CircleCI, Slack disclose separate security breaches
CircleCI, the company behind the eponymous continuous integration and continuous delivery (CI/CD) platform, is warning users to rotate every secret stored in their CircleCI environments following a security breach. In a short security advisory the CI/CD provider said it is investigating a security incident, without sharing any details about the nature of the breach or when and how it occurred. The advisory notes that such secrets may live in project environment variables or in contexts, and that users should also review their own internal logs for unauthorized access via CircleCI integrations that may have taken place between December 21, 2022 and January 4, 2023.
In a separate incident, business messaging app Slack disclosed a data breach in which a threat actor used stolen employee tokens to gain access to Slack's private code repositories on GitHub. Slack says the intruder did not reach other parts of its environment, including production, and that no other Slack resources or customer data were accessed.
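The log review CircleCI asks for is a date-window filter over whatever records integration access on your side. The script below is an added example, not code from CircleCI's advisory or any vendor: it walks a JSON-lines audit export, keeps events whose source is the CI integration and whose timestamp falls inside the disclosure window, and lists the actors whose credentials therefore need rotating. The field names ("ts", "actor", "source", "action") and every sample event are constructed for the illustration.

```python
"""Review an audit-log export for access via a CI integration inside a disclosure window.

Added example, not code from CircleCI's advisory or any vendor. The log format
(one JSON object per line with "ts", "actor", "source" and "action" fields) and
every actor and event below are constructed for this illustration; map the
field names onto your own log export before using it.
"""
import json
from datetime import datetime, timezone

# Window named in the advisory: December 21, 2022 through January 4, 2023.
# Treated as inclusive whole days in UTC; widen it if your logs use another zone.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample export. "source" records how the actor authenticated.
SAMPLE_LOG = """\
{"ts": "2022-12-20T23:59:00Z", "actor": "deploy-bot", "source": "circleci", "action": "secret.read"}
{"ts": "2022-12-22T03:14:00Z", "actor": "deploy-bot", "source": "circleci", "action": "secret.read"}
{"ts": "2022-12-23T10:00:00Z", "actor": "alice", "source": "sso", "action": "repo.push"}
{"ts": "2023-01-04T23:30:00Z", "actor": "deploy-bot", "source": "circleci", "action": "role.assume"}
{"ts": "2023-01-05T00:00:01Z", "actor": "deploy-bot", "source": "circleci", "action": "secret.read"}
this line is not JSON and must not be silently skipped
"""


def parse_ts(value):
    """Parse an RFC 3339 timestamp; fromisoformat() on Python < 3.11 needs +00:00, not Z."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # Naive timestamps are assumed UTC so they can be compared against the window.
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def integration_events(log_text, source="circleci", start=WINDOW_START, end=WINDOW_END):
    """Return (hits, errors): events from `source` with start <= ts <= end, and unparseable lines."""
    hits, errors = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            ts = parse_ts(event["ts"])
        except (ValueError, KeyError, TypeError) as exc:
            # During an investigation a malformed line is a finding, not noise.
            errors.append({"line": lineno, "error": str(exc)})
            continue
        if event.get("source") == source and start <= ts <= end:
            hits.append({"line": lineno, **event})
    return hits, errors


def actors_to_rotate(hits):
    """Distinct integration actors seen in the window: every credential they hold needs rotating."""
    return sorted({h["actor"] for h in hits})


if __name__ == "__main__":
    hits, errors = integration_events(SAMPLE_LOG)
    for h in hits:
        print("in-window integration access:", h)
    for e in errors:
        print("could not parse:", e)
    print("rotate credentials for:", actors_to_rotate(hits))
```

The window is treated as inclusive and in UTC; the event one second after midnight on January 5 is deliberately excluded, and the event just before the window opens is too. Lines that fail to parse are returned rather than dropped, since a gap in an audit trail is itself something to explain during an incident review.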
Data of 235 million Twitter users available for free on a hacking forum
A database containing more than 235 million unique records of Twitter users is now being offered for free on a hacking forum. The dataset appears to come from the same breach that surfaced in late December 2022. The leak contains names, usernames, email addresses, follower counts, and account creation dates. The data appears to have been scraped through a now-patched flaw in a Twitter API rather than obtained by breaking into Twitter's systems, so it contains no passwords; the email-to-handle mapping is nonetheless enough for targeted phishing and for unmasking pseudonymous accounts.
LockBit ransomware gang apologizes for attacking children’s hospital
The LockBit ransomware gang has issued a formal apology for a ransomware attack on Toronto's Hospital for Sick Children (SickKids) and provided the medical center with a free decryptor. The gang explained that the affiliate responsible for the attack broke LockBit's rules, which forbid attacks on institutions where damage to files could lead to death. The group said it has banned the guilty party from its affiliate program.
Researchers release a free decryptor for MegaCortex ransomware
Bitdefender has released a free decryptor for victims of the MegaCortex ransomware, together with a step-by-step tutorial on how to run it in both single-computer and network modes.
Meta fined €390 million for forcing users to accept targeted ads
The Irish Data Protection Commission (DPC) has fined Meta, the parent company of Facebook and Instagram, a total of €390 million for violating online privacy rules. The DPC found that Meta had used its Terms of Service to obtain forced consent from users for targeted advertising.
The watchdog issued two fines: €210 million ($222.5 million) for violations of the EU General Data Protection Regulation (GDPR) on Facebook, and €180 million ($191 million) for similar infringements on Instagram. Meta said it intends to appeal both the substance of the rulings and the fines, as it believes its approach respects the GDPR.
Rackspace confirms the Play ransomware was behind a December 2022 breach
Cloud services provider Rackspace has confirmed that the Play ransomware operation was responsible for the December 2022 cyberattack that took down its hosted Microsoft Exchange environment. In an incident report update the company said the attackers used a previously unknown exploit method to gain initial access to the Rackspace Hosted Exchange environment.
The exploit chain, first documented by CrowdStrike under the name OWASSRF, combines CVE-2022-41080 and CVE-2022-41082. The first bug, which Microsoft had rated as an elevation-of-privilege issue, is reached through Outlook Web Access (OWA) and used as a server-side request forgery that sidesteps the URL rewrite mitigations Microsoft had published for ProxyNotShell; the second then provides remote code execution via PowerShell remoting. The practical lesson is that the rewrite rules only blocked the Autodiscover path, so servers that relied on them instead of the November 2022 security update remained exploitable.
Rackspace also said that the attackers accessed the Personal Storage Table (PST) files of some of its customers; these files can contain a wide range of information, including emails, calendar data, contacts, and tasks.
PurpleUrchin freejacking campaign bypasses CAPTCHA and steals cloud platform resources
Palo Alto Networks' Unit 42 has released an in-depth analysis of a freejacking campaign dubbed "PurpleUrchin" and its operator, a South Africa-based threat actor tracked as "Automated Libra". Freejacking is the abuse of free-tier cloud and CI resources for cryptomining. The actor uses a new CAPTCHA-solving system to automate account creation, has moved to a more aggressive use of CPU resources for mining, and combines freejacking with the "Play and Run" technique, in which paid cloud resources are consumed on accounts whose bills are never settled.
Bluebottle campaign targets banks in French-speaking countries in Africa
Symantec has published a report detailing a recent campaign by a cyber-crime group it calls "Bluebottle", which specializes in targeted attacks against the financial sector and continues to mount attacks on banks in Francophone countries. The group makes extensive use of living-off-the-land techniques, dual-use tools, and commodity malware, which makes its activity hard to distinguish from legitimate administration. The observed campaign compromised three financial institutions in three separate African nations between mid-July and September 2022, affecting multiple machines in each organization.
Ukrainian police shut down call center that scammed thousands of foreigners
Ukrainian cyberpolice have dismantled an underground call center that defrauded thousands of residents of Kazakhstan while posing as the IT security teams of their banks. Operators allegedly called victims, claimed to be bank employees, and told them their accounts had been compromised. After obtaining the victims' financial details, the scammers transferred money from the victims' accounts to accounts under their own control. The fraudsters also took out quick loans in the victims' names and diverted the loan amounts to their own accounts.
Hackers launched over 1,500 attacks against Ukraine since the start of Russia’s invasion
The Computer Emergency Response Team of Ukraine (CERT-UA) has detected and analyzed more than 1,500 cyberattacks against Ukraine since Russia launched its full-scale invasion in late February 2022. Between September and December 2022, Ukrainian defenders observed multiple malicious operations by Russian and pro-Russian groups such as Gamaredon, Sandworm, APT28, APT29, Ghostwriter, XakNet, KillNet, and others.
Thousands of MS Exchange servers exposed to ProxyNotShell attacks
Researchers at the Shadowserver Foundation warn that nearly 60,000 internet-facing Exchange Server instances remain vulnerable to the ProxyNotShell flaws (CVE-2022-41040 and CVE-2022-41082), which threat actors can use as a point of entry into an organization's network. The count is derived from version information the servers expose, so it is an estimate; the fix has been available since Microsoft's November 2022 security updates, and, as the Rackspace incident above shows, the earlier URL rewrite mitigation is no substitute for installing them.
Hackers exploit Fortinet devices to spread ransomware within corporate environments
Hackers are actively exploiting a critical authentication bypass in Fortinet's FortiOS, FortiProxy, and FortiSwitchManager (CVE-2022-40684) to deploy ransomware. Proof-of-concept (PoC) exploit code for the bug was published in October 2022, shortly after Fortinet disclosed it.
According to eSentire, threat actors have been observed buying and selling access to compromised Fortinet devices on underground markets. Listings ranged from single organizations to bulk lots, with numerous buyers showing interest. One initial access broker was seen offering monthly subscriptions to compromised Fortinet devices in specific countries and selling this access in bulk for between $5,000 and $7,000.
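Because access to already-compromised appliances is being resold, patching alone does not tell you whether a device was hit before the update. Fortinet's advisory for this bug states that exploitation shows up in device logs as the pseudo-user "Local_Process_Access" acting through the "Node.js" or "Report Runner" user interface. The following is an added example, not Fortinet's or eSentire's code: a small parser for FortiOS-style key=value event logs that flags lines matching both halves of that indicator. The log lines are constructed and simplified for the illustration.

```python
"""Scan FortiOS-style event logs for the indicator Fortinet published for CVE-2022-40684.

Added example, not Fortinet's or eSentire's code. Fortinet's advisory for this
bug says exploitation leaves device log entries attributed to the pseudo-user
"Local_Process_Access" acting through the "Node.js" or "Report Runner" user
interface. The log lines below are constructed and heavily simplified; real
FortiOS logs carry many more key=value fields, which the parser handles too.
"""
import re

INDICATOR_USER = "Local_Process_Access"
INDICATOR_INTERFACES = {"Node.js", "Report Runner"}

# FortiOS logs are space-separated key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = """\
date=2022-10-12 time=10:01:03 type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.10)" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.10)"
date=2022-10-12 time=10:05:44 type="event" subtype="system" level="information" user="Local_Process_Access" user_interface="Node.js" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2022-10-12 time=10:05:45 type="event" subtype="system" level="information" user="Local_Process_Access" user_interface="Report Runner" action="Edit" cfgpath="system.admin" cfgobj="svc_backup" msg="Edit system.admin svc_backup"
date=2022-10-12 time=10:07:00 type="event" subtype="system" level="information" user="Local_Process_Access" user_interface="cli" action="Edit" cfgpath="system.global" msg="Edit system.global"
"""


def parse_kv(line):
    """Turn one log line into a dict; a quoted value is taken whole, a bare one ends at whitespace."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_indicators(log_text):
    """Return one record per line that matches both halves of the published indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = parse_kv(line)
        if fields.get("user") != INDICATOR_USER:
            continue
        if fields.get("user_interface") in INDICATOR_INTERFACES:
            hits.append({
                "line": lineno,
                "time": f'{fields.get("date")} {fields.get("time")}',
                "interface": fields["user_interface"],
                "action": fields.get("action"),
                "cfgpath": fields.get("cfgpath"),
                "cfgobj": fields.get("cfgobj"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOGS):
        print("possible CVE-2022-40684 exploitation:", hit)
```

The fourth sample line carries the pseudo-user but a different interface, so it is not reported; the advisory's indicator is the combination, and matching on the user name alone would page you on routine internal activity. Any hit on system.admin objects deserves a check of the admin accounts and their SSH keys, since a device that was sold as "access" will usually have had a persistence foothold added.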
Hackers use Windows error reporting tool to deploy Pupy RAT malware
Researchers at K7 Security Labs spotted a malware distribution campaign using an interesting technique to deploy the Pupy RAT. The technique abuses the legitimate Windows Problem Reporting tool (WerFault.exe), which is designed to gather information about hardware and software problems on Windows systems, so that the malicious code executes in the context of a trusted, signed Windows binary rather than an obviously foreign one. Pupy RAT is an open-source remote administration tool available on GitHub; the report notes it has been used since 2013 by multiple Iran-linked state-backed groups such as APT33 (Elfin), APT35 (Charming Kitten), and APT34 (OilRig).
PyTorch dependency chain compromised in a supply chain attack
Users who installed the nightly builds of the PyTorch library on Linux via pip between December 25 and December 30, 2022 are strongly advised to uninstall the framework and install a newer nightly build (dated after December 30, 2022), because the nightly dependency chain was compromised. Stable releases were not affected.
The compromise used the "dependency confusion" technique: a package that the nightly builds pull from PyTorch's own package index was also uploaded under the same name to the public PyPI index, and pip installed the attacker's copy instead of the genuine one. The malicious package collected sensitive information from the victim machine, including files and credentials, and sent it to an attacker-controlled server.
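The mechanism is easy to model. When a private index (`--index-url`) and the public one (`--extra-index-url`) are both configured, pip does not give the private index priority: it pools the candidates from every index and installs the best version that satisfies the requirement, whichever index offered it. The following is an added example, not PyTorch's or pip's code, that contrasts that pooled resolution with a pinned-and-hashed one of the kind `pip install --require-hashes` enforces. The package names, versions, digests and index contents are hypothetical.

```python
"""Why a same-named public package wins: a minimal model of dependency confusion.

Added example, not PyTorch's or pip's code. It models one behaviour of pip when
both a private index (--index-url) and a public one (--extra-index-url) are
configured: candidates from every index are pooled and the highest version that
satisfies the requirement is chosen, whichever index it came from. The package
names, versions, digests and index contents below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # parsed as a tuple of ints, e.g. (2, 0, 0)
    index: str       # which index offered it
    sha256: str      # hypothetical digest of the distribution file


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


# Hypothetical index contents. The private index publishes "internal-helper";
# an attacker later registers the same name on the public index with a higher version.
PRIVATE_INDEX = {
    "internal-helper": [Candidate("internal-helper", parse_version("1.4.0"), "private", "aaaa" * 16)],
}
PUBLIC_INDEX = {
    "internal-helper": [Candidate("internal-helper", parse_version("99.0.0"), "public", "bbbb" * 16)],
    "requests": [Candidate("requests", parse_version("2.28.1"), "public", "cccc" * 16)],
}

# What a hash-pinned requirements file expresses: exact version plus digest.
PINS = {"internal-helper": ("1.4.0", "aaaa" * 16)}


def resolve_pooled(name, *indexes):
    """pip-style: pool candidates from all indexes and pick the highest version."""
    pool = [c for idx in indexes for c in idx.get(name, [])]
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: c.version)


def resolve_pinned(name, pins, *indexes):
    """Hardened: accept only the pinned version with the pinned digest, from any index.

    A same-named package on another index cannot win, because its digest differs."""
    want_version, want_sha = pins[name]
    for idx in indexes:
        for c in idx.get(name, []):
            if c.version == parse_version(want_version) and c.sha256 == want_sha:
                return c
    raise LookupError(f"{name}=={want_version} with the pinned hash is not available")


if __name__ == "__main__":
    hijacked = resolve_pooled("internal-helper", PRIVATE_INDEX, PUBLIC_INDEX)
    print("pooled resolution picks:", hijacked.index, hijacked.version)  # public (99, 0, 0)
    safe = resolve_pinned("internal-helper", PINS, PRIVATE_INDEX, PUBLIC_INDEX)
    print("pinned resolution picks:", safe.index, safe.version)          # private (1, 4, 0)
```

In practice the pinned form is a requirements file with `--hash=sha256:...` on every line, installed with `--require-hashes`; the other mitigation is to publish placeholder packages under your private names on the public index so an attacker cannot claim them. Neither helps after the fact, which is why the advice for affected users is to uninstall and reinstall from a clean nightly build rather than to upgrade in place.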