11 October 2023

Ankura CTIX FLASH Update - October 10, 2023

Ankura Consulting Group LLC


Malware Activity

23andMe Data Scraping Incident Exposes Data of Users of Chinese and Ashkenazi Heritage

23andMe has disclosed that a data scraping incident has taken place, resulting in hackers gaining access to sensitive user information and selling the data on a common hacking forum. 23andMe is a personal genomics and biotechnology giant based in the United States that offers DNA testing services. Samples of data allegedly stolen from 23andMe were leaked by a threat actor beginning on October 2, 2023. On October 4, 2023, the threat actor began offering data profiles in bulk, ranging from $1 to $10 per account depending on the number of accounts purchased. The exposed data is specifically associated with customers of Chinese and Ashkenazi heritage and includes full name, username, profile photo, sex, date of birth, genetic ancestry results, health information, origin estimation, and more. It should be noted that the threat actor "accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches," a feature an account must opt in to. A spokesperson for 23andMe has confirmed that the leaked data is legitimate and attributed the leak to a credential-stuffing attack, in which threat actors take credentials previously stolen from one organization and use them to log in to accounts at other organizations where users have recycled the same password. The spokesperson also stated that the organization has no indication that a data security incident took place within its own systems and did not specify the number of customer accounts impacted.

Threat Actor Activity

Semiconductor Industry Targeted by Chinese Hackers using Cobalt Strike

A new espionage campaign linked to Chinese state-backed hackers is underway, targeting Chinese-speaking semiconductor companies in East Asia. The tactics, techniques, and procedures (TTPs) used in this ongoing campaign overlap considerably with previously reported activity traced back to other People's Republic of China (PRC) backed espionage groups such as Budworm (aka APT27) and RedHotel. The group conducting the current campaign is known to have posed as Taiwan Semiconductor Manufacturing Company (TSMC) - one of the major players in the semiconductor industry - to trick victims into clicking on malicious links. While it is still unclear how the attackers first gained access to the targeted systems, phishing emails were likely used. The HyperBro loader, disguised as a TSMC PDF file, is executed on the victim's computer and installs a Cobalt Strike beacon, infecting the device. Cobalt Strike is a legitimate penetration testing tool that is often abused by cybercriminals to remotely issue commands and steal information from victims, which is how it was used in this scenario. Additionally, a second variant of the attack leveraged a compromised Cobra DocGuard web server to drop an additional McAfee binary and load more Cobalt Strike shellcode using DLL side-loading. The hackers in this case also deployed a previously undocumented Go-based backdoor named "ChargeWeapon", designed to gather host data and transmit it to the attacker-controlled command-and-control (C2) server; this information likely aided the threat actor's initial reconnaissance to identify high-value targets. The attacks observed in this campaign also used many obfuscation techniques that help run the malware covertly in the background and keep firewall defenses from detecting its executables and processes.

Vulnerabilities

Critical Vulnerabilities in cURL Force Maintainers to Provide Emergency Patches Outside of their Normal Patching Cycle

The developers and maintainers of the popular open-source command line tool cURL (short for "Client URL") are warning users about an unpatched critical vulnerability affecting both cURL and libcurl, the portable client-side URL transfer library that powers cURL. The cURL tool allows users to transfer data over various network protocols such as FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS, and WSS. It communicates with a web or application server by specifying a relevant URL and the data that needs to be sent or received. cURL is widely used both as a standalone utility and as a component bundled into other software. At this time the technical details are being withheld until the patch is released on October 11, 2023, and according to the cURL maintainers this is "probably the worst curl security flaw in a long time." Although the affected versions of cURL have not been disclosed, the maintainers say organizations should assume it affects all versions from the past few years. In preparation for the October 11 patch, organizations relying on cURL should inventory and scan all systems utilizing curl and libcurl, "anticipating identifying potentially vulnerable versions once details are disclosed with the release of cURL 8.4.0." Alongside the critical vulnerability, the cURL developers will also be patching a low-severity vulnerability, tracked as CVE-2023-38546, that only impacts libcurl. CTIX analysts urge any administrators leveraging cURL to get ahead of this matter as soon as possible. Inventorying all configuration and version details prior to the patch will allow them to apply the patch as soon as it is released on the 11th. It should be assumed that once the cURL developers publish the technical details, multiple threat actors will attempt to exploit entities still running a vulnerable version of the tool.
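As an added illustration of the inventory step recommended above (this script is not from the Ankura update or the curl project), the POSIX shell helper below records the curl and libcurl versions reported by `curl --version` and flags any build older than 8.4.0, the release the maintainers announced for the fix. The host label and the sample banner are constructed; because affected versions were not disclosed, every older build is reported as "patch-needed" rather than only specific releases.

```shell
#!/bin/sh
# Added example (not from the Ankura bulletin or the curl project): inventory the
# curl/libcurl versions on a host and flag anything below 8.4.0. The tool and the
# library it links can carry different versions, so both are reported.

# Turn a dotted version into a sortable integer: 8.4.0 -> 8004000.
# Trailing non-numeric suffixes (e.g. "-DEV") are dropped; missing fields count as 0.
ver_key() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  maj=${v%%.*}; rest=${v#*.};   [ "$rest" = "$v" ] && rest=""
  min=${rest%%.*}; rest2=${rest#*.}; [ "$rest2" = "$rest" ] && rest2=""
  pat=${rest2%%.*}
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Print "patch-needed" for versions below 8.4.0, otherwise "ok".
# Numeric comparison matters: a string compare would rank 8.10.1 below 8.4.0.
assess() {
  if [ "$(ver_key "$1")" -lt "$(ver_key 8.4.0)" ]; then echo patch-needed; else echo ok; fi
}

# Pull "curl X.Y.Z" and "libcurl/X.Y.Z" from the first line of `curl --version`.
banner_curl_ver()    { printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'; }
banner_libcurl_ver() { printf '%s\n' "$1" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'; }

# One inventory line per host: <host> curl=<ver>:<status> libcurl=<ver>:<status>
# An unparseable banner yields "unknown" and is treated as patch-needed.
report_line() {
  host=$1; banner=$2
  c=$(banner_curl_ver "$banner"); l=$(banner_libcurl_ver "$banner")
  echo "$host curl=${c:-unknown}:$(assess "${c:-0}") libcurl=${l:-unknown}:$(assess "${l:-0}")"
}

# Report the local host when curl is installed, then a constructed banner so the
# script demonstrates its output even on a machine without curl.
if command -v curl >/dev/null 2>&1; then
  report_line "$(uname -n)" "$(curl --version 2>/dev/null)"
fi
SAMPLE='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11'
report_line sample-host "$SAMPLE"   # constructed banner, not a real host
```

Run it over fleet hosts (for example via SSH or a configuration management tool) and collect the output lines into a single list so the hosts marked patch-needed can be upgraded as soon as 8.4.0 ships.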

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
