26 August 2022

Cyber security week in review: August 26, 2022


Hackers stole LastPass source code and proprietary technical info

LastPass, the company behind a widely used password manager, disclosed a security incident that resulted in the theft of source code and proprietary technical information.

According to a security notice posted on the company’s website, the attackers gained access to portions of the LastPass development environment two weeks ago through a single compromised developer account. LastPass says that Master Passwords that manage access to encrypted vaults in its flagship password manager software were not compromised in the incident, and that there is no evidence of any unauthorized access to encrypted vault data or customer data in the LastPass production environment.

Russia-linked APT29 abuses Microsoft 365 features to evade detection

The Russia-linked cyber-espionage APT29 (Nobelium, Cozy Bear) group believed to be behind the widespread 2020 SolarWinds compromise has been using newer tactics that involve abusing various Microsoft 365 features in order to evade detection.

Specifically, APT29 was observed disabling Microsoft 365 licensing models in order to undermine organizations’ ability to use logging features to confirm which accounts had been compromised.

In related news, Microsoft has published technical details of a new post-compromise malware used by Nobelium. Dubbed “MagicWeb,” the malicious tool is an evolution of FoggyWeb, a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federation Services (AD FS) server, decrypting token-signing and token-decryption certificates, and downloading and executing additional malware payloads. MagicWeb is a malicious DLL that goes beyond FoggyWeb’s capabilities by facilitating covert access directly.

ETHERLED and GAIROSCOPE: Two novel techniques for stealing data from air-gapped systems

Israeli researcher Mordechai Guri has detailed two novel techniques for stealing data from highly secured air-gapped systems, one of them relying on MEMS gyroscopes.

The first method, dubbed “ETHERLED,” is a data exfiltration attack that involves sending Morse code signals via the LED lights on network interface controllers (NICs), while the second, “GAIROSCOPE,” uses a smartphone’s gyroscope rather than its microphone to pick up inaudible nearby sound waves. A malicious actor could thus collect passwords or login credentials encoded in sound waves generated by the speakers of an air-gapped system and picked up by the gyroscope of a nearby smartphone.

Iranian hackers use new tool to steal data from Gmail, Yahoo!, and Microsoft Outlook accounts

Google’s Threat Analysis Group (TAG) shared details about a novel tool used by an Iran-linked state-sponsored threat actor known as APT35 or Charming Kitten to steal data from Gmail, Yahoo!, and Microsoft Outlook accounts.

Dubbed “Hyperscrape,” the tool is written in .NET for Windows PCs and is designed to run on the attacker’s machine and download victims’ inboxes using previously obtained credentials. First spotted in December 2021, Hyperscrape is said to be under active development. The TAG team says the malware was deployed against fewer than two dozen accounts located in Iran.

Ransomware gang demands $10 million to unlock French hospital’s computer systems

French hospital Centre Hospitalier Sud Francilien (CHSF), which serves an area of 600,000 people, has suffered a cyberattack that disrupted its IT systems, forcing the institution to refer patients, except emergency cases, to other healthcare facilities.

According to local media, the LockBit ransomware gang may have been the perpetrator behind the hack. The ransomware operators are said to have demanded a $10 million ransom from the facility.

Greece's natural gas distributor DESFA discloses a cyberattack

Greece's national gas system operator DESFA revealed it was hit by a cyberattack, which affected part of its IT infrastructure and resulted in a “confirmed impact on the availability of certain systems and the possible leakage of a number of files and data.”

The company said the incident had not impacted its operations or natural gas supply. According to news media reports, the operator was hit by the Ragnar Locker ransomware gang, which is said to have leaked more than 360 GB of data allegedly stolen from DESFA.

The LockBit ransomware gang announces more aggressive strategy after it was hit with DDoS attack

The LockBit ransomware operators shut down their dark web data leak site after a DDoS attack whose perpetrators demanded that the gang delete the data stolen in its June ransomware attack against security service provider Entrust.

Following the attack, the gang announced that it would employ a more aggressive strategy involving triple extortion, an extension of double extortion intended to put additional pressure on a targeted company.

Malicious actors hacked Bitcoin ATMs using a zero-day vulnerability

Bitcoin ATM maker General Bytes suffered a cybersecurity incident in which threat actors made off with cryptocurrency stolen by exploiting a previously unknown vulnerability in General Bytes Bitcoin ATM servers.

The company said the intruders identified running CAS (Crypto Application Server) instances by scanning the DigitalOcean cloud hosting IP address space, then exploited the zero-day vulnerability in the CAS administrative interface to create a default admin user. The attackers then modified the crypto settings of a number of two-way machines and inserted their own wallet addresses, so that the Bitcoin ATMs (BATMs) began forwarding coins to the attackers’ wallet whenever customers sent invalid payments.

Over 80,000 Hikvision CCTV cameras exposed to cyberattacks

Threat actors are still targeting CCTV cameras made by Hikvision, a Chinese state-owned manufacturer and supplier of video surveillance equipment, that remain vulnerable to an easily exploitable command injection flaw disclosed back in 2021. Tracked as CVE-2021-36260, the flaw allows a remote attacker to execute arbitrary shell commands on the target device.

Of the 285,000 internet-facing Hikvision web servers analyzed by the researchers, more than 80,000 were found to be vulnerable. The majority of the vulnerable devices are located in China, the US, Vietnam, the UK, Ukraine, and Thailand.

Sophisticated BEC scam targets high-level Microsoft 365 accounts

Cybersecurity researchers have warned of an advanced business email compromise (BEC) campaign that targets Microsoft 365 accounts of high-level executives, even those protected by multi-factor authentication (MFA).

The campaign combines spear phishing with attacker-in-the-middle (AiTM) techniques to bypass MFA and gain access to a business executive's account. The attackers then add a second authenticator device to the account for persistent access. According to the researchers, the observed campaign is widespread and targets large transactions of up to several million dollars each.
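Both the APT29 tradecraft above (tampering with Microsoft 365 licensing to degrade audit logging) and the AiTM campaign's trick of registering a second authenticator on a phished account leave traces in the tenant's audit log. The following Python is an added detection example written for this post, not code from Microsoft or from the researchers cited; the audit events are constructed samples with a simplified schema, and the activity names "Change user license" and "User registered security info" are assumed here to match what the tenant's audit log exports.

```python
"""Triage Microsoft 365 / Azure AD-style audit events for two patterns:
1. license changes that remove a license tier (possible logging degradation),
2. a new MFA method registered shortly after a sign-in by the same user
   (consistent with an AiTM-phished session adding a persistent authenticator).
All events below are constructed samples, not real log data."""
from datetime import datetime, timedelta

# Constructed sample audit events (ISO timestamps, simplified schema).
SAMPLE_EVENTS = [
    {"time": "2022-08-20T09:01:00", "activity": "Change user license",
     "actor": "admin@example.test", "target": "cfo@example.test",
     "detail": "removed Microsoft 365 E5"},
    {"time": "2022-08-20T09:03:00", "activity": "Sign-in",
     "actor": "cfo@example.test", "target": "cfo@example.test",
     "detail": "ip=203.0.113.7"},
    {"time": "2022-08-20T09:05:30", "activity": "User registered security info",
     "actor": "cfo@example.test", "target": "cfo@example.test",
     "detail": "Authenticator app"},
    {"time": "2022-08-21T14:00:00", "activity": "Sign-in",
     "actor": "user@example.test", "target": "user@example.test",
     "detail": "ip=198.51.100.5"},
]


def parse_time(stamp):
    """Parse the ISO 8601 timestamp used in the sample events."""
    return datetime.fromisoformat(stamp)


def find_license_downgrades(events):
    """Return license-change events whose detail indicates a removal.
    A removed license can drop an account to a lower audit/logging tier,
    so these deserve review even when performed by a legitimate admin."""
    return [e for e in events
            if e["activity"] == "Change user license"
            and "removed" in e["detail"].lower()]


def find_new_mfa_after_signin(events, window=timedelta(minutes=15)):
    """Pair each 'User registered security info' event with a sign-in by the
    same user that occurred within `window` before the registration."""
    hits = []
    signins = [e for e in events if e["activity"] == "Sign-in"]
    for reg in events:
        if reg["activity"] != "User registered security info":
            continue
        reg_time = parse_time(reg["time"])
        for s in signins:
            delta = reg_time - parse_time(s["time"])
            if s["actor"] == reg["target"] and timedelta(0) <= delta <= window:
                hits.append((s, reg))
    return hits


def triage(events):
    """Produce one finding string per suspicious pattern for analyst review."""
    findings = []
    for e in find_license_downgrades(events):
        findings.append(f"LICENSE_CHANGE target={e['target']} "
                        f"by={e['actor']} ({e['detail']})")
    for s, reg in find_new_mfa_after_signin(events):
        findings.append(f"NEW_MFA_AFTER_SIGNIN user={reg['target']} "
                        f"signin={s['time']} registered={reg['time']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

On the sample data the script reports one license removal against the CFO account and one authenticator registration two and a half minutes after that account's sign-in. In a real tenant the sign-in record would also carry the source IP and device, so a registration following a sign-in from an unfamiliar network is the strongest version of the second signal; the 15-minute window is a tunable starting point, not a fixed threshold.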

Malicious actors are increasingly adopting Sliver framework as Cobalt Strike alternative

Threat actors ranging from nation-state groups to ransomware operators are increasingly incorporating the Sliver security testing framework into their intrusion campaigns as a replacement for Cobalt Strike, a penetration testing tool that is also heavily abused by cyber criminals, Microsoft warns.

Threat actors use command-and-control (C2) frameworks to manage their access to compromised hosts and networks during an intrusion.

One threat actor that adopted Sliver is DEV-0237 (aka FIN12), which has been linked to various ransomware operators. The group has previously leveraged initial access bought from other groups (initial access brokers) to deploy various ransomware strains such as Ryuk, Conti, Hive, and BlackCat.

A spyware firm offers iOS and Android hacking services for €8 million, leaked documents show

Spyware consortium Intellexa (which includes Nexa Technologies, WiSpear/Passitora, Cytrox, and Senpai) is reportedly offering services that include Android and iOS device exploits for €8 million, according to a leaked commercial proposal.

The leaked documents describe services for remote data extraction from Android and iOS devices, more specifically remote one-click exploits that let the operator plant malware on Android or iOS mobile devices. The proposal includes 10 simultaneous infections for iOS and Android devices, as well as a “magazine of 100 successful infections”. The documents also include a list of Android devices vulnerable to the attack. The exploits are said to work on iOS 15.4.1 and Android 12.
