Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
In today’s edition: Openfire Vulnerable, Barracuda Email Security, FBI, Roblox, npm packages, Luna Token Grabber, Phishing, Open Redirect Flaws, DuoLingo, NoName Hackers, Norway, ALPHV Ransomware Group, Ireland, Denmark, North East BIC, Tornado Cash, Lapsus$, Bitwarden, Meta.
🚨 Cyber Alerts
1. Openfire Servers Vulnerable to Exploits
More than 3,000 Openfire servers are currently exposed to attacks due to a recent vulnerability that remains unpatched, as reported by vulnerability intelligence firm VulnCheck. The flaw, tracked as CVE-2023-32315, affects Openfire’s administration console, enabling unauthenticated attackers to access restricted pages. The vulnerability has already been exploited by threat actors, who have been creating admin console user accounts to install a remote web shell, granting them unauthorized access to execute commands and retrieve server data.
2. FBI Urgent Warning on Barracuda
In a Wednesday flash alert, the FBI has issued a strong recommendation for the immediate removal of Barracuda Networks’ email security appliances due to their ineffectiveness in addressing a zero-day vulnerability exploited by suspected Chinese hackers. The urgency arises as part of an effort to combat what has been described as one of the most extensive Chinese cyber espionage campaigns in recent years. The FBI’s cyber division warns that all affected Barracuda ESG appliances are compromised and susceptible to this exploit, emphasizing the need for their removal.
3. Malicious Packages Target Developers
Malicious packages have been discovered on the npm package repository that deliver the Luna Token Grabber, an open-source information stealer, to systems owned by Roblox game developers. The attack, reminiscent of a previous incident from 2021, uses deceptive modules that mimic the legitimate noblox.js package developers use to interact with the Roblox gaming platform. The malicious packages were downloaded 963 times before being taken down, and they use a multi-stage infection sequence that relies on disguises and obfuscation to deploy the Luna Token Grabber.
4. Facebook Ads Used for Malicious Code
Cyber attackers are using paid Facebook ads that promote Large Language Model (LLM) tools to distribute malicious code, with the goal of installing a malicious browser add-on and stealing victims’ credentials. As interest in LLMs grows, these attackers are capitalizing on the emerging technology by hiding their activity behind attractive advertisements. The attackers use URL shorteners, cloud storage, and Google Sites to host the malicious files, a sign of the effort invested in compromising victims’ systems.
5. Resurgence of Open Redirect Flaws in Phishing
In light of a recent resurgence in phishing attacks leveraging open redirect flaws, Kroll’s Cyber Threat Intelligence (CTI) team highlights the need for organizations to refresh their employees’ awareness and understanding of identifying these vulnerabilities. These attacks involve malicious URL redirection, where threat actors manipulate legitimate URLs through open redirect vulnerabilities in web applications, directing victims to malicious external URLs. George Glass, Kroll’s Head of Threat Intelligence, explains that these vulnerabilities occur when websites allow user-supplied input within redirect links without proper validation or sanitization.
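The validation Kroll describes is easy to get subtly wrong, because a redirect parameter does not have to start with `http://` to leave the site. The following is an added example (not code from the article or from Kroll) showing a verbatim, vulnerable redirect beside a hardened check that resolves the supplied value the way a browser would and only allows it when it stays on an allowlisted host; the allowlist and sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts a redirect may land on.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def vulnerable_redirect(next_url: str) -> str:
    """Open redirect: the user-supplied value is used as the Location verbatim."""
    return next_url


def safe_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Return next_url only if it stays on an allowed host, otherwise fallback.

    Normalises the value the way browsers do before deciding, so tricks such as
    protocol-relative URLs (//evil.example), backslashes, embedded tabs and
    userinfo (https://example.com@evil.example) do not slip past the check.
    """
    if not next_url:
        return fallback
    # Browsers strip ASCII tab/newline and treat backslash as a slash.
    candidate = "".join(ch for ch in next_url if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    # Absolute URL: only http(s) and only an allowlisted host (hostname drops
    # any userinfo and port, and is already lower-cased by urlsplit).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.netloc:
        if (parts.hostname or "") not in ALLOWED_HOSTS:
            return fallback
        return candidate

    # No authority part: accept a single-slash site-relative path only.
    # "//" and "///" both resolve to a new host in browsers, so reject them.
    if candidate.startswith("//") or not candidate.startswith("/"):
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed samples: a few legitimate targets and common bypass shapes.
    for sample in ["/account", "https://www.example.com/dash", "//evil.example",
                   "/\\evil.example", "https://example.com@evil.example/",
                   "javascript:alert(1)", "evil.example"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```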
💥 Cyber Incidents
6. Duolingo Investigates Data Sale
Language learning giant Duolingo is investigating a hacking forum post that advertises the sale of data on 2.6 million customer accounts for $1,500. The post, which appeared on Tuesday, contains details ranging from email addresses and phone numbers to courses taken, revealing how the platform’s customers use the service. While Duolingo maintains that no data breach or hack has occurred, it is treating the matter seriously as it investigates in order to protect user privacy.
7. NoName Hackers Target Norway’s Infrastructure
The NoName ransomware group has targeted nine critical infrastructure organizations in Norway. Its Distributed Denial of Service attacks have disrupted operations at a range of establishments, including government bodies and private companies. The attack has once again spotlighted the vulnerability of Norway’s critical infrastructure to cyber threats, while the affected organizations deal with the aftermath and potential consequences of the breach.
8. Data Breach at Military Medical Facility
In another setback for the military’s electronic health record system, the Irish Defence Forces are investigating yet another alleged data protection breach at a military medical facility. This marks the third such breach related to the Socrates system within five years. The latest incident involves a healthcare worker who reportedly accessed private medical information without authorization, raising concerns about access and management of patient records within the Defence Forces, as well as broader issues of data privacy and security.
9. Danish Hosting Firms Hit by Ransomware Attack
Danish hosting companies CloudNordic and AzeroCloud have encountered severe data breaches, leading to the loss of crucial customer data and prompting a complete shutdown of their systems, including websites, emails, and client sites. Both brands, which belong to the same parent company, fell victim to the attack last Friday night. The situation remains dire, with limited restoration efforts, and CloudNordic has announced that many clients have irretrievably lost their data. While the hosting providers have declined to pay the ransom, they are collaborating with cybersecurity experts and law enforcement in the investigation.
10. ALPHV Ransomware Attack on UK Agency
The ALPHV ransomware group, also known as Blackcat, has targeted a UK-based office space rental agency, North East BIC, and claimed to have extracted a significant 317GB of data. The hackers have issued a three-day ultimatum to the company to respond, threatening to release the stolen data if their demands are not met. The stolen dataset reportedly includes personal employee data, curriculum vitae, financial reports, and client information, including driving licenses, social security numbers, and credit card data.
📢 Cyber News
11. Tornado Cash Founders Face Charges
The Department of Justice has unsealed an indictment against the founders of Tornado Cash, a cryptocurrency mixer accused of helping North Korean hackers launder large sums of stolen money. Roman Storm, one of the founders, has been arrested in Washington state, while his co-founder Roman Semenov, a Russian national, remains at large and is under U.S. Treasury sanctions for supporting North Korea. The two are charged with money laundering conspiracy and violation of the International Emergency Economic Powers Act, charges that carry penalties of up to 20 years in prison.
12. Teenagers Convicted in Major Hacking Case
A court in London has pronounced two teenagers guilty of engaging in a hacking campaign that targeted major tech companies including Uber, Revolut, and video game developer Rockstar Games. Arion Kurtaj, an 18-year-old regarded as a pivotal figure in the Lapsus$ hacking group, was found to have independently breached the computer systems of Uber, Revolut, and Rockstar Games in a series of attacks during September 2022. Another 17-year-old defendant, who remains unnamed for legal reasons, was convicted for his role in attempted blackmail against telecommunications company BT and graphics-card manufacturer Nvidia, as part of the activities tied to Lapsus$.
13. Ransomware Attackers Accelerate
According to a Sophos report, the median dwell time for ransomware incidents decreased from nine to five days in the first half of 2023, driven partly by the pressure of improved endpoint detection. Sophos experts note that attackers’ tactics include using intermittent encryption and faster encryption algorithms, although a double-extortion attack in less than five days remains a challenge.
14. Bitwarden Launches E2EE Secrets Manager
Bitwarden, the provider of open-source password management tools, has introduced a cutting-edge ‘Secrets Manager’ designed to provide end-to-end encrypted security for IT professionals, DevOps teams, and software development groups. This innovative solution serves as a secure alternative to conventional practices such as hard-coding secrets or sharing sensitive files via email, ensuring data flexibility, scalability, and robust protection against potential breaches. With Bitwarden Secrets Manager, users can securely manage and share sensitive information such as API keys, encryption certificates, passwords, and more.
15. Meta Boosts Messenger Security
Meta has announced its commitment to introducing default end-to-end encryption (E2EE) for one-on-one friends and family chats on Messenger by the end of the year. The company has begun upgrading millions of user chats, marking a significant step toward CEO Mark Zuckerberg’s privacy-focused vision for social networking. To achieve this encryption, Meta has redesigned its system and introduced Hardware Security Modules (HSM) to ensure message security while maintaining accessibility through PIN protections.
Copyright © 2023 CyberMaterial. All Rights Reserved.