Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Intern).
Top stories – 7 July 2023
- Swedish data protection watchdog advises against Google Analytics due to surveillance risks
- TeamsPhisher” tool exploits Microsoft Teams vulnerability to deliver malicious files
- Japan’s Port of Nagoya hit by ransomware attack, disrupting operations
- Researchers discover potentially massive campaign targeting cloud-native environments
- Dozor-Teleport, Russian satellite internet provider, faces cyberattack
Swedish data protection watchdog advises against Google Analytics due to surveillance risks
- Swedish data protection authority warns companies about using Google Analytics due to U.S. government surveillance concerns.
- IMY audit reveals personal data is transmitted to the U.S. via Google Analytics, and technical security measures are insufficient.
- Tele2 fined $1.1 million, CDON fined less than $30,000 for inadequate data anonymisation, and instructed to discontinue Google Analytics use.
The Swedish data protection authority, IMY, has cautioned companies about using Google Analytics due to concerns over U.S. government surveillance. This move follows similar actions taken by Austria, France, and Italy in the previous year. The warning came as a result of an audit conducted by IMY on four companies: CDON, Coop, Dagens Industri, and Tele2.
IMY determined that the data transmitted to the U.S. via Google’s statistics tool qualifies as personal data because it can be linked with other unique information that is transferred. Additionally, the authority concluded that the technical security measures implemented by the companies were insufficient to ensure a level of protection equivalent to that guaranteed within the EU/EEA.
Tele2, a Swedish telecom service provider, received a fine of $1.1 million, while local online marketplace CDON was fined less than $30,000. These penalties were imposed for failing to implement adequate measures to anonymise data before its transfer.
Furthermore, CDON, Coop, and Dagens Industri have been instructed to discontinue their use of Google Analytics, while Tele2 has voluntarily ceased using the service.
The investigation was initiated based on a complaint filed by the privacy non-profit organisation, None of Your Business (noyb), alleging violations of the General Data Protection Regulation (GDPR).
The decision is grounded in the fact that E.U.-U.S. data transfers have been deemed unlawful due to concerns over potential access to data by U.S. intelligence agencies. Similar concerns resulted in Meta (formerly Facebook) being issued a record $1.3 billion fine by E.U. data protection agencies. Efforts are underway to finalise a new data transfer framework, known as the E.U.-U.S. Data Privacy Framework, to replace the now-invalid Privacy Shield.
TeamsPhisher” tool exploits Microsoft Teams vulnerability to deliver malicious files
- “TeamsPhisher” tool exploits Microsoft Teams vulnerability, targeting organisations with internal-external user communication.
- Tool leverages Insecure Direct Object Reference (IDOR) technique to deliver malicious payloads to victims’ Teams inboxes.
- Microsoft’s response and impact on vulnerability remediation remains unknown, organisations advised to reassess internal-external user communication.
A new tool called “TeamsPhisher” has emerged on GitHub, allowing attackers to take advantage of a recently disclosed vulnerability in Microsoft Teams. This tool specifically targets organisations that permit communication between their internal Teams users and external Teams users, enabling attackers to deliver malicious payloads directly to victims’ inboxes without relying on traditional phishing or social engineering techniques.
TeamsPhisher incorporates the Insecure Direct Object Reference (IDOR) technique, previously revealed by researchers from JUMPSEC Labs. By exploiting an IDOR issue in Teams, attackers can manipulate the internal and external recipient IDs, tricking the system into hosting the payload on the sender’s SharePoint domain and delivering it to the victim’s Teams inbox. This vulnerability affects all organisations running Teams in the default configuration and could be exploited to bypass anti-phishing measures and other security controls.
Developer Alex Reid, a member of the US Navy’s Red Team, designed TeamsPhisher to automate the cyberattack process. The tool leverages the techniques discovered by JUMPSEC researchers and incorporates earlier research on Microsoft Teams by independent researcher Andrea Santese. It also integrates the functionalities of TeamsEnum, a tool released on GitHub by a researcher from Secure Systems Engineering GmbH, for enumerating Teams users.
TeamsPhisher begins by enumerating a target user and confirming their ability to receive external messages. It then creates a new thread with the target user, utilising a technique to bypass the typical warning screens. The initial message containing a link to the malicious attachment is sent, and subsequent interactions can be conducted manually if necessary.
Microsoft has not yet responded to inquiries regarding the impact of the TeamsPhisher tool on their stance regarding remediation of the vulnerability. JUMPSEC advises organisations to reassess the need for enabling communication between internal Teams users and external tenants, recommending tightened security controls or the removal of this option if not essential.
Japan’s Port of Nagoya hit by ransomware attack, disrupting operations
- Japan’s largest port, Port of Nagoya, hit by ransomware attack, causing major disruptions.
- Ransomware attack on “Nagoya Port Unified Terminal System” (NUTS) leads to cancellation of container operations and financial losses.
- Efforts underway to restore system, previous cyberattacks experienced, but current attack considered most significant.
The Port of Nagoya, Japan’s largest and busiest port, has fallen victim to a ransomware attack, causing significant disruptions to container terminals. The port, accounting for around 10% of Japan’s total trade volume, handles over two million containers and 165 million tons of cargo annually. It is also utilised by Toyota Motor Corporation for exporting a substantial portion of its vehicles.
The administrative authority of the port, in a notice, revealed that the “Nagoya Port Unified Terminal System” (NUTS), which controls all container terminals, experienced a malfunction due to a ransomware attack on July 4, 2023, at approximately 06:30 AM local time. The attack prompted the cancellation of container loading and unloading operations, resulting in substantial financial losses and disrupting the flow of goods to and from Japan.
Efforts are underway to restore the NUTS system by 6 PM on the same day, with operations expected to resume by 08:30 AM the following day. The identity of the threat actor behind the attack remains unknown, as no group has claimed responsibility publicly. The Port of Nagoya has previously faced cyberattacks, including a distributed denial-of-service (DDoS) attack in September 2022 by the pro-Russian group Killnet, although the impact of the current ransomware attack is deemed the most significant to date.
Researchers discover potentially massive campaign targeting cloud-native environments
- Cybersecurity researchers uncover extensive attack campaign targeting cloud-native environments.
- Aggressive cloud worm deployed to target JupyterLab and Docker APIs, propagate Tsunami malware.
- Campaign named Silentbob, possibly linked to cryptojacking group TeamTNT, posing significant threat to cloud security.
Cybersecurity researchers have uncovered an attack infrastructure that is part of a potentially extensive campaign against cloud-native environments. Cloud security firm Aqua revealed the existence of this infrastructure, which includes an aggressive cloud worm designed to target exposed JupyterLab and Docker APIs. The worm’s purpose is to deploy the Tsunami malware, hijack cloud credentials, hijack resources, and further propagate the worm.
The campaign, named Silentbob after an AnonDNS domain used by the attacker, is believed to be linked to the cryptojacking group known as TeamTNT due to similarities in tactics, techniques, and procedures (TTPs). However, it is also possible that this is the work of an advanced copycat.
Aqua’s investigation began following an attack on its honeypot in early June 2023. The attack led to the discovery of four malicious container images designed to identify exposed Docker and JupyterLab instances and deploy a cryptocurrency miner and the Tsunami backdoor.
The attack utilises a shell script that launches upon container start-up, deploying the Go-based ZGrab scanner to locate misconfigured servers. Docker has taken down the images from the public registry.
Aqua identified 51 servers with exposed JupyterLab instances that have been actively exploited or show signs of exploitation. One server was subjected to a live manual attack using masscan to scan for exposed Docker APIs.
The attackers initially target misconfigured servers and then deploy containers or use the Command Line Interface (CLI) to scan for and infect additional victims. The secondary payload includes a crypto miner and a backdoor, with the Tsunami malware being the weapon of choice for the backdoor.
This campaign poses a significant threat to cloud-native environments, highlighting the importance of proper configuration and security measures to prevent exploitation.
Dozor-Teleport, Russian satellite internet provider, faces cyberattack
- Russian satellite internet provider Dozor-Teleport hit by cyberattack, causing communication disruptions.
- Wagner Group claims responsibility, but experts skeptical about their involvement.
- Uncertainty surrounds true identity of threat actors and their motives as investigation progresses.
Dozor-Teleport, a Russian satellite internet provider, suffered a significant cyberattack on June 29, causing disruptions in communication for its customers, including Russian military and energy entities. The Wagner Group, a former mercenary army aligned with Russia but now seemingly opposing the government, claimed responsibility for the attack. However, experts are skeptical about their involvement.
According to Russian reports, it may take up to two weeks for Dozor-Teleport to fully recover. The company’s general director, Alexander Anosov, confirmed the breach, stating that initial investigations indicate a third-party cloud provider as the entry point for the attack.
The threat actors behind the compromise communicated via Telegram, explaining that they successfully delivered malware to satellite terminals, resulting in their offline status. They also posted internal data stolen from Dozor-Teleport’s network.
While the cyberattack is initially attributed to the Wagner Group, their official Telegram channel has not made any mention of the incident. Cybersecurity expert Oleg Shakirov, who has been monitoring the breach, expressed doubts about Wagner’s involvement. Instead, he suspects the Ukrainian military might be responsible and suggests that certain defaced Russian websites purportedly attributed to Wagner are part of a Ukrainian false flag operation.
The true identity of the threat actors and their motives remain uncertain as the investigation continues.