Welcome to Security Sunday – Week 1. our weekly summary from the world of cybersecurity (01. 01. – 07. 01. 2024).

We’re collecting notable incident and vulnerability reports from the past week.

Hacker hijacks Orange Spain’s RIPE account and wreaks havoc on BGP

Orange Spain suffered an internet outage today after a hacker penetrated the company’s RIPE account and misconfigured BGP routing and RPKI configuration. Routing traffic on the Internet is provided by the Border Gateway Protocol (BGP), which allows organizations to assign their IP addresses to Autonomous System (AS) numbers and advertise them to other routers to which they are connected, called peers. These create a routing table that is propagated to all other edge routers on the Internet, allowing networks to find the best route to send traffic to a particular IP address. However, if a rogue network reports IP ranges usually associated with a different AS number, these IP ranges can be exploited to redirect traffic to malicious websites or networks. According to Cloudflare, this is possible because BGP is built on trust and the routing table is updated according to which advertiser has the shortest and most specific route.

To prevent this, a new standard called RPKI (Resource Public Key Infrastructure) was created to act as a cryptographic solution to BGP hijacking. “RPKI is a cryptographic method of signing records that associate a BGP route announcement with the correct AS number of origin,” explains an article on RPKI in Cloudflare. By enabling RPKI with a routing authority such as ARIN or RIPE, a network can cryptographically confirm that only routers under its control can advertise the AS number and associated IP addresses. An actor called “Snow” hacked Orange Spain’s RIPE account yesterday and took to Twitter to urge it to contact him about getting new credentials. Since then, the attacker has modified the AS number associated with the company’s IP addresses and enabled an invalid RPKI configuration on them. Reporting IP addresses on a foreign AS number and then enabling RPKI effectively caused those IP addresses to no longer be reported correctly on the Internet.

“As we can see, what they did was create some ROA /12 entries that basically indicate who is the authority over the prefix (i.e., the AS that can announce it),” Felipe Cañizares, CTO of DMNTR Network Solutions, told BleepingComputer.
“These grouped the /22 and /24 prefixes announced by Orange Spain, which means that the AS that should have announced this prefix is AS49581 (Ferdinand Zink trading as Tube-Hosting).”
“Orange’s account in the IP Network Coordination Centre (RIPE) was improperly accessed, affecting the browsing experience of some of our customers. The service is practically restored,” Orange Spain said on Twitter. “We confirm that in no case was our clients’ data compromised, only the navigation of some services was affected.”

Link: https://www.bleepingcomputer.com/news/security/hacker-hijacks-orange-spain-ripe-account-to-cause-bgp-havoc/

US indicts 19 suspects linked to xDedic cybercrime marketplace

The U.S. Department of Justice announced the conclusion of a multinational investigation into the dark web cyber marketplace xDedic, charging 19 suspects with participating in the operation and use of the marketplace’s services. An international operation involving law enforcement authorities from the United States, Belgium, Ukraine, Germany and the Netherlands, with support from Europol and Eurojust, led to the seizure of xDedic’s domains and infrastructure in January 2019. At the time of the seizure, law enforcement estimated that fraudulent activities facilitated through the xDedic cyber marketplace totaled more than $68 million. Prior to its closure, xDedic’s administrators operated servers around the world and used cryptocurrency payments to conceal the location of their servers and the identities of buyers, sellers, and administrators. xDedic allowed users to purchase stolen login credentials to compromised servers around the world and personal information of US residents.

“In total, xDedic offered for sale more than 700,000 compromised servers, including at least 150,000 in the United States and at least 8,000 in Florida,” the DOJ said. The victims whose information was sold on the market came from a variety of industries and locations around the world, including local, state and federal government entities, hospitals, universities, metropolitan transportation authorities, accounting and law firms, and pension funds.

Of the 19 suspects charged as a result of the international investigation into xDedic’s activities, 12 have already been convicted, five are due to be sentenced and two are awaiting extradition from the UK. Two xDedic administrators, Moldovan Alexandru Habasescu and Ukrainian Pavlo Kharmanskyi, were sentenced to 41 and 30 months in prison after being arrested in 2022 in Spain’s Canary Islands and in 2019 at Miami International Airport. Habasescu was also the lead developer and technical brains behind the marketplace, while Charmanskyi was the one who paid the admins, provided support to buyers and promoted the cybercrime website.

“Marketplace vendor Dariy Pankov, a Russian national, was one of the largest marketplace vendors by volume, listing for sale the login credentials of more than 35,000 compromised servers located around the world and receiving more than $350,000 in illicit proceeds,” the DOJ said. Allen Levinson, a Nigerian national, was a prolific buyer in the marketplace, particularly interested in purchasing access to U.S.-based certified public accounting firms. “He used the information he obtained from these servers to file hundreds of false tax returns with the U.S. government and claim fraudulent tax refunds of more than $60 million.” Levinson was sentenced to 78 months in federal prison after being arrested in the United Kingdom and extradited to the United States in 2020.

Last year, law enforcement authorities also seized a marketplace of stolen Genesis credentials and arrested 288 dark web drug sellers and buyers as part of an international law enforcement operation code-named Spector. In June, the FBI seized the hacker forum BreachForums after arresting its owner Connor Brian Fitzpatrick (aka Pompompurino) in March. Last but not least, an international police operation led by Interpol led to the arrest of 3,500 cybercriminals and the seizure of $300 million in December, while German police seized Kingdom Market, a dark web marketplace that traded in cybercrime tools, drugs and fake government IDs.

Link: https://www.bleepingcomputer.com/news/security/us-charged-19-suspects-linked-to-xdedic-cybercrime-marketplace/

Nigerian hacker arrested for stealing $7.5 million from charities

A Nigerian national has been arrested in Ghana and is facing charges in connection with the Business Email Communication (BEC) attacks that cost a charity in the United States more than $7.5 million. Olusegun Samson Adejorin was arrested on 29. Dec. 3 for defrauding two charities in Maryland and New York, according to the eight-count U.S. federal grand jury indictment. Specifically, Adejorin faces charges of fraud, aggravated identity theft and unauthorized access to a protected computer in connection with attacks targeting two Maryland-based charities that culminated in the embezzlement of $7.5 million. In a memo this week, the U.S. Department of Justice (DoJ) said Adejorin’s fraudulent scheme occurred between June and August 2020 and involved unauthorized access to email accounts as well as impersonating employees of charities.

To successfully process withdrawals over $10,000, Adejorin used stolen login credentials to send emails from employee accounts that had to approve the transactions. Following these actions, Adejorin successfully tricked Victim 1 into transferring $7.5 million into bank accounts controlled by the attacker, while the organization believed it was depositing these amounts into Victim 2’s legitimate bank accounts. Adejorin faces a maximum sentence of 20 years for bank fraud, five years for unauthorized access to a protected computer and a mandatory two-year sentence for aggravated identity theft. The U.S. Department of Justice announcement also states that the sentence can be extended by seven years for malicious registration and use of a domain name. BEC attacks, also known as CEO fraud, can result in significant financial damage. An FBI report last summer said that the compromise of corporate email caused billions of US dollars in losses.

Reasonable defensive measures to consider include implementing multi-factor authentication to reduce the likelihood of unauthorised account access, using email filtering to detect and block phishing attempts, and implementing an authentication process that underpins bank transfer requests and includes the use of a secondary communication channel. If you encounter suspicious requests, such as changing bank account details, simply calling your partner on a predetermined number and confirming the action can help save millions.

Link: https://www.bleepingcomputer.com/news/security/nigerian-hacker-arrested-for-stealing-75m-from-charities/

Sea Turtle cyber espionage campaign targets Dutch IT and telecoms companies

Telecommunications, media, internet service providers (ISPs), information technology (IT) providers and Kurdish websites in the Netherlands have been targeted in a new cyber espionage campaign by the Türkiye-nexus threat known as Sea Turtle. “The targets’ infrastructure was vulnerable to supply chain and islanding attacks, which the attack group used to gather politically motivated information such as personal data on minority groups and potential political opponents,” Dutch security firm Hunt & Hackett said in an analysis Friday.

“The stolen information is likely to be used to monitor or gather intelligence on specific groups and/or individuals.” Sea Turtle, also known as Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa. The activities associated with this group are believed to have been ongoing since January 2017 and primarily used DNS hijacking to redirect potential targets attempting to query a specific domain to a server controlled by an actor who was able to obtain their login credentials. “The Sea Turtle campaign almost certainly poses a more serious threat than DNSpionage, given the methodology the actor uses to attack various DNS registrars and registries,” Talos said at the time.

In late 2021, Microsoft noted that an adversary was conducting intelligence gathering to meet strategic Turkish interests from countries such as Armenia, Cyprus, Greece, Iraq and Syria, and attacking telecommunications and IT companies to “establish a foothold in front of a desired target” by exploiting known vulnerabilities. Then last month it was revealed that an adversary is using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023, according to PricewaterhouseCoopers (PwC) Threat Intelligence team. “The web shell is a simple reverse TCP shell for Linux/Unix that has basic functions and is also likely used to create persistence,” the company said. “There are at least two main variants; one that uses OpenSSL to establish a secure connection over TLS, while the other omits this capability and sends requests in clear text.”

Hunt & Hackett’s latest findings show that Sea Turtle continues to be a covert espionage group that performs defense evasion techniques to fly under the radar and harvest email archives. In one of the attacks recorded in 2023, a compromised but legitimate cPanel account was used as the initial access vector to deploy SnappyTCP to the system. It is currently unknown how the attackers obtained the login credentials. “Using SnappyTCP, the threat actor sent commands to the system to create a copy of the email archive created by the tar tool in the public web directory of a website that was accessible from the Internet,” the firm noted. “It is highly likely that the threat actor exfiltrated the email archive by downloading the file directly from the web directory.”

To mitigate the risks posed by such attacks, organizations are advised to enforce strong password policies, implement two-factor authentication (2FA), limit the rate of login attempts to reduce the likelihood of brute force attempts, monitor SSH traffic, and keep all systems and software up-to-date.

Link: https://thehackernews.com/2024/01/sea-turtle-cyber-espionage-campaign.html

SpectralBlur: New backdoor threat for macOS from North Korean hackers

Cybersecurity researchers have discovered a new backdoor to Apple macOS called SpectralBlur that overlaps with a known family of malware attributed to North Korean actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate or hibernate based on commands issued from C2,” said security researcher Greg Lesnewich. This malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that acts as a remote access Trojan capable of taking control of the compromised host. It’s worth noting that KANDYKORN’s activity also intersects with another campaign organized by a Lazarus subgroup known as BlueNoroff (aka TA444), which culminates in the deployment of a backdoor called RustBucket and a late-stage payload called ObjCShellz.

In recent months, a threat actor has been observed combining different parts of these two infection chains and using RustBucket droppers to deliver KANDYKORN. The latest findings are another indication that North Korean threat actors are increasingly targeting macOS to infiltrate high-value targets, particularly those in the cryptocurrency and blockchain sectors. “TA444 is still running fast and furious with new macOS malware families,” said Lesnewich. Security researcher Patrick Wardle, who shared additional insights into the inner workings of SpectralBlur, said the Mach-O binary was uploaded to the VirusTotal malware scanning service in August 2023 from Colombia. Functional similarities between KANDYKORN and SpectralBlur raised the possibility that they could have been created by different developers with the same requirements in mind. What the malware excels at is its attempts to make analysis difficult and evade detection, using grantpt to set up pseudoterminals and execute shell commands received from the C2 server.

The disclosure comes at a time when a total of 21 new families of malware targeting macOS systems have been discovered in 2023, including ransomware, information theft programs, remote access Trojans and nation-state-sponsored malware, up from 13 identified in 2022. “With the continued growth and popularity of macOS (especially in the enterprise!), 2024 is sure to bring plenty of new macOS malware,” Wardle noted.

Link: https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.html

Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.