Table of Contents

  1. Vulnerabilities
    1. CVE-2019-0604 SharePoint Remote Code Execution (RCE) vulnerability
    2. Why I love offensive work, confessions of a recovering Vuln-Dev
    3. Flaw in WordPress ThemeGrill Demo Importer WordPress theme plugin expose 200K+ sites to hack
    4. WordPress Cookie Consent Plugin Fixes Critical Flaw for 700K Users
    5. Windows, Linux Devices at Risk Due to Unsigned Peripheral Firmware
    6. Hacking McDonald's for Free Food
    7. npm stopped working because of Cloudflare
    8. Voatz Internet Voting App Is Insecure
  2. Scams
    1. 800K IPv4 addresses obtained illegitimately
    2. Pay Up, Or We’ll Make Google Ban Your Ads
    3. Encoding Stolen Credit Card Data on Barcodes
  3. Malware
    1. AZORult spreads as a fake ProtonVPN installer
    2. Israeli soldiers tricked into installing malware by Hamas
    3. Parallax RAT: Common Malware Payload After Hacker Forums Promotion
    4. An Old Android Virus is Reinstalling Itself Even After Factory Resets
    5. Apple iPhone Users Targeted with Bogus Dating App for Valentine’s Day
  4. Ransomware
    1. Ouroboros: Following A New Trend In Ransomware League
    2. Ransomware Hit a Florida Voting System in 2016
    3. US CISA warns of Ransomware attacks impacting pipeline operations
  5. Politics
    1. Twitter locks WikiLeaks account days before Assange's extradition hearing
    2. Iran Has Been Targeting VPN Servers to Plant Backdoors
    3. US Govt Updates Info on North Korean Malware
    4. Estonian foreign intelligence warns of growing cyber threats from Russia
    5. Huawei Charged in Racketeering Conspiracy and Conspiracy to Steal Trade Secrets
    6. Nevada Democrats To Use iPads Loaded With Google Forms To Track Caucus
    7. We've Just Seen the First Use of Deepfakes In an Indian Election Campaign
    8. Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign
    9. Cybersecurity Plan for 2020 US Election Unveiled
  6. Privacy
    1. Don't let "Magic Enhancer for YouTube" slurp up your browsing history
    2. Ring Forces 2FA On All Users to Secure Cameras from Hackers
    3. Google slams Samsung for 'unnecessary changes' to the Android kernel
    4. An Anonymous Group Claims it Took DNA From Global Elites -- And is Auctioning It Off
  7. Google
    1. Google Confirms It Again Removed Alleged Spying Tool ToTok From Google Play
    2. Google redraws the borders on maps depending on who’s looking
  8. Phishing
    1. World Health Organization Warns of Coronavirus Phishing Attacks
    2. Phishing on Instagram Baits Russians With Free Money Promise
    3. Mobile Banking Users Targeted in SMS Phishing Campaign
  9. Digital rights
    1. Indian police open case against hundreds in Kashmir for using VPN
    2. Russia Blocks Tutanota Email, Service Still Usable Over Tor or VPN
  10. Crime
    1. Three Italian universities hacked by LulzSec_ITA collective
    2. PoS malware infected systems at 71 locations operated by US store chain Rutter’s
    3. That Time I Worked for A Criminal Organization
  11. Leaks
    1. Nedbank client data compromised in security breach at third-party provider
    2. Plastic Surgery Patient Photos, Info Exposed by Leaky Database


CVE-2019-0604 SharePoint Remote Code Execution (RCE) vulnerability

A security expert found a flaw in SharePoint that could be exploited to remotely execute arbitrary code by sending a specially crafted SharePoint application package. The Income Tax Department of India and MIT Sloan were also vulnerable to CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint. A malicious actor could exploit this vulnerability simply by sending a specially crafted SharePoint application package. The application ( was found to be vulnerable because it used SharePoint as the technology hosting its service.

Why I love offensive work, confessions of a recovering Vuln-Dev

Halvar Flake gave a talk at OffensiveCon 2020 about his roughly 20 years of experience working in the offensive security industry.

Flaw in WordPress ThemeGrill Demo Importer WordPress theme plugin expose 200K+ sites to hack

Experts from the security firm WebARX have discovered a serious flaw in the ThemeGrill Demo Importer WordPress theme plugin, which has over 200,000 active installs. The vulnerability can be exploited to wipe sites running the vulnerable versions of the plugin and to gain admin access to the site.

WordPress Cookie Consent Plugin Fixes Critical Flaw for 700K Users

Critical bugs found in the WordPress GDPR Cookie Consent plugin used by over 700,000 websites allow potential attackers to delete and change content and inject malicious JavaScript code due to improper access controls. The GDPR Cookie Consent plugin is designed to allow site admins to display customizable header or footer cookie banners to show their website's EU Cookie Law (GDPR) compliance. The plugin maintained by WebToffee is also among the top 100 most popular ones in the WordPress plugins repository and is used by more than 700,000 sites according to the active installations count on its WordPress library entry.

Windows, Linux Devices at Risk Due to Unsigned Peripheral Firmware

Researchers have discovered multiple instances of unsigned firmware in computer peripherals that can be used by malicious actors to attack laptops and servers running Windows and Linux. Affected components include trackpads, cameras, Wi-Fi adapters, and USB hubs. Attackers can take advantage of unsigned firmware in several ways, depending on which component they manage to compromise by abusing this flaw. In the case of network adapters, they can capture or alter network traffic, while PCI devices would let them steal information and even take over the system via Direct Memory Access (DMA) attacks. "This could lead to implanted backdoors, network traffic sniffing, data exfiltration and more."

Hacking McDonald's for Free Food

This hack was possible because the McDonald's app didn't authenticate the server, and just did whatever the server told it to do: McDonald's receipts in Germany end with a link to a survey page. Once you take the survey, you receive a coupon code for a free small beverage, redeemable within a month. One day, David happened to be checking out how the website's coding was structured when he noticed that the information triggering the server to issue a new voucher was always the same. That meant he could build a program replicating the code, as if someone was taking the survey again and again.

npm stopped working because of Cloudflare

David Kitchen from Cloudflare writes: 'I am the engineering manager for the DDoS protection team and this morning at 11:06 UTC we tweaked a rule that affected one of our signals. The signal relates to the HTTP referrer header, and we have a piece of code that looks at invalid referrer headers. In this case we tweaked it to include not just "obvious garbage" but "anything that does not conform to the HTTP specification"... i.e. is the referrer a URI? If not then it contributes to knowledge about bad traffic. So... why did this impact It turns out that a lot of NPM traffic sends the referrer as "install" which is invalid according to the HTTP specification. As NPM is also a heavily trafficked site this resulted in the DDoS systems picking this up and treating the traffic as an HTTP flood and determining that a rate-limit should be applied. When we noticed that NPM was seeing an increase in HTTP 429s (as seen on Twitter) we contacted NPM and started an internal investigation. As soon as we identified the root cause we reverted the change, which was at 13:00 UTC. We'll note that NPM and 1 other site use the referrer for purposes outside the HTTP spec and we'll update our systems to ensure that this does not happen again. Additionally, we'll improve our monitoring around changes of this nature so that we can discover impact sooner and roll back automatically.'
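As an added illustration of the mechanism described in the post (this is not Cloudflare's code; the strict "must be an absolute URI with scheme and host" rule, the threshold and the sample traffic are assumptions), the Python snippet below shows how tightening a Referer-validity signal turns a legitimate high-volume client that sends `Referer: install` into a rate-limit candidate:

```python
"""Added example: how a tightened "bad Referer" signal can rate-limit a
legitimate client (npm sends "Referer: install"), as in the npm/Cloudflare
incident. The rules, threshold and traffic below are assumptions, not
Cloudflare's implementation."""
from collections import Counter
from typing import Iterable, Set, Tuple
from urllib.parse import urlsplit


def referer_is_garbage(value: str) -> bool:
    """Lenient rule ("obvious garbage" only): empty, or containing control
    characters or whitespace, which a real HTTP header value cannot carry."""
    return value == "" or any(
        c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in value
    )


def referer_is_uri(value: str) -> bool:
    """Strict rule (assumed here): the value must parse as an absolute URI
    with a scheme and a host. RFC 7231 also allows a partial URI, so this
    is deliberately stricter than the spec; that over-strictness is the
    failure mode the post describes."""
    if referer_is_garbage(value):
        return False
    parts = urlsplit(value)
    return bool(parts.scheme and parts.netloc)


def bad_referer(value: str, strict: bool) -> bool:
    """One request-level signal: does this Referer count as bad traffic?"""
    return not referer_is_uri(value) if strict else referer_is_garbage(value)


def rate_limited_clients(
    requests: Iterable[Tuple[str, str]], strict: bool, threshold: int
) -> Set[str]:
    """Return the client IPs whose number of bad-Referer requests reaches
    `threshold`, i.e. the clients a flood rule would start answering with
    HTTP 429."""
    bad = Counter()
    for client_ip, referer in requests:
        if bad_referer(referer, strict):
            bad[client_ip] += 1
    return {ip for ip, n in bad.items() if n >= threshold}


# Constructed sample traffic (documentation-range IPs): a CI host running
# npm install in a loop, a browser, and a client sending real garbage.
SAMPLE_REQUESTS = (
    [("203.0.113.10", "install")] * 50
    + [("203.0.113.20", "https://www.example.org/")] * 50
    + [("203.0.113.30", "\x00garbage\x01")] * 50
)
THRESHOLD = 20


if __name__ == "__main__":
    print("lenient:", rate_limited_clients(SAMPLE_REQUESTS, False, THRESHOLD))
    print("strict: ", rate_limited_clients(SAMPLE_REQUESTS, True, THRESHOLD))
```

Under the lenient rule only the garbage sender is limited; under the strict rule the npm client joins it, which is why a change of this kind needs monitoring of 429 rates and an automatic rollback path, as the post concludes.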

Voatz Internet Voting App Is Insecure

This paper describes the flaws in the Voatz Internet voting app: "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections." MIT researchers say an attacker could intercept and alter votes while making voters think their votes have been cast correctly, or trick the vote server into accepting connections from an attacker. The app also has problems with how it handles authentication between the voter's mobile phone and the backend server, allowing an attacker to impersonate a user's phone. Even more surprising, although the makers of Voatz have touted its use of blockchain technology to secure the transmission and storage of votes, the researchers found that the blockchain isn't actually used in the way Voatz claims it is, and so supplies no additional security to the system. Voatz responded to the research, claiming it was flawed and that the researchers had used an outdated version of the application.


800K IPv4 addresses obtained illegitimately

A first-of-its-kind fraud prosecution of a small technology company and its owner has shed light on how the architecture of the internet allows spammers, hackers and other bad actors to flourish online while cloaking their true identities. Amir Golestan and his company, Micfo - a web-services provider based above a cafe in a building in this city's historic district - face 20 counts of wire fraud in a case brought in U.S. District Court in South Carolina. Both Mr. Golestan and the corporation have pleaded not guilty. The alleged victim: the American Registry for Internet Numbers, a Centreville, Va., nonprofit that assigns internet protocol addresses in North America and the Caribbean to all online devices. In the Micfo case, filed last May, the Justice Department alleges Mr. Golestan created shell companies solely to deceive the registry into granting him 800,000 IP addresses - which he would have struggled to obtain by other means, especially as the most common type of new IP addresses has become scarce. Mr. Golestan then leased or sold those addresses to clients, according to the complaint and his own account.

Pay Up, Or We’ll Make Google Ban Your Ads

A new email-based extortion scheme apparently is making the rounds, targeting website owners serving banner ads through Google's AdSense program. In this scam, the fraudsters demand Bitcoin in exchange for a promise not to flood the publisher's ads with so much bot and junk traffic that Google's automated anti-fraud systems suspend the user's AdSense account for suspicious traffic.

Encoding Stolen Credit Card Data on Barcodes

Crooks are constantly dreaming up new ways to use and conceal stolen credit card data. According to the U.S. Secret Service, the latest scheme involves stolen card information embedded in barcodes affixed to phony money network rewards cards. The scammers then pay for merchandise by instructing a cashier to scan the barcode and enter the expiration date and card security code.


AZORult spreads as a fake ProtonVPN installer

Researchers discovered an unusual campaign: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows. The campaign started at the end of November 2019, when the threat actor behind it registered a new domain under the name The registrar used for this campaign is from Russia. In their greed, the threat actors designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Ethereum, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP and the Pidgin messenger, and more.

Israeli soldiers tricked into installing malware by Hamas

Members of the Hamas Palestinian militant group have posed as young teenage girls to lure Israeli soldiers into installing malware-infected apps on their phones, a spokesperson for the Israeli Defense Force (IDF) said today. Some soldiers fell for the scam, but the IDF said it detected the infections, tracked down the malware, and then took down Hamas' hacking infrastructure. The IDF said Hamas operatives created Facebook, Instagram, and Telegram accounts and then approached IDF soldiers. According to IDF spokesperson Brigadier General Hild Silberman, Hamas agents posed as new Israeli immigrants in order to excuse their limited knowledge of the Hebrew language. Soldiers who engaged in conversations were eventually lured into installing one of three chat apps, named Catch & See, Grixy, and Zatu, where the agents promised to share more photos.

Parallax RAT: Common Malware Payload After Hacker Forums Promotion

A remote access Trojan named Parallax is being widely distributed through malicious spam campaigns; once installed, it allows attackers to gain full control over an infected system. Since December 2019, security researcher MalwareHunterTeam has been tracking samples of the Parallax RAT as they have been submitted to VirusTotal and other malware submission services. Since early December 2019, the Parallax RAT has been sold on hacker forums, where the developers promote the software and offer support. Parallax RAT was developed by a professional team and is fully written in MASM.

An Old Android Virus is Reinstalling Itself Even After Factory Resets

A particularly persistent malware infection has been spreading amongst Android phones, and removing it only seems to bring it back with a vengeance. The Trojan xHelper, which Malwarebytes first wrote about last year, is reportedly re-spawning on devices where it has already been removed. If virus-removal software doesn't take care of a nasty infection, a hard reset will usually do the trick. But users report that even a full factory reset of an infected device doesn't wipe xHelper out completely. Within an hour the malware is usually back and ready to wreak havoc.

Apple iPhone Users Targeted with Bogus Dating App for Valentine’s Day

A malicious email campaign aimed at iPhone owners is making the rounds this week, using a bouquet of different themes to scam victims just in time for Valentine's Day, including a fake dating app. The gambit begins far from romance, however, with an email from "Nerve Renew" claiming to offer a miracle cure for neuropathy. The interesting thing is that the email body is a picture, completely static. "You cannot copy the contents and paste it elsewhere," according to a Friday post from researchers at Bitdefender, who uncovered the campaign. "The sender wants to keep us inside the email body, clicking the malicious links inside."


Ouroboros: Following A New Trend In Ransomware League

Ransomware authors keep exploring new ways to test their strength against various malware detection and evasion techniques. The ransomware known as "Ouroboros" is expanding its footprint in the field by adding more and more advancements to its behavior with each new version. This analysis covers the behavior of version 6, a few earlier variants, and some insights on the recent version 7. This ransomware not only applies conventional methods but also adopts some new techniques that make it very difficult to analyze.

Ransomware Hit a Florida Voting System in 2016

Election officials in Palm Beach County, Florida, revealed this week that its voter registration system was hit by ransomware in the weeks leading up to the 2016 presidential election, according to The Palm Beach Post. County officials believe that the incident did not interfere with vote counts, the newspaper reports. On Wednesday, Wendy Sartory Link, the recently appointed election supervisor of Palm Beach County, acknowledged that the government voting system sustained a previously undisclosed ransomware attack in mid-September 2016, according to the news report. The attack only came to light recently after Jeff Darter, the former IT director of the Palm Beach County Elections Office, was fired after he was charged with possession of child pornography, the newspaper reports. Following Darter's dismissal, Ed Sacerio, the second in command in the department, revealed the attack to Link. Link added that it does not appear the FBI or Homeland Security was notified of the attack despite widespread reports of hacking before the 2016 election, the newspaper reports. Palm Beach officials didn't offer details about the ransomware strain that hit the voter registration system. Sacerio said that at the time of the attack, a colleague noticed some files disappeared and certain Microsoft documents were encrypted, according to the newspaper. In response to The Palm Beach Post's question on a potential link between the ransomware attack and Russian interference, Link said that she didn't believe they were connected.

US CISA warns of Ransomware attacks impacting pipeline operations

The Cybersecurity and Infrastructure Security Agency (CISA) is warning critical U.S. infrastructure operators of a recent ransomware attack that affected a natural gas compression facility. "CISA responded to a cyberattack affecting control and communication assets on the operational technology network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link to obtain initial access to the organization's information technology network before pivoting to its OT network," reads the alert published by CISA. "The threat actor then deployed commodity ransomware to Encrypt Data for Impact on both networks." This was possible because the victim failed to implement segmentation between the IT and OT networks. The ransomware encrypted files on both the IT and OT networks, causing the "loss of availability" of human-machine interfaces (HMIs), data historians, and polling servers. The CISA alert provides planning and operational mitigation measures, as well as technical and architectural mitigations that organizations in critical infrastructure sectors should implement to avoid similar ransomware attacks.


Twitter locks WikiLeaks account days before Assange's extradition hearing

Days before Julian Assange's extradition hearings are set to continue, WikiLeaks journalist Kristinn Hrafnsson reports that the official WikiLeaks Twitter account has been locked. "All attempts to get it reopened via regular channels have been unsuccessful," writes Hrafnsson in a tweet. "It has been impossible to reach a human at Twitter to resolve the issue. Can someone fix this?" RT reports: The @wikileaks account's most recent posts date back to February 9 and concern the dire precedent set by extraditing a publisher to stand trial on espionage charges. Assange's extradition hearing in the UK, which a court ordered to be split into two parts, is set to begin next week, while the second half is scheduled for May. The publisher's lawyers have complained that access to their client is being restricted, and Assange was only recently moved out of solitary confinement at Belmarsh prison after his fellow inmates staged a protest.

Iran Has Been Targeting VPN Servers to Plant Backdoors

A new report reveals that Iran's government-backed hacking units made it a top priority last year to exploit VPN bugs as soon as they became public, in order to infiltrate companies all over the world and plant backdoors. According to a report from Israeli cyber-security firm ClearSky, Iranian hackers have targeted companies from the IT, telecommunications, oil and gas, aviation, government and security sectors. The report aims to dispel the notion that Iranian hackers are unsophisticated and less talented than their Russian, Chinese, or North Korean counterparts. ClearSky says that Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time. In some instances, ClearSky says it observed Iranian groups exploiting VPN flaws within hours of the bugs being publicly disclosed. According to the ClearSky report, the purpose of these attacks is to breach enterprise networks, move laterally through their internal systems, and plant backdoors to exploit at a later date.

US Govt Updates Info on North Korean Malware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released new information on North Korean malware in six new and updated Malware Analysis Reports (MARs) related to malicious cyber activity from North Korea. Each of these MARs is designed to provide organizations with detailed malware analysis information acquired via manual reverse engineering. They are also issued to help network defenders detect and reduce exposure to HIDDEN COBRA malicious cyber activity, the name the U.S. government uses for North Korean government malicious activity. Each MAR comes with detailed malware descriptions, suggested response actions, and recommended mitigation techniques. US Cyber Command also uploaded malware samples to VirusTotal, saying that "this malware is currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions."

Estonian foreign intelligence warns of growing cyber threats from Russia

Russia will continue to engage in cyber operations to threaten Western nations, with sanctions so far proving ineffective. The warning comes from the Estonian Foreign Intelligence Service (EFIS), which in its 2020 annual threat assessment report states that Russian cyber operations have been successful so far and will continue to look for new security vulnerabilities to exploit in coming months. "In 2019, Russian cyber operations were revealed that have been going on undiscovered for years, and there are likely to be more," the EFIS wrote in its report.

Huawei Charged in Racketeering Conspiracy and Conspiracy to Steal Trade Secrets

A superseding indictment was returned yesterday in federal court in Brooklyn, New York, charging Huawei Technologies Co. Ltd. (Huawei), the world's largest telecommunications equipment manufacturer, and two U.S. subsidiaries with conspiracy to violate the Racketeer Influenced and Corrupt Organizations Act (RICO). As part of the scheme, Huawei allegedly launched a policy instituting a bonus program to reward employees who obtained confidential information from competitors. The policy made clear that employees who provided valuable information were to be financially rewarded. Huawei said in a statement that the new indictment was an attempt to "irrevocably damage Huawei's reputation and its business for reasons related to competition rather than law enforcement". The superseding indictment also includes new allegations about Huawei and its subsidiaries' involvement in business and technology projects in countries subject to U.S., E.U. and/or U.N. sanctions, such as Iran and North Korea, as well as the company's efforts to conceal the full scope of that involvement. The defendants' activities, which included arranging for shipment of Huawei goods and services to end users in sanctioned countries, were typically conducted through local affiliates in the sanctioned countries. Lindsey Graham, a US senator close to Donald Trump, also warned that the UK risked burning its bridges if it included Huawei technology in its 5G network: that Huawei technology is a threat to the US and, "we really think," to the world order. He said: "Reliance on Chinese 5G vendors could render our partners' critical systems vulnerable to disruption, manipulation and espionage. It could also jeopardize our intelligence and communication-sharing capabilities, and by extension it could jeopardize our alliances. It is essential that the international community wake up to the challenge." Pompeo said the Chinese Communist party "represented an enormous risk to the idea of the west".

Nevada Democrats To Use iPads Loaded With Google Forms To Track Caucus

Nevada's Democratic Party said Thursday it plans to use iPads loaded with survey app Google Forms to calculate voting results in next week's caucuses. The system is an effort to avoid a repeat of the Iowa caucus chaos. The app will be loaded onto 2,000 iPads purchased by the party and distributed to precinct chairs, according to a memo signed by party Executive Director Alana Mounce seen by the Associated Press Thursday. Google's app will calculate and submit results electronically, while a second step will rely on submissions also being made by phone. Nevada's caucuses will be held on Feb. 22nd.

We've Just Seen the First Use of Deepfakes In an Indian Election Campaign

The Delhi Bharatiya Janata Party (BJP) has partnered with political communications firm The Ideaz Factory to create "positive campaigns" using deepfakes to reach different linguistic voter bases, Nilesh Christopher reports via Motherboard. It marks the debut of deepfakes in election campaigns in India. From the report: On February 7, a day ahead of the Legislative Assembly elections in Delhi, two videos of Bharatiya Janata Party (BJP) President Manoj Tiwari criticizing the incumbent Delhi government of Arvind Kejriwal went viral on WhatsApp. While one video had Tiwari speaking in English, the other had him speaking in the Hindi dialect of Haryanvi. "[Kejriwal] cheated us on the basis of promises. But now Delhi has a chance to change it all. Press the lotus button on February 8 to form the Modi-led government," he said. One might think that this 44-second monologue was part of standard political outreach, but one thing about it is not standard: these videos were not real. "Deepfake technology has helped us scale campaign efforts like never before," Neelkant Bakshi, co-in-charge of social media and IT for BJP Delhi, tells VICE. "The Haryanvi videos let us convincingly approach the target audience even if the candidate didn't speak the language of the voter." Tiwari's fabricated video was used widely to dissuade the large Haryanvi-speaking migrant worker population in Delhi from voting for the rival political party. According to Bakshi, these deepfakes were distributed across 5,800 WhatsApp groups in the Delhi and NCR region, reaching approximately 15 million people.

Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign

Security experts from the Yoroi-Cybaze ZLab have conducted a detailed analysis of an implant used by the Gamaredon APT group in a recent campaign. Gamaredon Group is a persistent cyber-espionage operation attributed to Russia's FSB (Federal Security Service), part of a long-term military and geopolitical confrontation against the Ukrainian government and, more generally, against Ukrainian military power. In recent months, the Ukrainian CERT (CERT-UA) reported an intensification of Gamaredon cyberattacks against military targets. The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, the Cybaze-Yoroi ZLab team decided to dive deep into a technical analysis of the latest Pterodo implant.

Cybersecurity Plan for 2020 US Election Unveiled

CISA, a unit of the U.S. Department of Homeland Security, will focus on protecting the election infrastructure as well as the infrastructure used by campaigns and political parties; making sure voters are protected from disinformation campaigns; and issuing warnings and responses related to foreign influence and hacking. "We are working to make it harder for adversaries to compromise our systems and to enhance our resilience so that Americans know their votes will count - and will be counted correctly," Christopher Krebs, director of CISA, notes in the plan. Krebs is slated to give a keynote address Feb. 25th at the RSA 2020 Conference in San Francisco, when he likely will further outline the agency's cybersecurity plans for the presidential election. On Feb. 6, the U.S. Government Accountability Office released a report about election security for 2020 calling for CISA and Homeland Security to do more to support local and state officials, including improving communications and providing more timely threat intelligence.


Don't let "Magic Enhancer for YouTube" slurp up your browsing history

Magic Enhancer for YouTube is a handy Chrome Extension that improves the user interface of YouTube by hiding all the distracting bits. It also records every URL you visit and sends them to their servers.

Ring Forces 2FA On All Users to Secure Cameras from Hackers

Ring announced the roll-out of mandatory two-factor authentication (2FA) to all user accounts, as well as additional security and privacy controls over third-party service providers and the choice to opt out of personalized advertising. "While we already offered two-factor authentication to customers, starting today we're making a second layer of verification mandatory for all users when they log into their Ring accounts," Ring President Leila Rouhi said. "This added authentication helps prevent unauthorized users from gaining access to your Ring account, even if they have your username and password." This change comes after a series of hacks targeting Ring cameras in which attackers terrified homeowners by taunting them or speaking to their children over their Ring devices' speakers. After the EFF's report on Ring's use of third-party trackers, the company also announced that it is temporarily pausing the use of most third-party trackers and is working on a way to allow users to further limit information sharing. The announcement further states that customers will be able to opt out of sharing information with third-party trackers specifically for the purpose of receiving personalized ads. These privacy reforms are a good step forward. However, the density of surveillance networks created by Ring cameras, combined with the rapid proliferation of partnerships between law enforcement agencies and Ring with limited, if any, oversight, transparency, or restrictions, continues to pose grave threats to the privacy of all communities, not just Ring's users. There are still a number of key reforms that Ring must make to signal that it is seriously considering the fundamental problems its technology poses.

Google slams Samsung for 'unnecessary changes' to the Android kernel

Google scolded Samsung this week for an issue discovered on the Korean phone maker's Galaxy A50. Google says Samsung made "unnecessary changes to Android's core kernel," adding the changes Samsung made threaten rather than strengthen the phone's security. In a detailed blog post from Google's Project Zero Team, researcher Jann Horn outlines the exact issue with Samsung's changes to the Android kernel on the A50. Samsung's changes included a security feature to restrict an attacker from reading or modifying user data, but Horn says the move is "futile" and rather than bolstering security, it introduces vulnerabilities that could increase an attacker's ability to arbitrarily execute code.

An Anonymous Group Claims it Took DNA From Global Elites - And is Auctioning It Off

An anonymous organization called the Earnest Project is offering the chance to own DNA samples of a handful of world leaders and celebrities. The group claims it has surreptitiously collected items discarded by attendees of the 2018 World Economic Forum in Davos, Switzerland, that may contain their DNA. President Trump, French President Emmanuel Macron, German Chancellor Angela Merkel, and Elton John all attended the conference. From a report: The group has compiled these artifacts - napkins, paper coffee cups, a glass parfait jar, cigarette butts, and other items - in an online catalog it calls the "Davos Collection." Each has an estimated dollar value: A strand of human hair is listed at $1,200 to $3,000. A used breakfast fork has an estimated worth up to $36,500. And a wine glass is valued at up to $65,000. None of the items are identified with names, but it's assumed they come from the leaders or celebrities at the forum. The Earnest Project is planning to auction off the items to raise awareness about "surveillance capitalism," the practice of monetizing people's personal data. They fear that our genetic data could eventually end up in the hands of tech companies like Facebook and Google, which already harvest a lot of personal data.


Google Confirms It Again Removed Alleged Spying Tool ToTok From Google Play

Google has confirmed that the popular messaging app ToTok, which is actually a spying tool used by the United Arab Emirates to track the activities of those who download it, has again been removed from the Play Store. But this time they declined to comment as to why. Reached for comment, Google confirmed to TechCrunch that it removed the app from Google Play. In addition, Google noted the enforcement was not done in response to any external direction or request. That means the U.S. government did not get involved here, rather that Google chose to remove the app itself - likely for a policy violation.

Google redraws the borders on maps depending on who’s looking

Google's corporate mission is "to organize the world's information," but it also bends it to its will. From Argentina to the United Kingdom to Iran, the world's borders look different depending on where you're viewing them from. That's because Google - and other online mapmakers - simply change them.


World Health Organization Warns of Coronavirus Phishing Attacks

The World Health Organization (WHO) warns of ongoing Coronavirus-themed phishing attacks that impersonate the organization with the end goal of stealing information and delivering malware. "Criminals are disguising themselves as WHO to steal money or sensitive information," the United Nations agency says in the Coronavirus scam alert. "WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency." The phishing messages are camouflaged to appear as being sent by WHO officials and ask the targets to share sensitive info like usernames and passwords, redirect them to a phishing landing page via malicious links embedded in the emails, or ask them to open malicious attachments containing malware payloads.

Phishing on Instagram Baits Russians With Free Money Promise

A large-scale phishing campaign is running on Instagram to bait Russians with a fake presidential decree that promises a lump-sum payment for citizens to start their own business. Since the start of the campaign, more than 200,000 people have viewed the messages. "The first results of the so-called «social contracts program» are being summed up in several Russian regions," the lure claims. Security researchers from Russian antivirus company Doctor Web found that the fraudsters rely on advertisements delivered on Instagram to promote the lure. The presidential decree detail, to which the crooks gave the number 1122B and a date of February 11, 2020, makes for a convincing tale. "A pre-created Facebook profile is used as the advertiser for the campaign," say the experts in a brief report on Monday. Doctor Web found two phishing websites that are part of this campaign, both with valid digital certificates and purporting to be "official resources of the Russian Ministry of Economic Development:" https://news-post. A random sum is generated next, and a fee of 300 rubles (~$5) is requested for the electronic application to get it. The checkout page asks for more details, including the phone number and information on the payment card (name, number, CVV code). Needless to say, the crooks get both the registration fee and all the data provided.

Mobile Banking Users Targeted in SMS Phishing Campaign

Cybercriminals targeted mobile banking users by sending malicious SMS messages to their smartphones as part of a phishing campaign to steal account holders' information, including usernames and passwords, according to the cybersecurity firm Lookout. More than 3,900 mobile banking app users of several Canadian and American banks fell victim to the SMS phishing attacks, which started in June 2019 and apparently recently ended, researchers at Lookout say in their new report. Those affected included customers of Scotiabank, CIBC Bank, RBC Royal Bank, UniBank, HSBC, Tangerine Bank, TD Bank, Meridian, Laurentian, Manulife, BNC National Bank and Chase, according to the report. The researchers notified the banks involved before publishing their report on Friday.

Digital rights

Indian police open case against hundreds in Kashmir for using VPN

Local authorities in India-controlled Kashmir have opened a case against hundreds of people who used virtual private networks (VPNs) to circumvent a social media ban in the disputed Himalayan region, in a move that has been denounced by human rights and privacy activists. Tahir Ashraf, who heads the police cyber division in Srinagar, said on Tuesday that the authority had identified and was probing hundreds of suspected users who he alleged misused social media to promote "unlawful activities and secessionist ideology." On Monday, the police said they had also seized "a lot of incriminating material" under the Unlawful Activities Prevention Act (UAPA), the nation's principal counter-terrorism law. Those found guilty could be jailed for up to seven years.

Russia Blocks Tutanota Email, Service Still Usable Over Tor or VPN

Access to the Tutanota secure email service is currently being blocked in Russia, with the block enacted over the weekend, starting February 14. No Russian authorities have contacted or notified Tutanota about this block yet, and the team behind it still doesn't know why Tutanota is blocked in Russia, according to Tutanota co-founder and developer Matthias Pfau. The service is still accessible via Tor or VPN. "As the OONI Explorer - a tool to demonstrate censorship online - shows, Tutanota is blocked in parts of Russia," Pfau shared in a blog post. "Tutanota is also listed in the registry of blocked sites provided by Russian activists," he added. "We are still evaluating the situation and figuring out how we can resolve this for the users of our secure email service in Russia. For now, we ask them to use the Tor browser or a VPN to access Tutanota." Russian users who cannot reach Tutanota can use a VPN or the Tor browser to evade the ongoing block and get access to their secure Tutanota mailboxes. According to Pfau, Tutanota has also been blocked in Egypt since October 2019, although users there can still access it via VPN and Tor. ProtonMail and StartMail are also blocked: as we previously reported, Tutanota is not the first secure email service blocked by the Russian government since the start of 2020, with ProtonMail (and ProtonVPN) also becoming unreachable in Russia starting on January 29.


Three Italian universities hacked by LulzSec_ITA collective

The popular Italian hacktivist collective LulzSec ITA has announced via Twitter the hack of three Italian universities, highlighting the importance of cybersecurity for our society. The attackers claimed that the choice of the universities of Basilicata, Napoli and Rome 3 as targets was random. As for motivation, they confirmed to me that they have always had an interest in Italian education. They explained that, nine years after the first attacks against the universities, nothing has changed from the cyber security perspective. In the simplest terms, the hackers used a classic and very simple SQL Injection attack. Such attacks can be launched automatically with very simple tools, and SQL Injection can allow attackers to access the target database.

PoS malware infected systems at 71 locations operated by US store chain Rutter’s

US store chain Rutter's disclosed a security breach: 71 locations were infected with Point-of-Sale (POS) malware used to steal customers' credit card information. The company confirmed that attackers gained access to its stores' network and infected payment systems at 71 locations with POS malware. Rutter's operates more than 75 locations throughout Pennsylvania, Maryland, and West Virginia. According to a Notice of Payment Card Incident published by the company, attackers stole some payment card data from cards used on POS devices at convenience stores and fuel pumps. The threat actors planted POS malware into the payment processing systems that was specifically designed to steal card data.

That Time I Worked for A Criminal Organization

Here's a blog post by an ex-employee of Micfo, which recently came to light after it was found that the CEO used shady tactics to obtain IPv4 addresses illegitimately from ARIN.


Nedbank client data compromised in security breach at third-party provider

Nedbank announced on Thursday that a security breach at a third-party supplier has compromised the details of as many as 1.7 million of its clients. "We have moved swiftly to proactively secure and destroy all Nedbank client information held by Computer Facilities (Pty) Ltd. Information from Nedbank Retail relating to approximately 1,7 million clients was potentially affected of which 1,1 million are active clients," continues the notice. "We regret the incident that occurred at the third-party service provider, namely Computer Facilities (Pty) Ltd and the matter is receiving our urgent attention." Nedbank Group Chief Information Officer Fred Swanepoel says: "The third-party service provider namely, Computer Facilities (Pty) Ltd did not have any links to our systems. Our team of IT specialists and external cyber security experts have been working continuously with them since we became aware of this matter. Clients' bank accounts have not been compromised in any manner whatsoever and clients have not suffered any financial loss."

Plastic Surgery Patient Photos, Info Exposed by Leaky Database

Hundreds of thousands of documents with plastic surgery patients' personal information and highly sensitive photos were exposed online by an improperly secured Amazon Web Services (AWS) S3 bucket. NextMotion is a French plastic surgery tech firm that provides imaging and patient management services that help 170 plastic surgery clinics in 35 countries document, digitize and market their practices. Its pitch to clients promises to address "before & after imaging issues," to "reassure your patients, simplify your data management and improve your e-reputation." The bucket was used by NextMotion to store roughly 900,000 files, including highly sensitive patient images and videos as well as plastic surgery, dermatological treatment, and consultation documents. NextMotion's CEO said in a press release that the patient data stored in the leaky bucket "had been de-identified - identifiers, birth dates, notes, etc." However, "the exposed paperwork and invoices also contained Personally Identifiable Information (PII) data of patients," as the two researchers explained. "This incident only reinforced our ongoing concern to protect your data and your patients' data when you use the Nextmotion application." - CEO of NextMotion. This is not the first time the sensitive personal information of plastic surgery patients may have landed in the wrong hands following a security incident. In 2017, the London Bridge Plastic Surgery clinic issued a data breach statement saying that The Dark Overlord (TDO) hacking group was able to steal patient information and highly sensitive photos. The AZ Plastic Surgery Center notified 5,524 patients in February 2019 that some of their protected health information (PHI) may have been accessed by TDO.