Welcome to Safety Sunday – 5. Week. our weekly round-up of the world of cyber security (29 Jan – 04 Feb 2024).

We’re collecting notable incidents and vulnerability reports from the past week.

AnyDesk Discloses Security Breach; Passwords Reset by Hackers

AnyDesk has acknowledged a recent cyber intrusion that compromised the integrity of the company’s production systems. According to insights obtained by BleepingComputer, hackers successfully infiltrated the system, absconding with both source code and private code signing keys. AnyDesk, a prominent remote access solution facilitating remote computer connectivity, is widely embraced by enterprises for tasks like remote support and accessing colocated servers. Unfortunately, it’s also favored by malicious actors seeking persistent access to compromised networks and devices.

The clientele of AnyDesk encompasses 170,000 entities, including notable names such as 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations. Incident Overview According to a statement on a late Friday afternoon, AnyDesk became aware of the breach upon detecting unusual activity within their production servers. Subsequently, a comprehensive security audit confirmed the compromise, prompting AnyDesk to engage cybersecurity experts from CrowdStrike to mitigate the situation. Although AnyDesk refrained from disclosing specifics regarding data exfiltration, it has been confirmed that the perpetrators obtained valuable assets such as source code and code signing certificates. Fortunately, ransomware was not part of the breach scenario. AnyDesk’s Remedial Measures In response to the breach, AnyDesk swiftly took remedial actions, revoking compromised security certificates and undertaking necessary system remediation and replacement efforts. Assuring its customer base, AnyDesk asserted the safety of its platform and affirmed the absence of evidence indicating compromised end-user devices. “We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate,” AnyDesk conveyed in a public statement. Although AnyDesk stated that no authentication tokens were pilfered, as a precautionary measure, all passwords for their web portal are being invalidated. Users are advised to update their passwords, especially if they are reused across multiple platforms. In response to inquiries regarding the breach, AnyDesk reassured that its design prevents the theft of session authentication tokens, as they are confined to end-user devices and intricately linked to device fingerprints. Consequently, the company emphasized, “We have no indication of session hijacking, as to our knowledge this is not possible.”

Researchers Uncover Remote Exploitation Risks in Aircraft Management Systems

Recent research has unveiled potential vulnerabilities in the systems managing safe aircraft takeoffs and landings, raising concerns about remote tampering with critical flight data. In a scenario reminiscent of the tense airplane scene in Die Hard 2, researchers investigating electronic flight bags (EFBs) have identified vulnerabilities in the app utilized by Airbus pilots. These vulnerabilities could allow for remote manipulation of essential data under specific circumstances. While the Die Hard scene in question may have been fictionalized and subsequently debunked by researchers months ago, the possibility of similar exploits remains a topic of concern. EFBs, typically tablet-like portable computers, host aviation-specific applications designed to aid in various flight deck and cabin tasks, including performance calculations aimed at improving aircraft operations.

The identified vulnerability lies within Flysmart+ Manager, a component of the Flysmart+ suite used by Airbus pilots to synchronize data across various applications crucial for safe takeoffs and landings. Developed by NAVBLUE, a subsidiary of Airbus, Flysmart+ Manager was found to have disabled app transport security (ATS) by setting the NSAllowsArbitraryLoads property list key to “true.” ATS, a fundamental security feature, mandates the use of HTTPS, thereby safeguarding communications between the app and its update server. Antonio Cassidy, a partner at Pen Test Partners involved in the research, highlighted the implications: “An attacker could use this weakness to intercept and decrypt potentially sensitive information in transit.” Despite the identified vulnerability, executing an attack would require precise conditions, including intercepting data transmission to the app. Even Ken Munro, another partner at Pen Test Partners, acknowledged the unlikelihood of successful exploitation in a real-world scenario.

Interpol’s ‘Synergia’ Operation Dismantles 1,300 Cybercrime Servers

In a coordinated international effort named ‘Synergia,’ law enforcement agencies have successfully dismantled over 1,300 command and control servers utilized in ransomware, phishing, and malware schemes. Command and control servers (C2) serve as pivotal devices operated by threat actors to oversee malware operations and gather data transmitted from compromised devices. These servers enable threat actors to deploy additional payloads or execute commands on infected devices, forming a critical infrastructure in various cyberattacks. Between September and November 2023, the Synergia operation, involving 60 law enforcement agencies from 55 countries, targeted and neutralized command and control servers associated with malicious activities. Approximately 70% of the identified C2 servers linked to ransomware, malware, and phishing campaigns were successfully shut down, dealing a significant blow to cybercriminal operations.

Most of the seized servers were located in Europe, with notable numbers traced to Singapore and Hong Kong. In Africa, South Sudan and Zimbabwe witnessed heightened activity, while operations in the Americas, particularly Bolivia, were also dismantled. In addition to server takedowns, Synergia led to the apprehension of 31 individuals suspected of involvement in cybercrime, with another 70 suspects identified. Law enforcement authorities executed 30 house searches and confiscated pertinent evidence to aid in ongoing investigations. Bernardo Pillot, Interpol’s Assistant Director of Cybercrime, emphasized the collaborative effort’s significance, stating, “The results of this operation, achieved through the collective efforts of multiple countries and partners, show our unwavering commitment to safeguarding the digital space.”

Cloudflare Breach: Okta Compromise Leads to Unauthorized Access

Cloudflare has revealed a security breach wherein a suspected ‘nation state attacker’ infiltrated its internal Atlassian server, gaining access to its Confluence wiki, Jira bug database, and Bitbucket source code management system. According to Cloudflare’s CEO, CTO, and CISO, the threat actor initially breached the company’s self-hosted Atlassian server on November 14. Subsequently, they infiltrated the Confluence and Jira systems after conducting reconnaissance. The attackers returned on November 22, establishing persistent access to Cloudflare’s Atlassian server using ScriptRunner for Jira. They then accessed the source code management system (Atlassian Bitbucket) and attempted, unsuccessfully, to breach a console server with access to Cloudflare’s São Paulo data center, which was not yet operational.

The attackers leveraged one access token and three service account credentials stolen during the Okta breach in October 2023, which Cloudflare had failed to rotate among the thousands compromised. Cloudflare detected the breach on November 23, terminated the hacker’s access on November 24, and initiated a forensic investigation on November 26. In response, Cloudflare rotated all production credentials, physically segmented test and staging systems, conducted forensic analysis on 4,893 systems, and reimaged and rebooted all systems across its global network, including Atlassian servers. Although the threat actors attempted to breach Cloudflare’s São Paulo data center, their efforts were unsuccessful. All equipment in the Brazil data center was returned to manufacturers to ensure complete security. Remediation efforts concluded on January 5th, but Cloudflare continues to focus on software hardening, credential management, and vulnerability mitigation.

Technica Corporation, a U.S. Federal Government Supporter, Breached by Blackcat Ransomware Group

In a recent cyber threat incident, the notorious ransomware gang known as ALPHV, or Blackcat, has claimed responsibility for breaching Technica Corporation, a company providing support to the U.S. Federal Government. ALPHV declared on the dark web that it successfully exfiltrated 300GB of data, including classified and top-secret documents related to U.S. intelligence agencies such as the FBI. The group issued a threat to publicly release or sell the data unless Technica contacted them promptly. A sample of the stolen data, featuring 29 documents including Department of Defense contracts and personal details of Technica employees, was shared in the dark web post. The Daily Dot reached out to Technica for confirmation but received no response at press time. Brett Callow, a threat analyst at Emsisoft, underscored the severity of the situation, stressing that such incidents should not be viewed in isolation. The exfiltrated data could be merged with information from other breaches, intensifying the impact. ALPHV’s recent attack follows the FBI and global intelligence agencies’ takedown of their dark web homepage last month. Despite this, the group swiftly relaunched its site elsewhere on the dark web.

ALPHV gained notoriety for previous attacks on Las Vegas casinos, causing significant disruption. The group has also targeted critical infrastructure and medical facilities, including plastic surgery clinics. The FBI, when questioned about the alleged breach and documents obtained by ALPHV, did not respond to inquiries from the Daily Dot. In the cybersecurity realm, the recent breach has raised concerns about the potential exposure of classified information. Experts emphasize the importance of considering these incidents within a broader context, highlighting that combining data from various breaches could lead to more significant consequences than initially anticipated. ALPHV’s history of targeting diverse sectors underscores the necessity for heightened cybersecurity measures across industries. As the situation unfolds, it underscores the evolving challenges organizations face in safeguarding sensitive information from increasingly sophisticated cyber threats. The ongoing threat posed by ransomware groups like ALPHV underscores the urgency for organizations to fortify their cybersecurity defenses and collaborate with law enforcement agencies to combat the growing menace of cyber attacks on critical infrastructure and government institutions.

Akira Ransomware Emerges as a Menacing Threat Targeting North American Companies

In the dynamic landscape of cybersecurity, organizations are facing a pressing need to enhance their defenses against the escalating sophistication of ransomware attacks. At the forefront of concern is Akira, a newly identified ransomware strain, spearheading a cohort of cyber adversaries equipped with advanced tactics and led by highly proficient individuals. Recent analysis of blockchain and source code data has brought Akira ransomware into the spotlight, rapidly solidifying its position as one of the fastest-growing threats in the cyber domain. Its ascent is attributed to its adept utilization of double extortion strategies, adoption of a ransomware-as-a-service (RaaS) distribution model, and implementation of innovative payment mechanisms. Debuting in March 2023, Akira has set its sights on companies across the United States and Canada. Notably, its distinctive Tor leak site, reminiscent of “1980s green-screen consoles” as per Sophos’ report, requires users to input specific commands to navigate the interface—a feature garnering attention within cybersecurity circles.

What adds to the intrigue is that, despite sharing the .akira file extension for encrypted files, the new Akira bears little resemblance to its 2017 namesake in terms of underlying code. This evolution underscores the dynamic nature of cyber threats, wherein old adversaries resurface with new tactics and a revamped modus operandi. Initially discovered by MalwareHunterTeam, Akira ransomware exhibits a significant functionality upon activation—it systematically deletes Windows Shadow Volume Copies on the infected device. Moreover, emerging connections between the Akira ransomware group and the now-defunct Conti ransomware gang suggest a potential affiliation. Conti, renowned as one of the most notorious ransomware families in recent memory, is believed to have evolved from the highly targeted Ryuk ransomware, marking a lineage of prolific cyber threats. These intricate associations highlight the adaptive nature of cyber threats and the relentless efforts of criminal organizations to evolve and expand their malicious activities.

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday.