Updated: Mar 31
Take a look at this week's Cyber Weekly Digest for a rundown of the biggest cyber security news from across the globe. In this week's Digest, we dive into the Ferrari data breach as well as the shutdown of one of the most popular hacking forums. Keep reading to stay up to date on the latest cyber security stories.
Microsoft has released a script that has made it easier to patch a BitLocker bypass security vulnerability in the Windows Recovery Environment (WinRE). The script is in PowerShell and simplifies the process of securing WinRE images against attempts to exploit, enabling attackers to bypass the BitLocker Device Encryption feature system storage devices. Successful exploitation enables threat actors with physical access to encrypted data in low-complexity attacks. Microsoft says the vulnerability cannot be exploited if the user has enabled BitLocker TPM+PIN protection. The CVE-2022-41099 patch scripts can be run from a Windows PowerShell and allow admins to specify the path and name of the Safe OS Dynamic update package that should be used to update the WinRE image. The PowerShell script can be downloaded from the Microsoft Update Catalogue. After running the script, you must reboot the system to complete the WinRE image patching process.
After hackers gained access to some IT systems, Ferrari was hit with a ransom demand following a data breach. Ferrari released a statement notifying the incident, “We regret to inform you of a cyber incident at Ferrari, where a threat actor was able to access a limited number of systems in our IT environment”. The Italian luxury sports car maker says customer information exposed in the incident includes names, addresses, email addresses, and telephone numbers. Ferrari has stated that they have yet to find evidence that payment details, bank account numbers, and other sensitive information have been leaked. Ferrari has taken measures to secure the compromised systems and says the attack has had no impact on the company’s operations. After discovering the breach, Ferrari also reported the attack to relevant authorities and is working with a cybersecurity firm to investigate the scope of the impact.
The notorious Breached hacking forums have been shut down by administrator Baphomet. He discloses that the Breached staff community believes that law enforcement has access to the site’s servers. Breached was a popular hacking and data leak forum notorious for hosting, leaking, and selling data obtained from breached companies, governments, and various organizations. The community attracted people from all realms of cybercrime, including ransomware gangs, data extortionists, security researchers, and those interested in diving into the darker side of cybersecurity. The owner of Breached Forums, Pompompurin, was recently arrested by the FBI. Since the arrest, admin Baphomet has taken the site offline whilst transferring it to new infrastructure secured from potential compromise by law enforcement. However, this plan has been scrapped, Baphomet announced on his personal website that in a “final update… …The glowies likely have access to Poms machine” – “Glowies” meaning Federal agents. Baphomet has continued to maintain his presence on Telegram, an anonymous chat app, which in itself has become a hotbed of cybercrime activity.
A new trojanized version of the legitimate ChatGPT extension for Chrome is gaining popularity on the Chrome web store, accumulating over 9000 downloads while stealing Facebook accounts. The extension pretends to be a copy of the legitimate popular add-on for Chrome named “ChatGPT for Google” which offers ChatGPT integration on search results. However, this malicious version includes additional code that attempts to steal Facebook session cookies, classed as session hijacking. Since March 14th, the malicious extension has had over 9000 downloads, averaging a thousand installations per daySecurity researchers report that the extension is communicating with the same infrastructure used earlier this month by a similar Chrome add-on that managed to gain 4000 installations before Google removed it from the Chrome web store. The stolen Facebook accounts are used to spread malware or promote banned material like ISIS propaganda. As this threat actor, currently not mentioned, likely has got the infrastructure to deploy another malicious chrome extension, taking this extension down will only stop one vector of infection for now. The extension has now been removed from the Chrome Web Store.
The Clop ransomware gang has made another victim of its campaigns, the City of Toronto, in the ongoing GoAnywhere hacking spree. Other victims listed alongside the Toronto city government include UK’s Virgin and the statutory corporation Pension Protection Fund. Clop ransomware gang has exploited a Remote Code Execution flaw in Fortra’s GoAnywhere secure file transfer tool; they have claimed to have breached more than 130 organizations so far. Clop has recently listed www.torono.ca on its data extortion site. The City of Toronto has confirmed that unauthorized access to City data did occur through a third-party vendor. The vulnerability that was exploited is tracked as CVE-2023-0669, enabling attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access. Clop ransomware gang has also hit UK’s Virgin Red. However, a Virgin Red spokesman said that no personal or employee data was leaked in Clop’s attack.