IT-ISAC Weekly Roundup
Week of January 1, 2024
We have highlighted some of the more pertinent stories from the week below:


Russian Hackers Penetrated Ukraine Telecoms Giant for Months

Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters. The attack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.

In an interview, Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department, disclosed exclusive details about the hack, which he said caused "disastrous" destruction and aimed to land a psychological blow and gather intelligence. The attack wiped "almost everything", including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyberattack that "completely destroyed the core of a telecoms operator."

The SBU assessed that, with the level of access they gained, the hackers would have been able to steal personal information, determine the locations of phones, intercept SMS messages and perhaps steal Telegram accounts, he said. A Kyivstar spokesperson said the company was working closely with the SBU to investigate the attack and would take all necessary steps to eliminate future risks, adding: "No facts of leakage of personal and subscriber data have been revealed."

A group called Solntsepyok, believed by the SBU to be affiliated with Sandworm, said it was responsible for the attack. Vitiuk said SBU investigators were still working to establish how Kyivstar was penetrated or what type of trojan horse malware could have been used to break in, adding that it could have been phishing, someone helping on the inside or something else.

Kyivstar is the biggest of Ukraine's three main telecoms operators and there are some 1.1 million Ukrainians who live in small towns and villages where there are no other providers, Vitiuk said. People rushed to buy other SIM cards because of the attack, creating large queues. ATMs using Kyivstar SIM cards for the internet ceased to work and the air-raid siren - used during missile and drone attacks - did not function properly in some regions.

Telecoms, along with other critical infrastructure, are prime targets, especially during times of heightened geo-political tension and conflict. The industry must continue to take proactive measures to safeguard against these attacks.

Source:


CISA Warns of Actively Exploited Bugs in Chrome and Excel Parsing Library

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The first is CVE-2023-7101, a remote code execution flaw in the open-source Perl library Spreadsheet::ParseExcel. This vulnerability was exploited by Chinese hackers in late December, targeting Barracuda ESG appliances. Mitigations were applied, and an update was released on December 29, 2023.

The second is CVE-2023-7024, a heap buffer overflow in WebRTC in Google Chrome. CISA has given federal agencies until January 23 to mitigate both vulnerabilities according to vendor instructions or to cease using the affected products.

The flaw was discovered by Google’s Threat Analysis Group (TAG) and received a fix via an emergency update on December 20, in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux. This was the eighth zero-day vulnerability Google fixed in Chrome for 2023, underscoring the persistent effort and time hackers devote to finding and exploiting flaws in the widely used web browser.

CISA's KEV catalog is a valuable resource for organizations across the globe that aim at better vulnerability management and prioritization.
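The following is an added example (not code from the roundup, CISA or any vendor) of how the KEV catalog is typically put to use: a vulnerability scanner's findings are cross-referenced against the KEV feed and ordered by CISA's due date, so anything actively exploited goes to the front of the remediation queue. The `KEV_SAMPLE` below is a constructed excerpt that mirrors the field layout of the real feed (published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the `dateAdded` values, the third catalog entry and the `SAMPLE_FINDINGS` inventory are constructed for illustration.

```python
"""Cross-reference scanner findings against a CISA KEV feed and rank them by due date."""
import json
from datetime import date, datetime

# Constructed excerpt in the shape of the real KEV JSON feed. The two CVE IDs and
# the January 23 due date come from the roundup; other values are illustrative.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-7101",
            "vendorProject": "Spreadsheet::ParseExcel",
            "product": "Spreadsheet::ParseExcel",
            "vulnerabilityName": "Spreadsheet::ParseExcel Remote Code Execution Vulnerability",
            "dateAdded": "2024-01-02",  # constructed
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-01-23",
        },
        {
            "cveID": "CVE-2023-7024",
            "vendorProject": "Google",
            "product": "Chromium WebRTC",
            "vulnerabilityName": "Google Chromium WebRTC Heap Buffer Overflow Vulnerability",
            "dateAdded": "2024-01-02",  # constructed
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-01-23",
        },
        {
            "cveID": "CVE-2023-0000",  # constructed placeholder for an unrelated KEV entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Example placeholder entry",
            "dateAdded": "2023-12-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-12-22",
        },
    ],
})

# Constructed scanner output: one finding per (host, CVE). Only the CVE ID matters here.
SAMPLE_FINDINGS = [
    {"host": "ws-042", "cve": "CVE-2023-7024"},
    {"host": "mail-gw-01", "cve": "CVE-2023-7101"},
    {"host": "ws-042", "cve": "CVE-2023-9999"},  # constructed: not in KEV
    {"host": "app-07", "cve": "CVE-2023-0000"},
]


def load_kev(kev_json: str) -> dict:
    """Index the KEV feed by CVE ID so each finding is a single dictionary lookup."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(findings: list, kev_json: str, today: date) -> list:
    """Return findings annotated with KEV status, ordered KEV-first by earliest due date.

    Findings absent from KEV are kept (they still need normal patching) but sorted last.
    """
    kev = load_kev(kev_json)
    triaged = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            triaged.append({**finding, "in_kev": False, "due": None,
                            "days_left": None, "overdue": False})
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        days_left = (due - today).days
        triaged.append({**finding, "in_kev": True, "due": due,
                        "days_left": days_left, "overdue": days_left < 0,
                        "required_action": entry["requiredAction"]})
    # KEV entries first; among them the soonest (or most overdue) due date first.
    triaged.sort(key=lambda t: (not t["in_kev"], t["due"] or date.max))
    return triaged


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, KEV_SAMPLE, date(2024, 1, 10)):
        flag = "KEV" if row["in_kev"] else "   "
        print(f"{flag} {row['host']:<12} {row['cve']:<15} due={row['due']} "
              f"days_left={row['days_left']} overdue={row['overdue']}")
```

Run against the live feed by replacing `KEV_SAMPLE` with the downloaded JSON text; the feed is refreshed as CISA adds entries, so the ranking should be recomputed on each scan cycle rather than cached.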

Source:


Malware Abuses Google OAuth Endpoint to ‘revive’ Cookies, Hijack Accounts

Researchers are warning that multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named “MultiLogin” to restore expired authentication cookies and log into users’ accounts. This technique can be used for persistent access even if the account’s password has been reset.

The session cookies abused in this case typically have a limited lifespan and cannot be used indefinitely. Using this technique, however, threat actors have claimed to be able to restore expired Google authentication cookies. Since November of 2023, both the Lumma and Rhadamanthys info stealers have been claiming to restore these session cookies for use in attacks. These cookies would allow the cybercriminals to gain unauthorized access to Google accounts even after the legitimate owners have logged out, reset their passwords, or their session has expired.

Analyst comments: Researchers from CloudSEK outlined how the zero-day exploit works, and shared details about the scale of the flaw’s exploitation. According to the researchers, the exploit was first revealed by a threat actor named PRISMA on October 20, 2023, who posted on Telegram that they discovered a way to restore expired Google authentication cookies.

The flaw is the result of a legitimate function for synchronizing accounts across different Google services. "This request is used to set chrome accounts in browser in the Google authentication cookies for several google websites (e.g. youtube). This request is part of Gaia Auth API, and is triggered whenever accounts in cookies are not consistent with accounts in browser.”

The info stealers are able to abuse this endpoint to extract tokens and account IDs of Chrome profiles logged into a Google account. From there they can obtain two crucial pieces of data: the GAIA ID and encrypted_token. The encrypted tokens are decrypted using an encryption key stored in Chrome's 'Local State' file. This same encryption key is also used to decrypt saved passwords in the browser. Using the stolen token:GAIA pairs with the MultiLogin endpoint, the threat actors can regenerate expired Google Service cookies and maintain persistent access on compromised accounts.

While Lumma and Rhadamanthys were the first to begin using this technique, various other information stealers are now leveraging the zero-day. According to the researchers, at least six info-stealers currently claim the ability to regenerate Google cookies using this API endpoint.

Google has yet to confirm the abuse of the MultiLogin endpoint, but a subsequent release by Lumma updated the exploit to counteract Google's mitigations, which suggests the tech giant knows about the actively exploited zero-day flaw. Specifically, Lumma turned to using SOCKS proxies to evade Google's abuse detection measures and implemented encrypted communication between the malware and the MultiLogin endpoint.
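The host-side footprint of what the article describes is a process other than the browser reading Chrome's profile files: 'Local State' (where the encryption key lives) together with the encrypted stores it protects ('Cookies', 'Login Data'). The following is an added detection example, not code from the roundup or from CloudSEK, that runs that logic over constructed EDR-style file-access events. The JSON field names (`ts`, `host`, `pid`, `image`, `op`, `path`), the process allowlist and every event are assumptions for illustration; real telemetry will need its fields mapped onto these.

```python
"""Flag non-browser processes reading Chrome profile artifacts (key file plus encrypted stores)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Chrome profile files the article names as stealer targets, compared by basename
# (lower-cased). 'Local State' holds the key; the others hold what it encrypts.
SENSITIVE_FILES = {"local state", "cookies", "login data", "web data"}

# Processes expected to touch these files. Constructed allowlist; tune for your estate
# (e.g. other Chromium browsers or an approved backup agent).
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
}

# Constructed file-access telemetry, one JSON object per line (hypothetical field names).
SAMPLE_EVENTS = r"""
{"ts": "2024-01-03T09:12:01", "host": "ws-042", "pid": 4412, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "op": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": "2024-01-03T09:14:10", "host": "ws-042", "pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_helper.exe", "op": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": "2024-01-03T09:14:12", "host": "ws-042", "pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_helper.exe", "op": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2024-01-03T09:14:13", "host": "ws-042", "pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_helper.exe", "op": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2024-01-03T10:30:00", "host": "ws-017", "pid": 2201, "image": "C:\\Program Files\\BackupAgent\\agent.exe", "op": "read", "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2024-01-03T10:31:00", "host": "ws-017", "pid": 2201, "image": "C:\\Program Files\\BackupAgent\\agent.exe", "op": "write", "path": "D:\\backup\\bob.zip"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _profile_file(path: str):
    """Return the lower-cased basename if path is a sensitive Chrome profile file, else None."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    if "\\google\\chrome\\user data\\" in p and name in SENSITIVE_FILES:
        return name
    return None


def detect(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Group sensitive reads per (host, pid, image) and grade them.

    'high' when one process reads the key file and an encrypted store within the window,
    which is the combination the article describes; any other lone read is 'medium'.
    """
    touches = defaultdict(list)  # (host, pid, image) -> [(timestamp, basename)]
    for e in events:
        name = _profile_file(e["path"]) if e["op"] == "read" else None
        if name is None or e["image"].lower() in ALLOWED_IMAGES:
            continue
        touches[(e["host"], e["pid"], e["image"])].append((datetime.fromisoformat(e["ts"]), name))

    alerts = []
    for (host, pid, image), items in touches.items():
        items.sort()
        files = {name for _, name in items}
        span = items[-1][0] - items[0][0]
        key_and_store = "local state" in files and bool(files & {"cookies", "login data"})
        severity = "high" if key_and_store and span <= window else "medium"
        alerts.append({"host": host, "pid": pid, "image": image,
                       "files": sorted(files), "severity": severity})
    # Deterministic order: high first, then by host.
    alerts.sort(key=lambda a: (a["severity"] != "high", a["host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']}] {alert['host']} pid={alert['pid']} "
              f"{alert['image']} read {alert['files']}")
```

Because the article notes the revived cookies survive a password reset, a high-severity hit should drive session revocation for the affected account as well as host remediation, not a password change alone. The medium tier exists so that legitimate tooling (a backup agent copying a profile) surfaces for allowlisting rather than silently training analysts to ignore the rule.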

Source:

Information Technology-Information Sharing and Analysis Center | 703-686-2248