CyberWatch

CyberWatch - May 17, 2023

By Access Point Consulting

Ransomware gang steals data of 5.8 million PharMerica patients

Analysis: Pharmacy services provider PharMerica experienced a significant data breach affecting more than 5.8 million patients, resulting in their medical information being exposed to hackers.

The breach occurred on March 12, 2023; the stolen data includes patients' full names, addresses, dates of birth, Social Security numbers, medications, and health insurance details. PharMerica discovered the intrusion on March 14 and confirmed the theft of client data on March 21. However, affected individuals were only notified of the breach on May 12, 2023. PharMerica is offering victims of the attack one year of identity protection fraud monitoring services through Experian to minimize the risk and potential impact of malicious attacks.

Operating in all 50 US states, with 180 local and 70,000 backup pharmacies, PharMerica serves 3,100 medical facilities nationwide. The breach notification was submitted to the Office of the Maine Attorney General.

Although details of the hacking incident are not specified by the company, the Money Message ransomware gang claimed responsibility for the attack on March 28, 2023 and began publishing the stolen data. The threat actors listed BrightSpring, a health service provider that merged with PharMerica in March 2019, as another victim.

Money Message stated that they had stolen 4.7 terabytes of data, including at least 1.6 million unique records of personal information. On April 9, 2023, the threat actors released the stolen data on their extortion site, and the files are still accessible for download. Furthermore, a threat actor has reposted the entire data dump on a clearnet hacking forum, dividing it into 13 parts for easier downloading.

Money Message is a relatively new ransomware operation that gained attention for its breach against Taiwanese PC parts maker MSI (Micro-Star International) in March 2023.

Access Point advises that you run a dedicated threat hunting program focused on proactively searching your network for indicators of compromise associated with threat groups that may have evaded detection. Continuously tracking threat groups and their latest tactics, techniques, and procedures helps keep your organization protected as the news develops.

While your team is hunting for indicators of compromise, it is equally important to block any known IOCs such as URLs, IP ranges, email addresses, and file hashes. We recommend that organizations focus on prevention and mitigation strategies, such as robust backups, segmented networks, layered defenses, and a tried and tested disaster recovery plan. Most importantly, you should never pay the ransom, as doing so only marks you as an attractive target for future attacks.

Source

Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

Analysis: According to SentinelOne, a Golang implementation of Cobalt Strike called Geacon has been observed on VirusTotal.

While Cobalt Strike has predominantly targeted Windows systems, attacks against macOS are relatively rare. Geacon, a Go variant of Cobalt Strike, has been available on GitHub since February 2020. Two new samples uploaded to VirusTotal in April 2023 have been traced back to Geacon variants named geacon_plus and geacon_pro, which were developed in October 2022 by anonymous Chinese developers named z3ratu1 and H4de5.

The geacon_pro project is no longer accessible on GitHub, but a snapshot from March 6, 2023 revealed its ability to evade antivirus engines such as Microsoft Defender, Kaspersky, and Qihoo 360 Core Crystal. SentinelOne discovered artifacts related to Geacon, including an application called “Xu Yiqing’s Resume_202030320.app,” which uses a run-only AppleScript to download a Geacon payload from a Chinese IP address. The Geacon binary, compiled from the geacon_plus source code, contains various functions for downloading payloads, exfiltrating data, and facilitating network communications.

Another sample masquerades as the SecureLink remote support app (SecureLink.app) and primarily targets Intel devices. This trojanized application requests access to contacts, photos, reminders, camera, and microphone permissions, while its main component is a Geacon payload that connects to a command-and-control server in Japan.

The rise of Geacon samples suggests an increasing interest in targeting macOS systems.

Access Point emphasizes the need for security teams to be aware of this tool and implement appropriate protections to mitigate potential risks, as the macOS ecosystem has been increasingly targeted by various threat actors — including state-sponsored groups — for deploying backdoors and information stealers. It is also important to be actively threat hunting within your organization for any indicators of compromise to ensure that there are not any unwanted attackers within your network.

Source

New Ransomware Gang RA Group Hits U.S. and South Korean Organizations

Analysis: A new ransomware group called RA Group has emerged, leveraging the leaked source code of Babuk ransomware to create its own locker variant.

According to Cisco Talos, the cyber criminal gang has been active since at least April 22, 2023 and is rapidly expanding its operations. RA Group has already compromised several organizations in the United States and South Korea across various industries such as manufacturing, wealth management, insurance providers, and pharmaceuticals. Similar to other ransomware groups, RA Group employs double extortion tactics, encrypting victims' files and running a data leak site to pressure them into paying ransom.

The Windows-based binary uses intermittent encryption to speed up the process and avoid detection, while also deleting volume shadow copies and the contents of the Recycle Bin. The group customizes ransom notes with the victim's name and provides a unique link to download the exfiltrated data. If victims fail to contact the threat actors within three days, RA Group leaks the victim’s files. Additionally, the ransomware avoids encrypting system files and folders using a hard-coded list, so that victims can still download the qTox chat application and communicate with the operators using the provided qTox ID.

What sets RA Group apart is that it has been observed selling exfiltrated data from victims on its leak portal, posting the information on a Tor site. The adoption of the Babuk ransomware code by various threat actors has been on the rise. SentinelOne recently disclosed that actors with varying levels of sophistication and expertise are using the Babuk builder to develop multiple variants capable of targeting Linux systems. Other ransomware actors, such as AstraLocker and Nokoyawa, have also adopted the Babuk source code in the past year.

Additionally, the discovery of new ransomware strains named Rancoz and BlackSuit has been reported. As mentioned previously, these developments indicate that threat actors are continuously evolving and customizing their ransomware to bypass cybersecurity measures and adapt to the changing security landscape to evade detection.

It is essential that organizations have a dedicated team hunting for threats so that these events can be avoided. This includes blocking, where possible, any IOCs such as URLs, IP ranges, email addresses, and file hashes.

Source

New Phishing-as-a-Service Platform Lets Cyber Criminals Generate Convincing Phishing Pages

Analysis: A new Phishing-as-a-Service (PhaaS) platform called Greatness has been utilized by cybercriminals to target business users of Microsoft 365 since mid-2022. This platform has significantly lowered the barrier to entry for carrying out phishing attacks.

Greatness focuses on Microsoft 365 phishing pages and provides its affiliates with an attachment and link builder to create highly convincing decoy and login pages. The platform features pre-filled victim email addresses, appropriate company logos, and background images extracted from the target organization's real Microsoft 365 login page.

Campaigns involving Greatness predominantly targeted manufacturing, healthcare, and technology companies in the United States, United Kingdom, Australia, South Africa, and Canada; there was a noticeable increase in activity in December 2022 and March 2023.

Phishing kits like Greatness offer cost-effective and scalable options for threat actors — including rookies — to design convincing login pages for various online services and bypass two-factor authentication (2FA). The decoy pages created by Greatness act as reverse proxies to harvest victims' credentials and time-based one-time passwords (TOTPs) entered during login attempts.

The attack chain typically begins with malicious emails containing HTML attachments. When the attachment is opened, obfuscated JavaScript code redirects the user to a landing page where their email address is already pre-filled, prompting them to enter their password and MFA code. The entered credentials and tokens are then forwarded to the affiliate’s Telegram channel, providing unauthorized access to the compromised accounts.

The AiTM phishing kit, which is part of Greatness, includes an admin panel that allows affiliates to configure the Telegram bot, track stolen information, and create booby-trapped attachments or links. Each affiliate is required to have a valid API key, which is used to load the phishing page. The API key also helps prevent unauthorized access to the phishing page from unwanted IP addresses and facilitates communication with the genuine Microsoft 365 login page by posing as the victim.

This combination of phishing kit and API allows for a “man-in-the-middle" attack, where the phishing kit requests information from the victim, which the API then submits to the legitimate login page in real-time. This enables the PhaaS affiliate to steal usernames, passwords, and authenticated session cookies if the victim uses MFA.
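The relay described above, modelled as an added example (not code from the Greatness kit or from the original article): a reverse proxy can forward a password and a TOTP within the same 30-second window and receive a valid session cookie, whereas a WebAuthn assertion is signed over the page origin the victim actually visited, so the relying party rejects it. The origins, the victim's password, the TOTP secret and the use of HMAC in place of the authenticator's public-key signature are all constructed simplifications.

```python
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.microsoftonline.com"  # the genuine IdP origin
PHISH_ORIGIN = "https://m365-signin.example"        # constructed proxy origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: models the victim's authenticator app."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityProvider:
    """Minimal relying party with a password+TOTP path and a WebAuthn path."""

    def __init__(self, password: str, totp_secret: bytes, authenticator_key: bytes):
        self.password, self.totp_secret = password, totp_secret
        self.authenticator_key = authenticator_key  # stands in for the registered public key
        self.sessions = {}

    def _issue_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = "victim"
        return cookie

    def login_password_totp(self, password: str, code: str, now: int):
        if password != self.password or code != totp(self.totp_secret, now):
            return None
        return self._issue_session()

    def login_webauthn(self, assertion: dict):
        # clientData (origin + challenge) is covered by the authenticator's
        # signature, and the relying party additionally pins the origin.
        signed = (assertion["origin"] + "|" + assertion["challenge"]).encode()
        expected = hmac.new(self.authenticator_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]) or assertion["origin"] != LEGIT_ORIGIN:
            return None
        return self._issue_session()

    def is_valid_session(self, cookie: str) -> bool:
        return cookie in self.sessions


def browser_webauthn_assertion(page_origin: str, authenticator_key: bytes) -> dict:
    """What the victim's browser produces: origin is the page that called WebAuthn."""
    challenge = secrets.token_hex(8)
    sig = hmac.new(authenticator_key, f"{page_origin}|{challenge}".encode(),
                   hashlib.sha256).digest()
    return {"origin": page_origin, "challenge": challenge, "sig": sig}


def aitm_relay_totp(idp: IdentityProvider, password: str, code: str, now: int):
    """The reverse proxy forwards exactly what the victim typed inside the same
    TOTP window, so the IdP sees a valid login and returns a session cookie."""
    return idp.login_password_totp(password, code, now)


def aitm_relay_webauthn(idp: IdentityProvider, authenticator_key: bytes):
    """The victim is on the phishing origin, so the assertion names that origin.
    Forwarded as-is it fails the origin check; with the origin rewritten it fails
    the signature check. Either way the proxy receives no cookie."""
    assertion = browser_webauthn_assertion(PHISH_ORIGIN, authenticator_key)
    forwarded = idp.login_webauthn(assertion)
    rewritten = idp.login_webauthn({**assertion, "origin": LEGIT_ORIGIN})
    return forwarded, rewritten
```

The practical reading for defenders: session-cookie theft after a relayed TOTP is invisible to the IdP, so origin-bound (FIDO2/WebAuthn) factors, not OTP codes, are the MFA that actually resists this kit.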

Access Point emphasizes the importance of user education and security awareness training. It is important to teach users to exercise caution when downloading and opening files, especially from unknown sources and suspicious emails. Teaching users to hover over suspicious links before clicking and to report potential phishing emails are all tactics that help ensure your users do not leave you exposed.

Implementing MFA for all user accounts as a layered defense is also essential should users' credentials be exposed to attackers, even though, as this campaign shows, it is not foolproof.

Source

Capita warns customers they should assume data was stolen

Analysis: Capita, a consulting, transformation, and digital services business, has issued a warning to its customers, urging them to assume that their data was stolen in a cyberattack that occurred in early April.

The attack, initially described as a “technical problem,” was later confirmed to be a cyberattack that resulted in a weekend-long outage. The Black Basta ransomware gang claimed responsibility for the attack and threatened to sell allegedly stolen data on its data leak site.

Capita informed Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, that the servers accessed by the hackers contained personal information of approximately 470,000 active, deferred, and retired members. This information includes names, dates of birth, National Insurance numbers, and USS member numbers. While Capita cannot confirm definitively whether the data was exfiltrated, it has advised USS to operate under the assumption that it was.

The cyberattack is thought to have affected up to 350 UK corporate retirement schemes, making it the largest hack of its kind in British history. Capita has reported the incident to the Information Commissioner’s Office (ICO), the Pension Regulator, and the Financial Conduct Authority. The company expects to incur exceptional costs of up to $25 million associated with the incident.

Capita is a government contractor that provides services to various sectors, including finance, IT, healthcare, and education.

Access Point advises against paying ransom as it encourages further attacks and funds more criminal activity with no guarantee of the data’s decryption upon payment. Instead, it is recommended that organizations focus on prevention and mitigation strategies, such as robust backup and disaster recovery plans, response strategies, data backups, employee training, and timely software patching to protect against ransomware and other cyber threats.

Source

Vulnerabilities

Parental control app with 5 million downloads vulnerable to attacks

Analysis: The 'Parental Control - Kids Place' app for Android, developed by Kiddowares, has been found to be impacted by multiple vulnerabilities that could have serious implications for user safety and privacy.

The app, which has 5 million downloads on Google Play, offers various parental control features. However, versions 3.8.49 and older of the app are vulnerable to five security flaws identified by researchers at SEC Consult.

The vulnerabilities include weak password storage: user registration and login actions return the unsalted MD5 hash of the password, which makes recovering the original password trivial. Additionally, the customizable device name for children can be manipulated to trigger a cross-site scripting (XSS) payload in the parent web dashboard, allowing unauthorized access.
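To make the password-storage weakness concrete, here is an added example (not the app's code, and not from the advisory) contrasting the reported pattern, an unsalted MD5 that is echoed back in the API response, with a hardened store that salts, uses scrypt, compares in constant time, and never returns password material. The user emails and password are constructed sample values.

```python
import hashlib
import hmac
import os


class WeakUserStore:
    """Mirrors the flaw reported for the app: the password is stored as an
    unsalted MD5 and the hash is echoed back in the register/login response."""

    def __init__(self):
        self.db = {}

    def register(self, email: str, password: str) -> dict:
        digest = hashlib.md5(password.encode()).hexdigest()
        self.db[email] = digest
        # Anyone who can read this response (proxy, log, another app on the
        # device) gets a value that generic MD5 lookup tables resolve at once.
        return {"status": "ok", "password_hash": digest}

    def login(self, email: str, password: str) -> dict:
        digest = hashlib.md5(password.encode()).hexdigest()
        if self.db.get(email) != digest:
            return {"status": "denied"}
        return {"status": "ok", "password_hash": digest}


class StrongUserStore:
    """Hardened form: per-user random salt, memory-hard KDF (scrypt),
    constant-time comparison, and no password material in any response."""

    N, R, P = 2 ** 14, 8, 1  # scrypt cost; tune upward for server hardware

    def __init__(self):
        self.db = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=self.N, r=self.R, p=self.P, dklen=32)

    def register(self, email: str, password: str) -> dict:
        salt = os.urandom(16)
        self.db[email] = (salt, self._derive(password, salt))
        return {"status": "ok"}  # nothing derived from the password leaves

    def login(self, email: str, password: str) -> dict:
        rec = self.db.get(email)
        if rec is None:
            return {"status": "denied"}
        salt, stored = rec
        if not hmac.compare_digest(stored, self._derive(password, salt)):
            return {"status": "denied"}
        return {"status": "ok"}


def same_password_same_record(store_cls) -> bool:
    """True when two accounts sharing a password end up with identical stored
    values: exactly the property that makes unsalted hashes table-lookup-able."""
    store = store_cls()
    store.register("parent1@example.com", "Summer2023!")  # constructed users
    store.register("parent2@example.com", "Summer2023!")
    a, b = store.db["parent1@example.com"], store.db["parent2@example.com"]
    return a == b if isinstance(a, str) else a[1] == b[1]
```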

The app's web dashboard is also vulnerable to cross-site request forgery (CSRF) attacks. Furthermore, the dashboard feature meant for file transfer between parents and children can be exploited to upload arbitrary files to an AWS S3 bucket, potentially containing malware.

Lastly, the app allows children to temporarily remove all usage restrictions without notifying the parent, enabling them to bypass parental controls.

To address these vulnerabilities, users are strongly advised to update to version 3.8.50 or later of the app. The vendor, Kiddowares, was notified of the flaws by SEC Consult and released the patched version on February 14, 2023. Users can update the app by accessing the Google Play store and checking for updates in their account settings or by going to the app details and initiating the update process.

It is crucial for users of the 'Parental Control - Kids Place' app to promptly update to the latest secure version to mitigate the risks associated with these vulnerabilities.

Access Point recommends that users of the 'Parental Control - Kids Place' app for Android update to version 3.8.50 or later. This update addresses multiple vulnerabilities that could lead to unauthorized access, uploads of arbitrary files, password recovery from leaked hashes, and the bypassing of parental control restrictions. Updating to the latest secure version is essential to ensure the safety and privacy of users and their children while using the app.

Source

New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

Analysis: A security vulnerability has been discovered in the Essential Addons for Elementor WordPress plugin, which could allow attackers to gain elevated privileges on affected websites.

Tracked as CVE-2023-32243, the vulnerability has been addressed in version 5.7.2 of the plugin, released on May 11, 2023. The flaw, present since version 5.4.0, allows unauthenticated users to escalate their privileges to any user on the WordPress site. Exploiting the vulnerability successfully could enable a threat actor to reset the password of any user, potentially granting them full control over the website, including administrator accounts.

The disclosure of this vulnerability comes more than a year after another severe flaw in the same plugin was revealed, which could have allowed arbitrary code execution on compromised websites. Additionally, there has been a recent wave of attacks targeting WordPress sites since late March 2023, with the goal of injecting the SocGholish (aka FakeUpdates) malware.

SocGholish is a JavaScript malware framework that acts as an initial access provider for delivering additional malware to infected hosts. The malware is distributed through drive-by downloads disguised as web browser updates.

Attackers are continually evolving their techniques to evade detection and extend the lifespan of their campaigns, as seen in the case of SocGholish.

Wordfence, a security company, has warned that the vulnerability in the Essential Addons for Elementor plugin is actively being exploited in the wild. They have detected and blocked 200 attacks targeting the flaw within a 24-hour period. It is crucial for users to update to the latest version of the plugin promptly to mitigate the risk posed by this vulnerability.

Access Point recommends that users of the Essential Addons for Elementor WordPress plugin update to version 5.7.2 or later immediately. This update addresses a critical vulnerability that allows unauthenticated users to escalate their privileges on affected websites, potentially leading to the compromise of administrator accounts and full control of the site. Updating to the latest version of the plugin is crucial to protect the website from exploitation.

Access Point’s vulnerability management team also recommends that users ensure that they regularly update all plugins and themes on their WordPress websites to stay protected against known vulnerabilities. Additionally, users should maintain a strong password policy and practice good security hygiene, such as regularly monitoring for suspicious activity and implementing strong security measures.

Source

CISA: Several Old Linux Vulnerabilities Exploited in Attacks

Analysis: The US Cybersecurity and Infrastructure Security Agency (CISA) has added several Linux and Linux-related vulnerabilities to its known exploited vulnerabilities (KEV) catalog.

Seven new vulnerabilities were added, including:

  • Ruckus AP remote code execution (CVE-2023-25717)
  • Red Hat Polkit privilege escalation (CVE-2021-3560)
  • Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904)
  • Jenkins UI information disclosure (CVE-2015-5317)
  • Apache Tomcat remote code execution (CVE-2016-8735)
  • Oracle Java SE and JRockit issue (CVE-2016-3427)

While the Ruckus product vulnerability has been exploited by the AndoryuBot DDoS botnet, there are no public reports of exploitation for the other vulnerabilities. However, technical details and proof-of-concept exploits are available for these long-known vulnerabilities. The vulnerabilities all have a connection to Linux, suggesting they may have been leveraged in attacks on Linux systems, including Android devices.

CISA noted a connection between two vulnerabilities, with the Apache Tomcat flaw resulting from a component not being updated to account for Oracle's fix for CVE-2016-3427. It remains uncertain if the weaknesses were exploited by the same threat actor or if they were used in a chained attack. CISA adds vulnerabilities to its catalog only when there is reliable evidence of real-world exploitation.

This is not the first time CISA has raised the alarm about the exploitation of Linux vulnerabilities, as they previously warned about the PwnKit vulnerability being actively exploited.

Access Point Technology’s recommended course of action is for organizations and individuals to promptly address these vulnerabilities highlighted by CISA. While some of the vulnerabilities have already been exploited, others may still pose a risk if left unpatched. It is crucial to apply the necessary updates and patches provided by the respective vendors or Linux distributions to mitigate the vulnerabilities.

Organizations and individuals should also closely monitor security advisories and notifications from the vendors and Linux distributions for updates regarding these vulnerabilities. By staying informed and promptly implementing the patches and fixes, the risk of exploitation can be significantly reduced.

Additionally, it is important to maintain a strong security posture by following best practices, such as regularly updating software and systems, employing robust security measures, and monitoring for any signs of compromise.

Considering the potential connection to attacks on Linux systems and Android devices, it is especially important for users of these platforms to ensure they are running the latest software versions and have applied the available security updates. By taking proactive steps to address these vulnerabilities, individuals and organizations can enhance the security of their systems and protect against potential exploitation.

Source
