Binance Hack, Data Leak and Supply Chain Attack - F5 SIRT This Week in Security - Oct 1st to Oct 7th

This Week in Security

October 1st to October 7th, 2022

Binance Hack, Data Leak, Critical Vulnerability and Supply Chain Attack


Hello everyone, this week your editor is Dharminder.

I am back again with another edition of This Week in Security. This time I have security news about a critical vulnerability, a supply chain attack, the Binance blockchain hack and the DNS data leak.

We in F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

OK, so let's get started with the details of this week's security news. Before we start, a gentle reminder about the upcoming Quarterly Security Notification on 19th October 2022.


Fortinet - Remote Authentication Bypass Critical Vulnerability

Fortinet is in the news lately for a critical vulnerability affecting several of its products and software versions. Fortinet has published software versions that fix the remote authentication bypass vulnerability, but because the vulnerability is being exploited, Fortinet has recommended that all of its customers update their software immediately.

As per the advisory published by Fortinet, the CVSS score of this vulnerability is 9.6 and the CWE is "CWE-288: Authentication Bypass Using an Alternate Path or Channel". From the CVSS scoring you can see that an attacker can perform the attack remotely and that no authentication is required; the impact on confidentiality, integrity and availability is high. Fortinet has provided indicators of compromise (IOCs) in the advisory so that customers can look for those log entries and, if required, contact Fortinet customer support for help. So if you are a Fortinet customer, follow the advisory and update the software.

Below is the list of vulnerable and fixed versions.

Vulnerable versions: 

FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0

Fixed Versions:

FortiOS version 7.2.2 or above
FortiOS version 7.0.7 or above
FortiProxy version 7.2.1 or above
FortiProxy version 7.0.7 or above
FortiSwitchManager version 7.2.1 or above
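As an added example (my own code, not part of the F5 SIRT post or of Fortinet's advisory), the version lists above can be turned into a simple inventory check that flags any product/version pair falling inside the listed vulnerable ranges. It assumes version strings in the plain "7.0.6" form and uses a constructed sample inventory.

```python
# Added example (not from the F5 SIRT post): check a Fortinet product/version
# string against the vulnerable ranges listed above. The ranges are copied from
# the post; the function names and the sample inventory are my own.

# Inclusive (low, high) version ranges listed as vulnerable above.
VULNERABLE_RANGES = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}


def parse_version(text):
    """Turn '7.0.6' or 'v7.0.6' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product, version):
    """Return True if (product, version) falls inside a listed vulnerable range.

    Unknown products raise, so nothing is silently reported as safe.
    """
    if product not in VULNERABLE_RANGES:
        raise KeyError(f"{product} is not covered by this advisory summary")
    v = parse_version(version)
    return any(low <= v <= high for low, high in VULNERABLE_RANGES[product])


def triage(inventory):
    """Map hostname -> 'vulnerable' / 'not listed' for (host, product, version) rows."""
    return {host: ("vulnerable" if is_vulnerable(prod, ver) else "not listed")
            for host, prod, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fw-edge-1", "FortiOS", "7.0.6"),
        ("fw-edge-2", "FortiOS", "7.0.7"),
        ("proxy-1", "FortiProxy", "7.2.0"),
        ("swm-1", "FortiSwitchManager", "7.2.1"),
    ]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

A verdict of "not listed" only means the version lies outside the ranges in this post (for example an older release train the post does not mention), not that it is confirmed fixed; treat the Fortinet advisory as the authoritative source.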


Supply Chain Attack by LofyGang

These days we have been hearing a lot about supply chain attacks, and another addition to that list is LofyGang's supply chain attack. A researcher from Checkmarx has discovered approximately 200 malicious packages, including password stealers and persistent malware, on code hosting platforms such as NPM and GitHub. As per the researcher, all these malicious packages are linked to LofyGang, and their main focus was to steal and share stolen credit cards and credentials for gaming and streaming platforms such as Disney+.

Interestingly, LofyGang has a YouTube channel where it has hosted many video tutorials on how to use its hacking tools. A bot named "Lofy Boost" on Discord can be used by channel members to purchase Nitro using a stolen credit card on behalf of the user. The stolen credit cards come from NPM supply chain infections and from backdoored hacking tools on GitHub. Many of the NPM packages impersonate Discord development packages or packages for colour, string and file operations. Tools promoted by the gang on GitHub include a Discord spammer, a Nitro generator, a password stealer, a Discord token grabber and a Discord webhook hiding module.

Let's discuss the Discord malware. Per the researcher, it replaces the legitimate version of the Discord app on the infected system with a malicious version, which then steals credit card information every time the user pays for a subscription. The researcher has also identified that in most cases, instead of infecting the main package, the malware was fetched as a dependency.

Knowing how LofyGang carried out this supply chain attack, and given the increase in supply chain attacks overall, it is best for us to be extra cautious and to help each other by sharing knowledge so we can better tackle these and many other types of attack.


Binance Blockchain Bridge hacked

If you deal in cryptocurrency, especially in Binance coins, then this news is for you. As per the reports, BNB Smart Chain was paused by Binance due to a security incident in which hackers stole 2 million Binance Coins (BNB), worth $566 million, from the Binance Bridge. As per the reports, the hackers received a total of 2 million BNB in two transactions of 1 million each. Soon after receiving the BNB, the hacker began spreading some of the funds across a variety of liquidity pools, attempting to convert the BNB into other assets.

The security incident was also acknowledged by the CEO of Binance on Twitter. In his tweet he mentioned: "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." He also mentioned that the issue has been contained and funds are safe.

Although Binance has confirmed that it will provide a postmortem report in future, meanwhile the Binance website states: "There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as “BSC Token Hub.” A total of 2 million BNB were withdrawn. The exploit was through a sophisticated forging of the low level proof into one common library."

Hopefully all cryptocurrency players will be extra cautious after this security incident and take extra steps to avoid such incidents.


Russian Retail chain 'DNS' data leaked online

DNS (Digital Network System), Russia's second-largest computer and home appliance store chain, with 2,000 branches and 35,000 employees, recently suffered a data breach. Personal data belonging to both customers and employees was leaked, including usernames, passwords, names, phone numbers and email addresses. DNS, the company, has confirmed that the attack was carried out by a group of hackers from servers located outside the Russian Federation. It also stated that user passwords were not affected, and that customers' payment information, which is not stored on DNS servers, could not have been affected.

According to some posts, a pro-Ukrainian hacker group 'NLB team' was responsible for the attack. So most likely this data breach is a result of the cyber war between pro-Ukrainian and pro-Russian hacking groups, which has been going on since the war between Russia and Ukraine started.

Published Oct 13, 2022
Version 1.0