Ankura CTIX FLASH Update - August 30, 2022

Ransomware/Malware Activity

Nelnet Data Breach Affects Over 2.5 Million Individuals Borrowing from OSLA and EdFinancial

Over 2.5 million individuals with federal student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial Services, LLC (EdFinancial) have been impacted by the recent data breach of Nelnet Servicing, LLC (Nelnet), a technology services provider. Nelnet's services, including their web portal, are used by OSLA and EdFinancial to give borrowers the ability to create and access their loan accounts. In June of 2022, unauthorized and currently undisclosed actors breached Nelnet’s systems and persisted in them until July 22, 2022. Nelnet currently suspects that a vulnerability was exploited to gain this access and the notification letter emphasized that no Nelnet-serviced borrowers were impacted by this incident. The data that has been exposed in this data breach includes name, address, email address, phone number, and Social Security number (SSN). No individual's payment information or account numbers were impacted. In their notification letters, EdFinancial and OSLA noted that there is currently no evidence of any actual or attempted misuse of information from this incident and offered impacted individuals free access to the Experian 24-month identity theft protection service. Due to the breach involving Federal Student Aid (FSA) providers and the risk of exposure being magnified, law firm "Markovits, Stock & DeMarco" has already launched an investigation on the "potential of a class action lawsuit." Threat actors have the ability to utilize exposed data in phishing campaigns, social engineering, and impersonation schemes.  As a result, those impacted by this data breach must remain vigilant against suspicious communications as well as fraudulent charges.

HYPERSCRAPE Extortion Tool Downloads Victims' Gmail, Yahoo!, and Microsoft Outlook Inboxes

Threat Analysis Group (TAG) researchers at Google have published a new report regarding an emerging extortion tool called "HYPERSCRAPE". HYPERSCRAPE allows the exfiltration of inboxes from Gmail, Yahoo!, and Microsoft Outlook accounts using previously exposed credentials. Researchers detailed that Charming Kitten (APT35), an alleged state-sponsored Iranian hacking group, created this tool and has currently deployed it against fewer than twenty-four (24) accounts located in Iran. The attack begins with the threat actor spoofing a user agent to appear as an outdated browser in order to enable the HTML view. Once logged in using the victim's account credentials, HYPERSCRAPE "changes the account's language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread." Once the data is finished downloading, the tool "reverts the language back to its original settings and deletes any security emails from Google." Researchers noted that the tool's functionality may differ for Yahoo! and Microsoft Outlook (as they tested the tool with a fake Gmail account), and that this tool is designed to run on the threat actor's machine. Earlier versions of the tool also allowed data from Google Takeout to be exfiltrated. In this scenario, the tool will "spawn a new copy of itself and initialize a pipe communication channel to relay cookies and account name, both of which are required to accomplish the Takeout." Once the desired information is received, the tool requests and later downloads the exported data from the official Takeout link. As HYPERSCRAPE is still under active development, CTIX analysts will provide details regarding new advancements as they become available. Indicators of compromise as well as technical details can be viewed in Google's report linked below.
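The behaviours described above can be correlated per session on the defender's side. The following is an added example, not code from Google's report or from CTIX; the event schema, action names, and threshold are hypothetical and the sample events are constructed.

```python
from collections import defaultdict

# Constructed, normalized mailbox audit events (hypothetical schema, not a
# provider's real log format): (session_id, sequence, action, detail)
EVENTS = [
    ("s1", 1, "login", "legacy_browser_ua"),
    ("s1", 2, "language_change", "fa->en"),
    ("s1", 3, "message_download", "eml"),
    ("s1", 4, "mark_unread", ""),
    ("s1", 5, "message_download", "eml"),
    ("s1", 6, "mark_unread", ""),
    ("s1", 7, "language_change", "en->fa"),
    ("s1", 8, "delete_message", "security_alert"),
    ("s2", 1, "login", "current_browser_ua"),
    ("s2", 2, "language_change", "fa->en"),  # a user simply switching language
    ("s2", 3, "message_download", "eml"),
]

def hyperscrape_indicators(events):
    """Return the set of behaviours from the report seen in one session."""
    hits, original_lang, downloads = set(), None, 0
    for _, _, action, detail in sorted(events, key=lambda e: e[1]):
        if action == "login" and detail == "legacy_browser_ua":
            hits.add("outdated_user_agent")
        elif action == "language_change":
            old, new = detail.split("->")
            if new == "en" and original_lang is None:
                original_lang = old
                hits.add("language_set_to_english")
            elif original_lang is not None and new == original_lang:
                hits.add("language_reverted")
        elif action == "message_download":
            downloads += 1
        elif action == "mark_unread" and downloads:
            hits.add("download_then_mark_unread")
        elif action == "delete_message" and detail == "security_alert":
            hits.add("security_email_deleted")
    return hits

def flag_sessions(events, threshold=4):
    """Flag sessions showing at least `threshold` distinct behaviours."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event[0]].append(event)
    flagged = {}
    for sid, session_events in by_session.items():
        hits = hyperscrape_indicators(session_events)
        if len(hits) >= threshold:
            flagged[sid] = sorted(hits)
    return flagged
```

No single behaviour is suspicious on its own, which is why session `s2` is not flagged; the signal is the combination within one session.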

Threat Actor Activity

MuddyWater Continues Exploiting Log4Shell in Cyber War

Since its discovery in December 2021, the Log4Shell vulnerability has allowed threat actors to compromise organizations worldwide. Nine (9) months later, threat actors such as MuddyWater (a.k.a. “Static Kitten”, “MERCURY”, “Seedworm”) continue to utilize the attack chain to compromise assets throughout the Israeli region. MuddyWater is a well-known Iranian threat organization that has compromised assets in telecommunications, IT services, and oil industries in the Middle East and European regions. Recently, MuddyWater began a new operation targeting Israeli corporate networks as a response to the ever-growing cyberwar between the two countries. MuddyWater has slightly shifted recently to targeting vulnerabilities within SysAid, a widely used Israeli IT management software. Once a vulnerable system is exploited, threat actors have the ability to drop additional tools to enable further reconnaissance, establish persistence, and facilitate lateral movement within the compromised network. Leveraging the unauthorized access, MuddyWater threat actors collect network information and Active Directory environment information, create administrator-level user accounts, and exfiltrate credentials from sensitive network resources to command-and-control (C2) servers. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.

Actor Profile: TA423 and Recent Espionage Campaign

A Chinese-backed threat group has been targeting organizations throughout the manufacturing and energy sectors, as well as federal agencies in several countries. The threat group, tracked as TA423 and Red Ladon, is an espionage-motivated organization that has been active since 2013. TA423 often plans its attacks around significant political events within the Asia-Pacific region, with a concentration on Southern China. Throughout TA423's nearly decade-long activity, they have targeted entities within government agencies, universities, legal firms, defense contractors, and foreign businesses tied to South China Sea operations. TA423's most recent campaign heavily targeted local and federal Australian government agencies, media companies, and manufacturing organizations specifically associated with the maintenance of wind turbines. Threat actors often posed as employees of the Australian Morning News in this phishing campaign in an attempt to lure users to visit actor-controlled infrastructure via a malicious link. Once the link is opened, the user is taken to a malicious website where the ScanBox framework is hosted. With ScanBox, TA423 has the capability to configure specific plugins to execute on the infected system and exfiltrate targeted data back to command-and-control (C2) servers. CTIX continues to urge users to validate the integrity of all email correspondence prior to clicking any links or downloading any files to lessen the risk of threat actor compromise.


Severe Vulnerability in Atlassian Bitbucket Data Center and Server Allows Unauthenticated RCE

Development and collaboration software company Atlassian has published a security advisory urging their customers to patch a critical command injection vulnerability existing in multiple API endpoints for their Bitbucket Data Center and Server products. These software solutions allow organizations to self-manage source code collaboration for their professional development teams. A feature of Bitbucket Data Center and Server is the ability for administrators to allow public access to their code repositories. This open-source cloud development methodology allows unauthenticated users across any distance to browse specific repositories or entire projects. It also allows those anonymous users to clone repositories, without needing to have a Bitbucket account. If successfully exploited, the flaw, tracked as CVE-2022-36804, could allow attackers with access to a public repository or with read permissions to a private Bitbucket repository to send maliciously crafted HTTP packets to a vulnerable instance, allowing for arbitrary remote code execution (RCE). Security researcher Max Garrett first identified this vulnerability and reported it to Atlassian as part of their bug bounty program. In a Twitter post, Garrett promised to publish a proof-of-concept (PoC) exploit for this flaw in the next thirty (30) days, giving organizations time to patch their vulnerable instances. This vulnerability is potentially very dangerous, with a CVSS score of 9.9/10, and CTIX analysts recommend that system administrators apply the latest patch immediately. If the negative impact to critical business processes is too great to update all at once, then administrators should apply a temporary mitigation using “feature.public.access=false” to turn off public repositories, meaning that only authorized users have access. 
It should be noted, however, that this is not a foolproof plan, and attackers who gain access to the affected platforms via stolen credentials would still be able to exploit this vulnerability.
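A way to verify that the temporary mitigation is actually in effect in an instance's properties file (`bitbucket.properties`) is shown below. This is an added example, not Atlassian's or CTIX's code; the sample file contents are constructed, and the parser assumes plain Java-properties syntax without escapes or line continuations.

```python
import re

KEY = "feature.public.access"  # property named in the mitigation above

def effective_value(text, key=KEY):
    """Return the last value assigned to `key`, or None if it is never set.

    Java properties rules applied here: '#' and '!' start comments, the
    separator may be '=', ':' or whitespace, and a later duplicate wins.
    """
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if match and match.group(1) == key:
            value = match.group(2).strip()
    return value

def mitigation_applied(text):
    """True only when the effective setting is exactly 'false'."""
    value = effective_value(text)
    return value is not None and value.lower() == "false"

# Constructed sample files (not taken from any real deployment).
SAMPLES = {
    # Mitigation present but commented out, so it has no effect.
    "commented_out": "# feature.public.access=false\nexample.other.setting=1\n",
    # Mitigation set, then silently overridden further down the file.
    "overridden": "feature.public.access=false\nfeature.public.access = true\n",
    # Mitigation in effect (':' is a valid separator).
    "hardened": "example.other.setting=1\nfeature.public.access: false\n",
}

def audit(samples=SAMPLES):
    """Map each sample name to whether public access is turned off."""
    return {name: mitigation_applied(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name}: {'mitigation applied' if ok else 'public access NOT disabled'}")
```

A passing check only confirms the temporary mitigation; as noted above, it does not replace applying the patch.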

Cisco Patches Multiple Critical Vulnerabilities Inducing DoS Conditions

The IT and networking brand Cisco has patched two (2) critical vulnerabilities affecting the NX-OS network operating system, which powers Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. If successfully exploited, each vulnerability could induce denial-of-service (DoS) conditions, rendering the devices inoperable. The first flaw, tracked as CVE-2022-20823, was given a CVSS score of 8.6/10, and affects the OSPF version 3 (OSPFv3) feature of Cisco NX-OS, stemming from improper input validation of specific OSPFv3 packets. If exploited, an unauthenticated remote attacker could craft and send malicious OSPFv3 link-state advertisements (LSA) to a vulnerable switch, causing the process itself to crash and restart repeatedly, creating a DoS. The second vulnerability, tracked as CVE-2022-20824, is also due to improper input validation, this time within the Cisco Discovery Protocol feature. If exploited, an attacker could send maliciously crafted Discovery Protocol packets to a vulnerable device, allowing the attacker to execute arbitrary code with root privileges, as well as induce a DoS through repeated forced crashes and restarts. It should be noted that for CVE-2022-20824 to be exploited, the attackers must have gained access to a device adjacent to the vulnerable switch, meaning that the packets can't be passed through another device before reaching their target. CTIX analysts urge all organizations leveraging Cisco business routers and switches to ensure that they have installed the latest patch to avoid exploitation.

Honorable Mention

FTC Sues Geolocation Data Broker Kochava

The U.S. Federal Trade Commission (FTC) announced on August 29th that it will be pursuing a lawsuit against an Idaho-based location data broker named "Kochava." Kochava aggregates sensitive and precise (down to the meter) geolocation data collected from hundreds of millions of mobile devices. Kochava's clients use this information to identify and track mobile users' movements and the locations they visit. Their clients keep logs of users who travel to reproductive health centers, mental care and addiction rehabilitation facilities, and domestic violence and homeless shelters. Kochava collected this data and turned it into a feed that its clients can access through a $25,000 subscription service. A free 7-day data set was also available as a trial of their services until it was shut down in June 2022. Kochava has marketed this service on the Amazon Web Services (AWS) Marketplace since its inception. In a description of the service, Kochava marketed itself as a product that "delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device." The FTC has taken action against Kochava due to the potential "threats of stigma, stalking, discrimination, job loss, and even physical violence" the identified individuals could face. The lawsuit brought by the FTC could shut down Kochava's sale of sensitive geolocation data and the company may be required to delete all of the sensitive information it has collected. When the lawsuit was first announced, the data broker responded by suing the FTC for overreaching. Kochava stated in a press release that the company would introduce a "privacy block" that aims to be a "privacy-first approach to block health services locations from the Kochava Collective marketplace." This would address some of the concerns the FTC had and could allow Kochava to continue selling other types of location data. This lawsuit is the newest development in the FTC's mission to crack down on businesses behind mass-surveillance data. CTIX analysts are continuing to monitor the FTC's mission and will provide updates on future developments.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ( if additional context is needed and the CTIX team ( for threat intelligence inquiries.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.