Table of Contents

  1. Leaks
    1. Data leak at car rental Buchbinder: 3 million customer data open online
    2. 250 Million Microsoft customer support records and PII exposed online
  2. Privacy
    1. Google: Flaws in Apple’s Private-Browsing Technology Allow for Third-Party Tracking
    2. India likely to force Facebook & WhatsApp to identify the originator of messages
    3. Microsoft to force Office 365 users to use Bing
  3. Politics
    1. UN experts say hacking of Bezos phone suggests effort to influence news coverage
  4. Hardening
    1. Passwordless Authentication: The next breakthrough in secure digital transformation
  5. Malware
    1. Emotet Malware Alert Sounded by US Cybersecurity Agency
    2. Euro Cup and Olympics Ticket Reseller Hit by MageCart
    3. Shlayer Trojan attacks one in ten macOS users
    4. Malware redirecting visitors found on 2,000 WordPress sites
    5. sLoad launches version 2.0, Starslord
    6. Investigating a Backdoor.SH.SHELLBOT.AA Infection
  6. Crime
    1. Potsdam city servers offline
    2. How I Stopped a Credit Card Thief From Ripping Off 3,537 People
  7. Ransomware
    1. Sodinokibi Ransomware Threatens to Publish Data of Automotive Group
    2. Maze Ransomware Not Getting Paid, Leaks Data Left and Right
    3. First Node.js-Based Ransomware: Nodera
  8. Vulnerabilities
    1. Citrix Releases Scanner to Detect Hacked Citrix ADC Appliances

Leaks

Data leak at car rental Buchbinder: 3 million customer data open online

Ten terabytes of sensitive customer data from the Buchbinder car rental company were accessible to everyone online for weeks. Customers of other rental portals are also affected. It is probably one of the largest data leaks in the history of the Federal Republic of Germany: Personal data from three million Buchbinder car rental customers were unprotected for weeks on the Internet, including addresses and telephone numbers of celebrities and politicians.

250 Million Microsoft customer support records and PII exposed online

Over the New Year, Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All the data was left accessible to anyone with a web browser, with no password or other authentication needed. The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.

Privacy

Google: Flaws in Apple’s Private-Browsing Technology Allow for Third-Party Tracking

New research outlines vulnerabilities in Safari's Intelligent Tracking Protection (ITP) that can reveal user browsing behavior to third parties. Technology Apple designed for its Safari web browser to protect users from being tracked when they surf the web may actually do just the opposite, according to new research from Google. Google researchers discovered five different types of potential attacks exploiting the vulnerabilities they found in ITP that could allow third parties, such as digital advertisers, to obtain "sensitive private information about the user's browsing habits," according to the report.

India likely to force Facebook & WhatsApp to identify the originator of messages

New Delhi is inching closer to recommending regulations that would require social media companies and instant messaging app providers to help law enforcement agencies identify users who have posted content - or sent messages - it deems questionable, two people familiar with the matter told TechCrunch. India will submit the suggested change to the local intermediary liability rules to the nation's apex court later this month. The suggested change, the conditions of which may be altered before it is finalized, currently says that law enforcement agencies will have to produce a court order before exercising such requests, sources who have been briefed on the matter said. But regardless, asking companies to comply with such a requirement would be "devastating" for international social media companies, a New Delhi-based policy advocate told TechCrunch on the condition of anonymity.

Microsoft to force Office 365 users to use Bing

Microsoft has decided it's a good idea to install a Chrome extension on Office 365 users' machines that replaces the default search engine with Bing. A Firefox extension is planned as well.

Politics

UN experts say hacking of Bezos phone suggests effort to influence news coverage

UN human rights experts are gravely concerned by information they have received suggesting that, in contravention of fundamental international human rights standards, a WhatsApp account belonging to the Crown Prince of the Kingdom of Saudi Arabia in 2018 deployed digital spyware enabling surveillance of The Washington Post owner and Amazon CEO, Jeffrey Bezos. "The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia. The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince's involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi." Some of the investigation's findings were first reported by the Guardian, but the coverage has received criticism from information security professionals because the news reports suggested the tool used might have been developed by the Israeli company NSO Group, a maker of offensive mobile hacking tools. The forensic report does not say an NSO Group tool was used; it simply notes that the company's tools have the ability to conduct the kind of exfiltration that appears to have occurred on Bezos' phone. NSO Group responded by saying they are shocked and appalled by the story and claim their tools were not used in this instance.

Hardening

Passwordless Authentication: The next breakthrough in secure digital transformation

Cybercrime is set to cost the global economy $2.9 million every minute in 2020 and some 80% of these attacks are password-related. Knowledge-based authentication - whether with PINs, passwords, passphrases, or whatever we need to remember - is not only a major headache for users, it is costly to maintain. For larger businesses, it is estimated that nearly 50% of IT help desk costs are allocated to password resets, with average annual spend for companies now at over $1 million for staffing alone.

Malware

Emotet Malware Alert Sounded by US Cybersecurity Agency

The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday warned that it's seen a surge in targeted attacks using a sophisticated strain of malware called Emotet. While Emotet started life as a banking Trojan, over the past five years, developers have added additional functionality, including making the malware a dropper - aka Downloader - so that it can be used to install additional malicious code on endpoints it has infected, as well as giving it the ability to scrape victims' PCs for contact information. In addition, other attackers have increasingly rented Emotet botnets to install malware, including TrickBot and various strains of ransomware.

Euro Cup and Olympics Ticket Reseller Hit by MageCart

The sites belonging to a reseller of tickets for Euro Cup and the Tokyo Summer Olympics, two major sports events happening later this year, have been infected with JavaScript that steals payment card details. On one of the websites, the malicious code survived for at least 50 days, while on the other it lasted for two weeks. If not for the intervention and persistence of two security specialists, the malware would have continued to pilfer card data undetected.

Shlayer Trojan attacks one in ten macOS users

For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten users of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.

Malware redirecting visitors found on 2,000 WordPress sites

More than 2,000 WordPress sites have been infected with malicious JavaScript that redirects visitors to scam websites and sets the stage for additional malware to be downloaded at a later time. The Sucuri team said access is gained to WordPress sites through plugin vulnerabilities, including Simple Fields and CP Contact Form with PayPal. A large uptick in this activity was picked up during the third week of January.

sLoad launches version 2.0, Starslord

Microsoft has written a blog post about sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Background Intelligent Transfer Service (BITS) for malicious activities, which has launched version 2.0. The new version comes on the heels of a comprehensive blog post detailing the malware's multi-stage nature and its use of BITS as an alternative protocol for data exfiltration and other behaviors. With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.
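Because sLoad rides on BITS for both download and exfiltration, a defender's first check on a suspect host is an audit of the BITS job queue. The following PowerShell is an added example, not code from the Microsoft blog post; the host allow-list is a hypothetical placeholder and must be adjusted to your own estate.

```powershell
# Added example (not from the Microsoft post): audit BITS jobs on a host for
# the two patterns described above. Any Upload/UploadReply job is flagged
# (that is how BITS becomes an exfiltration channel), as is any job whose
# remote endpoint is not on a known-good host list.
Import-Module BitsTransfer

# Hypothetical allow-list: Windows Update endpoints plus your own
# distribution servers. Placeholder values; tune for your environment.
$AllowedHosts = @('windowsupdate.com', 'update.microsoft.com', 'delivery.mp.microsoft.com')

function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

# -AllUsers needs an elevated shell; it returns jobs created under every account,
# which matters because sLoad runs in the context of the logged-on user.
$jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop

foreach ($job in $jobs) {
    $remotes  = @($job.FileList | ForEach-Object { $_.RemoteName })
    $unknown  = @($remotes | Where-Object { -not (Test-AllowedHost $_) })
    $isUpload = $job.TransferType -ne 'Download'

    if ($isUpload -or $unknown.Count -gt 0) {
        [PSCustomObject]@{
            JobId        = $job.JobId
            DisplayName  = $job.DisplayName
            Owner        = $job.OwnerAccount
            State        = $job.JobState
            TransferType = $job.TransferType
            Created      = $job.CreationTime
            Reason       = $(if ($isUpload) { 'upload-type job' } else { 'unrecognised remote host' })
            RemoteNames  = ($remotes -join '; ')
        }
    }
}
```

Pipe the output to Export-Csv to preserve it before remediating; a flagged job can then be inspected or removed with Remove-BitsTransfer once the evidence is captured.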

Investigating a Backdoor.SH.SHELLBOT.AA Infection

Technical analysis of a backdoor found inside an unprotected account on a Raspberry Pi.

Crime

Potsdam city servers offline

The state capital Potsdam has switched off the administration's internet connection and can therefore no longer be reached by email. Numerous irregularities were found in the state capital's central access systems. The cause is a vulnerability in a system from an external provider, through which attempts were made from outside to retrieve data from the state capital without authorization or to install malware. In order to analyze the damage and ensure the security of the data, external IT security companies and IT forensic experts have been commissioned to support the administration's IT specialists in their work. The state capital has filed criminal charges against unknown persons and has informed the regional offices responsible for IT security and data protection.

How I Stopped a Credit Card Thief From Ripping Off 3,537 People

Quincy Larson, the founder of freeCodeCamp, a non-profit organization that runs an open-source community for learning to code, writes in a blog post: I tucked my son under my arm and jogged to my desk. I'd been up until 2 a.m. finishing the announcement for our new #AWSCertified Challenge. And so far, the launch was going well. Our new Twitter bot was tweeting, and our Discord chatroom was abuzz with ambitious developers eager to earn their AWS certifications. I was getting ready to meet with my team when I noticed two strange emails -- both of which arrived within minutes of one another. "Your a fraud" reads one of the emails in typo-riddled English. "That's exactly what I'm thinking since I see a charge on my financial institution from you and since I've never heard of you. Yes you need to resolve this." The other email was... well, let's just say it was also an angry letter and let's leave it at that. freeCodeCamp is a donor-supported nonprofit, and we have thousands of people around the world who donate to us each month. Once in a while, there are misunderstandings - usually when one family member donates without telling the other. But this felt different.

Ransomware

Sodinokibi Ransomware Threatens to Publish Data of Automotive Group

The attackers behind the Sodinokibi ransomware are now threatening to publish data stolen from another victim after the victim failed to get in touch and pay the ransom to have its data decrypted. Sodinokibi claims that this data was stolen from GEDIA Automotive Group, a German automotive supplier with production plants in Germany, China, Hungary, India, Mexico, Poland, Spain, and the USA.

Maze Ransomware Not Getting Paid, Leaks Data Left and Right

Maze ransomware operators have infected computers at Medical Diagnostic Laboratories (MDLab) and are releasing close to 9.5GB of data stolen from the infected machines. The actor also followed through with leaking another cache of files belonging to another victim that did not pay the ransom, Southwire, a wire and cable manufacturer from Carrollton, Georgia. This action was prompted by the company's refusal to pay a ransom of 200 bitcoins (a little over $1.7 million today) that would buy the file decryption key from the attacker along with a promise to destroy the data.

First Node.js-Based Ransomware: Nodera

Recently, while threat hunting, Quick Heal Security Labs came across an unusual Node.js-based ransomware named Nodera. Use of the Node.js framework is not commonly seen across malware families. The latest development by threat actors reveals a nasty, one-of-its-kind ransomware built on Node.js, which enables it to infect Windows-based systems. Interestingly, users can easily get infected by the Nodera ransomware while browsing online, either by clicking on a malicious HTA file or when it is served as a malvertisement.

Vulnerabilities

Citrix Releases Scanner to Detect Hacked Citrix ADC Appliances

Citrix released a free scanner for detecting compromised Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances by digging for indicators of compromise (IoC) collected in incident response engagements related to CVE-2019-19781 exploitation. The tool was developed in collaboration with FireEye and is designed to be run locally against an organization's Citrix instances, one appliance at a time, to assess potential indications of compromise found on the systems.