🔓 [CyberFacts Weekly - Issue 0x04] Happy Halloween 🎃

EU Digital COVID Certification Issuers Exposed / 150ppl arrested in dark web drug bust / Conti ransom gang sells access to victims / Cracking WiFi at scale / DarkSide transfer $7M worth of BTCs / Mozilla removes add-ons using proxy API / Ransomware at San Carlo Italian chips maker / New Tesla forensics driving data can be acquired / Shrootless vulnerability can bypass macOS SIP

Greetings! 🎃

Interesting week in Europe, right? It’s interesting to see the parallel between (1) the social protests happening in Italy about the regulations that require all workers to possess a valid EU Digital COVID Certificate (a.k.a., “GreenPass”) and (2) the incident at one (potentially more) cert-issuance site, which was found exposed on the public Internet without protection. Of course, in a matter of hours, there was an explosion of Telegram groups selling generated certificates.

At the beginning, it didn’t seem like a big deal, because the EU Digital COVID Certificate system has this scenario figured out already. But, as more clearly forged but accepted passes have started to circulate (archived), more details bubbled up, revealing what seems to be a larger “compromise” of the certificate issuing infrastructure. Technically, nothing has been actively compromised: It’s just some unwanted service exposure.

Just scroll down and you’ll find more details.

Other highlights:

  • 150 people arrested in dark web drug bust,
  • Conti ransom gang starts selling access to victims,
  • Using phone numbers as Wi-Fi passwords makes cracking them easy (of course!),
  • DarkSide transfer $7M worth of BTCs,
  • Mozilla makes breaking changes to the add-ons proxy API,
  • Ransomware at San Carlo Italian chips maker,
  • New Tesla forensics driving data can be acquired,
  • Shrootless vulnerability can bypass macOS SIP.

If you like this digest, consider subscribing!



Top Picks

A Researcher Cracked 70% of Tel Aviv’s Wifi Networks Using a Mask Attack

by Ido Hoorvitch // CyberArk Threat Research Blog

The magic combo was (1) the terrible habit many people living in Israel have of using their cellphone numbers as WiFi passwords, (2) a recent WiFi attack, and (3) a decent cracking rig (8 x QUADRO RTX 8000 48GB GPUs).
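Why a phone number makes such a weak PSK comes down to keyspace. The following Python is an added example (not CyberArk’s code and not part of this newsletter) that computes how many candidates a hashcat-style mask expands to and runs a simple policy check over candidate WPA2 pre-shared keys; the mask layout, the phone-number pattern in `PHONE_RE`, and the guess rate are assumptions, not values from the research.

```python
import math
import re
import secrets
import string

# Hashcat-style mask charset sizes (?d digits, ?l lowercase, ?u uppercase, ?s symbols, ?a all printable).
CHARSETS = {"d": 10, "l": 26, "u": 26, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask expands to; literal characters contribute a factor of 1."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSETS:
            total *= CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def keyspace_bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy."""
    return math.log2(keyspace)


def exhaust_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given (assumed) guess rate."""
    return keyspace / guesses_per_second


# Assumed mobile-number shape for the policy check: optional leading 0, then 5 and eight more digits.
PHONE_RE = re.compile(r"^0?5\d{8}$")


def psk_findings(psk: str) -> list:
    """Policy findings for a candidate WPA2 pre-shared key; an empty list means it passes."""
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("length outside WPA2 PSK range 8-63")
    if psk.isdigit():
        findings.append("digits only")
    if PHONE_RE.match(psk):
        findings.append("phone-number-shaped")
    if len(set(psk)) <= 2:
        findings.append("low character variety")
    return findings


def random_psk(length: int = 20) -> str:
    """A replacement PSK drawn from a CSPRNG; 20 alphanumerics is about 119 bits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    phone_mask = "05?d?d?d?d?d?d?d?d"  # the 10^8 candidates a phone-number mask has to cover
    print(mask_keyspace(phone_mask), round(keyspace_bits(mask_keyspace(phone_mask)), 1))
    print(psk_findings("0541234567"), psk_findings(random_psk()))
```

The point of the comparison: a ten-digit number with a fixed prefix is under 27 bits, while a 20-character random alphanumeric PSK is over 119 bits, so no cracking rig changes the outcome once the PSK stops being guessable by shape.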


Exposed Certificate Issuance Systems Have been Used to Generate Valid EU Digital COVID Certificates

by @Xiloeee // Twitter

At the beginning, it didn’t seem like a big deal, because the EU Digital COVID Certificate system has this scenario figured out already (check here, or here, here, here, and here, some are in Italian). As more clearly forged but accepted passes have started to circulate (archived), more details bubbled up, revealing what seems to be a larger “compromise” of the certificate issuing infrastructure. Technically, nothing has been actively compromised: It’s just some unwanted service exposure.

What most likely has happened (and is still happening) is that someone found the certificate-issuing web frontend of some countries (MK, DE, PL, FR) exposed with no protection (or with known credentials), probably by luck, by an info leak, or by scanning for web services matching fingerprints derived from inspecting the source code, and used it to generate vaccination certificates.

The first reaction, as predicted, was that some countries started removing keys (e.g., FR, MK) from the trust list. This only marginally fixes the problem. Indeed, since no private/signing key has been compromised, some countries rolled back the revocation. Besides forcing the re-generation of all certificates issued by those countries, revocation does nothing about the other exposed certificate-issuing web frontends that could have been (and will be) abused to generate further certificates. So, if issuers don’t keep audit trails (and it seems that it’s possible to generate certificates without leaving an audit log), and if issuers don’t urgently lock down their incidentally exposed services, the problem will soon be global and, potentially, all keys will have to be revoked.
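To make the trust-list argument concrete, here is an added Python example; it is not code from any DCC implementation or from this newsletter. It models an issuer key with an HMAC (a stand-in for the real ECDSA/RSA signature), a verifier that checks the key identifier (KID) against a trust list, and a hash-chained issuance audit log. The KIDs, operator names and certificate payloads are constructed. It shows why a certificate generated through an exposed frontend verifies exactly like a legitimate one, why removing the key from the trust list invalidates both, and how an audit trail is what lets an issuer tell them apart.

```python
import hashlib
import hmac
import json

# Constructed issuer keys indexed by key identifier (KID). On the real DCC trust list the KID
# names an asymmetric public key; an HMAC key is used here purely as a signing stand-in.
ISSUER_KEYS = {"FR-01": b"fr-signing-key-constructed", "MK-01": b"mk-signing-key-constructed"}
GENESIS = "0" * 64


def _canon(obj) -> bytes:
    """Canonical JSON so that signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_certificate(kid: str, payload: dict) -> dict:
    sig = hmac.new(ISSUER_KEYS[kid], _canon(payload), hashlib.sha256).hexdigest()
    return {"kid": kid, "payload": payload, "sig": sig}


def verify_certificate(cert: dict, trust_list: set) -> bool:
    """Verifier side: the KID must be on the trust list and the signature must match."""
    kid = cert["kid"]
    if kid not in trust_list or kid not in ISSUER_KEYS:
        return False
    expected = hmac.new(ISSUER_KEYS[kid], _canon(cert["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def cert_fingerprint(cert: dict) -> str:
    return hashlib.sha256(_canon(cert)).hexdigest()


class AuditLog:
    """Hash-chained issuance log: every entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, kid: str, operator: str, cert: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "kid": kid, "operator": operator,
                 "cert": cert_fingerprint(cert), "prev": prev}
        entry["entry_hash"] = hashlib.sha256(_canon(entry)).hexdigest()
        self.entries.append(entry)

    def chain_intact(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def unattributed(self, allowed_operators: set) -> list:
        """Fingerprints of certificates issued by operators outside the enrolled set."""
        return [e["cert"] for e in self.entries if e["operator"] not in allowed_operators]


def issue(kid: str, payload: dict, operator: str, log: AuditLog) -> dict:
    cert = sign_certificate(kid, payload)
    log.append(kid, operator, cert)
    return cert


def scenario() -> dict:
    trust_list = {"FR-01", "MK-01"}
    log = AuditLog()
    # Legitimate issuance by an enrolled operator.
    legit = issue("FR-01", {"holder": "constructed-holder-1", "dose": "2/2"}, "pharmacy-0042", log)
    # Issuance through the exposed frontend: same real key, but an unenrolled operator.
    forged = issue("FR-01", {"holder": "constructed-holder-2", "dose": "2/2"}, "unknown-session", log)
    res = {"legit_before": verify_certificate(legit, trust_list),
           "forged_before": verify_certificate(forged, trust_list)}
    trust_list.discard("FR-01")  # the "remove the key from the trust list" reaction
    res["legit_after"] = verify_certificate(legit, trust_list)
    res["forged_after"] = verify_certificate(forged, trust_list)
    res["suspicious"] = log.unattributed({"pharmacy-0042"})
    res["forged_fingerprint"] = cert_fingerprint(forged)
    res["log"] = log
    return res


if __name__ == "__main__":
    print({k: v for k, v in scenario().items() if k != "log"})
```

Run `scenario()`: both certificates verify before revocation, neither verifies after it, and only the audit log (entry issued by `unknown-session`) singles out the one that should never have existed.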


Suspected cyberattack temporarily disrupts gas stations across Iran

by Catalin Cimpanu // The Record by Recorded Future

A software glitch believed to have been caused by a cyberattack has disrupted gas stations across Iran and defaced gas pump screens and gas price billboards.

The incident, which took place earlier this morning, impacted the IT network of NIOPDC, a state-owned gas distribution company that manages more than 3,500 gas stations across Iran.


Italian Chips Maker San Carlo Hit by Conti Ransomware

by Time News // Time News

The prosecutor’s office and Italian LEAs are investigating. Here’s one of the many original articles that announced the attack (in Italian).


150 arrested in dark web drug bust as police seize €26 million

by Europol // Europol

More than €26.7 million (USD 31 million) in cash and virtual currencies have been seized in this operation, as well as 234 kg of drugs and 45 firearms. The seized drugs include 152 kg of amphetamine, 27 kg of opioids and over 25 000 ecstasy pills.


Operators Behind DarkSide Ransomware Transfer $7M Worth of BTCs Into 7 New Wallets

by Prajeet Nair // Data Breach Today

According to a crypto-wallet tracking service, the operators behind DarkSide ransomware moved $7M worth of BTCs from the wallet that received the Colonial Pipeline ransomware into 7 wallets.


How the FBI Obtains Data From US Cellular Network Operators

by Joseph Cox // Motherboard

AT&T retains “cloud storage internet/web browsing” data for 1 year. When asked what this detail entails exactly, such as websites visited by customers on the AT&T network, AT&T spokesperson Margaret Boles said in an email that ​​“Like all companies, we are required by law to comply with mandatory legal demands, such as warrants based on probable cause. Our responses comply with the law.” The document also mentions that law enforcement can request records related to wearable devices from AT&T.

Full document obtained by Property of the People.


Conti Ransom Gang Starts Selling Access to Victims – Krebs on Security

by Brian Krebs // Krebs on Security

The Conti ransomware affiliate program […] updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.


Firefox Blocks Add-ons (Ab)using the Proxy API

by Rachel Tublitz, Stuart Colville // Mozilla Security Blog

The Proxy API can be (ab)used to essentially create an in-browser firewall that blocks or otherwise interferes with Mozilla’s upgrade functionality, which is critical (as you may understand). So, Mozilla has decided that all add-ons using the Proxy API must be blocked, and future add-ons using the Proxy API will have to include a special entry in their manifest to expedite the review of legitimate add-ons.


Tesla's Autopilot Further Reverse Engineered

by Nick Carey // Reuters

“These data contain a wealth of information for forensic investigators and traffic accident analysts and can help with a criminal investigation after a fatal traffic accident or an accident with injury," Francis Hoogendijk, a digital investigator at the NFI, said in a statement.


Also Noteworthy

Android smartphones infected with rare rooting malware

by Catalin Cimpanu // The Record by Recorded Future

The rooting package contained exploits for the following five vulnerabilities: CVE-2020-0041, CVE-2020-0069, CVE-2019-2215, CVE-2015-3636, and CVE-2015-1805.

Full analysis by Lookout here.


Emergency Google Chrome update fixes zero-days used in attacks

Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to fix two zero-day vulnerabilities that attackers have actively exploited.

Full analysis here (in Chinese).


Ransomware Hackers Freeze Millions in Papua New Guinea

by Jamie Tarabay // Bloomberg

Papua New Guinea’s finance department acknowledged late Thursday that its payment system, which manages access to hundreds of millions of dollars in foreign aid money, was hit with a ransomware attack.


Free Decryptor for AtomSilo, Babuk, and LockFile Released by Avast

by Catalin Cimpanu // The Record by Recorded Future

Antivirus maker and cyber-security firm Avast has released today free decryption utilities to recover files that have been encrypted by three ransomware strains—AtomSilo, Babuk, and LockFile.


FBI Releases Indicators of Compromise Associated with Ranzy Locker Ransomware | CISA

by CISA // CISA

In a Flash report the FBI releases IOCs associated with attacks using Ranzy Locker, a ransomware variant first identified targeting victims in the United States in late 2020.


Are Baby Boomers Really Less Vulnerable Online Than Younger Generations?

by Bryson Medlock (Threat Researcher at ConnectWise’s Cyber Research Unit), October 26, 2021 // Dark Reading

[…] older generations are more suspicious of any electronic communication. They espouse paranoia and distrust with any form of online communication. Their attitudes are the very essence of the zero-trust cybersecurity model.


North Korean state hackers start targeting the IT supply chain

by Sergiu Gatlan // BleepingComputer

North Korean-sponsored Lazarus hacking group has switched focus to new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities.


US Online Payment Processing Service FIS Replaces PAX Terminals Over Security Concerns

by Brian Krebs // Krebs on Security

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

And then we learn the reason behind that, and that PAX security exec resigns the day after the raid.


DDoS has Been Hitting UK VoIP Providers for 4+ Weeks

by Eli Katz // Comms Council UK

Several Comms Council UK members and international IP-based communications service providers have been subjected to Distributed Denial of Service (DDoS) attacks over the past four weeks, which appear to be part of a coordinated extortion-focused international campaign by professional cyber criminals.


Quishing: Abusing QR Codes to Bypass Phishing Filters

by Rachelle Chouinard // Abnormal

[T]hese messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls. All the QR code images were created the same day they were sent, making it unlikely that they have been previously reported and would be recognized by a security blocklist.


New Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns | Proofpoint US

by Selena Larson, Joe Wise // Proofpoint Threat Insight

Proofpoint identified a new cybercriminal threat actor impersonating Philippine health, labor, and customs organizations, and other entities based in the Philippines


Nobellium Now Targeting Resellers and Cloud-customization Service Providers

by Tom Burt // Microsoft On the Issues

This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.


How to Perform Timing Attacks on NFC Tags Using the CR95HF Reader

by Federico Cerutti // ceres-c

[The word] “secure” is put into quotation marks as the company’s security model is based upon NDA’d documentation and a custom mutual authentication algorithm.


Runbox, Fastmail, Posteo Temporarily Down Because of DDoS Attacks

by Catalin Cimpanu // The Record by Recorded Future

For a couple of hours before reading this piece I noticed numerous “random” reports on Reddit by users noticing Fastmail hiccups.


by CISA // CISA

Versions of a popular NPM package named ua-parser-js were found to contain malicious code.


Initial Access Broker Landscape

by Trevor Giffen // Curated Intelligence

An “initial access broker” is an individual who compromises systems or user accounts with the intent of gaining privileged access, to later sell. Initial access sales happen both publicly and privately, across many contexts.


Too Many Scientific Papers in the Largest Fields Mean Ideas Won't Rack Up

by Johan S. G. Chu, James A. Evans // Proceedings of the National Academy of Sciences

Examining 1.8 billion citations among 90 million papers across 241 subjects, we find a deluge of papers does not lead to turnover of central ideas in a field.

Among the examined fields, computer science and artificial intelligence are among those with the most substantial citation decay.

The advancement of scientific knowledge is kind of becoming a victim of its own success.


Vulnerabilities

Microsoft Finds a new Vulnerability that Could Bypass macOS System Integrity Protection (CVE-2021-30892)

[T]he vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process.


Popular CI/CD Pipeline Used by Fortune 500 and NGOs Just Fixed Broken Authentication Vulnerabilities

by Simon Scannel // SonarSource Blog

The vulnerabilities allowed an unauthenticated user to access sensitive information and read arbitrary files on a GoCD server instance.


Discourse Patches Critical RCE (CVE-2021-41163)

by CISA // CISA

Discourse, one of the most popular open-source discussion platforms, has just patched a critical RCE vulnerability (CVE-2021-41163).


by Caleb Stewart // Huntress Blog

The Huntress ThreatOps team discovered [active exploitation of] CVE-2021-42258 […] to gain initial access to a US engineering company—and deploy ransomware across the victim’s network.


Tools

FormatFuzzer: Generate Binary Inputs and Parsers from Templates

FormatFuzzer is a framework for high-efficiency, high-quality generation and parsing of binary inputs. It takes a binary template that describes the format of a binary input and generates an executable that produces and parses the given binary format. From a binary template for GIF, for instance, FormatFuzzer produces a GIF generator - also known as GIF fuzzer.

Check the paper for details.


An Analysis of EU Digital COVID Certificates

by Denys Vitali // GitHub

An up-to-date analysis of valid certificates circulating after the EU Digital COVID Certificate incident. I’ve archived this repository here just in case.


GreenPass Experiments

by Alessandro Mazzeo // GitHub

I don’t think this is in any way related to the EU Digital Covid Certificate incidents.


An ATT&CK-like Matrix Focused on CI/CD Pipeline Specific Risks

by Hiroki Suezawa // GitHub

Technically not a tool, but a handy reference.


Phishious: The VirusTotal of Secure Email Gateways

by Rices // GitHub

Phishious exploits a common misconfiguration where many organisations broadcast overly sensitive information in email bounce responses and non-delivery reports. The sensitive information typically comes in the form of original untampered inbound message headers.
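A quick way to check whether your own gateway leaks this kind of information is to look at what it puts in a bounce. The following Python is an added example, not part of Phishious or of this newsletter: it builds a constructed non-delivery report that echoes the original message as a `message/rfc822` part, then extracts the echoed headers whose names suggest a gateway identity or a filtering verdict. The header-prefix list and the sample addresses are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Header-name prefixes that reveal which gateway processed the mail and what it decided.
# Assumed starter list; extend it with the headers your own gateway adds.
SENSITIVE_PREFIXES = (
    "x-spam", "x-ironport", "x-proofpoint", "x-mimecast", "x-barracuda", "x-sophos",
    "x-ms-exchange-organization", "authentication-results",
)


def build_sample_bounce(echo_original: bool = True) -> bytes:
    """Constructed NDR. With echo_original=True it attaches the original message, headers and all,
    as many real bounces do; with False it behaves like a gateway that strips the original."""
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.com"
    bounce["To"] = "probe@example.org"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("The recipient does not exist.")
    if echo_original:
        original = EmailMessage()
        original["From"] = "probe@example.org"
        original["To"] = "no-such-user@example.com"
        original["Subject"] = "probe"
        # Constructed gateway headers of the kind that end up echoed in bounces.
        original["X-Spam-Status"] = "No, score=0.2 required=5.0"
        original["X-IronPort-AV"] = 'E=Sophos;i="5.87,123"'
        original["Authentication-Results"] = "mx.example.com; spf=pass smtp.mailfrom=example.org"
        original.set_content("hello")
        bounce.add_attachment(original)  # attached as a message/rfc822 part
    return bounce.as_bytes()


def leaked_headers(raw_bounce: bytes) -> dict:
    """Headers of any embedded original message that disclose gateway identity or verdicts."""
    msg = email.message_from_bytes(raw_bounce, policy=policy.default)
    leaks = {}
    for part in msg.walk():
        if part is msg:
            continue  # the bounce's own top-level headers are not what we are looking for
        for name, value in part.items():
            if name.lower().startswith(SENSITIVE_PREFIXES):
                leaks[name] = str(value)
    return leaks


if __name__ == "__main__":
    print(leaked_headers(build_sample_bounce()))
    print(leaked_headers(build_sample_bounce(echo_original=False)))
```

Sending a probe to a non-existent address in your own domain and running the returned NDR through `leaked_headers` tells you exactly which verdict and vendor headers an outsider would get back; the fix is on the gateway side, by trimming the echoed original to its envelope headers or omitting it altogether.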


CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

Hope you enjoyed this issue…and see you reading the next one! 🙃

Thanks! Cheers, Fede

Federico Maggi
Senior Researcher

I enjoy doing research on various cyber-security topics. I work with Trend Micro Research in a global team that focuses on technology and cyber-crime research.