Brief #20: 23andMe DNA Breach, Atlassian 0-Day Under Attack

TL;DR

Credential Stuffing & Exposed Credentials: The breach was executed via a credential stuffing attack, leveraging login credentials from other breaches. This method bypassed 23andMe's existing security measures, raising concerns about the efficacy of relying solely on password-based authentication.
Data Scope & Celebrity Involvement: The attackers initially focused on Ashkenazi Jews and later expanded their scope. They claimed to possess data on celebrities like Mark Zuckerberg and Elon Musk. The data set includes profile IDs, names, birth years, and even Y-DNA and N-DNA fields.
DNA Relatives Feature Exploited: The attackers scraped data from the "DNA Relatives" feature, which many users had opted into. This feature, intended for finding and connecting with genetic relatives, became an attack vector for additional data scraping.
Two-Factor Authentication & Recycled Credentials: 23andMe promotes the use of two-factor authentication (2FA) and strong, unique passwords. However, the attackers capitalized on recycled login credentials from other platforms, highlighting the need for more robust multi-factor authentication mechanisms.

Privilege Escalation: The vulnerability, CVE-2023-22515, allows attackers to create unauthorized admin accounts in Confluence Data Center and Server versions 8.00 and later. It's remotely exploitable, making public-facing instances highly vulnerable.
Severity and Impact: Atlassian rates this as a critical issue with a likely CVSSv3 score between 9 and 10. The flaw is unusual for a privilege escalation issue, as it's remotely exploitable, which is generally associated with authentication bypass or remote code execution.
Mitigation Steps: Immediate patching is advised. If that's not possible, restrict external network access and block access to setup endpoints. Atlassian has released fixed versions 8.33 or later, 8.43 or later, and 8.52 or later.
Indicators of Compromise (IoCs): Check for unexpected members in the Confluence administrator group, newly created user accounts, and specific log entries. If compromised, immediate isolation of the affected server is recommended.

Advanced Payload Delivery: QakBot continues to operate, now deploying Ransom Knight ransomware and Remcos RAT through spear-phishing emails. The emails contain malicious LNK files and Excel add-in XLL files to initiate the infection chain.
Geo-Specific Targeting and Themes: The group is focusing on Italy, Germany, and English-speaking countries, using filenames and email themes related to urgent financial matters to lure victims.
C2 Resilience and Backend Rebuild: The FBI's actions mainly disrupted the command-and-control servers, leaving the phishing infrastructure intact. This enables the group to rebuild and possibly relaunch QakBot with new backend systems.
Diversified Malware Portfolio: In addition to Ransom Knight and Remcos, the group has incorporated Redline information stealer and Darkgate backdoor into their campaigns, indicating a more sophisticated multi-vector attack strategy.

Attack Vector: The cyberattack in August disrupted Clorox's IT infrastructure, forcing a switch to manual order processing. The exact method of intrusion is not disclosed, but social engineering techniques are suspected.
Operational Impact: The attack led to product outages and supply chain disruptions. It hampered Clorox's ongoing $500 million digital overhaul, revealing gaps in their cybersecurity defenses.
Financial Ramifications: Clorox expects a Q1 loss per share of between 35 and 75 cents. The company has already spent $25 million on forensic investigations and legal assistance, with more costs expected in 2024.
Attribution and Tactics: The attack is attributed to the hacker group "Scattered Spider," known for ransomware and social engineering attacks. They have also targeted MGM Resorts and Caesars Entertainment, indicating a focus on high-impact business sectors.

Exploit Details: Cl0p took advantage of a zero-day vulnerability in Progress Software's MoveIt file transfer platform. RansomedVC allegedly gained source code access, although the extent is unconfirmed.
Data Types: Cl0p's attack compromised personal data, including potentially Social Security numbers, of 6,791 Sony employees. RansomedVC claimed to have source code and internal documents.
Containment Actions: Sony isolated an affected server in Japan for forensic analysis. They also initiated credit monitoring for impacted employees. No customer data is reported to be affected.
Unanswered Queries: It's unclear if the data stolen by Cl0p has been sold or misused. Sony is still investigating the full scope of RansomedVC's infiltration, including the validity of their source code access claims.