Table of Contents

  1. Politics
    1. UK Gov using Signal's disappearing messages to evade FOI
    2. Case files discredit Kemp's accusation that Democrats tried to hack Georgia election
  2. Ransomware
    1. Maze Ransomware Operators Target Kerr Controls Ltd
  3. Vulnerabilities
    1. Finding secrets by decompiling Python bytecode in public repositories
    2. Zero-day in Sign in with Apple
  4. Privacy
    1. List of well-known web sites that port scan their visitors
    2. Security flaw in Qatar’s COVID-19 contact-tracing app ‘put 1m people’s sensitive data at risk’
  5. Breaches
    1. Amtrak resets user passwords after Guest Rewards data breach
    2. 200 Websites Breached – 6.1 Million Accounts at Risk
    3. Joomla team discloses data breach
    4. Hacker leaks database of dark web hosting provider
  6. Malware
    1. New Agent Tesla Variant Spreading by Phishing

Politics

UK Gov using Signal's disappearing messages to evade FOI

Encrypted messaging app Signal is increasingly popular in Westminster. Many Tory MPs joined the network after the general election, apparently attracted by the larger group size it allows compared to WhatsApp, which is handy for a party with a big majority. Another feature of the app, which is endorsed by none other than Edward Snowden, has attracted Boris Johnson as well as senior government officials: messages can be set to automatically self-destruct from recipients' devices any time from five seconds to a week after being read. The encrypted nature of the system means that once messages are gone they're, er, gone, and not even a judge's order can have them retrieved. And the benefits aren't limited to making leaks more difficult. The automatic deletion suggests a perilous lack of records on key decision-making processes at a time when many in government are working remotely.

Case files discredit Kemp's accusation that Democrats tried to hack Georgia election

GBI investigation shows Kemp misrepresented election security. It was a stunning accusation: Two days before the 2018 election for Georgia governor, Republican Brian Kemp used his power as secretary of state to open an investigation into what he called a "failed hacking attempt" of voter registration systems involving the Democratic Party. But newly released case files from the Georgia Bureau of Investigation reveal that there was no such hacking attempt. The evidence from the closed investigation indicates that Kemp's office mistook planned security tests and a warning about potential election security holes for malicious hacking.

Ransomware

Maze Ransomware Operators Target Kerr Controls Ltd

As usual, the Maze ransomware operators have added another data breach to their name. In this instance, they breached Kerr Controls Ltd, a well-established wholesale distributor of heating, ventilation, air conditioning and refrigeration (HVACR) materials for residential and commercial markets, founded in 1949. The Cyble Research Team has verified and reported the data leak, which amounts to around 3GB. The leaked data includes highly sensitive corporate operation documents and data, such as the company's bank statements, details of multiple bank deposits, and much more.

Vulnerabilities

Finding secrets by decompiling Python bytecode in public repositories

When you import a Python file for the first time, the Python interpreter will compile it and cache the resulting bytecode in a .pyc file so that subsequent imports don't have to deal with the overhead of parsing or compiling the code again. It's also common practice for Python projects to store secrets in a gitignored Python file named something like secrets.py, config.py, or settings.py, which other parts of the project import. This provides a nice separation between secrets and source code that gets checked in, and for the most part, this kind of setup works well. And because it reuses the language's import mechanism, these projects don't have to fuss around with file I/O or formats like JSON. But for the same reason that this pattern is fast and convenient, it is also potentially insecure. Because it reuses the language's import mechanism, which has a habit of creating and caching .pyc files, those secrets also live in the compiled bytecode! Some initial research using the GitHub API reveals that thousands of GitHub repositories contain secrets hidden inside their bytecode.
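The mechanism described above can be checked from the defender's side. The following is an added example, not code from the article or from the research it summarises: it writes a constructed settings module (placeholder values, not real credentials), compiles it into `__pycache__` exactly as an import would, and then recovers the `NAME = "literal"` assignments from the cached `.pyc` by unmarshalling the code object and pairing each `LOAD_CONST` with the `STORE_NAME` that follows it. The sample module, the credential-like name heuristic and the 16-byte `.pyc` header length (CPython 3.7 and later) are assumptions of the example.

```python
import dis
import importlib.util
import marshal
import pathlib
import py_compile
import tempfile
import types

# Constructed sample of the gitignored settings module the article describes.
# The values are placeholders, not real credentials.
SAMPLE_SECRETS_PY = (
    'API_KEY = "sk_live_PLACEHOLDER_not_a_real_key"\n'
    'DB_PASSWORD = "placeholder-password"\n'
    'DEBUG = True\n'
)

# Variable names that suggest a credential (assumed heuristic; extend to taste).
SUSPICIOUS_NAME_PARTS = ("KEY", "PASSWORD", "PASSWD", "TOKEN", "SECRET")

# The .pyc header (magic number, flags, source mtime/size or hash) is 16 bytes on
# CPython 3.7 and later; the marshalled module code object follows it.
PYC_HEADER_LEN = 16


def compile_like_import(source: pathlib.Path) -> pathlib.Path:
    """Compile a .py file into the __pycache__ location the import system would use."""
    cfile = importlib.util.cache_from_source(str(source))
    py_compile.compile(str(source), cfile=cfile, doraise=True)
    return pathlib.Path(cfile)


def load_code_object(pyc: pathlib.Path) -> types.CodeType:
    """Skip the header and unmarshal the code object stored in a .pyc file."""
    return marshal.loads(pyc.read_bytes()[PYC_HEADER_LEN:])


def constant_assignments(code: types.CodeType) -> dict:
    """Recover `NAME = <literal>` pairs from module-level bytecode.

    A literal assignment compiles to LOAD_CONST immediately followed by
    STORE_NAME, so pairing those two instructions yields the name and value.
    """
    pairs = {}
    prev = None
    for ins in dis.get_instructions(code):
        if ins.opname == "STORE_NAME" and prev is not None and prev.opname == "LOAD_CONST":
            pairs[ins.argval] = prev.argval
        prev = ins
    return pairs


def find_secrets_in_pyc(pyc: pathlib.Path) -> dict:
    """Return the string assignments in a .pyc whose variable name looks credential-like."""
    found = {}
    for name, value in constant_assignments(load_code_object(pyc)).items():
        if isinstance(value, str) and any(p in name.upper() for p in SUSPICIOUS_NAME_PARTS):
            found[name] = value
    return found


def scan_tree(root: pathlib.Path) -> dict:
    """Walk a checkout and report credential-like constants in every .pyc found."""
    report = {}
    for pyc in root.rglob("*.pyc"):
        hits = find_secrets_in_pyc(pyc)
        if hits:
            report[str(pyc.relative_to(root))] = hits
    return report


def demo() -> dict:
    """Write the sample module, compile it as an import would, then scan the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "secrets.py").write_text(SAMPLE_SECRETS_PY)
        compile_like_import(root / "secrets.py")
        # secrets.py itself would be gitignored, yet the .pyc under __pycache__
        # carries every literal it assigns.
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for name, value in hits.items():
            print(f"{path}: {name} = {value!r}")
```

Running `scan_tree` over a checkout before pushing surfaces exactly the kind of leak the research describes; the matching `.gitignore` entries are `__pycache__/` and `*.pyc`, and any `.pyc` already in history needs the credential rotated, not just the file deleted.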

Zero-day in Sign in with Apple

Bhavuk Jain discovered a zero-day in "Sign in with Apple": an endpoint in Apple's authentication system could be made to return a forged JWT token linking any email ID to an attacker's account, so the attacker could link any existing email address to his own account. This bug could have resulted in a full account takeover of user accounts on the third-party application, irrespective of whether the victim had a valid Apple ID.

Privacy

List of well-known web sites that port scan their visitors

BleepingComputer has compiled a list of well-known websites that port scan their visitors, together with a Google Sheets link listing the subdomains used by ThreatMetrix, a fraud-protection script intended to detect compromised computers; to do so, it runs a port scan on the visitor's computer.

Security flaw in Qatar’s COVID-19 contact-tracing app ‘put 1m people’s sensitive data at risk’

Serious security vulnerabilities in Qatar's mandatory contact tracing app, uncovered by Amnesty International, must act as a wake-up call for governments rolling out COVID-19 apps to ensure privacy safeguards are central to the technology. An investigation by Amnesty's Security Lab discovered the critical weakness in the configuration of Qatar's EHTERAZ contact tracing app. Now fixed, the vulnerability would have allowed cyber attackers to access highly sensitive personal information, including the name, national ID, health status and location data of more than one million users.

Breaches

Amtrak resets user passwords after Guest Rewards data breach

The National Railroad Passenger Corporation (Amtrak) disclosed a data breach that led to the exposure of personal information of some Guest Rewards members. Amtrak, a high-speed intercity passenger rail provider and an independent US government agency, operates a nationwide rail network in 46 states, the District of Columbia, and three Canadian provinces, with 30 million customers during the last nine years. "On the evening of April 16, 2020, Amtrak determined that an unknown third party gained unauthorized access to certain Amtrak Guest Rewards accounts," Amtrak Guest Rewards Senior Director Vicky Radke says in a notice of data breach filed with the Office of the Vermont Attorney General. "We have determined that compromised usernames and passwords were used to access certain accounts and some personal information may have been viewed."

200 Websites Breached – 6.1 Million Accounts at Risk

Cyble has detected and verified 200 data breaches at various websites and companies. In total, these data breaches put around 6.1 million user accounts at risk.

Joomla team discloses data breach

The team behind the Joomla open source content management system (CMS) announced a security breach last week. The incident took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company. The Joomla team said the backup file was not encrypted and contained details for roughly 2,700 users who registered and created profiles on the JRD website - a portal where professionals advertise their Joomla site-making skills. Joomla admins said they are still investigating the incident. It is currently unclear whether anyone found and downloaded the data from the third-party company's S3 server.

Hacker leaks database of dark web hosting provider

A hacker has leaked online the database of Daniel's Hosting (DH), the largest free web hosting provider for dark web services. The leaked data was obtained after the hacker breached DH earlier this year, on March 10, 2020. At the time, DH owner Daniel Winzen told ZDNet the hacker breached his portal, stole its database, and then wiped all servers. On March 26, two weeks after the breach, DH shut down its service for good, urging users to move their sites to new dark web hosting providers. Around 7,600 websites - a third of all dark web portals - went down following DH's shutdown.

Malware

New Agent Tesla Variant Spreading by Phishing

Agent Tesla is a spyware, keylogger, and information stealer Trojan written in Microsoft's .NET language. Agent Tesla has been observed in the wild since 2014 and has been active ever since. It is also a commercial project, whose subscription license is sold on its official website. Several days ago, FortiGuard Labs captured a phishing email with an attachment that is being used to spread a new version of Agent Tesla.