Links

https://thehackernews.com/2022/08/hackers-breach-lastpass-developer.html

https://www.bleepingcomputer.com/news/security/nelnet-servicing-breach-exposes-data-of-25m-student-loan-accounts/?&web_view=true

https://www.bleepingcomputer.com/news/security/windows-malware-delays-coinminer-install-by-a-month-to-evade-detection/

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/?&web_view=true

LastPass Developer System Breached

• On Thursday (August 25) email was sent out to LastPass Customers
  • Confirmed that a security incident occurred
    • Theft of some source code and technical information
  • No customer data or encrypted passwords were accessed
  • The breach occurred two weeks prior
    • compromised developer account
• Customers are safe according to LastPass blog post about this
  • No action needs to be taken
  • No vault compromised
  • No Master Password compromised
• Security Hygiene might have said this
  • Assume the developer system had either anonymized or fake data
  • Developer account/actual accounts
• Mitigation Techniques not shared
  • Not surprised

Nelnet Servicing breach exposes data of 2.5M student loan accounts

• Oklahoma Student Loan Authority (OSLA) and EdFinancial
  • Data for 2,501,324 million individuals with student loans
  • hackers breached the systems of technology services provider Nelnet Servicing
• Shared Technology
  • Technology services from Nelnet Servicing
    • a web portal
    • give students access to taking out or accessing their loans
  • EdFinancial states that not all its clients are hosted by Nelnet Servicing
    • so not all students that took a loan through them are impacted.
• Attack
  • Sometime in June
    • Stopped on July 22
  • Compromised a network through a vulnerability.
  • August 17^th investigation released
    • Determined certain student loan account registration might have been accessed
  • The exposed information includes the following:
    • Full name
    • Physical address
    • Email address
    • Phone number
    • Social Security Number
  • no financial account numbers or any form of payment information were exposed
• Nelnet Servicing has informed OSLA and EdFinancial
  • who is notifying their customers.
  • EdFinancial and OSLA offer impacted individuals free access to a 24-month identity theft protection

Malware delays coinminer install to evade detection

• malware campaign
  • disguised as Google Translate or MP3 downloader
  • install cryptocurrency mining malware
  • 11 different countries
  • distributed through legitimate free software sites
  • appears clean of malware
    • provides advertised functionality
• CheckPoint
  • Created by developer named Nitrokod
  • purposely delays the installation
    • up to a month to evade detection
  • rank high in Google Search results
    • users trust
  • Google Translate applet was also uploaded on Softpedia
    • 112,000 downloads
• How it works
  • user receives a password-protected RAR
    • evades AV detection
    • contains an executable
  • the software is installed on the user’s system
    • along with two registry keys
  • On the 5^th day
    • ‘Wgets’ a dropper from another encrypted RAR
    • clears all system logs using PowerShell commands
  • On the 20^th day
    • next encrypted RAR from “intelserviceupdate[.]com.
    • checks for the presence of antivirus software
    • processes that might belong to virtual machines
    • adds a firewall rule and an exclusion to Windows Defender
  • Finale Step
    • loads the last dropper
      • another RAR file
        • containing the XMRig mining malware
      • “.sys” file that has its settings.
    • Determines laptop or desktop
    • Connects to C2 server
      • nvidiacenter[.]com
      • sends a full host system report
        • via HTTP POST
      • C2 responds
        • When to activate
        • How much CPU to use
        • C2 check in times
        • Updated commands

LockBit ransomware gang tries triple-extortion tactic

• LockBit ransomware group
  • Attacked Entrust on June 18
  • The company confirmed data had been stolen
  • Entrust didn’t pay pay
    • LockBit said it would publish the data on August
  • Entrust Strikes back
    • August 19^th came and went
    • DDoS
      • Believed to be connected to Entrust
      • Gangs leak site
  • LockBitSupp
    • the public-facing figure of the LockBit ransomware
    • announced that they have a larger infrastructure
    • “I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,” LockBitSupp wrote in a post on a hacker forum.
  • Triple Extortion
    • looking to add DDoS as an extortion tactic
    • on top of encrypting data and leaking it
  • Torrents
    • Share over torrent 300GB of data stolen from Entrust
    • they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent
      • LockBit has kept its promise and released this weekend a torrent called “entrust.com” with 343GB of files.
      • LockBit made sure that the s data is available from multiple sources
        • they also shared the torrent over at least two file storage services,