by Richard Beck

Hackers steal $6 million from blockchain music platform

The decentralized music platform Audius was hacked, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million. Audius is a decentralized streaming platform hosted on the Ethereum blockchain where artists can earn AUDIO tokens by sharing their music, and users can earn tokens by curating and listening to content. After a hacker stole $6 million worth of AUDIO tokens this weekend, the platform responded within minutes by freezing several services until the developers could deploy fixes to prevent further theft of tokens.

According to a post-mortem report published by Audius, the hacker exploited a bug in the contract initialization code that allowed them to perform repeated invocations of the initialize functions. This enabled the intruder to transfer 18.5 million AUDIO tokens held by the so-called “community treasury” to their wallet, essentially stealing a significant amount of money and changing the platform's governance dynamics. Next, the actor attempted to execute four governance proposals, three of which failed and one passed, transferring the entirety of the Audius community pool to the attacker's wallet. Audius’ contract system has undergone two in-depth security assessments in August 2020 and October 2021 from two different auditors, but neither discovered the exploited vulnerability. This is a teaching moment for Audius and other blockchain-based projects, showing that the required audits do not always find all exploitable bugs. While the Audius attack was not as large as those on Axie Infinity's Ronin bridge and Poly Network, where hackers stole over $600 million of tokens from both projects, the hacker still stole a significant number of tokens.

GoMet Backdoor Used in Attacks Targeting Ukraine

An uncommon piece of malware has been used in an attack aimed at a large Ukrainian software development company. Researchers believe that the attack was carried out by Russian state-sponsored actors. GoMet is a simple piece of software written in the Go programming language and includes nearly all the functions an attacker typically wants in a remotely controlled agent. The backdoor supports job scheduling using cron or the task scheduler depending on the OS, file download, single command execution, and the ability to open a shell or upload a file. GoMet also supports daisy-chaining: once attackers gain access to one machine, they can relay connections from one infected host to another, pivoting through compromised hosts to reach machines that are isolated from the internet.

Researchers from Cisco Talos discovered a modified GoMet backdoor being used in attacks targeting a Ukrainian software firm. They believe it is an attempt to perform supply chain attacks. Two samples of the backdoor with minor differences have been discovered and are believed to share the same source code. In the modified version, the cronjob was set up to run every two seconds instead of every hour, which avoids an hour-long sleep if a connection fails. If the malware cannot reach the C2, the backdoor sleeps for a random amount of time between five and ten minutes. To hinder forensic analysis, the backdoor enumerates autorun values and, instead of creating new ones, replaces one of the existing legitimate autorun executables with the malicious one. Ukraine continues to face a series of attacks, and the GoMet backdoor is among the latest. To stay secure, private and government organizations are advised to remain vigilant and follow the recommendations of CERT-UA.

Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs

Security researchers at Trend Micro have identified that GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes.

"Attackers can abuse the runners or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily," Trend Micro researcher Magno Logan said in a report last week.

GitHub Actions (GHAs) is a continuous integration and continuous delivery (CI/CD) platform that allows users to automate the software build, test, and deployment pipeline. Developers can leverage the feature to create workflows that build and test every pull request to a code repository or deploy merged pull requests to production. Both Linux and Windows runners are hosted on Standard_DS2_v2 virtual machines on Azure and come with two vCPUs and 7GB of memory. The researchers said they identified no fewer than 1,000 repositories and over 550 code samples that are taking advantage of the platform to mine cryptocurrency using the runners provided by GitHub. The Microsoft-owned code hosting service has been notified of the issue. What's more, 11 repositories were found to harbour similar variants of a YAML script containing commands to mine Monero coins, all of which relied on the same wallet, suggesting it's either the handiwork of a single actor or a group working in tandem. Cryptojacking-oriented groups are known to infiltrate cloud deployments through the exploitation of a security flaw within target systems, such as an unpatched vulnerability, weak credentials, or a misconfigured cloud implementation.
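The kind of check a repository owner can run over their own workflow files to catch the pattern described above, as an added example (not Trend Micro's tooling, and not the YAML from the report): it scans workflow text for common miner indicators. The indicator list, the example workflows, and the wallet-like string are constructed for illustration; the Monero address regex matches the standard 95-character address format, and the indicator names are assumptions, not values from the page.

```python
import re

# Indicators of in-pipeline mining (assumed common tooling, not a list from the report).
MINER_PATTERNS = {
    "miner-binary": re.compile(r"\b(xmrig|xmr-stak|minerd|cpuminer|nbminer|t-rex)\b", re.I),
    "mining-pool-url": re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    "miner-flags": re.compile(r"--donate-level|--coin[= ]monero|--algo[= ]rx/0", re.I),
    # Standard Monero address: '4', one of [0-9AB], then 93 base58 characters.
    "monero-address": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
}

# Constructed benign workflow: checkout, install, run tests.
BENIGN_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: pip install -r requirements.txt && pytest
"""

# Constructed abusive workflow: a frequent schedule that runs a miner against a pool.
# The wallet string is a fake placeholder of the right shape, not a real address.
FAKE_WALLET = "4A" + "B" * 93
ABUSIVE_WORKFLOW = f"""\
name: ci
on:
  schedule:
    - cron: '*/5 * * * *'
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: ./xmrig -o stratum+tcp://pool.example.invalid:3333
      - run: ./xmrig -u {FAKE_WALLET} --donate-level 0
"""


def scan_workflow(text):
    """Return (line_number, indicator_name, line) for every matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in MINER_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def indicator_names(text):
    """Distinct indicator categories hit by a workflow; empty set means nothing found."""
    return {name for _, name, _ in scan_workflow(text)}


def is_suspicious(text):
    return bool(indicator_names(text))


if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("abusive", ABUSIVE_WORKFLOW)):
        print(label, "->", sorted(indicator_names(wf)) or "clean")
```

Run it over every file under `.github/workflows/` in a repository; a hit on a pool URL or a wallet-shaped string is a stronger signal than a binary name alone, since legitimate build steps rarely contain either.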

SonicWall: Patch critical SQL injection bug immediately

SonicWall has published a security advisory today to warn of a critical SQL injection flaw impacting the GMS (Global Management System) and Analytics On-Prem products. The flaw, tracked as CVE-2022-22280, allows SQL injection due to improper neutralization of special elements used in an SQL command. It carries a severity rating of 9.4, categorizing it as “critical”, and is exploitable from the network without requiring authentication or user interaction, while it also has low attack complexity.

"SonicWall PSIRT strongly suggests that organizations using the Analytics On-Prem version outlined below should upgrade to the respective patched version immediately," warns SonicWall in an advisory.

SonicWall clarifies that it is not aware of any reports of active exploitation in the wild or of the existence of a proof of concept (PoC) exploit for this vulnerability yet. However, applying the available security updates and mitigations is crucial to minimize the chances of attackers exploiting the bug. SQL injection is a bug that allows attackers to modify a legitimate SQL query so that it performs unexpected behaviour, by supplying a specially crafted string through a web page's form or URL query variables. Using this flaw, attackers can access data they should not have access to, bypass authentication, or potentially delete data from the database. Considering the widespread deployment of SonicWall GMS and Analytics, which are used for central management, rapid deployment, real-time reporting, and data insight, the attack surface is significant and often sits within critical organizations. The recommended action to resolve this vulnerability is to upgrade to GMS 9.3.1-SP2-Hotfix-2 or later and Analytics or later. Any version number below these is vulnerable to CVE-2022-22280.
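To make the class of bug concrete, here is an added example (not SonicWall's code, and unrelated to how CVE-2022-22280 is triggered) showing the general SQL injection pattern the paragraph describes, beside the hardened form. The `users` table and its rows are constructed sample data; the only real API used is Python's built-in `sqlite3`.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "analyst"), (3, "carol", "viewer")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Improper neutralization: untrusted input is spliced into the SQL text.

    Quote characters in `name` change the structure of the statement, so a
    value with an always-true condition returns every row instead of one.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a placeholder; the driver binds `name` purely as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input containing SQL metacharacters (the textbook always-true clause).
CRAFTED_INPUT = "x' OR '1'='1"


def compare(name=CRAFTED_INPUT):
    """Row counts returned by each implementation for the same input."""
    conn = make_db()
    return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))


if __name__ == "__main__":
    vuln_rows, safe_rows = compare()
    print(f"vulnerable query returned {vuln_rows} rows, parameterized query {safe_rows}")
```

The defensive point is that escaping or filtering input is not the fix; binding values through placeholders keeps data and query structure separate regardless of what the input contains.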

Ukrainian Radio Stations Hacked to Broadcast Fake News About Zelenskyy's Health

Ukrainian radio operator TAVR Media on Thursday became the latest victim of a cyberattack, resulting in the broadcast of a fake message that President Volodymyr Zelenskyy was seriously ill. "Cybercriminals spread information that the President of Ukraine, Volodymyr Zelenskyy, is allegedly in intensive care, and his duties are performed by the Chairman of the Verkhovna Rada, Ruslan Stefanchuk," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in an update.

The Kyiv-based holding company oversees nine major radio stations, including Hit FM, Radio ROKS, KISS FM, Radio RELAX, Melody FM, Nashe Radio, Radio JAZZ, Classic Radio, and Radio Bayraktar. In a separate post on Facebook, TAVR Media disclosed that its servers and networks were targeted in a cyberattack and that it's working to resolve the issue. The company also emphasized that "no information about the health problems of the President of Ukraine Volodymyr Zelenskyy is true." The false reports, which were broadcast between 12 and 2 p.m., also prompted Zelenskyy to take to Instagram, stating, "I have never felt as healthy as I do now." The provenance of the intrusion remains unknown as yet, although several threat actors have capitalized on the ongoing conflict between Russia and Ukraine to carry out a barrage of cyberattacks, with hacking groups taking sides. In a related development, the Computer Emergency Response Team of Ukraine (CERT-UA) also warned of macro-laden PowerPoint documents being used to deploy Agent Tesla malware targeting state organizations of the country.

Researchers identify new Rust-based malware source code leaked

Cyble researchers spotted a new Rust-based info stealer, named Luca Stealer. The source code of the malware has been released for free on hacker forums, and Luca Stealer is being actively used by threat actors. The source code was leaked on July 3, and the researchers have identified 25 malware samples built on it in the wild. The stealer can target various Chromium-based browsers, chat apps, gaming apps, and cryptocurrency wallets. Earlier, the stealer was built to exfiltrate data using a Telegram bot; however, since that channel can upload only up to 50MB, the developer made it compatible with Discord webhooks. The author claimed that the malware was developed in only six hours. It shows a detection rate of 22% on VirusTotal.

Luca Stealer’s developer is probably new on the cybercrime forum and has leaked the source code to build a reputation for themselves. They have, furthermore, provided steps to alter the stealer and compile the source code. It has been updated three times, and the developer is constantly adding capabilities. What sets Luca Stealer apart is its focus on password manager browser extensions: it can steal locally stored data from 17 such applications. In addition, it captures screenshots, saves them as PNG files, and sends the details to the operators. However, unlike most info stealers, it lacks a clipper for altering clipboard contents to hijack crypto transactions.

T-Mobile reaches historic $350 million settlement in 2021 data breach

T-Mobile has agreed to pay $350 million to a group of victims and commit an extra $150 million to security upgrades to settle a class-action lawsuit brought in the wake of a 2021 hack of sensitive customer data. The settlement would be one of the largest data breach penalties levied against a company in the U.S. — only Equifax, which agreed in 2019 to pay at least $575 million to settle allegations tied to a 2017 data breach brought by the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories, has faced steeper penalties.

“Like Equifax, they have a settlement that seems both large and small at the same time,” said Melissa Krasnow, a partner at VLP Law Group who specializes in data security and privacy, who emphasized that government investigations would continue even after a class-action settlement is paid out. “It seems huge, but just as with Equifax I wonder if there’s more [to come].”

The breach, which T-Mobile disclosed last August, was originally believed to have affected about 50 million people in the U.S., but that number was later revised to 76.6 million people. Exposed information included customers’ first and last names, Social Security numbers and driver’s license information. A 21-year-old living in Turkey took credit for the attack, and said he did it to gain attention, The Wall Street Journal reported. The company admitted no liability or wrongdoing in the proposed settlement, which is awaiting approval from the U.S. Court for the Western District of Missouri.

Hackers Deceive Developers by Spoofing GitHub Commit Metadata

A warning has been issued by Checkmarx security experts about a new supply chain attack method in which attackers use fake commit metadata to make malicious GitHub repositories look legitimate. Commits are essential components in the GitHub system and have a unique hash or ID. They record every change made to the files, when the change was made, and who made it. According to Checkmarx researchers, threat actors can tamper with commit metadata to make repositories look relevant and recently updated. It is possible to spoof the committer and link the commit to a legitimate GitHub account. Fake commits can be generated automatically and added to a user’s GitHub activity graph, making it appear as if they have been active on the code hosting platform for a very long time. Developers are thereby deceived into believing that the repository comes from a trustworthy source.

According to Checkmarx, threat actors can manipulate the timestamps associated with commits. To launch the attack, they need only the email address of the committer account they want to impersonate. They use certain commands to substitute a fake username and email for the real ones. Attackers employ this tactic repeatedly to fill their repository’s contributors section with reputable contributors and give the project a credible appearance. As a result, the GitHub repository's reputation is improved, but the spoofed user is never made aware that their identity has been used. Fake metadata tricks developers into using code they would normally shun, which gives the threat actors legitimacy. To counter this, Checkmarx researchers recommend that developers sign their commits. Staying vigilant about contributors' activity can also help contain such a supply chain attack.
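A defender-side check that follows from the recommendation above, as an added example (not Checkmarx's tooling): it reads one-line-per-commit records of the shape produced by `git log --format='%H%x09%G?%x09%an%x09%ae%x09%at%x09%ct'` and flags commits whose signature did not verify, whose author email is not a known contributor, whose author date is far older than the commit date, or whose commit date lies after the time the repository was fetched. The sample records, the contributor allowlist, the fetch time, and the thresholds are all constructed for illustration; the `%G?` status letters are git's own (G = good signature, N = no signature, E = cannot be checked).

```python
# git log format assumed for the input records (hash, signature status, author name,
# author email, author timestamp, committer timestamp), tab-separated.
LOG_FORMAT = "%H%x09%G?%x09%an%x09%ae%x09%at%x09%ct"

# Constructed sample records; hashes, names and addresses are made up.
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678\tG\tAlice Dev\talice@example.com\t1658400000\t1658400000
b2c3d4e5f60718293a4b5c6d7e8f901234567890\tN\tFamous Maintainer\tmaintainer@example.org\t1262304000\t1658400100
c3d4e5f60718293a4b5c6d7e8f90123456789012\tN\tAlice Dev\talice@example.com\t1658400200\t1658400200
d4e5f60718293a4b5c6d7e8f9012345678901234\tE\tBuild Bot\tbot@example.com\t1701000000\t1701000000
"""

# Constructed context: when the repository was fetched, and whose commits are expected.
OBSERVED_AT = 1658500000
KNOWN_CONTRIBUTORS = {"alice@example.com", "bot@example.com"}
MAX_BACKDATE_SECONDS = 30 * 24 * 3600  # author date >30 days before commit date is odd


def parse_log(text):
    """Turn the tab-separated git log output into a list of commit dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        h, sig, author, email, author_ts, commit_ts = line.split("\t")
        commits.append({
            "hash": h, "sig": sig, "author": author, "email": email,
            "author_ts": int(author_ts), "commit_ts": int(commit_ts),
        })
    return commits


def assess(commit, observed_at=OBSERVED_AT, known=KNOWN_CONTRIBUTORS):
    """Return the list of findings for one commit; an empty list means no concern.

    Signature verification is the decisive check: names, emails and both
    timestamps are free-form metadata that anyone can set, so only a good
    signature ties the commit to the account it claims to come from.
    """
    findings = []
    if commit["sig"] != "G":
        findings.append("signature:" + commit["sig"])
    if commit["email"] not in known:
        findings.append("unknown-email")
    if commit["commit_ts"] - commit["author_ts"] > MAX_BACKDATE_SECONDS:
        findings.append("backdated-author")
    if commit["commit_ts"] > observed_at:
        findings.append("future-commit")
    return findings


def audit(text, observed_at=OBSERVED_AT, known=KNOWN_CONTRIBUTORS):
    """Map each abbreviated hash to its findings."""
    return {c["hash"][:7]: assess(c, observed_at, known) for c in parse_log(text)}


if __name__ == "__main__":
    for short_hash, findings in audit(SAMPLE_LOG).items():
        print(short_hash, ", ".join(findings) if findings else "ok")
```

The second record is the pattern the article describes: a commit carrying a well-known maintainer's name and address, unsigned, with an author date years before it was committed. On GitHub the equivalent of the signature check is the "Verified" badge; treating unsigned commits attributed to trusted maintainers as unverified claims is the practical takeaway.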

600 Industrial Control System (ICS) products vulnerable

More than 600 industrial control system (ICS) product vulnerabilities were disclosed in the first half of 2022 by the US Cybersecurity and Infrastructure Security Agency (CISA), according to an analysis conducted by industrial asset and network monitoring company SynSaber. SynSaber researchers have counted 681 vulnerabilities disclosed by CISA, slightly more than in the first half of 2021. It’s worth noting that CISA does not publish advisories for all publicly disclosed ICS flaws, which means that the actual number of issues disclosed between January and June could be higher. Approximately 13% of the 681 CVEs don’t have a patch and may never get fixed — these are called “forever day vulnerabilities.”

However, in some cases, even if the vulnerability does have a patch, applying it may not be a straightforward task due to what SynSaber describes as “complicated interoperability and warranty constraints.” Organizations may need to wait for the affected OEM vendor to greenlight patching and they need to determine operational risks before any steps are taken. More than 22% of the vulnerabilities made public by CISA in H1 2022 have been assigned a “critical” severity rating and 42% have been rated “high severity” based on their CVSS score.

However, as experts have often highlighted, CVSS scores can be misleading in the case of ICS. SynSaber advises organizations to look at certain indicators to determine if a vulnerability is practically exploitable within their environment. For example, if exploitation requires user interaction, local/physical access, or elevated privileges on the targeted system, then it’s less likely to be exploited. Just over half of the 681 ICS vulnerabilities require a software patch, while 34% require a firmware update and 12% need a protocol update. An assessment by SynSaber shows that roughly 40% of vulnerabilities should be addressed immediately, and 8% cannot be easily addressed and likely require compensating controls to prevent exploitation.

US introduces the Quantum Computing Cybersecurity Preparedness Act

A bipartisan bill that seeks to strengthen national security against quantum-computing threats has been introduced in the US Senate. The Quantum Computing Cybersecurity Preparedness Act addresses federal agencies’ preparedness for quantum computing and requires them to adopt proper defences against quantum-computing-enabled data breaches. The bill underlines the need to migrate federal agencies’ information technology systems to post-quantum cryptography and mandates that the Office of Management and Budget (OMB) will supervise the migration process.

“Quantum computing will provide for huge advances in computing power, but it will also create new cybersecurity challenges. This bipartisan legislation will require the government to inventory its cryptographic systems, determine which are most at risk from quantum computing, and upgrade those systems accordingly. I urge my colleagues to join us in supporting this legislation,” Portman said.

Per the bill, OMB will also guide federal agencies for one year after the National Institute of Standards and Technology (NIST) issues post-quantum cryptography standards and will keep Congress informed on the status of federal agencies’ migration to post-quantum cryptography standards and on post-quantum cryptography risks, defences and necessary funding.
