This was revealed by a former computer hacker who worked for well-known groups such as LockBit or REvil. First sold for $10,000, the manual then leaked, making the business obsolete. The hacker then decided to publish the manual for free, declaring that there was no point in keeping it secret.
In his manual, he explains how to compromise companies, claiming that “there is no need for 0day” and that it is enough to rely on “the stupidity of Webmasters, even in the world's largest companies”. According to him, the main attack vector is weak configuration passwords on certain tools, which give him initial access to ESXi servers via the SSH protocol.
First known for having exploited CVE-2021-21974, a 0day allowing remote code execution, he has evidently switched to simpler methods, a reminder that having perfect security systems is not useful if the password protecting them is 12345678. In short, use complex passwords and, more generally, be aware of the most common attack vectors: attacks on human error.
Another medical establishment has been hit: the Rennes University Hospital suffered an attack that led to data being exfiltrated to an external destination. This time, the weak point was not the establishment itself but a service provider account, which was reportedly compromised and allowed access to the network via a VPN connection.
Engineers spotted abnormal traffic, synonymous with a cyberattack, on Wednesday June 21, around 4:30 p.m. The SOC reportedly “spotted abnormal IP address data leaks,” leading to a shutdown of all Internet connections in order to investigate. The conclusion is unanimous: no ransomware was installed, but data exfiltration did take place. So the next question is the entry point.
And this time there is no doubt: it was the account of a service provider that was used to connect to the VPN, giving access to the entire network. The service provider, a business software publisher, had access for application maintenance. However, there is no indication that this publisher was compromised, so there is no information on how the account was stolen. The most likely lead is that these credentials were stored in the web browser and then stolen since, as a reminder, browsers store these passwords in “clear” (not exactly, but almost).
It’s the latest trend: AI, and especially ChatGPT, is at the forefront of tech right now. And obviously, it doesn’t only attract well-intentioned people.
More than 100,000 accounts have been compromised around the world, and our country is heavily affected, since it is the only European country affected by this hack. The countries mainly affected are France and India, but the United States, Brazil and Egypt are also on the list. But why would anyone want ChatGPT accounts?
Well, firstly, it’s because hackers love to compromise accounts. They may try to reuse passwords from compromised accounts on other sites, in order to log in to more sensitive services, for example.
The other reason, more specific to ChatGPT, is that your conversation histories are kept by default. All of a user's personal information can then be recovered and used for dishonest purposes, mainly phishing and identity theft. The histories may also contain personal or technical information about users' companies, which could facilitate attacks against the organization.
In short, since collecting information is one of attackers' favorite pastimes, be very careful about what you share on ChatGPT and, more broadly, on applications. On the other hand, protect your accounts as much as possible by activating MFA (Multi-Factor Authentication): this will prevent your password from being the only key needed to compromise your account.