Brief #13: LinkedIn Hack, Google's Quantum Security, PS Vulns

Mandos Brief, Week 33 2023: LinkedIn hacking campaign, Google's quantum-resilient security, vulnerabilities in CODESYS, PowerShell Gallery flaws, and more.

7 min read
mandos brief #13 - week 33 2023


LinkedIn Accounts Under Attack in Recent Hacking Campaign

In recent weeks, a significant wave of LinkedIn account hacks has been observed, affecting individuals worldwide. The attacks follow two distinct scenarios. In the first, LinkedIn temporarily locks the account due to suspicious activity, such as brute force attacks or attempts to breach two-factor authentication. The user is then notified and asked to verify the account and update the password.

In the second, more unfortunate scenario, the attackers fully hack the account, changing the associated email address and password, making recovery impossible. Some victims have received ransom messages, while others have seen their accounts deleted outright.

The motive behind this campaign remains unclear, but the implications are deeply concerning. Compromised profiles could be exploited for social engineering, blackmail, data gathering, and reputational damage. The consistent modus operandi indicates a comprehensive campaign targeting LinkedIn accounts.

The Cyberint research team has observed an alarming trend in this hacking campaign, with a significant surge in Google searches related to hacked LinkedIn accounts. While LinkedIn has not yet commented publicly, the high volume of support requests indicates that something is amiss.

Users are strongly advised to log in to their accounts and confirm access promptly, ensure all contact information is genuine, and add two-step verification to further secure their profiles against compromise. The potential impact on victims is serious, and substantial efforts in building connections and reputations could be destroyed in seconds.

Google Introduces First Quantum Resilient FIDO2 Security Key Implementation

Google's cybersecurity team, in collaboration with ETH Zurich, has taken a significant step toward quantum-resistant cryptography with the release of the first quantum-resilient FIDO2 security key implementation. This implementation is part of OpenSK, Google's open-source security key firmware, and leverages a novel ECC-Dilithium hybrid signature schema. This schema combines the security of ECC against standard attacks with Dilithium's resilience against quantum threats.

The hybrid approach is critical, as the security of newly standardized quantum-resistant algorithms hasn't yet stood the test of time. By combining the ECDSA signature algorithm with Dilithium, the implementation offers the best of both worlds. A significant technical challenge was to create a Dilithium implementation small enough to run on security keys' constrained hardware. Through careful optimization, a Rust memory-optimized implementation was developed, requiring only 20 KB of memory.

The move toward quantum-resilient security keys is vital as progress toward practical quantum computers accelerates. While quantum attacks are still in the distant future, deploying cryptography at internet scale is a massive undertaking, and early preparation is essential. Google's efforts in this direction signify a clear path to secure security keys against quantum attacks, with further improvements and standardization expected in the future. 

Vulnerabilities in CODESYS Can Shut Down Power Plants

Microsoft's cyber-physical system researchers have recently identified multiple high-severity vulnerabilities in the CODESYS V3 Software Development Kit (SDK), a platform widely used to program and engineer programmable logic controllers (PLCs). These vulnerabilities, which affect all versions of CODESYS V3 prior to version, could put operational technology (OT) infrastructure at risk of attacks such as remote code execution (RCE) and denial of service (DoS).

The discovery highlights the critical importance of securing industrial control systems. CODESYS is compatible with approximately 1000 different device types from over 500 manufacturers, and several million devices use the solution to implement the international industrial standard IEC 61131-3. A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices, allowing attackers to tamper with operations or steal critical information.

Exploiting these vulnerabilities requires user authentication and deep knowledge of the proprietary protocol of CODESYS V3. Microsoft reported the discovery to CODESYS in September 2022 and worked closely with them to ensure that the vulnerabilities are patched.

Recent findings by Aqua Nautilus have exposed significant flaws in the PowerShell Gallery's policy regarding package names and owners. These flaws make typosquatting attacks inevitable, allowing attackers to mimic popular Microsoft PowerShell modules, downloaded millions of times. The PowerShell Gallery lacks protection against typosquatting, enabling malicious actors to upload malicious PowerShell modules that appear genuine. For example, the popular module "aztable" could be easily impersonated with a new name like "az.table," deceiving users into installing a malicious module.

Furthermore, attackers can forge module metadata, faking details like authors, copyright, and description fields, making the spoofed package appear legitimate. Another flaw allows the discovery of unlisted packages, uncovering deleted secrets within the registry. These flaws pave the way for potential supply chain attacks on the registry's vast user base, especially popular around AWS and Azure.

Despite reporting the flaws to Microsoft and claims of ongoing fixes, the issues remain reproducible as of August 2023, indicating that no tangible changes have been implemented. Users of the PowerShell Gallery are advised to adopt policies that allow execution of only signed scripts, utilize trusted private repositories, regularly scan for sensitive data in module source code, and implement real-time monitoring systems in cloud environments to detect suspicious activity.

LabRat Campaign Exploits GitLab Flaw for Stealthy Cryptojacking and Proxyjacking

The LabRat campaign is a new financially motivated operation that has been observed exploiting a critical GitLab flaw. This flaw, known as CVE-2021-22205, has been weaponized for cryptojacking and proxyjacking activities. The attacker employs sophisticated tools, including undetected signature-based tools and kernel-based rootkits, to hide their presence.

One notable aspect is the use of compiled binaries written in Go and .NET, which helps the attacker fly under the radar. The attacker also abuses legitimate services like tryCloudflare to obfuscate their C2 network, making detection more challenging.

Proxyjacking allows the attacker to rent the compromised host to a proxy network, while cryptojacking refers to the abuse of system resources to mine cryptocurrency. The LabRat operation also provides backdoor access to infected systems, potentially leading to follow-on attacks, data theft, and ransomware.

The attack chain begins with the exploitation of the GitLab vulnerability, followed by the retrieval of a dropper shell script that sets up persistence and conducts lateral movement. The attacker also uses tryCloudflare to redirect connections to a password-protected web server hosting malicious scripts.

The Sysdig team discovered that the attacker linked directly to a private GitLab repository to download binaries related to malicious activity. This repository has been active since September 2022, with some of the latest commits being very recent.

The LabRat campaign emphasizes stealth and defense evasion, with the attacker continuously updating their tools. The goal is not only financial but also potentially opens doors for other malicious activities. Users impacted by the vulnerability should follow security incident and disaster recovery processes to deprovision the compromised instance and restore to a new GitLab instance. The vulnerability has been patched since 2021, but the impact remains on customers who are on vulnerable versions.

Share This Post

Check out these related posts

Brief #51: VPN Decloaking Attack, Azure Health Bot Vulnerabilities, CISO Dissatisfaction, and Incident Response Challenges

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #50: Postman API Credential Leaks, DHS AI Threat Guidelines, Effective Risk Communication, Cybersecurity Analyst Insights

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #49: Palo Alto XDR Exploit, GPT-4 Vulnerability Exploitation, CISO Insights, and Top Cybersecurity Courses

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 7 min read