Risky Biz News: Ransom campaign hits cloud servers

In other news: Iranians also targeted the Harris campaign; Germany wants to limit Windows kernel access; 2024 is set to be the highest-grossing year for ransomware.

This newsletter is brought to you by Corelight. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher, by subscribing via this RSS feed, or on Apple Podcasts.

A threat actor is hacking and extorting companies that have misconfigured their cloud server infrastructure.

The data extortion campaign has been taking place since earlier this year and involves a large-scale scan of the internet for companies that have exposed their environment variable files.

Also known as .env files, these act as a centralized location for storing configuration data used by multiple software solutions.

Security firm Palo Alto Networks says the attacker has been scanning the internet for .env files, extracting login credentials, and accessing cloud servers.

The attacker has allegedly scanned more than 230 million unique servers and successfully retrieved 90,000 environment variables, with around 7,000 of these being access keys associated with cloud services.

PAN researchers say that in some cases the attacker accessed cloud servers, exfiltrated data, deleted the original files, and then asked for a ransom to return the stolen documents.

Because negotiations were handled via a private channel, researchers are unable to determine if any company has paid the attackers.

The campaign follows a similar pattern seen in the mid-2010s, when multiple threat actors started scanning the internet for misconfigured databases such as MongoDB, Elasticsearch, Redis, and Apache Cassandra. Attackers stole or deleted data and then asked for ransoms from the beleaguered companies, many of which never saw their data back.

Palo Alto Networks did not reveal the number of victims, but the main lesson here is that while some individual cloud services and software may now use secure defaults to prevent unauthorized remote access, these won't work when the attackers are using legitimate access credentials.

Oh, and secure your .env files, you goofballs. That's not the stuff you want to be putting on the internet.

Enzo Biochem settlement: Biotech company Enzo Biochem will pay $4.5 million to settle regulatory charges related to an April 2023 ransomware attack that exposed the personal data of 2.4 million patients. The sum will be divvied out to patients in Connecticut, New York, and New Jersey. Attorneys General from the three states sued the company for its lax security protocols. Officials said hackers breached Enzo Biochem after getting hold of login credentials shared by multiple employees that had not been changed for more than a decade.

AutoCanada hack: Car dealership AutoCanada was hit by hackers over the past weekend. The company says it shut down systems after a breach of its internal IT systems on Sunday. AutoCanada says it expects the attack to cause disruptions to its operations until systems are restored. The company is now the second North American car dealership to deal with a major cyber attack, after CDK Global was hit by ransomware in June.

Iran denies Central Bank hack: The Iranian government has denied that hackers broke into the country's Central Bank systems and stole information on all account holders. The hack was initially reported by Iran International in a two-sentence article with no other details.

Vow crypto-heist: A threat actor has stolen $1.2 million worth of assets from the Vow cryptocurrency project. Vow says the attacker exploited a recent change in its conversion rate to receive 100 times the funds they were entitled to. The project is looking at ways to recover the funds.

Holograph hack arrests: Italian police have detained two suspects believed to have stolen $14.4 million from cryptocurrency platform Holograph. The company filed a complaint with French authorities after getting hacked in June. Holograph's token lost 80% of its market value after the incident. The two suspects are set to be extradited to France to face charges for their crimes. Additional coverage in CoinSpeaker.

Washington Times ransomware attack: The Rhysida ransomware gang claims it hacked right-wing news outlet the Washington Times. The group claims it has stolen sensitive employee data and has given the site a week to pay a ransom. The group is asking for 15 Bitcoin ($300,000). The news outlet has not confirmed the hack. Additional coverage in the Daily Dot.

Kim Dotcom extradition: New Zealand's Justice Minister has signed the extradition to the US of Kim Dotcom, the founder of the Megaupload file-sharing site. The FBI has been seeking Dotcom's extradition since 2012. He is wanted in the US for piracy and copyright infringement-related crimes. Additional coverage in The Guardian.

Texas sues GM over car privacy: The Texas Attorney General has sued General Motors for illegally collecting and selling drivers' data to insurance companies. Texas officials say the carmaker used technology baked into its cars and misleading dark patterns to trick car owners into consenting to having their data collected and sold to third parties. This data was later used to create "Driving Scores" that helped car insurers charge larger fees. GM is the first car manufacturer to be hit with a lawsuit for selling driver data. The Texas OAG says it is also investigating other carmakers for the same practice.

Astra Linux says chill: Russian OS maker Astra Linux has told users to relax after an American think tank called on the research community to start analyzing how the OS works and how it's being used inside Russia.

FBI warns Harris campaign of info-op: The FBI has told the Harris presidential campaign it was the target of a foreign actor's influence operation. Neither the FBI nor the Harris campaign revealed details about the foreign actor. A Recorded Future report published this week claims that Russia, China, Iran, and American extremist groups are all running active influence operations targeting the US presidential election. Additional coverage in Reuters.

BSI wants to limit kernel access: Germany's cybersecurity agency wants to block cybersecurity tools from accessing the Windows kernel. The Federal Office for Information Security (BSI) is exploring the idea after a CrowdStrike update temporarily bricked 8.5 million Windows systems across the globe at the end of July. Microsoft can't stop security tools from accessing the Windows kernel due to an agreement with European antitrust regulators. The BSI is planning a conference later this year with major tech firms, where it hopes they will commit to restricting access to the kernel in a way that satisfies the antitrust ruling. Additional coverage in the WSJ.

Smartphone security label: Germany's cybersecurity agency wants to introduce a cybersecurity labeling scheme for smartphones and mobile devices. The label would be designed to provide easy-to-understand information about a mobile device's security features. The smartphone labeling scheme would follow a similar scheme German authorities have set up for routers and IoT devices.

India orders spam-call crackdown: India's telecom watchdog has ordered service providers to take measures to block unwanted spam and promotional calls from unregistered telemarketing numbers. Providers are required to create blocklists and share blocked numbers with each other no more than 24 hours after a number has been banned. Providers that fail to comply with the new rules risk getting disconnected from the national network for up to two years. Additional coverage in Yahoo News. Read the full TRAI order (PDF).

In this Risky Business News sponsored interview, Tom Uren talks to Brian Dye, CEO of Corelight, about a string of recent CISA advisories. These advisories address specific technical issues, but when examined together, Brian says, there is an underlying message about addressing security holistically.

Slilpp seller sentenced: A judge has sentenced a Russian national to 40 months in prison for selling stolen financial data and login credentials on an underground forum known as Slilpp. Officials say Georgy Kavzharadze was one of the site's most prolific vendors, going by the name of TeRorPP. He allegedly made over $1.2 million selling stolen data and credentials on the site. The FBI tracked down Kavzharadze after it seized Slilpp in June 2021. He's been in custody since May 2022.

FIN7: Team Cymru looks at FIN7's new server infrastructure since its big-time return to the malspam scene this year.

TWELVE returns: Kaspersky researchers say that a pro-Ukrainian hacking group known as TWELVE has returned with new attacks against Russian organizations. The group launched in April of last year but ceased activity after its Telegram channel was suspended at the start of 2024. Kaspersky says it has now detected the group's attack patterns in recent intrusions that took place in June. New evidence also suggests the group is sharing infrastructure with another threat actor known as DARKSTAR. Also known as Shadow or Comet, this group is likewise known for attacking Russian companies with ransomware.

Olympic Games attack infrastructure: BforeAI researchers have published a list of IOCs used in attacks designed to exploit the recent Paris Olympic Games.

Twitter DDoS attack: Chinese security firm QiAnXin says that it detected one of the Mirai botnet variants launch a DDoS attack on Twitter during the Musk-Trump live interview. Sources inside Twitter claimed Musk was lying and that there was no DDoS attack.

Peregrine Technologies profile: Forbes has published a profile of Peregrine Technologies, a startup founded by a former Palantir exec that sells surveillance tools to police forces.

Gafgyt botnet: AquaSec researchers have spotted a Gafgyt botnet variant that targets machines with weak SSH passwords in order to deploy a cryptominer specialized in GPU mining. AquaSec says the botnet appears to be targeting cloud servers with access to high-end resources rather than the IoT equipment it usually infects.

EDRKillShifter: The RansomHub ransomware gang is using a new tool named EDRKillShifter to disable EDR products on compromised networks before launching their attacks.

PrestaShop skimmer: Sucuri researchers look at a web skimmer strain they found planted on e-commerce sites running on the PrestaShop CMS.

Tusk campaigns: Kaspersky has published a report on three infostealer campaigns the company is tracking as Tusk. These campaigns use multiple steps to infect both Windows and macOS users with infostealers. There are also clues that other sub-campaigns may be dormant and ready to go soon.

ValleyRAT: Fortinet researchers have taken a look at a recent campaign spreading the ValleyRAT malware.

Banshee: Elastic's security team looks at Banshee, a new macOS infostealer that goes after browser data and crypto-wallets. The infostealer popped up on malware markets this month and is being sold for $3,000/month, which is quite a pricey tag for a silly stealer.

Mint Stealer: Security researcher Rakesh Krishnan has published a deep dive into Mint Stealer, an infostealer that's been around for two years now and is still going strong despite the crowded stealer market.

James Pope, Corelight's Director of Technical Marketing Engineering, demonstrates the company's Open NDR Platform and how it combines network detections with a whole host of other data sources.

Meta disinfo ops: Meta has published its Adversarial Threat Report for the second quarter of the year. The report covers disinfo operations between April and June. As always, Russia was the number one source of disinfo ops on Meta sites. Half the report (PDF) is just Russian ops, and Meta says it is seeing an increased number of for-hire companies running disinformation and influence operations on behalf of the Russian government. These private contractors lack the sophistication of Russian security agencies and usually run low-quality, high-volume campaigns centered around Russia's war. Meta says contractors struggle to engage authentic audiences and are often called out as trolls by its normal users. The social media giant expects more private companies to join the disinformation-for-hire scene as Russia's info-op needs grow in the coming months.

Russian spear-phishing campaigns: Two Russian state-sponsored groups have launched spear-phishing campaigns targeting Western and Russian civil society members. The attacks were discovered by security researchers from Access Now and Citizen Lab. The malicious emails have targeted Russian and Belarusian non-profit organizations, Russian independent media, international NGOs active in Eastern Europe, and the former US Ambassador to Ukraine. Citizen Lab linked one of the campaigns to a group known as ColdRiver (also Calisto), which is linked to Russia's FSB intelligence service. The second campaign was the work of a new group that's been named ColdWastrel, also believed to be linked to the Russian government.

Doppelganger surveillance: German government officials have formally confirmed the Russian origins of the Doppelganger disinformation group after they gained access to and surveilled one of the group's web servers for days. Officials took control of the server in mid-July, after reports from Correctiv and the Qurium Foundation exposed the group's server infrastructure and its network of EU companies supporting their work. They say the server backend and logs contained connections from Russian IPs, wide use of the Cyrillic alphabet, and usage patterns associated with Russian time zones and holidays. Additional coverage in Correctiv. Full BLfV report (PDF).

APT42: The Iranian hackers who breached the Trump campaign earlier this year have also targeted the Harris camp. The phishing campaigns took place in May and June this year. Google tracks the group as APT42 and says the threat actor has a long history of going after high-ranking government officials in both the US and Israel.

APT35's Cyclops: HarfangLab has published a report on Cyclops, a new malware platform written in Go and used in the wild by the APT35 (Charming Kitten) Iranian APT. Harfang says Cyclops appears to have replaced the BellaCiao platform in the group's operations. Work on the malware started in December 2023 and focuses on backdoor-like capabilities.

Green Cicada: Security firm CyberCX has identified a network of at least 5,000 Twitter accounts involved in a large-scale disinformation campaign. The Green Cicada network is one of the largest Twitter disinformation efforts ever discovered. It has been active since late last year and predominantly engages with US political and cultural issues. Researchers say the Green Cicada accounts appear to be controlled by an AI large language model system. CyberCX has found clues linking the network to Chinese AI company Zhipu AI and an AI researcher affiliated with Tsinghua University in Beijing.

Windows zero-click RCE: As people go through the Patch Tuesday updates and researchers take credit for their work, it looks like Microsoft fixed a major vulnerability in Windows this week. It's a 9.8/10 zero-click RCE that can be exploited on all Windows systems where IPv6 is enabled (via IPv6 packets, obviously). Credit goes to Xiao Wei from Kunlun Lab. Tracked as CVE-2024-38063.

Copy2Pwn: ZDI has published a write-up on Copy2Pwn (CVE-2024-38213), one of the six zero-days that Microsoft patched this week. The zero-day was used by the DarkGate malware gang in campaigns this year.

Substack worm: Security firm Calif says it helped Substack patch a wormable XSS bug that could have been used for a MySpace-like attack against the site's users.

Matrix leaves vulnerabilities unpatched: Security researcher Soatok Dreamseeker has published details about three bugs in the Matrix libolm library. The researcher says the Matrix project chose to retire the library rather than fix the reported issues.

Android Showcase app: Security firm iVerify has found that an app pre-installed on millions of Google Pixel devices sold since 2017 is vulnerable and exposes users to attacks. iVerify says an app named Showcase.apk has extensive system privileges that can allow traffic interception, code injection, and remote code execution attacks. Google says it plans to remove the app in a future Pixel update.

SolarWinds exploitation: CISA says that threat actors are exploiting a recently patched vulnerability in SolarWinds Web Help Desk servers. The vulnerability was classified as under exploitation a day after a patch was made available. The bug has a severity score of 9.8 out of 10, allows remote attackers to take over servers without needing to authenticate, and impacts all Web Help Desk versions. The core issue has been identified as another Java data deserialization bug. (h/t ScreamingGoat)

Unfixed Azure Pass-through Authentication bypass: Microsoft has declined to patch a bypass in Azure AD's Pass-through Authentication scheme discovered by Cymulate researchers. A PoC is available.

UDL files for phishing: TrustedSec researchers have described a technique (theoretical, for now) for using UDL files to hide malicious OLE code and bypass email security filters. The technique is ideal for phishing operations and will likely get exploited in the wild.

MITRE reaches 400 CNAs: Cloud security firm Wiz has become the 400th registered CNA with MITRE. Unfortunately, with more organizations issuing CVEs, this is bad news for the NIST backlog, which has yet to be addressed. According to Socket Security, the number of CVEs awaiting analysis has increased by 30% since June.

Acquisition news: DigiCert has acquired DNS and cloud provider Vercara.

Cisco layoffs: American tech giant Cisco will cut around 7% of its workforce (5,500 people) as it refocuses on security, cloud, and AI. Additional coverage in the San Francisco Gate.

Threat/trend reports: Abnormal Security, Chainalysis, Palo Alto Networks, Radware, Resilience, and Zayo have recently published reports covering infosec industry threats and trends. A summary of the Resilience report:

From the Chainalysis report:

New tool, Surveillance Watch: Privacy advocate Esra'a Al Shafei has launched Surveillance Watch, a directory of all the known spyware and surveillance peddlers.

New tool, Draytek Arsenal: Two security researchers at Faraday have open-sourced Draytek Arsenal, a tool to reverse-engineer DrayTek firewalls. The tool was presented at DEF CON.

New tool, SnafflerParser: Pentester zh54321 has released SnafflerParser, a tool that beautifies the output of the pentesting tool Snaffler.

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss what it would mean to be in a golden age of OSINT and whether we are in one.

In this discussion, Tom Uren and Patrick Gray talk about a US government policy initiative to cover cyber insurance gaps while also improving security across the economy. Lofty goals, but Tom wonders if it is a difficult way to address security gaps.

The Risky Business team has recently started publishing video versions of our podcasts. Below is the main weekly show with Pat and Adam at the wheel.
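Coming back to the lead story: one way for a defender to tell whether their own web servers were swept up in the .env scanning described above is to look for requests for environment files in web access logs, and to treat any such request that was answered with a 200 as a credential-rotation incident. The Python below is an added example, not code from Risky Business or Palo Alto Networks; the log lines are constructed combined-format samples, and the IP addresses are documentation ranges.

```python
"""Flag probes for exposed environment (.env) files in web access logs.

Editor's example, not part of the newsletter or of Palo Alto Networks' research.
The log lines below are constructed samples in Apache/nginx combined log format.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# /.env itself plus the variants mass scanners try (.env.bak, .env.local, /api/.env ...).
# "/environment.js" does not match because there is no dot directly before "env".
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_.-]+)?$')

# Constructed sample log: one host probing three paths (one of them served), one normal client.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Aug/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Aug/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Aug/2024:10:01:04 +0000] "GET /%2Eenv.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Aug/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.4"',
    '198.51.100.9 - - [15/Aug/2024:10:02:01 +0000] "GET /static/environment.js HTTP/1.1" 200 900 "-" "curl/8.4"',
]


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(path):
    """True if the request path targets a .env file.

    The path is URL-decoded twice (scanners sometimes double-encode the dot)
    and the query string is dropped before matching.
    """
    decoded = unquote(unquote(path)).split('?', 1)[0]
    return bool(ENV_PATH_RE.search(decoded))


def find_env_probes(lines):
    """Return (probes, per_ip): every .env request record, and a Counter of probes per source IP.

    Each record carries a 'served' flag; a served (HTTP 200) .env means the file
    was handed out and every secret in it should be considered compromised.
    """
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_env_probe(rec['path']):
            rec['served'] = rec['status'] == '200'
            probes.append(rec)
    return probes, Counter(p['ip'] for p in probes)


if __name__ == '__main__':
    probes, per_ip = find_env_probes(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f'{ip}: {n} .env probe(s)')
    for p in probes:
        if p['served']:
            print(f"ALERT: {p['path']} returned 200 to {p['ip']} at {p['ts']}; rotate every key in that file")
```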
