
Researchers Stopped XZ Utils-Type Malicious Actors Targeting Three JavaScript Projects

RansomHub starts leaking Change Healthcare data, Hackers stole some Cisco Duo's customers' VoIP and SMS logs, Cryptojacker busted for stealing cloud services, Chirp Systems silent on smart lock vulnerability, Critics question Microsoft's incentive to improve security, FTC slams Cerebral for sharing customers' health info with advertisers, Ukraine hackers claim Russian drone developer breach, Palo Alto rolls out fixes for zero-day, much more

In a joint statement, the Open Source Security Foundation and the OpenJS Foundation said the attempt to insert a secret backdoor into XZ Utils “may not be an isolated incident,” with unnamed individuals targeting at least three different JavaScript projects demanding suspicious updates or asking to be made maintainers of the targeted software.

Omkhar Arasaratnam, the Open Source Security Foundation's general manager, said that one of the targeted packages alone saw tens of millions of downloads a week. Arasaratnam also noted that while it wasn't clear what the suspected malicious actors hoped to do, "we stopped them before they got that far." He suspected they hoped to build backdoors into those projects as well.

The OpenJS and Open Source Security Foundations said they had warned the US Cybersecurity & Infrastructure Security Agency about the suspected infiltration. (Raphael Satter / Reuters)

The new ransomware and extortion gang RansomHub has published some of what it says are the private and sensitive patient records of millions of Americans stolen during the ransomware attack on Change Healthcare in February.

RansomHub published several files on its dark web leak site containing personal information about patients in various documents, including billing files, insurance records, and medical information.

Some files also contain contracts and agreements between Change Healthcare and its partners. RansomHub threatened to sell the data to the highest bidder unless Change Healthcare pays a ransom.

UnitedHealth Group, the parent company of Change Healthcare, said there was no evidence of a new cyber incident. “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data. Our investigation remains active and ongoing,” said Tyler Mason, a spokesperson for UnitedHealth Group.

What’s more likely is that a dispute between members and affiliates of the ransomware gang left the stolen data in limbo and Change Healthcare exposed to further extortion.

A Russia-based ransomware gang, ALPHV, took credit for the Change Healthcare data theft. Then, in early March, ALPHV suddenly disappeared along with a $22 million ransom payment that Change Healthcare allegedly paid to prevent the public release of patient data.

An ALPHV affiliate went public claiming to have carried out the data theft at Change Healthcare but that the main ALPHV/BlackCat crew stiffed them out of their portion of the ransom payment and vanished with the lot. The contractor said the millions of patients’ data was “still with us.” (Zack Whittaker / TechCrunch)

Nebraska man Charles O. Parks III is expected in federal court in Omaha today for allegedly running a “cryptojacking” operation that defrauded cloud computing service providers out of millions in services.

Prosecutors said Parks was arrested on April 13 and charged with wire fraud, money laundering, and engaging in unlawful monetary transactions.

According to an indictment unsealed on Monday, from January 2021 through August 2021, Parks registered accounts with several cloud providers using email addresses with domains linked to his corporate entities, including MultiMillionaire LLC. Using their “immense amounts of computer processing and storage,” Parks allegedly mined over $970,000 in cryptocurrency.

According to prosecutors, Parks defrauded the two unnamed but “well-known” cloud providers of $3.5 million worth of computing resources.

He allegedly set up five accounts at one company using various names and email addresses and tricked them into giving him certain benefits, such as deferred billing and elevated levels of cloud computing services.

Prosecutors allege that twice, Parks began using a new account within a day of his previous one being suspended for “nonpayment and fraudulent activity.” (James Reddick / The Record)

Cisco Duo's security team warns that hackers stole some customers' VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider.

Cisco Duo is a multi-factor authentication and single sign-on service corporations use to provide secure access to internal networks and corporate applications.

In emails sent to customers, Cisco Duo says an unnamed provider who handles the company's SMS and VoIP multi-factor authentication (MFA) messages was compromised on April 1, 2024.

The notice explains that a threat actor obtained employee credentials through a phishing attack and then used those credentials to gain access to the telephony provider's systems.

The intruder then downloaded SMS and VoIP MFA message logs associated with specific Duo accounts between March 1, 2024, and March 31, 2024.

Cisco Duo confirmed that the threat actor did not access any contents of the messages or use their access to send messages to customers but warned customers impacted by this breach to be vigilant against potential SMS phishing or social engineering attacks using the stolen information. (Bill Toulas / Bleeping Computer)

On March 7, 2024, the US Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks, but the lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021.

Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.

“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and, after decompiling, found that they were storing passwords and private key strings in a file.”

Using those hard-coded credentials, Brown found an attacker could connect to an application programming interface (API) that Chirp uses, managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.
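The finding above is a textbook case of credentials shipped inside an app package. The following added example (not code from the report, from Chirp, or from the researcher) shows the kind of check a defender can run over decompiled app resources before release: it flags PEM private-key blocks and credential-style assignments, and reports the Shannon entropy of each value so a reviewer can tell a real secret from a placeholder. The file names and values are constructed for this example and are not taken from any real app.

```python
import math
import re

# Constructed sample of decompiled Android resource files (hypothetical names
# and values, not from any real application).
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">DemoLock</string>\n'
        '  <string name="api_password">Hunter2Hunter2</string>\n'
        '</resources>\n'
    ),
    "assets/config.properties": (
        "api.base=https://api.example.invalid\n"
        "api.secret=c7f3a9e1b2d4f6a8c0e2b4d6f8a0c2e4\n"
        "color=blue\n"
    ),
    "assets/client.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

# A PEM header is a strong signal on its own: private keys have no business in an APK.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Credential-looking key followed by '=', ':' or an XML '>' and a value of 8+ chars.
# Handles both key=value property files and <string name="...">value</string> resources.
CRED_KEY_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_.-]?key|private[_.-]?key|token)"
    r"[\"']?\s*[=:>]\s*[\"']?([^\s\"'<]{8,})"
)


def shannon_entropy(s):
    """Bits of entropy per character; random API keys sit well above ~3.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, kind, value, entropy) tuples for each suspicious item in one file."""
    findings = []
    if PEM_RE.search(text):
        findings.append((path, "pem-private-key", "<key block>", 0.0))
    for m in CRED_KEY_RE.finditer(text):
        value = m.group(2)
        findings.append((path, "credential-assignment", value, round(shannon_entropy(value), 2)))
    return findings


def scan_files(files):
    """Scan a mapping of path -> file contents (e.g. the output of an APK decompile)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, kind, value, entropy in scan_files(SAMPLE_FILES):
        print(f"{path}: {kind} value={value!r} entropy={entropy}")
```

In practice this runs over the unpacked output of an APK decompiler; the entropy column is a triage aid, not a verdict, since short human-chosen passwords (like the constructed `Hunter2Hunter2`) score low yet are still credentials that do not belong in a shipped client.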

Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.

Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 to develop multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.

In October 2022, ProPublica investigated RealPage’s dominance in the rent-setting software market and found that it “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”

Last year, the US Department of Justice backed a massive lawsuit filed by dozens of tenants who accuse the $9 billion apartment software company of helping landlords collude to inflate rents.

In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly. (Brian Krebs / Krebs on Security)

Related: The Register

Following a series of embarrassing attacks and a blistering report from the US Cyber Safety Review Board, Microsoft has pledged its most ambitious security overhaul in two decades, but critics question whether Microsoft has sufficient incentives to make deep and lasting changes.

Microsoft says that under its Secure Future Initiative, announced last November, it will take faster action to address cloud vulnerabilities, make it harder for hackers to steal credentials, and automatically enforce multifactor authentication for employees.

However, because customers rely on the company’s software, they can’t easily switch to other providers. Microsoft’s cybersecurity operation, meanwhile, generates more than $20 billion in sales per year and has been among the company’s fastest-growing sources of revenue. Many of the anti-hacking tools are sold as a bundle with Microsoft’s software, prompting some critics to accuse the company of anticompetitive business practices.

Citing Microsoft’s “shambolic cybersecurity,” US Senator Ron Wyden introduced draft legislation on April 8 requiring the government to set mandatory cybersecurity standards for collaboration software. The Oregon Democrat said “vendor lock-in, bundling, and other anticompetitive practices” result in the government spending “vast sums” on insecure software.

In an interview, security chief Charlie Bell described the company as “ground zero” for hackers working on behalf of foreign governments. That’s partly because Microsoft dominates the corporate productivity and desktop operating system software market.

Microsoft went through a similar security crisis in the early aughts. At the time, computer worms were disrupting computers running Windows. In January 2002, co-founder Bill Gates issued his “trustworthy computing” memo urging software developers to prioritize security.

“So now, when we face a choice between adding features and resolving security issues, we need to choose security,” Gates wrote. “Our products should emphasize security right out of the box.” (Andrew Martin and Dina Bass / Bloomberg)

The US Federal Trade Commission announced a proposed order under which telehealth company Cerebral will limit the consumer health data it uses for advertising purposes and pay more than $7 million over charges that it disclosed consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes and failed to honor its easy cancellation promises.

Cerebral promised safe and private services to convince people to join and share their personal information. However, the complaint said Cerebral did not clarify that it would share consumers' data with platforms such as Snapchat and TikTok.

Cerebral will pay $5.1 million to give some money back to customers affected by the company's cancellation methods. In addition, the company was required to pay a $10 million fine, but it will pay only $2 million because it cannot afford the whole penalty. (Naomi Diaz / Becker’s Hospital Review)

An analysis of dozens of cybercrime forums around the time hackers breached South Carolina’s revenue department in 2012 and stole tax and bank account information for 3.6 million people suggests the identity of the heretofore unnamed threat actor is the notorious Russian cybercriminal who goes by the handle Rescator, a.k.a. Mikhail Borisovich Shefel.

Rescator is the same actor who stole millions of payment card records from big-box retailers like Home Depot and Target in the following years.

The stolen tax and financial data appear to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews. While there are no indications from the forum posts that Rescator ever sold the data, his sales threads came when the incidence of tax refund fraud was skyrocketing.

Questions about who stole tax and financial data on roughly three-quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division.

Keel was careful not to release many details about the breach at his hearing, telling lawmakers that he knows who did it but that he wasn’t ready to name anyone. (Brian Krebs / Krebs on Security)

A Ukrainian hacker group that calls itself Cyber Resistance claims to have breached the Russian drone developer Albatross, leaking 100 gigabytes of data, including internal documentation, technical data, and drawings of various types of unmanned aerial vehicles.

Cyber Resistance said it shared the documents with the international volunteer community InformNapalm, which conducts investigations based on data leaks.

InformNapalm released a report analyzing the Albatross data. However, not all of the obtained data made it into the report. The hackers said some of the information couldn’t be disclosed because “it has been used for several months” by Ukraine’s military.

InformNapalm said that the documents leaked from the Russian drone developer Albatross confirm, among other things, the previous findings about the company's involvement in the development of Iran-designed Shahed drones, which Russia deployed against Ukraine during the ongoing war.

InformNapalm also claims that the Cyber Resistance leak unveils fresh details about Albatross operations, such as the identities of those engaged in assembling Russia-made Iranian drones, along with insights into the workings of the Russian special economic zone Alabuga, a purported hub of the Iran-supported effort to enhance Russia’s drone manufacturing capabilities.

The InformNapalm investigation contains screenshots of leaked documents, maps, and photos of people allegedly related to the Albatross operation. (Daryna Antoniuk / The Record)

Related: Inform Napalm

Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls.

This maximum severity security flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect (gateway or portal) enabled.

Unauthenticated threat actors can exploit it remotely to gain root code execution via command injection in low-complexity attacks that don't require user interaction.

The company has now fixed the security flaw in hotfix releases issued for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. In the coming days, more hotfixes will be rolled out for later PAN-OS versions.

Admins still waiting for a hotfix can disable the device telemetry feature on vulnerable devices until a patch is deployed. Those with an active 'Threat Prevention' subscription can also block ongoing attacks by activating 'Threat ID 95187' threat prevention-based mitigation. (Sergiu Gatlan / Bleeping Computer)
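Deciding whether a given firewall is covered by one of the hotfixes above is easy to get wrong when the version string carries a `-hN` suffix, since a plain string comparison ranks `10.2.10` below `10.2.9-h1`. The following added example (not Palo Alto Networks code and not an official tool) parses PAN-OS version strings into comparable tuples, checks them against the fixed releases named above for the 10.2, 11.0 and 11.1 trains, and reports exposure using the preconditions as stated in this item (device telemetry and GlobalProtect enabled). The `FIXED_VERSIONS` table contains only the hotfixes listed here; any later hotfixes for other trains are an assumption left out of the table.

```python
import re

# Fixed hotfix releases named above, keyed by release train (major, minor)
# and valued as (patch, hotfix). Only the three trains listed on the page.
FIXED_VERSIONS = {
    (10, 2): (9, 1),  # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),  # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),  # PAN-OS 11.1.2-h3
}

# Accepts "10.2.9" or "10.2.9-h1"; a missing hotfix suffix counts as hotfix 0.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s):
    """Turn a PAN-OS version string into a numerically comparable tuple."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version):
    """'patched', 'unpatched', or 'unlisted-train' for trains not in the table."""
    major, minor, patch, hotfix = parse_version(version)
    train = (major, minor)
    if train not in FIXED_VERSIONS:
        return "unlisted-train"
    # Tuple comparison orders (patch, hotfix) numerically, so 10.2.10 > 10.2.9-h1
    # and 10.2.9 (hotfix 0) < 10.2.9-h1.
    if (patch, hotfix) >= FIXED_VERSIONS[train]:
        return "patched"
    return "unpatched"


def exposure(version, telemetry_enabled, globalprotect_enabled):
    """Combine the version check with the exploit preconditions stated above.

    Returns 'exposed' for an unpatched listed train with both features on,
    'unpatched-precondition-absent' when unpatched but one feature is off
    (the interim workaround described above), and 'not-exposed' otherwise.
    """
    status = assess(version)
    if status != "unpatched":
        return "not-exposed"
    if telemetry_enabled and globalprotect_enabled:
        return "exposed"
    return "unpatched-precondition-absent"


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, telemetry, globalprotect)
    inventory = [
        ("fw-edge-1", "10.2.8", True, True),
        ("fw-edge-2", "10.2.9-h1", True, True),
        ("fw-lab", "11.1.2-h2", False, True),
        ("fw-old", "10.1.3", True, True),
    ]
    for host, ver, tele, gp in inventory:
        print(f"{host:10} {ver:10} {assess(ver):15} {exposure(ver, tele, gp)}")
```

Feed it the version strings from your own inventory; anything reported as `unlisted-train` needs to be checked against the vendor advisory directly rather than treated as safe, because the table only encodes the hotfixes this item lists.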

Researchers at Imperva report that 49.6 percent of all internet traffic came from bots in 2023, a two percent increase over the previous year and the highest level since the company began monitoring automated traffic in 2013.

The proportion of web traffic associated with bad bots grew to 32 percent in 2023, up from 30.2 percent in 2022, while traffic from human users decreased to 50.4 percent. Automated traffic is costing organizations billions of dollars annually due to attacks on websites, APIs, and applications.

Looked at by country, Ireland (71 percent), Germany (67.5 percent), and Mexico (42.8 percent) saw the highest levels of bad bot traffic in 2023. The US also saw a slightly higher ratio of bad bot traffic at 35.4 percent compared to 2022 (32.1 percent).

By industry, gaming (57.2 percent) saw the largest proportion of bad bot traffic. Meanwhile, retail (24.4 percent), travel (20.7 percent), and financial services (15.7 percent) experienced the highest volume of bot attacks.

The proportion of advanced bad bots, those that closely mimic human behavior and evade defenses, was highest on law and government (75.8 percent), entertainment (70.8 percent), and financial services (67.1 percent) websites.

The rapid adoption of generative AI and large language models has resulted in the volume of simple bots increasing to 39.6 percent in 2023, up from 33.4 percent in 2022. The technology uses web scraping bots and automated crawlers to feed training models while enabling non-technical users to write automated scripts for their own use. (Ian Barker / BetaNews)

Source: Imperva.

Best Thing of the Day: Better Late Than Never

In partnership with the US Cybersecurity and Infrastructure Security Agency, the FBI, and the cyber arms of the Five Eyes alliance, the National Security Agency released a set of best practices for deploying AI systems securely.

Worst Thing of the Day: More Reason to Ignore Premium X Subscribers

Non-profit think tank The Institute for Strategic Dialogue (ISD) found that within seven hours of Iranian drones being launched toward Israel last weekend, 34 false, misleading, or AI-generated images and videos claiming to show the ongoing conflict received over 37 million views on X (formerly Twitter), with 77% of the accounts posting this content bearing the verified premium user blue checks.

Closing Thought