Weekly Cyber Reports

This Week in Cyber 3rd February 2023

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

3rd February, 2023


JD Sports Has Been Hit by Massive Cyber Attack

The clothing and sports brand JD Sports has recently stated that it has been the victim of a cyber attack and that the data of 10 million customers might be at risk. The data in question relates to all online orders placed between 2018 and 2020 and includes names, addresses, email accounts, phone numbers, order details and the final four digits of bank cards. The full scale of the attack is not yet known; JD Sports has reported it to the relevant authorities and has contacted any customers that may have been affected. Online clothing stores have become an attractive target for threat actors because of the volume of data they store, which can be used for identity and credential fraud. Interestingly, the attack was only detected last week, yet the threat actors have been in the network since 2018, almost 5 years without detection.

Hive Ransomware Campaign Taken Down by FBI

Since July 2022, the FBI had covertly infiltrated the network of the prolific Ransomware-as-a-Service (RaaS) group Hive. Recently, with the help of law enforcement from 13 different countries, the operation was shut down and around $130 million in ransom payments was saved thanks to the seizure of 336 decryption keys. In a related announcement, the US Department of State said it was offering rewards of up to $10 million for information that could link threat actors to foreign governments. Hive first appeared in June 2021 and had since launched attacks against more than 1500 victims across a wide range of sectors, including healthcare, government facilities, communications and critical manufacturing, spanning more than 80 countries and extorting more than $100 million in ransom payments. It is suggested that this may only provide short-term relief as the group reforms and establishes new infrastructure, but CrowdStrike head of intelligence Adam Meyers described it as a 'major setback to the adversary's operations'.

ISC Releases Security Patches for DNS Vulnerabilities

The ISC (Internet Systems Consortium) has recently released patches to mitigate 4 high-severity vulnerabilities in the open-source Berkeley Internet Name Domain 9 (BIND9) DNS software suite that could lead to a DoS (denial-of-service) attack. BIND9 is used by many critical organisations, including financial firms, internet service providers (ISPs) and retailers. In an advisory released on Friday 27th of January, the US Cybersecurity and Infrastructure Security Agency (CISA) commented: "A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions and system failures". The vulnerabilities include cache termination bugs and memory leaks and are tracked as CVE-2022-3094, CVE-2022-3488, CVE-2022-3736 and CVE-2022-3924; all are rated 7.5/10 on the CVSS scale. The affected versions are 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.11.4-S1 to 9.11.37-S1, 9.19.0 to 9.19.8 and 9.16.8-S1 to 9.16.36-S1. There is currently no evidence to suggest they are being actively exploited.
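The affected-version list above is the check most administrators will want to run first. The following script is an added example (not ISC's or this report's own code) that encodes those inclusive ranges, parses the BIND version string, and decides whether a given build falls inside a vulnerable range; the `named -v` output line used in the usage function is a constructed sample, and the "-S1" suffix is treated as a separate edition track because the advisory lists Supported Preview builds separately.

```python
import re

# Inclusive affected ranges exactly as listed in the ISC advisory summary above.
# "-S1" marks the Supported Preview Edition, tracked separately from the open-source build.
AFFECTED_RANGES = [
    ("9.16.0", "9.16.36"),
    ("9.18.0", "9.18.10"),
    ("9.11.4-S1", "9.11.37-S1"),
    ("9.19.0", "9.19.8"),
    ("9.16.8-S1", "9.16.36-S1"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_version(version):
    """Split '9.16.8-S1' into ((9, 16, 8), 'S1'); the edition is '' for open-source builds."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), (m.group(4) or "")


def is_affected(version):
    """True if `version` lies inside any listed range for its own edition track."""
    nums, edition = parse_version(version)
    for low, high in AFFECTED_RANGES:
        low_nums, low_edition = parse_version(low)
        high_nums, _ = parse_version(high)
        if edition != low_edition:
            continue  # 9.16.36 and 9.16.36-S1 are different builds with different ranges
        if low_nums <= nums <= high_nums:
            return True
    return False


def check_named_output(text):
    """Extract the version from `named -v` output and return (version, affected?).

    Distribution builds often append their own suffix (e.g. '-1-Debian'); only the
    upstream x.y.z(-Sn) part is compared, so a backported fix would not be visible here.
    """
    m = re.search(r"BIND\s+(\d+\.\d+\.\d+(?:-S\d+)?)", text)
    if not m:
        raise ValueError("no BIND version found in output")
    return m.group(1), is_affected(m.group(1))


if __name__ == "__main__":
    # Constructed sample of a `named -v` line; the id field is a placeholder.
    sample = "BIND 9.16.36 (Extended Support Version) <id:placeholder>"
    print(check_named_output(sample))  # ('9.16.36', True)
```

Because distributions frequently backport security fixes without bumping the upstream version, a positive result here should be confirmed against the package changelog before concluding a host is unpatched; a negative result on a build newer than the listed ranges is the expected state after applying the ISC patches.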

Over 1,200 Redis Servers Have Been Compromised with HeadCrab Malware

A highly skilled threat actor has compromised 1,200 Redis database servers with a stealthy malware named HeadCrab. A researcher at Aqua Security stated: "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers". The attack works by abusing the SLAVEOF command within Redis to connect the target to an already compromised Redis server. This allows the attacker-controlled 'master' server to synchronize with the newly infected server and deliver the HeadCrab payload. The malware is mainly used for crypto-mining, but it has other functionality such as executing shell commands, loading fileless kernel modules and exfiltrating data. Users are urged to disable the SLAVEOF command on any public-facing Redis database servers and to configure the servers to accept connections only from trusted hosts.
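The two mitigations named above (disabling SLAVEOF and restricting who can reach the server) map onto a handful of redis.conf directives. The script below is an added example, not code from Aqua Security or the Redis project: it embeds a constructed weak excerpt beside a constructed hardened one and audits either for the replication command still being reachable, wildcard `bind` addresses, `protected-mode` switched off and a missing `requirepass`. The hostname, addresses and password shown are placeholders; `rename-command NAME ""` is the long-standing Redis way to remove a command from the command table, and REPLICAOF is checked as well because it is the alias of SLAVEOF in newer releases.

```python
# Constructed weak excerpt: listens on every interface, no auth, replication enabled.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened excerpt: replication commands removed, listener limited to
# loopback and one internal interface (placeholder address), password required.
HARDENED_CONF = """\
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass CHANGE-ME-placeholder
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

# bind targets that mean "every interface" (a leading '-' marks an optional address in Redis 7).
WILDCARDS = {"0.0.0.0", "::", "*", "::*"}


def parse_conf(text):
    """Yield (directive, argument-string) pairs, skipping blank lines and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = {}
    disabled = set()
    for directive, args in parse_conf(text):
        if directive == "rename-command":
            parts = args.split()
            # `rename-command NAME ""` removes NAME entirely; renaming to a secret
            # string only hides it, so only the empty target counts as disabled.
            if len(parts) == 2 and parts[1].strip("\"'") == "":
                disabled.add(parts[0].upper())
        else:
            settings[directive] = args  # last occurrence wins, as Redis itself does

    findings = []
    for cmd in ("SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f'{cmd} is still reachable; add: rename-command {cmd} ""')

    bind = settings.get("bind")
    if bind is None:
        findings.append("no bind directive: server listens on all interfaces")
    else:
        for addr in bind.split():
            if addr.lstrip("-") in WILDCARDS:
                findings.append(f"bind includes wildcard address {addr}")

    # protected-mode defaults to yes when absent, so only an explicit 'no' is flagged.
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is disabled")

    if not settings.get("requirepass"):
        findings.append("no requirepass: clients connect without authentication")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "OK")
```

Two caveats a reviewer should keep in mind: `bind` only chooses which local interfaces Redis listens on, so limiting the remote hosts that may connect is done at the firewall or by binding solely to an internal interface; and newer Redis releases also allow denying commands per user through ACLs, which is the preferred route where it is available, though the `rename-command` check above still catches the configuration the older servers in this campaign would carry.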

