Table of Contents

  1. Privacy
    1. France defends 'centralized' coronavirus tracing app, insists privacy held sacred
    2. German intelligence can't spy on foreigners outside Germany
    3. New York Times phasing out all 3rd-party advertising data
    4. Apple whistleblower goes public over 'lack of action'
    5. Google rolls out new Enhanced Safe Browsing security feature
    6. COVID-19 data sharing with law enforcement sparks concern
    7. Canada fines Facebook almost $6.5 million over ‘false’ data privacy claims
    8. Coronavirus: Serco shares email addresses of hundreds of contact tracers in ‘privacy breach’
    9. Tusla fined €75,000 for three GDPR violations
    10. Signal to move away from using phone numbers as user IDs
    11. French Court Bans the Use of Drone Surveillance to Enforce Covid-19 Lockdown
    12. Why Is This Website Port Scanning Me?
  2. Breaches
    1. 'Highly sophisticated' hackers access details of 9 million easyJet passengers
    2. Verizon Data Breach Report 2020
    3. FBI investigating security breach of Arkansas’ self-employed aid website
    4. Ukraine Nabs Suspect in 773M Password ‘Megabreach’
    5. UK: Over 190 Law Firms Affected by Advanced Data Leak That Exposed Over 10,000 Legal Documents
    6. BlockFi’s Data Breach May Allow Criminals to Extort Rich Clients
    7. Japan suspects missile data leak in Mitsubishi cyberattack
    8. Brazil’s Natura & Co Cosmetics Accidentally Exposes Personal Details of 192 Million Customers
    9. ‘Flight risk’ employees involved in 60% of insider cybersecurity incidents
    10. Home Chef announces data breach after hacker sells 8M user records
  3. Vulnerabilities
    1. Adobe issues out-of-band patch to fix remote code execution flaw in animation software
    2. NXNSAttack
    3. The Elementor Attacks: How Creative Hackers Combined Vulnerabilities to Take Over WordPress Sites
    4. Lost and Found: Stopping Bluetooth Finders from Leaking Private Information
    5. Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks
    6. In Flight Entertainment System Security
    7. Turning Signal App into a Coarse Tracking Device
  4. Scams
    1. US Treasury Warning: Beware of COVID-19 Financial Fraud
    2. Scattered Canary Cybercrime Ring Exploits the COVID-19 Pandemic with Fraudulent Unemployment and CARES Act Claims
  5. Digital rights
    1. Social media disrupted in Burundi on election day
  6. Malware
    1. The wolf is back...
    2. TrickBot BazarLoader In-Depth
    3. Confiant & Protected Media Uncover Mobile Billing Malvertiser Dubbed ‘wapSiphone’
  7. Phishing
    1. Microsoft warns of 'massive' phishing attack pushing legit RAT
  8. Politics
    1. Israel behind cyberattack that caused ‘total disarray’ at Iran port
  9. Ransomware
    1. Netfilm Ransomware Operators Leak Massive Data From a Global Logistic Group
    2. Netwalker Fileless Ransomware Injected via Reflective Loading

Privacy

France defends 'centralized' coronavirus tracing app, insists privacy held sacred

France has defended its homebrew coronavirus-tracing app as European countries continue to clash with Google and Apple over how the apps should gather and use consumer data. Countries across the world are clamoring to create ways to deal with the spread of COVID-19. Alongside pouring investment into vaccine and drug therapy trials, contact-tracing apps have been touted as a potential way to document the spread of the novel coronavirus through a population. The concept is "track and trace" -- ask citizens to download a mobile application, and if they are experiencing COVID-19 symptoms, they can flag themselves as potential cases. Individuals they have come into contact with will then be alerted, and vice versa.

German intelligence can't spy on foreigners outside Germany

In a landmark decision, the German Constitutional Court has ruled that mass surveillance of telecommunications outside of Germany conducted on foreign nationals is unconstitutional. Thanks to the chief legal counsel, Gesellschaft für Freiheitsrechte (GFF), this is a major victory for global civil liberties, but especially for those who live and work in Europe. Many will now be protected after lackluster 2016 surveillance reforms continued to authorize the surveillance of EU states and institutions for the purpose of "foreign policy and security," and permitted the BND to collaborate with the NSA. In its press release about the decision, the court found that the privacy rights of the German constitution also protect foreigners in other countries and that the German intelligence agency, Bundesnachrichtendienst (BND), had no authority to conduct telecommunications surveillance on them:

New York Times phasing out all 3rd-party advertising data

The New York Times will no longer use 3rd-party data to target ads come 2021, executives tell Axios, and it is building out a proprietary first-party data platform. Why it matters: Third-party data, which is collected from consumers on other websites, is being phased out of the ad ecosystem because it's not considered privacy-friendly. This has forced several big publications to rely on their own first-party data, or data that they collect directly from their users.

Apple whistleblower goes public over 'lack of action'

A former Apple contractor who helped blow the whistle on the company's programme to listen to users' Siri recordings has decided to go public, in protest at the lack of action taken as a result of the disclosures. In a letter announcing his decision, sent to all European data protection regulators, Thomas le Bonniec said: "It is worrying that Apple (and undoubtedly not just Apple) keeps ignoring and violating fundamental rights and continues their massive collection of data. "I am extremely concerned that big tech companies are basically wiretapping entire populations despite European citizens being told the EU has one of the strongest data protection laws in the world. Passing a law is not good enough: it needs to be enforced upon privacy offenders." Le Bonniec, 25, worked as a subcontractor for Apple in its Cork offices, transcribing user requests in English and French, until he quit in the summer of 2019 due to ethical concerns with the work. "They do operate on a moral and legal grey area," he told the Guardian at the time, "and they have been doing this for years on a massive scale. They should be called out in every possible way."

Google rolls out new Enhanced Safe Browsing security feature

Google has announced a new Enhanced Safe Browsing feature that will offer real-time protection against known malicious web sites and downloads. Since 2007, Google has offered the Safe Browsing feature to protect users from malicious web sites and files that contain malware, display phishing pages, or attempt to install malicious files. With this feature, when you browse a site or download a file, Chrome will share additional information with Google Safe Browsing so it can check URLs for malicious activity. The use of this feature, though, does come with a small sacrifice in privacy, as "Chrome will also send a small sample of pages and suspicious downloads to help discover new threats against you and other Chrome users." Google has released Chrome 83 to the Stable desktop channel, and it includes major security and privacy enhancements as well as some long-awaited features.

COVID-19 data sharing with law enforcement sparks concern

More than 11 million people have been tested in the U.S. for COVID-19, all with the assurance that their private medical information would remain protected and undisclosed. Yet public officials in at least two-thirds of states are sharing the addresses of people who tested positive with first responders, from police officers to firefighters to EMTs. An Associated Press review found that at least 10 of those states also share the patients' names. First responders argue the information is vital to helping them take extra precautions to avoid contracting and spreading the coronavirus. But civil liberty and community activists have expressed concerns about potential profiling in African-American and Hispanic communities that already have an uneasy relationship with law enforcement. Some envision the data being forwarded to immigration officials.

Canada fines Facebook almost $6.5 million over ‘false’ data privacy claims

Facebook is coughing up for another fine. This time the social network is handing over CAD$9 million (US$6.5 million / £5.3 million) to Canada as part of a settlement over the way it handled users' personal information between August 2012 and June 2018. According to Canada's independent Competition Bureau, Facebook "made false or misleading claims about the privacy of Canadians' personal information on Facebook and Messenger" and improperly shared data with third-party developers.

Coronavirus: Serco shares email addresses of hundreds of contact tracers in ‘privacy breach’

E-mail addresses of 300 contact tracers have been shared accidentally by Serco in what could be a breach of data protection rules. The government is using the outsourcing firm to help with its tracing strategy aimed at monitoring Covid-19 cases. The company has been training people to track cases of coronavirus in the UK and has so far recruited 21,000 staff, some of whom are healthcare professionals, according to health secretary Matt Hancock.

Tusla fined €75,000 for three GDPR violations

Tusla, Ireland's child and family agency, has been fined €75,000 for three breaches of the GDPR (General Data Protection Regulation). It was found to have disclosed the personal information of children to unauthorised parties on three occasions. In one instance, the contact and location data of a mother and child were disclosed to an alleged abuser. The other cases related to personal data about children in foster care being disclosed to blood relatives.

Signal to move away from using phone numbers as user IDs

Secure instant messaging app Signal this week launched a new feature called "Signal PINs", which the company says will help users migrate account data between devices. Signal says that in the long run, this new feature is the base and the first step towards moving away from using phone numbers as profile IDs. The new Signal profile PIN feature is already live and available for all Signal users. It can be enabled in the Signal Settings section, under Privacy, via the Signal PIN option. Once enabled, users will be asked to create a PIN code that will be associated with their account. The PIN can be anything from a four-digit number to a long alphanumeric string. The PIN is used to encrypt profile information, account settings, and local contacts, and a copy of the encrypted data is then uploaded to Signal's servers.

French Court Bans the Use of Drone Surveillance to Enforce Covid-19 Lockdown

The Conseil d'État, France's highest administrative court, issued a decision banning French authorities from using drone surveillance to track individuals violating social distancing rules. The Court cited privacy issues with drone surveillance and stated that drone surveillance by police would be banned until technology is added to prevent the filming and identification of individuals or approval was given by France's privacy regulator, the Commission nationale de l'informatique et des libertés.

Why Is This Website Port Scanning Me?

Charlie Belmer discovered that eBay is using WebSockets to port scan localhost, presumably to find out whether the device is compromised and malware is running on it.

Breaches

'Highly sophisticated' hackers access details of 9 million easyJet passengers

Travel details and email addresses of around nine million easyJet customers have been accessed through a "highly sophisticated" cyber hack, according to the airline. In a statement on Tuesday, the budget carrier said the credit card details of a further 2,208 people had been accessed, but added there was "no evidence" of the data being misused. Passport details are not believed to have been touched. The airline has yet to specify how attackers accessed its systems, when the data breach began, how long it lasted or when it was first detected. But the BBC reports that the breach began in January and that customers whose payment card data was accessed were notified in April.

Verizon Data Breach Report 2020

Verizon has released its yearly data breach report with analysis of encountered attacks.

FBI investigating security breach of Arkansas’ self-employed aid website

The troubled website Arkansas built from scratch to offer unemployment assistance to freelancers and contractors knocked out of work by the COVID-19 pandemic remains offline Monday because of a security breach detected before the weekend. Technicians with the state Department of Commerce have been working to fix the portal after a person alerted authorities they had gained access to other applicants' private data. Whether you call that person a hacker or a concerned citizen may come down to political points of view. "It is being investigated by the FBI," said Governor Asa Hutchinson during his latest update on the pandemic response. "My information was this data was exploited."

Ukraine Nabs Suspect in 773M Password ‘Megabreach’

In January 2019, dozens of media outlets raised the alarm about a new "megabreach" involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled "the largest collection of stolen data in history." A subsequent review by KrebsOnSecurity quickly determined the data was years old and merely a compilation of credentials pilfered from mostly public data breaches. The Security Service of Ukraine (SBU) on Tuesday announced the detention of a hacker known as Sanix (a.k.a. "Sanixer") from the Ivano-Frankivsk region of the country. The SBU said they found on Sanix's computer records showing he sold databases with "logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, and information about computers hacked for further use in botnets and for organizing distributed denial-of-service (DDoS) attacks."

UK: Over 190 Law Firms Affected by Advanced Data Leak That Exposed Over 10,000 Legal Documents

A leading UK software company exposed personal information belonging to over 190 law firms through an unsecured online database. Security firm TurgenSec discovered the breach but could not immediately identify the owner of the online database and therefore contacted the National Cyber Security Centre (NCSC). Following its Responsible Disclosure Policy, the firm contacted the affected law firms, who confirmed the data leak came from legal documents hosted by Laserform Hub, owned by Advanced Computer Software Group Limited.

BlockFi’s Data Breach May Allow Criminals to Extort Rich Clients

Crypto lending provider BlockFi reported on Tuesday that it suffered a data breach that may put some of its clients in physical danger. According to its incident report, some of the company's client data was breached through a SIM card swap attack performed on one of its employees.

Japan suspects missile data leak in Mitsubishi cyberattack

Japan is investigating a possible leak of data including details of a prototype missile in a massive cyberattack earlier this year on Mitsubishi Electric Corp., officials said Wednesday. The suspected leak involves sensitive information about a prototype of a cutting-edge high speed gliding missile intended for deployment for the defense of Japan's remote islands amid China's military assertiveness in the region. Chief Cabinet Secretary Yoshihide Suga told reporters that the Defense Ministry is investigating "the possible impact of the information leak on national security."

Brazil’s Natura & Co Cosmetics Accidentally Exposes Personal Details of 192 Million Customers

Natura, one of Brazil's largest cosmetics companies, accidentally exposed the personally identifiable information (PII) of nearly 192 million customers. The leaky database, discovered last month by Safety Detectives led by cybersecurity researcher Anurag Seg, was hosted on two unprotected US-based Amazon servers and contained between 272GB and 1.3TB of data belonging to the company. In yesterday's report, the researchers noted that more than "250,000 customers that had previously ordered beauty products from the website had their personal information made available to the public without Natura's knowledge." To make matters worse, payment information of 40,000 shoppers "related to a third-party company, Wirecard, was also publicly available for over 2 weeks."

‘Flight risk’ employees involved in 60% of insider cybersecurity incidents

According to the Securonix 2020 Insider Threat Report, "flight risk" employees, generally deemed to be individuals on the verge of resigning or otherwise leaving a job, often change their behavioral patterns from two months to two weeks before conducting an insider attack. Insider incidents are caused by individuals within an organization rather than external threat actors. Employees or contractors with privileged access to systems may cause damage, steal or sell data, or be the cause of a security failure -- such as by uploading or moving confidential resources to third-party services without permission. A 2019 case involving Trend Micro, for example, involved a rogue employee who was caught stealing customer data in order to sell the records on to others for use in targeted scams. Securonix says that the exfiltration of sensitive data continues to be the most common insider threat, often taking place via email transfers or web uploads to cloud storage services including Box and Dropbox. This attack vector is followed by privileged account abuse.

Home Chef announces data breach after hacker sells 8M user records

Home Chef, a US-based meal kit and food delivery service, announced a data breach today after a hacker sold 8 million user records on a dark web marketplace. Last week, BleepingComputer reported that a threat actor named Shiny Hunters was selling the user records of eleven companies on a dark web marketplace. The threat actor was selling these databases for $500 to $2,500. The Home Chef database was one of those being sold and allegedly contained 8 million user records. At the time of our reporting, BleepingComputer emailed Home Chef but never received a response. Now, almost two weeks later, Home Chef has officially disclosed the data breach in a "Data security incident" notice posted to its web site.

Vulnerabilities

Adobe issues out-of-band patch to fix remote code execution flaw in animation software

On Tuesday, the company released a security advisory warning customers of CVE-2020-9586, a stack-based buffer overflow vulnerability that could lead to RCE attacks. Adobe Character Animator on Windows and macOS machines, versions 3.2 and earlier, is vulnerable to the critical bug, which has been issued a CVSS severity score of 7.8. While there are no reported cases of the security flaw being exploited in the wild, attackers could trigger an attack by persuading users to open a crafted, malicious document. It is also possible for this vulnerability to cause system crashes.

NXNSAttack

The NXNSAttack is a new vulnerability that exploits the way DNS recursive resolvers operate when receiving an NS referral response that contains nameservers but not their corresponding IP addresses (i.e., missing glue records). The number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to proactive resolution of the nameservers' IP addresses. This inefficiency becomes a bottleneck and might be used to mount a devastating attack against recursive resolvers, authoritative servers, or both. The NXNSAttack is more effective than the NXDomain attack: i) it reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver; ii) besides the negative cache, the attack also saturates the resolver's NS caches.
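The glue-less referral mechanism described above, as an added simulation that is not code from the NXNSAttack paper or from any real resolver: a toy iterative resolver counts the queries it sends, and the queries a victim authoritative server receives, for a single client query, first with unbounded NS-address fetching and then with a per-referral fetch cap that models the mitigation of limiting how many NS addresses a resolver will look up. All zone names, addresses and the resolver logic are constructed assumptions.

```python
"""Toy model of an iterative DNS resolver following referrals. It shows why a
referral listing many nameserver names WITHOUT glue records multiplies the
messages a resolver sends (NXNSAttack) and how a per-referral fetch cap bounds it."""

ROOT_IP = "198.51.100.1"      # constructed (TEST-NET-2) addresses
ATTACKER_IP = "198.51.100.2"
VICTIM_IP = "198.51.100.3"

class AuthServer:
    """Minimal authoritative server: exact-name answers plus zone delegations."""

    def __init__(self, answers=None, delegations=None):
        self.answers = answers or {}          # qname -> IPv4 string
        self.delegations = delegations or {}  # zone -> (ns_names, glue dict)
        self.received = 0                     # queries this server had to handle

    def query(self, qname):
        self.received += 1
        if qname in self.answers:
            return ("A", self.answers[qname], None)
        for zone, (ns_names, glue) in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                return ("REFER", ns_names, glue)
        return ("NXDOMAIN", None, None)

class Resolver:
    """Iterative resolver that looks up every glue-less NS name in a referral
    before using the delegation. max_ns_fetch=None is the unbounded behaviour."""

    def __init__(self, network, max_ns_fetch=None):
        self.network = network          # ip -> AuthServer
        self.max_ns_fetch = max_ns_fetch
        self.packets = 0                # queries sent by the resolver

    def _send(self, ip, qname):
        self.packets += 1
        return self.network[ip].query(qname)

    def resolve(self, qname, server_ip=ROOT_IP, depth=0):
        if depth > 8:                   # guard against referral loops
            return None
        kind, a, b = self._send(server_ip, qname)
        if kind == "A":
            return a
        if kind != "REFER":
            return None                 # NXDOMAIN: nothing to follow
        ns_names, glue = a, b
        ns_ips = [glue[n] for n in ns_names if n in glue]
        unglued = [n for n in ns_names if n not in glue]
        if self.max_ns_fetch is not None:
            unglued = unglued[: self.max_ns_fetch]   # the mitigation
        for name in unglued:            # each costs a fresh lookup from the root
            ip = self.resolve(name, ROOT_IP, depth + 1)
            if ip is not None:
                ns_ips.append(ip)
        if not ns_ips:
            return None                 # the client would get SERVFAIL
        return self.resolve(qname, ns_ips[0], depth + 1)

def build_network(k):
    """Constructed topology: root delegates both zones with glue; the attacker's
    server delegates sub.attacker.example to k nonexistent victim names, no glue."""
    ns_names = [f"ns{i}.victim.example" for i in range(k)]
    root = AuthServer(delegations={
        "attacker.example": (["ns.attacker.example"], {"ns.attacker.example": ATTACKER_IP}),
        "victim.example": (["ns.victim.example"], {"ns.victim.example": VICTIM_IP}),
    })
    attacker = AuthServer(delegations={"sub.attacker.example": (ns_names, {})})
    victim = AuthServer(answers={"www.victim.example": "203.0.113.10"})
    return {ROOT_IP: root, ATTACKER_IP: attacker, VICTIM_IP: victim}

def run(k, max_ns_fetch=None):
    """Resolve ONE client query; return (packets sent, queries the victim saw)."""
    net = build_network(k)
    r = Resolver(net, max_ns_fetch)
    r.resolve("www.sub.attacker.example")
    return r.packets, net[VICTIM_IP].received

def benign_lookup():
    """Normal glued delegation for comparison: returns (answer, packets sent)."""
    net = build_network(1)
    r = Resolver(net)
    return r.resolve("www.victim.example"), r.packets

if __name__ == "__main__":
    print("benign lookup:", benign_lookup())               # ('203.0.113.10', 2)
    print("k=50, unbounded:", run(50))                     # (102, 50)
    print("k=50, fetch cap 2:", run(50, max_ns_fetch=2))   # (6, 2)
```

One client query turns into k queries at the victim when fetching is unbounded; the cap makes the cost independent of how many names the referral lists.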

The Elementor Attacks: How Creative Hackers Combined Vulnerabilities to Take Over WordPress Sites

Wordfence wrote an article detailing the recent Elementor Pro 0-day used to take over WordPress sites. The attackers combined multiple flaws to register as a subscriber on any vulnerable site and potentially use that access to pivot and exploit vulnerabilities that require subscriber-level access.

Lost and Found: Stopping Bluetooth Finders from Leaking Private Information

A Bluetooth finder is a small battery-powered device that can be attached to important items such as bags, keychains, or bikes. The finder maintains a Bluetooth connection with the user's phone, and the user is notified immediately on connection loss. Researchers reveal several significant security vulnerabilities in those products concerning mobile applications and the corresponding backend services in the cloud. They also show that all analyzed cloud-based products leak more private data than required for their respective cloud services. Overall, there is a big market for Bluetooth finders, but none of the existing products is privacy-friendly.

Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks

A Taiwanese security researcher published details about three vulnerabilities in the firmware of QNAP network-attached storage (NAS) devices. Henry Huang, the security researcher, said the bugs reside in Photo Station, a photo album app that comes preinstalled with all recent versions of QNAP NAS systems. Huang says the Photo Station app is installed on around 80% of all QNAP NAS systems; a number the researcher believes to be around 450,000 devices, based on a rough estimate using results provided by the Shodan IoT search engine. In a Medium blog post, Huang published in-depth technical details about three of four vulnerabilities he found in the QNAP devices. Three impact the Photo Station app, while a fourth impacts the QTS file manager app.

In Flight Entertainment System Security

Pen Test Partners has written an article about the security of in-flight entertainment (IFE) systems and why the flight controls cannot be accessed from these systems; therefore, the only reason to worry about IFE security is to stop people from panicking.

Turning Signal App into a Coarse Tracking Device

Tenable has disclosed a vulnerability in the Signal app that could be used to leak the coarse location of a user by calling them. It works by abusing WebRTC ICE candidates to supply a unique domain name; the DNS server authoritative for that domain then receives an incoming query from the nameserver used by the remote Signal user. Since the nameserver is typically geographically near the user, this can be used to find out the user's country.

Scams

US Treasury Warning: Beware of COVID-19 Financial Fraud

The U.S. Treasury's Financial Crimes Enforcement Network is alerting financial institutions about surging COVID-19 themed scams and other "illicit activities," ranging from medical-related fraud involving the sale of fake cures, tests and vaccines to price gouging for supplies.

Scattered Canary Cybercrime Ring Exploits the COVID-19 Pandemic with Fraudulent Unemployment and CARES Act Claims

Recently, news broke about how a sophisticated Nigerian cybercriminal organization has been committing mass unemployment fraud against a number of states, including Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming. Based on information uncovered by the Agari Cyber Intelligence Division, some, if not all, the actors behind these fraudulent schemes are likely part of Scattered Canary, a Nigerian cybercrime group about which we released a detailed report last June. As detailed last year, Scattered Canary has been involved in a wide variety of fraudulent activity against government services over their 10+ year history, including unemployment fraud, social security fraud, disaster relief fraud, and student aid fraud.

Digital rights

Social media disrupted in Burundi on election day

Network data from the NetBlocks internet observatory confirm that social media and messaging apps are disrupted and unavailable in Burundi on the morning of Wednesday, 20 May 2020 as the country goes to elections. On Wednesday morning, members of Burundi's diaspora and journalists covering the polls noticed that WhatsApp messages had stopped reaching contacts within the country, sparking concerns that an internet shutdown had been imposed.

Malware

The wolf is back...

Cisco Talos has discovered a new Android malware based on a leak of the DenDroid malware family. The malware was named "WolfRAT" due to strong links between it (and its command and control (C2) infrastructure) and Wolf Research, an infamous organization that developed interception and espionage-based malware and was publicly described by CSIS during Virus Bulletin 2018. Researchers identified infrastructure overlaps and string references to previous Wolf Research work. The organization appears to be shut down, but the threat actors are still very active.

TrickBot BazarLoader In-Depth

AT&T Alien Labs actively tracks the TrickBot group through an automated malware analysis system, hunting, and in-depth technical research. The latest article describes two new TrickBot modules aptly named "BazarLoader" and "BazarBackdoor" after attempted Command and Control (C2) communications with the Emercoin DNS (EmerDNS) .bazar domains. EmerDNS is desirable for attackers because it is a distributed blockchain that is decentralized, cannot be censored, and cannot be altered, revoked or suspended by any authority.

Confiant & Protected Media Uncover Mobile Billing Malvertiser Dubbed ‘wapSiphone’

The following blog post is a collaborative disclosure between Confiant and Protected Media around a new malvertising threat actor that leverages media buys in order to collect the MSISDNs of their victims for further exploitation in a WAP billing scheme. The Mobile Station International Subscriber Directory Number (MSISDN) is an international mobile phone identifier. These IDs are harvested by the attacker using a variety of techniques, including an XSS payload that specifically targets a mobile carrier based out of the United Arab Emirates. Iranian and Mexican carriers have been observed being abused by the attacker as well.

Phishing

Microsoft warns of 'massive' phishing attack pushing legit RAT

Microsoft is warning of an ongoing COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool. In a series of tweets, the Microsoft Security Intelligence team outlines how this "massive campaign" is spreading the tool via malicious Excel attachments. The attack starts with emails purporting to come from the Johns Hopkins Center with an update on the number of coronavirus-related deaths in the United States. NetSupport Manager is a legitimate remote administration tool that is commonly distributed in hacker communities for use as a remote access trojan.

Politics

Israel behind cyberattack that caused ‘total disarray’ at Iran port

Israel carried out a recent sophisticated cyberattack on an Iranian port facility, causing widespread chaos, apparently in retaliation for an attempt by Tehran to target Israel's water infrastructure, the Washington Post reported Monday. The report, citing foreign and US officials, said Israel was likely behind the hack that brought the "bustling Shahid Rajaee port terminal to an abrupt and inexplicable halt" on May 9. "Computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility," the Post reported, adding that it had seen satellite photos showing miles-long traffic jams leading to the port and ships still waiting to offload several days later.

Ransomware

Netfilm Ransomware Operators Leak Massive Data From a Global Logistic Group

The Netfilm ransomware operators have leaked the first installment of a massive 200 GB of data taken from the global logistics company Toll Group. The operators breached the Toll network at the beginning of this month and exfiltrated a massive volume of data before encrypting the network with their ransomware. Significantly, the Japan Post Holdings subsidiary has fallen prey to ransomware attacks twice in 2020. The Netfilm attack was executed at the beginning of May, while MailTo ransomware compromised Toll's global network on January 31 this year. In the earlier attack, the ransomware had taken down over 1000 servers, which compromised around 500 corporate applications, Active Directory, and other critical systems. After the MailTo ransomware attack, the global operations of the company were suspended for several weeks. Toll Group officially confirmed that it had restored its network in the second week of March. But while fixing the network, the system admins might have overlooked a backdoor, which was later exploited by the Netfilm group of ransomware operators.

Netwalker Fileless Ransomware Injected via Reflective Loading

Trend Micro has observed Netwalker ransomware attacks that involve malware that is not compiled but written in PowerShell and executed directly in memory, without storing the actual ransomware binary on disk. This makes this ransomware variant a fileless threat, enabling it to maintain persistence and evade detection by abusing tools that are already on the system to initiate attacks. This type of threat leverages a technique called reflective dynamic-link library (DLL) injection, also referred to as reflective DLL loading. The technique allows the injection of a DLL from memory rather than from disk. It is stealthier than regular DLL injection because, aside from not needing the actual DLL file on disk, it also does not need the Windows loader for the injection. This eliminates the need to register the DLL as a loaded module of the process, allowing evasion of DLL load monitoring tools.