Tag Archive for: Exposed

North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder


North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address.

Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors.

UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People’s Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies.

The adversarial collective’s modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker’s true point of origin, with commercial VPN services acting as the final hop.

“There have been many occasions in which DPRK threat actors did not employ this last hop, or mistakenly did not utilize this while conducting actions on operations on the victim’s network,” the company said in an analysis published Monday, adding it observed “UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24 subnet.”

The intrusion directed against JumpCloud took place on June 22, 2023, as part of a sophisticated spear-phishing campaign that leveraged the unauthorized access to breach fewer than five customers and fewer than 10 systems in what’s called a software supply chain attack.

Mandiant’s findings are based on an incident response effort initiated in the aftermath of a cyber attack against one of JumpCloud’s impacted customers, an unnamed software solutions entity, the starting point being a malicious Ruby script (“init.rb”) executed via the JumpCloud agent on June 27, 2023.

A notable aspect of the incident is its targeting of four Apple systems running macOS Ventura versions 13.3 or 13.4.1, underscoring North Korean actors’ continued investment in honing malware specially tailored for the platform in…


Source code of BlackLotus UEFI bootkit malware exposed – SC Media


A Zero-Day Flaw in Hacked MOVEit Software Was Exposed on Twitter


(Bloomberg) — John Hammond, a senior researcher at the cybersecurity firm Huntress, had already lost a few nights of sleep when someone he’d been messaging with privately over Twitter delivered a bombshell.

The person, who declined to provide his name but describes himself as an exploit writer, told Hammond on June 15 that he had inadvertently stumbled upon a new zero-day vulnerability in MOVEit file-transfer software — the type of flaw that doesn’t have a fix, or patch, leaving users vulnerable to hackers. What’s more, the anonymous researcher publicly shared details about the flaw on Twitter — a potentially disruptive move that could’ve enabled attackers to exploit the vulnerability before the software owner could respond.

This was not the standard practice of cybersecurity researchers. They generally give organizations notice about such flaws before going public in an effort to avoid aiding bad actors. (The US Department of Homeland Security says that it gives organizations 45 days to respond to vulnerability reports before a public disclosure.)

It stood to exacerbate what was already a crisis over MOVEit, the software at the center of an ongoing hacking campaign by a Russian-speaking criminal group called Clop that exploited a different zero-day flaw to access files from at least dozens of companies and organizations. The researcher’s discovery ended up adding to the woes of Progress Software Corp., the company behind MOVEit software.

Progress had already issued a patch soon after it discovered the initial zero-day flaw exploited by Clop. And, based on a tip from Huntress, it issued another fix for a second zero-day earlier this month, Hammond said.


Now there was a third. In a private message on Twitter, the anonymous researcher told John he had realized what he had discovered was a zero-day event, according to screenshots of the thread shared with Bloomberg News. The researcher, a self-described exploit writer and “white-hat” hacker — someone who finds and reports flaws rather than exploiting them — capped the note off with an emoji of an astonished face.

Hammond, who had spent recent…


Raidforums member data leaked on new ‘Exposed’ hacking forum


A recently launched hacking site has published the member database of RaidForums, a notorious hacking forum taken offline in 2022.

Founded in 2015, RaidForums operated on the regular internet and was a popular hacking and data leak forum. Although it offered various illegal services, it was best known for trading stolen credentials.

The site was taken down in 2022 following an international law enforcement investigation and its founder, Diogo Santos Coelho of Portugal, was arrested. RaidForums was quickly replaced by a nearly identical site called BreachForums, but that site was taken down after its founder Conor Brian Fitzpatrick was arrested in March.

It’s often said that law enforcement operations targeting illicit sites are like a game of “Whac-A-Mole”: Every time one site is taken down, another appears. The story of RaidForums and its successors is the same. The new player in town, complete with the same design and similar illegal services, goes by the name “Exposed,” and it’s on this forum that the RaidForums data has been leaked.

A user on Exposed, going by the name of “Impotent” and claiming to be both the owner and administrator of the site, has leaked 374.7 megabytes of RaidForums data. Bleeping Computer reported today that the data consists of a single SQL file that contains the registration information of 478,870 RaidForums members, including their usernames, email addresses, hashed passwords, registration dates and a variety of other information.

How the data was obtained was not shared. Impotent told Bleeping Computer that they know where the data came from but have promised not to disclose any details about the source. Impotent added that the member database table contains 99% of the original lines, with some removed to “cause no drama.”

“There’s no telling how this data was gathered, whether it was a new breach or just reusing data from another older breach, but it continues a well-worn pattern of malicious websites leaking customer data,” Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., told SiliconANGLE. “It turns out that most malicious websites are no better…
