TL;DR
- Revolut's $20 Million Lesson: The Cost of a Payment System Exploit
- ScarletEEL Exploits Terraform, Kubernetes, and AWS
- US Government Emails Compromised by China-Based Espionage Group
- Windows Policy Loophole Is a Gateway for Malicious Drivers
- ToiToin: The Rising Threat to Latin American Banking
Revolut's $20 Million Lesson: The Cost of a Payment System Exploit
- Cyber criminals exploited a flaw in Revolut's payment systems, stealing more than $20 million of the company's funds.
- The breach was due to discrepancies between Revolut's US and European systems, causing funds to be erroneously refunded when transactions were declined.
- The issue was first detected in late 2021, but before it could be fixed, criminal groups leveraged the loophole, making expensive purchases that would be declined and then withdrawing the refunded amounts.
- The exact technical details associated with the flaw are currently unclear, but the mass fraud scheme resulted in a net loss of about $20 million for Revolut.
The cyberattack on Revolut, a fintech startup, resulted in a significant loss of $20 million. The attackers exploited a flaw in the company's payment systems, which was due to discrepancies between its US and European systems. This flaw caused funds to be erroneously refunded when transactions were declined.
The issue was first detected in late 2021, but before it could be fixed, organized criminal groups leveraged the loophole. They encouraged individuals to make expensive purchases that would be declined. The refunded amounts would then be withdrawn from ATMs.
The exact technical details associated with the flaw are currently unclear. However, it's evident that the attackers exploited a software bug that tricked Revolut into refunding too much money. This mass fraud scheme resulted in a net loss of about $20 million for Revolut.
The breach was not publicly disclosed, and Revolut decided not to comment on the attack. However, the company managed to recover some funds by pursuing those who had withdrawn cash. Despite this, the incident highlights the importance of robust security measures and the need for continuous monitoring of payment systems.
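The summary describes refunds being issued for transactions that one regional system had declined. The following is an added example, not Revolut's code, of the kind of reconciliation check that surfaces that pattern: every refund must trace back to a single, consistent capture across regional ledgers. The record layout, field names, transaction IDs and amounts are constructed; the real systems' schemas are not known.

```python
"""Reconcile card refunds against authorization outcomes across ledgers."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class AuthEvent:
    txn_id: str
    region: str          # ledger that recorded the outcome, e.g. "US" or "EU" (constructed)
    status: str          # "captured" or "declined"
    amount: Decimal


@dataclass(frozen=True)
class Refund:
    txn_id: str
    amount: Decimal


def find_suspicious_refunds(auths, refunds):
    """Return (txn_id, reason) for refunds not backed by one consistent capture.

    A refund is flagged when (a) no authorization exists for its txn_id,
    (b) the regional ledgers disagree about the outcome, (c) every ledger
    says the transaction was declined, or (d) the refund exceeds the
    captured amount. The reason string lets an analyst triage quickly.
    """
    by_txn = {}
    for a in auths:
        by_txn.setdefault(a.txn_id, []).append(a)

    findings = []
    for r in refunds:
        events = by_txn.get(r.txn_id)
        if not events:
            findings.append((r.txn_id, "refund without any authorization record"))
            continue
        statuses = {e.status for e in events}
        if len(statuses) > 1:
            detail = ", ".join(f"{e.region}={e.status}" for e in events)
            findings.append((r.txn_id, "regional ledgers disagree: " + detail))
        elif statuses == {"declined"}:
            findings.append((r.txn_id, "refund of a declined transaction"))
        elif r.amount > max(e.amount for e in events):
            findings.append((r.txn_id, "refund exceeds captured amount"))
    return findings


# Constructed sample data: t2 shows the cross-region disagreement pattern.
SAMPLE_AUTHS = [
    AuthEvent("t1", "US", "captured", Decimal("49.99")),
    AuthEvent("t1", "EU", "captured", Decimal("49.99")),
    AuthEvent("t2", "US", "declined", Decimal("3200.00")),
    AuthEvent("t2", "EU", "captured", Decimal("3200.00")),
    AuthEvent("t3", "US", "declined", Decimal("1500.00")),
    AuthEvent("t3", "EU", "declined", Decimal("1500.00")),
]
SAMPLE_REFUNDS = [
    Refund("t1", Decimal("49.99")),
    Refund("t2", Decimal("3200.00")),
    Refund("t3", Decimal("1500.00")),
    Refund("t4", Decimal("80.00")),
]

if __name__ == "__main__":
    for txn, reason in find_suspicious_refunds(SAMPLE_AUTHS, SAMPLE_REFUNDS):
        print(txn, reason)
```

Run as a batch job over the day's refunds and a union of all regional ledgers; the disagreement case is the one to alert on first, since it points at the integration fault rather than at individual cardholders.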
ScarletEEL Exploits Terraform, Kubernetes, and AWS
- ScarletEEL, a sophisticated cloud operation, exploited a containerized workload and escalated privileges into an AWS account to steal proprietary software and credentials.
- The attack started from a compromised Kubernetes container and spread to the victim's AWS account, demonstrating the attacker's knowledge of AWS cloud mechanics such as EC2 roles, Lambda serverless functions, and Terraform.
- The attacker used a Terraform state file to attempt to pivot to other connected AWS accounts, aiming to spread their reach throughout the organization.
- Cyberattacks in the cloud have increased by 56% over the past year, with motives ranging from exfiltrating sensitive data and creating new resources for cryptomining to espionage.
ScarletEEL represents a sophisticated cloud operation that exploits containerized workloads to perform privilege escalation into AWS accounts. The attack begins within a compromised Kubernetes container and then spreads to the victim's AWS account. This demonstrates the attacker's deep understanding of AWS cloud mechanics, including EC2 roles, Lambda serverless functions, and Terraform.
The attacker uses a Terraform state file to attempt to pivot to other connected AWS accounts, aiming to broaden their reach throughout the organization. This level of sophistication is indicative of the increasing complexity of cloud-based attacks, which have risen by 56% over the past year.
In addition to exploiting vulnerabilities for privilege escalation, the attacker also seeks to exfiltrate sensitive data and create new resources for cryptomining. This multi-pronged approach underscores the diverse range of motives behind these attacks, which can range from financial gain to more espionage-focused objectives.
The ScarletEEL operation highlights the importance of robust cloud security measures, including vulnerability management, cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), runtime threat detection, and secrets management. These tools can help organizations reduce their risk from advanced threats and ensure the security of their cloud-based infrastructure.
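The summary says the attacker read a Terraform state file to look for a path into other AWS accounts. State files record resource attributes, so an access key's secret or a cross-account role ARN can sit in them in plaintext. The scanner below is an added example, not code from the ScarletEEL write-up or from any project: it walks a state document, reports sensitive-looking attributes that hold values, and lists every AWS account ID referenced by an ARN other than the account that owns the state. The state is constructed; the access key and account IDs are AWS documentation placeholders, and the attribute names follow the public AWS provider schema (aws_iam_access_key exposes `secret`, aws_db_instance exposes `password`).

```python
"""Scan a Terraform state document for secrets and cross-account references."""
import json
import re

# Attribute names that usually carry credential material in AWS provider state.
SENSITIVE_KEY = re.compile(r"(secret|password|private_key|token|access_key)", re.I)
# Account ID is the 5th colon-separated field of an ARN.
ARN_ACCOUNT = re.compile(r"arn:aws[\w-]*:[^:]*:[^:]*:(\d{12}):")


def _walk(node, path, found):
    """Recursively collect dotted paths of sensitive-looking keys with non-empty string values."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
                found.append(child)
            _walk(value, child, found)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", found)


def scan_state(state, home_account):
    """Return plaintext secret paths and foreign account IDs referenced by ARNs.

    home_account is the 12-digit account that owns the state; any other
    account ID appearing in an ARN (for example in a role trust policy) is
    a potential lateral-movement path worth reviewing.
    """
    secrets, foreign = [], set()
    for res in state.get("resources", []):
        addr = f"{res.get('type')}.{res.get('name')}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            _walk(attrs, addr, secrets)
            # Serialise once so ARNs nested inside policy JSON strings are seen too.
            for acct in ARN_ACCOUNT.findall(json.dumps(attrs)):
                if acct != home_account:
                    foreign.add(acct)
    return {"secrets": secrets, "foreign_accounts": sorted(foreign)}


# Constructed state (Terraform v4 layout); IDs are AWS documentation placeholders.
HOME_ACCOUNT = "111122223333"
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci",
         "instances": [{"attributes": {
             "id": "AKIAIOSFODNN7EXAMPLE",
             "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
             "user": "ci-deployer", "status": "Active"}}]},
        {"mode": "managed", "type": "aws_iam_role", "name": "deploy",
         "instances": [{"attributes": {
             "arn": "arn:aws:iam::111122223333:role/deploy",
             "assume_role_policy": json.dumps({"Statement": [{
                 "Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]})}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "app",
         "instances": [{"attributes": {
             "password": "constructed-db-password",
             "endpoint": "app.example.internal:5432"}}]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(scan_state(SAMPLE_STATE, HOME_ACCOUNT), indent=2))
```

The practical follow-up is to treat state as a secret: keep it in a backend with encryption and tight IAM access, rotate anything the scan reports, and review each foreign account trust relationship it lists.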
US Government Emails Compromised by China-Based Espionage Group
- A China-based cyber espionage group, Storm-0558, infiltrated US and Western European government agencies, compromising email accounts.
- The cyber attackers exploited a flaw in Microsoft's cloud email service, gaining access to accounts since May 2023.
- The State Department and Commerce Department were among the affected agencies.
- Microsoft, upon being alerted by the US government, mitigated the attack, although it's unclear if any sensitive data was exfiltrated.
The cyber espionage group Storm-0558, believed to be based in China, managed to breach the email accounts of more than two dozen organizations worldwide, including US and Western European government agencies. The group exploited a flaw in Microsoft's cloud email service, specifically in Outlook Web Access and Outlook.com. They forged authentication tokens to access user accounts, a sophisticated technique that allowed them to impersonate Azure AD users and gain access to enterprise email accounts.
The cyber attackers had access to these accounts since May 2023, and their activities went undetected until customers reported unusual mail activity to Microsoft in mid-June. The affected agencies include the US State and Commerce Departments, among others. The National Security Council confirmed the breach, and Microsoft was immediately contacted to identify the source and vulnerability in their cloud service.
While Microsoft has successfully mitigated the attack and the cyber attackers no longer have access to the compromised accounts, it remains unclear whether any sensitive data was exfiltrated during the month-long period the attackers had access. This incident highlights the ongoing threat of cyber espionage and the need for robust cybersecurity measures, particularly in government agencies.
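The summary says the group forged authentication tokens to impersonate enterprise users but does not detail how. Whatever the exact mechanism, one property a token verifier must enforce is that the signing key is the one published by the issuer named in the token, not merely some key the service trusts for another purpose. The code below is an added example, not Microsoft's: a weak verifier that resolves `kid` across every trusted key set sits beside a hardened one that binds the key to the expected issuer. HS256 (HMAC) stands in for the asymmetric signatures real identity providers use, and the issuers, key IDs, keys, audience and claims are all constructed.

```python
"""Weak versus issuer-bound token verification (compact JWS, HMAC-SHA256 stand-in)."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict, key: bytes) -> str:
    """Produce header.payload.signature signed with HMAC-SHA256 under `key`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    claims = json.loads(_unb64url(payload_b64))
    return header, claims, f"{header_b64}.{payload_b64}".encode(), _unb64url(sig_b64)


def _sig_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_token_naive(token, trusted_keys, expected_aud, now):
    """Weak: looks `kid` up in every trusted key set and never checks `iss`."""
    header, claims, signing_input, sig = _parse(token)
    for key_set in trusted_keys.values():
        key = key_set.get(header.get("kid"))
        if key is not None and _sig_ok(key, signing_input, sig):
            if claims.get("aud") == expected_aud and claims.get("exp", 0) > now:
                return True, "accepted"
    return False, "rejected"


def verify_token(token, trusted_keys, expected_iss, expected_aud, now):
    """Hardened: fixed alg, issuer pinned, key taken only from that issuer's set."""
    header, claims, signing_input, sig = _parse(token)
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if claims.get("iss") != expected_iss:
        return False, "issuer not accepted by this service"
    key = trusted_keys.get(expected_iss, {}).get(header.get("kid"))
    if key is None:
        return False, "kid not trusted for this issuer"
    if not _sig_ok(key, signing_input, sig):
        return False, "bad signature"
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "accepted"


# Constructed issuers, keys, audience and clock.
ENTERPRISE = "https://login.example.test/enterprise-tenant"
CONSUMER = "https://login.example.test/consumer"
TRUSTED_KEYS = {ENTERPRISE: {"ent-1": b"constructed-enterprise-key"},
                CONSUMER: {"con-1": b"constructed-consumer-key"}}
MAIL_API = "api://mail.example.test"
NOW = 1_700_000_000


def demo():
    """Legitimate token versus one that claims the enterprise issuer but is signed with the consumer key."""
    claims = {"iss": ENTERPRISE, "aud": MAIL_API, "sub": "alice", "exp": NOW + 3600}
    legit = mint_token("ent-1", claims, TRUSTED_KEYS[ENTERPRISE]["ent-1"])
    forged = mint_token("con-1", claims, TRUSTED_KEYS[CONSUMER]["con-1"])
    return {
        "naive_legit": verify_token_naive(legit, TRUSTED_KEYS, MAIL_API, NOW)[0],
        "naive_forged": verify_token_naive(forged, TRUSTED_KEYS, MAIL_API, NOW)[0],
        "strict_legit": verify_token(legit, TRUSTED_KEYS, ENTERPRISE, MAIL_API, NOW)[0],
        "strict_forged": verify_token(forged, TRUSTED_KEYS, ENTERPRISE, MAIL_API, NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The naive verifier accepts the forged token because the signature is valid under a key it trusts; the hardened one rejects it before checking the signature at all, because that key was never published for the claimed issuer. In a real deployment the same rule means fetching the key set from the issuer's own discovery endpoint and refusing tokens whose `kid` is absent from it.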
Windows Policy Loophole Is a Gateway for Malicious Drivers
- Cyber attackers are exploiting a Windows policy loophole to forge signatures on kernel-mode drivers.
- The loophole allows drivers signed before July 29, 2015 to load; open-source tools such as HookSignTool and FuckCertVerifyTimeValidity forge that signing date.
- The policy was designed to maintain compatibility with older software, allowing older drivers to load in Windows 10 and Windows 11 without Microsoft's safety review.
- Microsoft has blocked the offending drivers and suspended the developer program accounts involved in the incident.
The Windows policy loophole being exploited by cyber attackers is a significant threat to system security. This loophole allows the loading of drivers signed before July 29, 2015, using open-source tools such as HookSignTool and FuckCertVerifyTimeValidity. These tools alter the signing date of kernel-mode drivers, enabling the loading of malicious and unverified drivers signed with expired certificates.
The policy that permits this was designed to maintain compatibility with older software, allowing older drivers to load in Windows 10 and Windows 11 without being reviewed by Microsoft for safety implications. However, this has opened a gateway for cyber attackers to deploy thousands of malicious signed drivers without submitting them to Microsoft for verification.
Microsoft has taken steps to mitigate the threat by blocking all certificates used in this exploit and suspending the developer program accounts involved in the incident. However, the underlying policy loophole remains, and the tech giant faces a challenge in finding a better solution without compromising the backward compatibility of Windows with older software.
ToiToin: The Rising Threat to Latin American Banking
- ToiToin is a new Windows-based banking trojan active since 2023, primarily targeting businesses in Latin America.
- The trojan employs a multistage infection chain and custom-made modules to carry out malicious activities such as injecting harmful code into remote processes, circumventing User Account Control (UAC), and evading detection by sandboxes.
- ToiToin can collect data from installed web browsers and system information. It also checks for Topaz Online Fraud Detection (OFD), an anti-fraud module embedded into financial platforms in Latin America.
- The infection begins with a phishing email, leading to a zip archive hosted on an Amazon EC2 instance. The archive contains a downloader executable that sets up persistence and communicates with a remote server to retrieve next-stage payloads.
ToiToin is a sophisticated banking trojan that has been active since 2023. It primarily targets businesses in Latin America and employs a multistage infection chain along with custom-made modules to carry out its malicious activities. These activities include injecting harmful code into remote processes, circumventing User Account Control (UAC), and evading detection by sandboxes.
The trojan begins its attack with a phishing email. The email contains a malicious link that leads to a zip archive hosted on an Amazon EC2 instance. This archive contains a downloader executable that sets up persistence on the victim's system and communicates with a remote server to retrieve next-stage payloads.
ToiToin is capable of collecting data from installed web browsers and system information. It also checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module embedded into financial platforms in Latin America. This information is then sent back to the cyber attackers in an encoded format.
The trojan uses various evasion techniques and encryption methods throughout its infection chain. For example, it uses Amazon EC2 instances to host the malware, which helps it evade domain-based detections. It also generates a new random file name with each download, allowing it to evade detection based on static file-naming patterns.
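Because the first-stage archive is served from an EC2 instance under a fresh random name each time, signatures on the domain or the file name miss it; matching on the hosting pattern and on how random the name looks is one behavioural alternative. The detector below is an added example, not from the ToiToin report: it runs over key=value proxy log lines, alerts on archives fetched from EC2 public DNS names, and notes when the file name has the high character entropy of a generated string. The log format and every line are constructed; the hostname pattern is Amazon's documented `ec2-<ip>.<region>.compute.amazonaws.com` / `ec2-<ip>.compute-1.amazonaws.com` public DNS form, and the entropy threshold is a tuning assumption.

```python
"""Flag archive downloads from EC2 public hostnames in proxy logs."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

EC2_PUBLIC_DNS = re.compile(
    r"^ec2-\d{1,3}(?:-\d{1,3}){3}\.(?:[a-z0-9-]+\.compute|compute-1)\.amazonaws\.com$")
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
LOG_FIELD = re.compile(r"(\w+)=(\S+)")        # constructed key=value log layout
RANDOM_NAME_MIN_LEN = 8                          # tuning assumptions, not from the report
RANDOM_NAME_MIN_ENTROPY = 3.5


def shannon_entropy(text: str) -> float:
    """Bits per character; a generated alphanumeric stem scores well above a word."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def analyse_line(line: str):
    """Return the indicators present in one key=value proxy log line."""
    fields = dict(LOG_FIELD.findall(line))
    url = urlparse(fields.get("url", ""))
    host = (url.hostname or "").lower()
    filename = url.path.rsplit("/", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    indicators = []
    if EC2_PUBLIC_DNS.match(host):
        indicators.append("ec2_public_hostname")
    if filename.lower().endswith(ARCHIVE_EXT):
        indicators.append("archive_download")
    if len(stem) >= RANDOM_NAME_MIN_LEN and shannon_entropy(stem) >= RANDOM_NAME_MIN_ENTROPY:
        indicators.append("random_looking_name")
    return indicators


def find_suspicious_downloads(lines):
    """Alert on archives pulled from EC2 public DNS names; the random-name flag raises severity."""
    alerts = []
    for i, line in enumerate(lines):
        ind = analyse_line(line)
        if "ec2_public_hostname" in ind and "archive_download" in ind:
            alerts.append((i, ind))
    return alerts


# Constructed proxy log lines: line 0 matches every indicator, line 2 only the hosting pattern.
SAMPLE_LOG = [
    "2023-07-10T14:02:11Z user=jdoe url=https://ec2-3-91-12-34.compute-1.amazonaws.com/x7Qm2kLp9aVt.zip status=200 bytes=812345",
    "2023-07-10T14:05:40Z user=asmith url=https://vendor.example.test/invoice_2023.zip status=200 bytes=40211",
    "2023-07-10T14:06:02Z user=jdoe url=https://ec2-18-230-5-77.sa-east-1.compute.amazonaws.com/report.zip status=200 bytes=912000",
    "2023-07-10T14:07:19Z user=mlee url=https://ec2-18-230-5-77.sa-east-1.compute.amazonaws.com/index.html status=200 bytes=2048",
]

if __name__ == "__main__":
    for idx, indicators in find_suspicious_downloads(SAMPLE_LOG):
        print(idx, indicators, SAMPLE_LOG[idx])
```

Plenty of legitimate software is served from EC2, so this is a triage signal rather than a block rule: correlate the alert with the referring mail message and with what the downloaded executable does next (persistence, outbound beaconing) before acting.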