🔓 [CyberFacts Weekly - Issue 0x04] Happy Halloween 🎃
Greetings! 🎃
Interesting week in Europe, right? It's interesting to see the parallel between (1) the social protests happening in Italy about the regulations that require all workers to possess a valid EU Digital COVID Certificate (a.k.a. "GreenPass") and (2) the incident at one (potentially more) certificate-issuance site, which has been found exposed on the public Internet without protection. Of course, in a matter of hours, there was an explosion of Telegram groups selling generated certificates.
At the beginning, it didn't seem like a big deal, because the EU Digital COVID Certificate system has this scenario figured out already. But, as more clearly forged but accepted passes have started to circulate (archived), more details bubbled up, revealing what seems to be a larger "compromise" of the certificate issuing infrastructure. Technically, nothing has been actively compromised: It's just some unwanted service exposure.
Just scroll down and you'll find more details.
Other highlights:
- 150 people arrested in dark web drug bust,
- Conti ransom gang starts selling access to victims,
- Using phone numbers as Wi-Fi passwords makes cracking them easy (of course!),
- DarkSide transfer $7M worth of BTCs,
- Mozilla makes breaking changes to the add-ons proxy API,
- Ransomware at San Carlo Italian chips maker,
- New Tesla forensics driving data can be acquired,
- Shrootless vulnerability can bypass macOS SIP.
If you like this digest, consider subscribing!
Top Picks
A Researcher Cracked 70% of Tel Aviv’s Wifi Networks Using a Mask Attack
by Ido Hoorvitch // CyberArk Threat Research Blog
The magic combo was (1) the terrible habit many people living in Israel have of using their cellphone numbers as WiFi passwords, (2) a recent WiFi attack, and (3) a decent cracking rig (8 x QUADRO RTX 8000 48GB GPUs).
Exposed Certificate Issuance Systems Have been Used to Generate Valid EU Digital COVID Certificates
by @Xiloeee // Twitter
At the beginning, it didn't seem like a big deal, because the EU Digital COVID Certificate system has this scenario figured out already (check here, or here, here, here, and here, some are in Italian). As more clearly forged but accepted passes have started to circulate (archived), more details bubbled up, revealing what seems to be a larger "compromise" of the certificate issuing infrastructure. Technically, nothing has been actively compromised: It's just some unwanted service exposure.
What most likely happened (and is still happening) is that someone found the certificate-issuing web frontends of some countries (MK, DE, PL, FR) exposed with no protection (or with known credentials), probably by luck, through an info leak, or by scanning for web services matching fingerprints derived from inspecting the source code, and used them to generate vaccination certificates.
The first reaction, as predicted, was that some countries started removing keys (e.g., FR, MK) from the trust list. This only marginally fixed the problem: since no private/signing key has been compromised, some countries rolled back the revocation. Revoking a key means re-generating all certificates issued under it, and meanwhile more and more exposed certificate-issuing web frontends could have been (and will be) abused to generate further certificates. So, if issuers don't keep audit trails (and it seems that it's possible to generate certificates without leaving an audit log), and if they don't urgently lock down their incidentally exposed services, the problem will soon become global and potentially all keys will have to be revoked.
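To make the trust-list reasoning concrete, here is an added toy model (not code from the original post or from any DCC implementation) of how a verifier checks a certificate against a trust list: a certificate produced through an exposed frontend carries a genuine signature, so dropping the key id from the trust list also kills every honest certificate signed with it, while a per-certificate revocation list only works if the issuer logged what it issued. The key id `DE-01`, the identifiers and the schoolbook RSA key with fixed small primes are all constructed so the example runs offline; real DSCs are ECDSA P-256 keys inside a COSE-signed CWT.

```python
import hashlib
import json

# Constructed toy RSA key for issuer key id "DE-01" (NOT a real DSC; real DCC
# keys are ECDSA P-256 and signatures live in a COSE structure).
P, Q = 1000000007, 1000000009
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(payload: dict) -> int:
    """Canonical JSON -> 56-bit hash, kept below the toy modulus."""
    raw = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:7], "big")

def issue(kid: str, ci: str, name: str) -> dict:
    """What the issuance frontend does: sign a payload with the issuer's key."""
    payload = {"ci": ci, "name": name, "v": "vaccinated"}
    return {"kid": kid, "payload": payload, "sig": pow(_digest(payload), D, N)}

# What a verifier app holds: kid -> public key, plus a per-certificate revocation set.
TRUST_LIST = {"DE-01": (N, E)}
REVOKED_IDS = set()

def verify(cert: dict, trust_list=TRUST_LIST, revoked=REVOKED_IDS) -> str:
    key = trust_list.get(cert["kid"])
    if key is None:
        return "untrusted key"          # key id removed from the trust list
    n, e = key
    if pow(cert["sig"], e, n) != _digest(cert["payload"]):
        return "bad signature"          # tampered payload or wrong key
    if cert["payload"]["ci"] in revoked:
        return "revoked"                # identifier on the revocation list
    return "valid"

def scenario() -> dict:
    """Honest cert vs. cert produced through the exposed frontend (same key)."""
    honest = issue("DE-01", "URN:UVCI:01:DE:0001", "Honest Holder")  # constructed ids
    forged = issue("DE-01", "URN:UVCI:01:DE:9999", "Forged Holder")
    out = {"before": (verify(honest), verify(forged))}
    # Blunt fix: drop the key id from the trust list -> every cert under it fails.
    no_key = {k: v for k, v in TRUST_LIST.items() if k != "DE-01"}
    out["key_revoked"] = (verify(honest, no_key), verify(forged, no_key))
    # Targeted fix: only possible if the issuer logged the identifiers it issued.
    out["id_revoked"] = (verify(honest, TRUST_LIST, {"URN:UVCI:01:DE:9999"}),
                        verify(forged, TRUST_LIST, {"URN:UVCI:01:DE:9999"}))
    return out

if __name__ == "__main__":
    print(scenario())
```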
Suspected cyberattack temporarily disrupts gas stations across Iran
by Catalin Cimpanu // The Record by Recorded Future
A software glitch believed to have been caused by a cyberattack has disrupted gas stations across Iran and defaced gas pump screens and gas price billboards.
The incident, which took place earlier this morning, impacted the IT network of NIOPDC, a state-owned gas distribution company that manages more than 3,500 gas stations across Iran.
Italian Chips Maker San Carlo Hit by Conti Ransomware
by Time News // Time News
The prosecutor's office and Italian law enforcement are investigating. Here's one of the many original articles that announced the attack (in Italian).
150 arrested in dark web drug bust as police seize €26 million
by Europol // Europol
More than €26.7 million (USD 31 million) in cash and virtual currencies have been seized in this operation, as well as 234 kg of drugs and 45 firearms. The seized drugs include 152 kg of amphetamine, 27 kg of opioids and over 25 000 ecstasy pills.
Operators Behind DarkSide Ransomware Transfer $7M Worth of BTCs Into 7 New Wallets
by Prajeet Nair // Data Breach Today
According to a crypto-wallet tracking service, the operators behind DarkSide ransomware moved $7M worth of BTCs from the wallet that received the Colonial Pipeline ransom into 7 wallets.
How the FBI Obtains Data From US Cellular Network Operators
by Joseph Cox // Motherboard
AT&T retains “cloud storage internet/web browsing” data for 1 year. When asked what this detail entails exactly, such as websites visited by customers on the AT&T network, AT&T spokesperson Margaret Boles said in an email that “Like all companies, we are required by law to comply with mandatory legal demands, such as warrants based on probable cause. Our responses comply with the law.” The document also mentions that law enforcement can request records related to wearable devices from AT&T.
Full document obtained by Property of the People.
Conti Ransom Gang Starts Selling Access to Victims – Krebs on Security
by Brian Krebs // Krebs on Security
The Conti ransomware affiliate program [...] updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.
Firefox Blocks Add-ons (Ab)using the Proxy API
by Rachel Tublitz, Stuart Colville // Mozilla Security Blog
The Proxy API can be (ab)used to essentially create an in-browser firewall that blocks or otherwise interferes with Mozilla's upgrade functionality, which is critical (as you may understand). So, Mozilla has decided that all add-ons using the Proxy API must be blocked, and future add-ons using the Proxy API will have to include a special entry in their manifest to expedite review of legitimate add-ons.
Tesla's Autopilot Further Reverse Engineered
by Nick Carey // Reuters
"These data contain a wealth of information for forensic investigators and traffic accident analysts and can help with a criminal investigation after a fatal traffic accident or an accident with injury," Francis Hoogendijk, a digital investigator at the NFI, said in a statement.
Also Noteworthy
Android smartphones infected with rare rooting malware
by Catalin Cimpanu // The Record by Recorded Future
The rooting package contained exploits for the following five vulnerabilities: CVE-2020-0041, CVE-2020-0069, CVE-2019-2215, CVE-2015-3636, and CVE-2015-1805.
Full analysis by Lookout here.
Emergency Google Chrome update fixes zero-days used in attacks
Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to fix two zero-day vulnerabilities that attackers have actively exploited.
Full analysis here (in Chinese).
Ransomware Hackers Freeze Millions in Papua New Guinea
by Jamie Tarabay // Bloomberg
Papua New Guinea’s finance department acknowledged late Thursday that its payment system, which manages access to hundreds of millions of dollars in foreign aid money, was hit with a ransomware attack.
Free Decryptor for AtomSilo, Babuk, and LockFile Released by Avast
by Catalin Cimpanu // The Record by Recorded Future
Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains—AtomSilo, Babuk, and LockFile.
FBI Releases Indicators of Compromise Associated with Ranzy Locker Ransomware | CISA
by CISA // CISA
In a Flash report the FBI releases IOCs associated with attacks using Ranzy Locker, a ransomware variant first identified targeting victims in the United States in late 2020.
Are Baby Boomers Really Less Vulnerable Online Than Younger Generations?
by Bryson Medlock (Threat Researcher at ConnectWise's Cyber Research Unit), October 26, 2021 // Dark Reading
[...] older generations are more suspicious of any electronic communication. They espouse paranoia and distrust with any form of online communication. Their attitudes are the very essence of the zero-trust cybersecurity model.
North Korean state hackers start targeting the IT supply chain
by Sergiu Gatlan // BleepingComputer
The North Korean-sponsored Lazarus hacking group has shifted its focus to new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities.
US Online Payment Processing Service FIS Replaces PAX Terminals Over Security Concerns
by Brian Krebs // Krebs on Security
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
And then we learn the reason behind that, and that PAX security exec resigns the day after the raid.
DDoS has Been Hitting UK VoIP Providers for 4+ Weeks
by Eli Katz // Comms Council UK
Several Comms Council UK members and international IP-based communications service providers have been subjected to Distributed Denial of Service (DDoS) attacks over the past four weeks, which appear to be part of a coordinated extortion-focused international campaign by professional cyber criminals.
Quishing: Abusing QR Codes to Bypass Phishing Filters
by Rachelle Chouinard // Abnormal
[...] these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls. All the QR code images were created the same day they were sent, making it unlikely that they have been previously reported and would be recognized by a security blocklist.
New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns | Proofpoint US
by Selena Larson, Joe Wise // Proofpoint Threat Insight
Proofpoint identified a new cybercriminal threat actor impersonating Philippine health, labor, and customs organizations, and other entities based in the Philippines.
Nobellium Now Targeting Resellers and Cloud-customization Service Providers
by Tom Burt // Microsoft On the Issues
This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.
How to Perform Timing Attacks on NFC Tags Using the CR95HF Reader
by Federico Cerutti // ceres-c
[The word] "secure" is put into quotation marks as the company’s security model is based upon NDA’d documentation and a custom mutual authentication algorithm.
Runbox, Fastmail, Posteo Temporarily Down Because of DDoS Attacks
by Catalin Cimpanu // The Record by Recorded Future
For a couple of hours before reading this piece I noticed numerous "random" reports on Reddit by users noticing Fastmail hiccups.
Malware Discovered in Popular NPM Package, ua-parser-js | CISA
by CISA // CISA
Versions of a popular NPM package named ua-parser-js were found to contain malicious code.
Initial Access Broker Landscape
by Trevor Giffen // Curated Intelligence
An "initial access broker" is an individual who compromises systems or user accounts with the intent of gaining privileged access, to later sell. Initial access sales happen both publicly and privately, across many contexts.
Too Many Scientific Papers in the Largest Fields Mean Ideas Won't Rack Up
by Johan S. G. Chu, James A. Evans // Proceedings of the National Academy of Sciences
Examining 1.8 billion citations among 90 million papers across 241 subjects, we find a deluge of papers does not lead to turnover of central ideas in a field.
Among the examined fields, computer science and artificial intelligence are among those with the most substantial citation decay.
The advancement of scientific knowledge is kind of becoming a victim of its own success.
Vulnerabilities
Microsoft Finds a new Vulnerability that Could Bypass macOS System Integrity Protection (CVE-2021-30892)
The vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process.
Popular CI/CD Pipeline Used by Fortune 500 and NGOs Just Fixed Broken Authentication Vulnerabilities
by Simon Scannel // SonarSource Blog
The vulnerabilities allowed an unauthenticated user to access sensitive information and read arbitrary files on a GoCD server instance.
Discourse Patches Critical RCE (CVE-2021-41163)
by CISA // CISA
Discourse, one of the most popular open-source discussion platforms, has just patched a critical RCE vulnerability (CVE-2021-41163).
Vulnerability in BillQuick Payment Exploited in the Wild to Deploy Ransomware (CVE-2021-42258)
by Caleb Stewart // Huntress Blog
The Huntress ThreatOps team discovered [active exploitation of] CVE-2021-42258 [...] to gain initial access to a US engineering company—and deploy ransomware across the victim’s network.
Tools
FormatFuzzer: Generate Binary Inputs and Parsers from Templates
FormatFuzzer is a framework for high-efficiency, high-quality generation and parsing of binary inputs. It takes a binary template that describes the format of a binary input and generates an executable that produces and parses the given binary format. From a binary template for GIF, for instance, FormatFuzzer produces a GIF generator, also known as a GIF fuzzer.
Check the paper for details.
An Analysis of EU Digital COVID Certificates
by Denys Vitali // GitHub
An up-to-date analysis of valid certificates circulating after the EU Digital COVID Certificate incident. I've archived this repository here just in case.
GreenPass Experiments
by Alessandro Mazzeo // GitHub
I don't think this is in any way related to the EU Digital Covid Certificate incidents.
An ATT&CK-like Matrix Focused on CI/CD Pipeline Specific Risks
by Hiroki Suezawa // GitHub
Technically not a tool, but a handy reference.
Phishious: The VirusTotal of Secure Email Gateways
by Rices // GitHub
Phishious exploits a common misconfiguration where many organisations broadcast overly sensitive information in email bounce responses and non-delivery reports. The sensitive information typically comes in the form of original untampered inbound message headers.