Attackers were able to compromise customers’ personal data by targeting the Accellion FTA server of a third-party vendor.

Morgan Stanley has confirmed a data breach in which attackers accessed personal information belonging to customers by exploiting a vulnerability in a third party's Accellion FTA (File Transfer Appliance) server.

The server belonged to Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, the bank said in a letter disclosing the incident. Attackers were able to access participant data, including name, last known address, birth date, Social Security number, and corporate company name. The data compromised did not include passwords that could be used to access financial accounts.

Morgan Stanley said the compromised files were encrypted; however, the attackers also obtained the decryption key during the breach, so the encryption at rest offered no protection for the stolen data.

This makes the bank one of many organizations affected by the vulnerability in the Accellion FTA server, an issue disclosed earlier this year. Following Accellion’s January announcement, several businesses experienced data theft and subsequent extortion attempts.

While Guidehouse applied the patch within five days of its becoming available, the attacker accessed the data around that same time, officials said. The vendor discovered the attack in March 2021 and learned in May that it affected Morgan Stanley. Guidehouse attributed the delay to the difficulty of determining which files were stored on the Accellion FTA server at the time it was exposed.

Courtesy: darkreading.com

The Kaseya ransomware attack is believed to have begun with an authentication bypass. Ransomware needs to be on your radar, but sound authentication practices are just as imperative.

Last Friday, just before the extended American Independence Day holiday, it was announced that Kaseya, an American software company, had been hacked. The attackers distributed ransomware by exploiting several vulnerabilities in Kaseya's Virtual System Administrator (VSA) remote monitoring and management software, which let them infect many downstream organizations at once through what is known as a supply chain attack.

From Omdia’s perspective, supply chain cybersecurity is hugely complex, and many organizations have not paid it sufficient attention. Organizations can have hundreds or even thousands of suppliers digitally connected, and the risks are rarely quantified, and even when they are, it is frequently a manual process.

The attack is suspected to be the work of REvil (Ransomware Evil; also known as Sodinokibi), a ransomware gang operating with relative impunity out of Russia, where authorities frequently turn a blind eye to such groups. REvil has demanded $70 million in Bitcoin in return for a universal decryptor that it claims will unlock the files of all victims. It is believed that REvil used an authentication bypass in the web interface of Kaseya VSA to obtain an authenticated session, uploaded the initial payload, and then executed commands via SQL injection.

The attack highlights growing concern in the cybersecurity world about supply chain attacks: compromising a single supplier yields hundreds or thousands of potential victims. The number of companies affected by this attack is unclear and will likely increase. For example, security company Huntress, one of the earliest sources to detect the attack, estimates that "30 MSPs across the US, AUS, EU, and LATAM" have been breached and that over 1,000 organizations have been infected with ransomware as a result. Moreover, around 500 Coop stores in Sweden were forced to close because of the attack.

Rest assured, this isn't the last supply chain attack we will see this year, or perhaps even this month. Recommendations from the USA's Cybersecurity and Infrastructure Security Agency (CISA) for mitigating this particular attack include taking VSA servers offline, enforcing multifactor authentication (MFA) as soon as possible, ensuring that backups are in order and stored on air-gapped systems, and limiting remote monitoring and management tools to communication between known IP address pairs.

Organizations must be less trusting of their supply chains and increase focus on understanding and reducing the associated risks.

Courtesy: darkreading.com

The world's largest meat processing company says it paid the equivalent of $11 million to hackers who broke into its computer systems late last month.

Brazil-based JBS SA said on May 31 that it was the victim of a ransomware attack, but Wednesday was the first time the company’s U.S. division confirmed that it had paid the ransom.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, the CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

JBS said the vast majority of its facilities were operational at the time it made the payment, but it decided to pay in order to avoid any unforeseen issues and ensure no data was exfiltrated.

The FBI has attributed the attack to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months. The FBI said it will work to bring the group to justice and urged anyone who is the victim of a cyberattack to contact the bureau immediately.

The attack targeted servers supporting JBS’s operations in North America and Australia. Production was disrupted for several days.

Earlier this week, the Justice Department announced it had recovered most of a multimillion-dollar ransom payment made by Colonial Pipeline, the operator of the nation’s largest fuel pipeline.

Colonial paid a ransom of 75 bitcoin (then valued at $4.4 million) in early May to a Russia-based hacker group. The operation to seize the cryptocurrency was a rare victory in the fight against ransomware as U.S. officials scramble to confront a rapidly accelerating threat targeting critical industries around the world.

It wasn’t immediately clear if JBS also paid its ransom in bitcoin.

JBS said it spends more than $200 million annually on IT and employs more than 850 IT professionals globally.

The company said forensic investigations are still ongoing, but it doesn’t believe any company, customer or employee data was compromised.

Courtesy: securityweek.com

In the aftermath of the Colonial Pipeline hack and the increasing damage done by cybercriminals, the U.S. Department of Justice is elevating investigations of ransomware attacks to the same priority as terrorism cases, according to a senior department official, as Reuters notes.

Internal instructions provided to U.S. prosecutors across the country on Thursday said that information about ransomware investigations in the field will be coordinated centrally with a newly formed task force in Washington.

John Carlin, principal associate deputy attorney general at the Justice Department, stated: "It's a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain."

Last month, a cybercriminal organization operating from Russia penetrated the systems of East Coast pipeline operator Colonial Pipeline, locked its systems, and demanded a ransom, according to U.S. authorities. The intrusion led to an outage lasting several days, a jump in gasoline prices, panic buying, and localized fuel shortages in the Southeast.

The scenario changed following the attack on the Colonial Pipeline

Colonial Pipeline opted to pay the hackers who broke into its computers about $5 million to restore access, the company said. Colonial is expressly mentioned in the DOJ advisory as an example of the increasing threat that ransomware and digital extortion pose to the nation.

According to U.S. authorities, the Justice Department's decision to include ransomware in this special process shows how the issue is being prioritized. In effect, investigators in U.S. Attorney's Offices dealing with ransomware attacks are now required to share both current case files and active technical information with officials in Washington. The directive also suggests that offices consider including other investigations that focus on the larger cybercrime ecosystem.

Air India disclosed a data breach after personal information belonging to roughly 4.5 million of its customers was leaked, two months after the hack of Passenger Service System provider SITA in February 2021.

The Indian national carrier first informed passengers on March 19 that SITA had been the victim of a cyberattack.

“This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers,” Air India said in a breach notification sent over the weekend. 

“This incident affected around 4,500,000 data subjects in the world.”

The airline added that the breach impacted the data of passengers registered between August 2011 and February 2021.

After investigating the incident, Air India found that no password data was accessed during the breach; credit card details were among the affected records, but the data processor does not hold CVV/CVC numbers.

Air India nevertheless urges its passengers to change their passwords as a precaution against follow-on account compromise.

“The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data,” Air India added.

“However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor.”

The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers. — Air India

Data breach impacts Star Alliance members

Almost a dozen more air carriers besides Air India informed passengers that some of their data was accessed during a breach of SITA’s Passenger Service System (PSS), which handles transactions from ticket reservations to boarding.

SITA also confirmed the incident saying that it reached out to affected PSS customers and all related organizations in early March.

At the time, a SITA spokesperson told BleepingComputer that the breach impacts data of passengers from multiple airlines, including:

  • Lufthansa – combined with its subsidiaries, it is the second-largest airline in Europe in terms of passengers carried; Star Alliance member and Miles & More partner
  • Air New Zealand – flag carrier airline of New Zealand
  • Singapore Airlines – flag carrier airline of Singapore
  • SAS – Scandinavian Airlines
  • Cathay Pacific – flag carrier of Hong Kong
  • Jeju Air – the first and largest South Korean low-cost airline
  • Malaysia Airlines – flag carrier airline of Malaysia
  • Finnair – flag carrier and largest airline of Finland

Some of these air carriers (including Air India) are part of the Star Alliance, a global airline network with 26 members, including Lufthansa, the largest in Europe.

Star Alliance told BleepingComputer that its members also share customer details relevant to awarding traveling benefits. 

The information is limited to membership names, frequent flyer program membership numbers, and program tier status.

Courtesy: bleepingcomputer.com

Cybercriminals are unleashing a surprisingly high volume of new threats in a short period of time to take advantage of the inadvertent security gaps organisations leave open as they rush to ensure business continuity.

Cybersecurity firm Fortinet announced on Monday that over the past several weeks it has been monitoring a significant spike in COVID-19 related threats.

An unprecedented number of unprotected users and devices are now online with one or two people in every home connecting remotely to work through the internet. Simultaneously there are children at home engaged in remote learning and the entire family is engaged in multi-player games, chatting with friends as well as streaming music and video. The cybersec firm’s FortiGuard Labs is observing this perfect storm of opportunity being exploited by cybercriminals as the Threat Report on the Pandemic highlights:

  • A surge in Phishing Attacks: The research shows an average of about 600 new phishing campaigns every day. The content is designed either to prey on the fears and concerns of individuals or to pretend to provide essential information on the current pandemic. The lures range from scams offering to help individuals deposit their stimulus checks, to COVID-19 tests, to access to chloroquine and other medicines or medical devices, to fake helpdesk support for new teleworkers.
  • Phishing Scams Are Just the Start: While these campaigns start with a phishing email, their end goal is to steal personal information or to reach businesses through their teleworkers. The majority of the phishing attacks carry malicious payloads, including ransomware, viruses, remote access trojans (RATs) designed to give criminals remote access to endpoint systems, and even RDP (remote desktop protocol) exploits.
  • A Sudden Spike in Viruses: The first quarter of 2020 shows a 17% increase in viruses for January, a 52% increase for February and an alarming 131% increase for March compared to the same months in 2019. The rise is attributed mainly to malicious phishing attachments. Multiple sites illegally streaming movies that were still in theatres silently deliver malware to anyone who visits. Free game, free movie, and the attacker is on your network.
  • Risks for IoT Devices Magnify: With users all connected to the home network, attackers have multiple avenues of attack targeting computers, tablets, gaming and entertainment systems, and even IoT devices such as digital cameras and smart appliances, with the ultimate goal of finding a way back into a corporate network and its valuable digital resources.
  • Ransomware-like Disruption of Business: If a remote worker's device is compromised, it can become a conduit back into the organization's core network, enabling malware to spread to other remote workers. The resulting business disruption can be just as effective at taking a business offline as ransomware targeting internal network systems. Since helpdesks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while the devices are mailed in for reimaging.

"Though organizations have completed the initial phase of transitioning their entire workforce to remote telework and employees are becoming increasingly comfortable with their new reality, CISOs continue to face new challenges presented by maintaining a secure teleworker business model. From redefining their security baseline, or supporting technology enablement for remote workers, to developing detailed policies for employees to have access to data, organizations must be nimble and adapt quickly to overcome these new problems that are arising," said Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet – Office of CISO.

Cybersecurity firm Sophos published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being exploited in the wild.

Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing “a suspicious field value visible in the management interface.”

After investigating the report, Sophos determined this was an active attack and not an error in its product.

HACKERS ABUSED AN SQL INJECTION BUG TO STEAL PASSWORDS

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said today.

Hackers targeted Sophos XG Firewall devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet.

Sophos said the hackers used the SQL injection vulnerability to download a payload on the device. This payload then stole files from the XG Firewall.

Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and user accounts used for remote access to the device.

Sophos said that passwords for customers’ other external authentication systems, such as AD or LDAP, were unaffected.

The company said that during its investigation, it did not find any evidence that hackers used the stolen passwords to access XG Firewall devices, or anything beyond the firewall, on its customers’ internal networks.

PATCH ALREADY PUSHED TO CUSTOMER DEVICES

The UK company, famed for its antivirus product, said it prepared and already pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said.

The security update will also add a special box in the XG Firewall control panel to let device owners know if their device has been compromised.


For companies that had devices hacked, Sophos is recommending a series of steps, which include password resets and device reboots:

  1. Reset portal administrator and device administrator accounts
  2. Reboot the XG device(s)
  3. Reset passwords for all local user accounts
  4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

Sophos also recommends that companies disable the firewall's administration and User Portal interfaces on internet-facing ports if they do not need them exposed; exposure of those interfaces was the precondition for this attack.

Researchers revealed two zero-day security vulnerabilities affecting Apple’s stock Mail app on iOS devices.

Researchers are reporting two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads. Affected versions range from iOS 6 through iOS 13.4.1. Apple patched both vulnerabilities in the iOS 13.4.5 beta, released last week. A final release of iOS 13.4.5 is expected soon.

Both vulnerabilities are believed to have been actively exploited by an “advanced threat operator” since 2018.

Both bugs are remotely exploitable by an attacker who simply sends an email to the victim's default iOS Mail application on their iPhone or iPad.

“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” wrote researchers.

“Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet,” wrote Satnam Narang, principal research engineer with Tenable in a statement.

The first vulnerability is an out-of-bounds (OOB) write. Researchers said the affected library is "/System/Library/PrivateFrameworks/MIME.framework/MIME" and the vulnerable function is "[MFMutableData appendBytes:length:]".

“The implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate,” researchers said.

The second flaw, a heap-overflow, can also be triggered remotely.

"Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly," researchers wrote. "The remote bug can be triggered while processing the downloaded email; in such a scenario, the email won't get fully downloaded to the device as a result."

Researchers said both bugs have been exploited in the wild, however researchers believe “the first vulnerability (OOB Write) was triggered accidentally, and the main goal was to trigger the second vulnerability (Remote Heap Overflow).”

In simple terms, researchers said the attack occurs when an attacker sends a specially crafted email that, when received by an iOS device's Mail app, consumes so much memory that it creates the conditions for a heap overflow.

“The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods,” researchers wrote.

The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device, researchers said.
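The bug class the researchers describe, an append routine that trusts a buffer grew because it asked ftruncate() to grow it, is easy to see in a small model. The following C program is an added example written for this page; it is not Apple's MFMutableData code and it does not reproduce the iOS exploit. It models a file-backed growable buffer with a canary region placed after the logical mapping, forces ftruncate() to fail by passing an invalid descriptor (-1, which stands in for the resource-exhaustion failure the email triggers), and contrasts an append that discards the syscall's return value with one that refuses to write when the grow fails. The 24-byte and 16-byte "MIME fragments" are constructed inputs.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed model (not Apple's MFMutableData): a growable, file-backed
 * buffer whose capacity is extended with ftruncate(). GUARD canary bytes sit
 * right after the logical mapping so an overrun can be detected safely. */
#define GUARD      16
#define GUARD_BYTE 0xA5

typedef struct {
    int fd;              /* backing descriptor; -1 makes ftruncate() fail with EBADF */
    unsigned char *base; /* cap bytes of "mapping" followed by GUARD canary bytes */
    size_t len;          /* bytes in use */
    size_t cap;          /* bytes the mapping is believed to cover */
} mdata_t;

static mdata_t *md_new(int fd, size_t cap) {
    mdata_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->base = malloc(cap + GUARD);
    if (!m->base) { free(m); return NULL; }
    memset(m->base, 0, cap);
    memset(m->base + cap, GUARD_BYTE, GUARD);
    m->fd = fd; m->cap = cap; m->len = 0;
    return m;
}

static void md_free(mdata_t *m) { if (m) { free(m->base); free(m); } }

/* 1 if the canary after the mapping is untouched, 0 if something wrote into it. */
static int md_guard_intact(const mdata_t *m) {
    for (size_t i = 0; i < GUARD; i++)
        if (m->base[m->cap + i] != GUARD_BYTE) return 0;
    return 1;
}

/* Extend the backing file, then the mapping. Fails when ftruncate() fails
 * (EBADF here; ENOSPC/EFBIG under disk or quota pressure in real life). */
static int md_grow(mdata_t *m, size_t new_cap) {
    if (ftruncate(m->fd, (off_t)new_cap) == -1) return -1;
    unsigned char *nb = realloc(m->base, new_cap + GUARD);
    if (!nb) return -1;
    memset(nb + m->cap, 0, new_cap - m->cap);
    memset(nb + new_cap, GUARD_BYTE, GUARD);
    m->base = nb; m->cap = new_cap;
    return 0;
}

/* VULNERABLE pattern: md_grow()'s result is discarded, so after a failed grow
 * the memcpy runs past cap. The demo sizes the overrun to land inside the
 * canary so the program stays well-defined; a real one lands in whatever
 * follows the mapping. */
static size_t append_bytes_unchecked(mdata_t *m, const void *p, size_t n) {
    if (m->len + n > m->cap) (void)md_grow(m, m->len + n);  /* return value ignored */
    memcpy(m->base + m->len, p, n);                        /* OOB write when grow failed */
    m->len += n;
    return m->len;
}

/* FIXED pattern: nothing is written unless the mapping really covers it. */
static int append_bytes_checked(mdata_t *m, const void *p, size_t n) {
    if (n > SIZE_MAX - m->len) { errno = EOVERFLOW; return -1; }
    if (m->len + n > m->cap && md_grow(m, m->len + n) == -1) return -1;
    memcpy(m->base + m->len, p, n);
    m->len += n;
    return 0;
}

/* Constructed fragments: 24 bytes fit a 32-byte mapping; the next 16 need a
 * grow, which fd -1 guarantees fails. */
static const char HDR[]  = "Content-Type: text/plain";  /* 24 bytes */
static const char BODY[] = "AAAAAAAAAAAAAAAA";          /* 16 bytes */

/* Returns 1 when the unchecked append overwrote the canary (the OOB write). */
int demo_unchecked_corrupts_guard(void) {
    mdata_t *m = md_new(-1, 32);
    if (!m) return -1;
    append_bytes_unchecked(m, HDR, sizeof HDR - 1);   /* 24 <= 32: fine */
    append_bytes_unchecked(m, BODY, sizeof BODY - 1); /* 40 > 32: grow fails, 8 bytes overrun */
    int corrupted = !md_guard_intact(m);
    md_free(m);
    return corrupted;
}

/* Returns 1 when the checked append rejected the second write and left the canary intact. */
int demo_checked_refuses(void) {
    mdata_t *m = md_new(-1, 32);
    if (!m) return -1;
    int rc1 = append_bytes_checked(m, HDR, sizeof HDR - 1);
    int rc2 = append_bytes_checked(m, BODY, sizeof BODY - 1);
    int ok = (rc1 == 0 && rc2 == -1 && errno == EBADF && m->len == 24 && md_guard_intact(m));
    md_free(m);
    return ok;
}

int main(void) {
    printf("unchecked append overwrote the canary: %d\n", demo_unchecked_corrupts_guard());
    printf("checked append refused and kept canary: %d\n", demo_checked_refuses());
    return 0;
}
```

The point is not the specific syscall: any grow-then-write sequence where the grow can fail (ftruncate, mmap/mremap, realloc, vm_allocate) has the same shape, and the fix is always to make the write conditional on the grow having succeeded and to surface the error to the caller rather than continue with a stale capacity.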

“While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail,” Narang wrote. 

Researchers said they first identified suspicious behavior associated with the vulnerabilities on Feb. 19, 2020. After working closely with an impacted customer, they identified the first out-of-bounds (OOB) write vulnerability on March 23. On March 31, they identified the second bug, a remote heap overflow, and shared their research with Apple the same day. On April 15 and 16, Apple made a patch available in its publicly available beta software. On April 22, the researchers publicly disclosed their findings.

Courtesy: threatpost.com