CyberSecurity News Byte – Weekly

Hosted ByJim Guckin

A new podcast has taken possession of my entire soul, like these sweet mornings of spring which I enjoy with my whole heart with souls like mine.

Episode 26: August 29th, 2022

Links

https://thehackernews.com/2022/08/hackers-breach-lastpass-developer.html

https://www.bleepingcomputer.com/news/security/nelnet-servicing-breach-exposes-data-of-25m-student-loan-accounts/?&web_view=true

https://www.bleepingcomputer.com/news/security/windows-malware-delays-coinminer-install-by-a-month-to-evade-detection/

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/?&web_view=true

LastPass Developer System Breached

  • On Thursday (August 25) email was sent out to LastPass Customers
    • Confirmed that a security incident occurred
      • Theft of some source code and technical information
    • No customer data or encrypted passwords were accessed
    • The breach occurred two weeks prior
      • compromised developer account
  • Customers are safe according to LastPass blog post about this
    • No action needs to be taken
    • No vault compromised
    • No Master Password compromised
  • Security Hygiene might have said this
    • Assume the developer system had either anonymized or fake data
    • Developer account/actual accounts
  • Mitigation Techniques not shared
    • Not surprised

Nelnet Servicing breach exposes data of 2.5M student loan accounts

  • Oklahoma Student Loan Authority (OSLA) and EdFinancial
    • Data for 2,501,324 million individuals with student loans
    • hackers breached the systems of technology services provider Nelnet Servicing
  • Shared Technology
    • Technology services from Nelnet Servicing
      • a web portal
      • give students access to taking out or accessing their loans
    • EdFinancial states that not all its clients are hosted by Nelnet Servicing
      • so not all students that took a loan through them are impacted.
  • Attack
    • Sometime in June
      • Stopped on July 22
    • Compromised a network through a vulnerability.
    • August 17th investigation released
      • Determined certain student loan account registration might have been accessed
    • The exposed information includes the following:
      • Full name
      • Physical address
      • Email address
      • Phone number
      • Social Security Number
    • no financial account numbers or any form of payment information were exposed
  • Nelnet Servicing has informed OSLA and EdFinancial
    • who is notifying their customers.
    • EdFinancial and OSLA offer impacted individuals free access to a 24-month identity theft protection

Malware delays coinminer install to evade detection

  • malware campaign
    • disguised as Google Translate or MP3 downloader
    • install cryptocurrency mining malware
    • 11 different countries
    • distributed through legitimate free software sites
    • appears clean of malware
      • provides advertised functionality
  • CheckPoint
    • Created by developer named Nitrokod
    • purposely delays the installation
      • up to a month to evade detection
    • rank high in Google Search results
      • users trust
    • Google Translate applet was also uploaded on Softpedia
      • 112,000 downloads
  • How it works
    • user receives a password-protected RAR
      • evades AV detection
      • contains an executable
    • the software is installed on the user’s system
      • along with two registry keys
    • On the 5th day
      • ‘Wgets’ a dropper from another encrypted RAR
      • clears all system logs using PowerShell commands
    • On the 20th day
      • next encrypted RAR from “intelserviceupdate[.]com.
      • checks for the presence of antivirus software
      • processes that might belong to virtual machines
      • adds a firewall rule and an exclusion to Windows Defender
    • Finale Step
      • loads the last dropper
        • another RAR file
          • containing the XMRig mining malware
        • “.sys” file that has its settings.
      • Determines laptop or desktop
      • Connects to C2 server
        • nvidiacenter[.]com
        • sends a full host system report
          • via HTTP POST
        • C2 responds
          • When to activate
          • How much CPU to use
          • C2 check in times
          • Updated commands

LockBit ransomware gang tries triple-extortion tactic

  • LockBit ransomware group
    • Attacked Entrust on June 18
    • The company confirmed data had been stolen
    • Entrust didn’t pay pay
      • LockBit said it would publish the data on August
    • Entrust Strikes back
      • August 19th came and went
      • DDoS
        • Believed to be connected to Entrust
        • Gangs leak site
    • LockBitSupp
      • the public-facing figure of the LockBit ransomware
      • announced that they have a larger infrastructure
      • “I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,” LockBitSupp wrote in a post on a hacker forum.
    • Triple Extortion
      • looking to add DDoS as an extortion tactic
      • on top of encrypting data and leaking it
    • Torrents
      • Share over torrent 300GB of data stolen from Entrust
      • they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent
        • LockBit has kept its promise and released this weekend a torrent called “entrust.com” with 343GB of files.
        • LockBit made sure that the s data is available from multiple sources
          • they also shared the torrent over at least two file storage services,

Leave a Reply

Your email address will not be published.