Breach Roundup: LockBit Claims Wichita Attack
Also: New Attack Threatens VPN User Privacy; Android Malware Targets Finland
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, LockBit claimed responsibility for an attack on Wichita, Kansas, British Columbia probed an attack, the "TunnelVision" flaw threatened VPN users' privacy, a CEO was sentenced for a Cisco equipment scam, attackers exploited a WordPress plug-in flaw, cybersecurity firm Zscaler investigated a breach, and Finland warned about Android malware scams.
LockBit Claims Responsibility for Kansas Cyberattack
The LockBit ransomware gang claimed responsibility for a cyberattack on the Kansas city of Wichita. The incident prompted authorities to shut down IT systems, including those used for online bill payment (see: Ransomware Attack Shuts Down Kansas City Systems).
City authorities announced the cyber assault on Sunday, after ransomware encrypted sections of the network. The LockBit ransomware group listed Wichita on its extortion portal on the same day that U.S. law enforcement agencies publicly identified the leader of the ransomware gang "LockBitSupp" as 31-year-old Russian national Dmitry Yuryevich Khoroshev. The group is threatening to expose all stolen files on Wednesday unless the city pays the ransom.
Various services remain unavailable in Wichita, including auto payments for water bills, public Wi-Fi at some locations, certain library services, email communications for library staff, self-service stations, and phone services at neighborhood resource centers. Public safety services such as the fire and police departments have resorted to manual reporting, and Wichita Transit buses and landfill services are only accepting cash payments.
British Columbia Investigates Cybersecurity Incident
The government of western Canadian province British Columbia is investigating "sophisticated cybersecurity incidents involving government networks," the office of Premier David Eby said Wednesday.
"There is no evidence at this time that sensitive information has been compromised. However, the investigation is ongoing and we have more work to do to determine what information may have been accessed," the statement says.
Civil servants received an email late Wednesday telling them to lengthen their passwords from 10 to 14 characters, The Canadian Press reported. The email was a follow-up to a request from the province's chief information officer sent last week, portrayed at the time as a routine preventative safeguard. Eby vowed the government will be "as transparent as we can without compromising the investigation."
'TunnelVision' Attack Threatens VPN Users' Privacy
Leviathan Security researchers uncovered a new attack method capable of compromising the privacy of VPN users by intercepting and monitoring their traffic on the same local network. The threat is dubbed "TunnelVision" and tracked as CVE-2024-3661.
The TunnelVision attack method has the potential to operate undetected for extended periods, since it subtly manipulates network infrastructure rather than the VPN itself, allowing attackers to intercept VPN traffic. HTTPS traffic, which is encrypted, still appears as unintelligible data to an attacker using the TunnelVision technique. But unencrypted HTTP traffic can be intercepted and read, exposing the content of communications as well as the destinations to which they are sent.
TunnelVision leverages a DHCP server configuration option that lets the server push static routes into the client's routing table using classless IP addressing. Classful IP routing has been obsolete for decades, so clients honor these routes. A rogue DHCP server can use the option to manipulate routing tables and reroute VPN-bound traffic onto the local network. By setting up such a server within the user's network, attackers divert traffic to themselves so they can snoop while the VPN connection still appears to be secure.
Although the attack doesn't directly breach DHCP, routing tables or VPN security, it effectively bypasses VPN encryption by rerouting traffic outside the tunnel.
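As an added illustration that is not from the Leviathan report or this article, the following decodes the DHCP classless static route option the attack abuses (option 121, RFC 3442) and applies a defender-side check that flags pushed routes reaching beyond the local subnet, since such routes out-rank a VPN's default route under longest-prefix matching. The option bytes, subnet and gateway addresses are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed sample option 121 payload: three RFC 3442 entries, each encoded as
# [prefix length][only the significant destination octets][4-byte router].
SAMPLE_OPTION_121 = (
    b"\x18\xc0\xa8\x01\x00\x00\x00\x00"  # 192.168.1.0/24 via 0.0.0.0 (on-link)
    b"\x01\x00\xc0\xa8\x01\xfe"          # 0.0.0.0/1   via 192.168.1.254
    b"\x01\x80\xc0\xa8\x01\xfe"          # 128.0.0.0/1 via 192.168.1.254
)


def parse_option_121(data: bytes) -> List[Route]:
    """Decode an RFC 3442 classless static route option into (network, router) pairs."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n_octets = (plen + 7) // 8            # only ceil(plen/8) destination octets are sent
        i += 1
        if i + n_octets + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = int.from_bytes(data[i:i + n_octets] + b"\x00" * (4 - n_octets), "big")
        i += n_octets
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
    return routes


def routes_bypassing_vpn(routes: List[Route], lan_subnet: str) -> List[Route]:
    """Flag routes whose destination lies outside the local subnet.

    A VPN client normally sends everything through a default route (or a 0/1 + 128/1
    pair) on the tunnel interface. Any more-specific route learned via DHCP on the
    physical interface wins longest-prefix matching, so traffic for that destination
    leaves the tunnel in the clear. Routes covering only the LAN itself are expected.
    """
    lan = ipaddress.IPv4Network(lan_subnet)
    return [(dest, via) for dest, via in routes if not dest.subnet_of(lan)]


if __name__ == "__main__":
    for dest, via in routes_bypassing_vpn(parse_option_121(SAMPLE_OPTION_121), "192.168.1.0/24"):
        print(f"suspect DHCP route {dest} via {via}: would pull traffic out of the VPN tunnel")
```

Corporate DHCP servers do legitimately push routes to internal ranges, so treat a flagged route as something to compare against a known allow-list rather than as proof of an attack.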
CEO Sentenced for $100M Counterfeit Cisco Equipment Scheme
Onur Aksoy, CEO of a conglomerate that oversees various online storefronts, received a six-and-a-half-year prison sentence for orchestrating the sale of approximately $100 million worth of counterfeit Cisco network equipment. Authorities arrested the 40-year-old Floridian in Miami in June 2022 on charges including trafficking in counterfeit goods and committing mail and wire fraud.
Aksoy admitted guilt in June 2023, acknowledging his involvement in the operation through 19 companies and 25 eBay and Amazon storefronts, collectively known as Pro Network Entities. The scam involved importing tens of thousands of modified networking devices from Hong Kong and Chinese counterfeiters, marked with fake Cisco labels and packaging.
Sold as genuine on online platforms, these products ended up in use at government, healthcare, education and military organizations.
Aksoy's evasion tactics included using fake aliases and delivery addresses to sidestep law enforcement attention. Despite warnings from Cisco and law enforcement interventions, Aksoy persisted until his arrest in July 2021, resulting in the seizure of over $7 million worth of counterfeit devices.
In addition to his prison sentence, Aksoy must pay $100 million in restitution to Cisco and forfeit seized counterfeit goods.
WordPress Plug-In Flaw Allows Unauthorized Admin Access
Threat actors are exploiting a high-risk vulnerability in the LiteSpeed Cache plug-in for WordPress that allows them to generate unauthorized admin accounts on vulnerable websites. Tracked as CVE-2023-40000 with a CVSS score of 8.3, the flaw facilitates stored cross-site scripting attacks, enabling attackers to escalate privileges via specially crafted HTTP requests.
LiteSpeed patched the vulnerability in version 5.7.0.1 last October, and the latest version of the plug-in is 6.2.0.1, released on April 25. WordPress' security wing, WPScan, found 16.8% of websites still running unpatched versions.
The flaw permits threat actors to inject malicious JavaScript code into WordPress files. The resulting unauthorized admin accounts grant attackers full control over compromised websites, including the ability to inject malware and install plug-ins.
Zscaler Investigating Suspected Data Breach
Security firm Zscaler is investigating a suspected breach involving its test environment after a hacker allegedly listed compromised access belonging to the company for sale on a criminal forum.
Threat actor IntelBroker posted what it claims are "confidential and highly critical logs packed with credentials." The listing first came to light after dark web analyst Dark Web Informer on Wednesday posted the group's advertisement on social media platform X.
Zscaler on Wednesday said the leak likely stemmed from an isolated test environment that was exposed to the internet. The company later took down the server and said the targeted IT environment did not contain any customer data. Zscaler did not immediately respond to a request for comment.
IntelBroker has a track record of posting information belonging to governments and companies on criminal forums. It recently listed the data of a U.S. Department of State contractor and data pertaining to General Electric's collaborative projects with the U.S. Defense Advanced Research Projects Agency (see: Apparent GE Hack Raises National Security Concerns).
Finland Warns of Android Malware Targeting Bank Accounts
Finland's Transport and Communications Agency alerted the public about an ongoing Android malware campaign aimed at compromising online bank accounts. The scam involves deceptive SMS messages in Finnish that appear to come from banks or payment service providers such as MobilePay. Recipients are instructed to call a specified number, where scammers advise installing a McAfee app for protection. The app is malware that grants threat actors access to victims' bank accounts.
Major financial institution OP Financial Group issued a similar warning about fraudulent messages containing links. The campaign exclusively targets Android devices, and affected individuals are urged to contact their bank immediately if they've installed the malware.
Other Coverage From Last Week
- UK Regulator Tells Platforms to 'Tame Toxic Algorithms'
- Report: Undetectable Threats Found in F5's Central Manager
- Ransomware Attack Shuts Down Kansas City Systems
- LockBitSupp's Identity Revealed: Dmitry Yuryevich Khoroshev
- Operation Cronos Again Threatens to Reveal LockBitSupp
With reporting from Information Security Media Group's Akshaya Asokan in southern England and David Perera in Washington, D.C.