More stories

  • Hacker leaks data of millions of Teespring users

    A hacker has leaked the details of millions of users registered on Teespring, a web portal that lets users create and sell custom-printed apparel.
    The user data was leaked last Sunday on a public forum dedicated to cybercrime and the sale of stolen databases.
    The Teespring data was made available as a 7zip archive that includes two SQL files. The first file contains a list of more than 8.2 million Teespring users’ email addresses and the date the email address was last updated.

    The second file includes account details for more than 4.6 million users.
    Details included in this second SQL file are a hashed version of the email address, usernames, real names, phone numbers, home addresses, and the Facebook and OpenID identifiers users used to log into their accounts.
    Other details related to a user’s Teespring online account are also included and are not believed to be sensitive.
    The good news is that not all accounts have this information filled in, so the breach’s impact on each Teespring user is limited to the amount of granular data they provided to the company. Secondly, password data was not included; however, it is unclear whether the hackers gained access to passwords and simply chose not to release them.


    The hacker who leaked the data goes by the name of ShinyHunters, a threat actor that has leaked billions of user records from hundreds of companies.
    However, ShinyHunters is not believed to have been the person who breached Teespring.
    The company’s data was initially offered for sale on the same forum and via private Telegram channels in December 2020, before being leaked for free last week by ShinyHunters in a common practice where data brokers sabotage each others’ sales.
    A request for comment sent to an email address previously used by ShinyHunters also remained unanswered.
    Teespring breach occurred via Waydev app
    A Teespring spokesperson told ZDNet the company was aware of the breach, which it disclosed on December 1, 2020. The company said the incident took place in June 2020 when a hacker managed to steal user data from its cloud infrastructure.
    “Teespring had previously evaluated a 3rd party service called Waydev which required access to some of our data. This access was implemented via a technology called OAuth,” the company said.
    “Unfortunately, Waydev retained the OAuth token for Teespring (and several other companies) which was accessed from Waydev without authorization by a third party. The token was then used to gain access to some of the Teespring infrastructure.”
    The Waydev incident is well known and was previously covered by ZDNet in July 2020.
    Teespring, founded in 2011, is currently ranked among the 1,500 most popular sites on the internet, at #1,410, according to the Alexa web traffic ranking.
    Updated at 12:30pm ET with comment from Teespring.

  • Microsoft: This is how the sneaky SolarWinds hackers hid their onward attacks for so long

    It’s known that the hackers behind the SolarWinds supply chain attack were highly-skilled and patient. But now Microsoft’s security researchers have outlined some of the operational security (OpSec) techniques and anti-forensic tricks the hackers displayed, which allowed them to remain undetected for long enough — not just on government agency networks, but in the networks of the US’ top cybersecurity firms. 

    Microsoft and FireEye only detected the Sunburst or Solorigate malware in December, but CrowdStrike reported this month that another related piece of malware, Sunspot, was deployed in September 2019, at the time the hackers breached SolarWinds’ internal network. Other related malware includes Teardrop, aka Raindrop.
    Sunburst, a component of software called a dynamic link library (DLL), was injected into SolarWinds’ Orion infrastructure monitoring software to create a backdoor on networks that used Orion. Several of its payloads included custom loaders for the Cobalt Strike penetration testing kit. These loaders included Teardrop.
    “One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader,” Microsoft security researchers said in a new blogpost. 
    “Our investigations show that the attackers went out of their way to ensure that these two components are separated as much as possible to evade detection.”
    Based on SolarWinds’ recent disclosure that the attackers removed the Sunburst backdoor from SolarWinds’ software build environment in June 2020, after it had been distributed broadly to Orion customers in March 2020, Microsoft reckons the attackers – most likely Russian-backed – started “real hands-on-keyboard activity” as early as May.

    Microsoft researchers also estimate that the attackers “spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure.”
    While the initial backdoor could have been on over 18,000 government agency and private sector networks, it was the “hands-on-keyboard” activity that led to the breach of valued targets, at which point the focus turned to lateral movement within the compromised networks the attackers had chosen.

    Microsoft said it found the attackers put in “painstaking planning of every detail to avoid discovery”.
    The attackers also tried to separate the Cobalt Strike loader’s execution from the SolarWinds process “as much as possible” in order to protect the Cobalt Strike implant.
    “Their hope is that, even if they lose the Cobalt Strike implant due to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed,” Microsoft explains. 
    Some of the OpSec methods used by the attackers included methodically avoiding shared indicators of compromise for each compromised host, and exercising an “extreme level of variance” to avoid setting off alarms. 
    “Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched,” Microsoft explains.
    The attackers also renamed tools and binaries and put them in folders that looked like files and programs already present on a machine.
    They even prepared special firewall rules to minimize outgoing packets for certain protocols and then removed the rules after finishing reconnaissance.
    Microsoft’s report is unlikely to be the final report on how these attackers pulled off such an audacious hack. Investigations into the SolarWinds breach and the tools and techniques the attackers used are still ongoing. You can expect more reports from Microsoft, CrowdStrike, FireEye and other firms to shed more light on how the attackers operated, which will be useful for defending against future attacks.

  • MrbMiner crypto-mining operation linked to Iranian software firm

    Cyber-security firm Sophos said it found evidence connecting the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating from the city of Shiraz, Iran.

    The MrbMiner botnet has been operational since the summer of 2020. It was first detailed in a Tencent Security report in September last year.
    Tencent said it saw MrbMiner launching brute-force attacks against Microsoft SQL Servers (MSSQL) databases to gain access to weakly secured administrator accounts.
    Once inside, the botnet would create a backdoor account with the Default/@fg125kjnhn987 credentials and download and install a cryptocurrency miner from domains such as mrbftp.xyz or mrbfile.xyz.
    In a report today, Sophos researchers said they analyzed this botnet’s modus operandi in more depth. They looked at the malware payloads, domain data, and server information and found several clues that led them back to a legitimate Iranian business.
    “When we see web domains that belong to a legitimate business implicated in an attack, it’s much more common that the attackers simply took advantage of a website to (temporarily, in most cases) use its web hosting capabilities to create a ‘dead drop’ where they can host the malware payload,” said Sophos researchers Andrew Brandt and Gabor Szappanos.
    “But in this case, the domain’s owner is implicated in spreading the malware.”

    Sophos said that multiple MrbMiner domains used to host the cryptominer payloads were hosted on the same server as vihansoft.ir, the website of a legitimate Iran-based software development firm.
    Furthermore, the vihansoft.ir domain was also used as the command and control (C&C) server for the MrbMiner operation and was also seen hosting malicious payloads that were downloaded and deployed on hacked databases.
    One of the reasons the Iranian company did not bother covering its tracks better is its location. In recent years, Iranian cybercriminals have become brasher and more careless as they realize that the Iranian government won’t extradite its citizens to western governments.
    Notable Iranian-linked cybercrime operations seen in the past have included the likes of the SamSam and Pay2Key ransomware gangs and the Silent Librarian phishing group, just to name the most notable, although there are many other smaller operations [1, 2].
    Despite the Sophos report outing the MrbMiner group today, the botnet is expected to continue to operate with impunity.

  • Ransomware is now the biggest cybersecurity concern for CISOs

    Ransomware is the biggest cybersecurity concern facing businesses, according to those responsible for keeping organisations safe from hacking and cyberattacks.
    A survey of chief information security officers (CISOs) and chief security officers (CSOs) by cybersecurity firm Proofpoint found that ransomware is now viewed as the main cybersecurity threat to their organisation over the course of the next year.

    Almost half – 46% – of CSOs and CISOs surveyed said that ransomware or other forms of extortion by outsiders represents the biggest cybersecurity threat.
    Ransomware continues to be one of the most damaging and disruptive cyberattacks, while for cybercriminals, encrypting networks and demanding bitcoin in exchange for the decryption key is the easiest way to quickly make a large amount of money from a hacked network.
    A significant percentage of organisations will pay the ransom – which can amount to millions of dollars – because they perceive it as the quickest means of restoring the network and the least amount of further disruption to the business. And it’s because these ransoms are paid that ransomware remains so appealing – and lucrative – for cybercriminals.
    Some of the other cyberattacks that CISOs consider to be the biggest threats this year include cloud account compromise, insider threats, phishing and business email compromise attacks.

    While not as visible as ransomware attacks, all of these cyber threats can also cause problems for organisations – especially if hackers are able to combine attacks like phishing and compromising cloud account login credentials in order to gain further access to networks.
    Often, these kinds of attacks are used in the early stages of efforts to compromise networks with ransomware, so securing the network against one particular form of cyberattack could go a long way to protecting it from others as well.
    Fortunately, improving IT security in one way or another appears to be a priority for the majority of – although not all – organisations. Half of CISOs listed improving employee awareness of cybersecurity as a priority over the next 12 months, while almost as many said upskilling the organisation by hiring new talent or developing the skills of current employees is something their organisation is looking at.
    Nonetheless, cybercriminals will also continue to adapt and evolve – and it’s important for organisations not to get complacent when it comes to cybersecurity and to have a firm understanding of their own networks.
    “Cybercriminals are focused and constantly improving their skills and techniques. This makes it difficult for CISOs to pre-empt the timing, size, and shape of the next attack, even though they recognise the growing cyber risks facing their organisation,” Andrew Rose, resident CISO at Proofpoint, told ZDNet.
    “It is easy to become overwhelmed by this, so my advice to CISOs is to focus on gaining a deep understanding of who within your organisation is being attacked and who is most vulnerable. This is vital to be able to understand which threats should be prioritised,” he added.
    In addition to training and awareness schemes, organisations can help protect against ransomware and other attacks by applying security patches when they’re released, preventing hackers from exploiting known vulnerabilities.
    Using additional protection like two-factor authentication across the organisation can also help prevent damaging attacks by making it much harder for hackers to move around the network, even if they’ve got the correct credentials.

  • Automated exploit of critical SAP SolMan vulnerability detected in the wild

    Automated probes for servers containing a severe vulnerability in SAP software have been detected a week after a working exploit was published online. 

    The vulnerability, tracked as CVE-2020-6207, is a bug in SAP Solution Manager (SolMan), version 7.2. 
    The vulnerability has been awarded a CVSS base score of 10.0 — the highest severity rating available — and is caused by a missing authentication check.
    SolMan is a centralized application used to manage on-premise, hybrid, and cloud IT systems. While describing the bug at Black Hat USA in August, Onapsis researchers called the application the “technical heart of the SAP landscape.”
    SolMan’s End User Experience Monitoring (EEM) function contained the authentication issue. EEM can be used to deploy scripts in other systems, and as a result, compromising EEM can lead to the hijack of “every system” connected to SolMan via remote code execution (RCE), according to Onapsis.
    SAP issued a patch for CVE-2020-6207 in March 2020 (SAP Security Note #2890213). However, for any servers left unpatched, there is now a heightened risk of compromise following the public release of working proof-of-concept (PoC) exploit code.
    Last week, Dmitry Chastuhin released a PoC for CVE-2020-6207 as a project for educational purposes. The security researcher said the script “check[s] and exploit[s] missing authentication checks in SAP EEM servlet.”

    Speaking to ZDNet, Onapsis said that “hundreds of requests” have already been detected in the wild, likely from automated tools, and they are probing for SAP systems still vulnerable to the critical vulnerability. The cybersecurity firm believes that the tools were developed quickly after the release of the PoC code. 
    The requests are mainly coming from Europe and Asia, and a variety of IPs have been documented so far.
    If enterprise IT staff have applied the patch, there is no need for concern. However, if the security fix is yet to be implemented and SolMan setups are exposed online, the creation of automated exploit tools should spur admins on to resolve the security flaw as quickly as possible. 
    “While exploits are released regularly online, this hasn’t been the case for SAP vulnerabilities, for which publicly available exploits have been limited,” Onapsis says. “The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own.”
    ZDNet has reached out to SAP and will update when we hear back. 

  • This phishing scam left thousands of stolen passwords exposed through Google search

    Operators of a phishing campaign targeting the construction and energy sectors exposed the credentials stolen in their attacks, leaving them publicly viewable with a simple Google search.

    On Thursday, Check Point Research published a blog post describing the campaign, in which stolen information was dumped on compromised WordPress domains. 
    The recent phishing attack began with one of several fraudulent email templates and mimicked Xerox/Xeros scan notifications, including a target company employee’s name or title in the subject line.
    Phishing messages originated from a Linux server hosted on Microsoft Azure and were sent through PHPMailer and 1&1 email servers. Spam was also sent through previously compromised email accounts to make messages appear to come from legitimate sources.
    Attackers behind the phishing scam included an attached HTML file containing embedded JavaScript code that had one function: covertly checking in the background for password input. When credentials were entered, they were harvested and the user was redirected to a legitimate login page.
    “While this infection chain may sound simple, it successfully bypassed Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials,” Check Point says. 

    The attackers’ infrastructure included a web of hijacked websites backed by the WordPress content management system (CMS). Check Point says that each domain was used as a “drop-zone server” for processing incoming stolen credentials.
    However, once stolen user data was sent to these servers, it was saved in files that were public and were indexed by Google — allowing anyone to view them through a simple search. 
    Each server would be in action for roughly two months and would be linked to .XYZ domains that would be used in phishing attempts. 
    “Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations,” the team noted. “The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors.”
    Based on a subset of roughly 500 stolen credentials, the researchers found a wide range of target industries, including IT, healthcare, real estate, and manufacturing. However, it appears that the threat actors have a particular interest in construction and energy. 

    Check Point reached out to Google and informed it of the credential indexing.
    While attribution is often a challenge, a phishing email from August 2020 was compared with the latest campaign and was found to use the same JavaScript encoding, suggesting that the group behind this wave has been in operation for some time. 


  • NSA urges system administrators to replace obsolete TLS protocols

    The US National Security Agency has issued a security advisory [PDF] this month urging system administrators in federal agencies and beyond to stop using old and obsolete TLS protocols.

    “NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used,” the agency said.
    “Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not,” the agency added.
    Even if TLS 1.2 and TLS 1.3 are deployed, the NSA warns against configuring these two protocols with weak cryptographic parameters and cipher suites.
    “Especially weak encryption algorithms in TLS 1.2 are designated as NULL, RC2, RC4, DES, IDEA, and TDES/3DES; cipher suites using these algorithms should not be used,” the agency added.
    “TLS 1.3 removes these cipher suites, but implementations that support both TLS 1.3 and TLS 1.2 should be checked for obsolete cipher suites.”
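    The protocol and cipher-suite rules quoted above can be turned into a small configuration audit. The following is an added example, not code from the page or from the NSA’s GitHub tooling; it accepts cipher-suite names in IANA (TLS_RSA_WITH_RC4_128_SHA) or OpenSSL (RC4-SHA) form, and the LEGACY and HARDENED configurations are constructed samples rather than real deployments.

```python
"""Audit a TLS configuration against the NSA guidance quoted above:
only TLS 1.2/1.3, and no TLS 1.2 suites built on NULL, RC2, RC4, DES,
IDEA or 3DES. Added example; not the NSA's own tooling."""
import re

OBSOLETE_PROTOCOLS = {"SSL2.0", "SSL3.0", "TLS1.0", "TLS1.1"}
ALLOWED_PROTOCOLS = {"TLS1.2", "TLS1.3"}

# Bulk-encryption algorithms the advisory singles out as especially weak.
WEAK_ALGORITHMS = {"NULL", "RC2", "RC4", "DES", "IDEA", "3DES"}


def normalize_protocol(name):
    """Map spellings such as 'TLSv1', 'TLS 1.0' or 'SSLv3' to 'TLS1.0' / 'SSL3.0'.

    Unrecognised spellings are returned unchanged so they surface as unknown."""
    compact = re.sub(r"[\s_\-]", "", name.upper()).replace("V", "")
    m = re.fullmatch(r"(SSL|TLS)(\d)(?:\.(\d))?", compact)
    if not m:
        return name
    return f"{m.group(1)}{m.group(2)}.{m.group(3) or '0'}"


def is_weak_suite(suite):
    """True if the suite's bulk cipher is one of the advisory's weak algorithms.

    IANA and OpenSSL names both separate components with '_' or '-', so a
    token match avoids false positives such as AES matching DES by substring."""
    tokens = re.split(r"[-_]", suite.upper())
    return any(tok in WEAK_ALGORITHMS for tok in tokens)


def audit(protocols, cipher_suites):
    """Return findings for one server or client configuration."""
    normalized = [normalize_protocol(p) for p in protocols]
    findings = {
        "obsolete_protocols": sorted(p for p in normalized if p in OBSOLETE_PROTOCOLS),
        "unknown_protocols": sorted(
            p for p in normalized if p not in OBSOLETE_PROTOCOLS | ALLOWED_PROTOCOLS),
        "weak_cipher_suites": sorted(s for s in cipher_suites if is_weak_suite(s)),
    }
    findings["compliant"] = not (findings["obsolete_protocols"]
                                 or findings["weak_cipher_suites"])
    return findings


# Constructed sample configurations (not taken from any real deployment).
# LEGACY is the TLS 1.2-capable setup the advisory says still needs checking:
# it can negotiate TLS 1.2 but also offers TLS 1.0/1.1 and RC4/3DES suites.
LEGACY = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "cipher_suites": [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}
HARDENED = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": [
        "TLS_AES_256_GCM_SHA384",                    # TLS 1.3 suite
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",     # TLS 1.2 AEAD suite
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    ],
}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("hardened", HARDENED)):
        report = audit(cfg["protocols"], cfg["cipher_suites"])
        print(f"{label}: compliant={report['compliant']}")
        for key in ("obsolete_protocols", "weak_cipher_suites", "unknown_protocols"):
            if report[key]:
                print(f"  {key}: {', '.join(report[key])}")
```

    Feeding the audit the protocol and cipher lists from a real server (for example the output of an `openssl ciphers -v` run or a scanner) is left to the reader; the checks themselves do not depend on where the lists came from.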

    The US cybersecurity agency has published a list of tools on its GitHub profile to help system administrators with the task of identifying systems on their internal networks still using obsolete TLS protocol configurations.
    Similar messaging from the Netherlands
    The NSA advisory, published on January 5, was echoed yesterday by the agency’s counterpart in the Netherlands, the Dutch National Cyber Security Center.
    In a similar alert [PDF], the Dutch NCSC also recommended that Dutch government agencies and private companies move to TLS 1.3 as part of a “future-proof” configuration approach.
    The two alerts come after major web browsers stopped supporting TLS 1.0 and TLS 1.1 in mid-2020, citing security reasons. In March 2020, security firm Netcraft reported that around 850,000 websites were still using TLS 1.0 and TLS 1.1 to encrypt their HTTPS traffic, a number that has since slowly gone down.
    In its advisory, the NSA warned that new attacks against TLS protocols are always being discovered and that organizations should use the latest TLS protocol versions to “always stay ahead of malicious actors’ abilities and protect important information.”

  • Microsoft: How 'zero trust' can protect against sophisticated hacking attacks

    The variety of techniques used by the SolarWinds hackers was sophisticated yet in many ways also ordinary and preventable, according to Microsoft. 
    To prevent future attacks of similar levels of sophistication, Microsoft is recommending organizations adopt a “zero trust mentality”, which disavows the assumption that everything inside an IT network is safe. That is, organizations should assume breach and explicitly verify the security of user accounts, endpoint devices, the network and other resources. 

    As Microsoft’s director of identity security, Alex Weinert, notes in a blogpost, the three main attack vectors were compromised user accounts, compromised vendor accounts, and compromised vendor software.
    Thousands of companies were affected by the SolarWinds breach, disclosed in mid-December. The hackers, known as UNC2452/Dark Halo, targeted the build environment for SolarWinds’ Orion software, tampering with the process by which the program is compiled from source code into the binary executable deployed by customers.
    US security vendor Malwarebytes yesterday disclosed it was affected by the same hackers but not via the tainted Orion updates. The hackers instead breached Malwarebytes by exploiting applications with privileged access to Office 365 and Azure infrastructure, giving the attackers “access to a limited subset” of Malwarebytes’ internal emails.
    According to Weinert, the attackers exploited gaps in “explicit verification” in each of the main attack vectors. 

    “Where user accounts were compromised, known techniques like password spray, phishing, or malware were used to compromise user credentials and gave the attacker critical access to the customer network,” Weinert writes.  
    He argues cloud-based identity systems like Azure Active Directory (Azure AD) are more secure than on-premises identity systems because the latter lack cloud-powered protections like Azure AD’s password protection to weed out weak passwords, recent advances in password spray detection, and enhanced AI for account compromise prevention.
    In cases where the actor succeeded, Weinert notes that highly privileged vendor accounts lacked additional protections such as multi-factor authentication (MFA), IP range restrictions, device compliance, or access reviews. Microsoft has found that 99.9% of the compromised accounts it tracks every month don’t use MFA.
    MFA is an important control because compromised high-privilege accounts could be used to forge SAML tokens to access cloud resources. As the NSA noted in its warning after the SolarWinds hack was disclosed: “if the malicious cyber actors are unable to obtain an on-premises signing key, they would attempt to gain sufficient administrative privileges within the cloud tenant to add a malicious certificate trust relationship for forging SAML tokens.”
    This attack technique could be thwarted too if there were stricter permissions on user accounts and devices. 
    “Even in the worst case of SAML token forgery, excessive user permissions and missing device and network policy restrictions allowed the attacks to progress,” notes Weinert. 
    “The first principle of Zero Trust is to verify explicitly—be sure you extend this verification to all access requests, even those from vendors and especially those from on-premises environments.” 
    The Microsoft veteran finally offers a reminder of why least-privileged access is critical to minimizing an attacker’s opportunities for moving laterally once inside a network. This should help to compartmentalize attacks by restricting access to an environment from a user, device, or network that’s been compromised.
    With Solorigate — the name Microsoft uses for the SolarWinds malware — the attackers “took advantage of broad role assignments, permissions that exceeded role requirements, and in some cases abandoned accounts and applications which should have had no permissions at all,” Weinert notes. 
    Weinert admits the SolarWinds hack was a “truly significant and advanced attack”, but says the risk from the techniques the attackers used can be significantly reduced or mitigated with these best practices.