Robin’s Newsletter #315

30 June 2024. Volume 7, Issue 26
TeamViewer says it was compromised by Cozy Bear. Thousands arrested in law enforcement crackdown on scammers. Two critical MOVEit vulnerabilities.

This week

TeamViewer says Russian APT group compromised its IT environment

  • TeamViewer, the company behind a popular remote IT administration tool of the same name, says that the Russian state-sponsored group APT29 (aka Cozy Bear, Midnight Blizzard) gained unauthorised access to its corporate IT environment this week. The company says there is “no evidence” the attackers gained access to its production environment or customer data.
  • TeamViewer claims over 600,000 customers worldwide, which makes it an attractive target for Russian intelligence: activity from a legitimate, widely deployed administration tool is easy for target organisations to overlook (albeit one that is also popular with scammers and fraudsters).
  • The root cause was the theft of credentials for a “standard employee account” on 26th June. Detecting, investigating and attributing the intrusion within a few days is a pretty good turnaround time. LINK, MORE

More critical vulnerabilities in MOVEit file transfer solution

  • Progress Software has patched two critical vulnerabilities in its MOVEit Transfer and Gateway products. Vulnerabilities in the same software were responsible for the 2,773 organisations breached by the Cl0p cybercrime group last year.
  • The company contacted customers on 13th June, with the information under embargo until 25th June to give affected users time to patch. CVE-2024-5805 (Gateway) and CVE-2024-5806 (Transfer) are authentication bypass bugs in the products’ SFTP modules, each scored 9.1/10 on CVSS.
  • The Shadowserver Foundation reported exploitation attempts against MOVEit instances shortly after the public disclosure. LINK, ADVISORIES: GATEWAY, TRANSFER

Thousands of arrests in global operation against scammers

  • International law enforcement agencies arrested over 3,900 suspects and seized $257 million in assets this week. Operation First Light involved officers from 61 countries and identified a further 14,600 potential suspects involved in phishing, investment fraud, romance scams, and impersonation scams. 
  • Police stopped a $331,000 business email compromise scam involving a victim in Spain and recovered $3.7 million wired through bank accounts in Malaysia and Hong Kong. LINK

Interesting stats

Up to 6 months: the expected wait time for blood tests at NHS hospitals in south-east London affected by the Qilin cybercriminal attack on Synnovis, a supplier of blood tests for the region. 30% of normal capacity is available at the affected hospitals and GP surgeries, according to The Guardian. Law enforcement agencies in the UK and the US have announced that they are joining forces to tackle the Qilin group, which is believed to operate from Russia. STAT, UK/US

Other newsy bits / in brief

⚠️ Incidents:

  • CRM provider HubSpot is investigating an incident involving “bad actors… attempting to gain unauthorized access to [customer] accounts.” LINK
  • Evolve Bank & Trust confirmed a data breach this week after customer information was posted on the dark web. A LockBit affiliate appears to be responsible. The exposed data includes names, Social Security Numbers, dates of birth, account information, and other personal information; payment card and online banking credentials “do not appear to be impacted by the cybersecurity incident,” a spokesperson said. Evolve provided banking services to other financial players, including the popular multi-currency provider Wise, though Wise says it had ended its relationship with Evolve well before this incident. Airwallex, Stripe, and many other fintech companies are known to have partnered with Evolve. LINK, MORE
  • “Massive” distributed denial of service (DDoS) attacks are being reported by Crimean telco operators. LINK
  • Polyfill[.]io, a cloud-hosted service that adds modern JavaScript features to older web browsers, was sold earlier this year to a Chinese company called Funnull, which has since used the domain to serve malware to visitors of websites that still load scripts from it. Pinning the script with a subresource integrity (SRI) attribute would protect you from such attacks, provided the script you load is static. LINK, SRI
  • Yahoo Japan says it will waive $189 million in advertising charges stemming from fraudulent clicks. LINK
  • The CISA security breach disclosed in March this year involved its Chemical Security Assessment Tool (CSAT) environment, which facilities use to assess and record security at sites holding sensitive chemicals. LINK
  • Car dealership software vendor CDK expects system outages to persist through 30th June following a ransomware attack. LINK

🏴‍☠️ Ransomware:

  • Brain Cipher (a LockBit 3.0 variant) hit a national data centre in Indonesia, impacting over 200 institutions, including immigration services, and causing backlogs at Jakarta’s Soekarno–Hatta International Airport. The cybercriminals demanded a ransom of $8 million, which the Indonesian government refused to pay. LINK
  • South Africa’s National Health Laboratory Service (NHLS) confirmed a ransomware attack, while it battles an mpox (aka monkeypox) outbreak in the country. LINK

🕵️ Threat Intel:

  • A ‘Mirai-like’ botnet is attacking end-of-life Zyxel NAS326 and NAS542 devices using CVE-2024-29973, a critical command injection vulnerability patched earlier in June. LINK
  • Five WordPress plugins installed on up to 36,000 websites have been compromised and used to gain control over the installed sites in a software supply-chain attack. LINK
  • SentinelOne says that Chinese state-backed hackers are increasingly deploying ransomware as their final stage of an attack in an attempt to make money or distract defenders and cover their tracks. LINK
  • Mac users searching for the ‘Arc’ web browser are being targeted with malware through Google Ads, according to Malwarebytes. LINK

🪲 Vulnerabilities:

File transfer double-header this week:

  • Progress Software MOVEit (see above)

  • Fortra FileCatalyst Workflow is vulnerable to SQL injection, allowing unauthenticated attackers to create admin users. CVE-2024-5276 (9.8/10) was discovered in May by Tenable but only made public this week. LINK, ADVISORY

  • GitLab Community and Enterprise editions contain a bug allowing pipelines to run as any user. CVE-2024-5655 (9.6/10). LINK, ADVISORY

  • Juniper has released an emergency patch for its Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. CVE-2024-2973 (10/10) allows for authentication bypass on the affected devices and for the attacker to take full control. LINK, ADVISORY

🛠️ Security engineering:

  • Google is removing certificate authority (CA) Entrust from Chrome in November this year. “Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly trusted CA poses to the internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.” Certificates Entrust issues after the cutoff will not validate in Chrome, while existing ones keep working until they expire, so expect a trickle of certificate errors as sites renew. Check now whether any of your public-facing certificates chain to Entrust, and set a reminder in your calendar to consider it when triaging issues later this year. LINK

🧿 Privacy:

  • The California Privacy Protection Agency (CPPA) and France’s Commission Nationale de l’Informatique et des Libertés (CNIL) have inked a deal to collaborate on research and share findings. LINK

👮 Law Enforcement:

  • The US Department of Justice has indicted four suspected members of the FIN9 cybercrime group for causing $71 million in losses to US companies. LINK
  • Amin Timovich Stigal, 22, a Russian national, has been indicted by US authorities for his role in the ‘WhisperGate’ wiper attacks against Ukraine ahead of Russia’s 2022 invasion. If you’re scratching your head over why the US is stepping in here, despite the systems being Ukrainian, some of them were hosted on servers in the US. LINK
  • A 42-year-old man in Western Australia was arrested for allegedly setting up fake free Wi-Fi networks at Australian airports and on domestic flights. LINK

💰 Investments, mergers and acquisitions:

  • Odaseva, a startup focused on securing Salesforce environments, has raised $54 million in funding. I find it interesting that there’s a whole bunch of solution providers in this space (WithSecure, Varonis, and Salesforce itself) and that, if this kind of investment (and presumably revenue) is available, Salesforce doesn’t just step up and secure its solutions. LINK
  • PortSwigger, the firm behind the popular Burp Suite penetration testing toolkit, has taken a $112 million investment from Brighton Park Capital. LINK

And finally

  • WikiLeaks founder Julian Assange has agreed a deal with the US government to end an extradition battle. Assange pleaded guilty to a single charge of conspiring to obtain and disclose classified US documents at a federal court in Saipan, the capital of the Northern Mariana Islands, a US territory in the Pacific Ocean. In exchange, he was sentenced to time served due to his incarceration at London’s Belmarsh prison, where he had been held since leaving the Ecuadorian embassy five years ago. After the hearing, Assange returned to his native Australia as a free man. LINK
  • Pub quiz fact: Saipan is the location of the US’s smallest and most remote federal court.
Robin

  Robin's Newsletter - Volume 7

  NHS Health care Synnovis Ransomware Qilin TeamViewer APT29 Russia Progress Software MOVEit Operation First Light HubSpot Evolve Bank and Trust Crimea Indonesia Brain Cipher WordPress Fortra FileCatalyst GitLab Juniper Entrust FIN9 WikiLeaks Julian Assange