CyberBakery Chronicles

Your Weekly Cybersecurity Update (16 August 2024)

• Background Check Company National Public Data Hit by Massive Data Breach Affecting Nearly 3 Billion People
• Trojan Malware Campaign Hijacks Browsers, Steals Data of Over 300,000 Users
• Australian Gold Miner Evolution Hit by Ransomware Attack
• Critical Browser Flaw Exposes Local Networks to Attack via "0.0.0.0"
• Hackers Breach Educational Security Software Company and Wipes 13,000 Students’ iPads and Chromebooks

Background Check Company Data Breach Affecting Nearly 3 Billion People

A recent class action lawsuit alleges that background check company Jerico Pictures, operating under the name National Public Data, suffered a data breach earlier this year, exposing the confidential information of nearly 3 billion people. The lawsuit claims the data was stolen by a hacker group known as USDoD.

The exposed information reportedly includes full names, past and present addresses, Social Security numbers, and personal details of family members. The lawsuit further alleges that National Public Data gathers this data by scraping information from non-public sources without individuals' knowledge or consent.

The breach remained unknown to the public until a plaintiff, Christopher Hofmann, was alerted by an identity theft protection service in July that his information had been compromised and leaked on the dark web. The hacker group reportedly posted a database containing the stolen information on a dark web forum in April and sought $3.5 million from a potential buyer.

This data breach appears to be one of the largest ever recorded, rivalling Yahoo's 2013 breach, which affected 3 billion accounts.

Trojan Malware Campaign Hijacks Browsers, Steals Data of Over 300,000 Users

Cybersecurity firm ReasonLabs has uncovered a large-scale Trojan malware campaign targeting Google Chrome and Microsoft Edge users. The campaign, active since 2021, has affected over 300,000 users by installing malicious browser extensions without their knowledge.

The Trojan spreads through fake download websites disguised as popular services like Roblox, YouTube, and VLC Media Player. Once downloaded, the malware silently installs extensions designed to steal sensitive information and manipulate browser behaviour. These extensions can disable browser updates, tamper with shortcuts, and redirect searches through compromised servers.

The malware achieves persistence through scheduled tasks and modifies registry keys to make manual removal difficult. The latest versions even alter core browser files for deeper integration.

The campaign primarily targets Chrome and Edge users, with extensions like "Micro Search" and "Simple New Tab" garnering thousands of downloads before removal from official stores. New variants continue to emerge, posing a persistent threat.

ReasonLabs has urged users to:

• Check Task Scheduler for suspicious entries referencing PowerShell scripts in System32.
• Remove malicious registry keys responsible for extension installation. (Specific paths provided in the full report)
• Manually search for and delete malware files, particularly in System32.
• Utilize reputable antivirus software.

A complete list of affected extensions is available in the full report by ReasonLabs (https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign). Both Google and Microsoft are taking steps to remove the malicious extensions and prevent further installations. Users are advised to remain vigilant and follow the recommended mitigation steps.

Australian Gold Miner Evolution Hit by Ransomware Attack

Evolution Mining, a major Australian gold producer, has been targeted by a ransomware attack that has affected its IT systems. The company announced the incident on August 8th, 2024, and assured the public that the attack had been contained with the help of external cybersecurity experts.

This incident follows a string of cyberattacks targeting Australian firms in recent years, highlighting the nation's cybersecurity vulnerabilities. The Australian Cyber Security Centre (ACSC) confirmed receiving a report from Evolution Mining but noted a lack of detailed information on the attack.

Evolution Mining did not disclose the type of data potentially compromised or if any encryption occurred. The company expects its mining operations to continue uninterrupted, suggesting the attack may not have targeted production-critical systems.

No ransomware group has claimed responsibility for the attack at this time. BleepingComputer has reached out to Evolution Mining for further details but has not yet received a response.

This incident underscores the growing threat landscape for Australian companies. In June 2024, fellow mining company Northern Minerals suffered a data breach where sensitive information was leaked on the dark web.

The Australian government has bolstered its cyber defences in recent years, including increased law enforcement funding and mandatory reporting of cyberattacks. However, the recent attacks highlight the need for further investment in cybersecurity resources to protect critical infrastructure.

Critical Browser Flaw Exposes Local Networks to Attack via "0.0.0.0"

Cybersecurity researchers have discovered a critical vulnerability affecting all major web browsers (Google Chrome, Mozilla Firefox, Apple Safari) that could allow malicious websites to breach local networks. The flaw, dubbed "0.0.0.0 Day," exploits inconsistencies in how browsers handle network requests and grants attackers potential access to sensitive local services.

The vulnerability arises from the way browsers handle the IP address "0.0.0.0," which typically represents a generic or non-routable address within a network. Oligo Security researchers found that malicious websites can leverage this to bypass security restrictions and communicate with local software running on macOS and Linux devices.

This loophole potentially allows attackers to gain unauthorized access and execute code remotely on the victim's machine, even bypassing Private Network Access (PNA) protections. Notably, Windows systems are not affected as they block access to 0.0.0.0 at the operating system level.

Researchers identified that public websites with ".com" domains can exploit this vulnerability to target local services on the visitor's device using 0.0.0.0 instead of the standard "localhost" (127.0.0.1). This effectively bypasses PNA's intended function of preventing external websites from accessing internal network endpoints.

In response to this critical finding, browser developers are expected to implement a complete block on access to 0.0.0.0, effectively closing the vulnerability and preventing future attacks. This change will likely deprecate the ability of public websites to access private network services directly.

The vulnerability highlights the importance of secure server implementations. As Oligo Security researcher Avi Lumelsky explains, "When services use localhost, they assume a constrained environment. This assumption... results in insecure server implementations."

Users are advised to be cautious when visiting unfamiliar websites and to keep their browsers updated with the latest security patches. The update addressing this vulnerability is expected to be rolled out in the coming months.

Hackers Breaches Educational Security Software Company and Wipes 13,000 Students’ iPads and Chromebooks

Mobile Guardian, a company providing security software for educational institutions, has suffered a major data breach impacting students globally. The company confirmed unauthorized access to its platform resulted in a "small percentage" of devices being remotely wiped.

The breach impacted customers in North America, Europe, and Singapore particularly severely. In Singapore, where Mobile Guardian's software is used to protect all student iPads and Chromebooks in secondary schools, the Ministry of Education (MoE) reported that approximately 13,000 devices from 26 schools were wiped clean.

The extent of the damage and the number of affected institutions beyond Singapore remain unclear. The MoE is working with schools to support affected students by deploying additional IT personnel and providing alternative learning resources. The ministry has also removed Mobile Guardian's software from student devices as a precautionary measure and expressed strong concerns to the company.

Mobile Guardian discovered the security incident on August 4th and took its platform offline to prevent further access. They apologized for the inconvenience caused and are working to rectify the issue.