The War Room

Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

ModuleShifting: Improving the stealthiness of Memory Injection Techniques

ModuleShifting is a stealthier variation of the Module Stomping and Module Overloading injection techniques. It is implemented in Python ctypes so that it can be executed fully in memory via a Python interpreter...

The post ModuleShifting: Improving the stealthiness of Memory Injection Techniques appeared first on Penetration Testing.

New BitForge cryptocurrency wallet flaws lets hackers steal crypto

Multiple zero-day vulnerabilities, collectively named 'BitForge', in implementations of the widely used GG-18, GG-20, and Lindell 17 threshold signing protocols affected popular cryptocurrency wallet providers, including Coinbase, ZenGo, Binance, and many more.

These vulnerabilities could allow attackers to steal digital assets stored in impacted wallets in seconds without requiring interaction with the user or the vendor.

The flaws were discovered by the Fireblocks Cryptography Research Team in May 2023, which collectively named them 'BitForge.'

Today, the analysts publicly disclosed BitForge in the "Small Leaks, Billions Of Dollars: Practical Cryptographic Exploits That Undermine Leading Crypto Wallets" BlackHat presentation, by which time Coinbase and ZenGo had applied fixes to address the problem.

However, Fireblocks says that Binance and dozens of other wallet providers remain vulnerable to BitForge. Fireblocks has also created a status checker that lets projects verify whether they are exposed to risk from improper multi-party computation (MPC) protocol implementations.

The BitForge flaw

The first flaw (CVE-2023-33241) discovered by Fireblocks impacts the GG18 and GG20 threshold signature schemes (TSS), which are considered pioneering and foundational for the MPC wallet industry, allowing multiple parties to generate keys and co-sign transactions.

Fireblocks' analysts discovered that, depending on the implementation parameters, an attacker can send a specially crafted message and extract key shares in 16-bit chunks, retrieving the entire private key from the wallet in 16 repetitions.

The flaw stems from a missing check on the attacker-supplied Paillier modulus N: vulnerable implementations did not verify that N is free of small factors, i.e., that it is a genuine biprime (the product of two large primes), before using the attacker's Paillier encryption in the protocol.

"If exploited, the vulnerability allows a threat actor interacting with the signatories in the TSS protocol to steal their secret shards and ultimately obtain the master secret key," reads Fireblocks' report.

"The severity of the vulnerability depends on the implementation parameters, so different parameter choices give rise to different attacks with varying degrees of effort/resources required to extract the full key."
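The missing check described above, as an added example that is not Fireblocks' code nor any wallet vendor's: a signer that receives a counterparty's Paillier modulus N should at least reject moduli that are too short, have small prime factors, are perfect powers, or are themselves prime before using N in GG18/GG20. The bit sizes, function names and the constructed moduli in `demo()` are assumptions for illustration. The local test is necessary but not sufficient: passing it does not prove N is a biprime, and the protocol-level fix is a zero-knowledge proof from the counterparty that N is a product of two large primes, which this snippet does not implement.

```python
"""Local sanity checks on a counterparty-supplied Paillier modulus N.

Added example (not Fireblocks' or any wallet's code). It rejects the classes
of attacker-chosen modulus that a missing check would otherwise let through.
Passing these checks is NOT proof that N is a biprime; the signer must still
demand the counterparty's zero-knowledge proof of that fact.
"""
import random


def _small_primes(limit=10_000):
    """Primes below `limit` by sieve; used for trial division."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = _small_primes()


def is_probable_prime(n, rounds=40):
    """Trial division followed by Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _iroot(k, n):
    """Floor of the integer k-th root of n (binary search)."""
    lo, hi = 0, 1 << ((n.bit_length() + k - 1) // k)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n):
    """True if n == m**k for some k >= 2 (e.g. p**2, which is not a biprime)."""
    return any(_iroot(k, n) ** k == n for k in range(2, n.bit_length() + 1))


def check_paillier_modulus(n, min_bits=2048):
    """Return (accepted, reason) for a modulus received from the counterparty."""
    if n.bit_length() < min_bits:
        return False, f"modulus has {n.bit_length()} bits, need at least {min_bits}"
    for p in SMALL_PRIMES:
        if n % p == 0:
            return False, f"modulus divisible by small prime {p}"
    if is_perfect_power(n):
        return False, "modulus is a perfect power"
    if is_probable_prime(n):
        return False, "modulus is prime, not a biprime"
    return True, "passed local checks; still require a ZK proof that N is a biprime"


def random_prime(bits):
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def demo(bits=512):
    """Constructed moduli: one honest biprime and three attacker-style choices.
    `bits` is kept small so the example runs in seconds; real Paillier moduli
    are 2048 bits or more."""
    half = bits // 2 + 1  # ensures p*q clears the size check
    cases = {
        "honest_biprime": random_prime(half) * random_prime(half),
        "small_factor": 3 * 5 * 7 * random_prime(bits - 6),
        "prime_modulus": random_prime(bits + 1),
        "perfect_square": random_prime(half) ** 2,
    }
    return {name: check_paillier_modulus(n, min_bits=bits) for name, n in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} accepted={ok!s:5s} {reason}")
```

Trial division and the perfect-power test catch the cheap attacker choices; the Miller-Rabin call rejects a modulus that is simply a prime (for which Paillier is not a proper cryptosystem). None of this tells the honest signer that N has exactly two large prime factors, which is why the accepted case still names the ZK proof as outstanding.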

The vulnerability in the Lindell17 2PC protocol (CVE-2023-33242) is of a similar nature, allowing an attacker to extract the entire private key after approximately 200 signature attempts.

The flaw lies in implementations of the 2PC protocol rather than in the protocol itself, and it manifests as a mishandling of aborts: wallets that continue signing after a check fails inadvertently expose bits of the private key with every signature.

"The attack takes advantage of a mishandling of aborts by wallets using the 2PC protocol given an 'impossible choice' between aborting operations, which is an unreasonable approach given funds might be locked in the wallet, or to continue signing and sacrificing additional bits of the key with every signature." - Fireblocks

The attack exploiting this flaw is 'asymmetric', meaning it can be mounted from either side, by corrupting the client or the server.

In the first scenario, the attacker corrupts the client and makes it send crafted requests to the server on their behalf, each of which reveals one bit of the server's secret share.

Fireblocks says 256 such attempts are required to gather enough data to reconstruct the server's entire secret share.

However, since there is no limit on failed signing attempts, the attacker can hit the server with many requests in quick succession, so the attack can be completed in a short time.

The second scenario targets the client's secret share, using a compromised server to retrieve it via specially crafted messages. Again, 256 requests are required for complete key extraction.

The analysts have also published proof-of-concept (PoC) exploits on GitHub, one for each of the two protocols.

Coinbase told BleepingComputer that it fixed the flaws in its Wallet as a Service (WaaS) solution after they were disclosed, and thanked the researchers for their responsible disclosure.

"We would like to thank Fireblocks for identifying and responsibly disclosing this issue. While Coinbase customers and funds were never at risk, maintaining a fully trustless cryptographic model is an important aspect of any MPC implementation," said Jeff Lunglhofer, Chief Information Security Officer at Coinbase. "Setting a high industry bar for safety protects the ecosystem and is critical to the broader adoption of this technology."

Hackers use open source Merlin post-exploitation toolkit in attacks

Ukraine is warning of a wave of attacks targeting state organizations using 'Merlin,' an open-source post-exploitation and command and control framework.

Merlin is a Go-based cross-platform post-exploitation toolkit available for free via GitHub, offering extensive documentation for security professionals to use in red team exercises.

It offers a wide range of features, allowing red teamers (and attackers) to obtain a foothold on a compromised network.

  • Support for HTTP/1.1 over TLS and HTTP/3 (HTTP over QUIC) for C2 communication.
  • PBES2 (RFC 2898) and AES Key Wrap (RFC 3394) for agent traffic encryption.
  • OPAQUE Asymmetric Password Authenticated Key Exchange (PAKE) & Encrypted JWT for secure user authentication.
  • Support for CreateThread, CreateRemoteThread, RtlCreateUserThread, and QueueUserAPC shellcode execution techniques.
  • Domain fronting for bypassing network filtering.
  • Integrated Donut, sRDI, and SharpGen support.
  • Dynamic change in the agent's JA3 hash & C2 traffic message padding for evading detection.

However, as we saw with Sliver, Merlin is now being abused by threat actors who use it to power their own attacks and spread laterally through compromised networks.

CERT-UA reports that it detected Merlin in attacks that started with a phishing email impersonating the agency (sender address: [email protected]) that supposedly provided the recipients with instructions on how to harden their MS Office suite.

Sample of the malicious email (Source: CERT-UA)

The emails carry a CHM file attachment that, if opened, executes JavaScript code, which in turn runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive containing the executable "ctlhost.exe."

If the recipient runs this executable, their computer is infected with the Merlin agent, giving the threat actors access to the machine and its data and a foothold from which to move laterally in the network.
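The delivery chain above, expressed as a process-tree detection over constructed telemetry. This is an added example, not CERT-UA's or Merlin's code: the events below are made-up Sysmon-style process-creation records, not a capture from the campaign, and the assumption that the CHM is rendered by hh.exe (Windows' HTML Help viewer, so the PowerShell launched by the CHM's embedded JavaScript carries hh.exe as its parent) is the editor's, not a detail from the CERT-UA report. The ctlhost.exe filename is the only indicator taken from the page, and it is a weak one since the actor can rename it.

```python
"""Process-tree detection for a CHM -> script host -> dropped-binary chain.

Added example, not CERT-UA's or Merlin's code. SAMPLE_EVENTS are constructed
Sysmon-style (Event ID 1) records, not real telemetry. Assumption: the CHM is
opened by hh.exe (Windows HTML Help), so the PowerShell launched by the CHM's
embedded JavaScript shows up with hh.exe as its parent process.
"""
import posixpath

HELP_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Filename CERT-UA reported for the Merlin loader; a weak, easily changed IOC.
KNOWN_LOADER_NAMES = {"ctlhost.exe"}

# Constructed sample telemetry: pid 5230 is the CHM-spawned PowerShell,
# pid 5500 the dropped loader, pid 6000 a benign PowerShell run by the user.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5012, "ppid": 4100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\instructions.chm'},
    {"pid": 5230, "ppid": 5012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"pid": 5500, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\ctlhost.exe",
     "cmdline": "ctlhost.exe"},
    {"pid": 6000, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
]


def basename(image):
    """Case-folded file name of a Windows image path."""
    return posixpath.basename(image.replace("\\", "/")).lower()


def ancestry(pid, by_pid):
    """Image names from the process itself up to the root we have events for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against pid-reuse loops in the telemetry
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Alerts for script hosts descended from hh.exe and for known loader names."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        me = chain[0]
        if me in SCRIPT_HOSTS and HELP_VIEWER in chain[1:]:
            alerts.append({"rule": "chm-spawned-script-host", "pid": e["pid"],
                           "chain": " <- ".join(chain), "cmdline": e["cmdline"]})
        if me in KNOWN_LOADER_NAMES:
            alerts.append({"rule": "known-loader-filename", "pid": e["pid"],
                           "chain": " <- ".join(chain), "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule is the durable one: a help viewer has no business launching a script host, whatever the CHM or the dropped binary is called. The second rule is there to show how a filename from a report fits in, not because it will survive the next campaign.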

Executable that loads the Merlin agent on the system (Source: CERT-UA)

CERT-UA has assigned this malicious activity the unique identifier UAC-0154, and the first attacks were recorded on July 10, 2023, when the threat actors used a "UAV training" bait in their emails.

Using open-source tools like Merlin to attack government agencies or other important organizations makes attribution harder, leaving fewer distinct traces that can be linked to specific threat actors.

DARPA Launches Two-Year Contest to Build AI Tools to Fix Vulnerabilities

Teams will be challenged to build AI-based tools that address open source software's vulnerability problems.

Black Hat Opens With Call to Steer AI from Predictions to Policy

Without cybersecurity guardrails now, AI will be harder to harness in the future.

Private Key Leaks Allow Attackers to Empty Crypto Investors' Wallets

Digital signature schemes designed to protect crypto investors are vulnerable to leakage.

Researchers Detail Vuln That Allowed for Windows Defender Update Process Hijack

Newly patched flaw allowed attackers to sneak malware past Defender, delete benign files, and inflict mayhem on target systems.

It's Time for Cybersecurity to Talk About Climate Change

From e-waste to conference swag to addressing data center energy consumption, cybersecurity stakeholders need a whole-industry approach to being part of the solution and reducing the risk of climate change.

New LLM Tool Seeks and Remediates Vulnerabilities

Vicarius launched vuln_GPT, which it says will generate and execute scripts to ameliorate flaws such as the TETRA backdoor.

Balada Injector still at large – new domains discovered

The Balada Injector is still at large and still evading security software by utilizing new domain names and new obfuscation. During a routine web monitoring operation, we discovered an address that led us down a rabbit hole of WordPress-oriented "hack waves" caused by the Balada Injector malware. This evidence suggests that the malware is […]

The post Balada Injector still at large – new domains discovered appeared first on Security Affairs.

Researchers watched 100 hours of hackers hacking honeypot computers

Imagine being able to sit behind a hacker and observe them take control of a computer and play around with it. That’s pretty much what two security researchers did thanks to a large network of computers set up as a honeypot for hackers. The researchers deployed several Windows servers deliberately exposed on the internet, set […]

Missouri warns that health info was stolen in IBM MOVEit data breach

Missouri's Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack.

The attack was conducted by the Clop ransomware gang, who began hacking MOVEit Transfer servers on May 27th using a zero-day vulnerability tracked as CVE-2023-34362.

These attacks allowed the threat actors to steal data from over 600 organizations worldwide, including companies, educational institutions, federal government agencies, and state and local agencies.

The ransomware gang is expected to make $75-100 million from these attacks.

Missouri health data exposed

Yesterday, the Missouri Department of Social Services disclosed a data breach that exposed health information related to Medicaid services in the state.

"The Missouri Department of Social Services (DSS) is responding to a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved Progress Software's MOVEit Transfer software," reads the DSS data breach notification.

"IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS. DSS took immediate steps in response to this incident that are ongoing."

IBM confirmed to BleepingComputer yesterday that their MOVEit Transfer server was breached in these attacks, allowing data theft.

"IBM has worked in partnership with the Missouri Department of Social Services to determine and minimize the impact of the incident involving MOVEit Transfer, a non-IBM data transfer program provided by Progress Software," IBM told BleepingComputer in a statement.

"Upon receiving a security bulletin from Progress, we severed interaction of MOVEit Transfer with the department's IT systems to avoid any further impact to Missouri citizens and their data. No IBM systems were impacted."

After analyzing the stolen data, DSS confirmed that it contained protected health information for Medicaid participants in Missouri.

"The information involved in this incident may include an individual's name, department client number (DCN), date of birth, possible benefit eligibility status or coverage, and medical claims information," explains the DSS notification.

"DSS is still reviewing the files associated with this incident. This will take us some time to complete. These files are large, are not in plain English, and are not easily readable because of how they are formatted."

The agency told BleepingComputer that the investigation has revealed that only two (2) social security numbers were exposed and no banking information has been identified.

DSS warns that due to the size of the stolen files and how they are formatted, it may take some time to analyze the data and fully determine the scope of the data breach.

However, DSS told BleepingComputer that out of an abundance of caution they are sending notifications to all Missouri Medicaid participants that were enrolled in May of 2023.

The Missouri Department of Social Services suggests that individuals freeze their credit to prevent threat actors from opening new accounts or borrowing money under their name.

The agency also recommends that those impacted monitor their credit reports for unusual activity.

The MOVEit Transfer attacks have impacted other state agencies, including the Louisiana and Oregon Departments of Motor Vehicles, which warned in June that millions of state IDs were stolen.

INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform

By Waqas

The cybercrime platform 16shop sold hacking tools and other malicious tools used to compromise more than 70,000 users in 43 countries.

This is a post from HackRead.com Read the original post: INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform

'Downfall' Bug in Billions of Intel CPUs Reveals Major Design Flaw

A newly revealed flaw affects a good chunk of the world's computers. A patch has been released, but broad, structural change in CPU design will be required to address the root cause.

Rhysida ransomware behind recent attacks on healthcare

The Rhysida ransomware operation is making a name for itself after a wave of attacks on healthcare organizations has forced government agencies and cybersecurity companies to pay closer attention to its operations.

Following a security bulletin by the U.S. Department of Health and Human Services (HHS), Check Point, Cisco Talos, and Trend Micro have all released reports on Rhysida, each focusing on different aspects of the threat actor's operations.

Previously, in June, Rhysida drew attention for the first time after leaking documents stolen from the Chilean Army (Ejército de Chile) on its data leak site.

At the time, a preliminary analysis of the Rhysida encryptor by SentinelOne showed that the ransomware was in early development, missing standard features seen in most strains like persistence mechanisms, Volume Shadow Copy wiping, process termination, etc.

"This is an automated alert from cybersecurity team Rhysida," reads the Rhysida ransom note.

"An unfortunate situation has arisen – your digital ecosystem has been compromised, and a substantial amount of confidential data has been exfiltrated from your network."

Rhysida ransom note (Source: BleepingComputer)

Rhysida targets healthcare orgs

While some ransomware operations claim not to intentionally target healthcare organizations and even provide free decryption keys if done by mistake, Rhysida does not appear to follow the same policy.

The Rhysida dark web data leak site lists a healthcare organization in Australia, giving them a week to pay a ransom before the stolen data is leaked.

Rhysida dark web data leak site (Source: BleepingComputer)

A bulletin published by the U.S. Department of Health and Human Services (HHS) last week warned that while Rhysida still uses an elementary locker, the scale of its activities has grown to dangerous proportions, and recently, the threat actors demonstrated a focus on the healthcare and public sector.

"Its victims are distributed throughout several countries across Western Europe, North, South America, and Australia," reads HHS's bulletin.

"They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector."

Sources have told BleepingComputer that Rhysida is behind a recent cyberattack on Prospect Medical Holdings (PMH), which is still experiencing a system-wide outage impacting 17 hospitals and 166 clinics across the United States.

However, Rhysida has not yet claimed responsibility for the attack, and PMH has not responded to emails asking whether the ransomware gang is behind it.

A Trend Micro report released today focuses on the most commonly observed Rhysida attack chain, explaining that the threat group uses phishing emails to achieve initial access, then deploys Cobalt Strike and PowerShell scripts, and eventually drops the locker.

An interesting observation from Trend Micro's analysts is that the PowerShell scripts used by Rhysida operators terminate AV processes, delete shadow copies, and modify RDP configurations. A ransomware encryptor usually handles these tasks itself, but the Rhysida operation relies on external scripts for them, which suggests the locker is still under active development.

Rhysida's latest attack chain (Trend Micro)

Cisco Talos' report confirms that the most recent Rhysida locker uses a 4096-bit RSA key together with the ChaCha20 cipher for file encryption, and that it now excludes several directories as well as the following file types:

.bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .lnk, .msi, .ocx, .ps1, .psm1, .scr, .sys, .ini, .url, .iso, and the file thumbs.db

Directories excluded from encryption (Source: Cisco Talos)

Check Point's report goes a step further, linking Rhysida to the now-defunct Vice Society ransomware operation, based on the victim publishing times on the two extortion sites and their similar victim targeting patterns.

Comparison of activity change in Vice Society and Rhysida (Check Point)

In conclusion, Rhysida has quickly established itself in the ransomware space, targeting organizations in various sectors and showing no hesitation in attacking hospitals.

Although the RaaS's operations initially scaled faster than its tooling matured, recent developments show that the locker is catching up.

Intel Responds to ‘Downfall’ Attack with Firmware Updates, Urges Mitigation

By Habiba Rashid

New Intel Processor Vulnerability "Downfall" Discovered: Threats to Data Security Amplify

This is a post from HackRead.com Read the original post: Intel Responds to ‘Downfall’ Attack with Firmware Updates, Urges Mitigation

Safety of Officers & Civilians of PSNI Compromised in Major Data Breach

A mistake snowballs into a serious political issue as the safety of police officers in Northern Ireland is compromised in an accidental data leak.

Pirate Site Survives ‘Operation: Mechta Shemesh’ But Massive Lawsuit Awaits

As part of their years-long yet largely unsuccessful mission to bring down the TV piracy site Sdarot, in 2022 several Israeli entertainment companies obtained a court injunction in the U.S. which required every ISP in the country to block the site. While that never happened, action against Sdarot has now reached boiling point: international raids, server seizures, and a full-blown lawsuit in Israel targeting 14 people. And a site that remains up and taunting its rivals.

From: TF, for the latest news on copyright battles, piracy and more.

EvilProxy used in massive cloud account takeover scheme

A cloud account takeover scheme utilizing EvilProxy hit over 100 top-level executives of global organizations. EvilProxy was observed sending 120,000 phishing emails to over a hundred organizations to steal Microsoft 365 accounts. Proofpoint noticed a worrisome surge of successful cloud account compromises in the past five months. Most of the attacks targeted high-ranking executives. The researchers estimated […]

The post EvilProxy used in massive cloud account takeover scheme appeared first on Security Affairs.

Popular open source project Moq criticized for quietly collecting data

Open source project Moq (pronounced "Mock") has drawn sharp criticism for quietly including a controversial dependency in its latest release.

Distributed on the NuGet software registry, Moq sees over 100,000 downloads on any given day, and has been downloaded over 476 million times over the course of its lifetime.

Moq's 4.20.0 release from this week quietly included another project, SponsorLink, which caused an uproar among open source software consumers, who likened the move to a breach of trust.

Seemingly an open-source project, SponsorLink is actually shipped on NuGet as closed source and contains obfuscated DLLs that collect hashes of user email addresses and send these to SponsorLink's CDN, raising privacy concerns.

Moq breaks user trust

Last week, one of Moq's owners, Daniel Cazzulino (kzu), who also maintains the SponsorLink project, added SponsorLink to Moq versions 4.20.0 and above.

This move sent shock waves across the open source ecosystem for two main reasons: while Cazzulino has every right to change his project Moq, he did not notify the user base before bundling the dependency, and the SponsorLink DLLs contain obfuscated code, making it hard to reverse engineer and not quite "open source."

"It seems that starting from version 4.20, SponsorLink is included," Germany-based software developer Georg Dangl reported, referring to Moq's 4.20.0 release.

"This is a closed-source project, provided as a DLL with obfuscated code, which seems to at least scan local data (git config?) and sends the hashed email of the current developer to a cloud service."

The scanning capability is part of the .NET analyzer tool that runs during the build process, and is hard to disable, warns Dangl.

"I can understand the reasoning behind it, but this is honestly pretty scary from a privacy standpoint."

SponsorLink describes itself as a means to integrate GitHub Sponsors into your libraries so that "users can be properly linked to their sponsorship to unlock features or simply get the recognition they deserve for supporting your project."

GitHub user Mike (d0pare) decompiled the DLLs, and shared a rough reconstruction of the source code. The library, according to the analyst, "spawns external git process to get your email."

It then calculates a SHA-256 hash of the email addresses and sends it to SponsorLink's CDN: hxxps://cdn.devlooped[.]com/sponsorlink.

Telemetry code hidden within Moq and SponsorLink (Source: GitHub)

"Honestly Microsoft should blacklist this package working with the NuGet providers," writes Austin-based developer Travis Taylor.

"The author can't be trusted. This was an incredibly stupid move that's just created a ton of work for lots of people."

Developer defends change

In a comment, Cazzulino explained his reasons, admitting that the "4.20" version was "a jab so that people wouldn't take it so seriously."

"I've been testing the waters with SponsorLink for a while now (~6 mo since the announcement)," says Cazzulino.

"It has been hard getting actual feedback, so even if the comments are a "bit" harsh, I really appreciate it!"

Cazzulino further updated the SponsorLink project's README with a lengthy "Privacy Considerations" section, shown below, which clarifies that no actual email addresses, only their hashes, are collected. The update was made only a few hours before publication, after the backlash emerged.

There was some concern that SponsorLink might be collecting your email without your explicit consent. This is incorrect, and can easily be verified by running Fiddler to see what kind of traffic is happening.

Specifically, the actual email is never sent when performing the sponsoring check. The email on your local machine is hashed with SHA256, then Base62-encoded. The resulting opaque string (which can never reveal the originating email) is the only thing used.

The only moment SponsorLink actually gets your email address (to perform the backend- side association of that opaque string with your actual email and GH user to link your sponsorship), is after you install the SponsorLink GitHub app and give it explicit permission to do so.

Also, the moment you suspend or uninstall the app, we delete all records associated with your account and your email(s).

"The notice seems to be a reactive response to the online backlash rather than the project being upfront about what data was being harvested," Ankita Lamba, senior security researcher at Sonatype told BleepingComputer after spotting the update.

In the past, Cazzulino has also defended his decision to keep SponsorLink closed source and obfuscated so as to prevent some of its checks being bypassed. In his words, the opaque features of the library are "by design."

A potential privacy concern

The quiet inclusion of SponsorLink in projects such as Moq raises privacy concerns from both an ethical and a legal standpoint.

First comes the question of an obscure, closed source dependency (SponsorLink) being distributed via open source channels, and being included in popular OSS projects, such as GitInfo—which is also created by Cazzulino and downloaded millions of times.

Collection of email address hashes may not altogether be anonymous either.

In theory at least, SponsorLink's developer could compare the harvested hashes against a database of email addresses leaked somewhere and identify users: the hash is a deterministic function of the address, so anyone holding a list of candidate addresses only needs to hash each one and look for a match.
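Why a hashed address is a pseudonym rather than an anonymisation, as an added example that is not SponsorLink's, Moq's or d0pare's code. It reproduces the transformation the decompiled DLL was reported to apply (SHA-256 of the address, then Base62) and then reverses it with a candidate list. The Base62 alphabet ordering, the lower-casing of the address before hashing, and the candidate addresses are all assumptions made up for the demonstration; SponsorLink's exact normalisation is not stated on the page.

```python
"""Re-identifying Base62(SHA-256(email)) pseudonyms with a candidate list.

Added example; not SponsorLink's, Moq's or d0pare's code. The alphabet
ordering and the address normalisation are assumptions, and the "leaked"
candidate list is constructed for the demo.
"""
import hashlib
import string

# Assumed ordering: digits, then upper-case, then lower-case (62 symbols).
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62(data: bytes) -> str:
    """Encode bytes as a big-endian integer in base 62."""
    n = int.from_bytes(data, "big")
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, rem = divmod(n, 62)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def opaque_id(email: str) -> str:
    """SponsorLink-style identifier: SHA-256 of the normalised address, Base62-encoded.
    Normalisation (strip + lower-case) is an assumption made for this example."""
    digest = hashlib.sha256(email.strip().lower().encode("utf-8")).digest()
    return base62(digest)


def reidentify(collected_ids, candidate_emails):
    """Map collected opaque ids back to addresses found in a candidate list.

    The hash is deterministic and unsalted, so one table built over the
    candidate list answers every lookup. That is why "we only store the hash"
    is not an anonymity guarantee against anyone holding a plausible list.
    """
    table = {opaque_id(e): e.strip().lower() for e in candidate_emails}
    return {h: table[h] for h in collected_ids if h in table}


# Constructed data: two developers' ids as the CDN would receive them, and a
# made-up "breach dump" that happens to contain one of the two addresses.
COLLECTED = [opaque_id("alice@example.com"), opaque_id("mallory@example.net")]
CANDIDATES = ["bob@example.com", "Alice@Example.com", "carol@example.org"]


def demo():
    """Return the subset of COLLECTED ids that the candidate list resolves."""
    return reidentify(COLLECTED, CANDIDATES)


if __name__ == "__main__":
    for h, email in demo().items():
        print(f"{h} -> {email}")
```

The id for mallory@example.net stays opaque only because that address is absent from the candidate list; the protection is the secrecy of the address, not the hash. A keyed hash with a per-installation secret, or simply asking for consent before sending anything, would remove the dictionary attack.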

"I consider your hashing more as a security by obscurity. Even hashed mail should be sent only after consent," states Michał Rosenbaum.

"I'd say serious concerns have now been raised. The vast majority of users don't even know this change has been made and would have a problem," states another software engineer, Kevin Walter.

"Trust with moq is now broken as has GDPR. This is underhanded to say the least. Be one of the good guys," Walter urged Cazzulino to be more transparent with regards to the obscure SponsorLink package.

In reaction, several developers either threatened to stop using Moq [1, 2] in favor of alternatives or began building tools that would detect and block any project that runs SponsorLink.

Some went a step further, suggesting they would boycott projects that use SponsorLink or even report "SponsorLink" as malware to the NuGet registry [1, 2].

BleepingComputer has contacted SponsorLink's creator, Cazzulino, for comment prior to publishing.

White House Offers Prize Money for Hacker-Thwarting AI

The White House launched an Artificial Intelligence Cyber Challenge competition for creating new AI systems that can defend critical software from hackers.

The post White House Offers Prize Money for Hacker-Thwarting AI appeared first on SecurityWeek.
