Incident & Breach Response, Security Operations
Also: Ivanti Exploitation Continues; Apple Fixes First Zero-Day of 2024
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, U.S. short seller lender EquiLend Holdings was hacked, the Ivanti exploitation continued, Apple addressed the first zero-day of 2024, Ukraine said hackers had hit a Russian research center, Kasseika ransomware evolved, North Korean hackers were active, and Trello experienced a data leak.
EquiLend Faces Cyberattack, Systems Offline
New York City financial technology company EquiLend Holdings disclosed a cyberattack that has taken several of its systems offline. The restoration process is expected to extend over several days. The company on Monday attributed the system outage to a “technical issue” but later confirmed the incident had been a cyberattack.
Established by a consortium of banks and broker-dealers in 2000, EquiLend is a key player in the securities-lending market, managing transactions valued at approximately $2.44 trillion in Dec. 2023 alone. Securities lending, in which a firm loans company shares to another trader for a fee, is a critical part of short selling, which is a bet that a company's shares will fall in value rather than rise.
The Wall Street Journal reported that a financial researcher called the attack evidence that cyberattacks against a single target can have outsize effects when market operators come to heavily depend on a single provider.
Ivanti Exploitation Continues
The ongoing worldwide attack against Ivanti virtual private network appliances has infected 492 of 26,000 exposed devices, researchers at security company Censys said. The United States recorded the highest number of affected VPNs, followed by Germany, South Korea, China and Japan. The majority of the infected VPNs were hosted on Microsoft's cloud service. More than 400 of the hosts carried a backdoor used for credential theft.
The U.S. Cybersecurity and Infrastructure Security Agency issued a mandate for civilian governmental agencies to take corrective action.
Apple Addresses First Zero-Day of 2024
Apple released security updates detailing its first zero-day vulnerability of the year, which affected iPhones, Macs and Apple TVs. Tracked as CVE-2024-23222 and affecting iOS, macOS, tvOS and Safari, the zero-day involves a type confusion issue in WebKit that attackers could use for remote code execution. Apple warned that hackers appear to be exploiting the vulnerability.
WebKit is the open-source web browser engine that Apple requires all iOS apps to use when displaying web content, including third-party browsers that compete with Apple's default Safari browser and browser views embedded inside apps.
Apple backported patches to older iPhone and iPad models for two other WebKit zero-days, CVE-2023-42916 and CVE-2023-42917, which were originally patched in November 2023 for newer devices.
Russian Space Research Center Hit
Ukrainian authorities said on Wednesday that volunteer hackers aligned with Kyiv had bricked the database of Planeta, a Russian space hydrometeorology research center. The Ukrainian Main Intelligence Directorate said in a Telegram post that hackers from the “BO Team” had destroyed about 2 petabytes worth of data and equipment likely worth at least $10 million.
Russia faces wartime sanctions making the replacement of advanced technology difficult – although not impossible, given Moscow’s ability to obtain technology from intermediaries such as China, according to a January report from Ukrainian think tank KSE Institute and the Yermak-McFaul International Working Group.
Hackers wiped out meteorological and satellite data – information that is vital to supporting military operations.
The New Voice of Ukraine reported that the cyberattack also isolated a Russian Arctic station on Bolshevik Island that performs important military tasks.
A Dec. 31 assessment of Russia's ongoing invasion of Ukraine by the Institute for the Study of War reported an uptick in the number of missiles and drones evading Ukrainian air defenses, as well as heavy Russian losses in infantry-heavy offensive operations on multiple fronts.
Kasseika Ransomware Uses BYOVD Tactics
A novel ransomware operation named Kasseika has adopted "bring your own vulnerable driver" tactics to disable antivirus software before encrypting files, a growing trend among threat actors. Kasseika exploits the Martini driver (Martini.sys/viragt64.sys), part of TG Soft's VirIT Agent System, to incapacitate the antivirus products protecting the targeted system, Trend Micro found.
Trend Micro analysts uncovered Kasseika in December and found several attack-chain and source-code similarities with BlackMatter ransomware. A Kasseika attack begins with phishing emails targeting employees, aiming to steal their account credentials for initial access to the corporate network. The ransomware operators then use PsExec, the lightweight Windows remote-execution tool, to run malicious batch files on the infected system and on other machines within the network.
Using BYOVD attacks, Kasseika gains privileges to terminate processes of numerous antivirus products, security tools, analysis tools and system utilities. The ransomware uses ChaCha20 and RSA encryption algorithms to encrypt files, appending a pseudo-random string to filenames, similar to BlackMatter.
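The BYOVD pattern described above has a recognisable footprint: a known-vulnerable driver is loaded, and shortly afterwards security-product processes die. The following detection logic is an added example written for this roundup, not code from Trend Micro's report or from any vendor. The driver names come from the article; the event records, the Sysmon-like field layout, the list of protected process names and the 10-minute correlation window are all constructed assumptions for the example.

```python
"""Added detection example: correlate a vulnerable-driver load with the
termination of security-product processes on the same host.

The event schema (timestamp, host, event_type, detail) and the sample
events below are constructed for this example and do not reflect a real
telemetry format.
"""
from datetime import datetime, timedelta

# Driver file names named in the article as abused by Kasseika.
VULNERABLE_DRIVERS = {"martini.sys", "viragt64.sys"}

# Security-product process names to watch; constructed list for the example.
PROTECTED_PROCESSES = {"msmpeng.exe", "ekrn.exe", "avp.exe", "sentinelagent.exe"}

# How long after a suspicious driver load a process kill is still correlated.
WINDOW = timedelta(minutes=10)

# Constructed sample events: (ISO timestamp, host, event type, detail).
SAMPLE_EVENTS = [
    ("2024-01-22T10:01:00", "WS-042", "DriverLoad", r"C:\Windows\System32\drivers\martini.sys"),
    ("2024-01-22T10:01:30", "WS-042", "ProcessTerminate", "msmpeng.exe"),
    ("2024-01-22T10:02:10", "WS-042", "ProcessTerminate", "sentinelagent.exe"),
    ("2024-01-22T11:30:00", "WS-099", "DriverLoad", r"C:\Windows\System32\drivers\disk.sys"),
    ("2024-01-22T11:31:00", "WS-099", "ProcessTerminate", "notepad.exe"),
    ("2024-01-22T12:00:00", "WS-007", "ProcessTerminate", "msmpeng.exe"),
]


def driver_basename(path):
    """Normalise a Windows or POSIX driver path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_byovd(events):
    """Return a list of alert dicts.

    A vulnerable driver load alone yields a 'medium' alert; each protected
    process terminated on the same host within WINDOW of that load yields a
    'high' alert. Process kills with no preceding driver load are ignored,
    which keeps ordinary AV restarts out of the results.
    """
    loads = {}  # host -> [(load_time, driver_name), ...]
    alerts = []
    for ts, host, etype, detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if etype == "DriverLoad":
            name = driver_basename(detail)
            if name in VULNERABLE_DRIVERS:
                loads.setdefault(host, []).append((t, name))
                alerts.append({"severity": "medium", "host": host, "driver": name,
                               "killed": None, "at": ts})
        elif etype == "ProcessTerminate" and detail.lower() in PROTECTED_PROCESSES:
            for load_time, driver in loads.get(host, []):
                if timedelta(0) <= t - load_time <= WINDOW:
                    alerts.append({"severity": "high", "host": host, "driver": driver,
                                   "killed": detail.lower(), "at": ts})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only host WS-042 fires: one medium alert for the driver load and two high alerts for the two antivirus processes killed within the window. The driver name list is the weak point of this approach; in practice it should be fed from a maintained vulnerable-driver blocklist rather than the two names hard-coded here.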
North Korean Hackers Target Media and Academia
A SentinelLabs report reveals that North Korean hackers, tracked as ScarCruft or APT37, are engaging in a fresh espionage campaign. The group is targeting experts in North Korean affairs from South Korea’s academic sector and journalists on the North Korean beat.
The attacks are meant to give Pyongyang a better understanding of how it is perceived by the world outside its hard shell. The infection chain involves the use of RokRAT malware delivered through phishing emails disguised as scientific reports. RokRAT, a custom-written backdoor associated with ScarCruft, enables surveillance on targeted entities. ScarCruft has been previously linked to the North Korean hacker group Kimsuky, which uses similar targeting and pseudonyms.
The term “bandi,” used as a pseudonym by both groups, adds to the suspected relations between them. In North Korea, bandi is the pseudonym of an author suspected of publishing dissident writing. It means “firefly” in Korean.
Trello Data Leak Exposes Private Email Addresses
An unsecured Trello API led to the leak of private email addresses associated with Trello accounts, potentially allowing the creation of millions of data profiles containing both public and private information, Bleeping Computer first reported. The Atlassian-owned online project management tool's data leak came to light when an individual using the alias "emo" attempted to sell data on Trello members on a hacking forum. While most of the information in these profiles is public, the email addresses were not.
The scraper used the exposed API to associate email addresses with public Trello profiles. The API, designed for developers integrating the service into their applications, allowed querying for public information by Trello ID or username. But the individual found that the API could also be queried with an email address to retrieve the associated public profile information.
The Trello leak has been added to the Have I Been Pwned service so people can check to see if their email addresses were among the 15 million exposed.
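The design flaw here is that a lookup endpoint meant for public identifiers also accepted a private one, so anyone holding a list of email addresses could confirm which ones had accounts and attach the public profile to each. The following toy service is an added example, not Trello's or Atlassian's code; the user records, field names and rate limit are constructed assumptions. It shows the flawed lookup beside a hardened version that only accepts public identifiers, never echoes the email field and caps lookups per client.

```python
"""Added example: an in-memory public-profile lookup, first in the form that
permits email-to-account linking, then hardened. All data is constructed."""
import re
from collections import defaultdict

# Constructed user records; only the e-mail address is meant to stay private.
USERS = [
    {"id": "u1001", "username": "alice", "full_name": "Alice Example", "email": "alice@example.org"},
    {"id": "u1002", "username": "bob", "full_name": "Bob Example", "email": "bob@example.org"},
]
PUBLIC_FIELDS = ("id", "username", "full_name")


def _public(user):
    """Project a record onto its public fields; the e-mail is never included."""
    return {k: user[k] for k in PUBLIC_FIELDS}


def lookup_vulnerable(query):
    """The flaw described in the article: any matching field, including the
    private e-mail, resolves to a profile, so the endpoint silently confirms
    that an address belongs to an account and which one."""
    for u in USERS:
        if query in (u["id"], u["username"], u["email"]):
            return _public(u)
    return None


class ProfileLookup:
    """Hardened lookup: accept only public identifier shapes, answer unknown
    and malformed queries without distinguishing detail, and cap the number
    of lookups a single client may make."""

    USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
    ID_RE = re.compile(r"^u\d+$")

    def __init__(self, max_per_client=100):
        self.max_per_client = max_per_client  # constructed threshold
        self.counts = defaultdict(int)

    def lookup(self, query, client):
        self.counts[client] += 1
        if self.counts[client] > self.max_per_client:
            return {"error": "rate_limited"}
        # Neither pattern admits '@', so an e-mail address is rejected before
        # any data access happens.
        if not (self.USERNAME_RE.match(query) or self.ID_RE.match(query)):
            return {"error": "invalid_identifier"}
        for u in USERS:
            if query in (u["id"], u["username"]):
                return _public(u)
        return {"error": "not_found"}


if __name__ == "__main__":
    print("flawed:", lookup_vulnerable("alice@example.org"))
    svc = ProfileLookup(max_per_client=3)
    print("hardened:", svc.lookup("alice@example.org", client="demo"))
    print("hardened:", svc.lookup("alice", client="demo"))
```

The rate limit is deliberately applied before validation so that a client probing with malformed identifiers burns its budget just as fast as one making legitimate lookups; a per-client cap alone would not have stopped a slow scrape, which is why rejecting the private identifier outright is the primary fix.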
With reporting from Information Security Media Group’s Mihir Bagwe in Mumbai, India