Malware Activity
23andMe Data Scraping Incident Exposes Data of Users of Chinese and Ashkenazi Heritage
23andMe has disclosed that a data scraping incident has taken place, resulting in hackers gaining access to sensitive user information and selling the data on a well-known hacking forum. 23andMe is a personal genomics and biotechnology giant based in the United States that offers DNA testing services. Samples of data allegedly stolen from 23andMe were leaked by a threat actor beginning on October 2, 2023. On October 4, 2023, the threat actor began offering data profiles in bulk, ranging from $1 to $10 per account depending on the number of accounts purchased. The exposed data is associated specifically with customers of Chinese and Ashkenazi heritage and includes full name, usernames, profile photos, sex, date of birth, genetic ancestry results, health information, origin estimation, and more. It should be noted that the threat actor "accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches," a feature that an account holder must opt in to. A spokesperson for 23andMe has confirmed that the leaked data is legitimate and attributed the leak to a credential-stuffing attack, in which threat actors take credentials stolen from one organization and use them to log in to accounts at other organizations where the same passwords were recycled. The spokesperson also stated that the organization has no indication that a data security incident has taken place within its own systems and did not specify the number of customer accounts impacted.
- The Record: 23andMe Data Scraping Incident Article
- Bleeping Computer: 23andMe Data Scraping Incident Article
Threat Actor Activity
Semiconductor Industry Targeted by Chinese Hackers using Cobalt Strike
A new espionage campaign linked to Chinese state-backed hackers is underway, targeting Chinese-speaking semiconductor companies in East Asia. The tactics, techniques, and procedures (TTPs) used in this ongoing campaign overlap considerably with previously reported activity traced back to other People's Republic of China (PRC) backed espionage groups such as Budworm (aka APT27) and RedHotel. The group conducting the current campaign is known to have posed as Taiwan Semiconductor Manufacturing Company (TSMC), one of the major players in the semiconductor industry, to trick victims into clicking on malicious links. While it is still unclear how the attackers first gained access to the targeted systems, phishing emails were likely used. The HyperBro loader is executed on the victim's computer, disguised as a purported TSMC PDF file, and is used to install a Cobalt Strike beacon and infect the device. Cobalt Strike is a legitimate penetration testing tool that is often abused by cybercriminals to remotely issue commands and steal information from victims, as was the case here. Additionally, a second variant of the attack leveraged a compromised Cobra DocGuard web server to drop an additional McAfee binary and load more Cobalt Strike shellcode using DLL side-loading. The hackers in this case also deployed a previously undocumented Go-based backdoor named "ChargeWeapon", designed to gather host data and transmit it to the attacker-controlled command-and-control (C2) server; this information likely aided the threat actor's initial reconnaissance to identify high-value targets. The attacks observed in this campaign also used many obfuscation techniques that help the malware run covertly in the background and keep firewall defenses from detecting its executables and processes.
- The Hacker News: Semiconductor Campaign Article
- The Record: Semiconductor Campaign Article
- Bleeping Computer: Semiconductor Campaign Article
- EclecticIQ: Semiconductor Campaign Research
- GBHacker: Semiconductor Campaign Article
Vulnerabilities
Critical Vulnerabilities in cURL Force Maintainers to Provide Emergency Patches Outside of their Normal Patching Cycle
The developers and maintainers of the popular open-source command line tool cURL (short for "Client URL") are warning users about the presence of an unpatched critical vulnerability affecting both cURL and libcurl, the portable client-side URL transfer library that powers cURL. The cURL tool allows users to transfer data over various network protocols such as FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS, and WSS. It communicates with a web or application server by specifying a relevant URL and the data that needs to be sent or received. cURL is widely used both as a standalone utility and as a component bundled into other software. At this time the technical details are being withheld until the patch is released on October 11, 2023, and according to the cURL maintainers this is "probably the worst curl security flaw in a long time." Although the affected versions of cURL have not been disclosed, the maintainers say organizations should assume the flaw affects all versions released over the past few years. In preparation for the October 11 patch, organizations relying on cURL should inventory and scan all systems utilizing curl and libcurl, "anticipating identifying potentially vulnerable versions once details are disclosed with the release of cURL 8.4.0." Alongside the critical vulnerability, the cURL developers will also be patching a low-severity vulnerability, tracked as CVE-2023-38546, that only impacts libcurl. CTIX analysts urge any administrators leveraging cURL to get ahead of this matter as soon as possible. Inventorying all configuration and version details prior to the patch will allow them to apply the patch as soon as it becomes available on the 11th. It should be assumed that once the cURL developers publish the technical details, multiple threat actors will attempt to exploit entities still running a vulnerable version of the tool.
- The Record: cURL Vulnerabilities Article
- The Hacker News: cURL Vulnerabilities Article
- GitHub: cURL Vulnerabilities Advisory
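The inventory step recommended above, as an added example that is not from the Ankura update or the curl project: a POSIX shell script that locates curl binaries on PATH, the libcurl each one links against, libcurl shared objects registered with the dynamic loader, and package-manager records on a Linux host, flagging any version older than 8.4.0 (the fix release named above). The sample `curl --version` line is constructed for a dry run.

```shell
#!/bin/sh
# Added example (not from the Ankura update): inventory curl and libcurl versions on a
# Linux host and flag anything older than the announced fix release, curl 8.4.0.
FIXED_VERSION="8.4.0"

# ver_key X.Y.Z : map a dotted version to one integer so versions compare numerically
# (8.10.0 must sort above 8.4.0, which a plain string comparison gets wrong).
ver_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}
# version_lt A B : succeed when version A is older than version B.
version_lt() { [ "$(ver_key "$1")" -lt "$(ver_key "$2")" ]; }
# The first line of `curl --version` names both the tool and the libcurl it links;
# the two can differ when a binary was built against a system-wide libcurl.
curl_ver_from_line()    { printf '%s\n' "$1" | awk '$1 == "curl" { print $2 }'; }
libcurl_ver_from_line() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's#^libcurl/##p'; }

# report_version LABEL VERSION : print one inventory line with the verdict.
report_version() {
    if [ -z "$2" ]; then printf 'UNKNOWN:      %s (version not parsed)\n' "$1"
    elif version_lt "$2" "$FIXED_VERSION"; then printf 'NEEDS UPDATE: %s is %s (< %s)\n' "$1" "$2" "$FIXED_VERSION"
    else printf 'ok:           %s is %s\n' "$1" "$2"; fi
}
inventory_host() {
    # 1. Every curl binary on PATH; hosts often carry more than one copy.
    for dir in $(printf '%s' "$PATH" | tr ':' ' '); do
        [ -x "$dir/curl" ] || continue
        line=$("$dir/curl" --version 2>/dev/null | head -n 1)
        report_version "$dir/curl" "$(curl_ver_from_line "$line")"
        report_version "$dir/curl (linked libcurl)" "$(libcurl_ver_from_line "$line")"
    done
    # 2. libcurl shared objects known to the dynamic loader. The SONAME (libcurl.so.4)
    #    hides the release, so show the real file each symlink resolves to.
    ldconfig -p 2>/dev/null | awk '/libcurl/ { print $NF }' | sort -u | while read -r so; do
        printf 'libcurl object: %s -> %s\n' "$so" "$(readlink -f "$so")"
    done
    # 3. Package records, which also cover libcurl installed without a curl binary.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='package: ${Package} ${Version}\n' 'curl' 'libcurl*' 2>/dev/null
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf 'package: %{NAME} %{VERSION}\n' 'curl' 'libcurl*' 2>/dev/null
    fi
}

# Constructed sample of a `curl --version` first line (Ubuntu 22.04 style), for a dry run.
SAMPLE_LINE="curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 nghttp2/1.43.0"
report_version "sample host" "$(curl_ver_from_line "$SAMPLE_LINE")"
inventory_host
```

Run it with a configuration-management tool across the fleet and keep the output: once 8.4.0 ships, the same list tells you which hosts still need attention.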
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.