Background and Sentence: Arion Kurtaj, a member of the Lapsus$ cybercrime group, was given an indefinite hospital order by a UK judge, meaning he will be held in a secure hospital until doctors deem him no longer a danger. Kurtaj, 18 and autistic, played a key role in leaking assets from the unreleased video game Grand Theft Auto VI. The court judged him a high risk to the public because of his cybercriminal skills and his stated intent to keep using them.
Mental Health Assessment and Criminal Intent: Because of his autism, Kurtaj was deemed unfit to stand trial, and a mental health assessment concluded that he remains highly motivated to return to cybercrime. The jury was therefore asked only to decide whether he had done the acts alleged, not whether he acted with criminal intent.
Collaboration in High-Profile Breaches: Kurtaj collaborated with another unnamed minor in breaching tech giants and telecom companies, including NVIDIA and BT/EE, and attempted extortion. The minor received an 18-month Youth Rehabilitation Order with strict supervision and a ban on VPN usage.
Lapsus$ Group's Notoriety: Lapsus$ is known for high-profile cyberattacks on companies like Okta, Uber, and Microsoft, often stealing and leaking data for extortion. Kurtaj, arrested twice in 2022, was a significant member of this group.
36 Million Individuals Affected: The Xfinity data breach, in which attackers exploited the CitrixBleed vulnerability, affected approximately 36 million individuals. Comcast reported that figure to the Maine Attorney General's Office; it suggests that almost all Xfinity customers, and possibly some employees, were affected.
Vulnerability Exploited for Unauthorized Access: The attackers exploited CVE-2023-4966, known as CitrixBleed, in Citrix NetScaler ADC and NetScaler Gateway. Citrix released patches in October 2023, but the bug had been exploited in the wild since at least August. Because CitrixBleed leaks session tokens from the appliance's memory, patching alone does not evict an attacker who already holds a valid session; existing sessions must be terminated after the update.
Data Compromised in the Breach: The attackers gained unauthorized access to customer usernames, hashed passwords, names, dates of birth, contact information, secret questions and answers, and the last four digits of Social Security numbers.
Security Measures and Unclear Ransom Demand: Comcast required customers to reset their passwords after the incident, but it is unclear whether a ransom demand was made or how the incident affected the company's operations. There is also no confirmation that Comcast filed a Form 8-K with the U.S. Securities and Exchange Commission under the SEC's new cybersecurity incident disclosure rule.
Vulnerability Exploitation Technique: Truffle Security disclosed a weakness in Google OAuth sign-in that lets a user create a shadow Google account from a corporate email alias using plus-addressing (a "+tag" appended to the local part of the address, which mail servers deliver to the original mailbox). Such accounts are invisible to the organization's Google Workspace administrators, so they keep working for "Sign in with Google" on applications such as Slack and Zoom after the real account is off-boarded.
Detailed Exploitation Process: An employee, or an attacker who controls the mailbox, registers an ordinary non-Workspace Google account with the plus-addressed variant of the company email. Google verifies the address by sending a confirmation email, which succeeds because the alias delivers to the same mailbox. Because the account is not managed by the organization, off-boarding does not remove it. The root cause is how Google distinguishes a verified email claim from a verified domain: relying parties that match users on the email domain alone, and that create accounts just-in-time on first login, accept the shadow identity as the departed employee.
Organizational and Service Provider Remediations: Organizations are advised to disable "Login with Google" for their SaaS applications and enforce SAML single sign-on instead, so that access ends when the identity provider account does. Service providers should require and check the ID token's "hd" (hosted domain) claim, which Google sets only for accounts managed by a Workspace or Cloud organization, and should stop creating accounts just-in-time on first login.
Google's Potential Responses: Google could address the issue broadly by refusing to create consumer Google accounts on domains that already belong to a Workspace organization, or by adding administration settings that let organizations control such account creation.
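The relying-party checks above, as an added example that is not Truffle Security's or Google's code. It operates on the claims of a Google ID token whose signature, expiry and nonce are assumed to have already been verified by a JWT library against Google's JWKS, and contrasts the weak domain-suffix check that accepts the shadow account with a hardened check that requires the "hd" claim, matches the directory on the canonical address, binds each user to a Google "sub", and refuses just-in-time provisioning. The domain, client ID, directory entries and both tokens are constructed for illustration.

```javascript
// Added example: relying-party login decisions on verified Google ID token claims.
// Assumed values for a hypothetical tenant; not from the article or from Google.
const CORPORATE_DOMAIN = 'example.com';
const CLIENT_ID = 'hypothetical-client-id.apps.googleusercontent.com';

// Provisioned users keyed by canonical email, with the Google `sub` each was
// first linked to (null until the first successful login binds it).
const DIRECTORY = new Map([
  ['alice@example.com', '100000000000000000001'],
  ['bob@example.com', null],
]);

// Weak check: any email-verified Google account whose address ends in the
// company domain is accepted, and unknown users are created on the spot (JIT).
function weakLogin(claims, directory = DIRECTORY) {
  if (claims.email_verified !== true) return { ok: false, reason: 'email not verified' };
  const domain = claims.email.split('@')[1];
  if (domain !== CORPORATE_DOMAIN) return { ok: false, reason: 'foreign domain' };
  return { ok: true, user: claims.email, provisioned: !directory.has(claims.email) };
}

// Strip plus-addressing so alice+slack@ cannot pass as a second alice.
function canonicalEmail(email) {
  const [local, domain] = email.toLowerCase().split('@');
  return `${local.split('+')[0]}@${domain}`;
}

// Hardened check following the disclosure's advice for service providers.
function hardenedLogin(claims, directory = DIRECTORY) {
  if (!['https://accounts.google.com', 'accounts.google.com'].includes(claims.iss))
    return { ok: false, reason: 'unexpected issuer' };
  if (claims.aud !== CLIENT_ID) return { ok: false, reason: 'token not issued for this client' };
  if (claims.email_verified !== true) return { ok: false, reason: 'email not verified' };
  // `hd` is only present for accounts managed by a Workspace/Cloud organization,
  // so a consumer account created on a plus-addressed alias fails here.
  if (claims.hd !== CORPORATE_DOMAIN)
    return { ok: false, reason: 'hd claim missing or wrong: not a managed Workspace account' };
  if (typeof claims.email !== 'string' || !claims.email.includes('@'))
    return { ok: false, reason: 'malformed email claim' };
  const email = canonicalEmail(claims.email);
  if (!email.endsWith('@' + CORPORATE_DOMAIN)) return { ok: false, reason: 'email does not match hd' };
  if (!directory.has(email)) return { ok: false, reason: 'user not provisioned (no JIT creation)' };
  const boundSub = directory.get(email);
  if (boundSub !== null && boundSub !== claims.sub)
    return { ok: false, reason: 'email already bound to a different Google account' };
  return { ok: true, user: email, provisioned: false };
}

// Constructed tokens: a managed Workspace login, and a shadow account created by
// registering a consumer Google account on the plus-addressed alias (no `hd`).
const WORKSPACE_TOKEN = { iss: 'https://accounts.google.com', aud: CLIENT_ID,
  sub: '100000000000000000001', email: 'alice@example.com', email_verified: true, hd: 'example.com' };
const SHADOW_TOKEN = { iss: 'https://accounts.google.com', aud: CLIENT_ID,
  sub: '100000000000000000777', email: 'alice+slack@example.com', email_verified: true };

function demo() {
  return {
    weakShadow: weakLogin(SHADOW_TOKEN),          // accepted and JIT-provisioned
    hardenedShadow: hardenedLogin(SHADOW_TOKEN),  // rejected: no hd claim
    hardenedWorkspace: hardenedLogin(WORKSPACE_TOKEN),
  };
}
```

Binding on `sub` matters even with the `hd` check in place: if the organization ever lets a second Google identity carry the same canonical address, the stored `sub` stops it from silently inheriting the first user's account.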
Library Compromise and User Warning: Ledger discovered that its Connect Kit JavaScript library had been compromised and immediately warned users not to interact with any web3 dApps. It replaced the compromised package with a clean release (1.1.8) and advised users to confirm that a dApp is using the safe version before interacting with it.
Response and Security Measures: Ledger deployed a fix within about 40 minutes of becoming aware of the compromise. Its hardware wallets and the Ledger Live application were not affected. Ledger reported the attacker's wallet addresses, and Tether froze the stolen USDT.
Technical Execution of the Attack: The attack relies on web injections: a script that targets a page structure common to many banks' login pages. The malware waits until the user visits a targeted banking site, then injects content into the page to intercept credentials. The injected loader is obfuscated and fetches the main script from a remote server, which makes static detection harder. That script communicates with its command-and-control server throughout the session and adjusts its actions according to the server's responses and the current state of the page.
Complex Attack Flow and Evasion Methods: The script's behaviour is driven by an "mlink" flag returned by the server, which selects actions such as injecting prompts for a phone number or OTP token, displaying error messages to discourage the victim from accessing the account, or showing a page-loading overlay. Once it has run, the script removes traces of its presence from the page, which lets the campaign adapt per victim and stay undetected.
Impact and Precautionary Measures: The campaign is a significant threat to financial institutions and their customers, with potential for substantial financial loss and data compromise. Users should treat unexpected prompts for phone numbers or one-time codes as suspicious, report unusual account activity, and follow good password and email hygiene.
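A defender-side counterpart to the behaviour described above, as an added example that is not from the original article or the research it summarizes: a DOM monitor meant to ship in the bank's own page bundle that flags the injection stages the summary names (a script tag fetched from a non-allowlisted origin, an inline script added after load, a full-page overlay, and a new prompt asking for a phone number or one-time code). It records findings the moment a node is added, so a script that later removes its traces has already been reported. The allowed origins, the report endpoint, the viewport heuristic and the sample nodes are constructed for a hypothetical banking site.

```javascript
// Added example: DOM monitor for web-injection indicators. Assumed values for a
// hypothetical bank; not from the article or the report it summarizes.
const ALLOWED_SCRIPT_ORIGINS = [
  'https://www.example-bank.test',
  'https://static.example-bank.test',
];
const CREDENTIAL_PROMPT = /\b(one[- ]?time|otp|sms code|phone number|token)\b/i;

function originOf(src) {
  try { return new URL(src).origin; } catch { return null; }
}

// Classify a node given as a plain descriptor:
// { tag, src, text, hasInput, fixed, coversViewport }
function classifyNode(node, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  if (node.tag === 'SCRIPT') {
    if (!node.src) findings.push('inline-script-added-after-load');
    else if (!allowed.includes(originOf(node.src)))
      findings.push('script-from-unlisted-origin:' + (originOf(node.src) || node.src));
  }
  if (node.tag === 'IFRAME' && !allowed.includes(originOf(node.src)))
    findings.push('iframe-from-unlisted-origin');
  if (node.fixed && node.coversViewport) findings.push('full-page-overlay');
  if (node.hasInput && CREDENTIAL_PROMPT.test(node.text || ''))
    findings.push('unexpected-credential-prompt');
  return findings;
}

// Build the descriptor from a real Element (browser only; `view` is window).
function describeElement(el, view) {
  const style = view.getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return {
    tag: el.tagName,
    src: el.getAttribute('src') || '',
    text: el.textContent || '',
    hasInput: el.tagName === 'INPUT' || el.querySelector('input') !== null,
    fixed: style.position === 'fixed',
    coversViewport: rect.width >= view.innerWidth * 0.9 && rect.height >= view.innerHeight * 0.9,
  };
}

// Observe the document and report each finding immediately; sendBeacon is used
// so the report survives the page being unloaded. Start after the legitimate
// bundle has finished loading, otherwise its own scripts produce noise.
function startMonitor(doc, view, reportUrl) {
  const observer = new view.MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.nodeType !== 1) continue; // elements only
        const findings = classifyNode(describeElement(n, view));
        if (findings.length && view.navigator.sendBeacon)
          view.navigator.sendBeacon(reportUrl, JSON.stringify({ findings, path: view.location.pathname }));
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample of what the observer would see during an injection.
const SAMPLE_NODES = [
  { tag: 'SCRIPT', src: 'https://static.example-bank.test/app.js' },        // legitimate
  { tag: 'SCRIPT', src: 'https://cdn.not-the-bank.test/loader.js' },         // remote payload
  { tag: 'SCRIPT', src: '' },                                               // inline loader
  { tag: 'DIV', fixed: true, coversViewport: true, text: 'Loading...' },    // overlay
  { tag: 'DIV', hasInput: true, text: 'Enter the one-time code sent to your phone number' },
];

function auditSample() {
  return SAMPLE_NODES.map((n) => classifyNode(n)).filter((f) => f.length);
}
```

This is detection, not prevention: the injected script runs in the same JavaScript context and could disconnect the observer, so the reports must go to the server immediately and be correlated there. A Content-Security-Policy with a nonce- or allowlist-based script-src blocks the remote-loader stage outright and is the stronger control; the monitor is for the cases that policy cannot express, such as overlays and prompts built from allowed scripts.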