CYBERSECURITY NEWS V. June – Codecov supply chain attack, Colonial Pipeline returned most of ransom paid to hackers


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

ChaChi is the new GoLang Trojan

The BlackBerry Threat Research and Intelligence team has discovered a new piece of malware, the ChaChi Trojan, written in Go. It was first spotted in the first half of 2020, when it was used against local governments in France. The PYSA ransomware group is behind the Trojan.

ChaChi has the functions and properties typical of a Remote Access Trojan (RAT). The particular danger of ChaChi is its ability to dump credentials from the Windows Local Security Authority Subsystem Service (LSASS).

Audi and Volkswagen data leakage affected 3.3 Million Customers

Volkswagen Group of America (VWGoA) has warned of a data breach originating at a third-party vendor that works with the group on sales and marketing. According to the notice, the supplier left the data exposed on the Internet between August 2019 and May 2021. The incident affected 3.3 million customers, over 97% of whom are Audi owners or prospective buyers.

The exposed data included contact information (first and last name, personal or work mailing address, email address, or phone number) as well as Social Security and credit card numbers.

Codecov replaces uploader after recent supply chain attack

In April, Codecov announced that unknown attackers had compromised the company's platform and added a credential collector to one of its tools. The vector was the Bash Uploader, the script Codecov customers use to submit code coverage reports for analysis. The attackers are known to have exploited a flaw in Codecov's Docker image creation process, which let them modify the Bash Uploader script.

The attackers gained access to the script as early as January 31, 2021 and gradually altered it, adding malicious code that intercepted uploads and detected and collected sensitive information, including credentials, tokens, and keys. The compromise was only discovered on April 1, 2021.

What's worse, the Bash Uploader script is embedded in many other products, including the Codecov GitHub Action, the Codecov CircleCI Orb, and the Codecov Bitrise Step.

The company says it has already notified its clients, which include giants such as Atlassian, P&G, GoDaddy, the Washington Post, Tile, Dollar Shave Club, and Webflow. Codecov is continuing its investigation to establish exactly how the attackers acquired the access keys to the source code. The company also promises to implement monitoring to prevent unauthorized code modification in the future.

Codecov customers who have used any of the listed tools are encouraged to rotate any credentials they have submitted to Codecov platforms in the past two months. Those who have used the Bash Uploader locally are also advised to check their copy for malicious changes and, if necessary, replace it with a clean script of the latest version.
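As an added example (not Codecov's own code or part of the original post), the shell snippet below shows the fail-closed pattern that such a check amounts to: download the uploader to a file, compare its SHA-256 to a checksum obtained out-of-band, and execute it only on a match. The file names and the pinned value are constructed stand-ins for the demonstration.

```shell
#!/usr/bin/env sh
# Added example, not Codecov's code: pin the uploader's SHA-256 and fail closed.
# The Bash Uploader was commonly run as
#     bash <(curl -s https://codecov.io/bash)
# which executes whatever the server returns, so a modified script runs unnoticed.

sha256_of() {
    # Portable digest helper: GNU coreutils on Linux, shasum on macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_uploader SCRIPT PINNED_SHA256 -> 0 only if the digest matches the pin.
verify_uploader() {
    actual="$(sha256_of "$1")"
    [ "$actual" = "$2" ] && return 0
    printf 'REFUSING to run %s: sha256 %s does not match pinned %s\n' "$1" "$actual" "$2" >&2
    return 1
}

# run_verified SCRIPT PINNED_SHA256 [ARGS...]: execute only after a successful check.
run_verified() {
    script="$1"; pinned="$2"; shift 2
    verify_uploader "$script" "$pinned" || return 1
    sh "$script" "$@"
}

# Constructed demonstration: a stand-in for the downloaded uploader and a
# tampered copy with one extra line. In real use the pin comes from a checksum
# published out-of-band; it is never computed from the download itself.
DEMO_DIR="$(mktemp -d)"
printf '#!/bin/sh\necho uploading coverage report\n' > "$DEMO_DIR/codecov"
PINNED="$(sha256_of "$DEMO_DIR/codecov")"
cp "$DEMO_DIR/codecov" "$DEMO_DIR/codecov.tampered"
printf '# one appended line\n' >> "$DEMO_DIR/codecov.tampered"

run_verified "$DEMO_DIR/codecov" "$PINNED"                       # matches, runs
run_verified "$DEMO_DIR/codecov.tampered" "$PINNED" || echo "tampered copy rejected"
```

Pinning a checksum catches a silently changed script, but the pin itself must be updated deliberately whenever the vendor ships a new release.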

Codecov is phasing out development of the Bash Uploader and has presented a new tool written in NodeJS. The new uploader is already available in beta as a static executable binary that currently supports Windows, Linux, Alpine Linux, and macOS.

750 GB of data stolen from Electronic Arts, including source code

Unknown attackers broke into Electronic Arts and stole over 750 GB of data, including game source code and debugging tools. Electronic Arts is continuing its investigation and asserts that user personal data did not fall into the hands of the hackers.

The cybercriminals claim to have access to all EA services and are offering the stolen data for $28,000,000.

The hackers claim to have acquired data like:

  • Frostbite game engine source code and debug tools;
  • FIFA 21 matchmaking server code;
  • FIFA 22 API keys and SDK & debug tools;
  • debug tools, SDKs and API keys;
  • proprietary EA games frameworks;
  • XBOX and SONY private SDK & API key;
  • XB PS and EA pfx and crt with key.

Colonial Pipeline returned most of ransom paid to hackers

After the DarkSide attack on Colonial Pipeline, the largest pipeline network in the United States, the FBI was able to recover a significant part of the ransom paid to the hackers. Investigators seized 63.7 bitcoins worth almost $2.3 million. In total, the company had paid 75 bitcoins ($4.4 million at the time).

The FBI traced the bitcoin transactions on the public ledger and identified the wallet used to hold the funds. The money was then seized under a warrant issued by a San Francisco judge: the FBI had obtained the private key to that wallet, which allowed it to transfer the funds out.

WD My Book Live devices wiped through 0-day vulnerability

The mass deletion of data from Western Digital My Book Live devices is due to a previously unknown vulnerability. In addition to the already disclosed CVE-2018-18472, a zero-day, CVE-2021-35941, allowed attackers to remotely reset devices to factory settings.

The vulnerability exists in the system_factory_restore file, which contains a PHP script to reset settings, restore default configurations, and delete all stored data.

By exploiting the old, unpatched bug CVE-2018-18472, attackers have made Internet-accessible My Book Live devices part of a botnet. Through this bug, the attackers download a script from a remote site to the device and then execute it.

Some My Book Live devices compromised through CVE-2018-18472 have been infected with .nttpd,1-ppc-be-t1-z, malware written specifically for the PowerPC hardware in My Book Live devices. The malware enrolls compromised devices in the Linux.Ngioweb botnet, from which they can be used to carry out DDoS attacks, execute commands, or steal files.

RCE attacks detected in VMware vCenter

There has been a spike in scans aimed at identifying vulnerable vCenter Server instances. Attackers are trying to leverage the recently patched RCE vulnerability CVE-2021-21985, which scored 9.8 out of 10 on the CVSS scale. Currently, more than 4,000 Internet-exposed vCenter Server instances still carry the vulnerability.

CVE-2021-21985 was found in the Virtual SAN Health Check plug-in that is enabled by default in vCenter. An attacker who can reach port 443 on a vulnerable host can use the bug to execute arbitrary commands. Exploitation requires neither authentication nor any user interaction.

Exploits for this bug have already been published online.
