Table of Contents

  1. Microsoft
    1. Microsoft Backpedals on Forcing Bing Search for Office 365 Users
  2. Politics
    1. Crypto AG Was Owned by the CIA
  3. Scams
    1. FTC Warns of Ongoing Scams Using Coronavirus Bait
    2. FBI: Cybercrime Victims Lost $3.5 Billion in 2019
    3. Amex, Chase Fraud Protection Emails Used as Clever Phishing Lure
  4. Vulnerabilities
    1. IBM X-Force: Stolen Credentials and Vulnerabilities Weaponized Against Businesses in 2019
    2. SoundCloud Fixed API Flaws That Could Lead to Account Takeover
  5. Leaks
    1. 440M records found online in unprotected database belonging to Estée Lauder


Microsoft Backpedals on Forcing Bing Search for Office 365 Users

Microsoft announced today that the Microsoft Search in Bing extension for Google Chrome will not be forcibly installed for Office 365 ProPlus users, as the company had said on January 22nd it would be. The Microsoft Search browser extension would have forced the Chrome browser to use Bing as the default search engine for some Office 365 ProPlus customers, helping them "access relevant workplace information directly from the browser address bar." Microsoft now says that it heard customers' concerns regarding the way the company planned to roll "this value out." "Most importantly, we heard that customers don't want Office 365 ProPlus to change search defaults without an opt-in, and they need a way to govern these changes on unmanaged devices," Microsoft says. "Through a new toggle in Microsoft 365 admin center, administrators will be able to opt in to deploy the browser extension to their organization through Office 365 ProPlus," Microsoft adds.


Crypto AG Was Owned by the CIA

The Swiss cryptography firm Crypto AG sold equipment to governments and militaries around the world for decades after World War II. They were owned by the CIA: "And none of its customers ever even knew that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company's devices, so they could easily break the codes that countries used to send encrypted messages." This isn't really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans. What is new is the formerly classified documents describing the details: "The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project. The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations' gullibility for years, taking their money and stealing their secrets. The operation known first by the code name 'Thesaurus' and later 'Rubicon' ranks among the most audacious in CIA history."


FTC Warns of Ongoing Scams Using Coronavirus Bait

The U.S. Federal Trade Commission (FTC) warns about ongoing scam campaigns that use the current global-scale Coronavirus health crisis to bait potential targets in the United States via phishing emails, text messages, and social media. The World Health Organization (WHO) announced on January 30, 2020, that the new 2019 novel Coronavirus (also known as 2019-nCoV and Wuhan coronavirus) outbreak is a public health emergency of international concern. "Scammers are taking advantage of fears surrounding the Coronavirus," the FTC says. "They're setting up websites to sell bogus products, and using fake emails, texts, and social media posts as a ruse to take your money and get your personal information. The emails and posts may be promoting awareness and prevention tips, and fake information about cases in your neighborhood." Just as the actors behind the phishing campaigns KnowBe4 and Mimecast spotted, the Emotet gang is also known for quickly taking advantage of trending events and nearing holidays, like a Greta Thunberg Demonstration or the 2019 Christmas and Halloween parties.

FBI: Cybercrime Victims Lost $3.5 Billion in 2019

The FBI's Internet Crime Complaint Center (IC3) published the 2019 Internet Crime Report, which reveals that cybercrime was behind individual and business losses of $3.5 billion, as shown by the 467,361 complaints received during the last year. These resulted in recorded losses reported by victims of $10.2 billion over the last five years, between 2015 and 2019. "It is getting harder and harder for victims to spot the red flags and tell real from fake." "In the same way your bank and online accounts have started to require two-factor authentication - apply that to your life. Verify requests in person or by phone, double-check web and email addresses, and don't follow the links provided in any messages." The IC3 also says that the Recovery Asset Team (RAT), established in February 2018, was able to help cybercrime victims recover funds lost due to various types of Internet crimes. During 2019, IC3 observed an increased number of BEC complaints involving the diversion of payroll funds, where fraudsters send emails to a company's human resources or payroll department requesting direct deposit info updates while posing as an employee. According to IC3, the vast majority of victims who sent complaints reporting tech support fraud scams were over 60 years of age. In 2019, the IC3 also received 2,047 complaints related to ransomware incidents, with adjusted losses of over $8.9 million.

Amex, Chase Fraud Protection Emails Used as Clever Phishing Lure

A very clever phishing campaign is underway that pretends to be fraud protection emails from American Express and Chase that ask you to confirm if the listed credit card transactions are legitimate. Scammers are sending fake Chase and Amex fraud protection emails asking if charges are valid. When comparing real and fake fraud protection emails, there is some suspicious formatting in the phishing emails, but for the most part, they do a very convincing job. As phishing scams become more sophisticated and convincing, it becomes a bit harder to detect whether an email is legitimate. What's even worse, both the Chase and Amex phishing emails make good use of the English language and appear to have been written by native speakers rather than translated through a service like Google Translate.


IBM X-Force: Stolen Credentials and Vulnerabilities Weaponized Against Businesses in 2019

IBM Security released the IBM X-Force Threat Intelligence Index 2020, highlighting how cybercriminals' techniques have evolved after decades of access to tens of billions of corporate and personal records and hundreds of thousands of software flaws. According to the report, 60% of the observed initial entries into victims' networks leveraged either previously stolen credentials or known software vulnerabilities, allowing attackers to rely less on deception to gain access. IBM's analysis found that of the more than 8.5 billion breached records reported in 2019, seven billion of those, or over 85%, were due to misconfigured cloud servers and other improperly configured systems - a stark departure from 2018 when these records made up less than half of total records. Some of the most active banking Trojans found in this year's report, such as TrickBot, were increasingly observed to set the stage for full-on ransomware attacks. In fact, novel code used by banking Trojans and ransomware topped the charts compared to other malware variants discussed in the report.

SoundCloud Fixed API Flaws That Could Lead to Account Takeover

Social audio platform SoundCloud fixed multiple security vulnerabilities affecting its application programming interface (API) that could allow potential attackers to take over accounts, launch denial of service attacks, and exploit the service, according to the Checkmarx Security Research team. According to a report, while investigating the online music platform for API security flaws, the Checkmarx researchers found several vulnerabilities in SoundCloud's API endpoints that attackers could exploit to launch attacks directed at the platform and its users. In combination with a user enumeration bug in the /sign-in/identifier and /users/password_reset endpoints that could be used to obtain valid user account identifiers, it would have allowed threat actors to completely take over SoundCloud user accounts. "Nevertheless, we found evidence of past incidents that could have been caused by a Broken Authentication issue exploitation," Checkmarx security researcher Paulo Silva told BleepingComputer.


440M records found online in unprotected database belonging to Estée Lauder

A security expert discovered that the cosmetics firm Estée Lauder exposed 440 million records online in a database that was left unsecured. "On January 30th I discovered a non-password protected database that contained a massive amount of records totaling 440,336,852. I could see audit logs that contained numerous email addresses in each document. I immediately sent a responsible disclosure notice to Estée Lauder alerting them to the exposure." "The exposed data included user email addresses in plain text, the archive also contained internal email addresses from the domain. The archive included audit logs containing many email addresses in each document. There were millions of records pertaining to middleware that is used by the Estée Lauder company." At the time it is not clear how many email addresses were exposed in the database and for how long the data was exposed online.