Table of Contents

  1. Politics
    1. New details emerge about Russia’s trolling operation
    2. U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack
  2. Vulnerabilities
    1. A CVE Journey: From Crash to Local Privilege Escalation
    2. Dangerous Domain Corp.com Goes Up for Sale
    3. Dell SupportAssist Bug Exposes Business, Home PCs to Attacks
  3. Leaks
    1. Personal info of 6M Israelis leaked after Likud uploads voter info
    2. The Altsbit exchange will exit in May following a hack
    3. Software Error Exposes the ID Numbers For 1.26 Million Danish Citizens
  4. Crime
    1. A dark web tycoon pleads guilty, but how was he caught?
  5. Ransomware
    1. Ragnar Locker Ransomware Targets MSP Enterprise Support Tools
  6. Phishing
    1. Active PayPal Phishing Scam Targets SSNs, Passport Photos
  7. Privacy
    1. How Big Companies Spy on Your Emails

Politics

New details emerge about Russia’s trolling operation

A person who worked for the Russian "troll farm" Internet Research Agency discussed the organization with the independent Russian news outlet Dozhd. "Our task was to set Americans against their own government," Maxim said, "to provoke unrest and discontent." Recently revealed details about how the infamous troll farm operated, and its role in Russia's disinformation campaign, shed new light on Russia's interference in the 2016 US presidential race. The secretive firm is bankrolled by Yevgeny Prigozhin, CNN reported, a Russian oligarch who is a close ally of President Vladimir Putin. The foreign desk had a more sophisticated purpose, according to Max, who worked in that department; in fact, those who worked for the foreign desk were restricted from spreading pro-Russia propaganda. The troll farm also had its own "Facebook desk," whose function was to relentlessly push back against the platform's administrators as they deleted fake accounts that had begun gaining traction. Beyond spreading fake news, Russian Facebook accounts went one step further by organizing events, rallies, and protests, some of which drew dozens of people. Separately, the Russian outlet RBC found that the Internet Research Agency hired 100 American activists over the internet to hold 40 rallies across different US cities. Those people did not know they were working for a Russian organization, according to the investigation.

U.S. Charges 4 Chinese Military Officers in 2017 Equifax Hack

The U.S. Justice Department today unsealed indictments against four Chinese officers of the People's Liberation Army (PLA) accused of perpetrating the 2017 hack against consumer credit bureau Equifax that led to the theft of personal data on nearly 150 million Americans. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded. Some security experts have argued that such indictments could both lessen their own impact and leave American officials open to parallel criminal allegations from Chinese authorities. "Our concern is not with the Chinese people or with the Chinese American," Attorney General William Barr said. "It is with the Chinese government and the Chinese Communist Party. Confronting this threat directly doesn't mean we should not do business with China, host Chinese students, welcome Chinese visitors or co-exist with China as a country on the world stage." On March 7, 2017, the Apache Software Foundation announced that some versions of its Apache Struts framework had a vulnerability (CVE-2017-5638) that allowed attackers to remotely execute code on a targeted web application. It is a serious class of bug because it lets an attacker take control of a system from anywhere in the world, and working exploits for this one circulated publicly within days of the advisory. As part of its disclosure, Apache also provided a patch and instructions for applying it. Equifax, which used Apache Struts in its dispute-resolution system, applied neither. Within a few weeks, the DOJ says, the PLA hackers were inside Equifax's systems.

Vulnerabilities

A CVE Journey: From Crash to Local Privilege Escalation

A blog post detailing how the recent sudo bug (CVE-2019-18634, fixed in sudo 1.8.31) was taken from a reproducible crash to a working local privilege escalation. The bug is a stack-based buffer overflow in sudo's password-reading code that is reachable only when the pwfeedback option (echoing an asterisk per typed character) is enabled in sudoers. The option is off in upstream defaults but some distributions enable it in their shipped sudoers, and because the overflow happens before any authorization check, a local user who is not even listed in sudoers can trigger it.
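The two conditions above (an affected version and pwfeedback actually in effect) are the check a practitioner wants before worrying about this bug. The following is an added example for this digest, not code from the blog post or from the sudo project: it parses Defaults entries from a sudoers text and the first line of `sudo -V`. Parsing is simplified (only Defaults lines are considered, the last matching entry wins, host/runas/command-scoped Defaults are ignored, included files are not followed) and the sample sudoers is constructed.

```python
"""Check whether the sudo 'pwfeedback' option is in effect, and whether a
sudo version predates the fix for CVE-2019-18634."""
import re
from typing import Iterator, Optional, Tuple

# "Defaults", "Defaults:user1,user2", "Defaults@host", "Defaults>runas", "Defaults!cmd"
_DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield sudoers lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith(("#include", "@include")):
            continue  # include directives, not comments; their files are not read here
        body = raw.split("#", 1)[0].rstrip()
        if body.endswith("\\"):
            buf += body[:-1] + " "
            continue
        line = (buf + body).strip()
        buf = ""
        if line:
            yield line
    if buf.strip():
        yield buf.strip()


def pwfeedback_enabled(sudoers: str, user: Optional[str] = None) -> bool:
    """True if pwfeedback would apply to `user` (global Defaults only if user is None)."""
    enabled = False  # upstream default is off
    for line in _logical_lines(sudoers):
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group("scope")
        if scope is not None:
            # honour only per-user entries ("Defaults:alice,bob") for the requested user
            if not (scope.startswith(":") and user is not None
                    and user in scope[1:].split(",")):
                continue
        for opt in (o.strip() for o in m.group("opts").split(",")):
            if opt == "pwfeedback":
                enabled = True
            elif opt == "!pwfeedback":
                enabled = False
    return enabled


def parse_sudo_version(sudo_v_output: str) -> Tuple[int, int, int]:
    """Parse the first line of `sudo -V`, e.g. 'Sudo version 1.8.31p1' -> (1, 8, 31)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no version number found")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: Tuple[int, int, int]) -> bool:
    """CVE-2019-18634 affects sudo 1.7.1 through 1.8.30; 1.8.31 carries the fix."""
    return (1, 7, 1) <= version <= (1, 8, 30)


# Constructed sample sudoers (not taken from any real system)
SAMPLE_SUDOERS = """\
Defaults    env_reset, mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
#includedir /etc/sudoers.d
Defaults    pwfeedback          # asterisks while typing the password
Defaults:bob !pwfeedback
root    ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    ver = parse_sudo_version("Sudo version 1.8.30")  # constructed `sudo -V` output
    print("pwfeedback (global):", pwfeedback_enabled(SAMPLE_SUDOERS))
    print("pwfeedback (bob):   ", pwfeedback_enabled(SAMPLE_SUDOERS, "bob"))
    print("version affected:   ", version_affected(ver))
```

On a real host feed `sudo -V | head -1` to parse_sudo_version and the contents of /etc/sudoers plus each file under /etc/sudoers.d to pwfeedback_enabled; the bug is reachable only when both checks come back true, and the cheapest mitigation where patching must wait is a `Defaults !pwfeedback` line.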

Dangerous Domain Corp.com Goes Up for Sale

As an early domain name investor, Mike O'Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O'Connor refused to auction perhaps the most sensitive domain in his stable: corp.com. Now, facing 70 and seeking to simplify his estate, O'Connor is finally selling corp.com. The asking price, $1.7 million, is hardly outlandish for a four-letter domain with such strong commercial appeal. The danger lies in how Active Directory uses DNS: an organization's internal Windows domain is also a DNS name, and things get far trickier when that name does not map back to a second-level domain the organization actually owns and controls. Unfortunately, in early versions of Windows that supported Active Directory (Windows 2000 Server, for example) the default or example Active Directory path was given as "corp," and many companies apparently adopted this setting without modifying it to include a domain they controlled. What happens when an employee at a company with an Active Directory path called "corp" takes a company laptop to the local Starbucks? Chances are good that at least some resources on the employee's laptop will still try to reach that internal "corp" domain, and since the corporate resolver is no longer answering, those lookups go out to the public DNS, where whoever controls corp.com can answer them and watch the login attempts and file-share requests that follow. Renaming the domain is the obvious fix, but it is anything but easy: first, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time.
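The mechanism that turns an internal short name into a public query is DNS suffix devolution: the client appends its primary DNS suffix, then progressively shorter parents of it, then any search-list suffixes the network handed out. The following is an added example for this digest, not code from the article: it models that process for a laptop joined to a hypothetical emea.corp.com domain at an employer that only owns example.com, and flags which of the resulting names leave the organization. The device, domain and suffix values are constructed; devolution is simplified to stripping the leftmost label down to two labels, and the "registrable domain" is taken as the last two labels with no Public Suffix List.

```python
"""Model which DNS names a Windows client queries for an unqualified
internal name, and flag the ones that resolve outside the organisation."""
from typing import Iterable, List


def _norm(name: str) -> str:
    return name.strip().strip(".").lower()


def devolved_suffixes(primary_suffix: str, min_labels: int = 2) -> List[str]:
    """'emea.corp.com' -> ['emea.corp.com', 'corp.com'] (stops at min_labels)."""
    labels = _norm(primary_suffix).split(".")
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_queries(name: str, primary_suffix: str,
                      search_list: Iterable[str] = ()) -> List[str]:
    """FQDNs tried, in order, for a single-label name such as 'fileserver'."""
    name = _norm(name)
    if "." in name:
        return [name]  # already qualified; tried as-is (simplification)
    seen, out = set(), []
    for sfx in devolved_suffixes(primary_suffix) + [_norm(s) for s in search_list]:
        fqdn = f"{name}.{sfx}"
        if fqdn not in seen:
            seen.add(fqdn)
            out.append(fqdn)
    return out


def registrable_domain(fqdn: str) -> str:
    # simplification: last two labels, no Public Suffix List
    return ".".join(_norm(fqdn).split(".")[-2:])


def external_leaks(queries: Iterable[str], owned_domains: Iterable[str]) -> List[str]:
    """Queries whose registrable domain the organisation does not own.

    On the corporate LAN these never leave the internal resolver; on a
    coffee-shop network each one goes to whoever answers for that public domain."""
    owned = {_norm(d) for d in owned_domains}
    return [q for q in queries if registrable_domain(q) not in owned]


if __name__ == "__main__":
    # Constructed scenario: AD domain emea.corp.com, employer owns only example.com,
    # wifi network handing out its own search suffix.
    queries = candidate_queries("fileserver", "emea.corp.com",
                                search_list=["wifi.coffeeshop.example"])
    leaks = external_leaks(queries, ["example.com"])
    for q in queries:
        print(f"{q:40s} {'LEAVES ORG' if q in leaks else 'internal'}")
```

Run the same function over the names your endpoints actually ask for (the primary DNS suffix is in `ipconfig /all`; the names come from SMB, LDAP and WPAD lookups), and anything external_leaks returns is traffic a domain owner on the internet can observe or answer. The fix is to make the AD DNS name a subdomain of something you own, and the page explains why that rename is painful.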

Dell SupportAssist Bug Exposes Business, Home PCs to Attacks

Dell published a security update patching a flaw in its SupportAssist Client software that lets a local attacker execute arbitrary code with Administrator privileges on vulnerable computers. According to Dell's website, SupportAssist is "preinstalled on most of all new Dell devices running Windows operating system." It also "proactively checks the health of your system's hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin." The bug, reported by CyberArk's Eran Shimony, is an uncontrolled search path vulnerability tracked as CVE-2020-5316 with a high-severity CVSSv3 base score of 7.8. The class works like this: a component running with elevated privileges loads a DLL by name rather than by full path, so a standard user who can place a DLL of that name in a directory the loader searches before the intended one gets their code run with the component's privileges. Any unprivileged local user, or malware already running as one, can therefore use such a bug to escalate. A similar remote code execution flaw was found by security researcher Tom Forbes in Dell's System Detect software in 2015.
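To see why the search order matters, the following is an added example for this digest, not Dell's or CyberArk's code: it simulates the default Windows DLL search order (application directory, system directory, Windows directory, current directory, then each PATH entry, as under SafeDllSearchMode) and reports the user-writable directories an attacker could plant a DLL in ahead of the legitimate copy. The directories, file lists, the DLL name helper_plugin.dll and the "standard user can write here" table are all constructed; KnownDLLs and already-loaded modules, which the real loader consults first, are omitted.

```python
"""Simulate the Windows DLL search order to show how an uncontrolled
search path hands a standard user code execution inside a privileged
process."""
from typing import Dict, Iterable, List, Optional, Set


def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def search_order(app_dir: str, system_dir: str, windows_dir: str,
                 cwd: str, path_entries: Iterable[str]) -> List[str]:
    """Directories searched, in order, duplicates removed (case-insensitive)."""
    seen, out = set(), []
    for d in [app_dir, system_dir, windows_dir, cwd, *path_entries]:
        key = _norm(d)
        if key and key not in seen:
            seen.add(key)
            out.append(d.rstrip("\\"))
    return out


def resolve_dll(dll: str, order: Iterable[str],
                present: Dict[str, Set[str]]) -> Optional[str]:
    """Directory the loader would pick `dll` from, or None if it is absent everywhere."""
    files = {_norm(k): {f.lower() for f in v} for k, v in present.items()}
    for d in order:
        if dll.lower() in files.get(_norm(d), set()):
            return d
    return None


def hijack_points(dll: str, order: Iterable[str], present: Dict[str, Set[str]],
                  user_writable: Iterable[str]) -> List[str]:
    """User-writable directories searched before the one that holds `dll`.

    If the DLL is missing entirely (optional or plug-in DLLs the vendor never
    ships are the usual case) every writable directory in the order is a
    planting spot, because the loader never finds a legitimate copy."""
    writable = {_norm(w) for w in user_writable}
    legit = resolve_dll(dll, order, present)
    out = []
    for d in order:
        if legit is not None and _norm(d) == _norm(legit):
            break
        if _norm(d) in writable:
            out.append(d)
    return out


# Constructed environment for a hypothetical privileged support agent
ORDER = search_order(
    app_dir=r"C:\Program Files\Vendor\Agent",
    system_dir=r"C:\Windows\System32",
    windows_dir=r"C:\Windows",
    cwd=r"C:\Users\alice",                       # the agent was started from a user dir
    path_entries=[r"C:\Windows\System32", r"C:\Tools", r"C:\Python38"],
)
PRESENT = {
    r"C:\Program Files\Vendor\Agent": {"agent.exe"},
    r"C:\Windows\System32": {"kernel32.dll", "cryptsp.dll"},
}
USER_WRITABLE = [r"C:\Users\alice", r"C:\Tools"]  # C:\Tools created with loose ACLs

if __name__ == "__main__":
    for dll in ("kernel32.dll", "helper_plugin.dll"):  # second name is hypothetical
        print(dll, "loads from", resolve_dll(dll, ORDER, PRESENT),
              "| plantable in", hijack_points(dll, ORDER, PRESENT, USER_WRITABLE))
```

The example shows the two things a reviewer of a privileged service should look for: DLLs requested by bare name whose legitimate copy sits late in the order, and DLLs that are never shipped at all. The defensive pattern on Windows is to load such libraries by absolute path or with LoadLibraryEx and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, and to keep directories on the service's PATH free of user-writable ACLs.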

Leaks

Personal info of 6M Israelis leaked after Likud uploads voter info

The personal information of 6,453,254 Israelis was leaked after the Likud Party uploaded the entire Israeli national voter registry to an application, according to Haaretz. The registry was uploaded to the Elector application, which the Likud Party uses on election day. A flaw in the application allowed the registry to be retrieved and downloaded to a computer, according to Haaretz. An anonymous source told Haaretz about the flaw, through which any person could access the entire registry without needing sophisticated tools; Haaretz published exact instructions for doing so. Privacy activists had warned against using the application even before the leak, and Haaretz passed the report to the National Cyber Directorate. Last week, Prime Minister Benjamin Netanyahu had called on Likud supporters to download the application to help recruit more supporters and voters. The company that developed the application told Haaretz that this was "a specific incident that was taken care of immediately and afterwards security was strengthened substantially."

The Altsbit exchange will exit in May following a hack

The Italy-based cryptocurrency exchange Altsbit announced that it suffered a security breach that led to the theft of customers' funds. Altsbit says it is unable to compensate users for the stolen funds, so the loss will be distributed among all of its users. It is not yet clear who is behind the attack; a group using the name @LulzSec has claimed responsibility, but the claim is unverified. Some users online speculate that the incident is cover for an exit scam.

Software Error Exposes the ID Numbers For 1.26 Million Danish Citizens

A software error in Denmark's government tax portal exposed the personal identification (CPR) numbers of 1.26 million Danish citizens, a fifth of the country's population. The error went unnoticed for five years (between February 2, 2015, and January 24, 2020), Danish media reported last week. It was discovered following an audit by the Danish Agency for Development and Simplification (Udviklings- og Forenklingsstyrelsen, UFST). According to the UFST, the error was in TastSelv Borger, the Danish tax administration's self-service portal where citizens file and pay taxes online. Government officials said that whenever a user updated account details in the portal's settings section, a bug appended the user's CPR number to the URL. That matters because URLs are not private: they are written to web server logs, kept in browser history, and handed to third parties through the Referer header and embedded analytics scripts, which is how an identifier ends up in places it was never meant to be.
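The same kind of leak is cheap to detect from the server side, because the identifiers sit in the request line of ordinary access logs. The following is an added example for this digest, not code from UFST or the portal: it scans constructed Apache-style log lines for CPR-shaped values in the path or query string, validates the birth-date part so that arbitrary ten-digit IDs are not flagged, and masks the serial for reporting. The log lines and the CPR-like value are fictitious; the historical modulus-11 check is deliberately not applied, since it has not been guaranteed for CPR numbers issued since 2007.

```python
"""Find Danish CPR numbers that leaked into URLs, as recorded in web
server access logs, and mask them for reporting."""
import re
from datetime import date
from typing import List, NamedTuple
from urllib.parse import urlsplit

# DDMMYY, optional hyphen, four-digit serial; not embedded in a longer digit run
_CPR_RE = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{2})-?(\d{4})(?!\d)")

# combined-log request field: "METHOD /path?query HTTP/x.y"
_REQ_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH|HEAD) (\S+) HTTP/[\d.]+"')


class Finding(NamedTuple):
    line_no: int
    path: str
    masked: str   # CPR with the serial hidden, e.g. 010190-****


def _plausible_birthdate(dd: str, mm: str, yy: str) -> bool:
    # the century depends on the 7th digit's rules; accept either candidate century
    for century in (1900, 2000):
        try:
            date(century + int(yy), int(mm), int(dd))
            return True
        except ValueError:
            continue
    return False


def find_cpr(text: str) -> List[str]:
    """CPR-shaped tokens with a valid birth date, normalised to DDMMYY-SSSS."""
    hits = []
    for dd, mm, yy, serial in _CPR_RE.findall(text):
        if _plausible_birthdate(dd, mm, yy):
            hits.append(f"{dd}{mm}{yy}-{serial}")
    return hits


def mask_cpr(cpr: str) -> str:
    return cpr[:7] + "****"


def scan_access_log(lines: List[str]) -> List[Finding]:
    """Report requests whose path or query string carries a CPR number."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        parts = urlsplit(url)
        for cpr in find_cpr(parts.path + "?" + parts.query):
            findings.append(Finding(n, url, mask_cpr(cpr)))
    return findings


# Constructed log lines (not from any real portal); the CPR-like value is fictitious
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2020:10:01:02 +0100] "GET /borger/settings HTTP/1.1" 200 5120',
    '10.0.0.5 - - [24/Jan/2020:10:01:09 +0100] "POST /borger/settings/update?cpr=010190-1234&ok=1 HTTP/1.1" 302 0',
    '10.0.0.7 - - [24/Jan/2020:10:02:11 +0100] "GET /borger/receipt?id=1234567890 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked} in {f.path}")
```

Only the path and query are scanned, never the whole line, so timestamps and byte counts cannot produce false positives; the masked form is what should go into a ticket, since copying the full identifier into a reporting system would repeat the original mistake. The same scan run over a web analytics export or a proxy log tells you which third parties received the values.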

Crime

A dark web tycoon pleads guilty, but how was he caught?

When the enterprising cybercriminal Eric Eoin Marques pleaded guilty in an American court this week, it was meant to bring closure to a seven-year international legal struggle centered on his dark web empire. Investigators were somehow able to break through the layers of anonymity Marques had constructed, leading them to a crucial server in France. Marques was the first in a line of well-known cybercriminals caught despite believing that the anonymity network Tor would keep them safe behind their keyboards. Marques has blamed the NSA's world-class hackers, but the FBI has also been building up its own capabilities since 2002. How the server was located has never been disclosed, and critics of that secrecy argue: "It does a disservice to our criminal justice system when the government hides techniques of investigation from public and criminal defendants." While in control of Freedom Hosting, the FBI then used malware that probably touched thousands of computers. Two months after Marques was caught, the free-wheeling marketplace Silk Road was shut down in another FBI-led operation. After facilitating at least hundreds of millions of dollars in sales, Silk Road had become a symbol of the apparent invulnerability of the criminals inhabiting the dark web. Freedom Hosting and Silk Road were just the best-known dark web sites brought down by law enforcement despite the anonymity that Tor is meant to provide.

Ransomware

Ragnar Locker Ransomware Targets MSP Enterprise Support Tools

A ransomware called Ragnar Locker specifically targets remote management software commonly used by managed service providers (MSPs), terminating its processes and services so that the attack is not detected and stopped. Attackers first began using Ragnar Locker towards the end of December 2019 as part of attacks on networks they had already compromised. According to the attackers, one of their pre-deployment tasks is to steal the victim's files and upload them to their own servers. "Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view !", the Ragnar Locker ransom note states. BleepingComputer has seen various Ragnar Locker ransom notes with demands ranging from $200,000 to approximately $600,000. Kyle Hanslovan, CEO of MSP security firm Huntress Labs, told BleepingComputer that his company has seen Ragnar Locker deployed via the MSP software ConnectWise. According to Vitali Kremez, Head of SentinelLabs, who also analyzed the ransomware, when first started Ragnar Locker checks the configured Windows language preferences and, if one of them is set to the language of a former USSR country, terminates without encrypting the computer.

Phishing

Active PayPal Phishing Scam Targets SSNs, Passport Photos

A recently uncovered phishing campaign targeting PayPal users pulls out all the stops and asks victims for the complete spectrum of personal data, even going so far as to request Social Security numbers and uploaded photos of their passports. "Over the years, phishing authors seem to have learned that once they hook a phish, they should try to get all the information they can from them." While the initial email's sender shows up under the name "Support," a closer look at the address shows it comes from [service53659(at)ovh.com] rather than a legitimate PayPal domain, which is the first check any recipient can make. If a victim enters their credentials, a general information-gathering form is displayed next. The way the page handles uploads means that a less vigilant user might upload multiple photos of documents while thinking their previous attempts were invalid for some reason.
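The display-name-versus-address mismatch described above is mechanical enough to check at the gateway or in a triage script. The following is an added example for this digest, not code from the researchers or from PayPal: it parses a message with the standard library, compares the From domain against an allow-list of genuine sending domains for the brand the message claims, flags a display name that has nothing to do with the address behind it, and flags a Reply-To on yet another domain. The sample message is constructed around the sender address quoted in the article; its Reply-To value, the second (legitimate) sample, and the allow-list of PayPal domains are assumptions for the example.

```python
"""Header checks for a brand-impersonation phish: generic display name,
sender on an unrelated domain, Reply-To somewhere else again."""
import email
from email.utils import parseaddr
from typing import Iterable, List

# Constructed around the sender address quoted in the article; Reply-To is assumed.
SAMPLE_PHISH = """\
From: Support <service53659@ovh.com>
Reply-To: verify-account@mail.example
To: victim@example.test
Subject: Your PayPal account has been limited
Content-Type: text/plain

Please confirm your identity to restore access.
"""

# Constructed legitimate-looking counterpart for comparison.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: victim@example.test
Subject: Your receipt

Thanks for your payment.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(raw: str, brand: str, brand_domains: Iterable[str]) -> List[str]:
    """Human-readable reasons the sender looks like an impersonation (empty if none)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    allowed = {d.lower() for d in brand_domains}
    findings = []

    # 1. The message invokes the brand (subject or display name) but is not sent
    #    from one of the brand's domains.
    subject = msg.get("Subject", "")
    if brand.lower() in (subject + " " + name).lower() and from_dom not in allowed:
        findings.append(f"claims to be {brand} but From domain is {from_dom!r}")

    # 2. Generic display name that does not correspond to the address behind it.
    #    Heuristic: a low-weight signal on its own, strong together with (1).
    if name and name.lower() not in addr.lower():
        findings.append(f"display name {name!r} does not match address {addr!r}")

    # 3. Replies would go to a third domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if _domain(rt_addr) != from_dom:
            findings.append(
                f"Reply-To domain {_domain(rt_addr)!r} differs from From domain {from_dom!r}")
    return findings


def looks_impersonated(raw: str, brand: str = "PayPal",
                       brand_domains: Iterable[str] = ("paypal.com",)) -> bool:
    return bool(sender_findings(raw, brand, brand_domains))


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, sender_findings(sample, "PayPal", ["paypal.com"]) or ["no findings"])
```

These checks deliberately look only at the visible headers, which is all a recipient sees; at a gateway they should be combined with the Authentication-Results header (SPF, DKIM and DMARC), since a From domain on the allow-list is only meaningful when the message actually passed the brand's DMARC policy.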

Privacy

How Big Companies Spy on Your Emails

Multiple confidential documents obtained by Motherboard show the sort of companies that want to buy data derived from scraping the contents of your email inbox. The popular Edison email app, which is in the top 100 productivity apps on the Apple App Store, scrapes users' inboxes and sells products based on that information to clients in the finance, travel, and e-commerce sectors. On its website Edison says that it does "process" users' emails, but some users did not know that by using the Edison app they were letting the company scrape their inbox for profit. Some of the companies listed in the J.P. Morgan document sell data sourced from "personal inboxes," the document adds. A spokesperson for J.P. Morgan Research, the part of the company that created the document, told Motherboard that the research "is intended for institutional clients." The document adds that the "source" of the data is the "Edison Email App". The Wall Street Journal previously reported that Edison employees read users' emails in order to improve the app's smart-replies feature.