In our first roundup for 2024 we note a new technique for delivering cryptocurrency-stealing scripts, and a breach designed to manipulate the price of Bitcoin. The fallout from the 2023 Okta breach continues, with Cloudflare delivering a masterclass in incident management and response, while the US took historic legal steps towards blocking data brokers’ access to sensitive data.
New/Improved Techniques
macOS Applications Steal Crypto using DNS
Researchers at Kaspersky discovered a campaign that uses software ‘cracks’ (tools that unlock software without paying for a licence) to steal cryptocurrency from the people running them. The cracked applications reach out to an attacker-controlled domain and retrieve a cryptocurrency-stealing script that is stored, base64-encoded, in that domain’s DNS TXT records. Staging the payload in DNS means the initial fetch looks like ordinary name resolution rather than an HTTP download. Once run, the script acts as a downloader for a further Python script that provides backdoor access and gathers system information from the victim’s device.
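The staging step above is worth seeing in code. The following is an added example (not code from the Kaspersky report or from the campaign itself) that reassembles split TXT strings, checks whether the result is well-formed base64, and flags records that decode to script text. The log format is constructed for the demo (tab-separated: timestamp, client, query name, query type, pipe-separated TXT answers), as is the harmless stand-in payload; real resolver or Zeek logs would need their own parser, but the detection logic is the same.

```python
"""Detect script payloads staged in DNS TXT records.

Added example, not code from the Kaspersky report or the campaign. The log
format is constructed for the demo; the stand-in payload is harmless text.
"""
import base64
import binascii
import re
import string

# Constructed stand-in for a staged loader so the example runs offline.
_STAGED_SCRIPT = (
    "#!/usr/bin/env python3\n"
    "import urllib.request\n"
    "# stage-two fetch would go here\n"
)
_STAGED_B64 = base64.b64encode(_STAGED_SCRIPT.encode()).decode()

# A TXT string is at most 255 bytes, so long payloads are split across several
# strings or records and reassembled by the client. Split at 40 here to show it.
_CHUNKS = [_STAGED_B64[i:i + 40] for i in range(0, len(_STAGED_B64), 40)]

# Constructed log: two legitimate TXT lookups and one staging domain (.example TLD is reserved).
SAMPLE_LOG = [
    "1706700000.1\t10.0.0.7\texample.com\tTXT\tv=spf1 include:_spf.example.net -all",
    "1706700001.3\t10.0.0.7\tselector._domainkey.example.com\tTXT\tv=DKIM1; k=rsa; p=MIIBIjANBg",
    "1706700002.5\t10.0.0.9\tupdate.cracked-app.example\tTXT\t" + "|".join(_CHUNKS),
]

_SCRIPT_MARKERS = re.compile(
    rb"^#!|\bimport\b|\bcurl\b|\bwget\b|\bbash\b|\bpython|\bosascript\b|\bbase64 -d\b",
    re.MULTILINE,
)


def reassemble_txt(answers):
    """Join split TXT strings into one candidate payload.

    Strips the quotes some log formats keep and concatenates in resolver order
    (assumed here to match the order the malware uses; real loaders may carry
    an explicit chunk index instead).
    """
    return "".join(a.strip().strip('"') for a in answers)


def decode_base64_payload(text):
    """Return decoded bytes if *text* is entirely well-formed base64, else None.

    SPF and DKIM records fail the alphabet check ('=', ';', ':' and spaces),
    so only records that are nothing but base64 reach the decoder.
    """
    if len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_script(data, min_printable=0.95):
    """Heuristic: mostly printable text that carries interpreter or downloader markers."""
    if not data:
        return False
    printable = set(string.printable.encode())
    ratio = sum(b in printable for b in data) / len(data)
    return ratio >= min_printable and bool(_SCRIPT_MARKERS.search(data))


def scan_dns_log(lines):
    """Return [(query_name, decoded_text)] for TXT answers that decode to script text."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 5 or fields[3] != "TXT":
            continue
        qname, answers = fields[2], fields[4].split("|")
        payload = decode_base64_payload(reassemble_txt(answers))
        if payload is not None and looks_like_script(payload):
            hits.append((qname, payload.decode("utf-8", "replace")))
    return hits


if __name__ == "__main__":
    for qname, payload in scan_dns_log(SAMPLE_LOG):
        print(f"[!] {qname}: TXT records decode to a script ({len(payload)} bytes)")
        print(payload)
```

The alphabet check before decoding is what keeps legitimate base64-bearing records such as DKIM keys out of the results: they are never pure base64 end to end. A production version would also alert on TXT responses that are unusually large or fetched by processes that have no business resolving TXT records.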
The script then looks for cryptocurrency wallets and replaces them with altered versions, which allow the attackers to obtain the seed phrase, name, password and balance of the wallet. Kaspersky’s researchers said that in the time they have been monitoring this campaign they have seen multiple iterations of the script, indicating continuous development, but have yet to see malicious command execution included in the software. Campaigns of this type are generally untargeted, taking a spray-and-pray approach, and show the high cost that can be incurred by using unofficial or cracked versions of applications, something we strongly recommend all users avoid for these very reasons.
China Develops AirDrop Cracking Technique
The Beijing Wangshendongjian Judicial Appraisal Institute has developed a method to extract the phone numbers, email addresses and device names of those who have sent or received AirDropped images, using the logs stored on an iPhone. The institute says this information is held as hashes on both the sending and receiving devices, and that it recovered the original values using a rainbow table (a pre-computed table of hash values). The weakness is not the hash function but the input: phone numbers and common email formats are low-entropy, so an unsalted hash of them can be reversed by pre-computing the whole keyspace.
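To make that concrete, here is an added example (not the institute’s tooling) that reverses unsalted hashes of phone numbers with a pre-computed table. The page does not name AirDrop’s hash function, so SHA-256 is assumed for illustration; the number range is constructed and kept small so the demo runs in about a second. It is a plain lookup table rather than a true rainbow table: rainbow tables trade memory for recomputation along hash chains, but for a keyspace this small the exhaustive table is simpler and equally effective.

```python
"""Reverse unsalted hashes of phone numbers with a pre-computed table.

Added example, not the institute's tooling. SHA-256 is assumed (the page does
not name the hash); the number range is constructed.
"""
import hashlib


def normalise_phone(number):
    """Canonical E.164-style form: digits only with a leading '+'.

    Attackers and victims must agree on one canonical form, or the table
    misses; normalisation is part of the attack, not an afterthought.
    """
    digits = "".join(ch for ch in number if ch.isdigit())
    return "+" + digits


def hash_identifier(identifier, truncate_to=None):
    """Unsalted SHA-256 of an identifier (assumed scheme, see module docstring).

    *truncate_to* keeps only the first N bytes, since logs and radio
    advertisements often carry a shortened hash. Truncation makes the table
    smaller and lookups ambiguous; it does not add protection.
    """
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return digest if truncate_to is None else digest[:truncate_to]


def build_table(prefix, suffix_digits, truncate_to=None):
    """Map hash -> [numbers] for every number sharing *prefix*.

    Lists rather than single values so that truncated-hash collisions are
    visible to the caller instead of silently overwritten.
    """
    table = {}
    for suffix in range(10 ** suffix_digits):
        number = f"{prefix}{suffix:0{suffix_digits}d}"
        h = hash_identifier(normalise_phone(number), truncate_to)
        table.setdefault(h, []).append(number)
    return table


def reverse_hash(table, digest):
    """Return candidate numbers for *digest*, or [] if the hash is not in the table."""
    return table.get(digest, [])


if __name__ == "__main__":
    # Constructed range: a fictional +1-555-01xx-xxx block (10**5 numbers).
    table = build_table("+155501", 5)
    victim = "+1 (555) 014-2789"          # constructed victim number
    target = hash_identifier(normalise_phone(victim))
    print("recovered from full hash:", reverse_hash(table, target))
    # With only 2 bytes of hash available, each lookup returns a short list of
    # candidates rather than one number; still far from anonymous.
    short_table = build_table("+155501", 5, truncate_to=2)
    print("candidates for 2-byte hash:", len(reverse_hash(short_table, target[:2])))
```

A full national numbering plan is only around 10^10 values, which is hours of work for one machine and a few gigabytes of storage, so the same approach scales to the real case. What would defeat it is a keyed or salted hash whose key the examiner does not hold, because the table would have to be rebuilt per key.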
AirDrop was widely used by pro-democracy protestors during the 2019 Hong Kong protests to share slogans and information while remaining anonymous. In 2022, anti-Xi Jinping protestors again used AirDrop to share photos of anti-government graffiti, slogans and pictures of other protesters. These photos were disseminated widely among university students and on public transport, prompting a Chinese government operation to scrub all traces of the dissent from the internet, including closing many social media accounts and prohibiting all discussion of the events online. The new technique means the device of an arrested dissident can now be searched and used to identify further protestors.
Apple released a China-only update shortly after the 2022 protests that limits receiving AirDrops from ‘Everyone’ to a 10-minute window, although it is not clear whether this was undertaken voluntarily or as a result of Chinese regulation.
Attacks / Threats
[Russia] Russian Centre for Space and Hydrometeorology Hack
Ukraine’s Ministry of Defence claims that state-affiliated volunteers known as the BO Team breached a branch of the Russian Centre for Space and Hydrometeorology (known as Planeta) and destroyed 280 servers holding over 2,000 TB of data. Backing up data of that size is believed to have been prohibitively costly and difficult, and Ukrainian intelligence services consider it very unlikely that the data is recoverable, putting its value at USD 10,000,000. The data is believed to have included meteorological and satellite data in active use; the supercomputer cluster is said to be paralysed and may never be restored. Ukrainian intelligence also alleges that the attack damaged the HVAC cooling and power supply to the buildings and cut them off from the main network.
This attack follows another earlier in the month by a different pro-Ukraine hacking group, which claimed to have breached the Russian internet service provider (ISP) M9com. The attackers claimed to have disrupted M9com’s services and stolen data from the company, including full names, email addresses, usernames and plaintext passwords, as well as defacing the main website. The group, known as ‘Blackjack’, said the attack was retaliation for the Kyivstar cyber-attack carried out by Russian state-sponsored actors late last year.
(Kyivstar is Ukraine’s largest telecommunications provider and was reduced to around 12% of normal throughput by an attack in December 2023.)
[Global] Cloudflare hacked using stolen Okta Auth Tokens
Cloudflare disclosed that its internal, self-hosted Atlassian server was breached in November 2023 by a suspected nation-state actor, who accessed its Jira bug database, Confluence wiki and Bitbucket source code management system. The actor authenticated with an access token and service account credentials stolen during the October 2023 Okta compromise that Cloudflare had not rotated, first gaining access on 14 November 2023 for reconnaissance and returning on the 22nd to establish persistence.
Cloudflare detected the breach on 23 November and had removed the actor’s persistence by the morning of the 24th. Remediation was completed by 5 January 2024, by which point Cloudflare had rotated every production credential, triaged nearly 5,000 systems, and reimaged and rebooted every machine on its global network. The company then spent three further weeks on proactive hardening, credential management and vulnerability management. Cloudflare stated that no customer data or systems were affected and that there was no impact to its services or configurations. The lesson for everyone downstream of a third-party breach is the unglamorous one: rotate every credential the third party could have seen, and treat the ones you cannot account for as compromised.
[US/Global] Ivanti VPN Appliances – 3 Zero-Day Vulnerabilities – CISA directs federal agencies to disconnect
The Cybersecurity & Infrastructure Security Agency (CISA) used an emergency directive to order all federal agencies to disconnect Ivanti VPN appliances by the end of January. Two zero-day vulnerabilities, exploited in the wild in targeted attacks since December 2023, are chained to give malicious actors an authentication bypass followed by command injection. Ivanti has since revealed a third actively exploited zero-day that also allows actors to bypass authentication on vulnerable Ivanti Connect Secure (ICS), Policy Secure (IPS) and ZTA gateways.
Although patches have been released, Ivanti has urged customers to factory reset vulnerable appliances before patching to clear any persistence, which gives customers little confidence that the issues will not be ongoing. The CISA directive requires agencies to carry out forensic investigations on every network the insecure devices were connected to, and to assume that all linked domain accounts have been compromised. Disconnected devices must be fully reset and updated while isolated, with progress reports provided to CISA as each stage is completed.
Shodan and Shadowserver are monitoring for affected devices: as of 31 January, over 22,000 appliances were exposed online and nearly 400 of them showed signs of compromise.
[US] Securities and Exchange Commission X Account Hacked – Fake Bitcoin Approval
The U.S. Securities and Exchange Commission (SEC) had its X (formerly Twitter) account taken over in a SIM-swap attack in early January 2024. The attackers used the account to post a false announcement approving the listing of Bitcoin exchange-traded funds (ETFs) on registered national securities exchanges, creating a brief spike in the price of the cryptocurrency. The post was quickly taken down, but, curiously, the hack came one day before the SEC made a real announcement approving 11 Bitcoin ETFs for listing.
The attackers are believed to have tricked the mobile carrier into porting the number, since there is no indication of any malicious access to the agency’s internal systems or other social media accounts. With control of the number they reset the password on the X account. Unfortunately, the SEC’s X account did not have MFA enabled: staff had asked X support to disable it while they were having trouble logging in and had never re-enabled this critical control. Even with MFA on, an account whose recovery path runs through SMS is only as strong as the carrier’s port-out checks, so phone-based recovery should be removed from high-profile accounts, not just supplemented.
[US] FTC Data Broker Crackdown
The U.S. Federal Trade Commission (FTC) has put data brokers on notice with two ground-breaking settlements banning companies from selling sensitive geolocation data, after years of warnings over the industry’s failure to adequately protect consumer information.
The two companies, X-Mode Social and InMarket Media, were barred from selling sensitive location data and were accused of failing to obtain informed consent from users as to how their data would be used. The FTC alleges that data such as visits to reproductive health clinics and religious institutions could be used to cause harm to consumers.
Unfortunately for the US (alongside many other countries), there is no clear definition of what ‘sensitive’ means in this context, leaving wiggle-room that these seemingly amoral companies will no doubt use to effect, but it’s a start.
FBI vs BlackCat/ALPHV
BlackCat/ALPHV, a notorious ransomware operation believed to have received over USD 300 million in ransom payments since its emergence in 2021, had its operations disrupted by law enforcement in December 2023. The FBI seized a number of servers and captured upwards of 400 decryption keys, which has led the primary operator of BlackCat to openly discuss (predominantly with the operator of the LockBit gang) creating a cyber cartel to combat law-enforcement efforts more effectively.
As part of the seizure, the FBI obtained the Tor private keys for the BlackCat data-leak and negotiation sites and replaced them with an FBI ‘Seized URL’ notice. Unfortunately for the FBI, the BlackCat gang retained a copy of the private keys, leading to a multi-day tug of war over the onion addresses, with each side re-seizing and re-hosting its own content several times. An onion address is derived from the service’s public key, and whoever holds the matching private key can publish a descriptor for it, so a ‘seizure’ that leaves the operator with a copy of the key is never exclusive. Some see this as a failure on the part of law enforcement; the sites were eventually taken offline, only to reappear under a new address.
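The following added example (not FBI or BlackCat tooling) shows why holding the private key is the whole game. It derives a v3 onion address from a public key using the format in Tor’s rend-spec-v3 (base32 of PUBKEY || CHECKSUM || VERSION, with a two-byte SHA3-256 checksum and version byte 0x03), recovers and validates the key from an address, and models the HSDir replacement rule that produced the tug of war: a descriptor for the same address replaces the stored one only when its revision counter is higher. The 32-byte public key is constructed, not a real site’s, and the HSDir model is a deliberate simplification that assumes signature checks have already passed.

```python
"""Derive and verify Tor v3 onion addresses; model the HSDir tug of war.

Added example following rend-spec-v3's address format. Keys are constructed;
the HSDir logic is a simplified model, not Tor's implementation.
"""
import base64
import hashlib

_VERSION = b"\x03"
_CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey):
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(_CHECKSUM_PREFIX + pubkey + _VERSION).digest()[:2]


def onion_address(pubkey):
    """The .onion name is a deterministic function of the 32-byte ed25519 public key.

    Nobody can 'move' an address to a different key; control of the address is
    control of the private key that signs descriptors for it.
    """
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + _VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion(address):
    """Recover the public key from an address, raising ValueError if it is malformed.

    Anyone can do this from the address alone; what they cannot do without the
    private key is produce a descriptor that HSDirs will accept for it.
    """
    name = address[:-6] if address.endswith(".onion") else address
    if len(name) != 56:
        raise ValueError("v3 onion names are 56 base32 characters")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != _VERSION:
        raise ValueError(f"unsupported version byte {version!r}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or tampered")
    return pubkey


def is_valid_onion(address):
    """True if the address parses and its checksum and version byte are correct."""
    try:
        pubkey_from_onion(address)
        return True
    except ValueError:
        return False


def hsdir_store(current, incoming):
    """Simplified model of an HSDir accepting a descriptor for one address.

    Descriptors are (revision_counter, publisher) tuples whose signatures are
    assumed valid. The newer revision wins, so two parties holding the same
    private key can keep overwriting each other, which is the tug of war
    described above.
    """
    if current is None or incoming[0] > current[0]:
        return incoming
    return current


if __name__ == "__main__":
    constructed_pubkey = bytes(range(32))          # constructed, not a real key
    addr = onion_address(constructed_pubkey)
    print("address:", addr)
    print("round-trip ok:", pubkey_from_onion(addr) == constructed_pubkey)
    state = None
    for descriptor in [(1, "gang"), (2, "law enforcement"), (2, "gang"), (3, "gang")]:
        state = hsdir_store(state, descriptor)
        print(f"after {descriptor}: address serves {state[1]}")
```

Because the address is just an encoding of the key, the only way to end a contest like this is to deny the other party the key (or take the address out of use entirely), which is why the sites ultimately moved to a fresh address rather than the old one being ‘won’.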