Table of Contents

  1. Saltstack
    1. Hackers exploit Salt RCE bugs in widespread attacks, PoCs public
    2. Hackers breach LineageOS servers via unpatched vulnerability
    3. Ghost blogging platform servers hacked and infected with crypto-miner
    4. Search provider Algolia discloses security incident due to Salt vulnerability
    5. CT2 Log Compromised via Salt Vulnerability
    6. XEN-ORCHESTRA SaltStack CVE-2020-11651 and CVE-2020-11652 incident
  2. Digital rights
    1. Judge Orders FCC to Hand IP Addresses Linked to Fake Net Neutrality Comments
    2. Myanmar blocks “fake news” websites amid COVID-19 pandemic
    3. How International Users Unwittingly Build up WeChat’s Chinese Censorship Apparatus
  3. Ransomware
    1. Sodinokibi, Ryuk ransomware drive up average ransom to $111,000
    2. Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware
    3. Targeted Ransomware Attack Hits Taiwanese Organizations
    4. Toll Group hit by ransomware a second time, deliveries affected
    5. Nashville plastic surgery center hit by ransomware
    6. LockBit ransomware self-spreads to quickly encrypt 225 systems
    7. New VCrypt Ransomware locks files in password-protected 7ZIPs
    8. Meet NEMTY Successor, Nefilim/Nephilim Ransomware
    9. PeroxyChem discloses ransomware attack as it continues to address recovery
    10. North Dakota government fiber provider hit by ransomware
  4. Leaks
    1. Home affairs data breach may have exposed personal details of 700,000 migrants
    2. Tokopedia - 12,115,583 breached accounts
    3. Elanic - 2,325,283 breached accounts
    4. TaiLieu - 7,327,477 breached accounts
    5. GoDaddy Confirms Data Breach – 28000 Customers Affected
    6. French daily Le Figaro leaks 7.4 Billion records
    7. Firefox 76 released with integrated data breach alerts
    8. Nintendo Source Code for N64, Wii and GameCube Leaked
    9. Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache
    10. Hacker sells 22 million Unacademy user records after data breach
    11. BJC HealthCare warns patients of possible data breach
    12. CAM4 adult cam site exposes 11 million emails, private chats
    13. Security lapse at India’s Jio exposed coronavirus symptom checker results
    14. Philippines NPC Investigating COVID-19 Related Breaches
  5. Malware
    1. This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days
    2. Hackers use website favicon to camouflage credit card skimmer
    3. New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
    4. Malspam Campaigns Attempt to Install Remote Access Trojans
    5. Taiwan’s Formosa Petrochemical gas stations hit by malware attack
    6. Tarkett floored by cyber attack
    7. Kaiji: New Chinese Linux malware turning to Golang
    8. EventBot: A New Mobile Banking Trojan is Born
  6. Privacy
    1. No cookie consent walls, scrolling isn’t consent, says EU data protection body
    2. Hacker buys old Tesla parts on eBay, finds them full of user data
    3. UK COVID-19 contact-tracing app data may be kept for 'research' after crisis ends, MPs told
  7. Crime
    1. Massive campaign targets 900,000 WordPress sites in a week
    2. Information regarding emergencies at the Ruhr-Universität Bochum
    3. Hacker claims to have breached Microsoft's GitHub private repos
    4. Hacker group selling databases with millions of user credentials busted in Poland and Switzerland
    5. Students, experts call for explanation after York University suffers 'extremely serious' cyber attack
    6. Who Is Dmitry Badin, The GRU Hacker Indicted By Germany Over The Bundestag Hacks?
    7. Student Hacks Into Santa Monica–Malibu Unified School District’s Email Server
    8. Hacker Bribed 'Roblox' Insider to Access User Data
  8. Vulnerabilities
    1. 0-click RCE via MMS in all modern Samsung phones (released 2015+)
    2. ‘Psychic Paper’, an Extraordinarily Powerful But Easily Understood iOS Exploit
    3. Academics turn PC power units into speakers to leak secrets from air-gapped systems
    4. Breaking RSA Security With A Low Noise D-Wave 2000Q Quantum Annealer: Computational Times, Limitations And Prospects
    5. SAP announces security issues in cloud-based products
    6. Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters
  9. APT
    1. Alert: APT Groups Targeting COVID-19 Researchers
    2. Naikon APT: Cyber Espionage Reloaded
    3. Nazar: Spirits of the Past
  10. Scams
    1. Tech Support Scam Uses Child Porn Warning
    2. SilverTerrier BEC scammers target US govt healthcare agencies
  11. Phishing
    1. Cisco Webex phishing uses fake cert errors to steal credentials
    2. US financial industry regulator warns of widespread phishing campaign
    3. Targeted Attack Uses Fake EE Email to Deceive Users
  12. Misc
    1. Zoom Acquires Keybase
    2. Microsoft launches IoT-focused bounty program with $100K awards
    3. CursedChrome turns your browser into a hacker's proxy
    4. Integrating "safe" languages into OpenBSD?
    5. Maximator: European signals intelligence cooperation, from a Dutch perspective

Saltstack

Hackers exploit Salt RCE bugs in widespread attacks, PoCs public

Hackers kept busy this weekend exploiting vulnerable Salt instances used in various infrastructures for server management and automation. Hundreds of servers, both masters and clients (minions) have likely been compromised at this point. F-Secure disclosed the two vulnerabilities last week saying that "any competent hacker" would need less than 24 hours to develop a 100% reliable exploit. According to Censys search engine for hosts and networks available online, there are currently more than 5,000 SaltStack servers exposed on the public internet that are potentially vulnerable to the two bugs already exploited bugs. So hackers have sufficient fodder unless Salt patching is accelerated. Many easily accessible PoC exploits have already been published.

Hackers breach LineageOS servers via unpatched vulnerability

Hackers have gained access to the core infrastructure of LineageOS, a mobile operating system based on Android, used for smartphones, tablets, and set-top boxes. The intrusion took place last night, on Saturday, at around 8 pm (US Pacific coast), and was detected before the attackers could do any harm, the LineageOS team said in a statement published less than three hours after the incident. The LineageOS team said the operating system's source code was unaffected, and so were any operating system builds, which had been already paused since April 30, because of an unrelated issue. Signing keys, used to authenticate official OS distributions, were also unaffected, as these hosts were stored separately from the LineageOS main infrastructure. LineageOS developers said the hack took place after the attacker used an unpatched vulnerability to breach its Salt installation.

Ghost blogging platform servers hacked and infected with crypto-miner

The Ghost developer team said they detected an intrusion into their backend infrastructure systems. The SaltStack vulnerability CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) were used to take control over its Salt master server. While hackers had access to the Ghost(Pro) sites and Ghost.org billing services, they didn't steal any financial information or user credentials.

Search provider Algolia discloses security incident due to Salt vulnerability

Search service Algolia said it suffered a security breach over the weekend after hackers exploited a well-known vulnerability in the Salt server configuration software to gain access to its infrastructure. The company said the hackers installed a backdoor and a cryptocurrency miner on a small number of its servers, but that the incident did not impact its operations in any significant way.

CT2 Log Compromised via Salt Vulnerability

DigiCert certificate transparency logs got compromised because of the salt vulnerability.

XEN-ORCHESTRA SaltStack CVE-2020-11651 and CVE-2020-11652 incident

On Sunday night, the hackers exploited Salt vulnerabilities to make another victim, Xen Orchestra, a platform that provides tools to administrate Citrix Hypervisor (XenServer) and get a complete overview of the infrastructure. The attack started after a subset of services on the infrastructure became unreachable almost at the same time. Another symptom was high CPU‌ usage, reads the security report for Xen Orchestra.

Digital rights

Judge Orders FCC to Hand IP Addresses Linked to Fake Net Neutrality Comments

A Manhattan federal judge has ruled the Federal Communications Commission must provide two reporters access to server logs that may provide new insight into the allegations of fraud stemming from agency's 2017 net neutrality rollback. A pair of New York Times reporters---Nicholas Confessore and Gabriel Dance---sued the FCC under the Freedom of Information Act after it refused their request to view copies of the logs. The logs will show, among other details, the originating IP addresses behind the millions of public comments sent to the agency ahead of the December 2017 net neutrality vote. The FCC attempted to quash the paper's request but failed to persuade District Judge Lorna Schofield, who wrote that, despite the privacy concerns raised by the agency, releasing the logs may help clarify whether fraudulent activity interfered with the comment period, as well as whether the agency's decision-making process is "vulnerable to corruption."

Myanmar blocks “fake news” websites amid COVID-19 pandemic

In March 2020, Internet Service Providers (ISPs) in Myanmar received a directive from the Ministry of Transport and Communications to block 230 websites, most of which contain adult content. However, 67 of these sites were blocked on the grounds of spreading "fake news". The list of these 230 websites has not been published.

How International Users Unwittingly Build up WeChat’s Chinese Censorship Apparatus

WeChat is the most popular social media platform in China and third in the world. While the platform dominates the market in China, it also has made efforts to internationalize and attract users globally. Like any other Internet platform operating in China, WeChat is expected to follow rules and regulations from Chinese authorities around prohibited content. Previous Citizen Lab research shows the balancing act WeChat must maintain as it attempts to keep within government red lines in China and attract users internationally. WeChat implements censorship for users with accounts registered to mainland China phone numbers. This censorship is done without notification to users and is dynamically updated, often in response to current events.

Ransomware

Sodinokibi, Ryuk ransomware drive up average ransom to $111,000

The first quarter of the year recorded an increase of the average amount ransomware operators demand from their victims. Compared to the previous quarter, a 33% swell was noted, driven by the Sodinokibi and Ryuk ransomware operators. Behind this are successful attacks against large enterprises that can afford to pay top dollar to get their data back. The details come from Coveware, a company that handles ransomware incidents and tracks threat actors with a high likelihood of keeping their word and decrypt files after getting their ransom.

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

Fresenius, Europe's largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues. Based in Germany, the Fresenius Group includes four independent businesses: Fresenius Medical Care, a leading provider of care to those suffering from kidney failure; Fresenius Helios, Europe's largest private hospital operator (according to the company's Web site); Fresenius Kabi, which supplies pharmaceutical drugs and medical devices; and Fresenius Vamed, which manages healthcare facilities.

Targeted Ransomware Attack Hits Taiwanese Organizations

A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which we have dubbed ColdLock. This attack is potentially destructive as the ransomware appears to target databases and email servers for encryption. The information TrendMicro gathered indicates that this attack started hitting organizations in early May. Analysis of the malware points to similarities between ColdLock and two previously known ransomware families, specifically Lockergoga, Freezing, and the EDA2 "educational" ransomware kit. There have been no indications that this attack has hit any other organization outside of those targeted

Toll Group hit by ransomware a second time, deliveries affected

The Toll Group has suffered its second ransomware cyberattack in three months, with the latest one conducted by the operators of the Nefilim Ransomware. Toll Group is Asia Pacific's leading provider of trans portion and logistics services, employing roughly 44,000 people at 1,200 locations in more than 50 countries. On February 5th, 2020, Toll Group announced that they had suffered a cyberattack by a new ransomware variant called Mailto that required them to shut down their network to prevent more devices from being encrypted. This time the cyberattack was conducted by the operators of the Nefilim Ransomware.

Nashville plastic surgery center hit by ransomware

Maze Team reportedly hit Nashville Plastic Surgery Institute, LLC, dba Maxwell Aesthetics. It was the very day that they were reopening after having been shut down totally due to the city's response to COVID-19. As they did with the Tarbet proof, Maze Team dumped a lot of files with protected health information of patients. The patient information included name, date of birth, diagnostic information, type of surgery, and in some cases, health insurance information such as the patient's policy number.

LockBit ransomware self-spreads to quickly encrypt 225 systems

A feature of the LockBit ransomware allows threat actors to breach a corporate network and deploy their ransomware to encrypt hundreds of devices in just a few hours. Started in September 2019, LockBit is a relatively new Ransomware-as-a-Service (RaaS) where the developers are in charge of the payment site and development and 'affiliates' sign up to distribute the ransomware. In a new joint report by the researchers at McAfee Labs and cybersecurity firm Northwave, who handled the incident response, we get insight into how a LockBit ransomware affiliate hacked into a corporate network and encrypted approximately 25 servers and 225 workstations.

New VCrypt Ransomware locks files in password-protected 7ZIPs

A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders. BleepingComputer was told today about a new ransomware that was deleting all of a victim's files found in Windows data folders and then creating new "encrypted" files named after the folder name. These encrypted files would utilize a naming format of username~foldername~.vxcrypt.

Meet NEMTY Successor, Nefilim/Nephilim Ransomware

Nefilim emerged in March 2020 and shares a substantial portion of code with another ransomware family, NEMTY. The exact relationship between the actors behind NEMTY and Nefilim/Nephilim is less than clear. NEMTY launched in August of 2019 as a public affiliate program, and has since gone private. Current data indicates that rather than the same actors being behind both families, it is more likely that those behind Nephilim 'acquired' necessary code out of NEMTY in one way or another. The two primary differences between Nefilim and NEMTY are the payment model, and the lack of a RaaS operation. Nefilim instructs victims to contact the attackers via email, as opposed to directing them to a TOR-based payment portal. To add even more confusion to the family tree, Nefilim appears to have evolved into 'Nephilim', and the two are technically similar, differentiated primarily by extension and artifacts in encrypted files.

PeroxyChem discloses ransomware attack as it continues to address recovery

Maze added PeroxyChem to their website. PeroxyChem, headquartered in Philadelphia, is an Evonik (specialty chemicals) company involved with peroxygen and adjacent chemistries. According to their website, they employ approximately 550 people throughout the world, with facilities in North America, Europe and Asia. PeroxyChem already has a security notification up on their website. It seems clear that they have no intention of paying any ransom.

North Dakota government fiber provider hit by ransomware

The company that operates a fiber optic network that supports statewide and local government entities across North Dakota was a victim of a recent ransomware attack that included some of the firm's files being published on a website that attempts to shame victims into paying. DCN's chief executive officer, Seth Arndorfer, said the attack was detected about 1:18 a.m., but that the organization was able to respond quickly. "We quickly shut everything down and restored all of our data from the most recent tape backup, which was Friday, April 24," he told StateScoop in an email.

Leaks

Home affairs data breach may have exposed personal details of 700,000 migrants

Privacy experts have blasted the home affairs department for a data breach revealing the personal details of 774,000 migrants and people aspiring to migrate to Australia, including partial names and the outcome of applications. At a time the federal government is asking Australians to trust the security of data collected by its Covid-Safe contact tracing app, privacy experts are appalled by the breach, which they say is just the latest in a long line of cybersecurity blunders. The department's SkillsSelect platform, hosted by the employment department, invites skilled workers and business people to express an interest in migrating to Australia. Expressions of interest are stored for two years and displayed on a publicly available app, advertised on the home affairs website, allowing them to receive invitations for skilled work visas.

Tokopedia - 12,115,583 breached accounts

In April 2020, Indonesia's largest online store Tokopedia suffered a data breach. The incident resulted in 15M rows of data (allegedly a subset of the complete breach) being posted to a popular hacking forum. The data included over 12M unique email addresses alongside names, genders, birth dates and passwords stored as SHA2-384 hashes.

Elanic - 2,325,283 breached accounts

In January 2020, the Indian fashion marketplace Elanic had 2.8M records with 2.3M unique email addresses posted publicly to a popular hacking forum. Elanic confirmed that they had "verified the data and it was pulled from one of our test servers where this data was exposed publicly" and that the data was "old" (the hacking forum reported it as being from 2016-2018). When asked about disclosure to impacted customers, Elanic advised that they had "decided to not have as such any communication and public disclosure".

TaiLieu - 7,327,477 breached accounts

In November 2019, the Vietnamese education website TaiLieu allegedly suffered a data breach exposing 7.3M customer records. Impacted data included names and usernames, email addresses, dates of birth, genders and passwords stored as unsalted MD5 hashes. The data was

GoDaddy Confirms Data Breach – 28000 Customers Affected

GoDaddy, one of the most famous domain registrar and hosting companies out there, have notified it's customers about security issues and data leakage they have experienced. On April 23, 2020, GoDaddy employees discovered suspicious activity: usernames and passwords were compromised, as attackers made changes to the SSH file in GoDaddy infrastructure. In total, this problem affected approximately 28,000 customers (not 19,000,000, as some have suggested). But it was easy to make this mistake because not all the data breach-related facts have been released yet.

French daily Le Figaro leaks 7.4 Billion records

French daily newspaper Le Figaro exposed roughly 7.4 billion records containing personally identifiable information (PII) of employees, reporters, and at least 42,000 users. The database was discovered by the Safety Detectives team of experts lead by the researcher Anurag Sen, it was over 8TB, the archive also included data of accounts registered between February and April 2020, as well as logs of accesses in the same period.

Firefox 76 released with integrated data breach alerts

Mozilla has released Firefox 76, to the Stable desktop channel for Windows, macOS, and Linux with bug fixes, new features, and security fixes. With this release, Mozilla has fixed eleven security vulnerabilities, with four of them rated as 'Critical', three as 'High', four as 'Moderate', and one as 'Low'. Included are data breach notifications in the integrated Firefox Lockwise password manager, Picture-in-Picture, and new Audio Worklets for better audio processing.

Nintendo Source Code for N64, Wii and GameCube Leaked

Nintendo has reportedly suffered a significant leak of information related to its legacy consoles. According to various sources archived on Resetera and Reddit, over 2 terabytes of data was allegedly leaked onto the anonymous forum 4chan over the weekend, including the original source code for Nintendo 64, GameCube and Wii.

Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned. The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

Hacker sells 22 million Unacademy user records after data breach

Online learning platform Unacademy has suffered a data breach after a hacker gained access to their database and started selling the account information for close to 22 million users. Unacademy is one of India's largest online learning platforms boasting 14K teachers, over a million video lessons, and over 20 million registered users.

BJC HealthCare warns patients of possible data breach

BJC HealthCare is warning patients that their information may have been exposed after it discovered someone gained unauthorized access to three employee email accounts. The suspicious activity was noticed on March 6 and a leading computer forensic firm was hired to investigate. It determined the email accounts had been accessed for a limited amount of time on March 6.

CAM4 adult cam site exposes 11 million emails, private chats

Adult live streaming website CAM4 exposed over 7TB of personally identifiable information (PII) of members and users, stored within more than 10.88 billion database records. The sensitive data was leaked after one of the site's production databases was left open to Internet access on a misconfigured Elasticsearch cluster, with records dating back to March 16, 2020. CAM4 has around 2 billion visitors each year and its members are streaming more than 1 million hours of adult content every week, with over 75,999 private shows being broadcast on a daily basis.

Security lapse at India’s Jio exposed coronavirus symptom checker results

India's largest cell network Jio, a subsidiary of Reliance, launched its coronavirus self-test symptom checker in late March, just before the Indian government imposed a strict nationwide lockdown to prevent the further spread of the coronavirus. The symptom checker allows anyone to check their symptoms from their phone or Jio's website to see if they may have become infected with COVID-19. But a security lapse exposed one of the symptom checker's core databases to the internet without a password, TechCrunch has found.

Philippines NPC Investigating COVID-19 Related Breaches

On April 25, 2020, the Philippines National Privacy Commission ("NPC") issued a statement that it is investigating several breach notifications it has received relating to the unauthorized disclosure of sensitive personal information of confirmed and suspected COVID-19 patients (the "Statement"). According to MLex, a communications officer for the NPC has confirmed that the regulator will focus primarily on remedial measures rather than on the imposition of fines as it investigates the 17 breach notifications reports it received between March 15 and April 23, 2020.

Malware

This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days

On May 4, 2000, users of Windows computers began receiving an email with a malicious attachment. Within just ten days, some fifty million infections were reported, and it has been estimated that as many as 10% of the internet-connected computers in the world ultimately caught the ILOVEYOU virus.

Hackers use website favicon to camouflage credit card skimmer

Hackers have created and used a fake icon portal to host and load a JavaScript web skimmer camouflaged as a favicon onto compromised e-commerce portals to steal their customers' credit card and personal information. Cybercrime gangs known as Magecart groups inject malicious JavaScript-based scripts into the checkout pages of e-commerce stores after hacking them as part of web skimming attacks also known as e-skimming. In such operations, the attackers' end goal is to harvest all the payment info submitted by the compromised site's customers and to collect it on remote servers under own control. As part of the Magecart attack detailed in a Malwarebytes report, several compromised Magento websites were observed while loading a payment card data skimmer instead of the website favicon on their checkout pages, replacing the sites' legitimate checkout option.

New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app

MalwareBytes recently identified a new variant of the Dacls Remote Access Trojan (RAT) associated with North Korea's Lazarus group, designed specifically for the Mac operating system. Dacls is a RAT that was discovered by Qihoo 360 NetLab in December 2019 as a fully functional covert remote access Trojan targeting the Windows and Linux platforms. This Mac version is at least distributed via a Trojanized two-factor authentication application for macOS called MinaOTP, mostly used by Chinese speakers. Similar to the Linux variant, it boasts a variety of features including command execution, file management, traffic proxying and worm scanning.

Malspam Campaigns Attempt to Install Remote Access Trojans

Several malicious spam campaigns using COVID-19 as a lure are attempting to install the Remcos remote access Trojan on victims' devices, according to the Microsoft Security Intelligence unit. It's not clear if all these malspam campaigns, which are targeting organizations in the U.S. and South Korea, are related. But Microsoft researchers found that all the attacks attempt to install Remcos on victims' devices. This remote access Trojan, or RAT, can give attackers full control over an infected device and enable them to run keyloggers as well as capture screenshots and audio recordings.

Taiwan’s Formosa Petrochemical gas stations hit by malware attack

A day after top oil refiner CPC Corp., Taiwan became the target of a malware attack, its privately held competitor, Formosa Petrochemical Corp., suffered a similar ordeal, reports said Tuesday (May 5). The company said it had shut down its computer system, but its refining and petrochemical activities had not been affected, CNA reported. Its gas stations would be unable to compute their income for the day, but otherwise, the stations were operating normally and serving customers. While technical experts were working on restoring the system to normal, it was impossible to tell when the task would be completed, Formosa Petrochemical said.

Tarkett floored by cyber attack

French flooring company Tarkett has revealed that it was hit by a cyber attack on April 29th, and that its operations continue to be disrupted as a result.

Kaiji: New Chinese Linux malware turning to Golang

Security researchers say they've discovered yet another strain of malware that was specifically built to infect Linux-based servers and smart Internet of Things (IoT) devices, and then abuse these systems to launch DDoS attacks. Named Kaiji, this new malware was spotted last week by a security researcher named MalwareMustDie and the team at Intezer Labs. The malware is very different from other IoT malware strains, primarily because it's written in the Go programming language, rather than C or C++, the two languages in which most IoT malware is coded these days.

EventBot: A New Mobile Banking Trojan is Born

The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware that emerged around March 2020. EventBot is a mobile banking trojan and infostealer that abuses Android's accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication. EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets. Those targeted include applications like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more.

Privacy

No cookie consent walls, scrolling isn’t consent, says EU data protection body

You can't make access to your website's content dependent on a visitor agreeing that you can process their data --- aka a 'consent cookie wall'. Not if you need to be compliant with European data protection law. That's the unambiguous message from the European Data Protection Board (EDPB), which has published updated guidelines on the rules around online consent to process people's data.

Hacker buys old Tesla parts on eBay, finds them full of user data

The researcher, who described himself as a "Tesla tinkerer that's curious about how things work," recently gained access to 13 Tesla MCUs --- short for media control units --- that were removed from electric vehicles during repairs and refurbishments. Each one of the devices stored a trove of sensitive information despite being retired. Examples included phone books from connected cell phones, call logs containing hundreds of entries, recent calendar entries, Spotify and W-Fi passwords stored in plaintext, locations for home, work, and all places navigated to, and session cookies that allowed access to Netflix and YouTube (and attached Gmail accounts).

UK COVID-19 contact-tracing app data may be kept for 'research' after crisis ends, MPs told

Britons will not be able to ask NHS admins to delete their COVID-19 contact-tracking data from government servers, digital arm NHSX's chief exec Matthew Gould admitted to MPs this afternoon. Gould also told Parliament's Human Rights Committee that data harvested from Britons through NHSX's COVID-19 contact tracing app would be "pseudonymised" - and appeared to leave the door open for that data to be sold on for "research".

Crime

Massive campaign targets 900,000 WordPress sites in a week

Hackers have launched a massive attack against more than 900,000 WordPress sites seeking to redirect visitors to malvertising sites or plant a backdoor if an administrator is logged in. Based on the payload, the attacks seem to be the work of a single threat actor, who used at least 24,000 IP‌ addresses over the past month to send malicious requests to more than 900,000 sites. Ram Gall, senior QA at Defiant, said that the attackers focused mostly on exploiting cross-site scripting (XSS) vulnerabilities in plugins that received a fix months or years ago and had been targeted in other attacks.

Information regarding emergencies at the Ruhr-Universität Bochum

The RUB's IT infrastructure is down. It was established that an external computer attack on the RUB's central IT infrastructure has taken place. As a result, a large part of the IT infrastructure had to be taken down. As the overall situation is still unclear, IT Services recommends shutting down all connected Windows-based server systems in the faculties as well.

Hacker claims to have breached Microsoft's GitHub private repos

This evening, a hacker going by the name Shiny Hunters contacted BleepingComputer to tell that they had hacked into the Microsoft GitHub account, gaining full access to the software giant's 'Private' repositories. The individual told BleepingComputer that they then downloaded 500GB of private projects and initially planned on selling it, but has now decided to leak it for free. BleepingComputer has contacted Microsoft to confirm if these are indeed legitimate files but have not received a reply.

Hacker group selling databases with millions of user credentials busted in Poland and Switzerland

Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, dismantled InfinityBlack, a hacking group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud. On 29 April 2020, the Polish National Police (Policja) searched six locations in five Polish regions and arrested five individuals believed to be members of the hacking group InfinityBlack. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100 000. Two platforms with databases containing over 170 million entries were closed down by the police.

Students, experts call for explanation after York University suffers 'extremely serious' cyber attack

Students and digital security experts say York University must release more information about what the school calls an "extremely serious" cyber attack last week. York says the Friday evening attack corrupted a number of its servers and workstations, though it has not yet said if any sensitive information was stolen. In a statement, York said its IT department quickly severed the school's internet connection and shut down many of its online programs after the attack began, a move that mitigated the scope and severity of the breach.

Who Is Dmitry Badin, The GRU Hacker Indicted By Germany Over The Bundestag Hacks?

On 5 May 2020, German media reported that Germany's Federal Prosecutor has issued an arrest warrant against Russian citizen Dmitry Badin, the main suspect in the 2015 hacking of the German Bundestag. Bellingcat has done some research to find out more about the suspect.

Student Hacks Into Santa Monica–Malibu Unified School District’s Email Server

A student in the Santa Monica--Malibu Unified School District accessed the school's email late Friday night, according to an email sent by Superintendent Dr. Ben Drati. Drati reported that the student was able to send messages to the student body for 16 minutes before the district's technology team discovered the mass emails and disabled the system. During the weekend, the Gmail application was been temporarily disabled, but teachers were able to use private comments within Google Docs Assignments or use the Stream within Google Classroom for public comments. As of Monday morning Gmail is back in use and distance learning was not disrupted.

Hacker Bribed 'Roblox' Insider to Access User Data

A hacker bribed a Roblox worker to gain access to the back end customer support panel of the massively popular online video game, giving them the ability to lookup personal information on over 100 million active monthly users and grant virtual in-game currency. With this access, the hacker could see users' email address, as well as change passwords, remove two-factor authentication from their accounts, ban users, and more, according to the hacker and screenshots of the internal system. The screenshots shared with Motherboard include the personal information of some of the most high profile users on the platform. The hacker could have looked up information on many users, although it appears they limited their actions to a handful of accounts. The news highlights not only the risk of insiders at companies exploiting their access to user data, but, with Roblox catering to a large audience of minors, how hackers may access the data of children.

Vulnerabilities

0-click RCE via MMS in all modern Samsung phones (released 2015+)

A researcher from Project Zero has released a demo for CVE-2020-8899, that can be abused to get remote code execution, due to numerous bugs in a little-known custom "Qmage" image codec supported by Skia on Samsung devices.

‘Psychic Paper’, an Extraordinarily Powerful But Easily Understood iOS Exploit

This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox.

Academics turn PC power units into speakers to leak secrets from air-gapped systems

Academics from an Israeli university have published new research last week showing how an attacker could turn a computer's power supply unit into a rudimentary speaker that can secretly transmit data from an infected host using audio waves. The technique, named POWER-SUPPLaY, is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has been pioneering research into new covert data exfiltration channels. The techniques Guri has been developing can be used for stealing data through unconventional means.

Breaking RSA Security With A Low Noise D-Wave 2000Q Quantum Annealer: Computational Times, Limitations And Prospects

The RSA cryptosystem could be easily broken with large scale general purpose quantum computers running Shor's factorization algorithm. Being such devices still in their infancy, a quantum annealing approach to integer factorization has recently gained attention. This work, analyzes the most promising strategies for RSA hacking via quantum annealing with an extensive study of the low noise D-Wave 2000Q computational times, current hardware limitations and challenges for future developments.

SAP announces security issues in cloud-based products

German software maker SAP announced on Monday that it started to fix security issues identified in several of its cloud-based products. The company discovered the problems following an internal review and has already started working on eliminating the vulnerabilities. Details about the security flaws have not been disclosed. In an advisory, the company says that fixing the bugs "will largely be completed in the second quarter 2020."

Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters

Zero Day initiative released an article analyzing the remote code execution bugs found in Intel Wireless Adapters.

APT

Alert: APT Groups Targeting COVID-19 Researchers

Authorities in the U.S. and U.K. are warning medical institutions, pharmaceutical companies, universities and others about "password spraying campaigns" by advance persistent threat groups seeking to steal COVID-19 research data. The U.S. and U.K. are investigating large-scale password-spraying campaigns - a type of brute force attack - conducted by APT groups, the alert notes. In such campaigns, "the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on," the alert notes.

Naikon APT: Cyber Espionage Reloaded

An advanced hacker group running cyber-espionage campaigns since at least 2010 has been operating stealthily over the past five years. They deliver a new backdoor called Aria-body and use victims' infrastructure to carry attacks against other targets. Multiple variants of the malware have been discovered and one of them was recently delivered to the Australian government via a malicious email. Behind this action is Naikon APT (advanced persistent threat), a Chinese-speaking adversary that was publicly documented for the first time in 2015, although some of its tools, like Rarstone, had been been detected and analyzed before.

Nazar: Spirits of the Past

The plethora of information exposed in the fifth and last leak by the Shadow Brokers, called "Lost in Translation", and the following consequences that took shape in WannaCry and NotPetya among other things, makes this a changing point in the game of cyber security as we know it. Recently, a security researcher revealed a previously misidentified and unknown threat group, called Nazar, which was part of the last leak by the Shadow Brokers. This research will expand upon the analysis done by Juan and another which was written by Maciej Kotowicz, and will provide an in-depth analysis of each of the Nazar components.

Scams

Tech Support Scam Uses Child Porn Warning

A new email scam is making the rounds, warning recipients that someone using their Internet address has been caught viewing child pornography. The message claims to have been sent from Microsoft Support, and says the recipient's Windows license will be suspended unless they call an "MS Support" number to reinstate the license, but the number goes to a phony tech support scam that tries to trick callers into giving fraudsters direct access to their PCs.

SilverTerrier BEC scammers target US govt healthcare agencies

Government healthcare agencies, COVID-19 response organizations, and medical research facilities from across the globe were the targets of Business Email Compromise (BEC) phishing campaigns coordinated by multiple Nigerian BEC actors during the last three months. BEC aka EAC (short for Email Account Compromise) scammers are known for using social engineering via phishing attacks or hacking to switch the bank accounts used by an organization's financial department to wire out funds. The Nigerian BEC actors tracked as SilverTerrier by Palo Alto Networks' Unit 42 threat intelligence team since 2014 were seen switching to COVID-19 themed lures from January 30 to April 30.

Phishing

Cisco Webex phishing uses fake cert errors to steal credentials

A highly convincing series of phishing attacks are using fake certificate error warnings with graphics and formatting lifted from Cisco Webex emails to steal users' account credentials. Cisco Webex is a video and team collaboration solution that helps users set up video conferences, webinars, online meetings, and share their screens with their colleagues and friends. The platform is currently facing an influx of new users due to the unusual remote working increase caused by the COVID-19 pandemic. According to stats shared by email security company Abnormal Security, these phishing emails have already landed in the mailboxes of up to 5,000 targets that use Cisco Webex while working remotely.

US financial industry regulator warns of widespread phishing campaign

The US Financial Industry Regulatory Authority (FINRA) has issued a rare cyber-security alert today warning member organizations of "a widespread, ongoing phishing campaign." FINRA said the malicious emails were aimed at stealing Microsoft Office and SharePoint account passwords from its member organizations. FINRA, which is a private industry group that works as a self-regulatory body for brokerage firms and exchange markets, said the campaign is still ongoing.

Targeted Attack Uses Fake EE Email to Deceive Users

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to defraud corporate executives' payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider. These spear phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials

Misc

Zoom Acquires Keybase

Zoom announced the acquisition of Keybase, another milestone in Zoom's 90-day plan to further strengthen the security of the video communications platform. Since its launch in 2014, Keybase's team of exceptional engineers has built a secure messaging and file-sharing service leveraging their deep encryption and security expertise.

Microsoft launches IoT-focused bounty program with $100K awards

Microsoft announced the launch of a new IoT-focused research program with awards of up to $100,000 for vulnerabilities found by security researchers in the Azure Sphere IoT security solution. The new research challenge, dubbed Azure Sphere Security Research Challenge, is an expansion to the Azure Security Lab bounty program announced by Microsoft last year at Black Hat 2019. Azure Security Lab's first phase was announced on August 5, 2019, and it included a sandbox-like environment that allowed security researchers to test Azure's security, featured an increase in Azure bug bounty rewards, as well as new scenario-based challenge rewards.

CursedChrome turns your browser into a hacker's proxy

A security researcher published a proof-of-concept Chrome extension that turns Chrome browsers into proxy bots, allowing hackers to navigate the web using an infected user's identity. The tool, named CursedChrome, was created by security researcher Matthew Bryant, and released on GitHub as an open-source project. Under the hood, CursedChrome has two different parts -- a client-side component (the Chrome extension itself) and a server-side counterpart (a control panel where all CursedChrome bots report).

Integrating "safe" languages into OpenBSD?

Theo de Raadt's statement about adding memory safe languages into OpenBSD.

Maximator: European signals intelligence cooperation, from a Dutch perspective

This article is first to report on the secret European five-partner sigint alliance Maximator that started in the late 1970s. It discloses the name Maximator and provides documentary evidence. The five members of this European alliance are Denmark Sweden, Germany, the Netherlands, and France. The cooperation involves both signals analysis and crypto analysis. The Maximator alliance has remained secret for almost fifty years, in contrast to its Anglo-Saxon Five-Eyes counterpart. The existence of this European sigint alliance gives a novel perspective on western sigint collaborations in the late twentieth century. The article explains and illustrates, with relatively much attention for the cryptographic details, how the five Maximator participants strengthened their effectiveness via the information about rigged cryptographic devices that its German partner provided, via the joint U.S.-German ownership and control of the Swiss producer Crypto AG of cryptographic devices.