What is “Triangulation Fraud” – Canadian man finds out the hard way
A Canadian man who says he’s been falsely charged with orchestrating a complex e-commerce scam is seeking to clear his name. His case appears to involve “triangulation fraud,” which occurs when a consumer purchases something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, the seller purchases the item from an online retailer using stolen payment card data. In this scam, the unwitting buyer pays the scammer and receives what they ordered, and very often the only party left to dispute the transaction is the owner of the stolen payment card.
Timothy Barker, 56, was until recently a Band Manager at Duncan’s First Nation, a First Nation in northwestern Alberta, Canada. A Band Manager is responsible for overseeing the delivery of all Band programs, including community health services, education, housing, social assistance, and administration.
Barker told KrebsOnSecurity that during the week of March 31, 2023, he and the director of the Band’s daycare program discussed the need to purchase items for the community before the program’s budget expired for the year.
On the morning of April 7, Barker awoke to a series of nasty messages and voice calls on Facebook from an Ontario woman he’d never met. She demanded to know why he’d hacked her Walmart account and used it to buy things that were being shipped to his residence. Barker shared a follow-up message from the woman, who later apologized for losing her temper.
Barker believes he and the Ontario woman are both victims of triangulation fraud, and that someone likely hacked the Ontario woman’s Walmart account and added his name and address as a recipient.
Read:
https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-triangle-of-e-commerce-fraud/
PsExec Exploits and BYOVD Attacks Deployed by Kasseika Ransomware
In 2023, there was a surge in ransomware groups employing bring-your-own-vulnerable-driver (BYOVD) attacks. Among these groups, Kasseika ransomware has recently joined the trend, along with Akira, BlackByte, and AvosLocker. This tactic enables threat actors to disable antivirus processes and services, facilitating the deployment of ransomware. Our investigation revealed that Kasseika ransomware specifically exploited the Martini driver to terminate antivirus-related processes on the victim’s machine.
Upon closer inspection, it was found that a large portion of the source code utilized in this attack can be attributed to BlackMatter. The fact that the BlackMatter source code is not widely available suggests that the Kasseika ransomware attack was carried out by a mature actor within a limited group who either acquired or purchased access to this code. It is worth noting that BlackMatter emerged as a successor to DarkSide, which served as the basis for ALPHV, also known as BlackCat. This lineage highlights the evolving nature of ransomware groups and their utilization of previous frameworks to develop and enhance their malicious activities.
Organizations can adopt a multilayered approach to protect against system entry points. Trend Vision One™ provides comprehensive security solutions with behavior detection capabilities. By detecting and blocking malicious components and suspicious behavior, it helps prevent damage caused by ransomware. With Trend Vision One™, organizations can enhance their security posture and mitigate the risks posed by evolving cyber threats.
Read:
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
Chinese Hackers Exploit Zero-Days, Compromise 1,700+ Ivanti VPN Appliances
On January 10, Ivanti disclosed two zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which affect the Connect Secure and Policy Secure gateways. CVE-2023-46805 (CVSS v3 8.2) is an authentication bypass vulnerability in the web component (Ivanti Connect Secure 9.x, 22.x), while CVE-2024-21887 (CVSS v3 9.1) is a critical command injection vulnerability affecting the same products. When chained together, these vulnerabilities allow threat actors to bypass multi-factor authentication and achieve unauthenticated remote code execution, posing a significant security risk.
Volexity identified the exploitation of these critical security flaws when its Network Security Monitoring service detected lateral movement at a compromised customer. Upon conducting a thorough investigation, the cybersecurity firm uncovered web shells on various local and internet-facing servers. The researchers also observed suspicious activity, such as log deletion and unusual communication originating from the appliance’s management IP address.
Volexity has expressed concerns that there could be a greater number of compromised organizations beyond what their scanning has identified. Security researcher Kevin Beaumont, referring to the Ivanti zero-days as “ConnectAround,” estimated that up to 15,000 devices may have been affected. In response to the situation, the Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2023-46805 and CVE-2024-21887 in the Known Exploited Vulnerabilities Catalog and advised customers to implement recommended mitigations.
Read:
https://www.cpomagazine.com/cyber-security/chinese-hackers-and-others-are-exploiting-two-zero-days-compromising-over-1700-ivanti-vpn-appliances/
Critical Security Flaw in GoAnywhere MFT Allows Unauthorized Admin Access
A severe security flaw, identified as CVE-2024-0204, has been discovered in Fortra’s GoAnywhere Managed File Transfer (MFT) software. The flaw, which has a CVSS score of 9.8 out of 10, could potentially allow an unauthorized user to create a new administrator user. The issue was present in versions of the software prior to 7.4.1. Fortra released an advisory about this on January 22, 2024.
Users who are unable to upgrade to version 7.4.1 can apply temporary workarounds. For non-container deployments, this involves deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, it’s recommended to replace the file with an empty file and restart.
The flaw was discovered and reported by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants in December 2023. Cybersecurity firm Horizon3.ai published a proof-of-concept (PoC) exploit for CVE-2024-0204, attributing the issue to a path traversal weakness in the “/InitialAccountSetup.xhtml” endpoint. To detect a compromise, users can check for new additions to the Admin Users group in the GoAnywhere administrator portal. If an attacker has left a user here, its last logon activity may provide an approximate date of compromise. While there’s no evidence of active exploitation of CVE-2024-0204, another flaw in the same product (CVE-2023-0669, CVSS score: 7.2) was exploited by the Cl0p ransomware group to breach nearly 130 victims last year.
Read: https://thehackernews.com/2024/01/patch-your-goanywhere-mft-immediately.html
Mozilla Unveils New Security Updates for Thunderbird and Firefox
Mozilla has rolled out updates to enhance the security of Thunderbird and Firefox, addressing existing vulnerabilities.
To check the updates:
https://www.cisa.gov/news-events/alerts/2024/01/24/mozilla-releases-security-updates-thunderbird-and-firefox
German Court Charges Programmer after Cybersecurity Issue Disclosure
A German court has charged a programmer investigating an IT problem with hacking and fined them €3,000 ($3,265) for what it deemed was unauthorized access to external computer systems and spying on data.
According to the original report by Heise, the programmer, operating as a freelance IT service provider, was initially tasked by a client to resolve excessive log generation issues with the merchandise management software they were using.
The programmer examined the software and found that it established a MySQL connection with a remote server belonging to Modern Solution GmbH, the management software vendor.
After connecting to the database, the programmer found that it contained not only his client’s data but also the data of nearly 700,000 of Modern Solution’s other customers, constituting a significant data privacy issue.
Upon realizing that the database contained data for other companies, the programmer disconnected from the remote database and worked with a tech blogger to help notify the software vendor of the cybersecurity and privacy issue.
Modern Solution GmbH took the server offline to fix the problem, denying there was a security gap in their systems. The programmer and tech blogger quickly disclosed the issue the same day without waiting for a comment from the management software vendor.
Soon after, the company reported the programmer to the police for unauthorized access to the exposed data and their database server.
Read:
https://www.bleepingcomputer.com/news/security/court-charges-dev-with-hacking-after-cybersecurity-issue-disclosure/
Elsewhere Online:
3000 Dark Web Posts Expose Surprising Spike in Cybercrime Fueled by ChatGPT
Read: https://www.infosecurity-magazine.com/news/chatgpt-cybercrime-revealed-dark/
Federal Court Rules Trudeau-led Liberal Government Overreached its Powers by Invoking Emergencies Act to Freeze Protestors’ Bank Accounts
Read: https://reclaimthenet.org/court-rules-trudeau-freezing-civil-liberties-protesters-bank-accounts-violated-canadas-charter
Massive Data Privacy Breach: Trello API Abused to Connect Email Addresses with 15 Million Accounts
Read: https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-email-addresses-to-15-million-accounts/
Security Breach Alert: Malicious NPM Packages Leak 1600 Developer SSH Keys via GitHub
Read: https://thehackernews.com/2024/01/malicious-npm-packages-exfiltrate-1600.html
Creator of Infamous Pegasus Spyware, NSO Group Spends Millions on Lobbying Washington Under Cover of Israel
Read: https://www.wired.com/story/nso-group-lobbying-israel-hamas-war/
Previously on #AxisOfEasy
Jordan Peterson???
Justin Trudeau, now the current Prome Minosrer of Canada is my assumption
Correction …. Prime Minister….
Justin Trudeau, current Prime Minister of Canada
Never, ever, quote that socks-flaunting Lipizzaner, Trudeau, to me again!!
Trudeau. Trick is which one. Hmmmm Flipping a coin to go with Trudeau the 2nd, Justin
the quote is from Justin Trudeau