
Sony Discloses Data Leak Affecting Thousands in the U.S.


Sony Interactive Entertainment (Sony) recently informed current and former employees, as well as their families, of a data breach that exposed private data. 

The company notified around 6,800 people about the data breach, confirming that the attack occurred when an unauthorised party exploited a zero-day vulnerability in the MOVEit Transfer platform. 

The Clop ransomware gang exploited the zero-day, CVE-2023-34362, a critical-severity SQL injection vulnerability that can lead to remote code execution, in mass attacks that affected organisations across the world. 

The intrusion took place on May 28, three days before Sony was informed of the vulnerability by Progress Software (the MOVEit vendor), according to the data breach notification, although it wasn't discovered until early June. 

The notice states that “on June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability.” 

“An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony further explained in the data breach notification. 

Sony states that the problem was confined to a single software platform and did not affect any of its other systems. Even so, the private data of 6,791 Americans was compromised, including sensitive information. Although each letter from the company lists the specific data elements exposed, that list is redacted in the sample notification filed with the Office of the Maine Attorney General. 

Having received a notification, recipients can enrol in Equifax's identity protection and credit monitoring services using their unique access code, which is valid through February 29, 2024. 

Following claims on hacking forums that Sony had experienced another security breach and that 3.14 GB of data had been taken from the company's servers, the firm responded by stating that it was looking into the allegations. 

The leaked material, which at least two distinct threat actors claimed to possess, reportedly included the SonarQube platform, certificates, Creators Cloud, incident response guidelines, a device emulator for generating licences, and other information. 

A Sony spokesperson confirmed a limited security breach in the following statement provided to BleepingComputer: 

"Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business. Sony has taken this server offline while the investigation is ongoing. 

There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony's operations." 

This confirms that Sony experienced two security incidents within the previous four months.

Russian Zero-Day Vendor Proposes $20 Million for Hacking Android and iPhones


A company specializing in acquiring and trading undisclosed software vulnerabilities, known as zero-day exploits, has announced a substantial increase in payouts to researchers. 

Operation Zero, based in Russia and established in 2021, revealed on both its Telegram and X (previously Twitter) accounts that it is now offering $20 million for hacking tools capable of breaching iPhones and Android devices. This is a significant escalation from their previous offering of $200,000.

The company emphasized its commitment to collaborating with developer teams by boosting premiums and providing attractive incentives for contractual work. 

Operation Zero explicitly stated that its clientele exclusively comprises private and governmental entities within Russia. When asked about this limitation to non-NATO countries, CEO Sergey Zelenyuk declined to provide specific reasons, citing them as "obvious."

Zelenyuk hinted that the current bounties could be temporary and reflect the current market dynamics, especially considering the challenges associated with hacking iOS and Android systems. He explained that prices are influenced by the availability of specific products in the zero-day market. 

Presently, complete chain exploits for mobile phones are the most coveted and, consequently, the most expensive products, primarily sought after by government entities willing to pay a premium for exclusive access.

For over a decade, companies worldwide have been offering rewards to security researchers who uncover software vulnerabilities and the corresponding hacking methods. 

Unlike conventional bug bounty platforms such as HackerOne or Bugcrowd, Operation Zero does not inform the affected vendors. Instead, it sells these exploits to undisclosed government customers. This is a gray market in which prices fluctuate and the identities of clients remain confidential. However, certain companies, including Operation Zero, have published public price lists.

For instance, Zerodium, established in 2015, provides up to $2.5 million for a sequence of vulnerabilities that permit the hacking of an Android device with no interaction required from the target. For a similar chain of exploits on iOS, Zerodium offers up to $2 million.

Crowdfense, a competitor headquartered in the United Arab Emirates, matches or exceeds these payouts by offering up to $3 million for comparable vulnerabilities in both Android and iOS.

Zelenyuk expressed skepticism that the bounties offered by Zerodium and Crowdfense will ever drop to lower levels. He contended that while Zerodium's price sheet may be outdated, the company continues to make competitive purchases, demonstrating the resilience of the zero-day market.

The zero-day market operates largely without regulation. However, companies in some regions may be required to obtain government-issued export licenses. This entails seeking permission to sell to specific countries, which may be subject to restrictions. This has led to a segmented market increasingly influenced by political factors. 

Notably, a recent law in China mandates that security researchers notify the Chinese government of discovered vulnerabilities before alerting the software developers. 

“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft said in a report from last year.

A Constant Battle Between Apple and Zero-Day Security Vulnerabilities

Recently, there has been a noticeable increase in the number of attackers targeting Apple, especially with zero-day exploits. One of the main reasons attackers prize zero-day exploits is that they can be the most valuable asset in an attacker's portfolio. As of 2022, Apple has discovered seven zero-day vulnerabilities in its products and has followed up on these discoveries with updates to address them. Even so, there seems to be no end in sight to this classic cat-and-mouse game.

In 2021, more than twice as many zero-days were recorded as in 2020. This is the highest level since tracking began in 2014, with the number of zero-days rising every year since then, a trend documented in the repository maintained by Project Zero. 

As described by the MIT Technology Review, the increase in hacking over the past few years has been attributed to the rapid proliferation of hacking tools globally and the willingness of powerful state and non-state groups to invest handsomely in discovering and infiltrating these operating systems. Threat actors actively search for vulnerabilities and then sell the information about those vulnerabilities to the highest bidder.

Apple has repeatedly been compromised by these attackers. After recovering from 12 recorded exploits and remediations in 2021, Apple, one of the four most dominant IT companies in the world, entered 2022 with two zero-day bugs in its operating systems, including a WebKit flaw that could have left users' browsing data exposed. 

The company released 23 security patches less than one month after discovering these issues. A newly discovered flaw could be exploited to infect a user's device when certain malicious websites are loaded on it.

Fast-forwarding to August 17 of this year, Apple disclosed two new vulnerabilities in its operating systems: CVE-2022-32893 and CVE-2022-32894. The first is a remote code execution (RCE) vulnerability in WebKit, the browser engine behind Apple's Safari and used by browsers on iOS and macOS. The second, also an RCE vulnerability, gives attackers complete access to the user's software and hardware without any limitations. 

In the past couple of weeks, two major vulnerabilities have been found that affect a wide range of Apple devices, including the iPhone 6 and later models, the iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), and macOS Monterey. Apple released security updates to protect devices against these vulnerabilities, which it said may have been “actively exploited”.

A report prepared by the research team at Digital Shadows found that zero-day exploits sell for up to $10 million, making them the most expensive commodity across a wide array of cybercrime goods. The report further noted that the market for these exploits is bound to expand and fuel more cyber threats.