Cyber security week in review: December 23, 2022

LastPass admits hackers stole encrypted passwords, customer info in a data breach

Password management service LastPass has confirmed that it recently suffered a data breach in which hackers gained access to a cloud-based storage environment using information (the cloud storage access key and dual storage container decryption keys) stolen in the August 2022 security incident.

The company said the information stolen in the recent breach included basic customer account information and related metadata, including company names, end-user names, billing addresses, email addresses, phone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which contained both unencrypted data, such as website URLs, and fully encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

LastPass says that there is no evidence that any unencrypted credit card data was affected.

Meta will pay $725 million over Cambridge Analytica data scandal

Facebook parent Meta Platforms has agreed to pay $725 million to settle a long-running lawsuit that claimed Facebook illegally shared the data of millions of users with the now-defunct political consulting firm Cambridge Analytica, according to Bloomberg. The lawsuit was brought by Facebook users after it became known that the firm, connected to Donald Trump’s 2016 campaign for president, gained access to the data of as many as 87 million users.

Hackers targeting Delta military system users in Ukraine with FateGrab, StealDeal infostealers

Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a security alert warning that hackers are targeting users of the Delta military intelligence system with FateGrab and StealDeal malware. The malware is being spread via emails sent from the compromised email address of a Ministry of Defense employee, as well as via messaging platforms. The malicious message contains a warning that the certificate for the Delta system must be updated, along with a PDF document containing a link to a malicious ZIP archive.

After the victim clicks on the link, an archive named “certificates_rootca.zip” is downloaded to the system; it contains an executable file named “certificates_rootCA.exe” protected with the VMProtect tool. Once the executable is run, several DLL files are created, including a file called “ais.exe,” which simulates the certificate installation process and leads to the installation of the FateGrab and StealDeal information-stealing malware.

Russian Gamaredon APT remains a major cyber threat to Ukraine

Palo Alto Networks’ Unit 42 released a report detailing the cyber activities of Gamaredon, an advanced persistent threat (APT) group linked to Russia’s Federal Security Service, which is mostly known for its attacks targeting entities in Ukraine.

Although Gamaredon is mainly focused on Ukraine, over the past few months the group has been observed expanding its targeting beyond the country to Ukrainian and NATO allies. Specifically, in August 2022 the group tried, albeit unsuccessfully, to breach a large petroleum refining company within a NATO member nation using English-language lures.

Okta’s source code stolen in GitHub hack

Threat actors breached a private GitHub repository of Okta, a well-known provider of identity services, and stole source code belonging to the company. The incident took place earlier this month and affected Okta Workforce Identity Cloud (WIC) code repositories. The company said that the attackers stole its source code, but did not gain unauthorized access to the Okta service or customer data, including “HIPAA, FedRAMP or DoD customers,” as “Okta does not rely on the confidentiality of its source code for the security of its services.”

Play ransomware bypasses Microsoft’s ProxyNotShell mitigations

Operators behind the Play ransomware are now using a new exploit chain that bypasses the ProxyNotShell mitigations to achieve remote code execution on vulnerable servers through Outlook Web Access (OWA). The new exploit chain involves an SSRF equivalent to the Autodiscover technique, combined with the exploit used in the second step of ProxyNotShell.

To execute arbitrary commands on the vulnerable servers, the threat actor used Remote PowerShell to exploit the CVE-2022-41082 vulnerability. The researchers said that the second flaw abused by OWASSRF is likely CVE-2022-41080, a vulnerability that allows a remote user to escalate privileges on a vulnerable Microsoft Exchange server.

Malicious PyPI package impersonates SentinelOne SDK to steal data

Researchers discovered a malicious Python package on the PyPI (Python Package Index) repository that posed as a legitimate SDK client from cybersecurity firm SentinelOne but contained a backdoor and data exfiltration functionality. While the module appeared to be a fully functional SentinelOne client, it had no connection to the legitimate threat detection company. Apparently, the package developer tried to capitalize on a recognized brand to trick unsuspecting users.

Hackers targeting food supplies in BEC scams, FBI warns

Cybercriminals are using business email compromise (BEC) schemes to steal shipments of food products and ingredients valued at hundreds of thousands of dollars, US authorities warned. The tactic is the same as in any other BEC scam: cybercriminals spoof the emails of employees of legitimate companies, or gain access to a legitimate firm’s email system, and send fraudulent emails ordering food products.

In another security alert released this week, the FBI warned that cybercriminals are impersonating brands through search engine advertisement services to defraud users. The agency recommends that users check URLs to make sure they are accessing authentic websites, type a business’ URL into the browser instead of searching for that business, and use ad blockers when performing internet searches.

Zerobot botnet targets Apache bugs, adds new DDoS capabilities

Microsoft has released a new report highlighting Zerobot, a growing threat that spreads primarily through IoT and web application vulnerabilities. The malware targets a variety of devices, including firewalls, routers, and cameras, adding compromised devices to a distributed denial-of-service (DDoS) botnet. The most recent version of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache HTTP Server and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.

Glupteba botnet is still active despite Google’s efforts to disrupt its operation

The Glupteba malware botnet has resurfaced once again with renewed vigor despite Google’s efforts to disrupt its operations nearly a year ago. A blockchain analysis shows that it took the Glupteba operators about six months to build a new campaign from scratch and distribute it in the wild, this time on a much larger scale.

Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices. It is distributed via fraudulent ads or software cracks. The researchers say there are several Glupteba modules aimed at exploiting vulnerabilities in Internet of Things (IoT) appliances from vendors such as MikroTik and Netgear.

Fortnite maker to pay $520M for violating children's privacy laws, deceptive practices

Epic Games, the creator of the widely popular Fortnite video game, will pay a total of $520 million for violating children’s privacy rules and engaging in deceptive practices. The company has agreed to pay a $275 million fine for collecting personal information from children under the age of 13 without their parents’ consent, and will pay $245 million for employing so-called “dark patterns” to trick millions of players into making unwanted in-game purchases.

Microsoft fined €60 million over ad cookies

France's privacy watchdog fined Microsoft's Ireland subsidiary €60 million for failing to implement a system that allows users to refuse cookies as easily as they can accept them. The Commission Nationale de l'Informatique et des Libertés (CNIL) said that although Microsoft’s search engine offered a button to accept cookies immediately, it provided a more complex refusal option, which “actually discourages users from refusing cookies.”

Researchers expose the inner workings of the FIN7 cybercriminal gang

Cybersecurity firm Prodaft released an in-depth analysis of the inner workings of FIN7, a well-known, financially motivated group focused on targeting businesses worldwide to steal payment card information. Since 2015, FIN7 has hit hundreds of companies, most of them in the restaurant, hospitality, and gaming industries. The report describes the group's organizational hierarchy, its affiliations with various ransomware operations, and a new SSH backdoor system used for stealing data from compromised networks.

