March was a busy month for cyber activity: a new Denial of Service vulnerability was found in the HTTP/2 protocol, Google introduced a new security feature for Chrome to combat account hijacking, and a novel phishing technique was detected in the wild.
Over 400,000 people have had their personal information stolen in a breach at MediaWorks, while Fujitsu discovered a malware outbreak on some of its systems. German authorities successfully shut down two major cybercrime marketplace platforms, Crimemarket and Nemesis.
New/Improved Techniques
Google to Introduce Device Bound Session Credentials for Chrome
Google have announced a new security feature in the Chrome browser, named ‘Device Bound Session Credentials’ (DBSC), which limits a session cookie to the single device it was issued on, stopping attackers from using stolen cookies to hijack accounts.
Once enabled, the feature ties the authenticated session to a public/private key pair generated by the device’s Trusted Platform Module (TPM) chip, binding the session to that device. TPM is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys and to resist firmware-based attacks. This step comes in response to the discovery that multiple threat actors have been abusing an undocumented Google OAuth endpoint named ‘Multilogin’ to restore expired authentication cookies they had stolen, allowing access beyond the cookie’s expiry; the endpoint was even capable of restoring cookies after the password for the associated account had been changed.
Google have announced plans to integrate DBSC into the Google Workspace and Google Cloud portals, and the feature is expected to go live around the time Google phases out third-party cookies in Chrome. We hope other browsers will follow suit, as session hijacking via cookie theft is currently widely used in Business Email Compromise (BEC) attacks.
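To make the binding concrete, here is an added Go sketch (not Google's code, and a simplified model of DBSC rather than its actual protocol) in which the server stores the public half of a per-device key pair beside the session cookie and only honours the cookie when the presenter signs a fresh challenge with the matching private key; the type and function names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Session is what the server stores beside the cookie: the public half of the key
// pair the browser generated at login (in DBSC the private half stays in the TPM).
type Session struct {
	Cookie string
	PubKey *ecdsa.PublicKey
}
// Device is a hypothetical stand-in for the browser plus TPM; the private key never leaves it.
type Device struct{ priv *ecdsa.PrivateKey }
func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }
// Sign answers a server challenge; with DBSC this signature would be produced by the TPM.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}
// NewChallenge returns a fresh nonce so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}
// VerifySession accepts the cookie only with proof of possession of the bound key:
// a cookie copied off the device has no private key to sign the challenge with.
func VerifySession(s *Session, cookie string, challenge, sig []byte) error {
	if cookie != s.Cookie {
		return errors.New("unknown session cookie")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(s.PubKey, h[:], sig) {
		return errors.New("proof of possession failed: cookie not bound to this device")
	}
	return nil
}
```

The stolen-cookie case is the one that matters: a second device presenting the same cookie cannot produce a valid signature, so the cookie alone is worthless to the thief.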
HTTP/2 CONTINUATION Flood DoS
Late in 2023 an exploit named Rapid Reset was discovered in the HTTP/2 protocol, allowing large-scale targeted Denial of Service (DoS) attacks, and more recently another DoS vulnerability has been found in the same protocol. It differs from Rapid Reset: instead of using the HTTP/2 protocol to launch a massive DoS attack against other targets, the new vulnerability abuses the header continuation mechanism to overwhelm the server running the protocol until it eventually crashes.
HTTP/2 allows a header block that does not fit in a single frame to be split across a HEADERS frame and one or more CONTINUATION frames. If the HEADERS frame does not carry the END_HEADERS flag, the server expects, and will keep accepting and processing, CONTINUATION frames until it encounters one carrying END_HEADERS. The vulnerability lets an attacker keep sending these frames until the CPU available to the server is entirely consumed, leading to slow response times. In some HTTP/2 implementations the frames are also read into memory with no timeout applied, so memory grows until the Operating System (OS) kills the process.
Although multiple CVEs have been raised for the various HTTP/2 implementations, analysis and remediation steps are yet to be identified and published.
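As an added illustration (not code from the article or from any particular HTTP/2 implementation), a small Go frame reassembler that enforces a cap on the accumulated header block and on the number of CONTINUATION frames, which is the kind of limit a hardened server applies; the frame layout follows the HTTP/2 specification, and the example assumes the HEADERS frame carries no padding or priority fields.

```go
package main

import (
	"encoding/binary"
	"errors"
)
const frameHeaders, frameContinuation, flagEndHeaders byte = 0x1, 0x9, 0x4
// EncodeFrame builds a raw HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id.
func EncodeFrame(ftype, flags byte, streamID uint32, payload []byte) []byte {
	hdr := make([]byte, 9)
	binary.BigEndian.PutUint32(hdr[0:4], uint32(len(payload))<<8)
	hdr[3], hdr[4] = ftype, flags
	binary.BigEndian.PutUint32(hdr[5:9], streamID&0x7FFFFFFF)
	return append(hdr, payload...)
}
// decodeFrame parses one frame: type, flags, stream id, payload and bytes consumed.
func decodeFrame(b []byte) (byte, byte, uint32, []byte, int, error) {
	if len(b) >= 9 {
		if n := int(binary.BigEndian.Uint32(b[0:4]) >> 8); len(b) >= 9+n {
			return b[3], b[4], binary.BigEndian.Uint32(b[5:9]) & 0x7FFFFFFF, b[9 : 9+n], 9 + n, nil
		}
	}
	return 0, 0, 0, nil, 0, errors.New("short or truncated frame")
}
// CollectHeaderBlock reassembles a HEADERS frame and its CONTINUATION frames, aborting as
// soon as the accumulated size or frame count passes a limit instead of buffering forever.
func CollectHeaderBlock(data []byte, maxBytes, maxFrames int) ([]byte, error) {
	block, stream := []byte{}, uint32(0)
	for frames := 1; len(data) > 0; frames++ {
		ftype, flags, id, payload, n, err := decodeFrame(data)
		if err != nil {
			return nil, err
		}
		data = data[n:]
		if frames == 1 && ftype == frameHeaders {
			stream = id // the HEADERS frame opens the block on this stream
		} else if frames == 1 || ftype != frameContinuation || id != stream {
			return nil, errors.New("PROTOCOL_ERROR: unexpected frame inside header block")
		}
		block = append(block, payload...)
		if len(block) > maxBytes || frames > maxFrames {
			return nil, errors.New("header block limit exceeded: close the connection")
		}
		if flags&flagEndHeaders != 0 {
			return block, nil
		}
	}
	return nil, errors.New("header block never terminated")
}
```

The limits are the defence: a server that stops reading at a bounded byte count or frame count, and drops the connection, never reaches the unbounded CPU or memory growth described above.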
Thread Hijacking – Curiosity Killed the Cat
Thread hijacking is a phishing technique where adversaries use a breached business email account to insert themselves into existing conversations, exploiting the established trust to deliver malicious links into the conversation in the hope of compromising new individuals.
A new spin on the technique has been discovered that preys on people’s natural curiosity: a breached account appears to accidentally begin CC’ing an additional person into a series of sensitive email communications between the known (but breached) address and another account. The attackers do this while sharing sensitive-looking links or documents, hoping the third party will follow the link or open the document to satisfy their curiosity, leading to further breached accounts.
An instance of this technique was identified and reported by a reporter at the Pennsylvania news outlet LancasterOnline.com, after they began to receive bizarre emails from Adam Kidan, a wealthy (somewhat ex) con. The emails appeared to contain sensitive documents and links in a thread between Kidan and another party, but were found to link to credential phishing pages. The FBI investigated the incident and found that Kidan’s email account had been breached, and that the actors used it, together with the known bad blood between Kidan and the news outlet, in an attempt to phish the organisation.
Attacks / Threats
[NZ] MediaWorks Breach
Over 400,000 people have had their information stolen in an attack on MediaWorks, taken from a database of online competition entries dating back as far as 2016. The stolen information includes names, dates of birth, addresses, email addresses, phone numbers, and in some instances images or videos that were included in competition entries.
Although the attackers initially claimed that the breach included 2.5 million records, an investigation by MediaWorks located the database and found the number of affected records to be substantially less. MediaWorks have released an apology, along with the findings of their investigation, which point to a previously unidentified system vulnerability as the ingress point. Some individuals affected by the breach have received emails purportedly from the attackers offering the opportunity to pay a $500 USD fee to have their information deleted, although the legitimacy of these emails is uncorroborated.
[Global] Over 90,000 D-Link NAS Devices Exposed
A researcher going by the pseudonym ‘Netsecfish’ has disclosed a hardcoded backdoor and an arbitrary command injection flaw in four end-of-life (EOL) D-Link Network Attached Storage (NAS) models, affecting over 92,000 devices currently connected to the internet.
Exploited together, the issues allow full remote command execution on the device, and successful exploitation provides full access to the data stored on it. When asked whether patches would be made available, D-Link indicated that as these devices are end of life no fix would be provided, and that anyone still using them should retire them immediately. Although D-Link released a security bulletin, the impacted devices have no automatic online update capability and no customer notification feature, and the company does not maintain a record of who owns these devices, so it has no way to contact affected individuals. A list of the affected devices has been provided on the D-Link website.
[Japan] Fujitsu Confirm Malware Found on Systems
In a statement on its website, Fujitsu’s IT Division disclosed that a major cybersecurity incident had taken place that compromised systems and data, including sensitive customer information. The announcement confirmed the presence of malware on multiple devices at the company, and the investigation found that files containing personal and customer information may have been exfiltrated.
Fujitsu disconnected the impacted systems from its network and believes the breach has been contained, but has yet to specify the number of affected individuals, the malware found, or the nature of the cyber attack. Although the tech giant has reported the breach to Japan’s Personal Information Protection Commission, it remains tight-lipped about the specific details of the incident.
Fujitsu came under renewed fire earlier in the year for its part in the wrongful convictions of hundreds of British Post Office workers between 1999 and 2015, who were accused of theft and false accounting. The cause was found to be a bug in the Fujitsu-created Horizon software used by the Post Office since 1998, with the Post Office expected to pay out nearly 1 billion pounds in compensation.
Microsoft Don’t Know How the Exchange MSA Key was Stolen
In May 2023, email accounts belonging to more than 500 individuals at 22 organisations were compromised by the Chinese state-affiliated hacking group Storm-0558. The accounts were accessed using forged authentication tokens signed with the compromised MSA key, which was created in 2016 and was due to be revoked in 2021.
After almost 10 months of investigation, Microsoft still has no definitive evidence of how the threat actor obtained the signing key. MSA keys power authentication for consumer platforms and are the token-signing keys used to validate authentication tokens. As part of its mandate, the Cyber Safety Review Board (CSRB) conducted deep fact-finding into the incident and compiled a scathing report, putting the world’s largest company on notice.
As a result of the breach and the CSRB report, Microsoft decided to double its default log retention period and to make other premium logging features available in lower licensing tiers, since the incident was only discovered after notification from the U.S. State Department. The State Department itself was only able to identify the breach thanks to a custom rule not available to customers on lower licensing tiers.
Germany Takes Down Cybercrime Markets
It has been a busy month for German authorities, who have taken down two cybercrime marketplace platforms, Crimemarket and Nemesis, two of the largest in the country. The sites were known for selling a range of cyber services, including DoS-for-hire and breached accounts, as well as illicit substances, but stopped short of violence for hire and child pornography, to avoid the true ire of the authorities.
Across the two operations, German authorities seized nearly 700,000 euros in cash and assets, as well as various narcotics, ecstasy tablets and marijuana. Six people have been arrested so far, and the authorities are confident that the seized sites will provide enough information to indict further criminals and co-conspirators. In both cases the platforms were left live for some time after the initial seizure to collect further information about the criminals using them.
The German authorities have yet to release information on individual indictments, but indicate that these takedowns were the result of years of investigation. The German authorities were also responsible for the takedown of the Kingdom Market cybercrime marketplace in December 2023, and of the world’s largest darknet market, Hydra, in 2022.