Access Token

GitLab

Internet Archive Faces Another Breach Due to Exposed GitLab Auth Tokens

An analysis of the Internet Archive's data breach via exposed GitLab tokens, compromising user data and personal IDs, highlighting security lapses.

21-Oct-2024
5 min read

Related Articles


ESET

Data Wiper

Hackers breached ESET Israel's partner, Comsecure, using legitimate servers to s...

Hackers have breached Comsecure, ESET's exclusive partner in Israel, to conduct a sophisticated phishing campaign targeting Israeli businesses. The attackers used legitimate ESET infrastructure to distribute data wiper malware disguised as antivirus software, aiming for destructive attacks on Israeli organizations.

### What Happened?

#### Compromise of ESET Israel's Partner

On October 8th, a phishing campaign was launched in which emails branded with ESET's logo were sent from the legitimate domain eset.co.il. This indicates that the email servers of ESET's Israeli distributor, Comsecure, were compromised.

#### Phishing Emails Sent from Legitimate Servers

The phishing emails appeared authentic because they passed SPF, DKIM, and DMARC authentication checks. This means the emails originated from verified ESET servers, making them highly convincing to recipients and difficult for security systems to detect.

### Phishing Campaign Details

#### Disguised as ESET's Advanced Threat Defense Team

The emails pretended to be from _"ESET's Advanced Threat Defense Team,"_ warning recipients about state-backed attackers targeting their devices. The message leveraged fear of sophisticated threats to prompt immediate action.

#### Introduction of "ESET Unleashed"

To counter the alleged threat, the email offered a download link to _"ESET Unleashed,"_ purportedly a more advanced antivirus tool. The download link was hosted on the legitimate eset.co.il domain, adding further credibility.

#### Malicious Payload

The downloaded ZIP archive contained:

- Four legitimate ESET DLL files digitally signed by ESET's code-signing certificate.
- An unsigned Setup.exe file, which was the malicious data wiper.

### Advanced Evasion Techniques

The data wiper employed several evasion tactics:

- **Anti-Virtualization:** The malware detected virtual environments, making it difficult for researchers to analyze it in virtual machines.
- **Mutex Usage:** It used a mutex associated with the [Yanluowang ransomware](https://www.secureblink.com/threat-research/yanluowang-ransomware-linked-to-thieflock-operators) group, potentially to confuse attribution efforts.

### Connection to Legitimate Israeli Websites

Upon execution, the malware reached out to www.oref.org.il, a legitimate Israeli news site. This could be a tactic to blend in with normal traffic or to verify internet connectivity.

### Impact on Israeli Organizations

#### Targeting Cybersecurity Professionals

Initial reports indicate that the phishing emails were sent to cybersecurity personnel within Israeli organizations. Compromising these individuals could give attackers deeper access into secure systems.

#### Irreversible Data Destruction

The malware is a data wiper designed to irreversibly delete files and corrupt partition tables, making data recovery extremely difficult, if not impossible.

#### Lack of Immediate Disclosure

Despite the severity of the breach, there was a notable delay in public disclosure from ESET and Comsecure. This lack of transparency may have hindered affected organizations from taking prompt defensive action.

### Attribution and Political Motivations

#### Embedded Threats and Dates

Analysis by cybersecurity experts revealed embedded messages within the malware:

> _"Hey ESET, wait for the leak... Doing business with the occupiers puts you in scope!"_

An embedded date was also found, possibly correlating with significant events or other attacks.

#### Links to Iranian Threat Actors

There are indications that the attack may be linked to Iranian groups such as Handala and CyberToufan, known for:

- Using data wipers in attacks against Israel.
- Embedding political messages in their malware.
- Aiming to sow chaos and disrupt Israel's economy rather than seeking financial gain.

### Technical Details

#### File Hashes of Malicious Files

- **ZIP Archive:** `2d55c68aa7781db7f2324427508947f057a6baca78073fee9a5ad254147c8232`
- **Setup.exe:** `2abff990d33d99a0732ddbb3a39831c2c292f36955381d45cd8d40a816d9b47a`

#### YARA Rule for Detection

A YARA rule has been shared by Kevin Beaumont to aid in detecting the malware:

```yara
rule ESETIsraelWiper
{
    strings:
        $a = "Hey ESET, wait for the leak.. Doing business with the occupiers puts you in scope!"
    condition:
        $a
}
```

### ESET's Response

ESET has added an antivirus signature, Win32/Agent.AGFH, to detect related malicious activity.

### Recommendations for Organizations

#### Immediate Actions

- **Update Antivirus Definitions:** Ensure that all antivirus software is updated to detect the latest threats.
- **Educate Staff:** Inform employees about the phishing campaign, emphasizing caution with unexpected emails, even from legitimate sources.
- **Monitor Network Traffic:** Watch for unusual outbound connections, especially to known legitimate websites from unexpected applications.

#### Long-Term Strategies

- **Strengthen Email Security:** Implement advanced email security solutions that can detect anomalies beyond standard SPF, DKIM, and DMARC checks.
- **Regular Security Audits:** Conduct frequent audits of partner and supplier security measures to prevent supply chain attacks.
- **Incident Response Planning:** Develop and regularly update incident response plans to handle breaches promptly and effectively.

### Conclusion

The breach of ESET's Israeli partner, Comsecure, underscores the evolving tactics of threat actors: by exploiting trusted infrastructure and employing sophisticated evasion techniques, attackers can deliver destructive payloads with devastating effects. Organizations must remain vigilant, prioritize transparency, and foster collaboration within the cybersecurity community to combat such threats.

---

### FAQs

#### What is a data wiper?

A data wiper is malware designed to irreversibly delete files on a computer and often corrupts the partition table, making data recovery extremely difficult.

#### How did the phishing emails bypass security systems?

The emails were sent from legitimate ESET servers and passed SPF, DKIM, and DMARC authentication checks, making them appear authentic to both recipients and email security systems.

#### Who is believed to be behind the attack?

While not definitively attributed, evidence suggests possible involvement of Iranian-linked threat actors like Handala and CyberToufan, known for politically motivated attacks against Israel.

#### What should I do if I receive such an email?

Do not download or execute any files from the email. Contact your IT security team immediately and report the incident.

#### Has ESET released an official statement?

Yes, ESET has acknowledged the incident and released antivirus signatures to detect the malware. However, there was a delay in public disclosure, which has raised concerns.

19-Oct-2024
5 min read

Linux

FASTCash

North Korean hackers deploy a new Linux FASTCash malware variant enabling unauth...

A newly identified [Linux](https://www.secureblink.com/cyber-security-news/new-regre-ss-hion-critical-open-ssh-vulnerability-allows-root-access-on-linux) variant of the notorious FASTCash malware has been discovered, expanding the attack surface of North Korean hackers targeting financial institutions. Previously known to compromise IBM AIX and Microsoft Windows systems, this malware now poses a threat to Linux-based payment switch servers, enabling unauthorized cash withdrawals from ATMs. This development underscores the evolving tactics of threat actors like Hidden Cobra (also known as APT38 or [Lazarus Group](https://www.secureblink.com/cyber-security-news/lazarus-targets-spanish-aerospace-with-lightless-can)) and highlights the urgent need for robust security measures in the financial sector.

### Background

#### Evolution of FASTCash Malware

The term FASTCash refers to a malware family [attributed](https://doubleagent.net/fastcash-for-linux/) to North Korean hackers, designed to infiltrate payment switch systems within compromised networks. Since at least 2016, FASTCash has facilitated unauthorized ATM cash-outs by manipulating transaction messages, resulting in the theft of tens of millions of dollars per incident across multiple countries.

- **2018:** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) [first warned](https://www.cisa.gov/news-events/alerts/2018/10/02/hidden-cobra-fastcash-campaign) about FASTCash, linking it to Hidden Cobra.
- **2019:** The first Windows variant surfaced, expanding the malware's reach beyond IBM AIX systems.
- **2020:** CISA updated its advisory to include the Windows variant, noting significant developments in the malware's capabilities.
- **2021:** Indictments were announced for three North Koreans involved in these schemes, responsible for over $1.3 billion in theft.

### Technical Analysis of the Linux Variant

#### Compilation & Deployment

The newly discovered Linux variant was compiled for Ubuntu Linux 20.04 using GCC 11.3.0. Analysis suggests that the malware was developed after April 21, 2022, likely within a [VMware](https://www.secureblink.com/cyber-security-news/patch-critical-v-mware-v-center-vulnerabilities-to-prevent-rce-now) virtual machine environment. The use of Ubuntu indicates a shift, as traditional payment switch systems often run on proprietary UNIX systems or Windows.

#### Similarities to Previous Variants

The Linux variant shares operational similarities with its Windows and AIX predecessors:

- **Currency Manipulation:** Both the Linux and Windows variants operate in Turkish Lira (TRY), while the AIX variant used Indian Rupee (INR).
- **ISO8583 Message Manipulation:** The malware intercepts and manipulates ISO8583 messages, the standard for financial transaction card-originated messages.
- **Approval of Declined Transactions:** It authorizes previously declined transactions by injecting fraudulent response messages before they reach the acquirer.

### Intercepting Transaction Messages

#### Payment Switch Systems

Payment switches act as intermediaries, routing transaction messages between ATMs/POS terminals and financial institutions. By compromising these systems, the malware can manipulate transaction data undetected.

#### ISO8583 Protocol Exploitation

The malware hooks into the recv function of network processes to intercept ISO8583 messages, specifically targeting:

- **Message Type Indicators (MTIs):** Focuses on authorization requests (1xx) and financial transactions (2xx).
- **Data Elements (DEs):** Manipulates fields such as DE2 (Primary Account Number), DE3 (Processing Code), DE4 (Transaction Amount), DE49 (Transaction Currency Code), and DE54 (Additional Amounts).

![diagram.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/diagram_5d10d93578.jpg)

***FASTCash Operational Flow (Source: doubleagent.net)***

### Process Injection Techniques

Using the ptrace system call, the malware injects itself into running processes on the payment switch server. It employs a shared library (libMyFc.so) to hook network functions, allowing it to monitor and alter transaction messages in real time.

### Fraudulent Transaction Approval

Upon intercepting a declined transaction due to insufficient funds (Processing Code 51), the malware:

1. **Generates a Random Amount:** Between 12,000 and 30,000 TRY (~$350 to $875).
2. **Modifies Response Codes:** Sets DE38 (Approval Code) and DE39 (Action Code) to indicate approval.
3. **Adjusts Data Elements:** Removes specific DEs related to security and authentication to avoid detection.
4. **Sends Manipulated Response:** Forwards the fraudulent approval to the bank's central systems, enabling unauthorized cash withdrawals.

### Indicators of Compromise (IoCs)

The following SHA-256 hashes are associated with the Linux variant:

- `f34b532117b3431387f11e3d92dc9ff417ec5dcee38a0175d39e323e5fdb1d2c`
- `7f3d046b2c5d8c008164408a24cac7e820467ff0dd9764e1d6ac4e70623a1071` (UPX packed)

### Impact and Implications

#### Expanded Attack Surface

The discovery of a Linux variant indicates that North Korean hackers are broadening their targets to include a wider range of operating systems. This expansion poses significant risks to financial institutions that may rely on Linux-based systems for payment processing.

#### Financial and Reputational Damage

Unauthorized cash withdrawals facilitated by FASTCash can lead to substantial financial losses and damage the reputation of affected institutions. The malware's ability to evade detection exacerbates these risks.

#### Challenges in Detection

As of its discovery, the Linux variant had zero detections on VirusTotal, highlighting the difficulty traditional security tools face in identifying such threats.

### Detection and Prevention

#### Implementing Robust Security Measures

Financial institutions should adhere to CISA's recommendations:

- **Message Authentication Codes:** Require and verify MACs on issuer financial request and response messages.
- **Chip and PIN Requirements:** Implement chip and PIN authentication for debit and credit cards.
- **Cryptogram Validation:** Perform authorization response cryptogram validation for chip and PIN transactions.
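The response manipulation described above and CISA's MAC recommendation, as an added example that is not part of the original article or of the referenced doubleagent.net analysis: an acquirer-side check that verifies a MAC over the data elements FASTCash rewrites and flags an approval whose echoed fields or MAC do not match the request. It assumes a dict-of-DEs representation instead of real bitmap-encoded ISO8583, a MAC carried in DE64, a truncated HMAC-SHA256 in place of an HSM-backed MAC, and constructed key and messages.

```python
import hashlib
import hmac

# Data elements FASTCash is reported to read or rewrite (DE2/3/4/49/54) plus
# the two response fields it sets to force an approval (DE38/DE39).
PROTECTED_DES = (2, 3, 4, 38, 39, 49, 54)
MAC_DE = 64  # assumption for this demo: the issuer MAC travels in DE64


def canonical(mti, des):
    """Deterministic MAC input covering the MTI and every protected DE."""
    parts = [mti] + [f"{de}={des.get(de, '')}" for de in PROTECTED_DES]
    return "|".join(parts).encode()


def compute_mac(key, mti, des):
    # Truncated HMAC-SHA256 stands in for the HSM-backed MAC a real issuer uses.
    return hmac.new(key, canonical(mti, des), hashlib.sha256).hexdigest()[:16]


def sign(key, mti, des):
    """Issuer side: attach a MAC to an outgoing request or response."""
    out = dict(des)
    out[MAC_DE] = compute_mac(key, mti, out)
    return out


def audit_response(key, req, rsp_mti, rsp):
    """Acquirer/switch side: list findings for a response, given its request.

    An empty list means the response is authenticated and consistent."""
    findings = []
    mac = rsp.get(MAC_DE)
    mac_ok = mac is not None and hmac.compare_digest(mac, compute_mac(key, rsp_mti, rsp))
    if mac is None:
        findings.append("mac_missing")
    elif not mac_ok:
        findings.append("mac_invalid")
    # Echoed fields must match the request; a rewritten DE4 or DE49 is the
    # amount/currency manipulation described in the article.
    for de in (2, 3, 4, 49):
        if rsp.get(de) != req.get(de):
            findings.append(f"de{de}_mismatch")
    # An approval (DE39 = 00) without a valid MAC must never be honoured.
    if rsp.get(39) == "00" and not mac_ok:
        findings.append("unauthenticated_approval")
    return findings


# Constructed sample: an ATM withdrawal request and the issuer's genuine decline.
KEY = b"constructed-demo-key"  # constructed; production MAC keys never leave the HSM
REQUEST = {2: "4111111111111111", 3: "010000", 4: "000001500000", 49: "949"}
DECLINE = sign(KEY, "0210", {**REQUEST, 39: "51"})  # DE39 51: insufficient funds

# Constructed tampered copy of that decline: approval codes set, amount replaced,
# MAC stripped, mirroring the modifications the article attributes to FASTCash.
TAMPERED = {**DECLINE, 4: "000002000000", 38: "A1B2C3", 39: "00"}
del TAMPERED[MAC_DE]

if __name__ == "__main__":
    print("genuine decline:", audit_response(KEY, REQUEST, "0210", DECLINE))
    print("tampered approval:", audit_response(KEY, REQUEST, "0210", TAMPERED))
```

The check deliberately treats a missing MAC the same as an invalid one, since the article notes the malware strips security-related DEs rather than forging them.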

16-Oct-2024
5 min read

IntelBroker

Cisco

Cisco is found to be currently investigating a possible data breach following re...

Cisco is currently investigating a possible data breach following reports that allegedly stolen data has surfaced for sale on a hacking forum. The stolen data claims have been linked to a threat actor known as "IntelBroker" who, along with two others, "EnergyWeaponUser" and "zjj", claims to have breached Cisco on June 10, 2024.

According to IntelBroker, the breach compromised a whole host of sensitive information, including:

- GitHub and GitLab project repositories
- Source code
- Hard-coded credentials
- SSL certificates
- Docker builds
- API tokens
- AWS and Azure storage bucket data
- Confidential Cisco documents, and more.

## Cisco's Response

A Cisco spokesperson confirmed the company is aware of the alleged breach and that an investigation is ongoing to assess the extent of the situation. At this time, Cisco has not confirmed the authenticity of the claims or the data samples that have been leaked.

**Cisco's statement:**

> _"We have launched an investigation to assess this claim, and our investigation is ongoing."_

## Alleged Attacker's Claims

IntelBroker, which has been involved in many targeted cyberattacks, namely [Facebook](https://www.secureblink.com/cyber-security-news/200-000-facebook-marketplace-records-leaked-claims-intel-broker) & [General Electronics](https://www.secureblink.com/cyber-security-news/intel-broker-offers-ge-s-pipelines-for-500-amid-cyberattack-probe), along with their associates have provided samples of the alleged stolen data on a hacking forum. These samples include:

- A customer database
- Customer information
- Documentation related to customers
- Screenshots from internal customer management portals.

While details of how the breach transpired remain unclear, the type of data presented suggests access to core developer infrastructure and proprietary code repositories, potentially via compromised DevOps systems.

### Critical Data at Risk

The threat actor's post indicated that many of Cisco's most crucial assets were allegedly infiltrated. Some of the more alarming categories include:

1. **Source Code Repositories**: IntelBroker claims access to multiple source code repositories hosted on GitHub, GitLab, and SonarQube. This can pose a serious risk to Cisco's intellectual property, potentially allowing attackers to identify vulnerabilities in Cisco products.
2. **Hard-Coded Credentials and API Tokens**: The presence of hard-coded credentials within the code repositories could allow further exploitation of other systems if not remediated promptly.
3. **Confidential Cisco Documents**: Exposure of internal documentation could reveal sensitive corporate strategies, undisclosed technologies, and private communications.
4. **Cloud Infrastructure Access**: AWS private buckets, Azure storage, and Docker build data are all listed as compromised. Breaching cloud infrastructure is a serious issue as it can lead to further compromise of confidential services or data leakage.
5. **Private & Public Keys, SSL Certificates**: If SSL certificates or cryptographic keys have been compromised, the breach could extend to disrupting secure communication channels.

## Analysis of Previous Incidents

This is not the first time IntelBroker has been associated with major data breaches. Since June 2024, the group has been involved in leaking or selling data from various high-profile companies such as [T-Mobile](https://www.secureblink.com/cyber-security-news/second-t-mobile-data-breach-of-2023-attackers-access-info-of-hundreds), [AMD](https://www.secureblink.com/cyber-security-news/sink-close-a-high-severity-amd-cpu-vulnerability-enables-undetectable-malware), and [Apple](https://www.secureblink.com/cyber-security-news/apple-urgently-releases-i-os-update-to-fix-voice-over-password-flaw).

These previous attacks reportedly exploited vulnerabilities in third-party DevOps and software development service providers. It remains unclear whether the Cisco breach is related to those earlier incidents, but the scope of the alleged data exfiltration suggests that a third-party service provider might have been targeted once again.

Nor is this an isolated intrusion involving Cisco. The company has previously suffered many intrusions, such as the detection of a backdoor vulnerability in its [smart licensing utility](https://www.secureblink.com/cyber-security-news/cisco-patches-critical-backdoor-vulnerability-in-smart-licensing-utility-1), its [VPN being exploited](https://www.secureblink.com/cyber-security-news/ransomware-group-exploit-cisco-vpn-zero-day-vulnerability) by a ransomware group, its [Cisco SPA 112 Phone Adapters](https://www.secureblink.com/cyber-security-news/cisco-spa-112-phone-adapters-vulnerable-to-arbitrary-code-execution) being vulnerable to arbitrary code execution, [Cisco AnyConnect](https://www.secureblink.com/cyber-security-news/any-connect-security-flaw-being-exploited-in-the-wild-cisco-warned) being exploited in the wild, and many more. Third-party vendors in DevOps often possess extensive access to company infrastructure, making them a high-value target for cybercriminals.

## Implications of the Cisco Data Breach

If IntelBroker's claims prove to be accurate, this breach could have severe implications for Cisco's customers and partners. Compromised source code, credentials, and API tokens could potentially lead to:

1. **Intellectual Property Theft**: With source code and product designs in hand, competitors or criminal groups could clone or exploit Cisco products.
2. **Secondary Attacks**: The use of compromised credentials, API tokens, or customer documentation could lead to follow-up attacks, including ransomware, phishing, or fraud targeting Cisco's customers.
3. **Loss of Trust**: A breach of this magnitude could significantly damage Cisco's reputation, especially among enterprise clients who rely on its technologies for secure networking solutions.
4. **Regulatory and Legal Consequences**: Cisco could face significant regulatory scrutiny, especially if customer or proprietary data is found to have been insufficiently protected.

### Potential Remediation Strategies

While Cisco continues its investigation, there are several immediate steps the company should consider:

- **Revocation of Exposed Certificates and Credentials**: Any SSL certificates, private keys, or hard-coded credentials that were potentially compromised must be revoked and replaced immediately.
- **Patch and Secure DevOps Systems**: Since DevOps infrastructure appears to be the common thread in IntelBroker's past breaches, Cisco should audit and strengthen security controls around its own DevOps tools and those of any third-party vendors.
- **Customer Communication and Incident Response**: If customer information is indeed part of the compromised data, Cisco will need to proactively inform affected customers and assist them in securing their systems.
- **Security Audit of Code Repositories**: A thorough audit of all GitHub, GitLab, and SonarQube repositories should be conducted to identify any potential vulnerabilities or further exposures of sensitive information.

As more companies integrate third-party services into their core development workflows, they become increasingly vulnerable to attacks targeting those services. In the short term, it is critical for Cisco to validate IntelBroker's claims, secure any exposed infrastructure, and collaborate with affected customers to mitigate potential risks. The long-term challenge will be fortifying the security of its development pipelines to prevent similar breaches in the future.

15-Oct-2024
6 min read