Press Release
Heroku acknowledges that a cyberattack resulted in the theft of user credentials.
The GitHub integration OAuth tokens that were taken last month also contributed to the vulnerability of an internal client database, according to a recent statement from Heroku.
The cloud platform, which is owned by Salesforce, acknowledged that the same compromised token was utilised by attackers to steal client credentials that had been hashed and salted from “a database.”
Following yesterday’s contact between BleepingComputer and Salesforce, Heroku released an update.
Even though BleepingComputer doesn’t have any OAuth integrations that leverage Heroku apps or GitHub, we unexpectedly received a password reset email from Heroku, like many other users. This suggested that there was another reason for these password resets.
Forced password resets are explained by Heroku.
Following the security breach from last month, Heroku began this week forcing password resets for a portion of its user accounts without providing a detailed justification.
Some Heroku users received emails on Tuesday evening informing them that their account passwords would be changed as a result of the security breach, with the subject line “Heroku security notification – resetting user account passwords on May 4, 2022.” The email noted that the reset will also invalidate all API access tokens and force users to create new ones.
However, the original security problem being discussed involves threat actors stealing OAuth tokens given to Heroku and Travis-CI and utilising them to retrieve data from secure GitHub repositories belonging to a variety of companies, including npm.
According to a previous statement from GitHub, “On April 12, GitHub Security started an investigation that uncovered evidence that an attacker exploited stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organisations, including npm.”
These tokens had previously been used by the OAuth integrations of the Travis-CI and Heroku platforms to link with GitHub and release apps.
Threat actors could access and download data from GitHub repositories belonging to users who gave their accounts permission to the stolen Heroku or Travis CI OAuth apps by stealing these OAuth tokens. Notably, the issue had no effect on GitHub’s infrastructure, processes, or private repositories.
But up until this point, it was still unclear why Heroku would need to reset some user account passwords.
It turns out that threat actors were able to access Heroku’s internal database of client accounts through the compromised token for a Heroku machine account:
Heroku updates its security warning: “Our research also discovered that the same compromised token was used to access a database and exfiltrate the hashed and salted passwords for users’ accounts.”
“Because of this, Salesforce is making sure that all Heroku user passwords are changed and that any potentially vulnerable credentials are updated. We have added more detections and rotated internal Heroku credentials. We are still looking into the token compromise’s origin.”
A reader of YCombinator Hacker News suggested that the “database” being discussed might be what was formerly known as “core-db.”
Craig Kerstiens of the PostgreSQL platform CrunchyData, a former employee of Heroku, is the reader in question.
According to Kerstiens, the internal database is referenced in the most recent report as “a database.”
“It appears [the attacker] had access to internal systems, but I don’t want to guess too much. It was discovered, noted, and reported to Heroku by GitHub. You can’t argue against the need for further clarity, but it would be wise to follow up with Salesforce on that.”
After being contacted by BleepingComputer, Kerstiens acknowledged writing these statements.
Clients refer to ambiguous disclosure as a “train crash.”
In its initial statement about the security breach, Heroku said that accounts using compromised OAuth tokens from Heroku had exploited GitHub repositories to gain unauthorised access.
The business has previously said that “The compromised tokens could give the threat actor access to customer GitHub repos, but not customer Heroku accounts.”
However, the password reset emails legitimately raised consumer worries that Heroku’s investigation might have turned up additional malicious activity by the threat actors that wasn’t being made public.
The disclosure was termed “a complete train wreck and a case study on how not to interact with your customers,” by some YCombinator Hacker News readers.
Heroku has started to shed some light on the issue in an effort to be more open with the community.
According to Heroku, “We embrace transparency and recognise that our customers are looking for a deeper understanding of the implications of this incident and our reaction thus far.”
The cloud platform added that it had reached a stage where more material could be disclosed without jeopardising the ongoing investigation after cooperating with GitHub, threat intelligence suppliers, industry partners, and law enforcement during the inquiry:
A different third-party integrator, Travis-CI, revealed, however, that no client data had been harmed by the event on the business day that followed GitHub’s initial notice.
Users of Heroku are urged to keep checking the security notification page for updates concerning the incident.
As of right now, Microsoft has admitted to signing a malicious driver that is disseminated in gaming contexts.
This “Netfilter”-named driver is actually a rootkit that has been seen interacting with Chinese C2 IP addresses.
Last week, the whole infosec. community joined G Data malware specialist Karsten Hahn in tracking down and analysing the malicious drivers that bore the Microsoft logo.
This incident exposed vulnerabilities to software supply-chain security once more, but this time it was caused by a flaw in the code-signing procedure used by Microsoft.
Rootkit “Netfilter” driver is Microsoft-signed.
A Microsoft signed driver dubbed “Netfilter” was detected last week by G Data’s cybersecurity alert systems as what at first glance appeared to be a false positive, but wasn’t.
The driver in question was observed interacting with C&C IPs based in China, which had no valid functionality and raised red flags.
This is when Karsten Hahn, a malware analyst at G Data, disclosed this publicly and contacted Microsoft at the same time:
Since Windows Vista, all code that operates in kernel mode must be tested and certified before being made available to the public in order to maintain the stability of the operating system.
According to Hahn, “Drivers without a Microsoft certificate cannot be deployed by default.”
At that time, BleepingComputer started tracking C2 URL behaviour and approached Microsoft for a comment.
A list of further routes (URLs), denoted by the pipe (“|”) symbol, are returned by the first C2 URL:
Each of these, in Hahn’s opinion, has a function:
The URL that ends in “/p” refers to proxy settings, “/s” offers encoded redirection IPs, “/h?” is for getting CPU-ID, “/c” offered a root certificate, and “/v?” refers to the malware’s self-updating capabilities.
For instance, as observed by BleepingComputer, the malicious Netfilter driver in question (residing at “/d3”) was accessible via the “/v?” path at the following URL:
After thoroughly examining the driver, the G Data researcher came to the conclusion that it was malware.
In a thorough blog post, the researcher examined the driver, its ability to self-update, and Indicators of Compromise (IOCs).
According to Hahn, the sample features a self-update routine that transmits its own MD5 hash to the server via the URL hxxp:/110.42.4.180:2081/v?v=6&m=.
An illustration of a request would be as follows:
hxxp:/110.42.4.180:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab
“The server then replies with either ‘OK’ if the sample is current or the URL for the most recent sample, such as hxxp:/110.42.4.180:2081/d6. As a result, the malware replaces its own file “further information from the researcher
Other malware specialists like Johann Aydinbas, Takahiro Haruyama, and Florian Roth worked with Hahn during his analysis.
Roth has offered YARA rules for recognising them in your network environments after being able to compile the list of samples in a spreadsheet.
Microsoft is looking at a bad actor who spreads harmful drivers inside of gaming environments.
“In order to be certified by the Windows Hardware Compatibility Program, the actor supplied drivers. A third party created the drivers.”
Microsoft stated yesterday, “We have stopped the account and checked their uploads for additional indicators of malware.”
Microsoft claims that the threat actor primarily targeted the gaming industry in China with these malicious drivers and that there is currently no evidence that enterprise environments have been impacted.
Microsoft is waiting before blaming nation-state actors for this incident.
Sophisticated threat actors may take advantage of falsely signed binaries to help launch extensive software supply-chain attacks.
A well-known event in which code-signing certificates were taken from Realtek and JMicron to assist the comprehensive Stuxnet attack on Iran’s nuclear programme.
However, this specific instance has shown flaws in a reliable code-signing procedure, which threat actors have exploited to obtain Microsoft-signed code without jeopardising any certifications.
In an attack just before the holidays, the accounts of over three million customers of the American appointment scheduling service FlexBooker were taken, and they are now being exchanged on hacker forums.
The same hackers are also selling databases they claim to be from two other organisations: the Australian case management system rediCASE and the racing media outlet Racing.com.
Holiday breaches before
A few days before Christmas, there were supposedly three breaches, and the intruder posted the information on a hacking forum.
A popular programme for booking appointments and syncing employee calendars, FlexBooker, appears to be the source of the most recent data dump.
Owners of any company that needs to plan appointments, such as accountants, barbers, doctors, mechanics, lawyers, dentists, gyms, salons, therapists, trainers, spas, and the list goes on, are among FlexBooker’s clients.
The group claiming responsibility for the attack appears to go by the name of Uawrongteam, and they published links to files and archives containing personal information, including pictures, driver’s licences, and other IDs.
The database, according to Uawrongteam, has a table with 10 million lines of client data, including everything from payment forms and charges to pictures taken for driver’s licences.
Names, emails, phone numbers, password salt, and hashed passwords are among the database’s “juicy columns,” according to the actor.
Customers of FlexBooker have received a data breach notification that confirms the attack and that data on the service’s Amazon cloud storage system was “accessed and downloaded” by the intruders.
The letter states that “our account on Amazon’s AWS servers was compromised on December 23, 2021, starting at 4:05 PM EST,” adding that the attackers did not obtain “any credit card or other payment card information.”
FlexBooker advised consumers to be on the lookout for strange or fraudulent activities, and to monitor account statements and credit reports.
For further information, the developer also directed users to a report on a distributed denial-of-service (DDoS) attack. It was then determined that some customers’ personal information had been obtained by the hackers.
The FlexBooker assault exposed email addresses, names, partial credit card information, passwords, and phone numbers for more than 3.7 million users, according to the data breach reporting service Have I Been Pwned.
Prior to FlexBooker, the threat actor known as Uawrongteam distributed links to material that was purportedly taken from Racing.com, a digital television station that broadcasts horse racing and offers news, stats, and event calendars associated with the sport.
The data from the Redbourne Gang’s rediCASE Case Management Software, which is utilised by numerous enterprises in addition to health and community agencies, looks to be another target of the same group.
Press Release
The New York Times reports that investigators are investigating whether solarwinds has been hacked via offices in Czech, Polish, and Belorussia, where many of the company’s engineering has taken place (NEW YORK TIMES).
Sources: investigators are checking if SolarWinds was hacked via its offices in Czechia, Poland, and Belarus, where the company moved much of its engineering — Those behind the widespread intrusion into government and corporate networks exploited seams in U.S. defenses and gave away nothing to American monitoring of their systems.
-
Social Media10 months agoWho is Rouba Saadeh?
-
Apps10 months agoWhy is Everyone Talking About Hindi Keyboards?
-
Social Media10 months agoMati Marroni Instagram Wiki (Model’s Age, Net Worth, Body Measurements, Marriage)
-
Entertainment10 months ago12 Online Streaming Sites that Serve as Best Alternatives to CouchTuner
-
Apps10 months agoThings you need to know about Marathi keyboard today
-
Apps10 months agoStuck with Your default Bangla keyboard? Isn’t it time for a change?
-
Entertainment10 months agoMovierulz Website: Movierulzz 2021 Latest Movies on Movierulz.com
-
Social Media10 months agoBrooke Daniells: Everything About Catherine Bell’s Partner