EXECUTIVE SUMMARY
The month of April has seen some interesting developments in the world of cyber security. The first topic shows a popular IRS-authorized tax filing website that was caught serving malware. Also highlighted is a massive breach of the American Bar Association. Finally, the importance of properly decommissioning hardware is shown as hackers have been breaching networks using data from resold networking equipment.
MALWARE FOUND IN TAX FILING SOFTWARE
eFile.com, an IRS-authorized online tax filing service used by millions of people, has been found to deliver JavaScript malware to users visiting the website. In March, numerous eFile.com users suspected that the website had been hacked because, at the time, it displayed an SSL error message that appeared to be fake. The error message claimed that the site could not be reached because a browser update was needed. The message included a download link for the supposed update, but the link instead downloaded malware onto the user’s device. The malware was identified as a backdoor that allows threat actors to remotely access a compromised device. Threat actors could use this remote access to deploy additional malware, steal sensitive data, or move laterally to other devices on a network. As of April 1st, eFile.com no longer contains any malware, but caution should still be used when visiting the website.
DATA BREACH OF AMERICAN BAR ASSOCIATION MEMBERS
Credentials of about 1.4 million members of the American Bar Association (ABA), the largest association of lawyers and judges in the world, were reported to have been accessed by hackers in mid-March. A hacker gained access to the ABA network via a legacy system decommissioned in 2018. There have not been any reports of the credentials being used in ransomware or other exploitation campaigns yet. The credentials exposed were usernames and salted password hashes, which are much stronger cryptographically than unsalted hashes. However, this does not guarantee that the passwords cannot still be recovered in plaintext, especially with a significant number of accounts still using the default password supplied by the ABA; cracking salted hashes generally takes more time and resources.
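As an added illustration, not taken from the report or from any ABA system, the following Python shows why per-account salts defeat precomputed hash tables yet do nothing for accounts still on a known default password, and how an administrator can audit a salted-hash store for such accounts in order to force a reset. The account names, the default password value and the PBKDF2 parameters are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed placeholder; the ABA's real default password is not given in the report.
DEFAULT_PASSWORD = "Welcome1"
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) as a stand-in for the store's scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> dict:
    """Create a stored record with a fresh random 16-byte salt for this account."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_default_password_accounts(records: dict, default_password: str) -> list:
    """Flag accounts whose stored hash matches the known default password.

    Each account's own salt is applied, so the audit works even though the same
    password produces a different stored hash for every account.
    """
    flagged = []
    for username, rec in records.items():
        candidate = hash_password(default_password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            flagged.append(username)
    return sorted(flagged)


def build_sample_store() -> dict:
    """Constructed sample store: two accounts still on the default, one with a unique password."""
    return {
        "alice": make_record("correct horse battery staple"),
        "bob": make_record(DEFAULT_PASSWORD),
        "carol": make_record(DEFAULT_PASSWORD),
    }


if __name__ == "__main__":
    store = build_sample_store()
    # Salting: identical passwords, different stored hashes, so one precomputed table cannot cover both.
    print("bob and carol hashes differ:", store["bob"]["hash"] != store["carol"]["hash"])
    print("accounts to force-reset:", find_default_password_accounts(store, DEFAULT_PASSWORD))
```

Accounts the audit flags should be forced through a password change; the salt buys time against bulk cracking, but a shared default is recovered with a single guess per account.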
HACKERS BREACHING NETWORKS USING RESOLD EQUIPMENT
Reports state that hackers have been breaching corporate networks using data obtained from second-hand routers being resold online. Researchers have found that many of the routers and other networking equipment resold on eBay and other online storefronts still contained sensitive information such as login credentials, Wi-Fi SSIDs and passwords, along with other configuration details. This information can be used by attackers to gain unauthorized access to the corporate networks that the hardware originated from, potentially leading to data theft or other malicious activities. The report urges businesses and individuals to take proper precautions, such as wiping stored configuration, when disposing of or recycling routers and other equipment.