
Ankura CTIX FLASH Update - August 8, 2023

Malware Activity


Colorado Department of Higher Education Discloses Data Breach Potentially Impacting Sixteen Years' Worth of Data

The Colorado Department of Higher Education (CDHE) disclosed on August 4, 2023, that it suffered a large-scale data breach in connection with a ransomware attack discovered on June 19, 2023. In its Notice of Data Incident, CDHE explained that an unauthorized actor accessed its systems between June 11 and June 19, 2023, and exfiltrated data spanning sixteen (16) years. CDHE noted that its investigation into the scope of the breach is still ongoing but identified the categories of individuals who may be affected: those who "attended a public institution of higher education in Colorado from 2007-2020, attended a Colorado public high school between 2004-2020, individuals with a Colorado K-12 public school educator license between 2010-2014, participated in the Dependent Tuition Assistance Program from 2009-2013, participated in Colorado Department of Education's Adult Education Initiatives programs between 2013-2017, or obtained a GED between 2007-2011." CDHE stated that the affected data includes names, Social Security numbers (SSNs), student identification numbers, and other education records. Bleeping Computer reported on August 5, 2023, that the exfiltrated data also contained "full names, social security numbers, dates of birth, addresses, proof of addresses (statements/bills), photocopies of government IDs, and for some, police reports or complaints regarding identity theft." CDHE stated that notifications will be sent by mail or email to affected individuals once the investigation is complete. CTIX analysts will continue to monitor the CDHE data breach and provide updates on the conclusion of the investigation, as well as any fallout, when applicable.


Threat Actor Activity


North Korean Hackers Exploit Russian Engineering Firm

Security researchers have uncovered a months-long intrusion into the Russian missile engineering firm NPO Mashinostroyeniya (NPO Mash). The compromise came to light after an NPO Mash IT employee inadvertently leaked internal company communications while uploading evidence to a private cybersecurity portal. Initial indicators point to two (2) North Korean threat organizations, Lazarus Group and APT37 (ScarCruft), both well-established cyberespionage groups. The Lazarus Group connection stems from samples of the "OpenCarrot" backdoor found on the firm's IT systems; OpenCarrot is a backdoor commonly used by the group and has been seen in financially motivated North Korean intrusions. It supports command-and-control (C2) communications, file upload and download, network reconnaissance, and execution of arbitrary commands on the victim host. The APT37 connection was established when researchers found the firm's email server communicating with known APT37 infrastructure. Based on the technical details of the compromise, researchers believe the two (2) groups worked in tandem to compromise NPO Mash and harvest intelligence from its networks. CTIX will continue to monitor threat actor activity worldwide and provide additional updates accordingly.


Vulnerabilities


PaperCut NG/MF Vulnerable to Remote Code Execution Attacks

A critical vulnerability in the print management solution PaperCut NG/MF puts unpatched PaperCut servers running on Windows at risk of exploitation. PaperCut is a print management solution for enabling, tracking, managing, and securing an organization's printing, copying, and scanning. Tracked as CVE-2023-39143, the flaw is described by Horizon3 researchers as unauthenticated remote code execution (RCE) achieved by chaining two (2) path traversal vulnerabilities that are reachable when the external device integration setting is enabled. That setting is on by default in certain installations, such as the PaperCut NG Commercial version and PaperCut MF. An attacker who successfully exploits the chain could read, delete, and upload arbitrary files on the PaperCut application server, which is how the traversal bugs escalate to code execution. Shodan searches show at least 1,800 PaperCut servers exposed to the public internet, and Horizon3 estimates that the majority of them run on Windows with external device integration enabled. At this time, there is no evidence that this flaw is being actively exploited. That said, in April 2023, PaperCut servers were compromised by ransomware gangs and state-sponsored actors including Cl0p, MuddyWater, and APT35 through a separate critical unauthenticated RCE vulnerability (CVE-2023-27350) and an information disclosure bug (CVE-2023-27351). In their report, Horizon3 researchers provide a simple command that administrators can run to check whether a server is vulnerable to CVE-2023-39143. The vulnerability has been patched in PaperCut NG/MF 22.1.3, and CTIX analysts urge all PaperCut administrators to run the check and update their servers immediately.
If servers cannot be patched immediately because of the impact on critical operations, the vulnerability can be mitigated manually by following the PaperCut security best practices guide and configuring an allowlist of device IP addresses that are explicitly authorized to communicate with the PaperCut servers.
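As an added example (not PaperCut's or Horizon3's code, and not the advisory's check command), the following Python shows the vulnerability class at the heart of CVE-2023-39143, path traversal in a file-serving endpoint, with a naive resolver beside a hardened one, plus a device IP allowlist check of the kind the mitigation above describes. The web root, the request paths, the client addresses and the allowlist are constructed for illustration.

```python
"""Path traversal: a naive file resolver beside a hardened one, plus a
device IP allowlist check. Added example with constructed inputs; it is
not PaperCut's code and does not reproduce the CVE-2023-39143 exploit."""
import ipaddress
import posixpath
from urllib.parse import unquote

# Hypothetical document root of a file-serving endpoint.
WEB_ROOT = "/opt/app/static"


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """Naive resolver: concatenates the decoded request onto the root.
    Any '../' sequence walks straight out of web_root."""
    return web_root + "/" + unquote(requested)


def hardened_resolve(web_root: str, requested: str):
    """Returns the on-disk path for `requested`, or None if it would
    leave web_root. Handles URL encoding, double encoding, Windows
    separators and NUL bytes before normalising."""
    path = requested
    for _ in range(3):                      # peel repeated encodings (..%252f)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:                      # NUL truncation tricks
        return None
    path = path.replace("\\", "/").lstrip("/")   # Windows separators, absolute paths
    full = posixpath.normpath(posixpath.join(web_root, path))
    root = posixpath.normpath(web_root)
    if full != root and not full.startswith(root + "/"):
        return None                         # resolved outside the root
    return full


def device_allowed(client_ip: str, allowlist) -> bool:
    """True if client_ip falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def triage(requests, allowlist):
    """Runs each (client_ip, path) request through both checks."""
    results = []
    for client_ip, path in requests:
        results.append({
            "path": path,
            "device_allowed": device_allowed(client_ip, allowlist),
            "naive": vulnerable_resolve(WEB_ROOT, path),
            "hardened": hardened_resolve(WEB_ROOT, path),
        })
    return results


if __name__ == "__main__":
    # Constructed sample traffic: one allowlisted device, one internet client.
    ALLOWLIST = ["10.0.5.0/24"]
    SAMPLE = [
        ("10.0.5.20", "css/app.css"),
        ("203.0.113.9", "..%2f..%2f..%2fwindows/win.ini"),
        ("203.0.113.9", "..%252f..%252fetc/passwd"),
        ("203.0.113.9", "..\\..\\windows\\win.ini"),
    ]
    for r in triage(SAMPLE, ALLOWLIST):
        print(r)
```

The naive resolver happily produces `/opt/app/static/../../../windows/win.ini` for the encoded request, which is exactly the kind of path a traversal bug hands to the file system; the hardened version decodes first, normalises, and then checks that the result is still under the root rather than trying to blacklist `..`. The allowlist check is the network-level complement: even a vulnerable endpoint is only reachable from the device networks an administrator has explicitly authorized.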


Honorable Mention


New Acoustic Attack Deciphers Keystrokes with 95% Accuracy

Academic researchers have developed a deep-learning-based acoustic side-channel attack that recovers keystrokes from keyboard audio captured by a nearby microphone or by the victim device's own microphone. The trained model identified recorded keystrokes with 95% accuracy when the audio was captured by a smartphone microphone placed seventeen (17) centimeters away, 93% accuracy when captured over Zoom, and 91.7% accuracy over Skype. The research shows that sound-based side-channel attacks may be far more practical and dangerous than previously assumed, particularly given the growing number of microphone-bearing devices with high-quality audio capture and continuing advances in machine learning. The attack proceeds by recording the target's keystrokes, either with a nearby microphone, with malware on the target device that has microphone access, or potentially during an online meeting such as a Zoom or Skype call. The recording is then split into individual keystrokes, each of which is converted into a waveform and spectrogram; the spectrograms serve as images that differ identifiably between keys and are classified by a "CoAtNet" image classifier that the researchers trained on sequences of labeled keystroke recordings they produced themselves. Readers who may be targeted by this type of attack can reduce the risk by using a software-based keystroke audio filter and by continuing to use strong passwords and two-factor authentication.
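As an added example, not the researchers' code or the paper's model, the following pure-Python script reproduces the first two stages of the pipeline described above on a constructed signal: it isolates individual keystrokes from a recording by energy thresholding and turns each one into a spectrogram (a naive DFT per 10 ms frame). The 8 kHz sample rate, the synthetic 1200 Hz "click" standing in for a key press, the energy threshold and the keystroke times are all assumptions; no CoAtNet classifier is trained here.

```python
"""Keystroke isolation and spectrogram extraction from an audio signal,
the first two stages of the acoustic side-channel pipeline described
above. Added example with a synthetic signal; it is not the researchers'
code and trains no classifier."""
import cmath
import math

SAMPLE_RATE = 8000          # Hz, assumed for the synthetic recording
FRAME = 80                  # samples per analysis frame (10 ms at 8 kHz)


def synth_recording(key_times_s, duration_s=1.0, rate=SAMPLE_RATE):
    """Constructed stand-in for a microphone capture: a faint 50 Hz hum
    plus a short decaying 1200 Hz click at each keystroke time."""
    n = int(duration_s * rate)
    samples = [0.02 * math.sin(2 * math.pi * 50 * i / rate) for i in range(n)]
    click_len = int(0.02 * rate)            # 20 ms click
    decay = 0.005 * rate                    # 5 ms time constant
    for t in key_times_s:
        start = int(t * rate)
        for i in range(click_len):
            if start + i < n:
                samples[start + i] += (math.sin(2 * math.pi * 1200 * i / rate)
                                       * math.exp(-i / decay))
    return samples


def frame_energies(samples, frame=FRAME):
    """Mean squared amplitude per frame."""
    return [sum(x * x for x in samples[i:i + frame]) / frame
            for i in range(0, len(samples), frame)]


def isolate_keystrokes(samples, rate=SAMPLE_RATE, frame=FRAME,
                       threshold=0.01, min_gap_s=0.03):
    """Energy-threshold onset detection: a keystroke starts when a frame's
    energy rises above `threshold` from below. `min_gap_s` suppresses
    re-triggering on the click's ringing. Returns onset times in seconds."""
    onsets = []
    above = False
    last_onset = -min_gap_s
    for idx, e in enumerate(frame_energies(samples, frame)):
        t = idx * frame / rate
        if e > threshold and not above and t - last_onset >= min_gap_s:
            onsets.append(round(t, 3))
            last_onset = t
        above = e > threshold
    return onsets


def spectrogram(samples, start, n_frames=2, frame=FRAME):
    """Naive DFT magnitude spectrum for `n_frames` frames beginning at
    sample `start`. Real input, so only bins 0..frame/2 are kept.
    Each row is one frame: the 'image' a classifier would consume."""
    rows = []
    for f in range(n_frames):
        seg = samples[start + f * frame: start + (f + 1) * frame]
        seg += [0.0] * (frame - len(seg))       # zero-pad a short tail
        rows.append([abs(sum(x * cmath.exp(-2j * math.pi * k * i / frame)
                             for i, x in enumerate(seg)))
                     for k in range(frame // 2 + 1)])
    return rows


def peak_frequency_hz(row, rate=SAMPLE_RATE, frame=FRAME):
    """Frequency of the strongest bin in one spectrogram row."""
    k = max(range(len(row)), key=row.__getitem__)
    return k * rate / frame


def analyse(key_times_s):
    """End-to-end: synth a recording, isolate keystrokes, and report the
    peak frequency of each keystroke's first spectrogram frame."""
    rec = synth_recording(key_times_s)
    onsets = isolate_keystrokes(rec)
    peaks = [peak_frequency_hz(spectrogram(rec, int(t * SAMPLE_RATE))[0])
             for t in onsets]
    return onsets, peaks


if __name__ == "__main__":
    print(analyse([0.10, 0.355, 0.62]))
```

On the constructed signal the detector finds the three keystrokes to within one 10 ms frame and the hum stays below the threshold; each keystroke's spectrogram rows are what an image classifier such as the paper's CoAtNet would be trained on, with the real distinguishing information being the subtle per-key differences in those rows rather than a single peak. On a genuine capture the threshold would be set from the measured noise floor, and a mel-scaled spectrogram with overlapping windows would replace this plain DFT.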


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

cyber response, cybersecurity & data privacy, data privacy & cyber risk, data & technology, report
