General Motors Discloses Data Breach Following Credential Stuffing Attack
General Motors (GM) disclosed a data breach following a credential stuffing attack that occurred in April 2022. In a credential stuffing attack, collections of username and password combinations leaked in other sites' data breaches are replayed against a targeted website to gain access to user accounts. GM revealed in its notification letter, sent to impacted individuals on May 16, 2022, that suspicious login activity occurred between April 11 and April 29, 2022. The manufacturer confirmed that there is currently no evidence that the login credentials were obtained from GM itself, and that the unauthorized threat actors behind the compromise may have gained access to limited personal information, such as "first and last name, personal email address, personal address, username and phone number for registered family members tied to [the] account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points." GM emphasized that individuals' dates of birth, Social Security numbers, driver's license numbers, and credit card or bank account information were not impacted by this unauthorized access, as that information is not stored in user accounts. Approximately 4,900 individuals were impacted by General Motors' data breach. CTIX analysts will continue to monitor for credential stuffing attacks and recommend that multi-factor authentication (MFA) be implemented to mitigate this risk.
- BleepingComputer: General Motors Article
- Office of the Attorney General: General Motors Notification Letter
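Credential stuffing leaves a recognisable trace in authentication logs: a single source cycling through many distinct usernames with a high failure rate, which is very different from one user mistyping a password. The following is an added example, not code from GM or the CTIX team, that runs that check over constructed log lines in an assumed format; the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Assumed log format (not GM's): "<timestamp> ip=<src> user=<account> result=SUCCESS|FAIL"
LOG_RE = re.compile(r"^\S+ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")

# Constructed sample: one source cycles through many accounts with mostly failures
# (the stuffing signature); a legitimate user mistypes a password twice.
SAMPLE_LOG = """\
2022-04-11T02:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-04-11T02:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-04-11T02:00:03Z ip=203.0.113.7 user=carol result=FAIL
2022-04-11T02:00:04Z ip=203.0.113.7 user=dave result=SUCCESS
2022-04-11T02:00:05Z ip=203.0.113.7 user=erin result=FAIL
2022-04-11T02:00:06Z ip=203.0.113.7 user=frank result=FAIL
2022-04-11T08:15:00Z ip=198.51.100.9 user=alice result=FAIL
2022-04-11T08:15:09Z ip=198.51.100.9 user=alice result=FAIL
2022-04-11T08:15:20Z ip=198.51.100.9 user=alice result=SUCCESS
"""

def parse_log(text):
    """Yield (ip, user, result) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["result"]

def find_stuffing_sources(text, min_users=5, min_fail_rate=0.5):
    """Return {ip: (distinct_users, fail_rate)} for sources that try many distinct
    usernames with a high failure rate; one user fumbling a password does not match."""
    users = defaultdict(set)
    attempts = defaultdict(lambda: [0, 0])  # ip -> [total, failures]
    for ip, user, result in parse_log(text):
        users[ip].add(user)
        attempts[ip][0] += 1
        attempts[ip][1] += int(result == "FAIL")
    flagged = {}
    for ip, (total, fails) in attempts.items():
        rate = fails / total
        if len(users[ip]) >= min_users and rate >= min_fail_rate:
            flagged[ip] = (len(users[ip]), round(rate, 2))
    return flagged

def compromised_accounts(text, flagged):
    """Accounts that logged in successfully from a flagged source: force a password
    reset on these and prioritise them for MFA enrolment."""
    return sorted({u for ip, u, r in parse_log(text) if ip in flagged and r == "SUCCESS"})
```

With MFA enforced, a successful password match from a flagged source would still not yield a session, which is why it is the mitigation recommended above.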
Threat Actor Activity
Unknown Threat Group Targeting Russian Government
Russian government organizations are continuously being targeted with spear phishing campaigns from an unknown threat group. Since February 2022, the threat actors have attacked these government entities with at least four (4) different phishing themes to lure in victims. The first occurred a few days after Russia invaded Ukraine, when the threat actors embedded customized malware in a fake interactive map of Ukraine that deployed the malicious payload when executed. The next campaign, themed around the Log4J exploit, saw the threat actors distribute phishing emails to the Russia Today television network; the malicious Log4J-themed emails contained numerous file attachments laced with more of the actor's custom malware. These files claimed to be from the state-backed Russian defense conglomerate Rostec. Another campaign unleashed by these threat actors used fake job description documents supposedly from Saudi Aramco, infected with macro malware set to deploy once the user enabled editing of the document. Once deployed, the malware communicated with actor-controlled command-and-control (C2) servers, leaving behind some indicators for attribution. All four (4) campaigns use malware that is essentially identical apart from small code differences. Based on the indicators discovered by the Malwarebytes Threat Intelligence Team, there is a loose IP connection to China, but attribution cannot be assessed with high confidence at this time because this threat actor uses a variety of false flags to thwart analysts from tracing activity back to its origin. CTIX analysts continue to urge users to validate the integrity of suspicious emails prior to downloading any attachments or visiting embedded links to lessen the risk of threat actor compromise.
Cisco Health Check RPM Vulnerability Allows Unauthenticated Attackers to Connect to Redis Instances
After observing active exploitation attempts in the wild, Cisco has patched a critical zero-day vulnerability affecting the health check Route Processor Module (RPM) of its IOS XR Software for 8000 series routers. The flaw, tracked as CVE-2022-20821, is described as a privilege escalation vulnerability stemming from a default configuration in the health check RPM that automatically opens TCP port 6379. Port 6379 is the default port for the Redis database service, an open-source in-memory NoSQL key-value data store used as a database, cache, or message broker. It is offered both as an open-source and an enterprise service, and is mainly used to scale and quickly handle sudden peaks in resource demand while providing low latency and high throughput where real-time response times are vital. Exploitation of this vulnerability could allow unauthenticated attackers to remotely access internet-facing Redis instances running in NOSi Docker containers, allowing them to "write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database." Although this is a critical vulnerability, it is on the lower end of critical because the NOSi Docker containers are sandboxed; the vulnerable Redis instance is isolated from the host system, which prevents the attacker from executing code remotely. CTIX analysts recommend that all Cisco customers and network administrators update to the latest stable version immediately. Applying this patch in enterprise environments may substantially disrupt business processes, so to mitigate as much loss as possible Cisco has also published mitigation techniques, such as disabling the health check RPM or manually blocking port 6379 via an infrastructure access control list (iACL). These mitigations are not an alternative to patching vulnerable systems; administrators should implement them so that they can best plan for patching their infrastructure.
It should be noted that Redis is designed to be accessible only by trusted clients inside trusted environments, and as a rule of thumb, exposing a Redis instance directly to the internet is considered bad practice.
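The Cisco flaw is, at bottom, a Redis instance reachable over the network with no authentication, and the same exposure is easy to create by hand in an ordinary deployment. As an added example (not code from Cisco or the Redis project), the following audits a redis.conf for the settings that produce that exposure; both sample configs are constructed, and the checks follow the documented Redis defaults.

```python
# Added example: flag redis.conf settings that leave Redis reachable by untrusted clients.
# Both sample configs are constructed. Checks rely on documented Redis defaults:
# no 'bind' means all interfaces, and protected-mode is on unless set to 'no'.

WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# loopback only, password required, protected mode left on, CONFIG command disabled
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass correct-horse-battery-staple
rename-command CONFIG ""
"""

def parse_conf(text):
    """Return {directive: [args...]}, keeping the last occurrence of each directive and
    skipping blank lines and full-line '#' comments (redis.conf is whitespace-delimited)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        conf[key.lower()] = args
    return conf

def audit(text):
    """Return the list of exposure findings for a redis.conf; an empty list means none fired."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind", [])
    if not bind or any(a in ("0.0.0.0", "::", "*", "-::*") for a in bind):
        findings.append("listens on all interfaces (bind)")
    if conf.get("protected-mode", ["yes"]) == ["no"]:
        findings.append("protected-mode disabled")
    # Without a password or ACL users, any client that can reach the port is trusted.
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no authentication (requirepass / ACL user)")
    return findings
```

Pairing this with a network-layer block on port 6379, as the Cisco iACL mitigation does, gives two independent controls rather than one.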
Unpatched PayPal Vulnerability Allows for Clickjacking Attacks
The popular online payment company PayPal has become aware of an unpatched vulnerability in its money transfer service that leaves unsuspecting users at risk from a social engineering technique known as clickjacking. Clickjacking, also known as UI redressing, is an attack that uses maliciously crafted webpages and webpage elements, designed to look like legitimate sites, to trick users into clicking on overlaid elements that download and execute malware and/or into typing sensitive information into text boxes that redirect the user's data to a command-and-control (C2) system. This is typically done by overlaying malicious HTML elements on top of a legitimate website via an HTML inline frame (iframe), the element used for embedding one HTML document within another. Users may think they are clicking the "Login" button, when in reality they have clicked on an invisible malware link or a redirect that secretly sends their login information back to the C2. Security researcher "h4x0r_dz" first identified the vulnerability on the "paypal[.]com/agreements/approve" endpoint designed for Billing Agreements; although it is only supposed to accept the "billingAgreementToken", h4x0r_dz alleges that other token types work as well. An attacker could embed this vulnerable money transfer endpoint within a maliciously crafted HTML iframe, causing whatever funds are being sent to be redirected to an attacker-controlled PayPal account. Although this is a critical flaw at the individual PayPal account level, it poses an even greater risk to enterprise online payment portals that offer PayPal as a form of payment at checkout. In this case, a UI redress overlaid on a website's PayPal checkout page could potentially send any PayPal transactions to an attacker-controlled account instead of the company's payment account. Though h4x0r_dz reported the flaw to the PayPal bug bounty program in October 2021 along with a proof-of-concept exploit, the flaw remains unpatched.
The CTIX team will continue to monitor this matter and may provide an update once PayPal has made an official statement.
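Whether an endpoint can be loaded inside a third-party iframe at all is decided by its anti-framing response headers, so the defender's check is to evaluate those headers for every sensitive endpoint rather than only the main pages. The following is an added example, not code from PayPal or from h4x0r_dz's report, that evaluates constructed response headers against an assumed attacker origin; it applies the CSP rule that frame-ancestors takes precedence over X-Frame-Options and treats the obsolete ALLOW-FROM value as no protection.

```python
# Added example: do a page's response headers let a foreign origin frame it?
# Sample headers are constructed; the attacker origin is a placeholder.

def parse_csp(value):
    """Return {directive: [sources...]} from a Content-Security-Policy header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def framable_by(headers, attacker_origin):
    """True if a page served with these headers can be embedded in an iframe hosted at
    attacker_origin (a different origin from the page). Per the CSP spec, frame-ancestors
    overrides X-Frame-Options when both are present; ALLOW-FROM is ignored by modern
    browsers and so counts as no protection. Simplification: host wildcards such as
    https://*.example are not expanded."""
    h = {k.lower(): v for k, v in headers.items()}
    attacker = attacker_origin.lower()
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # 'none' and 'self' never match a foreign origin; '*', a bare scheme such as
        # 'https:', or the exact origin do.
        return any(
            src == "*" or src == attacker or (src.endswith(":") and attacker.startswith(src))
            for src in csp["frame-ancestors"]
        )
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")

# Constructed responses: no policy, XFO only, a CSP allow-list, and a conflicting pair.
NO_POLICY = {"Content-Type": "text/html"}
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
CSP_ALLOWLIST = {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'self' https://partner.example"}
CONFLICTING = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"}

def audit_all(attacker_origin="https://evil.example"):
    """Return {name: framable} for each constructed response."""
    responses = {"no_policy": NO_POLICY, "xfo_only": XFO_ONLY,
                 "csp_allowlist": CSP_ALLOWLIST, "conflicting": CONFLICTING}
    return {name: framable_by(hdrs, attacker_origin) for name, hdrs in responses.items()}
```

A result of True for any endpoint that moves money or accepts credentials is the finding to fix, normally with frame-ancestors 'none' (or 'self' where the site legitimately frames itself).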
The United Kingdom Is the Next Government to Ban Clearview AI, Imposes £7.5 Million Fine
The United Kingdom government announced a fine of over £7.5 million against facial recognition company Clearview AI and ordered it to cease collecting information on UK residents and to delete the data already collected. Clearview has been targeted by other countries in the past for its data gathering practices as well: both Australia and Canada ordered the company to stop collecting information on their citizens, in November and December 2021 respectively. In the UK announcement, John Edwards, the UK Information Commissioner, stated “the company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable.” The fine and order follow a joint investigation by the Information Commissioner's Office and the Office of the Australian Information Commissioner between July 2020 and November 2021. In response, Clearview's founder and CEO Hoan Ton-That stated that "he was 'deeply disappointed' that the U.K. data authority 'misinterpreted' his company’s technology and intentions." He also "welcomes" conversations with leaders and lawmakers to assist law enforcement in using the technology to "continue to make communities safe." While Clearview claims to assist law enforcement, privacy advocates such as the EFF have argued against the use of facial recognition in law enforcement due to bias and privacy concerns. The governments of the United Kingdom, Australia, and Canada, as well as multiple US municipalities, have shown that they share these privacy concerns, opting to ban the service rather than use it themselves.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.