Welcome to Safety Sunday – 10. Week. Our weekly overview of events in the world of cyber security (04.03 – 10.03 2024).

We’re collecting notable incidents and vulnerability reports from the past week.

Russian hackers stole source code and some Microsoft customer secrets

Microsoft revealed on Friday that a Kremlin-backed group known as Midnight Blizzard (and also known as APT29 or Cozy Bear) was able to gain access to some source code repositories and internal systems after a hacking attack that came to light in January 2024.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information originally exfiltrated from our corporate email systems to gain or attempt to gain unauthorized access,” Microsoft said

Redmond, which continues to investigate the scope of the breach, said the attacker is attempting to exploit various types of secrets found, including those shared between customers and Microsoft via email.

However, it did not disclose what the secrets were or the extent of the compromise, although it said it had directly contacted affected customers. It is not clear what source code was accessed.

Microsoft said it has increased its investment in security, and also noted that adversaries increased password spraying attacks up to tenfold in February compared to the “already high volume” seen in January.

MiTM phishing attack may allow attackers to unlock and steal Tesla car

The researchers demonstrated how they could perform a Man-in-the-Middle (MiTM) phishing attack to compromise Tesla accounts, unlock cars and start them. The attack works on the latest Tesla app version 4.30.6 and Tesla software version 11.1 2024.2.7.

As part of this attack, security researchers Talal Haj Bakry and Tommy Mysk register a new “phone key” that can be used to access Tesla.

The researchers reported their findings to Tesla, adding that the car’s connection to the new phone lacks proper authentication security.

An attacker deployed a Wi-Fi network called “Tesla Guest” at a Tesla charging station, an SSID commonly found at Tesla service centers and known to car owners.

Mysk used a Flipper Zero device to broadcast the WiFi network, but notes that the same can be done using a Raspberry Pi computer or other devices that have WiFi hotspot capability.

Once the victim connects to the spoofed network, they are presented with a fake Tesla login page asking them to log in with their Tesla account credentials. Whatever the victim enters on the fraudulent site, the attacker can see on the Flipper Zero device in real time.

After entering the login credentials for the Tesla account, the fraudulent site will request a one-time password for the account so that the attacker can bypass the two-factor protection.

The attacker must move before the OTP expires and log into the Tesla app using stolen credentials. Once logged into the account, the attacker can track the location of the vehicle in real time.

Adding a new key

Access to the victim’s Tesla account allows the attacker to add a new “phone key.”

Mysk says adding a new Phone Key via the app doesn’t require the car to be unlocked or the smartphone to be inside the vehicle, which is a significant security gap.

To make matters worse, once the new Phone Key is added, the Tesla owner will not receive any notification of this via the app and no notification will appear on the car’s touchscreen.

With the new Phone Key, an attacker can unlock the car and activate all its systems, allowing him to drive away as if he were the owner.

Mysk reports that the attack is successful on a Tesla Model 3. In a report to the automaker, the researcher states that the hijacked Tesla account must belong to the primary driver and that the vehicle must already be linked to the phone key.

The researchers say that requiring a physical Tesla Card Key when adding a new Phone Key would increase security by adding an authentication layer for the new phone.

Hackers steal Windows NTLM authentication passwords in phishing attacks

A hacking group known as TA577 recently changed tactics and used phishing emails to steal NT LAN Manager (NTLM) authentication hashes to carry out an account hijacking.

Email security company Proofpoint reports today that although it has recently seen TA577 show a preference for deploying Pikabot, two recent waves of attacks show a different tactic.

Different campaigns TA577 launched 26. and 27 February 2024 sent out thousands of messages to hundreds of organizations around the world, targeting NTLM hashes of employees.

NTLM passwords are used in Windows to authenticate and secure sessions and can be captured for offline password cracking to obtain the password in clear text.

In addition, they can be used in pass-the-hash attacks

Under certain circumstances and depending on the security measures in place, stolen hashes can allow attackers to elevate their privileges, hijack accounts, gain access to sensitive information, evade security products and move laterally in a compromised network.

Proofpoint states that limiting guest access to SMB servers alone does not mitigate the TA577 attack because it uses automatic authentication from an external server that bypasses the need for guest access.

A potentially effective measure can be to configure the firewall to block all outgoing SMB connections (typically ports 445 and 139) and stop sending NTLM hashes.

Another protective measure would be to implement email filtering that blocks messages containing zipped HTML files, as these can trigger connections to dangerous endpoints when triggered.

It is also possible to configure “Network Security: Restrict NTLM: Outbound NTLM traffic to remote servers’ Windows Group Policy to prevent NTLM hashes from being sent. However, this could lead to authentication problems against legitimate servers.

For organizations using Windows 11, Microsoft has introduced an additional security feature for Windows 11 users that blocks NTLM-based attacks via SMB, which would be an effective solution.

New Golang malware targets Docker, Hadoop, Redis and Confluence

Hackers are targeting poorly configured servers running Apache Hadoop YARN, Docker, Confluence or Redis with new Golang-based malware that automatically detects and compromises hosts.

Researchers at cloud forensics company Cado Security analysed payloads used in the attacks, bash scripts and Golang ELF binaries.

The researchers note that the set of breaches is similar to previously reported cloud attacks, some of which are attributed to groups such as TeamTNT, WatchDog and Kiss-a-Dog.

They began investigating the attack after they received the first alert about access to the Docker Engine API honeypot, with a new Alpine Linux-based container running on the server.

In the next steps, the attacker relies on several shell scripts and common Linux attack techniques to install cryptominer, create persistence, and set up a reverse shell.

According to the researchers, the hackers deployed a set of four new Golang payloads that are responsible for identifying and exploiting hosts with Hadoop YARN (h.sh), Docker (d.sh), Confluence (w.sh) and Redis (c.sh) services.

More than 225,000 compromised ChatGPT logins for sale on darknet marketplaces

According to new findings from Group-IB, more than 225,000 records containing OpenAI ChatGPT logins were for sale on illicit markets between January and October 2023.

These logins were found within the LummaC2, Raccoon and RedLine stealer malware-related information theft logs.

More than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated between June and October 2023, a 36% increase over what was recorded in the first five months of 2023.

The three most common infostealers are LummaC2 – 70,484 hosts, Raccoon – 22,468 hosts, RedLine – 15,970 hosts

Former Google engineer arrested for stealing AI technology secrets for China

The U.S. Department of Justice announced the indictment of a 38-year-old Chinese national and California resident for allegedly stealing Google’s proprietary information while secretly working for two Chinese technology companies.

Linwei Ding (aka Leon Ding), a former Google engineer who was arrested on 6. March 2024, “transferred Google’s sensitive trade secrets and other confidential information from Google’s network to his personal account while colluding with China-based companies in the artificial intelligence industry,” the DoJ said.

The accused allegedly stole more than 500 confidential files containing artificial intelligence (AI) trade secrets from Google with the aim of passing them on to two unnamed Chinese companies looking to get a head start in the ongoing AI race.

“Although Linwei Ding was employed as a software engineer at Google, he secretly worked to enrich himself and two companies based in the People’s Republic of China,” said U.S. Attorney Ismail Ramsey.

Ding, who joined Google as a software engineer in 2019, was accused of siphoning off protected information related to the company’s supercomputing data center infrastructure used to run AI models, Cluster Management System (CMS) software for managing data centers and AI models, and the applications they supported.

The theft occurred from 21. May 2022 to 2. May 2023 to a personal Google Cloud account, the indictment alleges, adding that Ding secretly teamed up with two China-based tech companies.

Ding was charged with four counts of theft of trade secrets. If convicted, he faces a maximum sentence of 10 years in prison and a fine of up to $250,000 for each count of the indictment.

VMware fixes critical sandbox leak vulnerabilities in ESXi, Workstation and Fusion

VMware has released security updates to fix critical vulnerabilities in VMware ESXi, Workstation, Fusion and Cloud Foundation products that allow attackers to escape virtual machines and gain access to the host operating system.

These types of vulnerabilities are critical because they could allow an attacker to gain unauthorized access to the host system where the hypervisor is installed or to gain access to other virtual machines running on the same host, thus breaking their isolation.

The recommendation describes four vulnerabilities, tracked as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255, with CVSS v3 scores ranging from 7.1 to 9.3, but all with a critical severity rating.

A practical solution to mitigate the CVE-2024-22252, CVE-2024-22253, and CVE-2024-22255 problems is to remove the USB controllers from the virtual machines according to the manufacturer’s instructions. Note that this may affect keyboard, mouse and USB key connections in some configurations.

It is worth noting that VMware has made security patches available for older versions of ESXi (6.7U3u), 6.5 (6.5U3v) and VCF 3.x due to the severity of the vulnerabilities.

Finally, the vendor has published FAQs to the bulletin, emphasizing the importance of timely patching and providing guidance on response planning and implementation of solutions/fixes for specific products and configurations.

VMware has not observed or received any reports indicating active exploitation of these four vulnerabilities. System administrators are advised to subscribe to the VMSA mailing list for proactive notification when the status of an abuse changes.

QEMU emulator exploited as a tunnel to penetrate the corporate network

In a cyber attack targeting an unnamed “large company”, attackers were found to be using the open-source QEMU hardware emulator as tunneling software to connect to its infrastructure.

“We found that QEMU supports inter-virtual machine connectivity: the -netdev option creates network devices (backends) that can then connect to virtual machines,” said Kaspersky researchers Grigory Sablin, Alexander Rodchenko and Kirill Magaskin.

“Each of the many network devices is defined by its type and supports additional options.”

In other words, it is about creating a virtual network interface and a socket network interface that allows the virtual machine to communicate with any remote server.

Kaspersky said it was able to use QEMU to create a network tunnel from an internal host within the corporate network that did not have access to the Internet to a host with Internet access that connected to the attacker’s cloud server running the emulator.

The findings show that attackers are constantly diversifying their attack strategies to combine their malicious traffic with legitimate activity.

The critical Fortinet FortiOS CVE-2024-21762 vulnerability could impact 150,000 devices connected to the Internet.

In February, Fortinet warned that a critical RCE vulnerability identified as CVE-2024-21762 (CVSS score 9.6) in the FortiOS SSL VPN system was being actively exploited.

This is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The manufacturer recommends disabling SSL VPN as a solution.

An out-of-bounds write vulnerability in FortiOS could allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.

Interested in cyber security? Check out the next episodes of our weekly magazine Safety Sunday.