Chinese smart TV boxes infected with malware in PEACHPIT ad fraud campaign

Infosec in brief Bot defense software vendor Human Security last week detailed an attack that “sold off-brand mobile and Connected TV (CTV) devices on popular online retailers and resale sites … preloaded with a known malware called Triada.”

Human named the campaign to infect and distribute the Android devices BADBOX. The infected devices were sold for under $50. Human’s researchers found over 200 models with pre-installed malware, and when it went shopping for seven particular devices found that 80 percent of units were infected with BADBOX.

Analysis of infected devices yielded intel on an ad fraud module Human’s researchers named PEACHPIT. At its peak, PEACHPIT ran on a botnet spanning 121,000 devices a day on Android. The attackers also created malicious iOS apps, which ran on 159,000 Apple devices a day at the peak of the PEACHPIT campaign.

Those infected devices delivered over four billion ads a day – all invisible to users.

Human Security’s technical report [PDF] on BADBOX and PEACHPIT describes the campaign: “A Chinese manufacturer (possibly many manufacturers) builds a wide variety of Android-based devices, including phones, tablets, and CTV boxes.

“At some point between the manufacturing of these products and their delivery to resellers, physical retail stores and e-commerce warehouses, a firmware backdoor … gets installed and the product boxes are sealed in plastic, priming these devices for fraud on arrival at their destination.”

Human Security worked with Apple and Google to disrupt PEACHPIT, but warned BADBOX devices remain plentiful.

“Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plug it in, and unknowingly open this backdoor malware,” wrote Human Security’s Rosemary Cipriano. “This malware can be used to steal PII, run hidden bots, create residential proxy exit peers, steal cookies and one-time passwords, and more unique fraud schemes.”

– Simon Sharwood

It’s been four months since mass exploitation of vulnerabilities in Progress Software’s MOVEit file transfer software was publicly announced, and only a little more recent that the Clop ransomware gang added Sony to its list of victims.

In early October Sony admitted it was a victim. In a breach notification filed with the US state of Maine, Sony admitted that 6,791 of its US employees had their data exposed due to the MOVEit vulnerability, which was vulnerable to an SQL injection attack allowing hackers to elevate their privileges and gain unauthorized access to target environments.

As of late July, more than 400 organizations and 20 million individuals had fallen prey to the MOVEit vulnerability – including high-profile customers like Sony, energy provider Shell and the US Department of Energy.

According to the breach letter sent to Sony employees and their family members, Sony Interactive Entertainment – the subsidiary dealing with video games and consoles like the PlayStation – had its MOVEit environment compromised as early as May 28, just a few days before Progress announced the vulnerability. It took Sony until June 2 to discover it had been affected, at which time it immediately took its MOVEit system offline in response.

Sony redacted the exposed information in its sample form letter filed with the state of Maine, so it’s not immediately clear what personal information was exposed. Maine’s website only says that names “or other personal identifier[s]” were stolen in combination with social security numbers.

Why Sony waited so long to publicly acknowledge the breach is unclear, though it’s worth noting this isn’t the only breach that Sony is dealing with right now.

Ransomed.vc, which has been targeting Japanese companies of late, claimed it hacked Sony and stole 3.14GB of data from its servers – though that claim has been contested by other hackers. Sony has since confirmed the Ransomed.vc breach, meaning that Sony’s security perimeter has been busted twice in the last four months.

As we also reported this week, mass exploitation of a vulnerability in another piece of Progress software, WS_FTP, has reportedly begun, so expect more high-profile breaches to come.

Critical vulnerabilities: CURL up and die edition

CURL – the command line URL fetching tool used by billions of devices to fetch web content – contains a vulnerability so serious that its developer Daniel Stenberg has seen fit to cut the release cycle short to release a critical patch on October 11.

Stenberg didn’t go into details, saying that if he did it “would help identify the problem area with a very high accuracy.” Stenberg only said that the last several years of releases are affected. Two CVEs are included – both affecting libcurl, and only the higher-severity one affecting the CURL tool itself.

In other vulnerability news:

  • CVSS 10.0 – CVE-2023-2306: Qognify NiceVision IP surveillance camera software version 3.1 and earlier contain hard-coded credentials.
  • CVE 9.8 – multiple CVEs: Various models of Hitachi Energy switches, firewalls and routers contain a bundle of vulnerabilities that can be exploited to have “a high impact” on availability, integrity and confidentiality of devices.
  • Multiple CVEs: X.org has patched five vulnerabilities in the libX11 and libXpm libraries addressing an out-of-bounds memory access bug and other vulnerabilities – be sure to patch.

2020 Blackbaud ransomware attack still paying dividends for regulators

Cast your mind back to 2020, and you may recall hearing about software firm Blackbaud being caught covering up a ransomware attack by paying off the perps and trying to brush the incident under the rug.

As you can guess from the fact that we’re talking about it, that didn’t work. Blackbaud, which builds software for nonprofits and donor management, forked over $3 million to the SEC in March 2023 for not admitting the incident and, once admitting it, not acknowledging that a whole bundle of PII was stolen from 13,000 clients as a result.

Now, attorneys general from all 50 US states have secured another settlement over Blackbaud’s “deficient data security practices and inadequate response” to the incident. The total? Forty-nine and a half million dollars, split between the states.

“Firms that sell software as a service have an obligation to safeguard it at the highest level and must be immediately forthcoming and proactive if a cyber theft does occur,” New Jersey attorney general Matthew Platkin said of the settlement.

Qakbot is back from the dead – sort of

The venerable Qakbot malware operation appears to be alive and well despite an international takedown of the botnet and malware loader in late August.

Qakbot was first detected in 2007, and since then its operators – believed to be Russian – have proven to be very good at adapting to circumstances.

Case in point: a discovery by security researchers from Talos, who have assessed “with moderate confidence” that a Cyclops/Ransom Knight ransomware campaign that began shortly before the August Qakbot takedown is being run by the same people.

“We believe the FBI operation didn’t affect Qakbot’s phishing email delivery infrastructure but only its command and control servers,” Talos said of its findings. Despite the Qakbot operators persisting, the Qakbot malware doesn’t appear to have fared as well.

“We have not seen the threat actors distributing Qakbot post-infrastructure takedown,” Talos said. “Given the operators remain active, they may choose to rebuild Qakbot infrastructure to fully resume their pre-takedown activity.”

Well, thanks for trying, FBI and international law enforcement partners.

Customer genetic data stolen in 23andMe attack

Genetics firm 23andMe has admitted it was hit by a credential stuffing attack leading to the theft of PII that includes genetic ancestry results.

The leakers initially released one million lines of information pertaining to people with Ashkenazi heritage, but have since begun offering to sell bulk account data for a few dollars a pop, and they claim to have data on over 13 million 23andMe customers.

The number of accounts on sale doesn’t reflect the actual number of people who had genetic information stolen – many of the compromised accounts had reportedly opted into a DNA comparison feature that let attackers scrape genetic data belonging to people other than the account holder.

This being a credential stuffing attack, those who had their accounts breached were using the same usernames and passwords on other sites that had been breached. That is to say, 23andMe itself wasn’t hacked – its users had their usernames and passwords found out from other sites, and these credentials were then used to access their 23andMe accounts due to the login details being the same. This is why it’s important to use unique passwords per site or account.

23andMe offers two-factor authentication, but those affected by the breach probably weren’t using it. There’s your lesson. ®

READ MORE HERE