Cyber News Roundup for June 28, 2024

1. A hacker leaks contact details of over 33,000 Accenture employees

A hacker named “888” has leaked contact details of 33,000 current and former Accenture employees, obtained through a third-party breach. The data, posted on Breach Forums, includes full names and email addresses but no passwords. Accenture, a global IT and consulting firm based in Dublin, operates in over 120 countries. Hackread.com confirmed the authenticity of the leaked information. “888” is known for previous leaks involving major corporations. Accenture employees are advised to be vigilant against phishing and identity theft scams. (Hack Read)

2. IntelBroker claims to have leaked source code from Apple

Notorious hacker IntelBroker, responsible for previous high-profile breaches, has allegedly leaked source code for several of Apple’s internal tools on a dark web forum. IntelBroker claims the June 2024 breach of Apple.com exposed tools including AppleConnect-SSO, an employee authentication system, and two other lesser-known tools. AppleConnect-SSO is crucial for employee access to internal systems, akin to an Apple ID. The breach appears to affect only internal systems, not customer data. IntelBroker, known for targeting major organizations like AMD, Zscaler, and AT&T, has posted this information on BreachForums. The authenticity of the data is uncertain, but IntelBroker’s reputation lends credibility. The FBI is reportedly investigating the incident. (9to5Mac)

3. UEFI vulnerability found on Intel CPUs

A report from Eclypsium details a flaw in Phoenix SecureCore UEFI firmware used by Intel motherboards going back to 2016 across desktop and mobile systems. Delightfully dubbed “UEFIcanhazbufferoverflow,” the flaw comes from an unsafe variable in the TPM that creates a buffer overflow that could be used to execute arbitrary code. There’s no indication this flaw saw exploitation in the wild. Eclypsium disclosed the vulnerability, which Phoenix Technologies patched in April, but given the span of vulnerable devices, many likely remain unpatched. (The Hacker News)

4. Hacking campaign threatens French diplomats

France’s cybersecurity agency ANSSI issued an alert identifying the Russian-linked threat actor Nobelium as targeting numerous French organizations, ranging from the Ministry of Culture to Foreign Affairs. The agency detailed numerous efforts by Nobelium to disrupt the country’s foreign missions, from attempting to install Cobalt Strike on its network to compromising a diplomat’s email to spread misinformation. Overall Nobelium seems focused on capturing strategic intelligence. ANSSI warned these attacks could facilitate future operations by the group, and characterized the attacks as a national security concern. (The Record)

5. Biden administration bans Kaspersky products in the US

The Biden administration will ban Kaspersky from selling its products in the US beginning July 20th, Axios reports. Current Kaspersky customers will stop receiving security updates on September 29th. The US Commerce Department’s Bureau of Industry and Security said in a statement, “Today’s Final Determination and Entity Listing are the result of a lengthy and thorough investigation, which found that the company’s continued operations in the United States presented a national security risk—due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations—that could not be addressed through mitigation measures short of a total prohibition. Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage.” (BIS)

6. SneakyChef targets government entities with SugarGh0st RAT

Cisco Talos describes a campaign by the suspected Chinese threat actor “SneakyChef” that used the SugarGh0st RAT to target government entities in Angola, India, Kazakhstan, Latvia, Saudi Arabia, and Turkmenistan. The malware was delivered via phishing emails with well-crafted decoy documents that impersonated various government organizations. The researchers note, “The threat actor is using an SFX RAR as the initial vector in this attack. When a victim runs the executable, the SFX script executes to drop a decoy document, DLL loader, encrypted SugarGh0st, and a malicious VB script into the victim’s user profile temporary folder and executes the malicious VB script.(Talos)

7. Patch alert: SolarWinds Serv-U vulnerability under active attack

A high severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild. The vulnerability, that has a CVSS score of 8.6, affects a directory transversal bug that could allow attackers to read sensitive files on the host machine. It was patched earlier this month as Serv-U 15.4.2. Cybersecurity firm Rapid7 describes the vulnerability as “trivial to exploit”. It allows access to any arbitrary file on disk, assuming the path is known and that it’s not locked. (The Hacker News)

8. US Treasury Department sanctions twelve Kaspersky executives

The US Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned twelve Kaspersky Lab executives “for operating in the technology sector of the Russian Federation economy.” The sanctions did not include the company’s CEO and co-founder Eugene Kaspersky. The US Commerce Department last week barred Kaspersky from selling its products in the United States over the company’s alleged “cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives.” (US Treasury)

9. Lockbit claims U.S. Federal Reserve breach

The LockBit ransomware gang has claimed responsibility for an attack against the US Federal Reserve, SecurityAffairs reports. The group claims to have stolen “33 terabytes of juicy banking information containing Americans’ banking secrets,” and says it will leak the data if the banking system refuses to negotiate a ransom. The Federal Reserve hasn’t commented on the alleged breach, and there’s no proof so far that LockBit’s claims are legitimate. (Security Affairs)

10. SEC reports pile in following CDK Global attack

We’re continuing to learn more about the impact from a ransomware attack on CDK Global last week. On Monday, we reported that the BlackSuit ransomware gang has claimed responsibility for the attack, and now we are learning multiple car dealers have reported disruptions to the SEC. Some of those companies include Lithia Motors, Group 1 Automotive, Penske, and Sonic Automotive, who in their SEC filings have said they’ve had to implement incident response plans and that most of them have severed all connections to CDK as a precautionary measure. According to Bloomberg, CDK is planning to pay the ransom, the amount of which has not been disclosed. (The Record)

11. Push notification fatigue causes breach

Another example of how hackers don’t need to recreate the wheel—old tactics work just fine. Following up on a story we first reported on last week, the Los Angeles County Department of Health Services (DHS) suffered a data breach back in April that compromised sensitive information, including individuals’ names, Social Security numbers, and medical information. We have now learned hackers were able to get in using a ‘push notification spamming’ method or push notification fatigue. This method overwhelms the user with MFA prompts until they approve the login attempt. The breach allowed access to 23 DHS employees and compromised more than 6,000 individuals. (Security Week)

12. CISA warns chemical facilities of potential breach

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that its Chemical Security Assessment Tool (CSAT) environment was breached via a vulnerable Ivanti Connect Secure appliance on January 23rd, 2024, BleepingComputer reports. The agency stated, “While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts.” CISA hasn’t specified which vulnerability was exploited, but the agency references a CISA advisory outlining three actively exploited Ivanti vulnerabilities that were disclosed before the breach. BleepingComputer notes that one of the vulnerabilities (CVE-2024-21888) was disclosed the day before CISA’s Ivanti appliance was breached. (Bleepingcomputer, CISA)

13. Julian Assange to plead guilty and return to Australia

On Wednesday, WikiLeaks founder Julian Assange is scheduled to plead guilty to a single criminal charge in a District Court on Mariana Island, a US territory in the western Pacific Ocean. In 2010, Assange released around 750,000 classified or sensitive documents on WikiLeaks, representing one of the largest leaks of state secrets in US history. Initially, the US filed 18 charges carrying a maximum penalty of 175 years in prison. Assange is expected to admit to unlawfully obtaining and disseminating classified information relating to U.S. national defense. The plea deal will end a long extradition battle with the United States government and reportedly allows Assange to avoid further jail time. Assange is then expected to reunite with his wife in his home country of Australia. (Ars Technica)

14. Fresh MOVEit bug under attack just hours after disclosure

A new high-severity vulnerability in Progress Software’s MOVEit Transfer software (CVE-2024-5806) is being actively exploited just hours after it was made public. Researchers determined that attackers could exploit the bug in two ways. The first mehtod uses a “forced authentication” attack with a malicious SMB server and a valid username. In the second scenario, a threat actor could impersonate any user on the system by uploading their own SSH public key to the server without logging in, then use that key to authenticate. Admins should move to patched versions as soon as possible. MOVEit Transfer was infamously targeted last year in a rash of Cl0p ransomware attacks that affected at least 160 victims, including British Airways, the state of Maine, Siemens, and UCLA. (Dark Reading)

15. New Microsoft Management Console attack found in wild

Threat actors are using a new attack technique, dubbed GrimResource, that allows them to gain full code execution of Microsoft Management Console. Researchers at Elastic Security Labs uncovered the new technique after a sample was uploaded to VirusTotal on June 6.  GrimResource leverages specially crafted MSC files to execute arbitrary javascript code in Microsoft Management Console (mmc.exe). The attack takes advantage of an old XSS flaw present in the apds.dll library. While the attack leverages obfuscation techniques to evade ActiveX security warnings, there is hope. The researchers have published detection rules and guidance to help organizations identify signs of the new attack. (The Cyber Express)

16. New Medusa trojan variant emerges

Last week, researchers at Cleafy published an analysis which revealed new fraud campaigns featuring an updated version of the Medusa (TangleBot) banking Trojan. The campaigns target Android users to install the malware known for its remote access Trojan (RAT) capabilities, including keylogging, screen control and SMS reading/writing. However the updated Medusa samples use a more lightweight permission set and new features like full-screen overlay displays and remote uninstallation of applications. Medusa was first discovered in 2020 and targeted Turkish financial institutions. However the new campaigns have expanded their scope to include targets in France, Italy, the United States, Canada, Spain, and the United Kingdom.(Bleeping Computer and Infosecurity Magazine)