Table of Contents

  1. Breaches
    1. Zoomcar - 3,589,795 breached accounts
    2. CPA Canada discloses data breach affecting 329,000 individuals
    3. Two Data Breaches Hit Kentucky Employees’ Health Plan
    4. Student loan company that stole millions from consumers leaks sensitive phone calls, SSNs, tax records
    5. Bank of America Breach Reveals PPP Info
    6. San Francisco retirement program SFERS suffers data breach
  2. Privacy
    1. Signal app downloads spike as US protesters seek message encryption
    2. Signal Launches Face-Blurring Tool as US Protesters Embrace Encrypted Messaging
  3. Vulnerabilities
    1. CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage
    2. Unclamping the Barnacle
    3. Two vulnerabilities in Zoom could lead to code execution
    4. Haveibeenpwned.com pwned our helpdesk! GLPI 9.4.5 SQL Injection
  4. Misc
    1. Mozilla Firefox to let you export saved passwords in plain text
    2. Germany bans digital doppelganger passport photos
    3. Google sued for secretly amassing vast trove of user data
  5. Malware
    1. Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique
    2. USBCulprit malware targets air-gapped systems to steal govt info
    3. Bruteforce malware probes login for popular web platforms
    4. Hackers tried to steal database logins from 1.3M WordPress sites
    5. Banking Trojan Metamorfo Hijacks Trusted Apps to Run Malware
  6. Politics
    1. Google: Chinese and Iranian hackers targeted Biden and Trump campaign staffers
    2. George Floyd death: Anti-racism sites hit by wave of cyber-attacks
    3. Huawei hid business operation in Iran after Reuters reported links to CFO
  7. Ransomware
    1. Business services giant Conduent allegedly hit by Maze Ransomware
    2. NetWalker Ransomware: No Respite, No English Required
    3. New Tycoon ransomware targets both Windows and Linux systems
    4. Ransomware Attacks Hit 2 More Healthcare Organizations
    5. Sensitive Data of Multiple Organisations Been Leaked by the PYSA/Mespinoza Ransomware Operators
  8. APT
    1. New LNK attack tied to Higaisa APT discovered
    2. Hackers steal secrets from US nuclear missile contractor
  9. Crime
    1. Hackers hijack one of Coincheck's domains for spear-phishing attacks
    2. Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion
  10. Phishing
    1. Office 365 phishing baits remote workers with fake VPN configs
    2. The IRS’s Extended Tax Deadline Fuels Email Phishing

Breaches

Zoomcar - 3,589,795 breached accounts

In July 2018, the Indian self-drive car rental company Zoomcar suffered a data breach which was subsequently sold on a dark web marketplace in 2020. The breach exposed over 3.5M records including names, email and IP addresses, phone numbers and passwords stored as bcrypt hashes.

CPA Canada discloses data breach affecting 329,000 individuals

Chartered Professional Accountants of Canada (CPA) disclosed that a cyberattack against the CPA Canada website allowed unauthorized third parties to access the personal information of over 329,000 members and other stakeholders. CPA Canada is a national organization with more than 217,000 Chartered Professional Accountants as members and one of the largest national accounting bodies in the world. After discovering the data breach at a yet undisclosed date, CPA Canada contained the incident by taking measures to secure the compromised systems and notified the affected individuals after identifying them. "The information involved predominately relates to the distribution of the CPA Magazine and includes personal information such as names, addresses, email addresses and employer names," the breach notification reads.

Two Data Breaches Hit Kentucky Employees’ Health Plan

Nearly a thousand members of Kentucky Employees' Health Plan (KEHP) were victims of a data breach that took place in late April and mid-May, according to a statement released by the Commonwealth of Kentucky Personnel Cabinet on June 2. During the first attack, from April 21 to 27, 971 KEHP members' accounts were accessed by a "bad actor" who used valid login information to infiltrate StayWell, a third-party vendor that KEHP members use for their well-being and incentive portal. This portal offers financial rewards for completing certain challenges and goals in order to promote a healthier lifestyle among members. After an investigation by the Commonwealth Office of Technology, the Personnel Cabinet and the StayWell IT team, it was determined that while the attacker was unable to access important financial and personal information on the portal, such as birthdays, Social Security numbers or addresses, they were able to view biometric screening and health assessment data.

Student loan company that stole millions from consumers leaks sensitive phone calls, SSNs, tax records

CyberNews discovered an unsecured Amazon Simple Storage Service (S3) bucket that contains more than 55,000 call recordings between loan support workers and American consumers with outstanding student loans. This open database also contains more than 25,000 PDFs, many of which are scans or photos of proof of income (such as pay receipts or tax returns). Both the proofs of income and the call recordings contain the borrowers' social security numbers, among other sensitive personal data. The database seems to belong to members of the Student Advocates Group, which an FTC press release named as a student loan debt relief scheme that "bilked millions out of consumers by charging illegal upfront fees and falsely promising to lower or even eliminate consumers' loan payments or balances."

Bank of America Breach Reveals PPP Info

After processing over 300,000 Paycheck Protection Program applications, Bank of America has revealed that a data breach occurred within the U.S. Small Business Administration's program that allowed all other SBA-authorized lenders to view highly sensitive data. The data includes tax information and social security numbers relating to both businesses and their owners and could have extremely devastating effects in the wrong hands. Fortunately, the SBA secured the compromised data within a day of being notified, and Bank of America has reached out to affected customers offering two years of identity theft protection.

San Francisco retirement program SFERS suffers data breach

The San Francisco Employees' Retirement System (SFERS) has suffered a data breach after an unauthorized person gained access to a database hosted in a test environment. SFERS manages the benefits program for active and retired employees of San Francisco, California. In a data breach notification, SFERS stated that one of their vendors had set up a test environment that included a database containing the information for approximately 74,000 SFERS members. On March 21, 2020, the vendor learned that the server had been accessed by an unauthorized third-party on February 24, 2020. They subsequently told SFERS on March 26, when an investigation was started.

Privacy

Signal app downloads spike as US protesters seek message encryption

In the past week, US protesters have staged large-scale demonstrations against racism and police brutality across all 50 states. Over the same period, daily US downloads of the encrypted messaging app Signal have tripled, according to data from the mobile app analytics firm SensorTower. The spike in downloads coincides with calls from Twitter users and privacy-focused organizations like the Electronic Frontier Foundation, urging American protesters to communicate with each other with encrypted apps like Signal. Encryption jumbles the content of a message while it's being transmitted from the sender to the recipient, allowing users to chat with less risk that their conversation will be intercepted and monitored by a third party.

Signal Launches Face-Blurring Tool as US Protesters Embrace Encrypted Messaging

Law enforcement officials across the U.S. have already revealed that they will leverage facial recognition technology to retroactively target protesters following the killing of George Floyd, with police asking the public for footage and photos. Against this backdrop, Signal is introducing a new feature that can automatically obfuscate faces shared within the encrypted messaging app, as the company says it's "working hard to keep up with the increased traffic" from protesters. Moving forward, Signal users will be able to activate a feature in the main photo editing toolbox that will automatically blur all faces it identifies in an image. As with many automated computer vision tools, Signal doesn't claim that its face-blurring smarts are 100% effective. It may not identify all faces in a photo, which is why users can manually obscure faces by drawing the blur brush across each face with their finger.

Vulnerabilities

CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH greeting instead of the usual OK greeting, then Thunderbird skips the STARTTLS upgrade and continues with an unencrypted connection, causing email data to be sent without protection.
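To show what a client has to do to avoid this downgrade, here is an added example (not Thunderbird's code) of a STARTTLS negotiation that refuses to proceed in clear text when the greeting is PREAUTH or STARTTLS is not advertised. The server transcripts and the FakeConnection class are constructed for the example.

```python
import re

# Constructed server transcripts (no real server is contacted).
NORMAL_SERVER = [
    b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] imap.example.test ready\r\n",
    b"a001 OK Begin TLS negotiation now\r\n",
]
NO_CAPS_IN_GREETING = [
    b"* OK imap.example.test ready\r\n",
    b"* CAPABILITY IMAP4rev1 STARTTLS\r\n",
    b"a001 OK Completed\r\n",
    b"a002 OK Begin TLS negotiation now\r\n",
]
PREAUTH_SERVER = [
    b"* PREAUTH imap.example.test logged in as user\r\n",
]
PLAINTEXT_ONLY = [
    b"* OK [CAPABILITY IMAP4rev1] imap.example.test ready\r\n",
]


class FakeConnection:
    """Replays a constructed transcript and records what the client sends."""

    def __init__(self, server_lines):
        self._lines = list(server_lines)
        self.sent = []

    def readline(self):
        return self._lines.pop(0) if self._lines else b""

    def sendline(self, line):
        self.sent.append(line)


def negotiate_starttls(conn):
    """Return 'tls' when it is safe to wrap the socket in TLS, otherwise a refusal
    reason. Nothing but CAPABILITY and STARTTLS is ever sent in clear text."""
    tag_no = [0]

    def next_tag():
        tag_no[0] += 1
        return b"a%03d" % tag_no[0]

    greeting = conn.readline()
    if greeting.startswith(b"* PREAUTH"):
        # The CVE-2020-12398 condition: the server pre-authenticated the session,
        # so the client never reaches the point where it would run STARTTLS.
        # A STARTTLS-configured client must log out rather than continue.
        conn.sendline(next_tag() + b" LOGOUT\r\n")
        return "refused: PREAUTH greeting before TLS"
    if not greeting.startswith(b"* OK"):
        return "refused: unexpected greeting"

    # Capabilities may be embedded in the greeting; otherwise ask for them.
    match = re.search(rb"\[CAPABILITY ([^\]]*)\]", greeting)
    if match:
        capabilities = match.group(1).split()
    else:
        tag = next_tag()
        conn.sendline(tag + b" CAPABILITY\r\n")
        capabilities = []
        while True:
            line = conn.readline()
            if not line:
                return "refused: connection closed"
            if line.startswith(b"* CAPABILITY"):
                capabilities = line.split()[2:]
            elif line.startswith(tag):
                break
    if b"STARTTLS" not in capabilities:
        return "refused: server does not advertise STARTTLS"

    tag = next_tag()
    conn.sendline(tag + b" STARTTLS\r\n")
    reply = conn.readline()
    if reply.startswith(tag + b" OK"):
        return "tls"  # caller wraps the socket with ssl before any further command
    return "refused: STARTTLS rejected"
```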

Unclamping the Barnacle

You may have seen the furore around the Barnacle windscreen-based parking clamp back in January this year. It's a different approach that allows the clamp to be unlocked remotely, so you don't need the clamp company to come remove it for you. It turns out those devices use a SIM card, and an API too. PentestPartners has found that the entire environment could be dumped including S3, Dynamo and SES keys from the servers.

Two vulnerabilities in Zoom could lead to code execution

Cisco Talos recently discovered two vulnerabilities in the popular Zoom video chatting application that could allow a malicious user to execute arbitrary code on victims' machines. An exploitable path traversal vulnerability exists in the way the Zoom Client version 4.6.10 processes messages that include animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be further abused to achieve arbitrary code execution. In order to trigger this vulnerability, an attacker needs to send a specially crafted message to a target user or a group. Only Giphy servers were originally supposed to be used for this feature in Zoom. However, content from an arbitrary server would be loaded in this case, which could be abused to further leak information or to exploit other vulnerabilities.

Haveibeenpwned.com pwned our helpdesk! GLPI 9.4.5 SQL Injection

A vulnerability in the GLPI helpdesk was discovered because Haveibeenpwned uses ';--have I been pwned? as its site title; when that title reached the helpdesk's database query unescaped, it caused SQL errors.
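The following added example (a reconstruction of the injection pattern, not GLPI's own code) shows why that title breaks a string-built INSERT and how a parameterized query stores it intact. It uses an in-memory SQLite database and a constructed tickets table.

```python
import sqlite3

# The site title quoted on the page. The leading quote closes the SQL string
# literal and "--" turns the rest of the statement into a comment.
HIBP_TITLE = "';--have I been pwned?"


def fresh_db():
    """Constructed schema standing in for a helpdesk tickets table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    return db


def last_title(db):
    row = db.execute("SELECT title FROM tickets ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else None


def insert_ticket_vulnerable(db, title):
    """Builds the statement by string formatting (the bug class behind the finding).
    Returns the title actually stored, or the database's error message."""
    sql = "INSERT INTO tickets (title) VALUES ('%s')" % title
    try:
        db.execute(sql)
    except sqlite3.Error as exc:
        return "error: %s" % exc
    return last_title(db)


def insert_ticket_safe(db, title):
    """Binds the title as a parameter so quotes and comment markers are data."""
    db.execute("INSERT INTO tickets (title) VALUES (?)", (title,))
    return last_title(db)


def compare(title):
    """Run both variants on the same input and return their stored results."""
    return insert_ticket_vulnerable(fresh_db(), title), insert_ticket_safe(fresh_db(), title)
```

With a harmless title both variants agree; with the HIBP title the string-built statement either errors out or stores a truncated value, while the parameterized one stores the full string.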

Misc

Mozilla Firefox to let you export saved passwords in plain text

Mozilla Firefox will soon allow you to export your saved login credentials to a CSV text file that you can then import into a password manager or store as a backup. Like many other browsers, Mozilla Firefox has a password manager that allows you to save login names and passwords for websites that you have an account. When you visit these sites, Firefox will automatically populate the login forms with the saved credentials. In the Firefox 79 Nightly build, Mozilla has added the ability to export your saved credentials to a CSV text file.

Germany bans digital doppelgänger passport photos

Germany will outlaw the 'morphing' of passport photos, in which pictures of two people are digitally combined, making it possible to assign multiple identities to a single document. Morphing can trick artificial intelligence used at passport control into 'recognising' different individuals. The government on Wednesday backed a law requiring people to either have their photo taken at a passport office or, if they use a photographer, have it submitted in digital form over a secure connection, spokesman Steffen Seibert said.

Google sued for secretly amassing vast trove of user data

Google surreptitiously amasses billions of bits of information - every day - about internet users even if they opt out of sharing their information, three consumers alleged in a proposed class action lawsuit. "Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy," according to the complaint filed Tuesday in federal court in San Jose, California. The lawsuit argues that while Google lets users turn off data collection when using its Chrome web browser, other Google tools used by websites themselves scoop up their data anyways. The suit includes claims for invasion of privacy and violations of federal wiretapping law.

Malware

Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique

Trend Micro recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (Trend Micro detects these as AndroidOS_HiddenAd.HRXJA). This includes behavior that occurs even when the user is not actively using the phone. The app requests ads at 15-minute intervals, and it also adds listeners to monitor the ad's status. When the ad is opened, the page is closed right away, so the user never sees the ad at all.

USBCulprit malware targets air-gapped systems to steal govt info

The newly revealed USBCulprit malware is used by a group known as Cycldek, Conimes, or Goblin Panda and is designed for compromising air-gapped devices via USB. Cycldek is a Chinese APT group that has been targeting Southeast Asian nations for a long time to steal government information and state secrets. The APT group has demonstrably taken an interest in "large organizations and government institutions in Vietnam," stated a new report on the malware by Kaspersky.

Bruteforce malware probes login for popular web platforms

An aggressive tool hitting a sizable number of popular web services and platforms is trying to brute force its way in with login combinations obtained from parsing metadata from the target. The malware looks for various systems for managing content, databases, and file transfers as well as backup files and administrator login paths.

Hackers tried to steal database logins from 1.3M WordPress sites

A large scale attack targeted hundreds of thousands of WordPress websites over the course of 24 hours, attempting to harvest database credentials by stealing config files after abusing known XSS vulnerabilities in WordPress plugins and themes. "Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files," Wordfence QA engineer and threat analyst Ram Gall said. "The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem."

Banking Trojan Metamorfo Hijacks Trusted Apps to Run Malware

The Bitdefender researchers Janos Gergo SZELES and Ruben Andrei CONDOR have documented a new Metamorfo campaign that uses legitimate software components to compromise computers. Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.

Politics

Google: Chinese and Iranian hackers targeted Biden and Trump campaign staffers

State-sponsored hackers from China and Iran have unsuccessfully targeted the campaign staffs of US presidential candidates Joe Biden and Donald Trump, respectively. The attacks were observed by the Google Threat Analysis Group (TAG), a division inside Google's security department that tracks nation-state hacking groups. "Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing," said Shane Huntley, head of Google TAG. Huntley said the groups behind the attacks are APT31 (targeted Biden) and APT35 (targeted Trump). APT31, also known as Zirconium, is a Chinese state-sponsored hacking group that has been active since at least early 2016 and has historically targeted foreign companies to steal intellectual property; however, it has also targeted diplomatic entities in the past. According to a Microsoft threat analyst, the group has seen a surge of activity recently and has been very active over the past 45 days. APT35, also known as Newscaster, is an Iranian cyber-espionage group sponsored by the Iranian government. The group has been active since 2014 and has typically targeted the US and Middle Eastern militaries, diplomatic and government personnel, organizations in the media, energy and defense industrial bases (DIB), and the engineering, business services, and telecommunications sectors.

George Floyd death: Anti-racism sites hit by wave of cyber-attacks

Cyber-attacks against anti-racism organisations shot up in the wake of the death of George Floyd, a leading provider of protection services says. Cloudflare, which blocks attacks designed to knock websites offline, says advocacy groups in general saw attacks increase 1,120-fold. Mr Floyd's death, in police custody, has sparked nationwide civil unrest in the US.

Huawei hid business operation in Iran after Reuters reported links to CFO

China's Huawei Technologies acted to cover up its relationship with a firm that had tried to sell prohibited U.S. computer gear to Iran, after Reuters in 2013 reported deep links between the firm and the telecom-equipment giant's chief financial officer, newly obtained internal Huawei documents show. Huawei has long described the firm - Skycom Tech Co Ltd - as a separate local business partner in Iran. Now, documents obtained by Reuters show how the Chinese tech titan effectively controlled Skycom. The documents, reported here for the first time, are part of a trove of internal Huawei and Skycom Iran-related business records - including memos, letters and contractual agreements - that Reuters has reviewed. One document described how Huawei scrambled in early 2013 to try to "separate" itself from Skycom out of concern over trade sanctions on Tehran. To that end, this and other documents show, Huawei took a series of actions - including changing the managers of Skycom, shutting down Skycom's Tehran office and forming another business in Iran to take over tens of millions of dollars worth of Skycom contracts.

Ransomware

Business services giant Conduent allegedly hit by Maze Ransomware

The Maze Ransomware operators are claiming to have successfully attacked business services giant Conduent, where they stole unencrypted files and encrypted devices on their network. Conduent is a New Jersey, USA based business services firm with 67,000 employees and a 2019 business revenue of $4.47 billion.

NetWalker Ransomware: No Respite, No English Required

The operators behind NetWalker (aka Mailto) ransomware have proven time and time again that they do not hold back. At a time when even some of the most active ransomware-centric actors are backing off from attacking medical targets due to the COVID-19 pandemic, NetWalker ransomware continues to attack them. The ransom demands are steep and almost guarantee that the victim will choose to be uncooperative, leading to the victim's data being leaked publicly. In recent weeks, U.S. educational institutions have been heavily targeted with NetWalker ransomware. Michigan State University, University of California San Francisco and Columbia College of Chicago have all been hit. With the recent move to a RaaS (Ransomware-as-a-Service) model, the potential for even greater expansion is on the horizon. Consequently, detection and clean-up are no longer sufficient to ensure organizational data remains confidential and secure. Prevention is the only cure for threats like NetWalker, which hit organizations with the double-edged sword of encryption by ransomware and extortion via threats of public data exposure.

New Tycoon ransomware targets both Windows and Linux systems

A new human-operated ransomware strain is being deployed in highly targeted attacks targeting small to medium size organizations in the software and education industries since at least December 2019. The ransomware, dubbed Tycoon by security researchers with BlackBerry Threat Intelligence and KPMG, is a multi-platform Java-based malware that can be used to encrypt both Windows and Linux devices. Tycoon is manually deployed by its operators in the form of a "ZIP archive containing a Trojanized Java Runtime Environment (JRE) build" after they infiltrate their victims' networks using vulnerable and Internet-exposed RDP servers as a stepping stone.

Ransomware Attacks Hit 2 More Healthcare Organizations

Two ransomware incidents recently reported to federal regulators as health data breaches illustrate that the surge in such attacks shows no signs of abating. Among the recent ransomware-related data breaches reported to the Department of Health and Human Services' Office for Civil Rights were incidents at Woodlawn Dental Center based in Cambridge, Ohio, and Mat-Su Surgical Associates in Palmer, Alaska.

Sensitive Data of Multiple Organisations Been Leaked by the PYSA/Mespinoza Ransomware Operators

The Cyble Research Team came across several data leaks of well-established organisations being posted by a trending group of ransomware operators named PYSA/Mespinoza. In this instance, our researchers identified and verified data leaks of multiple organisations such as Diamond Box, Allard-Europe, Matthews, Fincamex, St Andrew's College, Liberty Linehaul, and several others. All these organisations are known for their services; for instance, Matthews Australasia is the Australian leader in intelligent product identification, product inspection, and software traceability solutions. Similarly, Allard-Europe is one of the well-known steel and iron casting firms based in Belgium.

APT

New LNK attack tied to Higaisa APT discovered

MalwareBytes identified an attack that is part of a new campaign from an Advanced Persistent Threat actor known as Higaisa. The Higaisa APT is believed to be tied to the Korean peninsula, and was first disclosed by Tencent Security Threat Intelligence Center in early 2019. The group's activities go back to at least 2016 and include the use of Trojans such as Gh0st and PlugX, as well as mobile malware. Its targets include government officials and human rights organizations, as well as other entities related to North Korea. In this latest incident, Higaisa used a malicious shortcut file ultimately responsible for creating a multi-stage attack that consists of several malicious scripts, payloads and decoy PDF documents.

Hackers steal secrets from US nuclear missile contractor

Hackers have stolen confidential documents from a US military contractor which provides critical support for the country's Minuteman III nuclear deterrent, Sky News has learned. After gaining access to Westech International's computer network, the criminals encrypted the company's machines and began to leak documents online to pressure the company to pay extortion. It is unclear if the documents stolen by the criminals include military classified information, but files which have already been leaked online suggest the hackers had access to extremely sensitive data, including payroll and emails.

Crime

Hackers hijack one of Coincheck's domains for spear-phishing attacks

Japanese cryptocurrency exchange Coincheck says hackers took control over its account at a local domain registrar and hijacked one of its domain names, which they later used to contact some of its customers. The exchange paused remittance operations on its platform on Tuesday while it's investigating the incident. Other operations, such as withdrawals or deposits, have not been blocked. According to an incident report, the company said the initial attack took place on Sunday, May 31. The hackers gained access to Coincheck's account at Oname.com, the company's domain registrar provider. Oname also confirmed the incident.

Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion

An exhaustive inquiry published by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico's top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities. The multimedia investigation by the Organized Crime and Corruption Reporting Project (OCCRP) and several international journalism partners detailed the activities of the so-called Riviera Maya crime gang, allegedly a mafia-like group of Romanians who until very recently ran their own ATM company in Mexico called "Intacash" and installed sophisticated electronic card skimming devices inside at least 100 cash machines throughout Mexico. According to the OCCRP, Riviera Maya's skimming devices allowed thieves to clone the cards, which were used to withdraw funds from ATMs in other countries --- often halfway around the world in places like India, Indonesia, and Taiwan.

Phishing

Office 365 phishing baits remote workers with fake VPN configs

Microsoft Office 365 customers are targeted by a phishing campaign using bait messages camouflaged as notifications sent by their organization to update the VPN configuration they use to access company assets while working from home. The phishing emails impersonating VPN configuration update requests sent by their company's IT support department have so far landed in the inboxes of up to 15,000 targets according to stats from researchers at email security company Abnormal Security. These phishing messages are a lot more dangerous because of the huge influx of employees working remotely and using VPNs to connect to company resources from home for sharing documents with their colleagues and accessing their orgs' servers.

The IRS’s Extended Tax Deadline Fuels Email Phishing

If you haven't started preparing your taxes yet, you might be vulnerable to a QuickBooks scam. INKY, the leader in cloud-based email phishing software, caught this recent fraudulent email that supposedly came from Intuit. In this case, the would-be hacker was alerting a QuickBooks customer that their subscription renewal was due and that there were issues with their form of payment. The phishing email gave several possible reasons for this dilemma and urged the reader to call a toll-free number or click on a link to update their payment method.