
Canary Trap’s Bi-Weekly Cyber Roundup


Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up to date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.

This week’s newsletter covers a range of critical cybersecurity issues, including a hack on Oregon Zoo’s ticketing service affecting 118,000 customers, a large-scale SMS phishing attack leveraging cloud APIs through the Xeon Sender Tool, and Microsoft’s latest patch for a zero-day flaw exploited by North Korea’s Lazarus Group. We also examine a breach at National Public Data exposing Social Security numbers and explore the widespread data leaks from thousands of Oracle NetSuite e-commerce sites due to misconfigurations. Stay informed on these significant threats and their security implications.

  • Oregon Zoo Ticketing Service Hack Impacts 118,000

The Oregon Zoo recently disclosed a security breach affecting approximately 118,000 individuals, compromising names and payment card details, including numbers, CVVs, and expiration dates. The breach, which occurred between December 20, 2023, and June 26, 2024, was identified on June 26.

The attack involved threat actors redirecting transactions from the zoo’s third-party online ticketing vendor, resulting in the exfiltration of sensitive information. Upon discovery, the affected website was promptly taken offline, and a new secure platform was implemented for ticket purchases. The zoo has notified affected individuals through written communication, with nearly 118,000 people receiving notification letters as of August 16. The Oregon Zoo reported the incident to federal law enforcement and is reviewing internal policies to mitigate future risks. To assist affected individuals, the zoo is offering one year of complimentary credit monitoring and identity protection services.

While the zoo has not disclosed the specific method of attack, it is believed to be a web skimming operation. Web skimmers, also known as JavaScript-sniffers or JS-sniffers, are malicious scripts injected into checkout pages of legitimate websites to steal payment information. These infections can persist undetected for extended periods, as in the Oregon Zoo incident, allowing attackers to conduct fraudulent activities with the stolen data. Currently, over 130 known web skimmer families have been identified by cybersecurity researchers.

  • Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks

Malicious actors are increasingly leveraging a cloud-based attack tool called Xeon Sender to carry out large-scale SMS phishing (smishing) and spam campaigns by exploiting legitimate software-as-a-service (SaaS) providers, according to a report by SentinelOne’s security researcher, Alex Delamotte.

Xeon Sender enables attackers to send bulk messages using valid credentials for a variety of legitimate services, including Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio. Importantly, these campaigns do not exploit any technical vulnerabilities within the service providers themselves; rather, the tool abuses the legitimate APIs of these services to facilitate mass SMS distribution for malicious purposes.

This tool is part of a broader trend in which threat actors use SaaS platforms to conduct bulk smishing attacks. Xeon Sender is distributed through Telegram channels and hacking forums, with some older versions traced back to cracked hacktool communities. The latest version, named XeonV5 or SVG Sender, was released on Telegram by a group called Orion Toolxhub, which has a history of offering various hacking tools, including brute-force attack programs, reverse IP lookup utilities, web shells, and unlimited SMS senders. Originally developed as a Python-based program, Xeon Sender has been repurposed by multiple threat actors since its detection in 2022. One version of the tool has been adapted to run on a web server with a graphical user interface (GUI), making it accessible to less skilled attackers who may lack proficiency in managing Python-based tools.

Regardless of the version, Xeon Sender operates through a command-line interface that interacts with the backend APIs of chosen service providers to orchestrate bulk SMS campaigns. Attackers using the tool must already possess the necessary API keys, which allow them to create API requests that include sender IDs, message content, and recipient phone numbers pulled from predefined lists. Additionally, the tool features account validation capabilities for Nexmo and Twilio, phone number generation for specific country and area codes, and number validation functions.

Despite the tool’s crude design, it is challenging to detect. The source code is deliberately obfuscated with ambiguous variable names to complicate debugging. Xeon Sender’s reliance on provider-specific Python libraries for crafting API requests adds another layer of complexity for detection teams, as each library and provider’s logs are unique. To mitigate the risk posed by tools like Xeon Sender, SentinelOne recommends that organizations monitor any activities related to changes in SMS sending permissions or suspicious alterations to distribution lists, such as the sudden upload of large volumes of new recipient phone numbers.
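The monitoring SentinelOne recommends above can be expressed as two simple audit-log rules: alert on any change to SMS sending permissions or configuration, and alert when one API key suddenly messages a large number of never-before-seen recipients. The following is an added illustration, not code from SentinelOne or from the Xeon Sender report; the event format, field names, action names and thresholds are all assumptions made for the example.

```python
"""Heuristics for the abuse pattern Xeon Sender produces in SMS-API audit logs.
Constructed example: the events and field names below are made up to resemble
a cloud provider's API audit trail; they are not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that alter who may send SMS or how (assumed, illustrative names).
PERMISSION_CHANGE_ACTIONS = {"AttachUserPolicy", "SetSMSAttributes", "CreateAccessKey"}

# Constructed trail: key-B changes SMS settings, then publishes to 250 numbers it
# has never messaged before, which is what a bulk smishing run looks like.
SAMPLE_EVENTS = [
    {"time": "2024-08-16T10:00:00", "key": "key-A", "action": "Publish", "recipient": "+15550100"},
    {"time": "2024-08-16T10:01:00", "key": "key-A", "action": "Publish", "recipient": "+15550101"},
    {"time": "2024-08-16T10:02:00", "key": "key-B", "action": "SetSMSAttributes", "recipient": None},
] + [
    {"time": f"2024-08-16T10:{3 + i // 60:02d}:{i % 60:02d}", "key": "key-B",
     "action": "Publish", "recipient": f"+1555{1000 + i:04d}"}
    for i in range(250)
]


def detect(events, window=timedelta(minutes=10), max_new_recipients=100):
    """Return (key, reason) alerts: every permission/config change, and any key
    that messages more than max_new_recipients never-seen numbers in one window."""
    alerts, flagged = [], set()
    seen = defaultdict(set)      # key -> every recipient seen so far (baseline)
    recent = defaultdict(list)   # key -> (time, recipient) of new numbers in window
    for ev in sorted(events, key=lambda e: e["time"]):
        key, action, t = ev["key"], ev["action"], datetime.fromisoformat(ev["time"])
        if action in PERMISSION_CHANGE_ACTIONS:
            alerts.append((key, f"permission change: {action}"))
            continue
        if action != "Publish" or not ev["recipient"]:
            continue
        if ev["recipient"] not in seen[key]:
            seen[key].add(ev["recipient"])
            recent[key].append((t, ev["recipient"]))
        # keep only new recipients that fall inside the sliding window
        recent[key] = [(ts, r) for ts, r in recent[key] if t - ts <= window]
        if len(recent[key]) > max_new_recipients and key not in flagged:
            flagged.add(key)
            alerts.append((key, f"{len(recent[key])} new recipients within {window}"))
    return alerts


if __name__ == "__main__":
    for key, reason in detect(SAMPLE_EVENTS):
        print(key, reason)
```

The baseline of previously seen recipients is what separates a legitimate, steady notification workload (key-A) from a key that abruptly starts messaging a freshly uploaded list (key-B); in production the baseline would be persisted rather than rebuilt per run.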

  • Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group

A newly patched vulnerability in Microsoft Windows, exploited as a zero-day by North Korea’s Lazarus Group, has brought renewed attention to the group’s sophisticated cyber tactics. The flaw, identified as CVE-2024-38193 and given a CVSS score of 7.8, is a privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD.sys) for WinSock. If exploited, this bug enables attackers to gain SYSTEM-level privileges, a significant breach of security controls.

Microsoft issued a fix for the flaw during its recent Patch Tuesday update, following its discovery by researchers Luigino Camastra and Milánek of Gen Digital, a firm that manages prominent security brands such as Norton, Avast, and Avira. Gen Digital disclosed that the vulnerability was actively exploited by Lazarus Group, allowing them unauthorized access to restricted system areas typically off-limits to both users and administrators. The exploitation was first observed in June 2024.

Central to these attacks was the use of a rootkit named FudModule, which the Lazarus Group deployed to avoid detection. Although specific technical details remain undisclosed, this attack bears a strong resemblance to a previous Lazarus campaign that leveraged another privilege escalation vulnerability, CVE-2024-21338, in February 2024. That vulnerability, located in the AppLocker driver (appid.sys), also allowed Lazarus to circumvent security controls and deploy the same FudModule rootkit.

What makes these incidents particularly concerning is that they represent an evolution beyond the common “Bring Your Own Vulnerable Driver” (BYOVD) strategy. Instead of introducing a new vulnerable driver to the system, Lazarus exploited security flaws in existing drivers already installed on compromised Windows hosts, making the attacks even more insidious.

Earlier research from Avast shed light on the Lazarus Group’s use of a remote access trojan known as Kaolin RAT to deliver the FudModule rootkit. Avast noted that while the rootkit is part of Lazarus’ malware toolkit, it is used selectively and with caution, deployed only under specific conditions when it can maximize stealth and impact.

  • National Public Data Confirms Breach Exposing Social Security Numbers

National Public Data (NPD), a background check service, has confirmed a significant data breach after threat actors leaked millions of records containing highly sensitive personal information. The stolen data, now circulating online, includes names, email addresses, phone numbers, social security numbers (SSNs), and mailing addresses.

In its disclosure, NPD acknowledged breaches of this nature in both April and summer 2024, and suspects that the attacks date back to late December 2023. The company has since conducted an internal investigation, coordinated with law enforcement, and reviewed the affected records. They have pledged to notify impacted individuals should any substantial developments arise. Despite the company’s public disclosure, access to NPD’s statement has been restricted from many U.S. and international IP addresses. However, archived versions of the statement remain accessible online.

The breach has been linked to a series of leaks that began in April when a hacker, using the alias “USDoD,” offered to sell 2.9 billion records allegedly stolen from NPD for $3.5 million. Earlier this month, another threat actor known as “Fenice” released the most comprehensive version of the stolen database, containing 2.7 billion records. Notably, many of these records reference multiple entries for single individuals, complicating the situation further. It remains unclear exactly how many people have been affected, though individuals who confirmed their details in the leaked records noted that information about both themselves and their family members, including deceased relatives, was exposed.

Troy Hunt, the creator of the Have I Been Pwned (HIBP) service, analyzed a portion of the leaked dataset and found 134 million unique email addresses. However, there are inconsistencies; some individuals were found associated with incorrect names, and Hunt himself discovered his email linked to two incorrect birth dates. BleepingComputer also reported that some details in the database appeared outdated, as the current addresses of checked individuals were not included.

The fallout from the breach has already triggered legal action, with at least one class action lawsuit filed against Jerico Pictures, the operator of NPD. The company’s data sources are believed to include government records at various levels, containing legal documents tied to individuals. Those affected by the breach are advised to monitor their financial accounts for suspicious activity and promptly report any anomalies to credit bureaus. Given the leaked contact information, phishing attempts are also likely, as attackers may exploit the breach to obtain further personal details for fraudulent purposes.

  • Thousands of Oracle NetSuite E-Commerce Sites Expose Sensitive Customer Data

A significant misconfiguration in Oracle NetSuite’s SuiteCommerce enterprise resource planning (ERP) platform has exposed sensitive customer data across thousands of websites, posing a serious risk to businesses and their clients.

AppOmni, a leading SaaS security firm, recently uncovered this issue, revealing that many organizations utilizing NetSuite for e-commerce have inadvertently exposed customer data through poorly configured access controls on custom record types (CRTs). These CRTs, often containing sensitive data such as personal addresses and phone numbers, have become highly vulnerable to exploitation by cybercriminals due to these lapses in security.

Aaron Costello, Chief of SaaS Security Research at AppOmni, highlighted the severity of the issue, stating, “Thousands of organizations are leaking sensitive customer data to the public through misconfigurations in their access controls. The scale of these exposures is alarming.” The problem stems not from the core functionality of NetSuite but rather from how some administrators configure their e-commerce stores. These misconfigurations allow unauthorized users to query and retrieve sensitive data through insecure APIs, often by manipulating URLs. This flaw primarily affects externally facing stores running on SuiteCommerce, resulting in unauthorized access to personally identifiable information (PII) such as customer addresses and mobile numbers.

In response, NetSuite has urged its customers to review their security configurations and adhere to best practices for safeguarding CRTs. However, many organizations may remain unaware of these vulnerabilities or whether they have been exploited. One key issue is that NetSuite does not provide easy access to transaction logs, making it challenging for businesses to detect breaches or unauthorized data access.

The report also emphasizes the growing complexity of SaaS environments and the difficulties many organizations face in maintaining robust SaaS security programs. As vendors introduce more sophisticated functionalities, the risk of misconfigurations and associated vulnerabilities increases. Many of these risks can only be uncovered through specialized research, making proactive security measures and awareness critical.

This incident follows other recent security breaches, including attacks on customer accounts hosted on the Snowflake platform, further illustrating the rising threats in SaaS environments. SaaS platforms have significantly altered the traditional attack surface, simplifying certain attack vectors for adversaries. For instance, while the classic Lockheed Martin cyber kill chain outlines a multi-step attack process, in SaaS environments, attackers can streamline their efforts to focus primarily on initial access, credential theft, and data exfiltration.

Threat actors, including well-known cybercriminal gangs like Scattered Spider, are increasingly targeting enterprise data within SaaS applications, recognizing the vulnerabilities in these platforms. These groups, previously focused on traditional cloud environments and on-premises infrastructure, are now pivoting toward SaaS environments as businesses expand their reliance on cloud-based services.
