TL;DR
- LinkedIn Accounts Under Attack in Recent Hacking Campaign
- Google Introduces First Quantum Resilient FIDO2 Security Key Implementation
- Vulnerabilities in CODESYS Can Shut Down Power Plants
- PowerShell Gallery Vulnerabilities Expose Users to Spoofing and Supply Chain Attacks
- LabRat Campaign Exploits GitLab Flaw for Stealthy Cryptojacking and Proxyjacking
LinkedIn Accounts Under Attack in Recent Hacking Campaign
- LinkedIn users globally are experiencing account hacks, with some being pressured into paying ransoms.
- The attacks fall into two categories - temporary account locks and full account compromises.
- LinkedIn's support response time has lengthened, but the company has not yet issued an official statement.
- Users are advised to verify their accounts, update passwords, and enable two-step verification.
In recent weeks, a significant wave of LinkedIn account hacks has been observed, affecting individuals worldwide. The attacks follow two distinct scenarios. In the first, LinkedIn temporarily locks the account due to suspicious activity, such as brute force attacks or attempts to breach two-factor authentication. The user is then notified and asked to verify the account and update the password.
In the second, more unfortunate scenario, the attackers fully hack the account, changing the associated email address and password, making recovery impossible. Some victims have received ransom messages, while others have seen their accounts deleted outright.
The motive behind this campaign remains unclear, but the implications are deeply concerning. Compromised profiles could be exploited for social engineering, blackmail, data gathering, and reputational damage. The consistent modus operandi indicates a comprehensive campaign targeting LinkedIn accounts.
The Cyberint research team has observed an alarming trend in this hacking campaign, with a significant surge in Google searches related to hacked LinkedIn accounts. While LinkedIn has not yet commented publicly, the high volume of support requests indicates that something is amiss.
Users are strongly advised to log in to their accounts and confirm access promptly, ensure all contact information is genuine, and add two-step verification to further secure their profiles against compromise. The potential impact on victims is serious, and substantial efforts in building connections and reputations could be destroyed in seconds.
Google Introduces First Quantum Resilient FIDO2 Security Key Implementation
- Google announces the release of the first quantum-resilient FIDO2 security key implementation as part of OpenSK.
- The implementation uses a novel ECC-Dilithium hybrid signature schema, co-developed with ETH Zurich, to ensure resilience against quantum attacks.
- Combines the battle-tested ECDSA signature algorithm with the recently standardized quantum-resistant signature algorithm, Dilithium.
- Through careful optimization, a Rust memory-optimized implementation was developed, requiring only 20 KB of memory, with further improvements expected.
Google's cybersecurity team, in collaboration with ETH Zurich, has taken a significant step toward quantum-resistant cryptography with the release of the first quantum-resilient FIDO2 security key implementation. This implementation is part of OpenSK, Google's open-source security key firmware, and leverages a novel ECC-Dilithium hybrid signature schema. This schema combines the security of ECC against standard attacks with Dilithium's resilience against quantum threats.
The hybrid approach is critical, as the security of newly standardized quantum-resistant algorithms hasn't yet stood the test of time. By combining the ECDSA signature algorithm with Dilithium, the implementation offers the best of both worlds. A significant technical challenge was to create a Dilithium implementation small enough to run on security keys' constrained hardware. Through careful optimization, a Rust memory-optimized implementation was developed, requiring only 20 KB of memory.
The move toward quantum-resilient security keys is vital as progress toward practical quantum computers accelerates. While quantum attacks are still in the distant future, deploying cryptography at internet scale is a massive undertaking, and early preparation is essential. Google's efforts in this direction signify a clear path to secure security keys against quantum attacks, with further improvements and standardization expected in the future.
Vulnerabilities in CODESYS Can Shut Down Power Plants
- Microsoft has discovered multiple high-severity vulnerabilities in CODESYS V3 SDK, affecting all versions prior to 3.5.1.90.
- These vulnerabilities could lead to remote code execution (RCE) or denial of service (DoS) attacks, potentially shutting down power plants or tampering with industrial operations.
- CODESYS is used in over 1000 different device types across various industries, including power generation, factory automation, and energy automation.
- Microsoft has worked with CODESYS to release patches, and users are urged to apply these security updates as soon as possible to mitigate the risks.
Microsoft's cyber-physical system researchers have recently identified multiple high-severity vulnerabilities in the CODESYS V3 Software Development Kit (SDK), a platform widely used to program and engineer programmable logic controllers (PLCs). These vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.1.90, could put operational technology (OT) infrastructure at risk of attacks such as remote code execution (RCE) and denial of service (DoS).
The discovery highlights the critical importance of securing industrial control systems. CODESYS is compatible with approximately 1000 different device types from over 500 manufacturers, and several million devices use the solution to implement the international industrial standard IEC 61131-3. A DoS attack against a device using a vulnerable version of CODESYS could enable threat actors to shut down a power plant, while remote code execution could create a backdoor for devices, allowing attackers to tamper with operations or steal critical information.
Exploiting these vulnerabilities requires user authentication and deep knowledge of the proprietary protocol of CODESYS V3. Microsoft reported the discovery to CODESYS in September 2022 and worked closely with them to ensure that the vulnerabilities are patched.
PowerShell Gallery Vulnerabilities Expose Users to Spoofing and Supply Chain Attacks
- Lax policies for package naming in Microsoft's PowerShell Gallery allow threat actors to perform typosquatting attacks, spoofing popular packages.
- Attackers can spoof module details, including author and copyright, making it difficult for users to distinguish between legitimate and malicious packages.
- A flaw allows attackers to expose unlisted packages on the platform, gaining unrestricted access to the complete PowerShell package database.
- Despite acknowledging the flaws and claiming to have implemented short-term solutions, Microsoft has not fully remediated the issues, leaving users vulnerable.
Recent findings by Aqua Nautilus have exposed significant flaws in the PowerShell Gallery's policy regarding package names and owners. These flaws make typosquatting attacks inevitable, allowing attackers to mimic popular Microsoft PowerShell modules, downloaded millions of times. The PowerShell Gallery lacks protection against typosquatting, enabling malicious actors to upload malicious PowerShell modules that appear genuine. For example, the popular module "aztable" could be easily impersonated with a new name like "az.table," deceiving users into installing a malicious module.
Furthermore, attackers can forge module metadata, faking details like authors, copyright, and description fields, making the spoofed package appear legitimate. Another flaw allows the discovery of unlisted packages, uncovering deleted secrets within the registry. These flaws pave the way for potential supply chain attacks on the registry's vast user base, especially popular around AWS and Azure.
Despite reporting the flaws to Microsoft and claims of ongoing fixes, the issues remain reproducible as of August 2023, indicating that no tangible changes have been implemented. Users of the PowerShell Gallery are advised to adopt policies that allow execution of only signed scripts, utilize trusted private repositories, regularly scan for sensitive data in module source code, and implement real-time monitoring systems in cloud environments to detect suspicious activity.
LabRat Campaign Exploits GitLab Flaw for Stealthy Cryptojacking and Proxyjacking
- The LabRat campaign leverages a critical flaw in GitLab (CVE-2021-22205) to initiate cryptojacking and proxyjacking.
- The attacker uses undetected signature-based tools, cross-platform malware, and kernel-based rootkits for stealth.
- Services like tryCloudflare are abused to obfuscate the command-and-control (C2) network.
- Besides financial gains, the malware provides backdoor access, potentially paving the way for data theft, ransomware, and other attacks.
The LabRat campaign is a new financially motivated operation that has been observed exploiting a critical GitLab flaw. This flaw, known as CVE-2021-22205, has been weaponized for cryptojacking and proxyjacking activities. The attacker employs sophisticated tools, including undetected signature-based tools and kernel-based rootkits, to hide their presence.
One notable aspect is the use of compiled binaries written in Go and .NET, which helps the attacker fly under the radar. The attacker also abuses legitimate services like tryCloudflare to obfuscate their C2 network, making detection more challenging.
Proxyjacking allows the attacker to rent the compromised host to a proxy network, while cryptojacking refers to the abuse of system resources to mine cryptocurrency. The LabRat operation also provides backdoor access to infected systems, potentially leading to follow-on attacks, data theft, and ransomware.
The attack chain begins with the exploitation of the GitLab vulnerability, followed by the retrieval of a dropper shell script that sets up persistence and conducts lateral movement. The attacker also uses tryCloudflare to redirect connections to a password-protected web server hosting malicious scripts.
The Sysdig team discovered that the attacker linked directly to a private GitLab repository to download binaries related to malicious activity. This repository has been active since September 2022, with some of the latest commits being very recent.
The LabRat campaign emphasizes stealth and defense evasion, with the attacker continuously updating their tools. The goal is not only financial but also potentially opens doors for other malicious activities. Users impacted by the vulnerability should follow security incident and disaster recovery processes to deprovision the compromised instance and restore to a new GitLab instance. The vulnerability has been patched since 2021, but the impact remains on customers who are on vulnerable versions.
