Table of Contents

  1. Privacy
    1. Twitter says an attacker used its API to match usernames to phone numbers
    2. Google software glitch sent some users' videos to strangers
    3. 'They know us better than we know ourselves': how Amazon tracked my last two years of reading
    4. Google Receives Geofence Warrants
  2. Vulnerabilities
    1. TeamViewer stores user passwords in registry, encrypted with hard-coded key
    2. Tesla Autopilot Duped By ‘Phantom’ Images
  3. Politics
    1. Ex-CIA Employee Accused Of Leaking Documents To WikiLeaks Goes On Trial
  4. Crime
    1. Nintendo Hacker Pleads Guilty to Child Porn Charges, Faces 25 Years
  5. Ransomware
    1. NIST Drafts Guidelines for Coping With Ransomware
    2. Toll Group shuts down some online systems after ransomware attack
    3. Bouygues Construction Shuts Down Network to Thwart Maze Ransomware
    4. DoppelPaymer Ransomware Sells Victims' Data on Darknet if Not Paid
    5. Ransomware brought down services of popular TV search engine TVEyes
    6. Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
    7. The city of Racine was offline following a ransomware attack
  6. Scams
    1. Ashley Madison Breach Extortion Scam Targets Hundreds
  7. Crypto
    1. How to decrypt WhatsApp end-to-end media files

Privacy

Twitter says an attacker used its API to match usernames to phone numbers

In a statement, Twitter disclosed a security incident during which third-parties exploited the company's official API (Application Programming Interface) to match phone numbers with Twitter usernames. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames. Twitter says that following this report, it intervened and immediately suspended a large network of fake accounts that had been used to query its API and match phone numbers to Twitter usernames. Although the malicious accounts were located in countries from all around the globe, many requests to the affected API were coming from IP addresses within Iran, Israel, and Malaysia. The API endpoint allows users to submit phone numbers and matches them to known Twitter accounts. Twitter says the attacks did not impact all Twitter users, but only those who enabled an option in their settings section to allow phone number-based matching. "People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter said.

Google software glitch sent some users' videos to strangers

Google has said a software bug resulted in some users' personal videos being emailed to strangers. The flaw affected users of Google Photos who requested to export their data in late November. For four days the export tool wrongly added videos to unrelated users' archives. As a result, private videos may have been sent to strangers, while downloaded archives may not have been completed. "We are notifying people about a bug that may have affected users who used Google Takeout to export their Google Photos content between November 21 and November 25," a Google spokesperson said.

'They know us better than we know ourselves': how Amazon tracked my last two years of reading

Amazon collects a mind blowing amount of information about its users, including what parts of the books you like the most, and with this they could easily make inferences about personal and mental health, career, hobbies, etc... "Many of these companies just scoop up as much data as they can without knowing how it will be used-all they know is that more information is better. The essential truth is that these entities know us better than we know ourselves."

Google Receives Geofence Warrants

Google reportedly has a database called Sensorvault in which it stores location data for millions of devices going back almost a decade. The article is about Geofence warrants, where the police goes to companies like Google and asks for information about every device in a particular geographic area at a particular time. In 2013, we learned from Edward Snowden that the NSA does this worldwide. Its program is called CO-TRAVELLER. The NSA claims it stopped doing that in 2014 -probably just stopped doing it in the US-but why should it bother when the government can just get the data from Google.

Vulnerabilities

TeamViewer stores user passwords in registry, encrypted with hard-coded key

TeamViewer stored user passwords encrypted with AES-128-CBC with the key of 0602000000a400005253413100040000 and iv of 0100010067244F436E6762F25EA8D704 in the Windows registry. If the password is reused anywhere, privilege escalation is possible. If you do not have RDP rights to the machine but TeamViewer is installed, you can use TeamViewer to remote in. TeamViewer also lets you copy data or schedule tasks to run through their Service, which runs as NT AUTHORITY\SYSTEM, so a low privilege user can immediately go to SYSTEM with a .bat file.

Tesla Autopilot Duped By ‘Phantom’ Images

Researchers were able to fool popular autopilot systems into perceiving projected images as real - causing the cars to brake or veer into oncoming traffic lanes. Researchers said that autopilot systems used by popular cars - including the Tesla Model X - can be fooled into detecting fake images, projected by drones on the road or on surrounding billboards, as real. By detecting and reacting to obstacles in the road, ADAS systems are designed to increase driver safety. However, researchers said that they were able to create "phantom" images purporting to be an obstacle, lane or road sign; use a projector to transmit the phantom within the autopilots' range of detection; and trick systems into believing that they are legitimate.

Politics

Ex-CIA Employee Accused Of Leaking Documents To WikiLeaks Goes On Trial

In 2017, WikiLeaks released more than 8,000 pages of secret materials - which the anti-secrecy organization called "Vault 7" - detailing the CIA's cyberespionage arsenal, including the agency's playbook for hacking smartphones, computer operating systems, messaging applications and internet-connected televisions. It was one of the largest breaches in the agency's history. Federal prosecutors say the defendant, Joshua Schulte, stole the documents when he worked in a CIA unit that designed the hacking tools. Mr. Schulte, 31 years old, faces 11 criminal counts, including illegal gathering and transmission of national defense information - charges that derive from the Espionage Act, a statute that has been applied in other WikiLeaks cases.

Crime

Nintendo Hacker Pleads Guilty to Child Porn Charges, Faces 25 Years

21-year-old Californian Ryan S. Hernandez pleaded guilty to hacking into several Nintendo servers, stealing confidential information on hardware, games, and developer tools, and leaking it via social media and online portals. As part of his plea agreement, Hernandez has to pay $259,323.82 to Nintendo as restitution as remediation costs for infiltrating the company's network, and accessing and leaking confidential data to third parties via online portals and social media. Between October 2016 and June 2019, Hernandez downloaded thousands of files containing non-public info relating to pre-release or unreleased products, as well as pre-production development and testing of various titles. He "used the stolen data and files for his own purposes, including to modify Nintendo consoles and to access pirated and unreleased video games, and further disseminated to others stolen data and information about Nintendo's internal computer network and products" according to superseding info.

Ransomware

NIST Drafts Guidelines for Coping With Ransomware

The National Institute of Standards and Technology has unveiled a pair of draft practice guidelines that offer updated advice and best practices on how to protect the confidentiality, integrity and availability of data in light of increasing threats from ransomware and other large-scale cyber events. NIST will accept comments on the draft advice until Feb. 26, and then will issue final guidance later this year. And while other federal agencies, such as the FBI, have issued warnings about ransomware, NIST is the position to offer technical assistance and guidance for organizations. Changing Nature of RansomwareOne significant reason why NIST created these practice guidelines now is that the nature of ransomware has changed over the last two years, Ekstrom says. In its draft guidance, NIST is attempting to address current issues, including how to implement vulnerability management, as well as network protection and awareness, throughout the entire IT infrastructure.

Toll Group shuts down some online systems after ransomware attack

The Australian transportation and logistics giant Toll Group has suffered a ransomware attack that forced it to shut down part of its services. The Australian transportation and logistics giant Toll Group was victim of a ransomware attack, in response to the incident the company has shut down some of its online services. The Toll Group is an Australian transportation and logistics company with operations in road, rail, sea, air, and warehousing, it is a subsidiary of Japan Post Holdings and has over 44,000 employees. The attack was discovered on January 31 when the internal staff detected a piece of ransomware on its systems. Meanwhile, Toll Group has reported the incident to the authorities, an investigation is still ongoing.

Bouygues Construction Shuts Down Network to Thwart Maze Ransomware

French construction giant Bouygues Construction shut down their computer network to avoid having all of their data encrypted by the Maze Ransomware. In a statement posted to their website, Bouygues stated that they shut down their computer network on January 30th, 2020, as a "precautionary measure" to prevent a ransomware attack from propagating further. "A ransomware-type virus was detected on Bouygues Construction's computer network on 30 January. Our teams are currently fully focused on returning to normal as quickly as possible, with the support of experts. According to the Maze Ransomware operators, they are responsible for this attack and state that they encrypted 237 computers. In addition, the ransomware operators claim to have encrypted over 1,000 Terabytes of data.

DoppelPaymer Ransomware Sells Victims' Data on Darknet if Not Paid

The DoppelPaymer Ransomware is the latest family threatening to sell or publish a victim's stolen files if they do not pay a ransom demand. A new tactic being used by ransomware operators that perform network-wide encryption is to steal a victim's files before encrypting any devices. This new tactic started in November 2019 when Maze Ransomware publicly released stolen files belonging to Allied Universal for not paying a ransom. Since then, Sodinokibi/REvil published stolen data and the Nemty Ransomware announced in their RaaS affiliate panel that they would start doing it as well. While DoppelPaymer told us that they have not publicly released stolen data yet, the Maze Ransomware operators have shown that doing so will increase the number of payments. "MAZE shown the world that success rates are increased after sharing some data", DoppelPaymer told BleepingComputer.

Ransomware brought down services of popular TV search engine TVEyes

TVEyes was brought down after its core server and engineering workstations were infected with a ransomware attack, company CEO confirmed. TVEyes is a company that manages a popular platform for monitoring TV and radio news broadcasts, it is used worldwide by PR agencies and newsrooms. On Thursday night, a ransomware attack hit the company network causing an outage of its multimedia messaging and data feed services (i.e. TVEyes reported the incident to its customers by email, one Tweet sent by the company to Medium Buying explained that the root cause of the outage was a ransomware infection. "We are rebuilding the core system on fresh hardware, and expect to have TVEyes back online soon, but do not have an exact ETA for services to be restored," the email says. "As you can imagine, TVEyes engineers are working nonstop and will continue to do so until we are back up and running."

Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender

A new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to the CVE-2019-19781 exploit. Last week, FireEye released a report about new attacks exploiting the now patched Citrix ADC vulnerability to install the new Ragnarok Ransomware on vulnerable networks. When attackers can compromise a Citrix ADC device, various scripts would be downloaded and executed that scan for Windows computers vulnerable to the EternalBlue vulnerability. If detected, the scripts would attempt to exploit the Windows devices, and if successful, inject a DLL that downloads and installs the Ragnarok ransomware onto the exploited device. Many ransomware operations are created by developers based out of Russia or other CIS countries. It is rare, though, to see ransomware infections themselves attempt to disable the functionality of Windows Defender, which is what Ragnarok attempts. Given that Citrix is exploited cross-platform and might be running on both Unix and Windows systems. A standard encryption routineThe rest of the Ragnarok encryption process is similar to what we see in other ransomware infections. When scanning for files to encrypt, Ragnarok will skip any files that have the ".exe", ".dll", ".sys", and ".ragnarok" extensions.

The city of Racine was offline following a ransomware attack

The city of Racine joins to the long string of US municipalities that were hit with ransomware attack, it was forced offline following the infection. Most of the non-emergency computer services of the city went offline following the attack. "City of Racine computer systems were infected by ransomware early Friday morning, and remained that way late Sunday afternoon." reported the GovernmentTechnology website. The tax collection, 911 and public safety systems were not impacted by the ransomware attack.

Scams

Ashley Madison Breach Extortion Scam Targets Hundreds

Nearly five years after the high-profile Ashley Madison data breach, hundreds of impacted website users are being targeted by a new extortion attack this past week. The 2015 data breach of the adultery website led to 32 million accounts being publicly dumped online, including victims' names, passwords, phones numbers, credit card information and more. Now, cybercriminals are exploiting the treasure trove of breached Ashley Madison data again in a new highly- personalized and targeted attacks. According researchers at Vade Secure, extortionist are sending emails targeting affected Ashley Madison users once again. "In the last week, Vade Secure has detected several hundred examples of this extortion scam, primarily targeting users in the United States, Australia, and India," said Ed Hadley with Vade Secure in a Friday post.

Crypto

How to decrypt WhatsApp end-to-end media files

At the center of the Saudis hacked Bezos story is a mysterious video file investigators couldn't decrypt, sent by Saudi Crown Prince MBS to Bezos via WhatsApp. In this blog post, the author shows how to decrypt it. Once decrypted, we'll either have a smoking gun proving the Saudi's guilt, or exoneration showing that nothing in the report implicated the Saudis.