Cyber Pulse: Edition 180 | 04 April 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Pervasive Risk for Discord as Multiple Discord Channels Hacked

The Discords of multiple major NFT projects were hacked as part of a phishing scam to trick users into handing over their digital jpegs. Bored Ape Yacht Club, Nyoki, and Shamanz confirmed Discord hacks in tweets. According to screenshots shared by independent blockchain investigator Zachxbt, the Discords of NFT projects Doodles and Kaiju Kingz were also targeted. Doodles and Kaiju Kingz confirmed in their Discords that they were also hacked. The goal of the hack was to trick users into clicking a link to “mint” a fake NFT by sending ETH and in some instances an NFT to wrap into a token.

Two wallet addresses have been tied to the hacks, now labelled Fake_Phishing5519 and Fake_Phishing5520 on blockchain explorer Etherscan. At least one Mutant Ape Yacht Club NFT (a BAYC spinoff by developer Yuga Labs) was stolen and quickly sold by the 5519 wallet, which sent 19.85 ETH to the 5520 wallet. This second wallet sent 61 ETH ($211,000) to mixing service Tornado Cash early Friday morning. The latest transaction of that wallet is a transfer of .6 ETH to a previously inactive wallet that then sent the same sum to an incredibly active wallet currently sitting on 1,447 ETH ($5 million), 6 million Tether coins ($6 million), and an assortment of other tokens.

This is not the first attack targeting crypto assets on Discord, which is a central hub for the vast majority of projects despite being a gaming-focused platform, nor will it be the last. Crypto projects already have to contend with exploits that take advantage of smart contract bugs, but the fact that an inordinate number of them also live on Discord exposes them to scams that exploit the platform itself. Edited – Original Source - Motherboard

Biggest Cryptocurrency Breach $540m Disclosed

Cryptocurrency network Ronin disclosed a breach in which attackers made off with $540 million worth of Ethereum and USDC stablecoin. The incident, which is one of the biggest heists in the history of cryptocurrency, specifically siphoned funds from a service known as the Ronin Bridge. Successful attacks on “blockchain bridges” have become increasingly common over the past couple of years, and the situation with Ronin is a prominent reminder of the urgency of the problem.  Blockchain bridges, also known as network bridges, are applications that allow people to move digital assets from one blockchain to another. Cryptocurrencies are typically siloed and can't interoperate—you can't do a transaction on the Bitcoin blockchain using Dogecoins—so “bridges” have become a crucial mechanism, almost a missing link, in the cryptocurrency economy. 

Bridge services “wrap” cryptocurrency to convert one type of coin into another. So if you go to a bridge to use another currency, like Bitcoin (BTC), the bridge will spit out wrapped bitcoins (WBTC). It's like a gift card or a check that represents stored value in a flexible alternative format. Bridges need a reserve of cryptocurrency coins to underwrite all those wrapped coins, and that trove is a major target for hackers. “Any capital on-chain is subject to attack 24/7/365, so bridges will always be a popular target,” says James Prestwich, who studies and develops cross-chain communication protocols. “Bridges will continue to grow because people will always want the opportunity to join new ecosystems. Over time, we'll professionalize, develop best practices, and there will be more people capable of building and analyzing bridge code. Bridges are new enough that there are very few experts.” Ronin was created by the Vietnamese company Sky Mavis, which develops the popular NFT-based video game Axie Infinity. In the case of this bridge hack, it seems attackers used social engineering to trick their way into accessing the private encryption keys used to verify transactions on the network. And the way these keys were set up to validate transactions was not maximally rigorous, allowing attackers to approve their malicious withdrawals. Edited – Original Source - Wired

FBI issue warning to US Energy Companies

The FBI warned five U.S. energy companies in mid-March that computers using Russian internet addresses had been scanning their networks, in a possible prelude to bigger cyberattacks. Russia is preparing disruptive cyberattacks that could target U.S. energy and financial industries to cause further pain to the Biden administration, in retaliation for heavy sanctions against the Kremlin for its invasion of Ukraine, several people familiar with the matter told Foreign Policy. Top U.S. cybersecurity officials have warned that Russia is looking to conduct disruptive or destructive digital attacks, as opposed to conducting routine espionage.  Since the onset of Russian-Ukraine conflict, there have been aggressive cyberattacks against the government and businesses entities of both the countries. Lately, researchers found three separate attack incidents of DDoS, malicious tools, and infrastructure disruption, that were launched against Ukraine.

Cybercriminals targeted WordPress sites to add a malicious script that ultimately uses visitors' browsers to carry out DDoS attacks on Ukrainian websites. Meanwhile, another cyberattack has hit the fixed-line telecommunications firm, Ukrtelecom. The attack is one of the most severe cyberattacks since the Russian invasion and disrupted services across the country. It could not be identified if Ukrtelecom was hit by a DDoS attack or a more sophisticated intrusion. The attack was acknowledged by Ukrtelecom in response to customers making comments on Facebook. Meanwhile, Anonymous continues to target Russian government entities and private businesses, this week the group claimed to have hacked the private firms Thozis Corp and Marathon Group owned by oligarchs.

The Ukraine CERT has warned against the GhostWriter APT group targeting state entities using Cobalt Strike Beacon. The Belarus-linked APT group has conducted a spear-phishing campaign. The phishing messages use a Saboteurs[.]rar archive including RAR-archive Saboteurs 21[.]03[.]rar. The attack chain finishes up with the delivery of a malicious program known as Cobalt Strike Beacon. The recent increase in cyberattacks aimed at Ukraine is ongoing in parallel with the Russian invasion. There could be more cyberattacks launched targeting Ukrainian entities. Thus, government agencies and businesses are recommended to follow the CERT-UA advisory to stay protected. Edited – Original Source – CBS

British Police Charge Two Teenagers Linked to LAPSUS$ Hacker Group

The City of London Police on Friday disclosed that it has charged two of the seven teenagers, a 16-year-old and a 17-year-old, who were arrested last week for their alleged connections to the LAPSUS$ data extortion gang.

"Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data," Detective Inspector Michael O'Sullivan, from the City of London Police, said in a statement.

In addition, the unnamed 16-year-old minor has been charged with one count of causing a computer to perform a function to secure unauthorized access to a program. The charges come as the City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21 on March 25, who have been subsequently "released under investigation." But the arrests are yet to put a dampener on the cartel's activities, which returned from a "vacation" this week to leak 70GB of data belonging to software services giant Globant on March 30. LAPSUS$, in a short span of a few months, has gained notoriety for their hacking spree, stealing and publishing source code of multiple top-tier technology companies on their Telegram channel, which currently has close to 58,000 subscribers. LAPSUS$, however, is unusual in its approach – for this group, notoriety most often appears to be the goal, rather than financial gain. Edited – Original Source – Hacker News

Critical software bugs in Operational Technology Giant Rockwell’s PLC

Two new security vulnerabilities have been disclosed in Rockwell Automation’s programmable logic controllers (PLCs) and engineering workstation software that could be exploited by an attacker to inject malicious code on affected systems and stealthily modify automation processes. The flaws have the potential to disrupt industrial operations and cause physical damage to factories in a manner similar to that of Stuxnet and the Rogue7 attacks, operational technology security company Claroty said.

“Programmable logic and predefined variables drive these [automation] processes, and changes to either will alter normal operation of the PLC and the process it manages,” Claroty’s Sharon Brizinov noted in a write-up published Thursday.

CVE-2022-1161 (CVSS score: 10.0) – A remotely exploitable flaw that allows a malicious actor to write user-readable “textual” program code to a separate memory location from the executed compiled code (aka bytecode). The issue resides in PLC firmware running on Rockwell’s ControlLogix, CompactLogix, and GuardLogix control systems. CVE-2022-1159 (CVSS score: 7.7) – An attacker with administrative access to a workstation running Studio 5000 Logix Designer application can intercept the compilation process and inject code into the user program without the user’s knowledge. Successful exploitation of the defects could allow an attacker to modify user programs and download malicious code to the controller, effectively altering the PLC’s normal operation and allowing rogue commands to be sent to the physical devices controlled by the industrial system. Edited – Original Source – Claroty

NATO actively targeted by threat groups

Google TAG disclosed that multiple cybercriminals are actively targeting NATO and Eastern European countries. These attackers are launching phishing and malware attacks against targeted individuals and organizations. Google’s report has covered three specific groups actively involved in the attacks. The report has highlighted that the Russian-based threat group, identified as COLDRIVER, is carrying out credential phishing attacks. These attacks are aimed at the NATO Center of Excellence and Eastern European militaries. Additionally, the hackers targeted a Ukrainian defence contractor, multiple U.S.-based NGOs, and think tanks.

There’s another hacking group identified as Curious Gorge. It is associated with China's PLA SSF and has been observed taking part in these attacks. It has targeted government and military organizations in Russia, Ukraine, Mongolia, and Kazakhstan. The report further describes credential phishing campaigns by the Belarusian threat actor Ghostwriter. The report further provides details about financially motivated cyber criminals using additional means, such as the use of current affairs to social engineer their users. In one such instance, the attacker was impersonating military officials, attempting to extort money against a rescue operation for relatives in Ukraine. TAG has observed that multiple ransomware brokers are still operating with their usual operational capability. The recent attacks aimed at the European government and businesses imply the destructive instincts of cybercriminals who could go to any length. Businesses in impacted regions are suggested to stay alert and proactively follow the recommendations by CERT-UA. Edited – Original Source – Google TAG

300% Increase in Attacks compared to 2020

According to a study by Argon Security, the attacks increased by more than 300% in 2021 compared to 2020. Some of the prominent attacks involved the exploitation of Log4J and the VSA tool. Besides these, there was also an uptick in the malicious use of open-source software repositories that enabled threat actors to infiltrate a software vendor’s network and employ malicious code to launch further attacks. This trend continues to be a serious threat as Sonatype revealed an upsurge in malicious packages infiltrating multiple opensource repositories since February. Towards the beginning of March, researchers from Sonatype identified hundreds of counterfeit packages in npm and PyPI repositories that were used to execute Remote Access Trojans (RATs). Over 130 typosquatting packages named after popular brands, websites, and projects were inserted into the npm repository to exfiltrate basic information such as username, hostname, IP addresses, and OS info. Besides this, there were eight malicious PyPI packages that leveraged dependency confusion attacks to target Azure developers and environments.

In another incident, a group of more than 200 malicious npm packages was found targeting Microsoft Azure developers to steal their Personally Identifiable Information (PII). The attack was targeted against the entire @azure npm scope. In order to stay under the radar, the attackers had created accounts by employing an automatic script - which was also used to upload malicious packages.  Recently, Chechmarx also raised an alarm about fully automated npm supply chain attacks that delivered hundreds of malicious packages into the npm systems. This was a work of a threat actor named RED-LILI. The attacker had fully automated the process of npm account creation to launch difficult-to-detect dependency confusion attacks. Checkmarx believes that the threat actor is still alive and continues to publish malicious packages.  It is a stark reality that open-source software is becoming a ripe target for software supply chain attacks. Therefore, organizations should bolster the security and education of their software development teams to thwart such sophisticated attacks. Additionally, it is very important that developers using open-source software must only download codes from official upstream repositories to prevent attacks due to hostile source codes. Edited – Original Source – AquaSec

Australian Government spending pledge for Cyber

The Australian government has revealed plans to strengthen its offensive and defensive cyber capabilities with an investment of $9.9bn. The significant funding pledge was included in the country’s new 2022-23 budget, which was announced on Tuesday. Dubbed REDSPICE, which stands for ‘Resilience, Effects, Defense, Space, Intelligence, Cyber and Enablers,’ it is the biggest single cybersecurity investment in Australian history. Australia’s foreign signals intelligence and security agency, the Australian Signals Directorate (ASD), will receive the funding over the next decade, with the first $4.2bn to be spent in the next four years. The government said the money would allow the ASD to “keep pace with the rapid growth of cyber capabilities of potential adversaries” and would support Australia’s commitment to its Five-Eyes and Aukus partners “while supporting a secure Indo-Pacific region.”

REDSPICE’s federal cyber package will be used to double the size of ASD and its cyber hunt activities, triple its current offensive cyber capability and quadruple its global footprint. It also aims to give Australia next-generation data science and artificial intelligence (AI) capabilities. The ASD currently employs around 2300 individuals. The REDSPICE program is vaunted to create 1900 new jobs at the directorate over the next ten years for corporate staff, data analysts, software engineers, computer programmers and other technologists. Edited – Original Source – ASD

Payment Card Industry Compliance Standard (PCI-DSS v4.0) Published

A new version of the PCI Data Security Standard (PCI DSS) has been published today by the PCI Security Standards Council (PCI SSC), the global payment security forum. Version 4.0 of the standard, which provides a baseline of technical and operational requirements designed to enhance payment security, will replace version 3.2.1 to help combat emerging threats and technologies. In addition, the updates are designed to enable innovative methods to combat new threats. PCI SCC said that the changes were driven by feedback from the global payments industry over the past three years, encompassing over 6000 items from more than 200 organizations.

Among the changes included in PCI DSS v4.0 are:

• Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls. 
• Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
• Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
• Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities as best suited for their business needs and risk exposure.

The current version, v3.2.1, will remain active for two years until March 31 2024. This will provide relevant organizations with time to understand v4.0 and implement the updates. PCI SCC has published a number of supporting documents alongside the updated standard in the PCI SSC Document Library. These include the Summary of Changes from PCI DSS v3.2.1 to v4.0, the v4.0 Report on Compliance (ROC) Template, ROC Attestations of Compliance (AOC) and ROC Frequently Asked Questions. In addition, Self-Assessment Questionnaires (SAQs) will be published in the coming weeks. Lance Johnson, executive director of PCI SSC, said: “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard.” Edited – Original Source – PCI Security Standards

Java Spring Framework Zero Day Patch Released

Spring has now released Spring Framework 5.3.18 and 5.2.20, which it says address the vulnerability. Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have also been released. Temporary remediation steps were also published by researchers at Praetorian prior to the updates being released. Spring also published suggested workarounds in its blog. A CVE report for the vulnerability was also published this afternoon and given the designation CVE-2022-22965, and assessed as being “high severity.” Spring4Shell is a bug in Spring Core, a popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies. The bug allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.

In a blog published on Thursday (March 31), Spring revealed that the Spring4Shell bug was reported to VMware (which owns Spring) by researchers from AntGroup FG on Tuesday, with the team intending to release emergency patches for the bug on Thursday, but details of the bug were leaked online on Wednesday.

In its vulnerability report, Spring itself stated that for the “specific exploit” to work, an application must meet the following prerequisites:

• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc or spring-webflux dependency

“If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit,” the advisory reads. However, it did also say that “the nature of the vulnerability is more general, and there may be other ways to exploit it.” Given these prerequisites, it’s not clear how many instances of the Spring Core Java framework may be vulnerable to this bug. Edited – Original Source – Symantec

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.