AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 01/17/2023

Royal Mail’s ‘Cyber Incident’ Turns Out to Be Ransomware 

British postal service the Royal Mail has been hit by ransomware, rendering it unable to send any mail internationally and causing a huge backlog of undelivered packages. Earlier this week the Royal Mail requested that customers stop posting any items intended for delivery outside of the UK, but didn’t divulge details as to what had happened beyond “disruption” and has since only referred to the situation as a “cyber incident.” The UK’s National Cyber Security Centre confirmed it was working with the company and the National Crime Agency to “fully understand the impact” of what had happened.

 

Millions of Insurance Customers Compromised Via Supplier 

Two insurance multi-nationals have revealed that millions of Japanese customers’ details were hacked and put up for sale after a third-party contractor was reportedly breached. Statements from Aflac and Zurich don’t name the breached supplier, but a local report from Tokyo-based news agency Jiji Press claimed the same US sub-contractor was to blame. In total, around two million customers were impacted by the incident – including 1.3 million enrolled in Aflac’s cancer insurance policies and 760,000 Zurich auto-insurance policyholders. Aflac said the compromised data included age, gender, last name, policy number, insurance type number and coverage amount/premium. “It should be noted that the above items of personal information leaked to the information leak site alone cannot identify an individual,” the insurer claimed. “Therefore, we believe that the possibility of the leaked information being misused by a third party is extremely low.” 

 

Cisco warns of two vulnerabilities affecting end-of-life routers 

Cisco warned customers this week that it will not release software updates or workarounds to address two vulnerabilities affecting a line of routers that were last sold in 2020. The popular routers – Cisco Small Business RV016, RV042, RV042G and RV082 – are affected by CVE-2023-20025 and CVE-2023-20026. Cisco said it is aware that proof-of-concept exploit code is available and noted that it was discovered by Hou Liuyang of Qihoo 360 Netlab. The bugs allow a remote attacker to “bypass authentication or execute arbitrary commands on the underlying operating system of an affected device.” They added that the vulnerabilities are not dependent on one another. CVE-2023-20025 carries a CVSS score of 9 and was rated critical by Cisco. While Cisco said there are no workarounds to address the vulnerability, administrators can disable the feature.  

 

NortonLifeLock warns that hackers breached Password Manager accounts 

Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach of the company but from account compromise on other platforms. “Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account,” NortonLifeLock said.

 

Malware Attack on CircleCI Engineer’s Laptop Leads to Recent Security Incident 

DevOps platform CircleCI on Friday disclosed that unidentified threat actors compromised an employee’s laptop and leveraged malware to steal their two-factor authentication-backed credentials to breach the company’s systems and data last month. The CI/CD service CircleCI said the “sophisticated attack” took place on December 16, 2022, and that the malware went undetected by its antivirus software. “The malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems,” Rob Zuber, CircleCI’s chief technology officer, said in an incident report. 

 

Meta sues “scraping-for-hire” service that sells user data to law enforcement 

Meta said it’s suing “scraping-for-hire” service Voyager Labs for allegedly using fake accounts, proprietary software, and a sprawling network of IP addresses to surreptitiously collect massive amounts of personal data from users of Facebook, Instagram, Twitter, and other social networking sites. “Defendant created and used over 38,000 fake Facebook user accounts and its Surveillance Software to scrape more than 600,000 Facebook users’ viewable profile information, including posts, likes, friends lists, photos, and comments, and information from Facebook Groups and Pages,” lawyers wrote in Meta’s complaint. “Defendant designed the Surveillance Software to conceal its presence and activity from Meta and others, and sold and licensed for profit the data it scraped.” 

 

NSA asks Congress to let it get on with that warrantless data harvesting, again 

A US intelligence boss has asked Congress to reauthorize a controversial set of powers that give snoops warrantless authorization to surveil electronic communications in the name of fighting terrorism and so forth. NSA director General Paul Nakasone told the Privacy and Civil Liberties Oversight Board yesterday that the loss of Section 702 of the Foreign Intelligence Surveillance Act (FISA) would mean American spies would “lose critical insights into the most significant threats to our nation” if allowed to lapse on December 31.  

 

Canada’s largest alcohol retailer’s site hacked to steal credit cards 

The Liquor Control Board of Ontario (LCBO), a Canadian government enterprise and the country’s largest beverage alcohol retailer, revealed that unknown attackers had breached its website to inject malicious code designed to steal customer and credit card information at check-out. LCBO revealed on Wednesday that third-party forensic investigators found a credit card stealing script that was active on its website for five days. “At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” LCBO said. 

 

Biggest leak in Valve’s history includes pretty much everything from Half-Life 2, Portal, and Team Fortress 2 

Valve has suffered the biggest asset leak in the company’s history, after a series of asset repositories for its games from 2016 were released online. The games are Portal, Counter Strike: Source, Day of Defeat: Source, Half Life 2: Episodes 1 & 2, Half-Life 2 multiplayer, and Team Fortress 2. The leaks seem to originate from an account that calls themselves WandererLeaker, and to have been disseminated initially through Discord. In Discord chat the leaker wrote: “I don’t care anymore. I also did my toying around with it for a few years, did not upload because I was threatened every time […] A real shame. I have no legal binding to these files. Not anymore”. They would later add “I have held onto these files since 2016”.

 

New Backdoor Created Using Leaked CIA’s Hive Malware Discovered in the Wild 

Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)’s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017. “This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33,” Qihoo Netlab 360’s Alex Turing and Hui Wang said in a technical write-up published last week. xdr33 is said to be propagated by exploiting an unspecified N-day security vulnerability in F5 appliances. It communicates with a command-and-control (C2) server using SSL with forged Kaspersky certificates. 

 

MSI accidentally breaks Secure Boot for hundreds of motherboards 

Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run regardless of whether it has a wrong or missing signature. This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue. The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.
