Weekly Axis Of Easy #346
Last Week’s Quote was: “There is only one thing in life worse than being talked about, and that is not being talked about,” by Oscar Wilde. A lot of correct answers, but Lee got it first! Well done.
This Week’s Quote: “Until you make the unconscious conscious, it will direct your life and you will call it fate.” By ???
THE RULES: No searching up the answer, must be posted at the bottom of this post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
- Roku Declares 576,000 Accounts Hacked Post Second Security Breach
- Kaspersky Researchers Discover LockBit 3.0 Variant Generates Custom, Self-Propagating Malware
- Study maps which countries the most cybercriminals are based in, Canada not even in Top 15
- Hackers Exploit a Maximum-Severity Zero-Day Vulnerability in Palo Alto Networks Firewall
- Recently Discovered Vulnerability, “LeakyCLI”, Exposes Weaknesses in Google and Amazon Cloud Infrastructure
- Arrests in Hive RAT Scheme: Suspects Apprehended in Australia and U.S.
Elsewhere online:
- Omni Hotel Chain Declares Customer Information Stolen in Daixin Team Ransomware Attack
- Chirp Systems’ Smart Locks Vulnerable to Remote Unlocking Due to Critical Security Flaw
- NOBELIUM’s Midnight Blizzard Breach Triggers Worldwide Cybersecurity Concerns
- UK Lawmakers Push for TikTok Misinformation Strategy Amid Concerns Over Youth Influence
- Introducing Kaspersky Next for Advanced Endpoint Protection
Roku Declares 576,000 Accounts Hacked Post Second Security Breach
Streaming giant Roku has confirmed a second security incident in as many months, with hackers this time able to compromise more than half a million Roku user accounts.
In a statement Friday, the company said about 576,000 user accounts were accessed using a technique known as credential stuffing, where malicious hackers use usernames and passwords stolen from other data breaches and reuse the logins on other sites.
Roku said that in fewer than 400 of those accounts, the attackers used the payment data stored in the account to make fraudulent purchases of Roku hardware and streaming subscriptions. Roku said it refunded the customers affected by those intrusions.
The company, which has 80 million customers, said the malicious hackers “were not able to access sensitive user information or full credit card information.”
Roku said it discovered the second incident while it was notifying some 15,000 Roku users that their accounts were compromised in an earlier credential stuffing attack.
Following the incidents, Roku said it has enabled two-factor authentication for its users. Two-factor authentication blunts credential stuffing rather than preventing the attempts: the attacker still tries the stolen username and password, but without the time-sensitive code tied to something the account holder controls, a reused password alone no longer gets them in. Failed-login volume from the same sources therefore remains worth monitoring even after the rollout.
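As an added illustration (not Roku’s code or anything the article describes), the following Python script shows how credential stuffing looks in an authentication log and how to pick it out from ordinary failed logins. The log line format, the thresholds and the sample lines are all assumptions constructed for this example; the feature it keys on is the one the article describes: a single source trying many distinct accounts, failing most of the time, with a few successes where a reused password happened to match.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example, not Roku's code. The log format below is an assumption,
one line per login attempt. Credential stuffing looks like one source
trying each of many distinct accounts once or twice, failing most of the
time, with a trickle of successes where a leaked password was reused.
A classic brute force is the inverse: many passwords against one account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape (constructed for this example):
#   2024-04-05T10:00:03+00:00 ip=203.0.113.7 user=alice@example.net result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def find_stuffing(lines, window=timedelta(minutes=10), min_users=20, min_fail_ratio=0.8):
    """Bucket attempts per (source IP, time window) and flag buckets where
    one source touched many distinct accounts and mostly failed.
    Returns one finding per flagged bucket, including the accounts that
    still logged in successfully (the likely takeovers)."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped, not trusted
        slot = int(ev["ts"].timestamp() // window.total_seconds())
        buckets[(ev["ip"], slot)].append(ev)

    findings = []
    for (ip, slot), evs in sorted(buckets.items()):
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        if len(users) < min_users or failures / len(evs) < min_fail_ratio:
            continue
        findings.append({
            "ip": ip,
            "window_start": datetime.fromtimestamp(slot * window.total_seconds(), tz=timezone.utc),
            "attempts": len(evs),
            "distinct_users": len(users),
            "failures": failures,
            "compromised": sorted(e["user"] for e in evs if e["ok"]),
        })
    return findings


def sample_log():
    """Constructed sample data, not real Roku traffic."""
    base = datetime(2024, 4, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # One source walks 25 different accounts; two reused passwords work.
    for i in range(25):
        result = "ok" if i in (7, 19) else "fail"
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} ip=203.0.113.7 user=user{i:02d}@example.net result={result}")
    # A forgetful user: many failures on a single account, then success.
    for i in range(5):
        ts = (base + timedelta(seconds=60 + 20 * i)).isoformat()
        lines.append(f"{ts} ip=198.51.100.4 user=bob@example.net result=fail")
    lines.append(f"{(base + timedelta(seconds=200)).isoformat()} ip=198.51.100.4 user=bob@example.net result=ok")
    lines.append(f"{(base + timedelta(seconds=300)).isoformat()} ip=192.0.2.9 user=carol@example.net result=ok")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for f in find_stuffing(sample_log()):
        print(f"{f['ip']}: {f['distinct_users']} accounts, {f['failures']}/{f['attempts']} failed, "
              f"takeovers: {', '.join(f['compromised'])}")
```

The forgetful user at 198.51.100.4 is never flagged, because five failures on one account is a brute-force or typo pattern, not stuffing; the thresholds are a starting point and should be tuned against the site’s own baseline of distinct accounts per source.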
Read: https://techcrunch.com/2024/04/12/roku-second-user-accounts-hacked/
Kaspersky Researchers Discover LockBit 3.0 Variant Generates Custom, Self-Propagating Malware
The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time an unidentified organization in West Africa, using stolen credentials and a new variant built with the LockBit 3.0 builder that leaked in 2022.
Kaspersky researchers found the variant at the end of March 2024 while responding to the West Africa incident; Kaspersky’s products detect it as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen and Trojan-Ransom.Win32.Generic. What makes this variant particularly concerning is that the builder can generate custom, self-propagating ransomware that is difficult to defend against.
During the attack, the threat actors used the identity of an administrator to infect multiple hosts, aiming to push the malware deep into the victim’s network. According to Kaspersky, the customized ransomware disabled Windows Defender, encrypted network shares and deleted the Windows event logs to hide what it had done.
The researchers also found that the variant can be pointed at selected systems and restricted to specific files, such as .docx or .xlsx documents. “The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim’s infrastructure, as well as covering their tracks,” says Cristian Souza, an incident response specialist at Kaspersky.
The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky’s Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. “However, we detected other incidents that used the leaked builder in other regions,” he says.
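The behaviours Kaspersky describes (Defender disabled, network shares encrypted, event logs deleted, one privileged account used to reach many hosts) each leave a trace in Windows event logs. As an added example that is not Kaspersky’s tooling, the Python below correlates constructed event records for those traces: the host names, account names and records are made up, while the Windows event IDs and channels it keys on are real ones.

```python
"""Correlate Windows event-log records for the tradecraft described above:
Defender switched off, event logs cleared, and one privileged account
fanning out over the network. Added example, not Kaspersky's code. The
records below are constructed; only the event IDs and channels are real:
  Security 1102                                        audit log cleared
  System 104                                           event log cleared
  Microsoft-Windows-Windows Defender/Operational 5001  real-time protection disabled
  Microsoft-Windows-PowerShell/Operational 4104        script block logged
  Security 4624 with LogonType 3                       network logon
"""
from collections import defaultdict

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
POWERSHELL = "Microsoft-Windows-PowerShell/Operational"

# Single-event indicators: (channel, event id) -> label
SINGLE_EVENT_RULES = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
    (DEFENDER, 5001): "Defender real-time protection disabled",
}


def classify(ev):
    """Label one record if it matches a defence-evasion indicator."""
    label = SINGLE_EVENT_RULES.get((ev["channel"], ev["id"]))
    if label:
        return label
    if ev["channel"] == POWERSHELL and ev["id"] == 4104:
        script = ev.get("script", "").lower()
        if "set-mppreference" in script and "disablerealtimemonitoring" in script:
            return "PowerShell disabling Defender real-time monitoring"
    return None


def analyse(events, min_hosts=3):
    """Return per-host indicators plus accounts seen logging on over the
    network to at least min_hosts machines (the self-propagation signal)."""
    per_host = defaultdict(list)
    network_logons = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].append(label)
        if ev["channel"] == "Security" and ev["id"] == 4624 and ev.get("logon_type") == 3:
            network_logons[ev["user"]].add(ev["host"])
    spreading = {u: sorted(h) for u, h in network_logons.items() if len(h) >= min_hosts}
    return {"per_host": dict(per_host), "spreading_accounts": spreading}


def hosts_at_risk(report):
    """Hosts that both show defence evasion and were reached by a spreading
    account: the ones to isolate first."""
    reached = {h for hosts in report["spreading_accounts"].values() for h in hosts}
    return sorted(h for h in report["per_host"] if h in reached)


# Constructed sample, not data from the West Africa incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Security", "id": 4624, "user": "CORP\\adm-j", "logon_type": 3},
    {"host": "fs01", "channel": "Security", "id": 4624, "user": "CORP\\adm-j", "logon_type": 3},
    {"host": "fs01", "channel": POWERSHELL, "id": 4104,
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "fs01", "channel": DEFENDER, "id": 5001},
    {"host": "db01", "channel": "Security", "id": 4624, "user": "CORP\\adm-j", "logon_type": 3},
    {"host": "db01", "channel": DEFENDER, "id": 5001},
    {"host": "db01", "channel": "System", "id": 104},
    {"host": "fs01", "channel": "Security", "id": 1102},
    # Benign noise: a backup service account that only touches one server.
    {"host": "fs01", "channel": "Security", "id": 4624, "user": "CORP\\svc-backup", "logon_type": 3},
    # Interactive logon (type 2) does not count as lateral movement.
    {"host": "hr02", "channel": "Security", "id": 4624, "user": "CORP\\adm-j", "logon_type": 2},
]

if __name__ == "__main__":
    report = analyse(SAMPLE_EVENTS)
    for host, labels in report["per_host"].items():
        print(host, "->", "; ".join(labels))
    print("spreading accounts:", report["spreading_accounts"])
    print("isolate first:", hosts_at_risk(report))
```

Event 1102 is itself the one record that survives a log wipe, so its presence is a strong signal on its own; the correlation with network logons is what turns a list of suspicious hosts into an ordered containment list.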
Read: https://www.darkreading.com/endpoint-security/lockbit-3-0-variant-generates-custom-self-propagating-malware
Study maps which countries the most cybercriminals are based in, Canada not even in Top 15
The first-ever World Cybercrime Index has been released, ranking countries by the level of cybercrime threat they pose. Three years of research show that a small number of countries, including Russia, Ukraine, China, the USA, Nigeria and Romania, pose the greatest cybercriminal threat. The Index will help the public and private sectors focus resources on the key cybercrime hubs, potentially saving time and funds on countermeasures in countries where cybercrime is less significant.
The data for the Index was collected through a survey of 92 leading cybercrime experts worldwide. They considered five major categories of cybercrime and ranked countries based on the impact, professionalism, and technical skill of their cybercriminals. The researchers hope that the Index will aid in the fight against profit-driven cybercrime by providing a clearer understanding of its geography and how different countries specialize in different types of cybercrime.
The World Cybercrime Index is a joint partnership between the University of Oxford and UNSW, funded by CRIMGOV, a European Union-supported project. The researchers hope to extend the study to test whether national characteristics such as educational attainment, Internet penetration, GDP or levels of corruption are associated with cybercrime, which would support the view that, much like other forms of organized crime, cybercrime is embedded in particular local contexts.
Read: https://www.unsw.edu.au/newsroom/news/2024/04/World-first-Cybercrime-Index-ranks-countries-by-cybercrime-threat-level
Read the study: https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0297312
Hackers Exploit a Maximum-Severity Zero-Day Vulnerability in Palo Alto Networks Firewall
Highly capable hackers are rooting multiple corporate networks by exploiting a maximum-severity zero-day vulnerability in a firewall product from Palo Alto Networks, researchers said Friday.
The vulnerability, which had been under active exploitation for at least two weeks by the time of the report, lets an unauthenticated attacker execute code as root, the highest level of access on the device. That combination of impact and ease of exploitation earned CVE-2024-3400 the maximum CVSS rating of 10.0. The attacks are the latest in a run of campaigns against firewalls, VPNs and file-transfer appliances, which make attractive targets because they are exposed to the Internet, have a long history of vulnerabilities and sit directly in the path to the most sensitive parts of a network.
The zero-day is present in PAN-OS 10.2, 11.0 and 11.1 firewalls; the vendor’s initial advisory said exploitation required both a GlobalProtect gateway and device telemetry to be enabled. At the time of the report Palo Alto Networks had not shipped a patch and was urging affected customers to follow its workaround and mitigation guidance: enable Threat ID 95187 (for customers with a Threat Prevention subscription) and make sure vulnerability protection is applied to the GlobalProtect interface, or, where that is not possible, temporarily disable device telemetry until a patch is available. One caveat for anyone still working from that advice: the vendor has since revised the advisory to say that device telemetry does not need to be enabled for a firewall to be exploitable, so disabling telemetry is not a mitigation on its own, and hotfix releases followed within days, so patching is the correct response.
Volexity, the security firm that discovered the zero-day attacks, said it is currently unable to tie the attackers to any previously known group. However, based on the resources required and the organizations targeted, the attackers are “highly capable” and likely backed by a nation-state. So far, only a single threat group, which Volexity tracks as UTA0218, is known to be exploiting the vulnerability, in limited attacks. The company warned that as other groups learn of the flaw, CVE-2024-3400 is likely to come under mass exploitation, just as zero-days affecting products from Ivanti, Atlassian, Citrix and Progress have in recent months.
Read: https://arstechnica.com/security/2024/04/highly-capable-hackers-root-corporate-networks-by-exploiting-firewall-0-day/
Recently Discovered Vulnerability, “LeakyCLI”, Exposes Weaknesses in Google and Amazon Cloud Infrastructure
Cloud infrastructure is managed largely through the vendors’ command-line tools, so the security of that infrastructure depends on how those tools behave. A recently reported weakness dubbed “LeakyCLI” shows that they can hand sensitive cloud credentials to anyone who can read a build log.
LeakyCLI affects the command-line interfaces (CLIs) of Amazon Web Services (AWS) and Google Cloud Platform (GCP). Researchers at Orca Security found that certain commands, for instance those that create, update or describe serverless functions, echo the function’s environment variables in their output. When those variables hold passwords or access keys, the secrets are written to whatever captures the command’s output, which in automation is usually a log.
CLIs are designed on the assumption that they run in a trusted interactive shell, where printing a configuration back to the operator is harmless. Wrapped in a Continuous Integration and Continuous Deployment (CI/CD) pipeline, that assumption fails: the pipeline’s secret masking only redacts values that were registered with it as secrets, and values that come back from the cloud provider’s API were never registered. LeakyCLI therefore sidesteps the masking, and the credentials land in plain text in logs that many people, and often third-party integrations, can read.
“CLI commands are by default assumed to be running in a secure environment,” Orca’s advisory explains. “But coupled with CI/CD pipelines, they may pose a security threat.” Logs that quietly hold credentials are a rich target for an attacker who can get at them, whether through a compromised account or through social engineering.
The article draws a parallel with the recent XZ Utils incident, in which a malicious actor gained a maintainer’s trust through flattery and claimed expertise and then inserted malicious code into the popular compression library. The parallel is loose, but the common thread is trust placed in the surroundings of a tool: in both cases, what is exposed (here, credentials leaked into logs) becomes more valuable to an attacker who can also social-engineer their way into a project.
AWS and Google were both notified of LeakyCLI; each maintains that the behaviour is by design. The security community is urging cloud providers to add protection within the CLIs themselves so that sensitive values are not written to logs, particularly in automated CI/CD workflows. Until that happens, the practical defences sit on the user’s side: keep long-lived secrets out of function environment variables in favour of a secrets manager, avoid running the affected commands in pipeline steps whose output is logged, and filter CLI output before it reaches the log.
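Added example, not Orca Security’s code or any provider’s CLI: a Python filter that a pipeline step can pipe CLI output through before it is logged. It redacts the environment-variable block that function-configuration commands echo, masks credential-shaped strings anywhere in the text, and reports what it found without repeating the values. The sample outputs are constructed stand-ins for the real commands’ output; the key values are AWS’s documented example key ID and a made-up Google-style key.

```python
"""Scrub cloud-CLI output before it reaches a CI log.

Added example, not Orca Security's tooling or any provider's CLI code.
Two defences are layered: structured redaction of the environment-variable
block that Lambda/Cloud Functions configuration commands echo, and
pattern matching for credential shapes anywhere in the text. The credential
patterns (AWS access key IDs, Google API keys, PEM private keys) are public
formats; the sample outputs are constructed and the keys are either the
vendor's documented example or made up for this page.
"""
import json
import re

# Credential shapes worth catching regardless of where they appear.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# NAME=value or NAME: value pairs whose name suggests a secret (text output).
KV_RE = re.compile(
    r"\b(?P<k>[A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|KEY)[A-Z0-9_]*)(?P<sep>\s*[=:]\s*)(?P<v>\S+)"
)
SENSITIVE_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|KEY)", re.I)
MASK = "***REDACTED***"


def find_secrets(text):
    """Report (kind, hint) for each credential-looking value; the hint is a
    prefix or key name, never the value itself, so the report is loggable."""
    hits = [(kind, m.group(0)[:4] + "...") for kind, rx in PATTERNS.items() for m in rx.finditer(text)]
    hits += [("env-style-kv", m["k"]) for m in KV_RE.finditer(text)]
    return hits


def redact_env(node, under_env=False):
    """Walk a JSON document; blank every value inside Environment.Variables
    (the AWS Lambda shape) and any key whose name looks sensitive.
    Over-redaction of a harmless variable is the accepted trade-off.
    Returns (redacted copy, list of redacted key names)."""
    redacted = []
    if isinstance(node, dict):
        out = {}
        for k, v in node.items():
            if under_env or SENSITIVE_KEY.search(k):
                if isinstance(v, (dict, list)):
                    v, sub = redact_env(v, under_env=True)
                    redacted += sub
                else:
                    v = MASK
                    redacted.append(k)
            else:
                v, sub = redact_env(v, under_env=(k == "Environment"))
                redacted += sub
            out[k] = v
        return out, redacted
    if isinstance(node, list):
        items = [redact_env(x, under_env) for x in node]
        return [i[0] for i in items], [k for i in items for k in i[1]]
    return node, redacted


def scrub(text):
    """Return (safe_text, findings). Findings are computed on the raw text
    so the report is complete even after redaction."""
    findings = find_secrets(text)
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, (dict, list)):
        doc, keys = redact_env(doc)
        findings += [("json-key", k) for k in keys]
        text = json.dumps(doc, indent=2)
    for rx in PATTERNS.values():
        text = rx.sub(MASK, text)
    text = KV_RE.sub(lambda m: f"{m['k']}{m['sep']}{MASK}", text)
    return text, findings


# Constructed stand-in for `aws lambda get-function-configuration` output.
AWS_SAMPLE = json.dumps({
    "FunctionName": "orders-api",
    "Runtime": "python3.12",
    "Environment": {"Variables": {
        "DB_PASSWORD": "hunter2",
        "UPSTREAM_KEY": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented example key ID
        "REGION": "us-east-1",
    }},
})

# Constructed stand-in for a `gcloud functions deploy` transcript (made-up key).
GCLOUD_SAMPLE = """Deploying function (may take a while - up to 2 minutes)...
environmentVariables:
  API_TOKEN: AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q
  LOG_LEVEL: info
status: ACTIVE"""

if __name__ == "__main__":
    for sample in (AWS_SAMPLE, GCLOUD_SAMPLE):
        safe, found = scrub(sample)
        print(safe)
        print("redacted:", found, "\n")
```

Where the real output is JSON (the AWS CLI’s default), the structured pass is what matters: it blanks the whole Environment.Variables block rather than guessing which values are secret. The regex pass is a backstop for text output and for credentials that ended up somewhere unexpected; it will miss secrets with no recognisable shape, which is why keeping long-lived secrets out of environment variables matters more than any filter.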
Read: https://www.hackread.com/vulnerability-leakycli-leaks-aws-google-cloud-credentials/
Arrests in Hive RAT Scheme: Suspects Apprehended in Australia and U.S.
Authorities in Australia and the U.S. have apprehended suspects linked to an alleged plot involving the development and dissemination of a remote access trojan (RAT) named Hive RAT, previously known as Firebird. The U.S. Justice Department (DoJ) revealed that the malware facilitated unauthorized access to victims’ computers, enabling control over private communications, login credentials, and personal information.
In Los Angeles, California, 24-year-old Edmond Chakhmakhchyan, known as “Corruption,” was arrested for selling Hive RAT licenses to an undercover law enforcement officer. He faces charges of conspiracy and advertising a device for interception, each carrying a potential penalty of five years in prison. Chakhmakhchyan has pleaded not guilty and awaits trial.
Court documents allege Chakhmakhchyan’s collaboration with the malware’s creator, involving advertisement postings on a cybercrime forum, cryptocurrency transactions, and customer support. Hive RAT is equipped with capabilities to terminate programs, record keystrokes, access files, and steal passwords and credentials.
Meanwhile, the Australian Federal Police (AFP) announced charges against a citizen for their alleged involvement in Hive RAT’s creation and sale. The suspect faces multiple charges, including producing, controlling, and supplying data with intent to commit computer offenses, with each offense carrying a maximum penalty of three years’ imprisonment.
Remote access trojans give criminals full access to and control over a victim’s device, which is what makes them so dangerous. Separately, federal prosecutors in the U.S. have indicted Charles O. Parks III for running a cryptojacking scheme that defrauded cloud computing providers of millions of dollars. Parks faces charges of wire fraud, money laundering and engaging in unlawful monetary transactions.
Parks illicitly obtained computing resources to mine cryptocurrencies like Ether, Litecoin, and Monero, laundering the proceeds through various channels to conceal transactions. The acquired funds were used for extravagant purchases, including luxury cars, jewelry, and travel expenses.
Read: https://thehackernews.com/2024/04/hive-rat-creators-and-35m-cryptojacking.html
Elsewhere Online:
Omni Hotel Chain Declares Customer Information Stolen in Daixin Team Ransomware Attack
Read: https://www.securityweek.com/omni-hotels-says-personal-information-stolen-in-ransomware-attack/
Chirp Systems’ Smart Locks Vulnerable to Remote Unlocking Due to Critical Security Flaw
Read: https://www.theregister.com/2024/04/15/critical_vulnerability_chirp_lock/
NOBELIUM’s Midnight Blizzard Breach Triggers Worldwide Cybersecurity Concerns
Read: https://www.hackread.com/global-hack-exposes-personal-data-protection-axios-security-group/
UK Lawmakers Push for TikTok Misinformation Strategy Amid Concerns Over Youth Influence
Read: https://reclaimthenet.org/uk-lawmakers-target-tiktok-in-the-name-of-fighting-misinformation
Introducing Kaspersky Next for Advanced Endpoint Protection
Read: https://www.darkreading.com/endpoint-security/kaspersky-unveils-new-flagship-product-line-for-business-kaspersky-next
Previously on #AxisOfEasy
If you missed the previous issues, they can be read online here:
- April 8th, 2024: Hackers Exploit Fake Facebook MidJourney AI Page To Promote Malware To 1.2M People
- April 1st, 2024: Telecom Giant AT&T Says Personal Data From 73M Accounts Has Been Leaked Onto The Dark Web
- March 25th, 2024: What Is Money? Decoding The Finance Code With easyDNS CEO Mark Jeftovic
- March 18th, 2024: Large Scale Data Breach Exposes Info Of Nearly Half Of France’s Working Population
- March 11th, 2024: Major Cybersecurity Breach: Top US Agency CISA Hacked, Systems Offline
Quote is by Jung
Until you make the unconscious conscious, it will direct your life and you will call it fate. Has to be Carl Jung
Carl Jung is the answer
If not Jung then Freud
This week’s quote is by Carl Jung.