CyberBakery Chronicles

Your Weekly Cybersecurity Update (9 August 2024)

  • Critical vulnerabilities in 6 AWS services disclosed at Black Hat USA
  • US Offering $10 Million Reward for Iranian ICS Hackers
  • Ronin Network hacked, $12 million returned by "white hat" hackers
  • Internet traffic in Bangladesh dropped to near zero
  • The Department of Justice (DoJ) and the Federal Trade Commission (FTC) have taken legal action against TikTok for breaching children's privacy laws
  • A surge in Magniber ransomware attacks impacts home users worldwide

Critical vulnerabilities in 6 AWS services disclosed at Black Hat USA

The recent findings from Aqua Security shed light on critical vulnerabilities within Amazon Web Services that could have serious implications for account security. The vulnerabilities could have allowed for account takeover, remote code execution, AI data manipulation, and the disclosure of sensitive information. These findings were presented at Black Hat USA, emphasising the importance of addressing these issues. It's important to stay updated on such security developments to ensure the safety and integrity of AWS accounts.

Discovered initially in the CloudFormation service and subsequently found in five other services during a comprehensive investigation, the Shadow Resources flaw allowed attackers to create their own S3 bucket using the predetermined name of a bucket yet to be initialized by the target. In the case of CloudFormation, auto-generated S3 buckets adhered to a specific naming format consisting of a service-wide fixed prefix, a unique hash that remains consistent for a given AWS account, and the region from which the bucket was created.
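The defensive lesson of the Shadow Resources finding is that a deployment tool must never trust a bucket merely because its name matches the expected pattern: the name is predictable, so someone else may already hold it. The following is an added example, not code from Aqua Security or AWS, showing the pre-flight ownership check such a tool can run. `ExpectedBucketOwner` is the real S3 request parameter (S3 rejects the call with a 403 when the bucket's owner does not match); the `S3Error` class, `FakeS3Client`, bucket names and account IDs are constructed stand-ins so the code runs offline. With boto3 the real client exposes the same `head_bucket` and `put_object` calls and raises `botocore.exceptions.ClientError` instead.

```python
"""Pre-flight ownership check before writing to an S3 bucket whose name follows
a predictable pattern. Added example: S3Error, FakeS3Client and all bucket
names / account IDs are constructed; ExpectedBucketOwner is the real S3 parameter."""


class S3Error(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code, http_status):
        super().__init__(f"{http_status} {code}")
        self.code = code
        self.http_status = http_status


class FakeS3Client:
    """Models the two S3 calls used here with real S3 semantics: a missing bucket
    is a 404; a bucket whose owner differs from ExpectedBucketOwner is a 403."""

    def __init__(self, buckets):
        self._buckets = dict(buckets)  # bucket name -> owning AWS account ID

    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        owner = self._buckets.get(Bucket)
        if owner is None:
            raise S3Error("NoSuchBucket", 404)
        if ExpectedBucketOwner is not None and owner != ExpectedBucketOwner:
            raise S3Error("AccessDenied", 403)
        return {}

    def put_object(self, Bucket, Key, Body, ExpectedBucketOwner=None):
        self.head_bucket(Bucket, ExpectedBucketOwner=ExpectedBucketOwner)
        return {"Bucket": Bucket, "Key": Key, "Size": len(Body)}


def bucket_status(s3, bucket, account_id):
    """Classify a bucket name from our account's point of view:
    'absent'  - no such bucket yet, safe to create it ourselves now
    'foreign' - exists but is not ours (pre-created elsewhere, or inaccessible)
    'owned'   - exists and ExpectedBucketOwner matched our account"""
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=account_id)
    except S3Error as err:
        if err.http_status == 404:
            return "absent"
        if err.http_status == 403:
            return "foreign"
        raise
    return "owned"


def safe_put_object(s3, bucket, key, body, account_id):
    """Write only to a bucket we own; refuse rather than fall back to a foreign bucket."""
    status = bucket_status(s3, bucket, account_id)
    if status != "owned":
        raise PermissionError(f"refusing to write to {bucket!r}: bucket is {status}")
    # ExpectedBucketOwner is passed on the write itself too, so the call stays
    # self-protecting even if a caller skips the status check above.
    return s3.put_object(Bucket=bucket, Key=key, Body=body, ExpectedBucketOwner=account_id)


if __name__ == "__main__":
    # Constructed sample: the us-east-1 bucket is ours; the eu-west-1 name was
    # already created in another account; the ap-south-1 name does not exist yet.
    OUR_ACCOUNT = "111111111111"
    s3 = FakeS3Client({
        "svc-templates-0123abcd-us-east-1": OUR_ACCOUNT,
        "svc-templates-0123abcd-eu-west-1": "999999999999",
    })
    for region in ("us-east-1", "eu-west-1", "ap-south-1"):
        name = f"svc-templates-0123abcd-{region}"
        print(name, "->", bucket_status(s3, name, OUR_ACCOUNT))
```

The per-call check is the application-level guard; the account-wide counterpart is an IAM or SCP condition on the `aws:ResourceAccount` global condition key, which stops any principal in the account from reading or writing buckets owned by another account regardless of what name a tool computes.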

US Offering $10 Million Reward for Iranian ICS Hackers

The US Department of State has announced a reward of up to $10 million for information on several Iranian nationals accused of hacking industrial control systems (ICS). The individuals targeted are Hamid Homayunfal, Hamid Reza Lashgarian, Mahdi Lashgarian, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian. They have been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), specifically the Cyber-Electronic Command unit.

These individuals are believed to be associated with a hacker group called Cyber Av3ngers. In the fall of 2023, this group targeted a Unitronics Vision programmable logic controller (PLC) owned by the Municipal Water Authority of Aliquippa in Pennsylvania. They also attacked ICS at other water utilities in the United States. The PLCs targeted were exposed to the internet and were protected only by a weak default password.

Although Cyber Av3ngers claims to be a hacktivist group, the US government believes it is actually a persona used by the Iranian government to carry out malicious cyber activities. The members of the Cyber Av3ngers group have previously been sanctioned by the US Treasury Department. Additionally, the US government has announced rewards of $10 million for information on Alphv/BlackCat ransomware operators and affiliates, as well as a member of the North Korean hacking group APT45.

Ronin Network hacked, $12 million returned by "white hat" hackers

The Ronin Network, a gambling blockchain, experienced a security breach early this week when white hat hackers took advantage of an undisclosed vulnerability on the Ronin bridge. They were able to withdraw 4,000 ETH and 2 million USDC, totaling $12 million. This amount represents the maximum ETH and USDC that can be withdrawn from the bridge in a single transaction, so this critical security measure prevented the theft of potentially larger sums.

The white-hat hackers informed the Ronin Network about the exploit as they demonstrated their attack. After verification, the bridge was paused for 40 minutes. Although a detailed post-mortem will be released next week, Ronin has stated that the cause of the exploit was a recent bridge update deployed through the governance process, which introduced a security flaw. This flaw caused the bridge to misinterpret the required vote threshold of bridge operators needed to authorize fund withdrawals, allowing unauthorized actors to take damaging actions.
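The two controls this incident turns on, the operator vote threshold that the update broke and the per-transaction cap that limited the loss, are easiest to see side by side in code. The following is an added example and not Ronin's bridge code (the page gives no detail of the actual threshold logic); the operator names, the 7-of-10 quorum and the 4,000 ETH cap are constructed inputs, and amounts are in wei.

```python
"""Two independent controls on a bridge withdrawal: an operator vote threshold
and a per-transaction value cap. Added example, not Ronin's code; operators,
quorum and cap below are constructed."""

WEI_PER_ETH = 10**18


def required_approvals(operator_count, threshold):
    """Smallest number of approvals reaching threshold * operator_count, where
    threshold is a (numerator, denominator) pair. Computed exactly with integer
    ceiling so a fractional quorum never rounds down to fewer operators."""
    num, den = threshold
    if operator_count <= 0 or den <= 0 or not (0 < num <= den):
        raise ValueError("misconfigured operator set or threshold")
    return -(-num * operator_count // den)


def threshold_met(approvals, operators, threshold):
    """Count only distinct approvals from the current operator set; duplicate
    or unknown signers do not contribute."""
    valid = set(approvals) & set(operators)
    return len(valid) >= required_approvals(len(operators), threshold)


def authorize_withdrawal(approvals, operators, threshold, amount_wei, cap_wei):
    """Return (allowed, reason). The cap is checked independently of the vote,
    so a quorum bug alone cannot move more than one transaction's limit."""
    if amount_wei <= 0:
        return False, "non-positive amount"
    if amount_wei > cap_wei:
        return False, "exceeds per-transaction cap"
    if not threshold_met(approvals, operators, threshold):
        return False, "insufficient operator approvals"
    return True, "ok"


if __name__ == "__main__":
    operators = [f"operator-{i}" for i in range(1, 6)]   # constructed 5-operator set
    quorum = (7, 10)                                     # 70% -> 4 of 5
    cap = 4_000 * WEI_PER_ETH                            # per-transaction cap
    print(required_approvals(len(operators), quorum))
    print(authorize_withdrawal(operators[:4], operators, quorum, 100 * WEI_PER_ETH, cap))
    print(authorize_withdrawal(operators[:3] + ["operator-3", "outsider"],
                               operators, quorum, 100 * WEI_PER_ETH, cap))
    print(authorize_withdrawal(operators, operators, quorum, 4_001 * WEI_PER_ETH, cap))
```

The point of keeping the cap check outside the vote logic is exactly what happened here: the governance update broke the threshold, but the cap still bounded what any single transaction could take.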

The Ronin Network team is working on resolving the root cause and mentioned that the fix will undergo thorough audits before it's voted on and deployed by the bridge operators to ensure that similar incidents won't occur again. The bridge will remain paused and undergo intensive checks before reopening. In the meantime, the Ronin Network announced that the current structure will be abandoned for a new solution developed with Ronin validators.

The white-hats have returned the stolen funds and will receive a $500,000 bounty for their "forced audit." Ronin had previously announced that even if the hackers did not return the stolen amounts, all user funds would be guaranteed, and any losses would be fully reimbursed. It is still unclear if the "researchers" exploited the bug before or after notifying Ronin about the flaw and if they demanded a bug bounty reward to return the money.

Internet traffic in Bangladesh dropped to near zero

The student protests in Bangladesh turned violent as the demonstrators expressed their discontent over the government's policies on job quotas and the increasing unemployment rates. The government's response was to order a nationwide shutdown of mobile internet connectivity on July 18, citing the need to "ensure the security of citizens." However, this directive resulted in an almost complete internet outage in the country, as it also affected broadband networks. Consequently, internet traffic in Bangladesh plummeted to near zero just before 21:00 local time (15:00 UTC), coinciding with a significant drop in the announced IP address space from the country. This effectively disconnected nearly every network in the country from the internet.

The Department of Justice (DoJ) and the Federal Trade Commission (FTC) have taken legal action against TikTok for breaching children's privacy laws

The U.S. Department of Justice (DoJ) and the Federal Trade Commission (FTC) have jointly filed a lawsuit against TikTok, a widely used video-sharing platform. The lawsuit alleges that TikTok has blatantly violated children's privacy laws in the United States. The DoJ and FTC claim that the company knowingly allowed children to create TikTok accounts, enabling them to view and share short-form videos and messages with adults and other users on the platform.

Additionally, they accuse TikTok of unlawfully collecting and retaining a wide range of personal information from these children without giving prior notice to or obtaining consent from their parents, which is in direct violation of the Children's Online Privacy Protection Act (COPPA).

Furthermore, the authorities argue that TikTok's actions also infringe upon a 2019 consent order between the company and the government. The order required TikTok to notify parents before collecting children's data and to remove videos from users under 13 years old. However, TikTok's alleged practices are said to have disregarded the terms of this agreement.

Surge in Magniber ransomware attacks impacts home users worldwide

A widespread and aggressive Magniber ransomware campaign is currently underway, wreaking havoc by encrypting the devices of home users across the globe and demanding exorbitant ransoms in the thousands of dollars to provide a decryptor.

Originating in 2017 as a successor to the notorious Cerber ransomware operation, Magniber was initially identified as being distributed through the Magnitude exploit kit. Since its inception, this ransomware operation has exhibited sporadic bursts of activity, with threat actors employing a variety of methods to disseminate Magniber and encrypt victims' devices. These methods include the exploitation of Windows zero-day vulnerabilities, deceptive fake Windows and browser updates, and the distribution of trojanized software cracks and key generators.

Unlike larger ransomware operations that target organizations, Magniber has primarily honed in on individual users who unwittingly download and execute malicious software on their personal or small business systems.

In 2018, AhnLab developed a tool to decrypt files affected by Magniber. However, this decryptor is now ineffective, as the threat actors have fixed the bug that enabled free file decryption.