Lowe’s Market chain leaves client data up for grabs

A misconfiguration on a website owned by the US-based Lowe’s Market grocery store chain could have allowed threat actors to gain control of its systems.

On February 7, the Cybernews research team discovered a misconfiguration on the Lowe’s Market website. The supermarket chain’s website was leaking a treasure trove of private credentials, which left the company vulnerable to potential attacks by cybercriminals.

Together, the compromised credentials could enable an unscrupulous hacker to gain control of most of the online store’s functionality, see sensitive customer information, and abuse access to paid services, all while putting Lowe’s Market customers at risk.

With almost 150 locations, the Lowe’s chain primarily operates stores in Texas, New Mexico, Colorado, Arizona, and Kansas.

At the time of writing, the company has already fixed the issue. Cybernews reached out to Lowe’s Market regarding the details of the misconfiguration and the possible duration of data exposure. However, the company has yet to provide a response to the inquiry.

Access to databases

Researchers found a publicly accessible environment file (.env) hosted on the Lowe’s Market website. Public access to the file posed a risk to the security of the company’s systems, as it was leaking sensitive data and numerous credentials.

An examination of the environment file suggests that the developers were not following the best practices, while poor security configurations might have led to more secrets, an industry term for vital data that should be kept private, being exposed.

The leaked secrets could have allowed threat actors to access databases as the hosts, usernames, and ports of main, tracking, legacy, recipe, and redis.io databases were exposed.

Database hosts and credentials are considered sensitive information, as they are used to access respective databases and their contents. In the case of Lowe’s Market, most database hosts are internet-connected, making it particularly easy for threat actors to access them.

Due to legal reasons, it is impossible to check the contents of the databases, but the titles suggest that some of them contained information about products, such as recipes, while others could have contained customer usage data.

At least one of the databases likely contained user information, as the company has limited support for online grocery purchases. One of the titles in the legacy database contained the word “billing,” leading researchers to assume that it may have contained private user data.

The environment file also revealed the access key to Amazon Web Services (AWS) S3 server and bucket name. This information could have been used to log in and access the bucket and its contents and modify or delete existing data.

While the AWS S3 bucket could have stored sensitive information, based on its name, researchers assume it stored only website-related assets.

“The bucket most likely only stored images used by the site and similar, non-sensitive assets,” said Cybernews researcher Aras Nazarovas.

“It is possible that it contained sensitive information as well, as we saw some cases like that, but there is no way to know in this particular case.”

A treasure trove of keys uncovered

The .env file contained numerous application programming interface (API) keys dedicated to a specific website’s functionality. Malicious actors could have used the leaked API keys and credentials to steal user information, change product pricing, and hijack most of the store’s functionality.

One of these leaked keys, GrocerKey API, allowed access to partial credit card information, addresses, and top-spending users, as well as the ability to send unsolicited orders, issue refunds, launch ad campaigns, reset passwords, and check in-store and in-app balances.

The REST API key that enables querying user information was also leaked, and this could have allowed a threat actor to use it along with GrocerKey API to make unauthorized online purchases.

Some other leaked keys could have enabled threat actors to use the company’s official communication channels to send malicious messages across various platforms.

Screenshot of leaked API keys and email credentials | Source: Cybernews

For instance, cybercriminals could have used the leaked Campaign Monitor, Pushwoosh, Loyalty Lane, and Postmark API keys to send emails, application notifications, and SMS messages to Lowe’s Market users. In addition, the threat actor could have used leaked Inmar API keys and credentials to produce custom coupons with significant discounts.

Finally, the exposed Geocoder API key could have allowed a threat actor to gain access to the company’s Google Maps API. A malicious actor could thus exploit the key to use this access for personal gain, resulting in increased usage and, subsequently, higher bills that the company would be responsible for paying.

This is because each request sent through the Geocoder API to Google Maps would be charged to the company as the legal owner of that account.

“No sensitive information can be obtained, the only possible misuse would be to send requests through the API, or flooding the API with requests to a point where the account would be rate-limited, affecting the website’s ability to display maps,” said Nazarovas.

Takeover of Facebook app

Along with the API keys, the environment file also exposed Facebook OAuth credentials and Github OAuth tokens.

Using the leaked Facebook app ID and secret key, the attacker could have requested sensitive user data from Facebook or taken over Lowe’s Market’s Facebook application, with serious consequences for user privacy and security.

Leaking such sensitive information as the GitHub OAuth token could have been dangerous as it can provide unauthorized access to a user’s Github account and the repositories it contains.

According to CyberNews more grocery stores might be affected, if you want to learn more give a loot at the original post at:

https://cybernews.com/security/lowes-market-data-leak/

About the author: Paulina Okunytė, Journalist at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lowe’s Market)

NBA is warning fans of a data breach after a third-party newsletter service hack

The NBA (National Basketball Association) disclosed a data breach after a third-party firm providing a newsletter service was breached.

The NBA (National Basketball Association) is notifying followers of a data breach after a third-party company providing a newsletter service was breached.

The National Basketball Association (NBA) is a professional basketball league in Northern America composed of 30 teams (29 in the United States and 1 in Canada). It is one of the major professional sports leagues in the United States and Canada and is considered the premier men’s professional basketball league in the world.

NBA launched an investigation into the security breach with the support of external cybersecurity experts to determine the extent of the incident.

The NBA pointed out that its systems were not impacted, according to the data breach notification sent to the fans, the incident affected an unknown number of individuals.

BleepingComputer, which first reported the news, confirmed that some fans’ personal information was stolen.

According to the association, an unauthorized third party accessed and created copies of the names and email addresses of some of its fans. The data breach did not compromise usernames, passwords, and other information.

“We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA,” reads the data breach notification, as reported by BleepingComputer.

“There is no indication that our systems, your username, password, or any other information you have shared with us have been impacted.”

Even if credentials were not exposed as a result of this incident, fans must be vigilant for phishing attacks and other fraudulent activities that could target them by abusing the exposed information.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NBA)

Kaspersky released a new decryptor for Conti-based ransomware

Kaspersky released a new version of the decryptor for the Conti ransomware that is based on the previously leaked source code of the malware.

Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked source code for the Conti ransomware.

In March 2022, a Ukrainian security researcher has leaked the source code from the Conti ransomware operation to protest the gang’s position on the conflict.

After the leak of the source code, an unknown ransomware group started distributing a modified version of the Conti ransomware in attacks aimed at companies and state institutions.

In late February 2023, Kaspersky researchers uncovered a new portion of leaked data published on forums and noticed the presence of 258 private keys. The leak also included source code and some pre-compiled decryptors, which allowed the researchers to release new version of the public decryptor.

“The malware variant whose keys were leaked, had been discovered by Kaspersky specialists in December 2022. This strain was used in multiple attacks against companies and state institutions.” states Kaspersky.

“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc. Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”

The researchers added all 258 keys to the latest build of Kaspersky’s utility RakhniDecryptor 1.40.0.00. Users can download the decryptor from the Kaspersky’s “No Ransom” site.

 “For many consecutive years, ransomware has remained a major tool used by cybercrooks. However, because we have studied the TTPs of various ransomware gangs and found out that many of them operate in similar ways, preventing attacks becomes easier. The decryption tool against a new Conti-based modification is already available on our “No Ransom” webpage. However, we would like to emphasize that the best strategy is to strengthen defenses and stop the attackers at early stages of their intrusion, preventing ransomware deployment and minimizing the consequences of the attack,” said Fedor Sinitsyn, lead malware analyst at Kaspersky.

Below is the list of recommendations provided by the experts to protect organizations from ransomware attacks:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections.
  • Back up data regularly. Make sure you can quickly access it in an emergency when needed. 
  • Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.
  • Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.

The Conti group has been active since 2019, the FBI estimated that between 2020 and 2022 the gang breached hundreds of organizations. The FBI estimated that as of January 2022, the gang obtained $150,000,000 in ransom payments from over 1,000 victims.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Conti)

US govt agencies released a joint alert on the Lockbit 3.0 ransomware

The US government released a joint advisory that provides technical details about the operation of the Lockbit 3.0 ransomware gang.

The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory that provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.

“The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023.” reads the advisory published by US agencies. “LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit.”

The Lockbit gang has been active since at least 2019 and today it is one of the most active ransomware groups offering a Ransomware-as-a-Service (RaaS) model.

The LockBit 3.0 ransomware (aka LockBit Black) was launched in June 2022 and is a continuation of previous versions of the ransomware, LockBit 2.0 (released in mid-2021), and LockBit.

The LockBit 3.0 ransomware is a modular malware that is more evasive than its previous versions, its shared similarities with Blackmatter and Blackcat ransomware.

“LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise).” reads the joint alert

“If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”

By protecting the code with encryption, the latest LockBit version can avoid the detection of signature-based anti-malware solutions.

The ransomware doesn’t infect machines whose language settings are included in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

Initial attack vectors used by affiliates deploying LockBit 3.0 ransomware include remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

Upon execution in the target network, the ransomware attempts to escalate privileges if they are not sufficient, terminate processes and services, delete logs, files in the recycle bin folder, and shadow copies residing on disk.

LockBit 3.0 attempts to perform lateral movement by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges.

Operators can also compile LockBit 3.0 for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.

  • The RaaS’s affiliates use the following tools to exfiltrate data before encrypting it:
  • Stealbit, a custom exfiltration tool used previously with LockBit 2.0;
  • publicly available file-sharing services, such as MEGA.

The affiliates have been observed using various freeware and open-source tools furing their attacks.

“These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts
are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.” continues the report.

The alert states that LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via elevated Component Object Model (COM) Interface. It also supports a Safe Mode feature to bypass endpoint antivirus and detection.

The alert also provides mitigations and security controls to prevent and reduce the impact of the threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RaaS)

Feds arrested Pompompurin, the alleged owner of BreachForums

U.S. law enforcement arrested this week a US citizen suspected to be Pompompurin, the notorious owner of the BreachForums cybercrime forum.

U.S. law enforcement arrested this week a US man that goes online with the moniker “Pompompurin,” the US citizen is accused to be the owner of the popular hacking forum BreachForums. 

The news of the arrest was first reported by Bloomberg, which reported that federal agents arrested Conor Brian Fitzpatrick from Peekskill, New York.

The man was arrested by the feds at his home around 4:30 p.m. Wednesday.

“Federal agents have arrested a Peekskill, New York, man they say ran the notorious dark web data-breach site “BreachForums” under the name “Pompompurin.”” reads the post published by Bloomberg. “Conor Brian Fitzpatrick was arrested by a team of investigators at his home around 4:30 p.m. Wednesday, an FBI agent said in a sworn statement filed in court the next day. Fitzpatrick is charged with a single count of conspiracy to commit access device fraud.”

In an affidavit filed with the District Court for the Southern District of New York, FBI Special Agent John Langmire said that at around 4:30 p.m. on March 15, 2023, he led a team of that made a probable cause arrest of Conor Brian Fitzpatrick in Peekskill, NY.

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias ‘pompompurin/’ and c) he was the owner and administrator of ‘BreachForums’ the data breach website referenced in the Complaint,” Langmire wrote.

According to the Westchester News12 website, the agents spent hours inside and outside of the suspect’s home, they were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices.

Fitzpatrick was released on a $300,000 bond signed by his parents, he is scheduled to appear before the District Court for the Eastern District of Virginia on March 24, 2023.

The defendant must: submit to supervision by and report for supervision to the PRETRIAL SERVICES As Directed; he was ordered to surrender any passport.

The man has been restricted from contacting his co-conspirators, getting medical or psychiatric treatment, and using unlawfully narcotic drugs or other controlled substances unless prescribed by a licensed medical practitioner.

The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET.

pompompurin always confirmed that he was ‘not affiliated with RaidForums in any capacity,’

The law enforcement authorities have yet to shut down the website, another admin of the forum that goes online with the alias “Baphomet” announced that he is taking the control of the platform.

Baphomet added that he believes that the feds haven’t had access to the infrastructure.

“I also since that point have been constantly monitoring everything and going through every log to see any access or modifications to Breached infra. So far nothing like that has been seen.” said Baphomet. “My only response to LE, or any media outlet is that I have no concerns for myself at the moment. OPSEC has been my focus from day one, and thankfully I don’t think any mountain lions will be attacking me in my little fishing boat.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BreachForums)

Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation

Hitachi Energy disclosed a data breach, the Clop ransomware gang stole the company data by exploiting the recent GoAnywhere zero-day flaw.

Hitachi Energy disclosed a data breach, the company was hacked by the Clop ransomware gang that stole its data by exploiting the recently disclosed zero-day vulnerability in the GoAnywhere MFT (Managed File Transfer).

The company was the victim of a large-scale campaign targeting GoAnywhere MFT devices worldwide by exploiting the zero-day vulnerability.

“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorized access to employee data in some countries.” reads the statement pblished by the company.

“Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack. Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.”

Hitachi Energy immediately launched an investigation into the incident and disconnected the compromised system. The company reported the data breach to law enforcement agencies and data protection watchdog.

The company pointed out that its network operations or the security of its customer data have not been compromised.

In early February, the popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.

Other organizations breached by exploiting the flaw in Fortra’s GoAnywhere MFT secure file transfer are the Hatch Bank, the Community Health Systems, and the data security firm Rubrik. At this time, the Clops ransomware group only added the bank and the data security firm to the list of victims.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Hitachi Energy)

HinataBot, a new Go-Based DDoS botnet in the threat landscape

A new Golang-based DDoS botnet, tracked as HinataBot, targets routers and servers by exploiting known vulnerabilities.

Akamai researchers spotted a new DDoS Golang-based botnet, dubbed HinataBot, which has been observed exploiting known flaws to compromise routers and servers.

The experts reported that the HinataBot bot was seen being distributed since the beginning of 2023 and its operators are actively updating it.

The name “Hinata” comes after a character from the popular anime series, Naruto.

Akamai’s SIRT recently discovered the new bot within HTTP and SSH honeypots, it stood out due to its large size and the lack of specific identification around its newer hashes.

The sample captured by the experts abuses old vulnerabilities and weak credentials, the researchers reported that it attempts to exploit flaws in the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A). 

HinataBot supports multiple methods of communication, including both dialing out and listening for incoming connections. The botnet can launch distributed denial-of-service (DDoS) flooding attacks that relies on protocols such as HTTP, UDP, TCP, and ICMP to send traffic. However, the latest version of HinataBot only supports HTTP and UDP attacks.

Akamai said that by reverse engineering the bot and imitating the command and control (C2) server, was able to test the offensive capabilities of the botnet by running two attack methods (HTTP and UDP) in a 10-second period.

“The http_flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The request sizes ranged from 484 to 589 bytes per request, with sizes varying mostly due to randomization of User-Agent and Cookie header data.” reads the report published by Akamai. “The udp_flood generated 6,733 packets for a total of 421 MB of packet capture data over the wire. There isn’t much else that’s interesting about this attack: it is volumetric in nature and seems to do a decent job of pushing volume.”

Test results show that a botnet composed of just 1,000 nodes can carry out a UDP flood that would weigh in at around 336 Gbps per second. A botnet of 10,000 nodes (which is roughly 6.9% of the size of Mirai at its peak) can generate a UDP flood that would weigh in at more than 3.3 Tbps. The HTTP flood at 1,000 nodes would generate roughly 2.7 Gbps and more than 2 Mrps, while with 10,000 nodes, those numbers jump to 27 Gbps delivering 20.4 Mrps.

HinataBot is the last bot in order of time to join the ever-growing list of emerging Go-based bots after GoBruteforcer and KmsdBot.

“The HinataBot family relies on old vulnerabilities and brute forcing weak passwords for distribution. This is yet another example of why strong password and patching policies are more critical than ever.” concludes Akamai that also privided Indicators of Compromise and YARA rules for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, HinataBot)

Top 5 Insider Threats to Look Out For in 2023

Unquestionably, ‘insider threats’ is one of the most neglected aspects of cybersecurity and some companies fail to recognize associated dangers.

Cyberattacks are growing more complex as technology advances. Many businesses concentrate their cybersecurity efforts solely on external attacks, which leaves more openings for internal risks. Some companies fail to recognise the danger of losing confidential information owing to employee negligence or malice. Unquestionably, ‘insider threats’ is one of the most neglected aspects of cybersecurity. According to statistics on insider threats, these threats may originate from employees, business contractors, or other reliable partners with simple access to your network. However, insider threat reports and recent developments have shown a sharp rise in the frequency of insider attacks. Because of these, cybersecurity professionals are now paying more attention to the detrimental effects of insider attacks.

In general, security experts need more confidence in their ability to identify and thwart insider threats successfully. 74% of respondents in an insider attack said their company was moderately to extremely vulnerable. 74% of respondents—a 6% increase from 2021—also claim that insider threat assaults have become more regular. In 2022, 60% of respondents said they had an insider attack, while 8% said more than 20. Insider assaults are more challenging to identify and thwart than external attacks, according to 48% of respondents. It can be challenging for defences to distinguish between insider threats and regular user activity since insider threats employ genuine accounts, passwords, and IT technologies. Overall, insider threats are becoming a more significant threat. These findings imply that security teams should prepare for them in 2023.

Organisations must be able to address the risks from malicious insiders who intentionally steal sensitive data for personal reasons and users who can accidentally expose information due to negligence or simple mistakes. 

Here are the top 5 threats security teams should look out for in 2023:

Employee Negligence

Employee carelessness or ignorance may result in unintentional data leaks, improper handling of sensitive information, or a failure to adhere to security policies and procedures. Negligence is to blame for more than two of every three insider incidents. Workers could not be cognizant of the possible hazards they bring to the company or might not prioritise security measures. They act carelessly, repeating passwords for personal and professional accounts or leaving flash drives with private data at a coffee shop without intending to cause harm. Some are unaware of their involvement and fall victim to social engineering techniques like phishing scams. Others may engage in negligent behaviour, such as evading security measures for convenience.

Malicious Insiders

Insiders who intend to cause harm to the company by stealing data, interfering with business processes, or selling confidential information are considered malicious insiders. These people might be driven by greed, retaliation, or a desire to upend the business. These people are currently employed. They might not be the most ardent supporters of your business, and they frequently vent their resentment by erasing or changing important data sets, leaking confidential information, or taking other sabotage measures. Turn cloaks are malicious insiders who consciously do something terrible to an organisation. A trustworthy business partner, contractor, or employee could be the insider. Turn cloaks may have ideological, vengeful, or pecuniary motivations. Some engage in clandestine activities like stealing private information or sensitive documents.

Insider Collusion

When two or more employees collaborate to steal information, commit fraud, or participate in other nefarious acts, this is called insider collusion. As a result of the employees’ collaboration and potential ability to conceal their activities, this type of danger might be challenging to identify. Whether intentionally or unintentionally, these threats serve a foreign power. They might be forced to divulge information by outsiders through blackmail or bribery, or they might be tricked into disclosing their login information via social engineering. The most challenging insider risks to identify are moles, which are potentially the most damaging. Moles function similarly to turn cloaks, except they join a firm intending to harm the organisation. Whether they support a nation-state or an unknown cause, they are frequently motivated by an intense political motive.

Third-Party Vendors and Contractors

Companies with access to sensitive data or systems may be at risk of insider threats from third-party suppliers and contractors. These individuals might adhere to different security procedures than full-time employees and have a lower stake in the company’s success. Not every insider works for the company. Suppliers, contractors, vendors, and other outside parties with limited inside access can pose an equal threat to staff members with the same rights. Most businesses outsource some of their work to specialised companies or outside agencies. These third parties are occasionally easy targets for cyber attackers because they lack advanced security protocols. Suppose these companies are provided privileged access to part of your company network. In that case, you can bet that the bad actors will infiltrate your system after compromising the partner’s security network, resulting in a third-party data breach.

Security Policy Evaders

The group of workers that prefer to ignore security policies and protocols is last but certainly not least. The business frequently has security policies created to safeguard its personnel and data. Some regulations could be burdensome and inconvenient, and some employees might choose the simple route. Contemporary businesses have security procedures in place to protect their critical data. These safeguards may bother some employees, who may devise workarounds that raise the risk of a data leak. These workarounds could jeopardise the security and data protection of the organisation. Policy evaders might be considered insider threats since they purposefully break security policies, procedures, and best practices.

Conclusion

Organisations can employ technological solutions like access restrictions, monitoring, data loss prevention technologies and insider threat solutions “to rein in their insider risk and prevent threats.” A thorough security plan should be in place and periodically reviewed and updated when new risks arise. Your company’s reputation, future growth, customers, and employees can all be protected by knowing how insider threats show themselves.

About the Author: Mosopefoluwa Amao is a certified Cybersecurity Analyst and Technical writer. She has experience working as a Security Operations Center (SOC) Analyst with a history of creating relevant cybersecurity content for organizations and spreading security awareness. She volunteers as an Opportunities and Resources Writer with a Nigerian based NGO where she curated weekly opportunities for women. She is also a regular writer at Bora.

Her other interests are law, volunteering and women’s rights. In her free time, she enjoys spending time at the beach, watching movies or burying herself in a book.

Connect with her on LinkedIn and Instagram

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Insider Threats)

China-linked APT likely linked to Fortinet zero-day attacks

An alleged Chinese threat actor group is behind attacks on government organizations exploiting a Fortinet zero-day flaw (CVE-2022-41328).

A suspected China-linked group is exploiting a Fortinet zero-day vulnerability, tracked as CVE-2022-41328, in attacks aimed at government organizations.

A few days ago, Fortinet researchers warned of an advanced threat actor that is targeting governmental or government-related entities.

The unknown threat actor is exploiting a vulnerability in Fortinet FortiOS software, tracked as CVE-2022-41328, that may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.

The CVE-2022-41328 vulnerability (CVSS score: 6.5) is a path traversal issue in FortiOS can can result in arbitrary code execution.

“A improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.” reads the advisory published by Fortinet.

The vulnerability impacts FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. The company addressed the vulnerability with the release of versions 6.4.12, 7.0.10, and 7.2.4 respectively.

Fortinet launched an investigation into the attacks after the FortiGate devices of one customer suddenly halted and failed to reboot. The devices halted displaying the following error message:

“System enters error-mode due to FIPS error: Firmware Integrity self-test failed”

The failure of the integrity test blocks the reboot of the device to protect the integrity of the network.

Mandiant researchers linked a series of attacks that took place in mid-2022 to a China-linked threat actor tracked as UNC3886 by the security firm.

“a suspected China-nexus threat actor likely already had access to victim environments, and then deployed backdoors onto Fortinet and VMware solutions as a means of maintaining persistent access to the environments.” reads the report published by Mandiant. “This involved the use of a local zero-day vulnerability in FortiOS (CVE-2022-41328) and deployment of multiple custom malware families on Fortinet and VMware systems.”

The attackers exploited the CVE-2022-41328 zero-day to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access, then they maintained persistent access with Super Administrator privileges within FortiGate Firewalls through ICMP port knocking.

Threat actors also bypassed the firewall rules active on FortiManager devices with a passive traffic redirection utility. The attackers also used a custom API endpoint created within the device to maintain persistence ùon FortiManager and FortiAnalyzer, then disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files.

Once compromised the Fortinet devices, the threat actors established backdoor access using two previously undocumented malware, a Python-based Thincrust backdoor disguised as legitimate API calls and the ICMP port-knocking Castletap passive backdoor.

Once obtained access to the Fortinet devices, the attackers targeted ESXi servers to deploy malicious vSphere Installation Bundles which contained VIRTUALPITA and VIRTUALPIE backdoors. This allowed the attackers to maintain persistent access to the hypervisors and execute commands on guest virtual machines.

When FortiManager was not exposed to the Internet, the threat actors deployed a traffic redirector (Tableflip) and a passive backdoor (Reptile) to circumvent the new ACLs.

“many network appliances lack solutions to detect runtime modifications made to the underlying operating system and require direct involvement of the manufacturer to collect forensic images. Cross organizational communication and collaboration is key to providing both manufacturers with early notice of new attack methods in the wild before they are made public and investigators with expertise to better shed light on these new attacks.” concludes Mandiant.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Baseband RCE flaws in Samsung’s Exynos chipsets expose devices to remote hack

Google’s Project Zero hackers found multiple flaws in Samsung ’s Exynos chipsets that expose devices to remote hack with no user interaction.

White hat hackers at Google’s Project Zero unit discovered multiple vulnerabilities Samsung ’s Exynos chipsets that can be exploited by remote attackers to compromise phones without user interaction.

The researchers discovered a total of eighteen vulnerabilities, the four most severe of these flaws (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution.

An attacker only needs to know the victim’s phone number to exploit these vulnerabilities.

“Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” reads the advisory published by Google. “With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.”

Experts warn that skilled threat actors would be able to create an exploit to compromise impacted devices in a stealthy way.

The experts recommend turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in settings of vulnerable devices to prevent baseband remote code execution attacks.

“Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. Turning off these settings will remove the exploitation risk of these vulnerabilities.” states the report.

Samsung Semiconductor’s advisories provide the list of Exynos chipsets impacted by these vulnerabilities. Below is a list of devices allegedly affected by these flaws:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
  • The Pixel 6 and Pixel 7 series of devices from Google;
  • any wearables that use the Exynos W920 chipset; and
  • any vehicles that use the Exynos Auto T5123 chipset.

Google did not disclose technical details of these flaws to avoid threat actors could develop their own exploits.

“Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution,” said Project Zero leam lead Tim Willis.

The experts are disclosing details only for five vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075 and CVE-2023-26076) that have exceeded Project Zero’s standard 90-day deadline.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Samsung’s Exynos)

Read, think, share … Security is everyone's responsibility

Exit mobile version