Take a look at February 2023's first Cyber Weekly Digest where we dive into the latest cyber security news, including the JD Sports data breach and how the infamous threat operation LockBit is utilising the Conti ransomware source code in attacks. Keep reading to stay up to date with this week's biggest stories.
Microsoft is urging customers to keep their Exchange servers updated as well as take steps to bolster the environment, such as enabling Windows Extended Protection and configuring certificate-based signing of PowerShell serialisation payloads. Exchange Servers have been a popular attack vector in recent years, with a number of security flaws in the software weaponised as zero-days to compromise systems. In the past two years alone, several sets of vulnerabilities have been discovered in Exchange Server – including ProxyLogon, ProxyOracle, ProxyShell, ProxyToken, ProxyNotShell, and a ProxyNotShell mitigation bypass known as OWASSRF. Microsoft's Exchange team has emphasised that "attackers looking to exploit unpatched Exchange servers are not going to go away" in a post this week.
Ten million customers of UK apparel chain JD Sports have been warned after a data breach in which a server holding customer data was hacked. In the data breach notice shared by affected customers, the company warns that the "attack" exposed customer information for orders placed between November 2018 and October 2020. JD Sports says it detected the unauthorised access immediately and responded quickly to secure the breached server, preventing subsequent access attempts. The leaked information included full names, email addresses, billing and delivery addresses, phone numbers, order details, and the last four digits of the payment card. Security codes/CVVs and customers' passwords were not breached; however, the leaked data can still be used in phishing attacks. The breach also shows that JD Sports retained order data from more than four years ago, which increases the amount of data exposed when a leak occurs. If you have an account with JD Sports, it would be advisable to reset your password out of an abundance of caution.
The development team behind the open-source password management software KeePass is disputing what has been described as a newly found vulnerability that allows attackers to export the entire database in plain text. KeePass is a popular open-source password manager that lets you manage your passwords in a locally stored database, rather than in a cloud-hosted service such as LastPass. Users must protect these databases with master passwords and encryption so that a threat actor cannot exfiltrate the data stored on the instance. The issue, tracked as CVE-2023-24055, relies on an export rule: once the victim opens and decrypts the database, the rule is triggered and the contents of the database are saved to a file the attackers can later exfiltrate to a system under their control. The KeePass developers dispute the vulnerability because exploiting it requires the threat actor to already hold administrator/kernel-level permissions on the system. As they put it, "KeePass cannot magically run securely in an insecure environment." It is highly recommended that you follow best practices for installing software and keep your AV/EDR up to date.
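As an added illustration of the trigger mechanism described above (this is not code from KeePass or from the original digest), the Python check below parses a constructed KeePass.config.xml fragment and flags any trigger whose action parameters look like a plaintext export; the element layout follows KeePass's trigger-system configuration as an assumption, and the GUIDs and output path are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a KeePass.config.xml fragment containing a trigger
# that exports the database as soon as it is opened. GUIDs and the output
# path are placeholders, not real KeePass identifiers.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>placeholder-trigger-guid</Guid>
          <Name>Sync on open</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event><TypeGuid>placeholder-event-opened</TypeGuid></Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>placeholder-action-export</TypeGuid>
              <Parameters>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Strings that indicate an export format or a plaintext output file.
EXPORT_HINTS = ("keepass xml", "keepass csv", "generic csv", ".xml", ".csv", ".html", ".txt")


def find_export_triggers(config_xml: str) -> list[dict]:
    """Return every trigger whose action parameters suggest a database export."""
    root = ET.fromstring(config_xml)
    hits = []
    for trig in root.iter("Trigger"):
        name = trig.findtext("Name", default="")
        enabled = trig.findtext("Enabled", default="true").strip().lower() == "true"
        for action in trig.iter("Action"):
            params = [p.text or "" for p in action.iter("Parameter")]
            if any(hint in p.lower() for p in params for hint in EXPORT_HINTS):
                hits.append({"name": name, "enabled": enabled, "params": params})
    return hits
```

Run it against the real KeePass.config.xml on an endpoint to spot triggers that were never created by the user; any hit with an export format and an output path deserves a look.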
A new exploit called "Sh1mmer" allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps they wish and bypass device restrictions. In educational and professional environments, endpoints are managed using management software with policies that keep the working environment orderly and its users safe. It allows admins to force-install browser extensions and apps, and to restrict how a device can be used. It is also almost impossible to unenroll a device without either exploiting it or having the administrator unenroll it for you. The exploit unenrolls the Chromebook by abusing RMA shims: disk images, stored on USB devices, that contain a combination of the ChromeOS factory bundle components used to reinstall the operating system and the manufacturer tools used for repair and diagnostics. To use the exploit, a user downloads an RMA shim for their Chromebook board, uses an online builder from the researchers and then runs the Chrome Recovery utility. Google is working on a fix but has not provided information on how admins can prevent the exploit or detect exploited devices.
Conti ransomware source code is being utilised by the infamous threat operation LockBit. The Conti source code was leaked publicly on GitHub 10 months ago. LockBit developers have based their encryptors on the leaked Conti source code and named the result "LockBit Green", as reported by VX Underground. The Conti ransomware gang disbanded after an embarrassing data breach in which 170,000 internal messages and the source code for their encryptor were leaked. Soon after this leak, many threat operations added the Conti source code to their arsenal. A malware analyst reverse-engineered a sample of LockBit Green and reported that it was definitely based on the Conti encryptor they had previously analysed. The reason for using Conti code in the LockBit Green operation is that ex-Conti members are more comfortable working with Conti-based encryptors while working for LockBit. Because LockBit runs an affiliate ransomware programme, it is not confirmed whether LockBit Green is an official operation of the original LockBit gang or comes from an affiliate with ex-Conti members.