This Week in Cyber 09th February 2024

Analyst Insight

This week in cybersecurity, we're witnessing several significant developments. Firstly, an emerging trend with ResumeLooters is catching attention. While not entirely new, their prevalence is on the rise. The rationale is quite straightforward: job seekers disclose a plethora of personal information during the application process, making them prime targets for data theft.

Additionally, vulnerabilities discovered in Jetbrains and Glibc are cause for concern. Glibc, in particular, serves as a fundamental component in many Linux distributions, which are the backbone of the internet. Any weaknesses found in such core libraries become enticing targets for attackers seeking to exploit system vulnerabilities.

On a related note, ransomware groups have recently been exposed for dishonesty regarding purported 'breaches.' This underscores the importance of scrutinising claims made by threat actors, as misinformation can lead to unnecessary panic and misinformation.

Lastly, the spotlight is on AnyDesk, not for its association with scammers' favourite tool for hijacking systems, but due to its own security breach. The company has urged users to promptly change their passwords in response to the incident, highlighting the ongoing challenges in safeguarding digital assets and user privacy.

AnyDesk Mandates Password Reset after Hack

Remote desktop software provider AnyDesk recently uncovered a cyber attack on its production systems, clarifying that it was not a ransomware incident. The German company, following a security audit, promptly revoked security certificates, remediated or replaced compromised systems, and plans to replace the existing code signing certificate. As a precautionary measure, AnyDesk has revoked all passwords to its web portal, my.anydesk.com, urging users to change their passwords, especially if reused elsewhere. Users are also advised to download the latest software version, which incorporates a new code signing certificate.

Although AnyDesk has not disclosed specifics regarding the timing and method of the breach, the company asserts that there is no evidence of any impact on end-user systems. The cyber attack revelation follows earlier maintenance notices from January 29, subsequently addressed on February 1, and prior alerts on January 24 regarding intermittent timeouts and service degradation with its Customer Portal. Cybersecurity firm Resecurity reported two threat actors advertising a substantial number of AnyDesk customer credentials for sale, potentially exploitable for technical support scams and phishing.

Ransomware Groups Have Been Lying

This should not come as a surprise, but cyber criminals aren’t always the most reliable or truthful individuals.

We have only just entered 2024 but already many companies have fallen victim to ransomware. Or have they? For example, two high profile “breaches” this year have already been proven fake. Rental car company Europcar and defence contractor Technica both refuted claims that they had been involved in major breaches in late January, pointing to the obviousness of sample data being faked. This post-truth fear tactic is effective in generating hype and notoriety for groups. Even if the breach turns out to be fake, the public is rarely interested. The catchy headline is always the breach, not the redemption. A group can leverage the fear and notoriety they generate to force payouts from genuine victims in future.

This does not mean ransomware groups are to be ignored, on the contrary we should be paying more attention now than ever. Whether these groups are “bottom feeders chasing clout” as some experts have suggested or exacting a genuine strategy to gain infamy. The result is the same. Ransomware is a real threat to every organisation. Whilst we must avoid feeding the fear, we must also continue to raise awareness about the processes to prevent and detect these threats. 

Emergence of ResumeLooters: A Closer Look at Targeted Data Theft in the APAC Region

A previously undisclosed threat actor named ResumeLooters has been targeting employment agencies and retail companies primarily located in the Asia-Pacific (APAC) region since early 2023. The group's main objective is to steal sensitive data, particularly from job search platforms, by exploiting vulnerabilities such as SQL injection attacks. Between November and December 2023, ResumeLooters compromised approximately 65 websites, resulting in the theft of over 2 million user data records, including email addresses and personal information of job seekers.

The modus operandi of ResumeLooters involves leveraging tools like sqlmap to execute SQL injection attacks and deploy additional payloads such as the BeEF penetration testing tool and malicious JavaScript code. These attacks are financially motivated, with the stolen data being sold through Telegram channels established by the threat actor.

Group-IB, a cybersecurity firm, has also identified evidence of cross-site scripting (XSS) infections on legitimate job search websites, highlighting the group's use of diverse methods to exploit vulnerabilities. Despite the prevalence of such attacks in the region, ResumeLooters' persistence and adaptability underscore the importance of robust security measures and effective vulnerability management practices to combat evolving threats.

Linux Glibc Vulnerability

A newly discovered security flaw in the GNU C library (glibc) poses a serious threat to major Linux distributions, including Debian, Ubuntu, and Fedora. Tracked as CVE-2023-6246 with a CVSS score of 7.8, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, used for system logging by syslog() and vsyslog().

Accidentally introduced in glibc 2.37 in August 2022, the flaw allows malicious local attackers to gain full root access by exploiting specific conditions, such as unusually long argv[0] or openlog() ident arguments. The impact is significant due to the widespread use of the affected library. Further analysis revealed two additional flaws (CVE-2023-6779 and CVE-2023-6780) in __vsyslog_internal() and a separate bug in the library's qsort() function, affecting all glibc versions since 1992 and highlighting the critical need for stringent security measures in core libraries widely used across systems and applications.

Urgent Patching Needed for Critical JetBrains TeamCity Flaw

JetBrains has alerted users to a concerning critical security flaw (CVE-2024-23917) in its TeamCity On-Premises CI/CD software, with a severity rating of 9.8 out of 10. This vulnerability could be exploited by attackers to gain administrative control over vulnerable instances. The impacted versions range from 2017.1 through 2023.11.2, and users are strongly advised to update to version 2023.11.3 or apply the provided security patch plugin.

While there's no current evidence of active exploitation, previous similar vulnerabilities in TeamCity quickly became targets for ransomware gangs and state-sponsored groups. Users unable to update immediately should take precautionary measures to restrict internet accessibility to their servers.