Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In this week’s round-up, we will explore recent developments in cybersecurity, including Intel’s response to new vulnerabilities in its SGX technology, a guilty plea from three men involved in running an MFA bypass service, and the ongoing cyberattack affecting Transport for London (TfL). We’ll also examine a global phishing scam targeting Canadian pizza chains for credit card data, and the LockBit ransomware attack on the Toronto District School Board (TDSB), highlighting the growing complexities and challenges in securing critical infrastructures and personal data.

  • Intel Responds to SGX Hacking Research

Intel recently addressed concerns following claims by security researcher Mark Ermolov, who reported significant progress in compromising the company’s Software Guard Extensions (SGX) data protection technology. Ermolov, known for his expertise in Intel products and affiliated with the Russian cybersecurity firm Positive Technologies, disclosed that his team had successfully extracted cryptographic keys critical to Intel SGX.

SGX is designed to safeguard code and data against various software and hardware attacks by isolating them in a secure, encrypted enclave. Ermolov announced on social media that after years of research, his team had managed to extract the Intel SGX Fuse Key0 (FK0), also known as the Root Provisioning Key, alongside the Root Sealing Key (FK1). These keys form the foundational elements of trust within the SGX security framework.

Pratyush Ranjan Tiwari, a cryptography researcher at Johns Hopkins University, provided further context on the implications of this breakthrough. He explained that compromising FK0 and FK1 could have profound ramifications, as it would allow an attacker to decrypt sealed data and fabricate attestation reports, thereby undermining the core security guarantees of the SGX platform. Tiwari also pointed out that the affected processors—Apollo Lake, Gemini Lake, and Gemini Lake Refresh—though reaching end-of-life status, remain prevalent in embedded systems.

In response to these developments, Intel issued a public statement on August 29, clarifying that the research was conducted on systems to which the researchers had physical access. Intel also noted that these systems lacked the latest security mitigations and were not properly configured. The company highlighted that the researchers exploited vulnerabilities that had been addressed as far back as 2017, utilizing what Intel refers to as an “Unlocked” or “Red Unlocked” state, making the findings less surprising.

Intel further emphasized that the extracted key is encrypted, meaning that breaking the encryption would be necessary for any malicious use. Even then, the vulnerability would only apply to the specific system under attack.

Ermolov acknowledged that the extracted key is protected by a Fuse Encryption Key (FEK) or Global Wrapping Key (GWK) but expressed confidence that decryption is possible, citing past successes in obtaining similar decryption keys. He also noted that the GWK is not unique and is shared across all chips within the same microarchitecture, potentially allowing an attacker to decrypt FK0 across multiple chips. Ermolov clarified that the most significant threat posed by the leak of the Intel SGX Root Provisioning Key is not merely local enclave data access, which requires physical access and has already been mitigated by patches, but rather the potential to forge Intel SGX Remote Attestation. This feature is crucial for establishing trust, as it verifies that software is running within an Intel SGX enclave on a fully updated system with the latest security measures.
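To make the relationships in this section concrete, here is an added toy model in Python. It is not Intel's SGX key derivation and not code from the research or from Canary Trap: the key sizes, the labels, the XOR wrapping under a family-wide GWK, the sealing cipher and the HMAC "report" format are all assumptions chosen only to show why FK0 and FK1 are roots of trust, why one shared GWK unwraps every chip in a family, and why a verifier that merely checks the report's cryptography cannot distinguish a forged attestation from a genuine one. The family blocklist in `verify_with_policy` is likewise an assumed mitigation on the verifier's side, not something the article attributes to Intel.

```python
import hashlib
import hmac
import os

# Constructed toy model of the trust relationships described above. It is an
# added illustration, not Intel's SGX key derivation: key sizes, labels, the
# XOR wrapping and the HMAC "report" are assumptions chosen only to show why
# FK0/FK1 are the roots of trust and why a shared GWK matters.

def kdf(root: bytes, label: bytes) -> bytes:
    """Derive a 32-byte sub-key from a root key and a label."""
    return hmac.new(root, label, hashlib.sha256).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from the KDF (toy cipher, not AES)."""
    blocks = (kdf(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

class Chip:
    """One CPU: its own FK0/FK1 fuse values, stored wrapped under the family GWK."""
    def __init__(self, family: str, gwk: bytes):
        self.family = family
        fk0 = os.urandom(32)  # Root Provisioning Key (attestation root)
        fk1 = os.urandom(32)  # Root Sealing Key
        self.wrapped_fk0 = xor_bytes(fk0, kdf(gwk, b"wrap-fk0"))
        self.wrapped_fk1 = xor_bytes(fk1, kdf(gwk, b"wrap-fk1"))

def unwrap(chip: Chip, gwk: bytes):
    """What the hardware does; also what anyone who recovered the GWK can do."""
    return (xor_bytes(chip.wrapped_fk0, kdf(gwk, b"wrap-fk0")),
            xor_bytes(chip.wrapped_fk1, kdf(gwk, b"wrap-fk1")))

def seal(fk1: bytes, enclave_id: bytes, plaintext: bytes) -> bytes:
    """Bind data to this chip (via FK1) and this enclave identity."""
    key = kdf(fk1, b"seal:" + enclave_id)
    nonce = os.urandom(16)
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(fk1: bytes, enclave_id: bytes, blob: bytes) -> bytes:
    key = kdf(fk1, b"seal:" + enclave_id)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed blob rejected: wrong chip or wrong enclave")
    return xor_bytes(ct, keystream(key, nonce, len(ct)))

def attest(fk0: bytes, family: str, enclave_id: bytes, tcb_current: bool) -> bytes:
    """Toy attestation report: claims plus a MAC under a key derived from FK0."""
    body = f"{family}|{enclave_id.hex()}|tcb_current={int(tcb_current)}".encode()
    mac = hmac.new(kdf(fk0, b"attest"), body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac

def verify_report(fk0: bytes, report: bytes) -> bool:
    """Cryptographic check only: is the MAC valid under this platform's FK0?"""
    body, _, mac = report.rpartition(b"|")
    expected = hmac.new(kdf(fk0, b"attest"), body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(mac, expected)

def verify_with_policy(fk0: bytes, report: bytes, untrusted_families: set) -> bool:
    """Assumed verifier-side mitigation: if a family's root keys may be exposed,
    a valid MAC proves nothing, so reports from that family are refused."""
    family = report.split(b"|", 1)[0].decode()
    return verify_report(fk0, report) and family not in untrusted_families

def demo() -> dict:
    gwk = os.urandom(32)                      # one GWK for the whole family
    chip_a, chip_b = Chip("ToyLake", gwk), Chip("ToyLake", gwk)
    fk0_a, fk1_a = unwrap(chip_a, gwk)
    _, fk1_b = unwrap(chip_b, gwk)            # the same GWK unwraps every chip
    blob = seal(fk1_a, b"enclave-1", b"db-credentials")
    try:
        unseal(fk1_b, b"enclave-1", blob)     # another chip's FK1: rejected
        other_chip = True
    except ValueError:
        other_chip = False
    # Whoever holds FK0 can sign any claims, including "fully patched", without
    # running inside an enclave at all; the MAC check alone cannot tell.
    forged = attest(fk0_a, "ToyLake", b"enclave-1", tcb_current=True)
    tampered = forged.replace(b"tcb_current=1", b"tcb_current=0")
    return {
        "owner_unseals": unseal(fk1_a, b"enclave-1", blob) == b"db-credentials",
        "other_chip_unseals": other_chip,
        "forged_report_passes_mac": verify_report(fk0_a, forged),
        "forged_report_passes_policy": verify_with_policy(fk0_a, forged, {"ToyLake"}),
        "tampered_report_passes_mac": verify_report(fk0_a, tampered),
    }
```

Run `demo()` to see the four outcomes side by side: sealing is bound to one chip and one enclave, altering a report without the key breaks its MAC, a report produced with FK0 passes the cryptographic check whatever it claims, and only a policy decision about the affected family stops it.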

  • Three Men Plead Guilty to Running MFA Bypass Service OTP.Agency

Three individuals, ages 22, 21, and 19, have pleaded guilty to operating OTP.Agency, an online platform that allowed criminals to bypass Multi-Factor Authentication (MFA) for various banks and services.

Launched in November 2019, OTP.Agency provided tools for intercepting one-time passcodes (OTPs) used in MFA, enabling unauthorized access to victims’ bank accounts. Criminals paid a monthly fee to exploit the platform’s capabilities, which included socially engineering victims into revealing sensitive information, such as OTPs and personal details, under the guise of security alerts.

As reported by cybersecurity expert Brian Krebs, OTP.Agency allowed its users to target individuals by entering their phone numbers and names into the service, which would then initiate automated calls warning them of supposed unauthorized activities on their accounts. These fraudulent alerts manipulated victims into giving away their OTPs, enabling criminals to bypass MFA and carry out fraudulent transactions.

The platform offered different pricing tiers, with a basic plan costing £30 per week, enabling access to accounts at banks like HSBC, Monzo, and Lloyds. A more advanced “elite” plan, priced at £380 per week, granted access to Visa and Mastercard verification sites, allowing for more extensive theft from personal bank accounts.

The National Crime Agency (NCA) began investigating OTP.Agency in June 2020, ultimately discovering that over 12,500 individuals were targeted by the service between September 2019 and March 2021, when it was shut down following the arrests of the trio. The NCA estimates the platform could have generated revenues ranging from £30,000 to £7.9 million, depending on subscription plans purchased by its users.

According to the NCA, the group advertised the service on a Telegram group with over 2,200 members, boasting that it was a professional and unrivaled service for stealing OTPs. The group was later deleted after KrebsOnSecurity published an exposé in 2021.

Despite initially denying their involvement, all three individuals have now admitted to the charges of conspiracy to create and distribute fraud tools. Sentencing is scheduled for November 2, 2024, at Snaresbrook Crown Court.

  • Transport for London (TfL) Is Dealing with an Ongoing Cyberattack

Transport for London (TfL) is currently managing an ongoing cyberattack and has confirmed that, so far, there is no evidence of any compromise to customer information.

In an official statement, TfL assured the public that the security incident has not impacted its transport services. “We are actively addressing a cybersecurity incident. At this time, we have no indication that customer data has been compromised, and TfL services continue to operate as normal,” said the UK transport agency. 

TfL is coordinating with government agencies, including the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), to respond effectively to the attack. While the incident appears to primarily affect internal systems at TfL’s corporate headquarters, staff have been advised to work remotely where possible.

Shashi Verma, TfL’s Chief Technology Officer, emphasized the organization’s commitment to safeguarding its systems and customer data. “We have implemented several measures to protect our internal systems in response to the ongoing cybersecurity incident. The security of our systems and customer data is paramount, and we will continue to monitor and evaluate the situation throughout and after the incident,” Verma stated. He also reiterated that, although a comprehensive assessment is still underway, there is currently no evidence that customer data has been compromised.

  • Global Phishing Scam Hits Canadian Pizza Chains for Credit Card Data

A sophisticated phishing campaign targeting pizza restaurant chains, particularly in Canada, has been identified by cybersecurity experts at BforeAI. Active since 2023, this campaign has resulted in significant financial losses, with multiple victims reported globally.

The campaign came to light following a warning from Singaporean authorities regarding phishing attacks on Domino’s Pizza. In late 2023, seven victims in Singapore were defrauded of approximately $27,000 through this scam. The attackers employed domain spoofing and other deceptive tactics to create fraudulent websites that closely mimicked legitimate pizza delivery sites.

BforeAI’s investigation revealed that the attackers used “typosquatting”—registering domains with minor misspellings of legitimate ones—and homograph attacks that utilize characters resembling those in authentic domain names. These tactics were combined with the use of readily available webpage templates and generative AI to rapidly develop convincing fake websites.

One common tactic involved replicating the order pages of legitimate pizza websites. Customers were prompted to enter a one-time password (OTP) as part of the ordering process. However, this OTP was intercepted by the attackers, allowing them to gain access to customers’ credit card information and make unauthorized purchases.

Although the activity was initially believed to be a targeted attack on Domino’s Pizza in Singapore, further analysis uncovered a broader campaign affecting multiple pizza brands worldwide, including prominent Canadian chains like Pizzaiolo, PizzaPizza, Boston Pizza, Panago Pizza, and Little Caesars Pizza. International brands such as Blaze Pizza and 241 Pizza were also affected.

The attackers have been persistent, frequently registering new domains and updating existing ones to avoid detection. They have utilized various IP addresses and top-level domains (TLDs) to further disguise their activities. The infrastructure supporting these malicious operations has been traced back to VPS services provided by Stark Industries in Singapore and Canada, with some domains undergoing updates as recently as April 2024.

To mitigate the risk of falling victim to these scams, customers are advised to remain vigilant when visiting pizza delivery websites. Key precautions include carefully checking domain names for minor discrepancies, reviewing the domain’s registration date, enabling multi-factor authentication on accounts, and promptly reporting any suspicious transactions to the authorities.
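The checks recommended above (look for minor misspellings, watch for look-alike characters, be wary of unexpected top-level domains) can be automated on the defender's side. The following Python classifier is an added illustration, not BforeAI's tooling and not from the original post: it decodes punycode labels back to Unicode, reduces accented and confusable characters to an ASCII "skeleton", measures edit distance against a list of brand labels, and flags brand names embedded in longer labels or served from an unexpected TLD. The brand table, its TLDs, the confusables subset, the public-suffix subset and every candidate domain in `demo()` are constructed stand-ins; a real deployment would load the organisation's own verified domains and a full public suffix list.

```python
import unicodedata

# Added defensive example; not BforeAI's tooling. The brand table is a
# constructed stand-in: the labels come from the brands named in the article,
# but the "legitimate" TLDs are assumptions and must be replaced with the
# organisation's own verified domains before use.
BRANDS = {
    "dominos": {"com", "com.sg"},
    "pizzapizza": {"ca"},
    "bostonpizza": {"com"},
    "panago": {"com"},
    "littlecaesars": {"com", "ca"},
}

# Small hand-picked confusables table (Cyrillic/Greek look-alikes, digits).
CONFUSABLES = {
    "ı": "i", "і": "i", "ӏ": "l", "о": "o", "ο": "o", "а": "a", "е": "e",
    "р": "p", "с": "c", "ѕ": "s", "у": "y", "х": "x", "0": "o", "1": "l",
}

MULTI_PART_SUFFIXES = {"co.uk", "com.au", "com.sg", "co.nz"}  # toy PSL subset

def split_domain(domain: str):
    """Return (registrable label, public suffix) for a hostname."""
    d = domain.lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    parts = d.split(".")
    if len(parts) < 2:
        return d, ""
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_PART_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]

def decode_punycode(label: str) -> str:
    """Turn an IDNA label (xn--...) back into Unicode so look-alikes are visible."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label
    return label

def skeleton(label: str) -> str:
    """Collapse a label to the ASCII a human reads: drop accents, map confusables."""
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in base)

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str):
    """Return (verdict, matched brand or None) for one candidate hostname."""
    label, suffix = split_domain(domain)
    label = decode_punycode(label)
    skel = skeleton(label)
    for brand, tlds in BRANDS.items():
        if label == brand:
            return ("known-good" if suffix in tlds else "tld-swap", brand)
        if skel == brand:            # differs only by look-alike characters
            return ("homograph", brand)
        if levenshtein(skel, brand) <= 2:
            return ("typosquat", brand)
        if brand in skel:            # e.g. brand-order.com, brand-delivery.net
            return ("brand-embedded", brand)
    return ("no-match", None)

def demo() -> dict:
    # Constructed candidates; the IDNA label is built from a dotless-i homograph.
    punycode_label = "xn--" + "pizzapızza".encode("punycode").decode("ascii")
    candidates = [
        "www.pizzapizza.ca",         # matches the constructed table exactly
        "pizzapizza.xyz",            # right label, unexpected TLD
        "pizzapizzza.com",           # one extra letter
        "dominoes.com.sg",           # common misspelling, multi-part suffix
        "b0stonpizza.com",           # digit substitution
        punycode_label + ".com",     # look-alike delivered as IDNA
        "littlecaesars-order.com",   # brand embedded in a longer label
        "example.com",               # unrelated
    ]
    return {c: classify(c) for c in candidates}
```

Edit distance alone would miss `b0stonpizza` and the IDNA label, and the skeleton alone would miss `pizzapizzza`, which is why the classifier applies the exact, skeleton and distance checks in that order before falling back to the substring test. The brand-embedded verdict is deliberately weaker than the others, since legitimate partners sometimes register such names; combining it with the domain's registration date, as the article suggests, is the natural next filter.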

  • LockBit Gang Claims the Attack on the Toronto District School Board (TDSB)

The Toronto District School Board (TDSB) confirmed that students’ information was compromised following a ransomware attack that was discovered in June.

The TDSB is the largest school board in Canada with 582 schools and about 235,000 students. In June, the organization informed parents that unauthorized activity was detected in a test system used by its technology department. This test environment is separate from the board’s official networks. In response, the TDSB’s cybersecurity team quickly acted to secure data and protect critical systems.

Exposed student information could include name, school name, grade, TDSB email address, TDSB student number and day/month of birth.

“At that time, TDSB became aware that an unauthorized third party gained access to TDSB’s technology testing environment, which is a separate environment used by TDSB IT Services to test programs before they are run live on TDSB systems,” reads the update published by TDSB. “We have now confirmed that the testing environment contained 2023/2024 student information that could include name, school name, grade, TDSB email address, TDSB student number and day/month of birth.”

The Toronto District School Board (TDSB) assured parents that the risk to students from the security breach is low. TDSB confirmed that it is not aware of public disclosure of student data on the clear and dark web. The TDSB took immediate actions, such as isolating and securing affected systems, disconnecting the test environment, enhancing security measures, and notifying law enforcement. The organization reported the incident to the Office of the Information and Privacy Commissioner of Ontario.

The researcher Dominic Alvieri reported that the LockBit gang claimed responsibility for the ransomware attack on the Toronto District School Board and threatened to leak the stolen data if the organization does not pay a ransom within two weeks. However, doubts about the legitimacy of these claims have emerged. The notorious ransomware group has taken responsibility for numerous attacks against various organizations, but some of its announcements are riddled with inaccuracies or appear to reference data breaches that were previously disclosed by other ransomware gangs.

The LockBit ransomware operation has been active since January 2020 and has hit over 2,500 victims across 120 countries, including 1,800 in the U.S. The group has targeted individuals, businesses, hospitals, schools, and government agencies, extracting approximately $500 million in ransom payments and causing billions in broader losses.
