Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Social Engineering
Also: MOVEit Victims Confirm Attack, Ukrainian Government FB Page Hacked
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Charming Kitten targeted nuclear experts; over 130,000 solar energy monitoring systems are exposed; organizations confirmed a breach due to the MOVEit zero-day; Russian hackers took over a Ukrainian government agency’s Facebook page; and a WordPress plug-in gave admin privileges to users.
See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security
Charming Kitten Targets Western Nuclear Experts
Researchers at Proofpoint discovered the Iranian cyberespionage group TA453, aka Charming Kitten, engaging in a phishing campaign targeting nuclear weapons experts. This group, believed to have connections to the Iranian government, has a history of targeting government officials, politicians, think tanks and critical infrastructure in the United States and Europe.
The recent campaign, which took place between March and May, involved the group impersonating think tank employees to establish a rapport with Western foreign policy researchers. They initiated contact through benign emails and later sent phishing emails containing a password-protected Dropbox URL. The victims were lured into believing that the URL would provide access to relevant research, but instead it executed malicious files and installed a backdoor on their systems. The backdoor then reached out to a cloud hosting provider to download additional malware payloads.
Proofpoint researchers said this campaign was highly targeted – fewer than 10 individuals are known to have received phishing emails from the group. But so far, no proof of infection has been detected.
In the latest campaign, TA453 targeted Macintosh computers. When its initial malware failed to work on an employee’s Mac, the group promptly developed a Mac-compatible version and distributed it via a password-protected ZIP file disguised as a RUSI-themed virtual private network program.
The threat actor, in an effort to evade detection and ensure uninterrupted espionage activities, demonstrated a remarkable ability to adapt its infection chain, the researchers said.
Over 130,000 Solar Energy Monitoring Systems Exposed
Cyble’s threat analysts discovered tens of thousands of photovoltaic monitoring and diagnostic systems are at risk of being targeted by hackers due to their accessibility over the public web. These systems play a crucial role in remote performance monitoring, troubleshooting and optimizing renewable energy production.
Researchers conducted a scan of internet-exposed PV utilities and discovered 134,634 products exploitable from various vendors, including Solar-Log, Danfoss Solar Web Server, Contec SolarView, and SMA Sunny WebBox, among others. Although the exposed assets may not be directly vulnerable or misconfigured, unauthenticated visitors can access information such as settings that could be exploited in potential attacks.
The report highlights the presence of vulnerabilities in the products, despite some having a proof-of-concept exploit code available, and it warns that information-stealing malware could collect login credentials for these PV control systems.
To mitigate these risks, PV system administrators are advised to employ strong and unique credentials, enable multifactor authentication where possible, keep systems up to date, and – if possible – segregate the equipment on its own network.
MOVEit Update: With Data Leaks, Orgs Confirm Breach
A significant number of organizations affected by the recent mass hacks exploiting a security flaw in the MOVEit file transfer tool confirmed that hackers had accessed sensitive data. Over 130 organizations have been affected by the vulnerability in Progress Software’s MOVEit service, resulting in at least 33 data breach disclosures so far. The total number of affected individuals has surpassed 17.5 million people, according to Brett Callow, a threat analyst at Emsisoft.
Oil producer Shell confirmed this week that hackers had accessed “some personal information relating to employees” through the exploitation of the MOVEit Transfer tool. The company did not disclose the specific data accessed, the number of affected individuals or the extent of the breach.
The Clop ransomware group, which was responsible for the mass MOVEit hacks, claimed to have published Shell’s data after the company refused to negotiate.
Indiana-based banking giant First Merchants Bank also confirmed a data breach resulting from the MOVEit hacks. The hackers accessed sensitive customer information, including addresses, Social Security numbers, online banking usernames and financial account information. First Merchants Bank clarified that online and mobile banking passwords had not been compromised.
Several other organizations, including Siemens Energy, Schneider Electric, Proskauer, City National Bank, Cambridgeshire County Council, Dublin Airport and Madison College also confirmed MOVEit-related data breaches. Schools, in particular, have been heavily affected. The National Student Clearinghouse and the Teachers Insurance and Annuity Association of America faced security incidents.
Russian Hackers Take Over Ukrainian Agency Facebook Page
A hacked Ukrainian government agency Facebook page ran a disinformation campaign for a short time after Russian hacktivists had gained administrator access to the page. The hackers claimed the attack had disrupted communications with other government agencies on “the spheres of economy, demography, population, employment and labor migration, with the general Staff of the Armed Forces of Ukraine.”
Access to the Facebook page of the State Statistics Service of Ukraine is now restored, and information infrastructure remains unaffected, according to the State Service of Special Communications and Information Protection of Ukraine, which said the disruption was “greatly exaggerated.”
The primary objective of the hackers was deployment of data-wiping malware, not targeting the social media account, according to the Computer Emergency Response Team of Ukraine. Several work computers of SSSU employees were affected during this attempt, according to the SSSCIP, which said one of the computers was used to gain access to the service’s Facebook page. Hackers settled for spreading disinformation instead of wiping computers, the agency said.
Ultimate Member WordPress Plug-In Gives Admin Privileges to Users
Hackers are exploiting a zero-day privilege escalation vulnerability in the popular WordPress plug-in called Ultimate Member to compromise websites. The flaw, tracked as CVE-2023-3460, allows attackers to bypass security measures and register rogue administrator accounts. The vulnerability affects all versions of the plug-in, including the latest one, v2.6.6. Although the developers have attempted to address the issue in recent versions, hackers can still exploit it, and they are actively working on a complete fix.
The attacks were discovered by Wordfence, a website security specialist. Attackers exploited the flaw by manipulating the plug-in’s registration forms to set arbitrary user meta values, specifically modifying the wp_capabilities
value to gain administrator privileges and thus complete control over the compromised website.
Indicators of a hacked WordPress site using this vulnerability include the appearance of new administrator accounts with usernames such as wpenginer
, wpadmins
, and wpengine_backup
. Access logs may show malicious IPs accessing the registration page, including IP addresses such as 146.70.189.245 and 103.187.5.128. Other signs include the presence of user accounts associated with the email domain exelica.com
and the installation of unauthorized WordPress plug-ins and themes.
Website owners are urged to stay vigilant, uninstall the plug-in, and conduct thorough security checks to ensure their sites are free from compromise.
Other Coverage From Last Week
ISMG Global News Desk Principal Correspondent Mihir Bagwe contributed to this report.