Cyber Bakery Chronicles

Keeping Up with Cybersecurity News with CyberBakery.net....Your Weekly Update.

Your Weekly Cybersecurity Update (06 December 2024)

  • Russian hackers hijack Pakistani hackers' servers for their own attacks
  • Brain Cipher claims a cyberattack on Deloitte: 1 terabyte of data
  • U.S. Officials Urge Encrypted Apps Amid Expanding Cyberattack
  • Cloudflare Suffers Major Log Loss Incident
  • New Phishing-as-a-Service Platform, Rockstar 2FA, Leverages AiTM Attacks

Russian hackers hijack Pakistani hackers' servers for their own attacks

In an unprecedented display of cyber-warfare, the Russian state-sponsored hacking group Turla, also known as Secret Blizzard, has exploited the infrastructure of its rival, the Pakistani group Storm-0156, to launch stealthy cyberattacks. This ingenious move not only highlights the sophisticated tactics used in modern cyber espionage but also exposes vulnerabilities within even the most advanced hacking operations. 

Turla, a notorious player in the world of cyber espionage, infiltrated Storm-0156’s command-and-control (C2) servers. This allowed them to repurpose the compromised servers to deliver malware to high-profile targets. By hijacking its rival’s infrastructure, Turla successfully masked its operations, making detection by security teams more difficult. 

The campaign primarily focused on government entities in Afghanistan and India, deploying advanced malware such as TinyTurla and TwoDash backdoors. Afghan organisations, including the Ministry of Foreign Affairs and the General Directorate of Intelligence, were among the primary targets. Indian government networks were also breached, with attackers using Wi-Fi pineapple tools and other advanced techniques to establish persistence.

What makes this operation particularly notable is Turla’s two-pronged approach:

Hijacking Infrastructure:

By exploiting Storm-0156’s compromised C2 servers, Turla avoided building its own infrastructure, reducing the risk of exposure and simplifying its campaign.

Turning the Tables:

Turla didn’t stop at using Storm-0156’s servers: it went further, infiltrating the Pakistani group’s internal systems. This gave it access to valuable tools, including CrimsonRAT, Go-based remote access software, and stolen credentials.

Chain of compromised targets (Source: Microsoft)

Why This Matters

This incident sheds light on a critical evolution in cyber espionage: attackers now target not only their traditional victims but also rival hacking groups. This tactic allows them to:

  • Exploit established footholds for stealthy operations.
  • Access new tools and data to enhance their own capabilities.
  • Evade detection by piggybacking on the activities of another group.

For Storm-0156, this attack exposes a glaring vulnerability: even nation-state hacking groups are not immune to breaches. Turla’s move highlights the need for cybersecurity practices even among threat actors themselves. 

Overview of Turla’s operations from within Storm-0156’s infrastructure (Source: Lumen)

Turla’s actions have far-reaching consequences:

For Cybersecurity Professionals:

The incident underscores the importance of monitoring unusual C2 activity and strengthening defences against advanced threats.

For Governments and Organisations:

The campaign highlights the persistent risks of state-sponsored cyber espionage and the need for proactive measures to secure critical infrastructure.

For the Cybercrime Ecosystem:

It reveals a competitive, cutthroat environment where even allies or neutral actors can become adversaries, complicating the landscape of cyber warfare. 

This case is a stark reminder of the ever-evolving nature of cyber espionage. With adversaries increasingly turning against each other, organisations must stay vigilant, invest in robust cybersecurity measures, and foster global collaboration. Turla’s hijacking of Storm-0156’s servers exemplifies the complexity and sophistication of modern cyber campaigns, signalling a need for heightened awareness and preparedness across all sectors. 


Brain Cipher claims a cyberattack on Deloitte: 1 terabyte of data

The Brain Cipher ransomware group claims to have breached Deloitte’s UK operations, exfiltrating 1 terabyte (TB) of data. While Deloitte has not yet confirmed the breach, a countdown on Brain Cipher’s dark website suggests the data will be publicly released within 10 days. 

The Attack:

  • Brain Cipher claims Deloitte failed to uphold basic cybersecurity practices, allowing them to infiltrate systems relatively easily.
  • The ransomware group suggests they still maintain persistence within Deloitte’s networks.
  • Stolen data reportedly includes internal security protocols and client-sensitive information. 

Threat Actor Profile:

  • Brain Cipher is a relatively new player in the ransomware space. In June 2024, it attacked Indonesia’s National Data Centre, impacting over 200 government agencies.
  • Known for their bold tactics, they often criticise victims for lax cybersecurity measures.

This incident underscores that even cybersecurity giants are not immune to sophisticated attacks. The countdown is on, and businesses globally should reassess their defences to stay ahead of emerging threats. 


U.S. Officials Urge Encrypted Apps Amid Expanding Cyberattack

A recent high-profile cyberattack, identified as “Salt Typhoon,” has prompted U.S. officials to advise citizens and organisations to adopt encrypted communication platforms. This marks a significant departure from historical hesitance toward encryption by government agencies like the FBI and Cybersecurity and Infrastructure Security Agency (CISA). 

Here’s what you need to know:

The Attack:

Salt Typhoon, attributed to Chinese state-sponsored hackers, targeted major U.S. telecommunications companies. The breaches compromised sensitive communications and impacted government officials, private individuals, and businesses.

Scope of Impact:

The attack highlights systemic vulnerabilities within the U.S. telecom infrastructure. Hackers exploited weak security protocols, gaining access to sensitive data and disrupting critical communications.

Government Response:

In response to the escalating threat, the FBI and CISA have strongly recommended the use of encrypted messaging apps. This shift indicates an urgent need for citizens to adopt secure communication practices, including apps with end-to-end encryption.

The Bigger Picture:

Experts argue this attack serves as a wake-up call for the United States to overhaul its cybersecurity policies and infrastructure. Calls for stricter regulations on telecom providers and investments in more resilient, secure networks are growing louder.

What This Means for You:

Whether you’re a business owner, government worker, or private citizen, this attack emphasises the importance of prioritising cybersecurity:

    • Use encrypted apps like Signal or WhatsApp for sensitive communications.
    • Regularly update devices and software to protect against known vulnerabilities.
    • Stay informed about potential threats and best practices in cybersecurity.

Key Takeaway:

The Salt Typhoon attack underscores a critical gap in U.S. cyber defences. By adopting encrypted communication tools and demanding systemic improvements, Americans can reduce exposure to future threats.


Cloudflare Suffers Major Log Loss Incident

Cloudflare, a major internet infrastructure company, experienced a significant outage in its log collection service on November 14, 2024. This outage resulted in the loss of approximately 55% of customer logs over a 3.5-hour period.

The Root Cause:

The incident was triggered by a misconfiguration in the Logfwdr system, a key component responsible for forwarding logs to downstream systems. This misconfiguration led to a cascade of failures:

  1. Blank Configuration: A bug in the configuration update caused Logfwdr to believe there were no customers configured for log forwarding, leading to the discarding of logs.
  2. Failsafe Overload: The failsafe mechanism designed to prevent data loss was overwhelmed by the sudden influx of logs, leading to its failure.
  3. Buftee Outage: The Buftee system, responsible for buffering logs, was unable to handle the increased load and shut down, further exacerbating the issue.

Impact on Customers:

The loss of logs can have significant consequences for customers who rely on these logs for security analysis, troubleshooting, and performance optimisation. While Cloudflare has taken steps to mitigate future incidents, the impact of this outage highlights the importance of robust logging and monitoring systems.

Lessons Learned and Future Improvements:

Cloudflare has implemented several measures to prevent similar incidents in the future:

    • Misconfiguration Detection: A new system will monitor for anomalies in log forwarding configurations.
    • Buftee Configuration: Buftee will be configured to handle unexpected spikes in log volume.
    • Regular Overload Testing: Cloudflare will conduct regular tests to ensure the resilience of its systems.

This incident underscores the critical role that reliable logging plays in modern cybersecurity and highlights the need for robust fail-safe mechanisms to prevent data loss.
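The cascade described above (a blank configuration that silently discards logs, a failsafe that floods the buffer, and a buffer that collapses under the load) and the three mitigations under Lessons Learned can be seen in a small simulation. The code below is an added example written for this newsletter, not Cloudflare's own code; Logfwdr and Buftee are used only as labels, and the validation rule, buffer policy and sample traffic are constructed assumptions.

```python
"""Toy log-forwarding pipeline (constructed example, not Cloudflare code).

It shows the defensive pattern behind Cloudflare's stated fixes: refuse a
suspicious configuration update instead of acting on it, and cap the buffer
so overload is counted and shed rather than allowed to kill the service.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwarderConfig:
    customers: frozenset  # customer IDs that have log forwarding enabled


class ConfigRejected(Exception):
    """Raised when an update looks like a misconfiguration."""


def validate_config_update(current: ForwarderConfig, proposed: ForwarderConfig,
                           max_drop_ratio: float = 0.5) -> ForwarderConfig:
    """Misconfiguration detection (assumed rule): refuse an update that removes
    every customer, or more than max_drop_ratio of them, so the last good
    config stays active instead of the forwarder silently dropping logs."""
    if current.customers and not proposed.customers:
        raise ConfigRejected(
            f"blank configuration: 0 customers (previously {len(current.customers)})")
    if current.customers:
        dropped = len(current.customers - proposed.customers) / len(current.customers)
        if dropped > max_drop_ratio:
            raise ConfigRejected(f"{dropped:.0%} of customers removed in one update")
    return proposed


class BoundedBuffer:
    """Buftee-style buffer with a hard capacity (assumed policy): overflow is
    counted and shed, so a spike degrades throughput instead of crashing."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.queue = deque()
        self.shed = 0  # events refused because the buffer was full

    def push(self, event) -> bool:
        if len(self.queue) >= self.capacity:
            self.shed += 1
            return False
        self.queue.append(event)
        return True

    def drain(self) -> list:
        items = list(self.queue)
        self.queue.clear()
        return items


@dataclass
class ForwardStats:
    forwarded: int = 0     # events accepted into the buffer
    unconfigured: int = 0  # events for customers without forwarding enabled
    shed: int = 0          # events dropped by the bounded buffer


def forward(events, config: ForwarderConfig, buf: BoundedBuffer) -> ForwardStats:
    """Forward only events belonging to configured customers. Events for
    non-configured customers are dropped by design but counted: a sudden
    jump in this counter is itself the alarm a blank config would trigger."""
    stats = ForwardStats()
    for customer, line in events:
        if customer not in config.customers:
            stats.unconfigured += 1
            continue
        if buf.push((customer, line)):
            stats.forwarded += 1
    stats.shed = buf.shed
    return stats


def run_demo() -> dict:
    """Replay the incident shape: a blank config update, then a traffic spike."""
    good = ForwarderConfig(frozenset({"cust-a", "cust-b", "cust-c"}))
    # 1. The blank update is rejected; the last good config stays active.
    try:
        active = validate_config_update(good, ForwarderConfig(frozenset()))
    except ConfigRejected:
        active = good
    # 2. Constructed traffic: a 250-event burst from one customer, plus one
    #    event from a customer that never enabled forwarding.
    events = [("cust-a", f"req {i}") for i in range(250)] + [("cust-z", "req 0")]
    buf = BoundedBuffer(capacity=100)
    stats = forward(events, active, buf)
    return {"active_customers": len(active.customers), "forwarded": stats.forwarded,
            "shed": stats.shed, "unconfigured": stats.unconfigured}


if __name__ == "__main__":
    print(run_demo())
```

The point of the validation step is that a forwarder should treat "zero customers" as an anomaly to alert on, not as a valid instruction to discard everything; the point of the bounded buffer is that shedding a known, counted fraction of events under overload is recoverable, while an unbounded queue that takes the whole buffering service down is not.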


New Phishing-as-a-Service Platform, Rockstar 2FA, Leverages AiTM Attacks

A new phishing-as-a-service (PhaaS) platform, known as Rockstar 2FA, has emerged, enabling cybercriminals to launch sophisticated phishing attacks targeting Microsoft 365 accounts.

How Rockstar 2FA Works:

  • AiTM Attacks: The platform facilitates adversary-in-the-middle (AiTM) attacks, allowing attackers to intercept authentication requests and steal session cookies.
  • Phishing Page Deployment: The platform provides tools to create and deploy highly convincing phishing pages that mimic legitimate Microsoft 365 login pages.
  • Credential Theft: Once a victim enters their credentials on the fake page, the attacker captures them and uses them to access the victim's account.
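The session-cookie theft in the first bullet is what makes AiTM kits dangerous even where MFA is enforced: the proxied login completes MFA legitimately, and the attacker then replays the resulting session from their own client. From the defender's side, the footprint is the same session id appearing from a second IP address and browser shortly after the interactive sign-in. The detection sketch below is an added example written for this newsletter, not part of Rockstar 2FA or any vendor's product; the log lines are constructed and the field names are assumptions rather than a specific product's schema.

```python
"""Detect a session being replayed from a second client (constructed example).

Input: JSON activity-log lines with assumed fields ts, user, event, session,
ip, ua. The rule flags any session used from a different (ip, ua) than the
interactive sign-in that created it, within a time window of that sign-in.
"""
import json
from datetime import datetime, timedelta

# Constructed log lines: alice signs in with MFA from her own browser, then
# the same session id is used minutes later from another IP with curl and an
# inbox rule is created; bob's session is only ever used from one client.
SAMPLE_LOGS = [
    '{"ts":"2024-12-02T09:00:00Z","user":"alice@example.test","event":"signin",'
    '"session":"S1","ip":"203.0.113.10","ua":"Edge/131","mfa":true}',
    '{"ts":"2024-12-02T09:01:10Z","user":"alice@example.test","event":"mail.read",'
    '"session":"S1","ip":"203.0.113.10","ua":"Edge/131"}',
    '{"ts":"2024-12-02T09:04:30Z","user":"alice@example.test","event":"mail.read",'
    '"session":"S1","ip":"198.51.100.77","ua":"curl/8.4"}',
    '{"ts":"2024-12-02T09:05:00Z","user":"alice@example.test","event":"inbox_rule.create",'
    '"session":"S1","ip":"198.51.100.77","ua":"curl/8.4"}',
    '{"ts":"2024-12-02T10:00:00Z","user":"bob@example.test","event":"signin",'
    '"session":"S2","ip":"203.0.113.20","ua":"Chrome/131","mfa":true}',
    '{"ts":"2024-12-02T10:30:00Z","user":"bob@example.test","event":"mail.read",'
    '"session":"S2","ip":"203.0.113.20","ua":"Chrome/131"}',
]


def parse(lines):
    """Parse JSON lines and return events sorted by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(lines, window=timedelta(hours=1)):
    """Return one finding per session that is used from a client (ip, ua)
    other than the one that performed the interactive sign-in, within
    `window` of that sign-in.

    A legitimate network change (laptop moving to mobile tethering) changes
    the IP too, which is why the user-agent change is part of the rule; even
    so, treat the result as a lead to triage, not proof on its own."""
    origin = {}    # session id -> (ts, ip, ua) of the interactive sign-in
    findings = []
    flagged = set()
    for e in parse(lines):
        sid = e["session"]
        if e["event"] == "signin":
            origin[sid] = (e["ts"], e["ip"], e["ua"])
            continue
        if sid not in origin or sid in flagged:
            continue  # no sign-in seen for this session, or already reported
        ts0, ip0, ua0 = origin[sid]
        if e["ts"] - ts0 <= window and (e["ip"] != ip0 or e["ua"] != ua0):
            flagged.add(sid)
            findings.append({
                "user": e["user"],
                "session": sid,
                "signin_ip": ip0,
                "replay_ip": e["ip"],
                "replay_ua": e["ua"],
                "first_event": e["event"],
                "minutes_after_signin": (e["ts"] - ts0).total_seconds() / 60,
            })
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_LOGS):
        print(f)
```

Run on the constructed lines, the rule reports alice's session S1 used from 198.51.100.77 with a curl user agent 4.5 minutes after her MFA sign-in, and nothing for bob. Two things are worth pairing with a rule like this: phishing-resistant MFA (FIDO2 security keys or passkeys, whose credential is bound to the real site's origin so a proxied login page cannot complete the challenge), and a second signal for the usual follow-on action, such as the inbox-rule creation in the sample, which an AiTM operator typically performs right after gaining the session.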

Key Features of Rockstar 2FA:

  • Advanced Phishing Techniques: The platform offers features like Cloudflare Turnstile integration to bypass bot detection and enhance the legitimacy of phishing pages.
  • Automated Delivery: It automates the delivery of phishing emails using various methods, including compromised accounts and legitimate email marketing platforms.
  • User-Friendly Interface: The platform's user-friendly interface makes it easy for cybercriminals to launch and manage phishing campaigns.

The Growing Threat:

The emergence of Rockstar 2FA underscores the ongoing threat posed by phishing attacks. Cybercriminals continue to refine their techniques, making it increasingly difficult to distinguish between legitimate and malicious emails.

Protecting Yourself:

To protect yourself from phishing attacks, consider the following tips:

  • Be Cautious of Unexpected Emails: Be wary of unsolicited emails, especially those that claim to be from trusted organisations.
  • Verify the Sender: Double-check the sender's email address and look for any inconsistencies or typos.
  • Avoid Clicking Suspicious Links: Never click on links or download attachments from unknown or suspicious sources.
  • Use Strong, Unique Passwords: Create strong, unique passwords for all your online accounts.
  • Enable Two-Factor Authentication: Use two-factor authentication to add an extra layer of security.
  • Stay Informed: Keep up-to-date with the latest cybersecurity news and trends.

By staying vigilant and following these best practices, you can significantly reduce your risk of falling victim to phishing attacks.


Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it.

Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

Let’s make 2024 the year of shared knowledge and community growth.