How an attacker hid on an IT network for three years
Welcome to Cyber Security Today. It’s Wednesday June 19th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.
 |
 |
 |
A suspected China-based threat actor hid in an organization’s on-premise IT network for about three years in part by exploiting unpatched network appliances. That’s according to researchers at Sygnia, who were called to investigate the attack. They nickname the attacking group Velvet Ant. Its goal was espionage. One tactic was compromising two legacy F5 BIG-IP firewalls running an outdated version of the operating system that were exposed to the internet. The attacker used it for internal command and control. In fact the gang exploited several entry points to get into the IT network and maintain persistence. This attacker was so adept that as soon as one foothold was discovered by defenders the gang quickly shifted to another foothold. One of the organization’s weaknesses: Some of the IT systems weren’t monitored. For example, some Windows servers weren’t connected to the organization’s endpoint detection and response software. This is a short version of the report. It shows the importance of establishing a resilient defence against sophisticated attackers. That means having continuous network and device monitoring, periodic and systemic threat hunting, stringent traffic controls and system hardening. In particular, perimeter firewalls should be configured to allow only necessary outbound connections. That means internet-facing devices such as load balancers should be behind firewalls.
Broadcom has released security updates to VMware vCenter Server to close three vulnerabilities. Two of the holes have been rated as critical, so administrators should install the patches fast. Products affected have vCentre Server, meaning vSphere and Cloud Foundation
A health board in southwestern Scotland is notifying everyone in the region this week to assume their personal information it held will likely be published by a ransomware gang. In the letter to tens of thousands of residents, the CEO of the Dumfries and Galloway health district says the data published May 6th included x-rays, test results, and letters between health care professionals.
Still in the United Kingdom, cybersecurity researcher Jeremiah Fowler has discovered another company whose employees created an unprotected database open to the internet with personal information that anyone could have copied. The company is Total Fitness, a chain of health clubs across Northern England and Wales. The database is largely of faces of club members, apparently for identification. However, Fowler says it also includes images of passports, credit cards and utility bills. The risk is the identity of a person can be determined through an AI and facial images search across the internet. Question to IT and security leaders: Do you monitor all data stores created by your employees?
Two more men have pleaded guilty in a U.S. court for their roles in breaking into a law enforcement database and threatening people. That brings the total to three men who admit to being part of a gang calling itself ViLe. After accessing the database with a police officer’s stolen password, information was stolen. Victims were then told to pay up or data on them would be published.
There’s another warning to Docker administrators about tightening API security. Researchers at Datadog Security Labs discovered a new attack campaign targeting Docker API endpoints that are publicly exposed without authentication. The goal is to infect virtualized Docker servers with cryptominers. This is similar to a report from Trend Micro I told you about on June 7th. The most recent report says a hacker is looking for hosts with port 2375 open to the internet. That is Docker’s default port. If vulnerable, the attacker tries to spawn an Alpine Linux container and bind it to the root directory of the Docker host. If this succeeds the attacker escalates their privileges through accessing the underlying file system of the Docker host within the container. One lesson: Attackers are looking for misconfigured Docker hosts.
A new version of the Caffeine phishing-as-a-service operation for hackers has emerged. According to researchers at EclecticIQ, it’s now called ONNX Store. As before, this service is aimed at attackers trying to get into financial institutions. Its weapon is creating phishing messages that embed QR codes into PDF attachments. These messages might appear to come from Adobe or Microsoft, perhaps pretending to be HR department salary updates or employee handbooks. When a victim scans the included QR code they get taken to a malicious phishing page that looks legitimate, such as an Office 365 login page, where credentials can be copied. One nasty option crooks using the service can pay for is including the ability of that phishing page to capture two-factor authentication tokens and cookies of victims.
Finally, an American electronic manufacturing company, Key Tronic, has acknowledged a hacker copied what it says is “limited” data including some personally identifiable information from its IT systems. The incident was detected early last month. No details were released. However, according to Security Affairs, the BlackBasta ransomware gang leaked over 500 GB of data allegedly stolen from the company. Key Tronic had to stop operations in the U.S. and Mexico for two weeks to clean up the attack. In a regulatory filing the company says so far it has spent US$600,000 on external cybersecurity experts to deal with the attack.
Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.
