Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).
Top stories – 09 February 2024
- AnyDesk says hackers breached its production servers, reset passwords
- Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs
- Microsoft Azure HDInsight Bugs Expose Big Data to Breaches
- Google says spyware vendors behind most zero-days it discovers
- ‘ResumeLooters’ Attackers Steal Millions of Career Records
AnyDesk says hackers breached its production servers, reset passwords
- AnyDesk suffered a cyberattack, losing source code and keys, prompting urgent updates and password changes.
- AnyDesk swiftly responded by replacing stolen certificates and urging users to adopt the latest version.
- The incident highlights the escalating threat landscape, joining recent cyberattacks on major companies.
AnyDesk, a popular remote access solution, confirmed a recent cyberattack resulting in the theft of source code and code signing keys. The attack was detected after signs of compromise were noticed on production servers. With 170,000 customers, including notable enterprises, AnyDesk activated a response plan with cybersecurity firm CrowdStrike. Although no ransomware was involved, the attackers stole critical assets.
AnyDesk assured customers of safety but recommended updating to the latest version, which ships with new code signing certificates. While no authentication tokens were taken, AnyDesk advised password changes as a precaution. The company swiftly replaced the stolen certificates, with version 8.0.8 reflecting the change. Although the breach date wasn’t disclosed, a four-day outage related to the incident began on January 29th. AnyDesk urged users to adopt the new version and change passwords.
This incident adds to a string of recent cyberattacks, including Cloudflare and Microsoft, highlighting the escalating threat landscape.
Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs
- Cloudflare faced a nation-state cyberattack, compromising its Atlassian server between November 14 and 24, 2023, resulting in the theft of documentation and source code.
- Cloudflare responded by rotating over 5,000 credentials, segmenting systems, and conducting forensic triages on nearly 5,000 systems to contain the intrusion.
- The attack exploited stolen credentials from a previous hack, highlighting the importance of credential rotation, and was limited to the Atlassian environment, with the threat actor targeting network architecture and security information.
Cloudflare disclosed a likely nation-state cyberattack between November 14 and 24, 2023, where threat actors used stolen credentials to access its Atlassian server, obtaining documentation and some source code.
The sophisticated attacker aimed for persistent access to Cloudflare’s global network. Cloudflare took extensive measures, rotating over 5,000 credentials, segmenting systems, and performing forensic triages on 4,893 systems. The intrusion involved reconnaissance to access Atlassian Confluence and Jira portals, followed by creating a rogue user account to establish persistent access and access to Bitbucket source code repositories. Approximately 120 code repositories were viewed, with 76 estimated to be exfiltrated, mostly concerning backups, network configuration, identity management, and cloud infrastructure. The attacker also attempted to access a console server in São Paulo unsuccessfully.
The attack exploited stolen credentials from the Okta support case management system hack in October 2023, emphasising Cloudflare’s failure to rotate these credentials. Cloudflare terminated malicious connections and engaged CrowdStrike for an independent assessment.
The attack was confined to the Atlassian environment, with the threat actor seeking information on network architecture and security.
Microsoft Azure HDInsight Bugs Expose Big Data to Breaches
- Orca Security found three critical vulnerabilities in Microsoft Azure’s HDInsight service, allowing unauthorized access and system slowdowns.
- CVE-2023-38156 lets attackers gain root access in Hadoop clusters via Apache Ambari.
- Microsoft fixed the bugs, but users need to create new clusters with updates for full protection.
Orca Security recently uncovered three high-risk vulnerabilities in Microsoft Azure’s HDInsight big-data analytics service, posing potential security risks.
One vulnerability, CVE-2023-38156, affects Apache Ambari, allowing attackers to gain root access in a Hadoop cluster via manipulation of the JDBC endpoint. The other two vulnerabilities, CVE-2023-36419 and a moderate-severity bug, affect Apache Oozie, enabling XML External Entity (XXE) injection attacks and causing system slowdowns respectively.
These vulnerabilities could lead to unauthorised access and performance issues, compromising sensitive data. HDInsight, used by major corporations for big-data analysis, necessitates diligent patching to safeguard valuable information.
Microsoft has since fixed the bugs, but HDInsight users must create new clusters with the latest updates for full protection, as in-place upgrades are not supported.
Google says spyware vendors behind most zero-days it discovers
- Google found that 80% of 2023 zero-day vulnerabilities were used by spyware vendors to target individuals like journalists and activists.
- These vendors, such as Cy4Gate and NSO Group, offer sophisticated tools for millions of dollars, exploiting both known and unknown vulnerabilities in Android and iOS devices.
- Google calls for stronger regulations and collaboration to combat the spyware industry while enhancing security measures like Safe Browsing and Gmail security.
Google’s Threat Analysis Group (TAG) discovered that 80% of zero-day vulnerabilities in 2023 were exploited by commercial spyware vendors (CSV) to spy on devices globally, often targeting journalists, activists, and political figures. These vendors, including Cy4Gate, RCS Lab, Intellexa, Negg Group, NSO Group, and Variston, offer sophisticated espionage tools for millions of dollars, using undocumented exploits for Android or iOS devices.
While some exploits leverage known flaws, others target unknown vulnerabilities, with at least 33 exploits developed between 2019 and 2023. The majority of zero-days impact Google Chrome, Android, Apple iOS, and Windows. Although white-hat researchers and Google’s security efforts disrupt CSV operations, demand for spyware remains high, prompting Google to call for stronger collaboration among governments, strict regulations, and diplomatic efforts to curb the spyware industry’s proliferation.
Google continues to counter spyware threats through various security measures, including Safe Browsing, Gmail security, and Google Play Protect, while advocating for transparency and information sharing within the tech community.
‘ResumeLooters’ Attackers Steal Millions of Career Records
- “ResumeLooters” used SQL injection and XSS to target 65 websites, stealing 2 million records, mainly in Asia-Pacific.
- They employed tools like Acunetix and Metasploit and sold stolen data on Chinese-speaking Telegram channels.
- The incident highlights the need for cybersecurity measures like parameterised statements and web application firewalls to prevent such attacks.
A cybercrime group named “ResumeLooters” employed SQL injection and cross-site scripting (XSS) techniques to target at least 65 job-recruitment and retail websites, stealing databases containing over 2 million email addresses and other personal records within a month.
Operating since early 2023, the group mainly targeted victims in the Asia-Pacific region but also compromised companies in other regions. They utilised publicly available penetration-testing tools like Acunetix and Metasploit to inject malicious scripts into websites, aiming to steal data from job seekers. The attackers put the stolen data up for sale on Chinese-speaking Telegram channels. Group-IB’s Threat Intelligence Unit discovered similarities between ResumeLooters’ tactics and those of another group, GambleForce, highlighting the damage that can be caused with readily available tools. Group-IB’s investigation revealed the attackers’ methods, including SQL injection via tools like sqlmap and injection of XSS scripts into legitimate job-search sites.
The campaign underscores the importance of cybersecurity for organisations and highlights preventive measures against SQL injection and XSS attacks, such as using parameterised statements, implementing web application firewalls, and validating user inputs.
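To make the two preventive measures concrete, here is an added example (not code from Group-IB or from any affected site) that contrasts a string-built SQL query with a parameterised one, and shows HTML output encoding for the XSS side. It uses a constructed in-memory job-seeker table and constructed test inputs; the table, values and function names are assumptions for illustration only.

```python
import html
import sqlite3

# Constructed sample data standing in for a recruitment site's database
# (not taken from any real breach).
SAMPLE_USERS = [
    ("alice@example.com", "Alice Example", "Data Engineer"),
    ("bob@example.com", "Bob Example", "SOC Analyst"),
    ("carol@example.com", "Carol Example", "Backend Developer"),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE job_seekers (email TEXT, name TEXT, title TEXT)")
    conn.executemany("INSERT INTO job_seekers VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def search_vulnerable(conn, title: str) -> list:
    # SQL built by concatenation: user input becomes part of the statement text.
    query = "SELECT email FROM job_seekers WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(query)]

def search_parameterised(conn, title: str) -> list:
    # The driver sends the value separately from the statement, so it is
    # only ever compared as data and never parsed as SQL.
    query = "SELECT email FROM job_seekers WHERE title = ?"
    return [row[0] for row in conn.execute(query, (title,))]

def render_title(title: str) -> str:
    # Output encoding: reflected input has every HTML-special character
    # escaped, so it cannot open a tag or break out of an attribute.
    return '<span class="title">' + html.escape(title, quote=True) + "</span>"

def demo() -> dict:
    conn = make_db()
    normal = "SOC Analyst"
    # Constructed test input that makes the string-built WHERE clause always true.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_normal": search_vulnerable(conn, normal),
        "vulnerable_injected": search_vulnerable(conn, tautology),   # every row leaks
        "param_normal": search_parameterised(conn, normal),
        "param_injected": search_parameterised(conn, tautology),    # no match
        "rendered": render_title("<script>alert(1)</script>"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same tautology input returns the whole table from the concatenated query and nothing from the parameterised one, which is exactly the gap a web application firewall can only partially cover.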