CDK breach, Qilin Synnovis attack, Velvet Ant and Nobelium Threat Groups
Hello, ArvinF here, your editor for F5 SIRT's This Week in Security, covering 17-23 June 2024. Here's a summary of the security news.

CDK Global had a cyber security incident that affected car dealerships across the US which use its DMS, and its systems had to go offline. The reference article gives no specifics on the cause of the outage, but it is speculated to be related to a ransomware attack. It also coincided with a US public holiday.

Qilin, a suspected Russia-based ransomware gang, executed a cyber attack on Synnovis that affected London-based hospitals. Many surgeries and appointments were pushed back due to this ransomware event. The gang dumped the data it extracted from Synnovis after it perceived the company was stalling during the negotiation phase.

The Kraken cryptocurrency exchange accuses blockchain security company CertiK of extortion: "the researchers refused to provide a full account of their activity related to the exploit, demonstrate a proof of concept, or to return funds withdrawn via the vulnerability," per Kraken's representative. The flaw stemmed from a "UX change that would credit client accounts before assets actually cleared to create an artificial sense of real-time cryptocurrency trades". CertiK researchers found it, and a dispute over the awarding of the bounty followed once Kraken fixed the flaw. Kraken claims the vulnerability, as exploited by the CertiK researchers, allowed them to withdraw $3M US from the platform. CertiK says "Kraken's security operation team threatened individual CertiK employees to repay a mismatched amount of crypto in an unreasonable time, even without providing repayment addresses".

A report published by France's computer emergency response team (CERT-FR) highlights the latest tricks of Nobelium, a Russian cyber crew, as the country prepares for a major election and to host this year's Olympic and Paralympic Games.
The researchers say its main focus is espionage, and claim it often targets the email accounts of diplomatic staff, their institutions, embassies, and consulates using phishing emails sent from foreign institutions that have already been compromised by Nobelium. CERT-FR's report states that the French public sector has been attacked several times by the group using this business email compromise (BEC) style of attack.

The forensic report from Sygnia documents how a threat group maintained persistence in a major organization; one of the pivot points was a pair of BIG-IP appliances running outdated software with interfaces exposed to the public internet. Quote: "Velvet Ant is a sophisticated and innovative threat actor. The investigation confirmed the threat actor maintained a prolonged presence in the organization's on-premises network for about three years. The overall goal behind this campaign was to maintain access to the target network for espionage." "One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was exposed to the internet and which the threat actor leveraged as an internal Command and Control (C&C)." "The compromised organization had two F5 BIG-IP appliances which provided services such as firewall, WAF, load balancing and local traffic management. These appliances were directly exposed to the internet, and both of which were compromised. Both F5 appliances were running an outdated, vulnerable, operating system. The threat actor may have leveraged one of the vulnerabilities to gain remote access to the appliances."

Ransomware gangs and suspected state-sponsored cyber threat groups continuously exploit known and unknown vulnerabilities. Organizations should implement holistic protections such as security awareness training and safe use of business tools.
Phishing and spear phishing are the age-old vector for delivering malware, and a well-trained, security-aware business user is the human firewall that prevents the initial execution of malware in a business email compromise by identifying the potentially malicious email and flagging it to the IT security organization for further handling. Organizations must keep their system software up to date to minimize the vulnerabilities or flaws that can be exploited. Strong, intelligent email phishing filters should be implemented. Anti-malware software such as anti-virus and EDR/XDR solutions helps detect malware, prevent its further spread and contain it. Network micro-segmentation limits attackers' lateral movement options and so helps prevent further spread of malware. From an F5/BIG-IP perspective, keep your BIG-IP/F5 software updated, secure access to your device management interfaces, and allow access only to trusted users and networks.

I hope these news items are informative. Credit to the original articles/source. Till next time, stay safe and secured.

Car dealer software bigshot CDK pulls systems offline twice amid 'cyber incident'

The vendor behind the software on which nearly 15,000 car dealerships across the US rely says an ongoing "cyber incident" has forced it to pull systems offline for a second time in as many days. CDK Global first shut down its systems in the early hours of June 19 and brought key products such as its Dealer Management System (DMS), phone line support, Digital Retail platform, and the Unify portal page, back online later in the day. That means thousands of dealerships throughout the United States have been left to operate without their usual IT systems, sparking disruption.
The business began notifying dealerships and other stakeholders of a service disruption at around 0200 ET, before updating them again at 0800 ET blaming the problems on a "cyber incident," according to trade mag Automotive News, which cited various industry sources and missives from CDK. We'd give you good odds on the attack being timed to coincide with the US public holiday Juneteenth – June 19 – to cause maximum disruption. When disclosures mention third-party experts being drafted in after an outage, it often signals the potential for ransomware being involved. As of today and following the most recent development, some dealerships are preparing for systems to be down all weekend, according to one Reddit post, while others are simply cracking on with old-fashioned pen-and-paper methods.

https://www.theregister.com/2024/06/20/cdk_global_offline/

Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals

Cybercriminals claim they used a zero-day to breach pathology provider's systems

The ransomware gang responsible for a healthcare crisis at London hospitals says it has no regrets about its cyberattack, which was entirely deliberate, it told The Register in an interview. Qilin says Synnovis, a partnership between pathology services company Synlab and two London NHS Trusts, wasn't targeted by accident. Asked if it knew a healthcare crisis in the UK capital would ensue as a result of its attack on that organization, should they be successful, a spokesperson for the group said: "Yes, we knew that. That was our goal." Louise Ferrett, senior threat intelligence analyst at Searchlight Cyber, questioned the alleged ideology of the attack, suggesting it could have been fabricated given the media attention surrounding the incident. "Qilin was considered a financially-motivated threat actor so political targeting doesn't align with their usual modus operandi," she said. "It is possible that, in this case, the gang decided to mix financial gain with proving a political point." Despite the deliberate intent of the attack, Qilin somewhat backhandedly said it was sympathetic to the people of London who are now suffering as a result.

Zero-day claim

Asked about how Qilin gained an initial foothold in Synnovis' systems, Qilin wouldn't reveal much in the way of details. Despite being named after a Chinese mythological creature, Qilin is widely believed to be an operation running out of Russia. It operates much like others in Russia have in the past and appears to target Western organizations and not those in countries allied to Russia, which would allow it to maintain its protected status at the Kremlin.

https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/?td=rt-3a

Qilin cyber scum leak data they claim belongs to London hospitals' pathology provider

The ransomware gang responsible for the chaos at London hospitals kept true to its word and released a trove of data that it claims belonged to pathology services provider Synnovis. National Health Service (NHS) officials have battled crippling service disruptions across various hospitals in the UK capital after Synnovis – a partnership between Synlab and two London NHS Trusts – pulled its systems offline following a Qilin cyberattack. Qilin told The Register in an interview earlier this week that it would publish the data on June 20, as it did, after the gang severed communications with Synnovis over its perceived unacceptable stalling during the negotiation phase. Without reviewing the data that's been made available via the group's Telegram channel, which is Qilin's typical preferred method of leaking victim data, we can see that more than 400GB worth of compressed files were made available for download. Qilin claimed that it stole over 1TB worth of Synnovis' data.
The publication of the data, coupled with Qilin's claims that it grew tired of Synnovis during negotiations, all but confirms the company adhered to the UK's official stance on not paying cybercriminals' ransom demands.

NHS issues another update

For two weeks now, the UK's health service has published once-weekly updates on the situation at London hospitals, and this week's edition illustrated just how bad things have become in the space of seven days. In total, 1,134 elective surgeries have been postponed because of Qilin's attack on Synnovis, which began June 4, and 2,194 outpatient appointments have also been pushed back.

https://www.theregister.com/2024/06/21/qilin_cyber_scum_leak_the/
https://www.synnovis.co.uk/news-and-press/cyberattack-update-21-june-2024

Crypto exchange Kraken accuses blockchain security outfit CertiK of extortion

Researchers allegedly stole $3M using the vulnerability, then asked how much it was really worth

Kraken, one of the largest cryptocurrency exchanges in the world, has accused a trio of security researchers of discovering a critical bug, exploiting it to steal millions in digital cash, then using stolen funds to extort the exchange for more. The exchange wrote about the issue yesterday, saying the exploit allowed some users "to artificially increase the value of their Kraken account balance without fully completing a deposit." Kraken chief security officer Nicholas Percoco said on X that the researchers didn't provide any details in their bug bounty report, but that his team discovered the bug within an hour. Simply reporting the bug would have been enough for a sizable bounty, Percoco added. The researcher who disclosed the vulnerability, who Kraken didn't name "because they didn't comply with any [bug bounty] industry expectations," didn't stop there, however.
According to Percoco, the analyst behind the find shared it with a couple of coworkers, who then exploited the vulnerability to withdraw nearly $3 million from the platform. Kraken noted that the funds stolen in this way were from the Kraken treasury and weren't client assets. Percoco said the researchers refused to provide a full account of their activity related to the exploit, demonstrate a proof of concept, or to return funds withdrawn via the vulnerability. "Instead, they demanded a call with their business development team … and have not agreed to return any funds until we provide a speculated [dollar] amount that this bug could have caused if they had not disclosed it," Percoco said. "This is not white-hat hacking, it is extortion!"

Researchers strike back

Kraken may not have wanted to name the researchers behind the alleged extortion attempt, but the researchers themselves aren't being quiet: they're accusing Kraken of misconduct. US-based blockchain security firm CertiK said on X that it was the other party in this dispute, and said the conversation began well enough until Kraken's security team fixed the issue. "After initial successful conversations on identifying and fixing the vulnerability, Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," CertiK said on X. CertiK also claimed that it had offered to return the funds and never tried to withhold them; however, the crypto community on X isn't going easy on the company. A number of respondents have claimed that wallets associated with CertiK have been caught using US-sanctioned cryptocurrency mixers like TornadoCash and crypto-swapping platform ChangeNOW, while others highlighted what they claim were inconsistencies with CertiK's public disclosures and records on the blockchain.
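The bug class Kraken describes above (an account balance credited before the deposit has actually settled) is easiest to see in a toy ledger. The code below is an added illustration of that class; it is not Kraken's code and not what CertiK reported, and the ledger classes, the confirmation threshold and the "chain" stub are all constructed for the example. The vulnerable ledger moves funds into the spendable balance the moment a deposit is announced, so a deposit that never settles can still be withdrawn against; the hardened ledger holds it as pending and only credits it once enough confirmations arrive.

```python
"""Credit-before-settlement: vulnerable vs hardened deposit handling.

Added example of the bug class, not any exchange's real code. The
confirmation count is fed in by the caller, standing in for a chain
watcher; nothing here talks to a real blockchain.
"""
from dataclasses import dataclass


@dataclass
class Deposit:
    txid: str
    amount: int            # integer minor units; never use floats for money
    confirmations: int = 0
    credited: bool = False


class InsufficientFunds(Exception):
    pass


class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is *announced*."""

    def __init__(self):
        self.available = 0
        self.deposits = {}

    def announce_deposit(self, dep: Deposit):
        self.deposits[dep.txid] = dep
        self.available += dep.amount          # BUG: credited before settlement
        dep.credited = True

    def on_deposit_failed(self, txid: str):
        # Reversal arrives after the funds may already have been withdrawn,
        # so the balance goes negative and the exchange carries the loss.
        dep = self.deposits.pop(txid)
        self.available -= dep.amount

    def withdraw(self, amount: int) -> int:
        if amount > self.available:
            raise InsufficientFunds
        self.available -= amount
        return amount


class HardenedLedger:
    """Keeps unsettled deposits out of the spendable balance until confirmed."""
    REQUIRED_CONFIRMATIONS = 6   # assumption for the example; real values vary per asset

    def __init__(self):
        self.available = 0
        self.pending = {}

    def announce_deposit(self, dep: Deposit):
        self.pending[dep.txid] = dep           # visible to the user, not spendable

    def on_confirmations(self, txid: str, confirmations: int):
        dep = self.pending.get(txid)
        if dep is None:
            return                              # unknown or already credited: idempotent
        dep.confirmations = confirmations
        if confirmations >= self.REQUIRED_CONFIRMATIONS:
            dep.credited = True
            self.available += dep.amount
            del self.pending[txid]

    def on_deposit_failed(self, txid: str):
        self.pending.pop(txid, None)            # nothing to reverse: never credited

    def withdraw(self, amount: int) -> int:
        if amount > self.available:
            raise InsufficientFunds
        self.available -= amount
        return amount


def run_attack(ledger) -> int:
    """Announce a deposit that never settles, try to withdraw, report what left."""
    ledger.announce_deposit(Deposit(txid="tx-never-settles", amount=1_000_000))
    try:
        stolen = ledger.withdraw(1_000_000)
    except InsufficientFunds:
        stolen = 0
    ledger.on_deposit_failed("tx-never-settles")
    return stolen


if __name__ == "__main__":
    v = VulnerableLedger()
    print("vulnerable: withdrawn", run_attack(v), "final balance", v.available)
    h = HardenedLedger()
    print("hardened:   withdrawn", run_attack(h), "final balance", h.available)
```

The point of the split between `pending` and `available` is that every code path that can hand money out reads only `available`, and the only transition into `available` is the confirmation handler, which is idempotent so that a replayed or duplicated chain event cannot credit twice.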
Additionally, while Percoco said all funds have been returned, minus a portion that was lost to blockchain fees, several commentators allege that the amount CertiK said it owed Kraken was tens of thousands of dollars less than what Kraken said was stolen.

https://www.theregister.com/2024/06/20/kraken_certik_crypto_dispute/

Russia's cyber spies still threatening French national security, democracy

Publishing right before a major election is apparently just a coincidence

A fresh report into the Nobelium offensive cyber crew published by France's computer emergency response team (CERT-FR) highlights the group's latest tricks as the country prepares for a major election and to host this year's Olympic and Paralympic Games. Most infoseccers will know Nobelium/Midnight Blizzard as the Russian intelligence (SVR)-linked criminals responsible for the major supply chain attack on SolarWinds in 2021, but CERT-FR believes sharing information about the latest exploits may stifle the gang's threat to national security in the coming months. Nobelium's activity is often also tied to the APT29 moniker, but the French cybersecurity agency (ANSSI) believes Nobelium is in fact a distinct intrusion set. It says the true APT29 was active between 2008-2019 and was responsible for the attack on the US DNC, while Dark Halo was the group that carried out the SolarWinds breach. To ANSSI, Nobelium is a separate entity but like the other two, is linked to the Russian intelligence service. ANSSI says it was spun up in October 2020.

It's targeting diplomats, ministry officials

The researchers say its main focus is espionage, and claim it often targets the email accounts of diplomatic staff, their institutions, embassies, and consulates using phishing emails sent from foreign institutions that have already been compromised by Nobelium.
CERT-FR's report states that the French public sector has been attacked several times by the group using this business email compromise (BEC) style of attack.

China-Nexus Threat Group 'Velvet Ant' Abuses F5 Load Balancers for Persistence

Key Takeaways

In late 2023, a large organization was the victim of a serious cyber attack. Sygnia's forensic investigation into the attack revealed a sophisticated threat actor who exhibited robust capabilities and employed a methodical approach. The evidence gathered suggests the involvement of a China-nexus state-sponsored threat actor.
Velvet Ant is a sophisticated and innovative threat actor. The investigation confirmed the threat actor maintained a prolonged presence in the organization's on-premises network for about three years. The goal behind this campaign was to maintain access to the target network for espionage.
The threat actor achieved remarkable persistence by establishing and maintaining multiple footholds within the victim company's environment. One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was exposed to the internet and which the threat actor leveraged as an internal Command and Control (C&C).
After one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection.
The threat actor exploited various entry points across the victim's network infrastructure, indicating a comprehensive understanding of the target's environment.
This incident highlights the importance of establishing resilient defense strategies against sophisticated threats, particularly those posed by state-sponsored groups. A holistic approach to mitigating these threats combines continuous monitoring with proactive response mechanisms, including periodic and systematic threat hunts, alongside stringent traffic control and system hardening practices for both legacy and public-facing devices.
By embracing such an approach, organizations can enhance their ability to detect, deter, and counteract the persistent threat presented by state-sponsored groups.

The compromised organization had two F5 BIG-IP appliances, which provided services such as firewall, WAF, load balancing, and local traffic management. These appliances were directly exposed to the internet, and both were compromised. Both F5 appliances were running an outdated, vulnerable operating system. The threat actor may have leveraged one of the vulnerabilities to gain remote access to the appliances. However, visibility limitations hinder the ability to identify exactly how the appliances were compromised.

https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/

K000140032: China-Nexus Threat Group 'Velvet Ant' Abuses F5 Load Balancers for Persistence
https://my.f5.com/manage/s/article/K000140032

Recommended Actions

To protect systems from exploitation F5 recommends customers:
Run the most current version to optimize the security and performance of their systems.
Do not expose the control plane network to untrusted sources, including the Internet.
Utilize the BIG-IP iHealth Diagnostic Tool to verify the proper operation of their system and ensure it is functioning at peak efficiency.

F5 does not have any additional information beyond the public analysis and is not aware of any zero-day or unknown vulnerabilities being exploited by this threat actor.
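The second recommended action above, and the earlier advice in this post to secure device management interfaces and allow access only from trusted networks, can be turned into a concrete check: on BIG-IP, a self IP's port lockdown setting decides whether TMUI, SSH and SNMP answer on that address, and a self IP on an internet-facing VLAN left at "allow default" or "allow all" is exactly the exposure described in the Velvet Ant report. The script below is an added example, not F5's or Sygnia's code; it parses the output of `tmsh list net self` and flags self IPs on untrusted VLANs whose allow list reaches the management plane. The sample output is constructed here to approximate the real tmsh format, and the set of "management" services is illustrative rather than an exhaustive copy of F5's default port lockdown list.

```python
"""Flag BIG-IP self IPs whose port lockdown exposes management services.

Added example: parses `tmsh list net self` output (the sample below is
constructed to approximate the real format, not captured from a device)
and reports self IPs on untrusted VLANs that allow the default or all
service set, or that explicitly allow a management-plane service.
"""
import re

# Assumption for the example: the "default" port lockdown set includes
# tcp:https (TMUI/iControl REST) and tcp:ssh among others. This list is
# illustrative, not a complete copy of F5's default allow list.
MGMT_SERVICES = {"tcp:https", "tcp:ssh", "tcp:snmp", "udp:snmp", "tcp:f5-iquery"}

SAMPLE_TMSH_OUTPUT = """\
net self external_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self internal_self {
    address 10.0.0.10/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan internal
}
net self dmz_self {
    address 203.0.113.11/24
    allow-service {
        tcp:https
        udp:domain
    }
    traffic-group traffic-group-local-only
    vlan external
}
net self locked_self {
    address 203.0.113.12/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
"""

# One "net self <name> { ... }" block; the closing brace sits at column 0.
BLOCK_RE = re.compile(r"net self (\S+) \{(.*?)\n\}", re.S)


def parse_self_ips(tmsh_output):
    """Return a list of dicts: name, address, vlan, allow (set of tokens)."""
    selfs = []
    for name, body in BLOCK_RE.findall(tmsh_output):
        addr = re.search(r"^\s*address (\S+)", body, re.M)
        vlan = re.search(r"^\s*vlan (\S+)", body, re.M)
        allow = set()
        braced = re.search(r"^\s*allow-service \{(.*?)\}", body, re.S | re.M)
        if braced:
            allow = set(braced.group(1).split())      # e.g. {default} or {tcp:https udp:domain}
        else:
            inline = re.search(r"^\s*allow-service (\S+)", body, re.M)
            if inline:
                allow = {inline.group(1)}             # "all" or "none"
        selfs.append({
            "name": name,
            "address": addr.group(1) if addr else "",
            "vlan": vlan.group(1) if vlan else "",
            "allow": allow,
        })
    return selfs


def exposed_services(allow):
    """Management-plane services reachable through a self IP's allow list."""
    if "all" in allow:
        return {"all"}
    found = set()
    if "default" in allow:
        found |= MGMT_SERVICES
    found |= allow & MGMT_SERVICES
    return found


def audit(tmsh_output, untrusted_vlans=("external",)):
    """Return (name, address, vlan, sorted services) for each risky self IP."""
    findings = []
    for s in parse_self_ips(tmsh_output):
        if s["vlan"] not in untrusted_vlans:
            continue
        svcs = exposed_services(s["allow"])
        if svcs:
            findings.append((s["name"], s["address"], s["vlan"], sorted(svcs)))
    return findings


if __name__ == "__main__":
    for name, addr, vlan, svcs in audit(SAMPLE_TMSH_OUTPUT):
        print(f"{name} ({addr}, vlan {vlan}) exposes: {', '.join(svcs)}")
    print("Remediation: tmsh modify net self <name> allow-service none")
```

On a real device the input would be `tmsh list net self` piped into the script, and the remediation for an internet-facing self IP is `tmsh modify net self <name> allow-service none`; management should then reach the box only via the dedicated management interface on a network that is not routable from the internet. This does not replace the first recommended action: an exposed but fully patched box and a hidden but unpatched box are both still findings.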
Based on the public information available, it seems most likely that the devices were compromised because their management interfaces were exposed to the Internet (which is contrary to F5 advice and best practices) and they were running an old version of BIG-IP software affected by a disclosed vulnerability for which a fixed version is available.

Related posts from This Week in Security:

Apple Passwords, Microsoft Recall, and DJI - May 10th - 16th - This Week In Security
This time we touch on Apple's new password manager, Microsoft's attempt to AI everything in Windows and ongoing attempts to ban DJI drones from use in the United States. Included at the end is a roundup of other news from last week.

SORBS Shutdown, Microsoft Recall and TikTok's Zero-day and Apple's Passwords App
Notable security news for the week of June 2nd-8th 2024: the SORBS spam blacklist service, which was shut down by its owner Proofpoint; TikTok's zero-day vulnerability, which was used by attackers to compromise high profile user accounts; Microsoft's Recall feature changed from default to opt-in in Windows 11; and Apple's new "Passwords" app.

Dell & Ticketmaster breaches, CVE & patch roundup and ProxyShell is back
Notable security news for the week of May 20th-26th, 2024, brought to you by the F5 Security Incident Response Team. This week, AaronJB is taking a look at breach news from Dell, a novel DNS attack technique, how threat actors still exploit old CVEs (like Exchange's ProxyShell CVE-2021-34473, CVE-2021-34523 & CVE-2021-31207), why Industrial Control Systems shouldn't be connected to the Internet and a quick round-up of vendor patches you should take a look at from Ivanti, Fortinet, TP-Link and F5.

Huge breaches, still in fashion

I originally had this segment planned so that I could talk about the recent Dell data breach which exposed the records of 49 million customers - name, physical address, Dell order information - you know, the usual kind of information that an adversary could use to construct a very convincing spearphishing attack (yet Dell apparently consider it low risk); but there is some late breaking news which potentially makes this breach look tiny. I'll get onto that later.

The Dell breach is interesting though as it was actually achieved using one of the most basic techniques (which I thought was long since 'fixed') - web scraping. The attackers simply registered a partner account using fake company details and then used a generated list of service tags to scrape the details of every order relating to those service tags - they sent 5000 requests per minute for three weeks straight, and nobody noticed a thing. Dell Service Tags are a unique asset identifier consisting of seven alphanumeric characters - consider them a serial number - so the attackers just needed to generate service tags and then, one by one, request the details of the order behind each tag. Apparently, the attackers even tried to disclose this security issue to Dell but received no response and set about monetizing their discovery instead.
It strikes me that there are so many places this could have been fixed ahead of time:

Least privilege: Does every partner account really need to be able to access the details of every possible service tag? (I would have thought no!)
Rate limiting: Does that API really need to be able to support endless requests from a single partner account? (I would have thought no!)
Logging: I don't know what the base requests-per-second rate is for that API, but shouldn't there at least have been some logging happening to a central SIEM about suspicious activity?

Any of the above could have stopped this attack dead - heck, I get the impression that Dell could have stopped the attack had they interacted with the original report sent to them; though perhaps the original report (in part redacted) was looking for a bounty and Dell declined to interact on that basis. Still, the published partial email does seem to indicate that the attackers provided a full PoC from the outset.

But wait, I said there was something bigger? Yes! This is late breaking and we don't have all the facts yet, but a couple of days ago posts began appearing on X suggesting that Ticketmaster had suffered a breach of 1.3TB of data which included names, physical addresses, email addresses, phone numbers and the last four digits and expiry of payment cards associated with orders - 560 million rows of data. The validity of this was initially questioned but, unfortunately for us, later verified to be true; as vx-underground says: Sometime in April an unidentified Threat Group was able to get access to Ticketmaster AWS instances by pivoting from a Managed Service Provider. At least this wasn't a simple web scraping attack, I suppose, but it highlights something for me: You need to be very careful who you trust to manage your systems, because your security is entirely in their hands.
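The three controls listed above for the Dell scrape (least privilege, rate limiting, logging) can all be exercised in one review pass over the API's access log, which is what a SIEM rule for this would do. The code below is an added example, not Dell's code and not derived from its logs (the real API and log format are not public): the log line layout, partner IDs, per-partner tag scope, rate threshold and the sequential-enumeration heuristic are all constructed for the example. It flags a partner that exceeds the per-minute rate, requests tags outside its own entitlement, or walks service tags in base-36 order, which is what a generated tag list looks like from the server side.

```python
"""Detect service-tag enumeration in partner-API access logs.

Added example implementing least privilege (scope check), rate limiting
(per-minute threshold) and logging review (SIEM-style heuristics) over a
constructed log. Format, IDs, scopes and thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line shape: "<iso-ts> partner=<id> GET /orders?service_tag=<7 chars> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) partner=(?P<partner>\S+) GET /orders\?service_tag="
    r"(?P<tag>[A-Z0-9]{7}) (?P<status>\d{3})$"
)

# Constructed: tags each partner is entitled to query (least-privilege scope).
PARTNER_SCOPE = {
    "P-1001": {"7GH2K3L", "7GH2K3M"},
    "P-9999": {"ABC1234"},
}

RATE_LIMIT_PER_MIN = 60   # assumption for the example
ENUM_MIN_SEQUENTIAL = 5   # consecutive base-36 tags before we call it enumeration
BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def tag_to_int(tag):
    return int(tag, 36)


def int_to_tag(n, width=7):
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = BASE36[r] + out
    return out.rjust(width, "0")


def parse(lines):
    """Return (timestamp, partner, tag, status) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["partner"],
                           m["tag"], int(m["status"])))
    return events


def analyse(lines):
    """Per-partner findings: peak rate, scope violations, longest sequential tag run."""
    by_partner = defaultdict(list)
    for ev in parse(lines):
        by_partner[ev[1]].append(ev)
    findings = {}
    for partner, evs in by_partner.items():
        evs.sort()                                   # chronological
        per_minute = defaultdict(int)
        for ts, _, _, _ in evs:
            per_minute[ts.replace(second=0, microsecond=0)] += 1
        peak = max(per_minute.values())
        scope = PARTNER_SCOPE.get(partner, set())
        out_of_scope = sum(1 for _, _, tag, _ in evs if tag not in scope)
        longest_run = run = 1
        for (_, _, prev, _), (_, _, cur, _) in zip(evs, evs[1:]):
            run = run + 1 if tag_to_int(cur) == tag_to_int(prev) + 1 else 1
            longest_run = max(longest_run, run)
        findings[partner] = {
            "peak_per_minute": peak,
            "rate_exceeded": peak > RATE_LIMIT_PER_MIN,
            "out_of_scope_requests": out_of_scope,
            "longest_sequential_run": longest_run,
            "enumeration": longest_run >= ENUM_MIN_SEQUENTIAL,
        }
    return findings


def constructed_log():
    """A legitimate partner plus a scraper walking 100 tags in 50 seconds."""
    lines = [
        "2024-05-01T10:00:00 partner=P-1001 GET /orders?service_tag=7GH2K3L 200",
        "2024-05-01T10:05:00 partner=P-1001 GET /orders?service_tag=7GH2K3M 200",
    ]
    base = tag_to_int("ABC1230")
    for i in range(100):
        ts = datetime(2024, 5, 1, 10, 0, 0) + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} partner=P-9999 GET /orders?service_tag={int_to_tag(base + i)} 200")
    return lines


if __name__ == "__main__":
    for partner, f in analyse(constructed_log()).items():
        flags = [k for k in ("rate_exceeded", "enumeration") if f[k]]
        print(partner, f, "FLAGS:" if flags else "", ", ".join(flags))
```

Any one of the three signals is enough to page someone; in the Dell case all three would have fired in the first minute. The scope check is the one that should be enforced in the API itself rather than only detected after the fact, since a partner that can only read its own tags has nothing to enumerate.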
Meanwhile, your reputation is entirely in your hands - when and if you are breached, your customers won't come with pitchforks for your MSP, they will come for you. This is also true of SaaS services, of course, and why SaaS companies (including ours) invest heavily in internal training, processes and patch management. I wonder if the MSP did, in this case?

Vendor patch watch

It's like Spring Watch (for UK readers; for the rest of the world, that's a daytime TV show where cameras get shoved in badger setts, bird houses etc and people watch baby animals that were born in springtime), but for vulnerabilities.

Ivanti published patches for six Critical severity vulnerabilities (plus four High) in Ivanti EPM, and a handful of other Ivanti products; if you use any of those you really should patch ASAP, although none have appeared in CISA's Known Exploited Vulnerabilities (KEV) list yet.

Proof of Concept exploits were released for Fortinet's CVE-2024-23108 (disclosed in January) so if you haven't patched, you absolutely must, as the time from PoC availability to widespread exploitation is typically 24 hours or less. Rather unfortunately, the PoC reveals that CVE-2024-23108 is basically CVE-2023-34992 just in a different argument - still, we have all been there!

TP-Link disclosed a CVSS 10.0 vulnerability in their Archer C5400X gaming router and if you have one of those then you really need to patch - home routers are common targets for attackers looking to create botnets to carry out further attacks, and earlier TP-Link CVEs quickly appeared in CISA's KEV list as well as F5 Labs' Sensor Intel Series, which showed that CVE-2023-1389 (TP-Link Archer AX-21) was the most targeted vulnerability in March 2024!

Finally, and not to be outdone, F5 had two disclosures in May; this is unusual for us as we typically coordinate our disclosures for Quarterly Security Notifications, however, this month, we had both a QSN and an Out-of-Band notification affecting NGINX products.
You can find the details of our May 8th QSN in K000139404 and details of our NGINX-specific May 29th OOBSN in K000139628; fortunately for us the highest CVSS in our QSN was an 8.0, and in our OOBSN a 6.5 (and the OOBSN NGINX issues are all specific to QUIC, as well). As I say, we try to coordinate our disclosures for QSNs so that our customers can have a predictable cadence around which to plan updates & upgrades; we are committed to security, to working with external researchers, and to the security of the open-source community, however, and in some cases we must disclose issues out of band in order to best protect and serve our customer base, and maintain the balance between transparency and security.

Novel DNS attack - DNSbomb

DNSbomb - I originally spotted this a couple of weeks ago, but last week it was the topic of a talk at the 2024 IEEE Symposium on Security and Privacy so has had a bit more coverage, and there is now an easy-to-digest slide set available (with a video to follow) and even a one-page poster for your wall (seriously though, I actually love the idea of a one-page poster like this for new research; it's great for those of us who are attention-span challenged!). The idea behind this attack is to use a low rate of requests from a large number of hosts to fly under the radar, but rather than simply having those hosts query the target victim, those hosts send their queries to some intermediary concentrator (which could be a recursive resolver, CDN or similar) which will queue all of those requests up and send them in one big burst to the target victim (hence the "bomb" part of the name). The technique is interesting and novel, promising a theoretical amplification factor of 20,000x or greater and a peak "bomb" in the 9Gb/s range, but I must admit that I haven't been able to properly go through the research paper or try to replicate their findings yet. Perhaps that will be the basis of a future DCCO article!
If anyone has had a chance to really understand the research - or better still, was at the IEEE Symposium - I'd love to hear from you!

Don't put your Industrial Control Systems on the Internet?

I thought this fell under the heading of "obvious news" but apparently, not so obvious; Rockwell Automation and CISA have "encouraged" customers to assess and secure their public internet exposed ICS assets. Personally, I'm struggling to understand why Industrial Control Systems would be exposed to the Internet, ever, but perhaps I am being naïve here? Is the public internet just considered "easy connectivity" for ICS & IoT systems? Certainly, a quick google for things like "water treatment plant internet" shows plenty of articles discussing IoT for waste treatment monitoring, but do you really want the gate valves separating brown water from clean being controlled by a PLC hooked up to the Internet? OK, silly example, but my point stands - industrial controls typically look after things that are mission- or human-critical, toxic waste, nuclear power stations, manufacturing plants and so on. None of that stuff should ever be connected to the internet, and it terrifies me that Rockwell & CISA felt the need to reiterate that...

One last thing..

An article about MS Exchange flaws being leveraged to deploy keyloggers in highly targeted attacks. What caught my eye there wasn't the keylogger part (although that is neat; at least neat to see something that isn't just ransomware!) but rather that the threat actor is leveraging Exchange vulnerabilities from 2021 in the form of ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
I talk about this often, but as an industry we have to get better at patching exposed systems; perhaps the problem is we simply don't know what systems are exposed, perhaps the problem is a lack of time to patch, or a lack of corporate will to suffer potential downtime and push-back by Change Advisory Boards, but whatever the problem is we really have to tackle it. I'd love to hear your stories from the front lines of patching things like ProxyShell; how long did it take, was there any fallout, management push-back etc?

Ancient Exchange flaws exploited - https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html

PowerPoint, ArcaneDoor, the Z80 and Kaiser Permanente
Notable security news from the week of April 21st with a small side of nostalgia for the Z80 CPU; we'll dive into the exploitation of an old PowerPoint CVE from 2017, ArcaneDoor and the targeting of Cisco perimeter devices and an enormous breach of Kaiser Permanente user information!

GhostStripe, Sec Clearance bill, JR EAST, Vulnrichment, and Solar Storm
This week Koichi is back as editor for another round-up of the news. This time I chose these security news items: GhostStripe, the Security Clearance bill and RISS, a suspected attack on Japan Railway (JR) East, Vulnrichment, and the solar storm.