TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #26

Howdy everyone, welcome to volume number 26 of TRIAGE Tuesday! First we look at a software supply chain attack on NPM packages that has the potential to impact a huge number of organizations, depending on the final answer to which packages have been infected. A leak of Chinese citizen data, if released and verified, will be one of the largest data leaks ever. An insider threat at a bug bounty organization serves as a perfect reminder of why employees can be one of the biggest threats to an organization and how quickly a reputation can be affected by one person’s actions. Two major issues affecting Microsoft systems need to be closely monitored, and then we finish off the week with a look at the count of attacks on Ukraine so far in the conflict and how it has spread! Enjoy a closer look at all 5 stories below!

A bit of a delay in sharing this week due to a mini-derecho (land-based, hurricane-force winds) and a fiber cut that took down the internet for most of the Midwest on Tuesday!

If you are not already, get this awesome weekly update delivered directly to your inbox! The newsletter!


1. IconBurst NPM software supply chain attack grabs data from apps, websites

Iconburst - Reversing Labs

Overview: ReversingLabs researchers recently discovered evidence of a widespread software supply chain attack involving malicious Javascript packages offered via the NPM package manager. Researchers at ReversingLabs identified more than two dozen NPM packages, dating back six months, that contain obfuscated Javascript designed to steal form data from individuals using applications or websites where the malicious packages had been deployed. Upon closer inspection, we discovered evidence of a coordinated supply chain attack, with a large number of NPM packages containing jQuery scripts designed to steal form data from deployed applications that include them. While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites. In one case, a malicious package had been downloaded more than 17,000 times.

TRIAGE: NPM packages and JavaScript mean this makes for a bad day, no matter who you are or which systems you are set up to protect. As noted, mobile apps, desktop applications and many websites that use any of the infected NPM packages are potentially infected. Everyone will need to watch this research closely as technical details emerge, so they can check their own systems for exposure. I am sure most of us are already in hyper-vigilance mode for suspicious activity, or you sure should be as much as possible, but here is another avenue of attack to keep a close eye on going forward. We have seen infected software packages cause infections in the past, whether the package itself was compromised in some way, or an open source maintainer quit working on the project and it was taken over by a malicious actor who inserted malware somewhere in the process.
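To act on the "check for exposure" advice above, here is an added example (not code from the page or from ReversingLabs) that inventories every resolved dependency in a package-lock.json, transitive ones included, and flags names on a suspect list; the package names and the sample lockfiles are constructed placeholders, since the real IconBurst list lives in the ReversingLabs report.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder names standing in for the malicious packages; the
# real IconBurst list comes from the ReversingLabs report, not this snippet.
SUSPECT_PACKAGES = {"icon-package-placeholder", "@placeholder/icons"}

def _name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys)."""
    idx = path.rfind("node_modules/")
    return path[idx + len("node_modules/"):] if idx != -1 else path

def iter_locked_packages(lock: Dict) -> Iterable[Tuple[str, str]]:
    """Yield (name, version) for every resolved dependency, transitive ones
    included, from a package-lock.json of lockfileVersion 1, 2 or 3."""
    if "packages" in lock:              # v2/v3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path:                    # "" is the root project, not a dep
                yield _name_from_path(path), meta.get("version", "?")
        return
    stack = list(lock.get("dependencies", {}).items())   # v1: nested tree
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", "?")
        stack.extend(meta.get("dependencies", {}).items())

def find_exposure(lock: Dict, suspects=SUSPECT_PACKAGES) -> List[Tuple[str, str]]:
    """Sorted (name, version) pairs whose name is on the suspect list."""
    return sorted({(n, v) for n, v in iter_locked_packages(lock) if n in suspects})

# Constructed sample lockfiles: a v3 file with a nested hit, and a v1 file.
LOCK_V3 = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "shop-frontend", "version": "1.0.0"},
  "node_modules/jquery": {"version": "3.6.0"},
  "node_modules/icon-package-placeholder": {"version": "1.2.3"},
  "node_modules/ui-kit": {"version": "2.0.0"},
  "node_modules/ui-kit/node_modules/@placeholder/icons": {"version": "0.9.0"}}}""")
LOCK_V1 = json.loads("""{"lockfileVersion": 1, "dependencies": {
  "ui-kit": {"version": "2.0.0", "dependencies": {
    "@placeholder/icons": {"version": "0.9.0"}}},
  "left-pad": {"version": "1.3.0"}}}""")

if __name__ == "__main__":
    for label, lock in (("v3", LOCK_V3), ("v1", LOCK_V1)):
        for name, version in find_exposure(lock):
            print(f"{label}: suspect package {name}@{version} in dependency tree")
```

Point it at real lockfiles by replacing the embedded samples with `json.load(open("package-lock.json"))`, and remember that a lockfile only reflects what npm resolved, not what a bundler or CDN `<script>` tag pulled in separately.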


2. Hacker claims to have obtained data on 1 billion Chinese citizens

Guardian - Hacker claims data on 1 Billion Chinese citizens

Overview: A hacker has claimed to have stolen the personal information of 1 billion Chinese citizens from a Shanghai police database, in what would amount to one of the biggest data breaches in history if found to be true. The anonymous hacker, identified only as “ChinaDan”, posted on hacker forum Breach Forums last week offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000 (£165,000). “In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on billions of Chinese citizen,” the post said.

TRIAGE: This is a massive leak of data, and a bit of a rarity, since the vast majority of leaks so far have involved citizens of countries in the “West” and not of Russia, China or North Korea. The price also seems fairly low for that large a trove of data, which may contain an extreme level of detail on each person considering the source, and considering that more restrictive laws around personal data collection are new there as well. Many of us have had our data leaked from different sources several times now, especially if you have done any sort of work in the past with government agencies in the United States, so it will be interesting to see how this plays out in China with a completely different set of laws and social conventions.


3. Rogue HackerOne employee steals bug reports to sell on the side

BC - Rogue HackerOne theft

HackerOne Incident Report

Overview: A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards. The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday. HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports.

TRIAGE: We have seen several times already that just because a company is technology or information security focused, it is in no way immune to the same incidents as a company in any other industry. Sadly, in some cases such companies are more likely to see certain behavior cause an even larger issue because of the data employees are given access to for their day to day work. Here we have a perfect case of insider threat, where an employee of a bug bounty firm steals the details of unreleased vulnerabilities and profits from that knowledge by selling it directly to the affected company. This serves as a stark reminder to all of us that internal monitoring is just as important as external monitoring and that anyone can make bad choices at any point - you need systems in place to watch for this activity so you can stop it from happening, or at least intercept it and keep it from continuing.


4. Microsoft finds Raspberry Robin worm in hundreds of Windows networks, and Microsoft Exchange servers worldwide backdoored with new malware

SOCRadar - Raspberry Robin worm

BC - MS Exchange backdoor

Overview:

Raspberry Robin: Microsoft reported that hundreds of businesses’ networks have already been compromised by the Windows worm Raspberry Robin. Multiple security experts discovered Raspberry Robin in 2021. Microsoft even saw evidence from 2019. Raspberry Robin acts like a worm and is installed via external devices (such as USB flash drives). It gains access through msiexec.exe, which is utilized to install malicious DLL files.

Microsoft Exchange: Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa. The malware, dubbed SessionManager by security researchers at Kaspersky, who first spotted it in early 2022, is a malicious native-code module for Microsoft's Internet Information Services (IIS) web server software. It has been used in the wild without being detected since at least March 2021, right after the start of last year's massive wave of ProxyLogon attacks.

TRIAGE: Two big new issues hit Microsoft systems in the past week; please keep an eye out for both and get a basic technical understanding of how each one works. Raspberry Robin serves as a wonderful excuse to ban access to USB devices on corporate machines if you do not already have a policy in place to stop this exact kind of activity. Anyone running Exchange on prem will want to monitor for the above malware; so far it appears to be focused outside of the United States, which matters if you are working for a U.S.-based company. Just remember we are all still connected and are only a few hops away from everyone else.


5. Ukraine targeted by almost 800 cyberattacks since the war started

BC - Ukraine targeted attacks so far

Overview: Ukrainian government and private sector organizations have been the target of 796 cyberattacks since the start of the war on February 24, 2022, when Russia invaded Ukraine. According to Ukraine's cybersecurity defense and security agency SSSCIP (short for State Service of Special Communications and Information Protection), the country's networks have been under a constant barrage of hacking attempts since the war started. "Enemy hackers continue to attack Ukraine. The intensity of cyberattacks has not decreased since the beginning of Russia's full-scale military invasion, although their quality has been declining," SSSCIP said on Thursday.

TRIAGE: The level of attacks at this point is not the surprising part, but the chart included in the article, as translated from the original source, tells a more detailed story - these are not all cyber attacks on governmental groups or critical infrastructure; they also hit financial services and commercial entities, and almost half fall into the general “other” category. Russia is also ramping up its kinetic attacks, as expected, and making more moves to target allies that are trying to assist Ukraine, as we also expected. This is still an active situation with new actions constantly developing, and we all need to maintain vigilance around this activity as it continues to pour out into the rest of the globally connected internet.
