in an apparent attempt to bridge air-gapped networks.
WooCommerce’s Stripe Gateway plugin for WordPress has an insecure direct object reference (IDOR) vulnerability that could expose sensitive order details to attackers. The WooCommerce plugin is used by 900,000 websites to process card transactions; over half of them are still running a vulnerable version.
Barracuda Networks: Mandiant believes Chinese-backed attackers are likely behind the exploitation of Barracuda’s email security gateways. Last week Barracuda announced that it would be providing free replacement devices (vol. 6, iss. 24), indicating that the devices may have been compromised to such a low level that reinstallation would not eject the attackers.
Capita is on the receiving end of a class-action style lawsuit launched by a UK law firm this week. The outsourcer suffered an incident in March (vol. 6, iss. 15). Capita has been quiet about the scale of the incident, and the UK’s Pensions Regulator is ‘engaging directly’ with the firm to understand the impact on pension scheme clients (vol. 6, iss. 19).
The Chinese ‘ChamelGang’ group is using DNS-over-HTTPS to a custom name server to encrypt and hide its command and control traffic and exfiltrated data.
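DoH to an attacker-run resolver still has to leave the network as ordinary HTTPS, so it shows up in proxy logs. The example below is added here (it is not code from the newsletter or from any vendor) and flags RFC 8484-shaped DoH requests to resolvers outside an assumed allow-list, plus unusually large DNS payloads that would be consistent with exfiltration; the log lines and the allow-list are constructed for illustration.

```python
"""Flag DNS-over-HTTPS traffic to non-approved resolvers in proxy logs."""
import re
from urllib.parse import urlparse

# Resolvers the organisation sanctions for DoH (assumed policy, not from the newsletter).
APPROVED_DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
# A plain DNS message is small; anything well above 512 bytes is worth a second look.
LARGE_PAYLOAD_BYTES = 512

# Constructed sample proxy log lines: timestamp, client, method, url, content-type, bytes.
SAMPLE_LOG = """\
2023-06-15T10:01:02Z 10.0.4.21 POST https://cloudflare-dns.com/dns-query application/dns-message 128
2023-06-15T10:01:05Z 10.0.4.21 GET https://example.com/index.html text/html 5120
2023-06-15T10:01:09Z 10.0.4.33 POST https://resolver.example.net/dns-query application/dns-message 2048
2023-06-15T10:01:12Z 10.0.4.33 GET https://resolver.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message 96
2023-06-15T10:01:20Z 10.0.4.50 POST https://dns.google/dns-query application/dns-message 140
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d+)$")


def is_doh_request(method, url, content_type):
    """RFC 8484 shapes: POST/GET with application/dns-message, or GET .../dns-query?dns=<base64url>."""
    parsed = urlparse(url)
    if content_type == "application/dns-message":
        return True
    return method == "GET" and parsed.path.endswith("/dns-query") and "dns=" in parsed.query


def find_unapproved_doh(log_text):
    """Return (client, resolver host, bytes, large?) for DoH requests to resolvers not on the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, method, url, ctype, size = m.groups()
        host = urlparse(url).hostname
        if is_doh_request(method, url, ctype) and host not in APPROVED_DOH_HOSTS:
            hits.append((client, host, int(size), int(size) > LARGE_PAYLOAD_BYTES))
    return hits


if __name__ == "__main__":
    for client, host, size, large in find_unapproved_doh(SAMPLE_LOG):
        print(f"{client} -> {host} ({size} bytes){' LARGE' if large else ''}")
```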
NCSC Cyber Incident Response: The UK National Cyber Security Centre is extending its cyber incident response (CIR) scheme. To date, participants in the scheme have been geared up to tackle incidents involving nation-states or that affect critical national infrastructure; the new ‘level 2’ scheme, which will be delivered in partnership with CREST, is aimed at the more common, financially motivated attacks that affect most organisations.
SIM Swapping: The Federal Communications Commission is establishing a ‘privacy and data protection’ task force to tackle consumer issues including data sharing, collection of geolocation data and SIM swapping. SIM swapping is a common tactic in which cybercriminals use stolen personal data to convince telco customer service agents to transfer mobile phone numbers to new SIM cards, effectively redirecting all calls and SMS messages (including those used for multi-factor authentication).
AI Regulation: European Union officials have voted for stricter regulation of artificial intelligence and, under the draft legislation, AI will be banned from use in biometric surveillance.
- Top work, El Reg: “A Florida man and his valet appeared in a Miami federal courtroom on Tuesday to respond to criminal charges of document hoarding and related claims.”
Plus, a double-whammy of side-channel research this week:
HertzBleed: More side-channel research from academics at Israel’s Ben-Gurion University of the Negev and Cornell Tech, this time using the rolling shutter feature on modern smartphones to extract data on cryptographic keys from LEDs (paper) on the target devices. Videos of ‘HertzBleed’ (top pun) show it was successful against smart card readers and a Samsung Galaxy smartphone with USB speakers connected.
Freaky Leaky SMS: Delivery reports for SMS messages can be used to infer a recipient’s location, according to university researchers. The paper (PDF) claims “up to 96% accuracy for locations across different countries, and 86% for two locations within Belgium”. The technique uses the round-trip time between sending a message and receiving its delivery report to determine the location. Delivery reports are baked into the SMS standard and aren’t something you can disable for your device or account.