Cyber Security News - 01-13 March

Ransomware Attack on Food Giant Dole Food Company Blocked North America Production

“Good afternoon, Dole Food Company is in the midst of a Cyber Attack and have subsequently shut down our systems throughout North America. Our IT group is working hard on mitigating the issues in order to get our systems up and running ASAP. Our plants are shut down for the day and all shipments are on hold. All our businesses are implementing our Crisis Management Protocol to resume “business as usual” post haste, inclusive of our Manual Backup Program if needed.” reads the notice.

LastPass: Hackers Breached the Computer of a DevOps Engineer in a Second Attack

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware.” continues the update.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The investigation conducted by the company with the help of the cybersecurity firm Mandiant confirmed the attack on the DevOps engineer’s home computer.

TikTok Answers Three Big Cyber Security Fears About the App

Around the time of Trump's proposed ban nearly three years ago, TikTok had been downloaded around 800 million times worldwide. Currently it numbers 3.5 billion downloads, according to app analyst company Sensor Tower.

So what are the three chief cybersecurity concerns about TikTok which keep being flagged, and how does the company respond to them?

Illinois’ Biometric Privacy Law Provides Blueprint as States Seek to Curb Data Collection

Concerns over the collection and sale of biometric data have flared in recent years in light of the increased use of facial recognition technology, fingerprinting and iris scans.

The rapid adoption of the technology has alarmed policymakers and security experts due to the uniquely sensitive nature of biometric data which, unlike a password or account number, is impossible to change if stolen or misused.

Canada is Going to Ban TikTok on Government Mobile Devices

TikTok is also under the scrutiny of Canadian privacy regulators that are investigating whether the company obtains valid and meaningful consent from users when collecting their personal information.

“On a mobile device, TikTok’s data collection methods provide considerable access to the contents of the phone” - Mona Fortier, the president of Canada’s Treasury Board, said.

“While the risks of using this application are clear, we have no evidence at this point that government information has been compromised”.

China-Linked Mustang Panda APT Employed MQsTTang Backdoor as Part of an Ongoing Campaign Targeting European Entities

MQsTTang supports common backdoor capabilities, one of its hallmarks is the use of the MQTT protocol for C&C communication. The MQTT protocol is typically used for communication between IoT devices and controllers, the experts noticed that hasn’t been used in many publicly documented malware families.

The encoding scheme used by the threat actors is the same for every communication. The MQTT message’s payload is a JSON object with a single attribute named msg. The value of this attribute is generated by first encoding in base64 the actual content, then it is XORed with the hardcoded string nasa, and base64 encoded again.

Cybercriminals Use Fake Blue Screen of Death (BSOD) Message to Trick Victims

The pop-up will blend in with the background, making it hard to detect, and will likely contain false information or instructions.

The deceptive pop-up window that appears on the victim’s device has been designed to imitate a common error screen that many Windows users are familiar with.

Play Ransomware Gang has Begun to Leak Data Stolen From City of Oakland

The notice published by the City confirmed that its core functions (911, financial data, and fire and emergency resources) were not impacted, however, it warns the public of possible delays from the City as a result of the attack.

In an update provided by the City on February 14, 2023, it declared a local state of emergency due to the effect of the ransomware attack.

On March 3, the City confirmed revealed that an unauthorized third party has acquired certain files from its network and threatened to release the information publicly.

Ransom House Ransomware Attack Hit Hospital Clinic de Barcelona

At this time the ransomware gang behind the attack has yet to demand the payment of a ransom.

Regional government telecommunications secretary Segi Marcén said that no ransom would be paid by Spanish authorities.

The authorities are investigating into the security breach, the hospital did not explain if it has suffered a data breach.

Royal Ransomware Made Upto $11 Million USD Using Custom-Made Encryption Malware

The modus operandi of the Royal ransomware involves disabling the antivirus software of targeted organizations after breaching their network security.

As a result, considerable amounts of data are exfiltrated by attackers prior to the final deployment of the ransomware and encryption of the computers that are affected.

The operators of the Royal ransomware have demanded payment of a ransom in Bitcoin from their victims. These ransom demands have varied between roughly $1 million and $11 million USD, depending on the targeted organization’s size and level of sensitivity of the stolen data.

Almost Half of Industrial Sector Computers Affected By Malware in 2022

“Overall, 2022 stands out for its abnormal absence of any seasonal changes. Our team observed a steadily high rate of attacks on industrial sectors – without a typical drop in attacks during summer vacations or winter holidays period,” explained Kirill Kruglov, senior researcher at Kaspersky ICS CERT, commenting on the report’s findings.

“However, the growing attack rates in industrial sectors that are being conducted using social engineering seem alarming.”

In fact, the latest Kaspersky report suggests the top two malware categories seen by the team (malicious scripts and phishing pages) showed growth in the second half of 2022.

Threat actors reportedly used these tools to collect information, track activity and redirect browser requests to malicious web resources.

Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

To defeat Secure Boot, the bootkit exploits CVE 2022|21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.

CVE 2022|21894 has proven to be especially valuable to the BlackLotus creators. Despite Microsoft releasing new patched software, the vulnerable signed binaries have yet to be added to the UEFI revocation list that flags boot files that should no longer be trusted.

Microsoft has not explained the reason, but it likely has to do with hundreds of vulnerable bootloaders that remain in use today. If those signed binaries are revoked, millions of devices will no longer work.

As a result, fully updated devices remain vulnerable because attackers can simply replace patched software with the older, vulnerable software.

Security Researchers Warn of Hacking Attempts in the Wild Exploiting Critical Vulnerabilities in VMware NSX Manager

Wallarm Detect this week warned that, since December 2022, they are observing threat actors exploiting the issues. According to the experts, the CVE-2021-39144 vulnerability was exploited over 40 thousand times over the last 2 months.

“Active exploitation started on 2022-Dec-08 and keeps going” reads the advisory published by Wallarm Detect. “Attackers are scanning from well-known data centers like Linode and Digital Ocean – over 90% of the attacks are coming from their IP addresses”.

A Сritical Flaw Affects Fortinet FortiOS and FortiProxy

The advisory includes a list of models for which the flaw’s exploitation can only trigger a DoS condition.

Fortinet also provides a workaround for the flaw, the company recommends disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach the administrative interface.

The security vendor acknowledged Kai Ni from the Burnaby InfoSec team for reporting the flaw.

Cybernews Researchers Discovered that BMW Exposed Sensitive Files that Were Generated by a Framework that BMW Italy Relies On

“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network”.

“Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen” - the Cybernews research team said.

Sensitive files were generated by a framework that BMW Italy relies on – Laravel, a free open-source PHP framework designed for the development of web applications.

Acer Confirms Data Breach After Hacker Sells 160GB Of Its Data Online

The alleged hacker also posted screenshots of technical documentation of the Acer V206HQL display, documents, BIOS definitions, and confidential documents to prove that they stole data.

Further, the threat actor said they will only accept the hard-to-trace
cryptocurrency Monero (XMR) as a form of payment and will only sell it via a middleman.

There is no public price set for the data stolen, probably the cybercriminal wants potential buyers to message them
privately with the highest bid offer.

This is not the first time that Acer has suffered a cybersecurity breach. 

Prior to this, the Taiwanese firm suffered a massive data breach in October 2021, when a group of hackers known as Desorden stole around 60GB worth of data from
the company’s after-sales systems in India.