Tag Archives: Threat

Weekly Breaches – 22nd of May

We face too many breaches every day. Here we want to share some of the important ones that happened this week.

As an important note: these are claims shared by the attackers themselves, and the information needs verification.

Indonesia Vaccine Data:
The threat actor RichTheKid shared that they have 690k records of Indonesian vaccine data. The data takes up 1.3 GB.

pipl.com Database Leak
pipl.com is one of the most important identity information providers. The threat actor toprakbilen90 claimed to have leaked pipl.com’s database, including first and last name, aliases and past names, e-mail address, physical address, date of birth, court and bankruptcy notes, phone number, social media profile links, political affiliations, race, religion, skills, gender, past and present employers, automobiles and property. The data is about 2.96 GB.

BBVA Mexico
A threat actor shared BBVA Mexico data with screenshots in a private Facebook group. As seen from the screenshots the threat actor shared, the data includes customer identity information, transaction information and so on.

Ministry of Justice – Qatar Database
The threat actor keftar claimed they have the database of the Ministry of Justice of Qatar. The data consists of many CSV files, and its total size is unknown.

Wanted Conti!

Ransomware is a growing danger day by day and, unfortunately, no permanent measures against these attacks have been found. For now, the USA seems to be applying the most effective non-technical measure against ransomware attacks.

The Department of State is offering a reward of up to $10M for information leading to the identification and/or location of any leaders of the Conti ransomware group, and an additional $5M reward for information on anyone conspiring with Conti. The statement was published on the 6th of May.

According to several reports, Conti’s annual income is more than $150M, and the group seems to be located in Russia.

We think that rewards are an important measure against ransomware groups because, although many technical measures have been taken and discussed, the number of cases is increasing day by day. With this reward, Conti members are likely to be exposed within a few months. We will see together whether such a measure works.

Parrot is Used to Conduct Malicious Campaigns

Parrot TDS (Traffic Direction System) has infected various web servers hosting more than 16,500 websites, ranging from adult content sites to personal websites, university sites and local government sites.

The activity was discovered by Avast and is currently being used to run a campaign called FakeUpdate, which distributes the NetSupport Remote Access Trojan (RAT) via fake browser update notifications.

FakeUpdate Campaign (From Avast’s post)

Parrot TDS acts as a gateway for further malicious campaigns to reach potential victims. Attackers buy TDS services to filter incoming traffic and forward it to the final destination serving the malicious content.

According to Avast analysts, activity on the TDS servers increased in February 2022, which was detected through suspicious JavaScript files found on compromised web servers.

A detailed technical analysis was shared by Avast here.

Everything About Attack Surface Management

For many years, we have been using vulnerability scanners to identify security weaknesses and flaws in our internet-facing environment. A vulnerability scan is an automated process and is critically important for organizations to see which vulnerabilities they have and which an attacker could use against them if they were targeted.

Despite all this success, widespread use and importance, vulnerability scanning has some gaps when it comes to managing the organization’s attack surface.

Gaps of Vulnerability Scan

The vulnerability scan is an active scan, so it is risky to use on sensitive assets. It can cause slowness and even interruption. For this reason, especially for critical systems that need 24×7 operation, it is a technical risk to the availability of the systems. This is the most important hurdle to making the scanning process continuous. The other one is the technique behind vulnerability scanning: since it is an active process, it takes a long time for a wide range of networks. This sometimes causes the scan not to finish in the desired time, the scan windows slip, and assets go unscanned for a long time. A significant risk remains for vulnerabilities discovered in the time between two scans and for machines newly installed in the DMZ.

For scanning, a scope is determined and this scope is scanned periodically. This leads to Shadow IT: services that are out of scope for various reasons or hosted at third-party institutions remain unscanned. Shadow IT is a very big problem, especially for big organizations.

Vulnerability scanning is a process that focuses only on identifying vulnerabilities. However, attackers may use several other findings about the organization, such as misconfigurations, compromised accounts, third-party connections, etc.

What does attack surface management do differently?

There are several tools already on the internet that we can use to check information about our organization: passive subdomain tools, port scanners, certificate and DNS record checkers, etc. Some of them are free and some are paid services.

These services are also checked by attackers in the discovery phase before an attack, so it is very important to check the findings from these tools at frequent intervals. However, there are many such tools, and it seems impossible to check all of them every day for all the keywords of the organization. Keyword here means every word that an attacker searches for in the discovery phase, including brand, application and web site names, VIP names, and others.

Fundamentally, Attack Surface Management is a passive scanning process that uses these free or paid tools already hosted on the internet. This passive scan provides a continuous scanning process. With the keywords explained above, an Attack Surface Management tool queries all these tools continuously and, since it is a passive scan, there is no risk to the availability of the systems.

Third Party Connections

With developing technology and methods, all companies need to work with many other companies and have direct connections with them. The number of these links is increasing day by day. This situation also creates a great opportunity for attackers: in recent years, attacks over third-party connections have increased and they mostly succeed. This requires risk management teams to closely monitor third-party risks.

Very understandably, organizations normally do not let others scan their environment. It is not possible to scan an organization to determine its vulnerabilities before starting a connection with it. All that remains is to rely on the company’s own tests and some paperwork before we make the third-party connection. With Attack Surface Management, identifying their risks before creating the connection can be very fast and risk free.

What to Expect from Attack Surface Management?

To cover all internet-facing risk, security teams need to master all the assets they have, both hosted in their own institutions and at third parties. An Attack Surface Management tool should first show all the assets that the organization has. These may include all subdomains, IP addresses, DNS records, cloud environments, certificates, URIs, etc., and also all the technologies that the organization is using in its DMZ, such as the number of web servers, applications and operating systems.

All these findings are critical for Shadow IT. Systems that are forgotten and not patched for a long time cause big risks for organizations.

The other important, and maybe the most important, output is the vulnerabilities of the systems. Attack Surface Management tools use services like Shodan to investigate vulnerabilities and, unlike a vulnerability scan, Attack Surface Management may also show misconfigurations such as forgotten default IIS or Apache web pages, default admin panels, and IIS or Apache misconfigurations. Missing configurations such as DMARC records or A records can also be important seeds for attackers in their discovery phase.
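As an added example (not code from the original post or from any ASM product), the checker below turns two of the passive findings named above, a missing or monitor-only DMARC record and a forgotten default IIS/Apache/nginx page, into per-host findings. The hostnames, DNS records and page titles are constructed in memory; a real tool would obtain them via DNS and HTTP.

```python
# Passive misconfiguration checks over an asset inventory.  All input data below
# is constructed for the example; DMARC is looked up per name for simplicity
# (a real check consults the organizational domain's _dmarc record).

DEFAULT_PAGE_TITLES = ("IIS Windows Server", "Apache2 Ubuntu Default Page",
                       "Welcome to nginx")

# Constructed sample inventory: "dmarc_txt" holds the TXT records found at
# _dmarc.<name>, "title" the <title> of the page served on the name's web port.
SAMPLE_ASSETS = {
    "example-corp.test": {"dmarc_txt": [], "title": "Welcome to Example Corp"},
    "shop.example-corp.test": {
        "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test"],
        "title": "IIS Windows Server"},
    "mail.example-corp.test": {
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test"],
        "title": "Apache2 Ubuntu Default Page: It works"},
}

def parse_dmarc(records):
    """Return the tag=value dict of the first v=DMARC1 record, or None if absent."""
    for rec in records:
        tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None

def dmarc_findings(records):
    """Flag a missing record, a monitor-only policy, and a missing report address."""
    tags = parse_dmarc(records)
    if tags is None:
        return ["no DMARC record"]
    findings = []
    if tags.get("p", "none").strip().lower() == "none":
        findings.append("DMARC policy p=none (monitor only)")
    if "rua" not in tags:
        findings.append("DMARC has no rua reporting address")
    return findings

def default_page_findings(title):
    """Flag an unconfigured web server by its stock page title."""
    if title.startswith(DEFAULT_PAGE_TITLES):
        return [f"default web server page exposed ({title})"]
    return []

def assess(assets):
    """Map each hostname to its list of findings, ready to turn into tickets."""
    return {host: dmarc_findings(a["dmarc_txt"]) + default_page_findings(a["title"])
            for host, a in assets.items()}
```

Running `assess(SAMPLE_ASSETS)` yields one finding for the apex domain (no DMARC), two for the shop host, and one for the mail host, each of which maps to a ticket in the risk management process described later.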

As we said above, it is critical to scan all of these assets often, preferably every day. Whether this scan can be done every day, and how long it takes, are therefore very important.

The number of tools that an Attack Surface Management product uses in passive scanning is also very important. Do not forget that the main purpose here is to perform the attacker’s discovery phase yourself, and a vulnerability or misconfiguration that you cannot detect with these scans, but that an attacker can find, can lead to very bad results.

Risk Management

For risk management processes, all tasks, including vulnerabilities and misconfigurations, should be followed up regularly. To provide this, like other vulnerability management solutions, Attack Surface Management tools should be integrated with the organization’s ticketing systems. Via this integration, tasks can be assigned to engineers and followed in a single system.

Latest Statement about Okta Incident and Lapsus$

Everything started with a post in the Lapsus$ Telegram group including screenshots of Okta’s admin panel. We shared the news asking whether Okta had been hacked.

An update about the incident came from David Bradbury, the CSO of Okta: “the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.”

Later in the statement, Okta acknowledges an incident “between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday”, claiming that the impact is limited to the access that support engineers have and that no customers were affected.

In response to this announcement, Lapsus$ also made some statements about the incident and Okta’s post. Lapsus$ also shared the link to Okta’s Security &amp; Privacy document hosted on okta.com and claimed that they found AWS keys in Slack.

Okta Hacked?

Since December, we have been reading about the actions of Lapsus$. Samsung, Nvidia and Ubisoft were some of their victims. Analysts suspect that some of the members of the group are from South America and some from Europe.

Most recently, the group shared a screenshot on their Telegram channel showing that they had reached the Okta console.

Okta announced that they started an investigation after the hacker group shared the screenshot.

“We will provide updates as more information becomes available,” said Okta officials.

Okta is a major single sign-on provider and a hack can affect thousands of other companies. If verified, an attack on Okta would represent a major attack on digital supply chains. It could cause more damage than the SolarWinds incident, since most major applications of Okta’s customers are already placed in their Okta interface and use single sign-on authentication.

Sberbank Temporarily Stopped Updates

As the sanctions against Russia gradually increased, we saw that technology companies also participated in these sanctions to a large extent. Meanwhile, cyber attacks against Russia continue in full force from different threat actors. Against these sanctions and threats, different measures stand out on the Russian side.

Sberbank, one of the biggest banks in Russia, has temporarily stopped updating software due to the increased risk of device infection.

“We urge users to stop updating software now, and developers to tighten control over the use of external source code. If there is an urgent need to use software, be sure to check all downloaded files with an antivirus, and when using someone else’s source code in your programs, conduct a manual or automated check, including, view the text of the source code,” Sberbank officials said.

The use of such software can lead to infection of personal and corporate computers, as well as IT infrastructure. The most important attack of this kind was the SolarWinds case: customers of SolarWinds were hacked because of an infected update of its Orion software, and the attack went undetected for months until Mandiant identified the malicious code.

These latest events that emerged with the war showed us that there will be big changes in the cyber security industry in the coming days. On the one hand, many large cybersecurity vendors are buying smaller companies; on the other, it seems that countries will concentrate more on local cyber security and even on local IT product production.

Biggest Insider Threat – Lapsus$ Job Advertisement

A few months ago, there were reports that threat groups were contacting employees of the companies they were planning to attack and asking for their help to infiltrate in exchange for a certain share. It seems that this issue is becoming more important every day.

Most recently, the Lapsus$ group published a job advertisement saying they are recruiting employees working at certain companies, including Claro, Telefonica, AT&amp;T, Microsoft, Apple and similar ones.

Insider threat is already a major risk for companies because insiders are trusted people with access to various data and systems. Until now, we have mostly treated insider threats as individual initiatives: employees who are unhappy or seeking personal gain, careless ones who send e-mails to the wrong destination, or untrained ones making mistakes on production systems. But with employees who start working with threat groups, the insider threat moves to another dimension. Now, with the support and motivation of a threat group, the insider becomes more dangerous because they know exactly what they are doing and are focused.

In the job advertisement, Lapsus$ also calls for people who are not employees but already have VPN access to these companies. This also shows the importance of third-party risk and NDA agreements. Even if you take adequate precautions with your own internal users, which is not 100% possible, these third-party connections pose a great risk.

There is a lot to be done about this. As a post-incident activity, the penalties given in the cases that have emerged can act as a deterrent. But the most important thing, undoubtedly, should be to increase the loyalty of users to the company.

TEMP.Zagros in Action

While the whole world is dealing with the ongoing cyber war alongside the land war between Russia and Ukraine, the Iranian threat group TEMP.Zagros (aka MuddyWater) has been attributed a new wave of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems.

The group has been active since at least May 2017 and has targeted a wide variety of countries and sectors, especially in the Middle East and the Arabian Peninsula. TEMP.Zagros is also thought to be multiple small groups acting independently rather than a single group.

The group was intensely active in Turkey, especially in January, against Turkish private organizations and governmental institutions, with the goal of deploying a PowerShell-based backdoor. Recently, the group seems active again with an obfuscated trojan that executes arbitrary code and commands received from its command and control (C2) servers.

For more information about the group’s TTPs:

https://attack.mitre.org/groups/G0069/

Conti CVEs Leaked

On the 27th of February, a member of the Conti threat group started leaking data from the group, after Conti announced that they fully support Russia against Ukraine. The leaks are still going on via the “ContiLeaks” Twitter account.

The leak started with unencrypted chat messages between Conti members. On the 1st of March, the threat actor shared access information for several Conti storage servers and some screenshots of the folders on the servers.

On the 4th of March, another Twitter account, @c3rb3ru5d3d53c, shared the vulnerabilities that Conti uses to compromise systems, in the screenshot below.

Conti has harmed many organizations and continues to do so. We know that in February alone, they hacked many organizations and managed to exfiltrate their data.

As can be seen in the screenshot, the threat group is using vulnerabilities that already have patches, instead of very sophisticated techniques. This shows us that even very simple vulnerability management can prevent most of these attacks. Even scanning with free tools and patching the vulnerabilities found can really protect your systems. So, this sharing from the @c3rb3ru5d3d53c Twitter account was very important for us because it shows that even very simple measures can prevent big problems.