Table of Contents

  1. Crime
    1. German Payments Group Wirecard Says $2.1 Billion of Cash is Missing
    2. FBI used Etsy, LinkedIn to make arrest in torching of Philadelphia police cars
    3. Akamai Registers Massive 1.44 Terabit-per-second DDoS Attack
    4. AWS said it mitigated a 2.3 Tbps DDoS attack
    5. AT&T dragged to court, again, over SIM hijacking and cryptocurrency theft
    6. Yahoo engineer gets no jail time after hacking 6,000 accounts to look for porn
    7. Italy and Romania take down cyber fraud ring generating €20 million per year in criminal profits
    8. How Police Secretly Took Over a Global Phone Network for Organized Crime
    9. DOJ indict Fxmsp hacker for selling access to hacked orgs, AV firms
    10. German authorities seize 'BlueLeaks' server that hosted data on US cops
    11. Facebook Helped the FBI Exploit Vulnerability in a Secure Linux Distro for Child Predator Sting
    12. Devious Bitcoin scam uses targeted texts and celeb endorsements
    13. Russian leader of Infraud stolen ID, credit card ring pleads guilty
    14. Hackers strike at Life Healthcare, extent of data breach yet to be assessed
    15. Admin of carding portal behind $568M in losses pleads guilty
    16. Owner of Cardplanet credit card market gets 9 years in prison
    17. Developer of Mirai, Qbot-based DDoS botnets jailed for 13 months
    18. New Charges, Sentencing in Satori IoT Botnet Conspiracy
    19. Largest ever recorded packet per second-based DDoS attack mitigated by Akamai
    20. New Zealand freezes $90 million in BTC-e money laundering case
    21. FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy
    22. Theft of CIA's "Vault Seven" Hacking Tools Due to Its Own Lousy Security
    23. Over 1,300 phishing kits for sale on hacker forum
    24. Hacker arrested for stealing, selling PII of 65K hospital employees
    25. Academics studied DDoS takedowns and said they're ineffective, recommend patching vulnerable servers
    26. Fraudster gets maximum jail time for news site DDoS extortion
    27. Russian hacker found guilty for Dropbox, LinkedIn, and Formspring breaches
  2. Malware
    1. Wells Fargo phishing baits customers with calendar invites
    2. FBI warns hackers are targeting mobile banking apps
    3. Google removes 106 Chrome extensions for collecting sensitive user data
    4. EvilQuest wiper uses ransomware cover to steal files from Macs
    5. New Phishing scam targets website owners with free DNSSEC offer
    6. Cerberus banking Trojan infiltrates Google Play
    7. Try2Cry ransomware tries to worm its way to other Windows systems
    8. Avaddon ransomware shows that Excel 4.0 macros are still effective
    9. Mozilla suspends Firefox Send service while it addresses malware abuse
    10. Free decryptor available for ThiefQuest ransomware victims
    11. New Mac Ransomware Is Even More Sinister Than It Appears
    12. GoldenSpy backdoor installed by tax software gets remotely removed
    13. Google removes 25 Android apps caught stealing Facebook credentials
    14. This is how EKANS ransomware is targeting industrial control systems
    15. TrickBot malware now checks screen resolution to evade analysis
    16. Windows POS malware uses DNS to smuggle stolen credit cards
    17. Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set
    18. European victims refuse to bow to Thanos ransomware
    19. Guardicore Labs Launches Botnet Encyclopedia to Aid in Global Fight Against Cybercrime
    20. University of California SF pays ransomware hackers $1.14 million to salvage research
    21. A hacker gang is wiping Lenovo NAS devices and asking for ransoms
    22. Chinese Bank Required Two Western Companies to Use Tax Software With a Hidden Backdoor
    23. New Lucifer DDoS malware creates a legion of Windows minions
    24. Microsoft: Attackers increasingly exploit Exchange servers
    25. Zimperium Discovers MobOk Malware Left Undetected by AV Industry for Months
    26. Hackers Used Malicious Docker Images to Mine Monero
    27. The face of tomorrow’s cybercrime: Deepfake ransomware explained
    28. Phishing Attacks Use Social Media Notifications to Steal Credentials
    29. New Ransom X Ransomware used in Texas TxDOT cyberattack
    30. “You’re Invited!” to Phishing Links Inside .ics Calendar Attachments
    31. Privnotes.com Is Phishing Bitcoin from Users of Private Messaging Service Privnote.com
    32. Conti ransomware shows signs of being Ryuk's successor
    33. Cereberus Banking Trojan Targeted Spanish Android Users
    34. Joker Android malware keeps evading Google Play Store defenses
    35. More pre-installed malware has been found in budget US smartphones
    36. Microsoft warns of Office 365 phishing via malicious OAuth apps
    37. Ryuk ransomware deployed two weeks after Trickbot infection
    38. Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers
    39. Why did this Bank of America phishing email bypass spam filters?
    40. InvisiMole malware delivered by Gamaredon hacker group
    41. Microsoft: COVID-19 malware attacks were barely a blip in total malware volume
    42. BazarBackdoor malware: What it is, how it works and how to prevent it
    43. Universities Targeted by NetWalker Ransomware
    44. Black Kingdom ransomware hacks networks with Pulse VPN flaws
    45. Imperva Takes on its Largest Recorded Account Takeover Attack on a Single Company
    46. Deep Analysis of a QBot Campaign – Part I
    47. TrickBot malware mistakenly warns victims that they are infected
  3. APT
    1. Aerospace, Defense Firms Targeted With Fake LinkedIn Profiles
    2. North Korean hackers linked to web skimming (Magecart) attacks, report says
    3. Researchers link APT15 hackers to Chinese military company
    4. Promethium APT attacks surge, new Trojanized installers uncovered
    5. Taurus: The New Stealer in Town
    6. Researchers connect Evilnum hacking group to cyberattacks against Fintech firms
    7. Business Email Compromise (BEC) Criminal Ring
    8. Hidden Cobra - from a shed skin to the viper’s nest
    9. Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey
  4. Vulnerabilities
    1. Ripple20 vulnerabilities will haunt the IoT landscape for years to come
    2. 79 Netgear router models risk full takeover due to unpatched bug
    3. New Cisco Webex Meetings flaws
    4. Microsoft releases urgent security updates for Windows 10 Codecs bugs
    5. Tesco coupons easily faked to save £750 on Hotels.com bookings worldwide
    6. Citrix fixes 11 flaws in ADC, Gateway, and SD-WAN WANOP appliances
    7. PoC exploits released for F5 BIG-IP vulnerabilities, patch now!
    8. .NET Core vulnerability lets attackers evade malware detection
    9. Windows 10 background image tool can be abused to download malware
    10. Fixing critical vulnerabilities in Apache's remote desktop
    11. Estonian Electronic Identity Card: Security Flaws in Key Management
    12. RCE on Telia Routers
    13. Microsoft releases emergency security update to fix two bugs in Windows codecs
    14. Disclosure: Another macOS privacy protections bypass
    15. Palo Alto Networks patches critical vulnerability in firewall OS
    16. GeoVision access control devices let hackers steal fingerprints
    17. Almost 300 Windows 10 executables vulnerable to DLL hijacking
    18. A survey of recent iOS kernel exploits
    19. FF Sandbox Escape (CVE-2020-12388)
    20. SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL
    21. Nvidia squashes display driver code execution, information leak bugs
    22. From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration
    23. Heap Overflow in the NETGEAR Nighthawk R6700 Router
    24. List of Ripple20 vulnerability advisories, patches, and updates
    25. Remote code execution vulnerability in KensingtonWorks mouse manager
    26. Turn on MFA Before Crooks Do It For You
    27. Fraunhofer FKIE: Significant security flaws detected in Home Routers
    28. Smartwatch Hack Could Trick Patients To 'Take Pills' With Spoofed Alerts
    29. Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data
    30. Zoom working on patching zero-day disclosed in Windows client
    31. How to unc0ver a 0-day in 4 hours or less
    32. XSS Flaw Impacting 100,000 Sites Patched in KingComposer
    33. Disabling Google 2FA Doesn't Need 2FA
    34. 80,000 printers are exposing their IPP port online
    35. BitDefender fixes bug allowing attackers to run commands remotely
    36. Netgear 0-day Vulnerability Analysis and Exploit for 79 devices
    37. CVE-2020-1181: SharePoint Remote Code Execution Through Web Parts
    38. Bug in ‘USB for Remote Desktop’ lets hackers add fake devices
    39. Plex fixes Media Server bugs allowing full system takeover
    40. VLC Media Player 3.0.11 fixes severe remote code execution flaw
    41. Adobe fixes critical flaws in Illustrator, After Effects, more
    42. The Curious Case of Copy and Paste
    43. D-Link leaves severe security bugs in home router unpatched
    44. Hackers are quick to notice exposed Elasticsearch servers
    45. U2F with Duo Web Phishable by default
    46. A Trio of Bugs Used to Exploit Inductive Automation at Pwn2Own Miami
  5. Politics
    1. Russia unbans Telegram
    2. Zoom Acknowledges It Suspended Activists' Accounts At China's Request
    3. US designates China's Huawei and ZTE as national security threats
    4. India bans 59 Chinese apps, including TikTok, UC Browser, Weibo, and WeChat
    5. U.S. looking at banning Chinese social media apps, including TikTok
    6. TikTok to pull out of Hong Kong
    7. TikTok ban being investigated in Australia
    8. Facebook and WhatsApp pause Hong Kong user data requests
    9. DuckDuckGo coming back online in India following country-wide block
    10. Repairing your smartphone or installing a ROM will now be a crime in Mexico
    11. FBI chief says China threatens families to coerce overseas critics to return to China
    12. COVID-19 ‘Breach Bubble’ Waiting to Pop?
    13. Internet cut in Ethiopia amid unrest following killing of singer
    14. Political Data Leak in Malta
    15. Chinese malware used in attacks against Australian orgs
    16. Iran’s domestic espionage: Lessons from recent data leaks
    17. Twitter bans 32k accounts pushing Chinese, Russian, and Turkish propaganda
    18. Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools
    19. China's Great Firewall descends on Hong Kong internet users
    20. Super Secretive Russian Disinfo Operation Discovered Dating Back To 2014
    21. Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies
    22. German ISPs will redirect traffic to intelligence services for trojan install
    23. Russia says Germany has not provided any evidence of Bundestag hack
    24. Huawei believes it can supply 5G kit to UK despite US sanctions
    25. Social media restricted in Mali amid protests against president
    26. Internet in Iran disrupted due to knock-on effect of power cut in Armenia
    27. Citizen Lab and Amnesty International Uncover Spyware Operation Against Indian Human Rights Defenders
    28. Congress wants to know what commercial spyware other countries are using
  6. Privacy
    1. Zoom will provide end-to-end encryption to all users after privacy backlash
    2. TikTok App to Stop Accessing User Clipboards After Being Caught in the Act
    3. GDPR: Teams and Zoom cannot be used in compliance with the law
    4. Only 9% of visitors give GDPR consent to be tracked
    5. DuckDuckGo browser seemingly sends domains a user visits to DDG servers
    6. Reddit and LinkedIn apps also caught copying and pasting clipboard contents
    7. Amazon’s Ring Enables the Over-Policing Efforts of Some of America’s Deadliest Law Enforcement Agencies
    8. Facebook says 5,000 app developers got user data after cutoff date
    9. Boston bans use of facial recognition technology
    10. The Senate’s New Anti-Encryption Bill Is Even Worse Than EARN IT, and That’s Saying Something
    11. Invasive, secretive “bossware” tracking workers
    12. Michigan tackles compulsory microchip implants for employees with new bill
    13. Apple declined to implement 16 Web APIs in Safari due to privacy concerns
    14. Google Loses $56 Million Fight in French Test of EU Privacy Law
    15. Oracle's BlueKai Tracks You Across the Web. That Data Spilled Online
    16. Police Are Buying Access To Hacked Website Data
    17. Germany’s Corona-Warn-App: Frequently Asked Questions
    18. The Dark Side of SwissCovid
    19. PimEyes: A Polish company is abolishing our anonymity
    20. Google bans stalkerware ads
    21. Amazon tells employees to remove TikTok from their phones due to security risk, then walks it back
    22. Police surveilled protests with help from Twitter-affiliated startup Dataminr
    23. A Quick and Dirty Guide to Cell Phone Surveillance at Protests
    24. Six eBay executives and employees charged over alleged cyberstalking campaign
    25. Hackers use an ordinary light bulb to spy on conversations 80 feet away
    26. EU privacy watchdog thinks that Clearview AI is illegal
    27. The battle to outlaw end-to-end encryption in the U.S. is heating up
  7. Breaches
    1. Delivery Hero Confirms Data Breach After Customer Data is Posted On a Dark Web Forum
    2. Business giant Xerox allegedly suffers Maze Ransomware attack
    3. Brazil's Hapvida Discloses Cyber Breach, Potential Client Data Leak
    4. Ransomware attack on insurance MSP Xchanging affects clients
    5. Hackers Compromise Russian Foreign Ministry Twitter Account, Ask $600,000 For ‘Stolen’ Database
    6. Home Loan Provider Exposed 695k Records Online
    7. One of Florida’s largest orthopedic providers faces class-action lawsuit after data breach
    8. Serious data privacy breach at DU admit card 2020 download portal, students' personal details available
    9. Thousands of MyGov accounts for sale on dark web
    10. NY Employment Nonprofit Client Data Potentially Exposed
    11. Roblox accounts hacked with pro-Trump messages
    12. Surge of MongoDB ransom attacks use GDPR as extortion leverage
    13. Dozens of US news sites hacked in WastedLocker ransomware attacks
    14. V Shred data leak exposes PII, sensitive photos of fitness customers and trainers
    15. Corona contact list can be accessed unprotected on the Internet
    16. Hackers obtain Covid-19 patient database in protest at treatment of Indian health workers
    17. US schools leaked 24.5 million records in 1,327 data breaches since 2005
    18. Unsecured Chinese companies leak users’ sensitive personal and business data
    19. Seller floods hacker forum with data stolen from 14 companies
    20. Philippines: unauthorized disclosure of COVID-19 patients’ identities continues
    21. Domestic Abuse Prevention App Exposed Voice Recordings
    22. Impact Guru, India’s Leading Crowdfunding Platform Breached
    23. Lawsuit against Pearson over data breach scuttled by injury claims
    24. Google Alerts catches fake data breach notes pushing malware
    25. Hackers breach E27, want "donation" to reveal vulnerabilities
    26. Largest US Bubble Tea Supplier Exposed Data Online
    27. Twitter discloses billing info leak after 'data security incident'
    28. LG Electronics allegedly hit by Maze ransomware attack
    29. Quidd - 3,805,863 breached accounts
    30. Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More
    31. Bank Card "Master Key" Stolen
    32. eToro accounts peddled by the thousands on cybercrime forums
    33. Popular MMO game Stalker Online hacked, 1.2 million user records put for sale on hacker forums
    34. IT giant Cognizant confirms data breach after ransomware attack
    35. Chipmaker MaxLinear reports data breach after Maze Ransomware attack
    36. Avon recovering after mysterious cyber-security incident
    37. 30,000+ Italian sales agents’ personal data, IDs leaked by MLM company that distributes wellness products
    38. City of Knoxville shuts down network after ransomware attack
    39. Live event solutions leader TAIT discloses data breach
    40. Fortune 500 insurance firm Genworth discloses data breach
    41. Power company Enel Group suffers Snake Ransomware attack
    42. Personal Details, including SSNs, of 40K USA Citizens Leaked on Darkweb
  8. Misc
    1. System hardening in Android 11
    2. Targeted MitM attacks using information leakage in SSH clients
    3. One Out of Every 142 Passwords is '123456'
    4. German stock trading platform Xetra down, all securities affected
    5. Life As A Professional Hacker
    6. The more cybersecurity tools an enterprise deploys, the less effective their defense is
    7. Over 100k daily brute-force attacks on RDP in pandemic lockdown
    8. Whistleblower provides blocking orders for over 4000 websites
    9. Hardcoded secrets, unverified tokens, and other common JWT mistakes
    10. Risky blogspot.in domain for sale after Google fails to renew it
    11. Hackers use Google Analytics to steal credit cards, bypass CSP
    12. The Antitrust Case against Google
    13. Adobe to remove Flash Player from web site after December 2020
    14. Hackers hide credit card stealing script in favicon metadata
    15. FBI warns K12 schools of ransomware attacks via RDP
    16. Sony launches PlayStation bug bounty program with $50K+ rewards
    17. Examining the US Cyber Budget
    18. France to introduce controversial age verification system for adult websites
    19. Microsoft's new KDP tech blocks malware by making parts of the Windows kernel read-only
    20. US govt to enforce HTTPS on new .gov sites starting September 1
    21. Car autopilot security
    22. Intel adds CPU-level malware protection to Tiger Lake processors

Crime

German Payments Group Wirecard Says $2.1 Billion of Cash is Missing

Wirecard was engulfed in a deepening crisis on Thursday after a warning from the German payments group that $2.1 billion of cash was missing. The company was told by EY that there were indications a trustee of Wirecard bank accounts had attempted "to deceive the auditor" and that "spurious cash balances" might have been provided to EY by a third party. The disclosure left Wirecard unable to release its 2019 results as it had promised to do on Thursday and gives banks the option of terminating $2.2 billion of loans unless the results are published by Friday, June 19. In a statement Wirecard said it was "working intensively together with the auditor towards a clarification of the situation."

FBI used Etsy, LinkedIn to make arrest in torching of Philadelphia police cars

Authorities used popular websites including Etsy, Poshmark and LinkedIn to identify Lore-Elisabeth Blumenthal, 33, of Philadelphia, who has since been charged with the arson of two Philadelphia police vehicles during the unrest that followed peaceful protests on May 30. She is in federal custody and made her initial court appearance on Tuesday. The FBI says it was Blumenthal's T-shirt and a forearm tattoo that led investigators to her: in amateur photos given to authorities, she is seen wearing a T-shirt that reads "Keep the immigrants, deport the racists." Investigators say open searches for the Etsy username led them to a Poshmark user by the name of lore-elisabeth, and open searches for a Lore Elisabeth in Philadelphia led to a LinkedIn profile for a woman employed as a massage therapist.

Akamai Registers Massive 1.44 Terabit-per-second DDoS Attack

A large hosting provider used by a number of political and social sites was hit with one of the largest DDoS attacks ever registered by Akamai, one of the world's biggest CDN and cloud security providers. Akamai did not name the target, but it did share some technical details about the attack itself. "A typical DDoS attack depends on one to three different attack vectors, but this one utilized nine," said Roger Barranco, vice president of global security operations for Akamai. "The methods involved volumetric attacks, or floods, of ACK, SYN, UDP, NTP, TCP reset, and SSDP packets, multiple botnet attack tools, and CLDAP reflection, TCP anomaly, and UDP fragments. There were no zero-day vulnerabilities and novel techniques."

AWS said it mitigated a 2.3 Tbps DDoS attack

Amazon said its AWS Shield service mitigated the largest DDoS attack ever recorded, stopping a 2.3 Tbps attack in mid-February this year. The incident was disclosed in the company's AWS Shield Threat Landscape report, which details web attacks mitigated by the AWS Shield protection service. The report did not identify the targeted AWS customer but said the attack was a reflection attack carried out through hijacked CLDAP (connectionless LDAP, UDP port 389) servers and caused three days of "elevated threat" for AWS Shield staff.

AT&T dragged to court, again, over SIM hijacking and cryptocurrency theft

AT&T is being sued for the second time over the alleged theft of cryptocurrency belonging to a customer, facilitated by a SIM-swap attack. Seth Shapiro, an advisor in business and technology, claims that his "life savings" were stolen after an AT&T employee facilitated the transfer of a phone number to a hacker's control.

Yahoo engineer gets no jail time after hacking 6,000 accounts to look for porn

A former Yahoo engineer, Reyes Daniel Ruiz, was sentenced to five years of probation and home confinement for hacking into the personal accounts of more than 6,000 Yahoo Mail users to search for sexually explicit images and videos. The judge also ordered Ruiz to pay a $5,000 fine and $118,456 in restitution to Yahoo (now Oath), according to court documents obtained by ZDNet.

Italy and Romania take down cyber fraud ring generating €20 million per year in criminal profits

The Italian National Postal and Communication Police Unit and the Romanian National Police, supported by Europol and Eurojust, dismantled an organised criminal group involved in financial fraud, cybercrime and money laundering. On 7 July, Italian and Romanian law enforcement authorities carried out 12 house searches and arrested 12 individuals (8 in Italy and 4 in Romania). The operation led to the seizures of personal computers, credit cards, properties, vehicles and other assets with an overall estimated value of over €1.5 million.

How Police Secretly Took Over a Global Phone Network for Organized Crime

French police hacked EncroChat, an encrypted phone network widely used by criminals, and monitored around a hundred million messages in which career criminals discussed drug deals, murders and extortion plots. Starting earlier this year, police kept arresting associates of Mark, a UK-based alleged drug dealer, even though he took the security of his operation seriously: the gang used code names and discussed business only on custom, encrypted phones made by a company called EncroChat. French authorities had penetrated the EncroChat network, leveraged that access to install a technical tool on the handsets in what appears to be a mass hacking operation, and had been quietly reading users' communications for months. Investigators then shared those messages with agencies around Europe.

DOJ indict Fxmsp hacker for selling access to hacked orgs, AV firms

The US Department of Justice has indicted a hacker known as 'Fxmsp' for hacking into, and selling access to, over three hundred organizations worldwide. The indictment charges Andrey Turchin, a citizen of Kazakhstan also known as "Fxmsp," with conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud.

German authorities seize 'BlueLeaks' server that hosted data on US cops

German authorities have seized a web server that hosted BlueLeaks, a website that provided access to internal documents stolen from US police departments. The server belonged to DDoSecrets (Distributed Denial of Secrets), an activist group that published the files in mid-June. A Twitter spokesperson told ZDNet that the @DDoSecrets account has been permanently suspended for violating Twitter's policy on the distribution of hacked data, after the account shared links to the data stolen from US law enforcement agencies. Brian Krebs reported on the leak and on June 20th obtained an analysis from the National Fusion Center Association (NFCA) confirming the authenticity of the leaked records.

Facebook Helped the FBI Exploit Vulnerability in a Secure Linux Distro for Child Predator Sting

Facebook security personnel and engineers helped the FBI track down a notorious child predator by helping a third-party company develop an exploit for Tails, a security-focused Linux distribution, per a Wednesday report by Vice. But they did so quietly and without afterwards notifying the Tails developers of the underlying flaw, potentially violating security industry norms around disclosure while handing federal agents a working exploit for an unpatched vulnerability.

Devious Bitcoin scam uses targeted texts and celeb endorsements

A multi-stage bitcoin fraud exposed and leveraged personally identifiable information to trick users into signing up for a dubious investment site. Researchers found close to 250,000 unique records of victim data. The attackers prepared websites impersonating publications that are well known in the victim's country, complete with fake interviews and comments in which famous people praised a cryptocurrency trading platform.

Russian leader of Infraud stolen ID, credit card ring pleads guilty

A Russian national has pleaded guilty to a racketeering (RICO) conspiracy charge after being accused of being one of the leaders of a carding ring trading in stolen identities, credit cards, and hacking tools. On Friday, the US Department of Justice (DoJ) said Sergey Medvedev, also known as "Stells," "segmed," and "serjbear," was one of the lead members of the Infraud Organization, a large cybercriminal ring specializing in carding. Carding is the term used to describe a range of payment card-related fraud, including the sale and exchange of credit card numbers, the use of stolen details to purchase gift cards or other products, and money laundering.

Hackers strike at Life Healthcare, extent of data breach yet to be assessed

South Africa's Life Healthcare said on Tuesday its southern African operation was hit by a cyber attack affecting its admissions systems, business processing systems and email servers, but is yet to determine the extent to which data has been compromised. The hospital operator said its patient care was not impacted and an investigation into the incident is underway.

Admin of carding portal behind $568M in losses pleads guilty

Russian national Sergey Medvedev, a co-founder of the Internet-based cybercriminal enterprise Infraud Organization and an admin on the organization's carding portal, pleaded guilty to RICO conspiracy. In February 2018, US authorities indicted 36 individuals for their alleged roles in the transnational Infraud group, which had 10,901 registered members as of March 2017, and apprehended 13 defendants in the United States and six other countries: Australia, the United Kingdom, France, Italy, Kosovo and Serbia. "During the course of its seven-year history, the Infraud Organization inflicted approximately $2.2 billion in intended losses, and more than $568 million in actual losses, on a wide swath of financial institutions, merchants, and private individuals, and would have continued to do so for the foreseeable future if left unchecked," a DoJ release says.

Owner of Cardplanet credit card market gets 9 years in prison

A 30-year old Russian national named Aleksey Yurievich Burkov was sentenced to nine years in prison for running Cardplanet and Direct Connection, two sites that facilitated payment card fraud, computer hacking, and other cybercrimes. Burkov (also known as Aleksey Yurevich Burkov) pleaded guilty to identity theft, computer intrusions, wire fraud, money laundering, and conspiracy to commit access device fraud in January 2020, facing a maximum of 15 years of prison time.

Developer of Mirai, Qbot-based DDoS botnets jailed for 13 months

Kenneth Currin Schuchman, a 22-year-old Washington man also known as Nexus Zeta, was sentenced to 13 months in prison for developing and renting out Mirai- and Qbot-based DDoS botnets used in attacks against targets all over the world. Schuchman pleaded guilty to charges covering the creation and operation of the Satori, Okiru, Masuta, and Tsunami/Fbot botnets and had been released to the United States Probation and Pretrial Services on September 3, 2019.

New Charges, Sentencing in Satori IoT Botnet Conspiracy

The U.S. Justice Department charged a Canadian and a Northern Ireland man for allegedly conspiring to build botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced to drug treatment and 18 months community confinement for his admitted role in the botnet conspiracy.

Largest ever recorded packet per second-based DDoS attack mitigated by Akamai

A bank in Europe was the target of a huge distributed denial-of-service (DDoS) attack that flooded its networking gear with 809 million packets per second (PPS). The attack is a contender for the largest DDoS incident to date even though it was not bandwidth-intensive: its footprint was just 418 Gbps, which works out to an average packet size of roughly 65 bytes. Floods of that shape exhaust the per-packet processing capacity of routers, firewalls and servers well before they saturate the links.
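The vectors listed in the Akamai and AWS stories above, and the packets-per-second figure in this one, can be sanity-checked from flow telemetry. The following is an added example for this digest, not code from Akamai, AWS or any cited report: it classifies flow records by vector (reflection services are recognised by their fixed UDP source port, TCP floods by flag combination) and reports each vector in packets/s as well as bits/s, since 809 Mpps at 418 Gbps implies roughly 65-byte packets. The flow records, ports and rates are constructed for the example.

```python
"""Classify flood traffic by vector and weigh it in packets/s as well as bits/s.

Added example for this digest: not code from Akamai, AWS or any cited report.
The flow records below are constructed for the example, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

# Reflection/amplification services answer from a fixed UDP port, so the
# reflected traffic reaches the victim with that port as its *source* port.
REFLECTORS = {
    53: "DNS reflection",
    123: "NTP reflection",
    389: "CLDAP reflection",
    1900: "SSDP reflection",
}

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Flow:
    proto: str              # "udp" or "tcp"
    src_port: int
    dst_port: int
    packets: int            # packets seen in the window
    octets: int             # bytes seen in the window
    tcp_flags: int = 0      # OR of the flags seen on the flow (tcp only)
    fragment: bool = False  # non-first IP fragments carry no L4 header


def classify(flow: Flow) -> str:
    """Name the DDoS vector a flow belongs to (coarse, port/flag based)."""
    if flow.proto == "udp":
        if flow.fragment:
            return "UDP fragments"
        return REFLECTORS.get(flow.src_port, "UDP flood")
    if flow.proto == "tcp":
        f = flow.tcp_flags
        if f == SYN:
            return "SYN flood"
        if f & RST:
            return "TCP RST flood"
        if f == ACK:
            return "ACK flood"
        # SYN+FIN, no flags at all, etc. are illegal combinations: "TCP anomaly".
        return "TCP anomaly"
    return "other"


def summarize(flows, window_s: float) -> dict:
    """Per-vector packet rate, bit rate and mean packet size over a window."""
    pkts, octs = defaultdict(int), defaultdict(int)
    for fl in flows:
        v = classify(fl)
        pkts[v] += fl.packets
        octs[v] += fl.octets
    return {
        v: {
            "pps": pkts[v] / window_s,
            "bps": octs[v] * 8 / window_s,
            "avg_pkt_bytes": octs[v] / pkts[v],
        }
        for v in pkts
    }


def avg_packet_bytes(pps: float, bps: float) -> float:
    """Mean packet size implied by a packet rate and a bit rate."""
    return bps / 8 / pps


def is_packet_rate_attack(pps: float, bps: float, small_pkt: int = 100) -> bool:
    """Tiny-packet floods stress per-packet processing (NIC queues, conntrack,
    forwarding ASIC limits) long before they fill the link."""
    return avg_packet_bytes(pps, bps) < small_pkt


# Constructed one-second sample mixing several of the vectors named by Akamai.
SAMPLE = [
    Flow("udp", 389, 80, packets=400_000, octets=400_000 * 1400),   # CLDAP
    Flow("udp", 123, 80, packets=100_000, octets=100_000 * 468),    # NTP
    Flow("udp", 1900, 80, packets=50_000, octets=50_000 * 310),     # SSDP
    Flow("udp", 0, 80, packets=80_000, octets=80_000 * 1480, fragment=True),
    Flow("tcp", 40001, 443, packets=900_000, octets=900_000 * 60, tcp_flags=SYN),
    Flow("tcp", 40002, 443, packets=300_000, octets=300_000 * 60, tcp_flags=ACK),
    Flow("tcp", 40003, 443, packets=200_000, octets=200_000 * 60, tcp_flags=RST | ACK),
    Flow("tcp", 40004, 443, packets=50_000, octets=50_000 * 60, tcp_flags=SYN | FIN),
]

if __name__ == "__main__":
    for vector, s in sorted(summarize(SAMPLE, 1.0).items()):
        print(f"{vector:16s} {s['pps']:>12,.0f} pps {s['bps'] / 1e9:8.2f} Gbps "
              f"avg {s['avg_pkt_bytes']:6.1f} B")
    # The European bank attack reported by Akamai: 809 Mpps at 418 Gbps.
    print("implied mean packet size:",
          round(avg_packet_bytes(809e6, 418e9), 1), "bytes")
```

The port table is deliberately short; a production classifier would also key on memcached (11211), Chargen (19) and the other reflectors in the Akamai and arXiv lists, and would read NetFlow/IPFIX or sFlow rather than hand-built records.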

New Zealand freezes $90 million in BTC-e money laundering case

Law enforcement in New Zealand has restrained $140 million NZD ($90 million USD) as part of a case against Alexander Vinnik, the alleged former operator of BTC-e. Vinnik, alleged to be BTC-e's founder and CEO, has been sought by law enforcement in the US, France, and Russia on money-laundering charges. New Zealand became involved following the discovery of a company registered in the country, Canton Business Corporation. Canton, which New Zealand says is owned by Vinnik, has had $165.4 million in cash and bank accounts frozen, alongside close to $63 million in assets and property. Local law enforcement called the seizure "the largest restraint of funds in New Zealand Police history."

FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy

An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.

Theft of CIA's "Vault Seven" Hacking Tools Due to Its Own Lousy Security

The breach - allegedly committed by a CIA employee - was discovered a year after it happened, when the information was published by WikiLeaks, in March 2017. The anti-secrecy group dubbed the release "Vault 7," and U.S. officials have said it was the [[https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html][biggest unauthorized disclosure of classified information in the CIA's history]], causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency's techniques. The October 2017 report by the CIA's WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were "woefully lax" within the special unit that designed and built the tools, the report said. Without the WikiLeaks disclosure, the CIA might never have known the tools had been stolen, according to the report. "Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss," the task force concluded. The task force report was provided to The Washington Post by the office of Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, who has pressed for stronger cybersecurity in the intelligence community. He obtained the redacted, incomplete copy from the Justice Department.

Over 1,300 phishing kits for sale on hacker forum

A member of a hacker forum is looking to make over $30,000 from selling a huge collection of more than 1,300 phishing kits. The malicious trove is part of the seller's collection and covers top-rated websites, banks, and financial organizations. At $25 per phishing kit, the seller is looking to make at least $32,500 if they manage to sell the entire cache. They could make more if there are multiple buyers.

Hacker arrested for stealing, selling PII of 65K hospital employees

29-year-old Michigan man Justin Sean Johnson was arrested earlier this week for allegedly being behind the 2014 hack of the health care provider and insurer University of Pittsburgh Medical Center (UPMC), stealing the PII and W-2 information of over 65,000 employees, and selling it on the dark web. Pittsburgh-based UPMC is Pennsylvania's largest healthcare provider with over 90,000 employees, integrating 40 hospitals and 700 doctors' offices and outpatient sites.

Academics studied DDoS takedowns and said they're ineffective, recommend patching vulnerable servers

A team of Dutch and German academics has studied the aftermath of a major crackdown against DDoS providers and concluded that law enforcement takedowns are largely ineffective, recommending that authorities rather focus on patching the vulnerable systems that are abused for the DDoS attacks in the first place. The study, published last year on paper-hosting service arXiv, analyzed how the DDoS-for-hire market was impacted after US and European law enforcement shut down 15 major DDoS-for-hire (aka DDoS booter, DDoS stresser) services in December 2018.

Fraudster gets maximum jail time for news site DDoS extortion

Iranian-born U.S. citizen Andrew Rakhshan, previously convicted in Canada for fraud, was sentenced to the maximum sentence of five years and ordered to pay over $500,000 after being found guilty of launching several distributed denial of service (DDoS) attacks against news websites. Rakhshan, born Kamyar Jahanrakhshan, was arrested in July 2017 and indicted one month later, after being deported from Canada. He then pleaded guilty in February 2020 to conspiring to launch DDoS attacks against the legal aggregation site Leagle.com in January 2015, after the website refused to take down court documents with information on his prior conviction in Canada.

Russian hacker found guilty for Dropbox, LinkedIn, and Formspring breaches

A jury found Russian hacker Yevgeniy Nikulin guilty of breaching the internal networks of LinkedIn, Dropbox, and Formspring back in 2012 and then selling their user databases on the black market. The jury verdict was passed on Friday during what was the first trial to be held in California since the onset of the coronavirus (COVID-19) pandemic.

Malware

Wells Fargo phishing baits customers with calendar invites

Wells Fargo customers are being targeted by a phishing campaign impersonating the Wells Fargo Security Team and luring potential victims to phishing pages with the help of calendar invites. Wells Fargo is a multinational financial services (banking, investment, and mortgage) provider with roughly 263,000 employees in 7,400 locations in 31 countries and territories. It serves one-third of all US households and it was ranked No. 30 on Fortune's 2020 rankings of America's largest corporations. The phishing messages spotted by researchers at email security company Abnormal Security earlier this month have so far targeted over 15,000 Wells Fargo customers using .ics calendar file attachments containing events directing the recipients to phishing pages.

FBI warns hackers are targeting mobile banking apps

The FBI on Wednesday warned that malicious cyber actors were targeting mobile banking apps in an attempt to steal money as more Americans have moved to online banking during the coronavirus pandemic. In a public service announcement, the FBI noted it expects to see hackers "exploit" mobile banking platforms, which have seen a 50 percent surge in use since the beginning of the pandemic. "With city, state, and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations," the agency wrote. "The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps."

Google removes 106 Chrome extensions for collecting sensitive user data

Google has removed 106 malicious Chrome extensions that have been caught collecting sensitive user data. The 106 extensions are part of a batch of 111 Chrome extensions that have been identified as malicious in a report by cyber-security firm Awake Security. Awake says these extensions posed as tools to improve web searches, convert files between different formats, as security scanners, and more. But in reality, Awake says the extensions contained code to bypass Google's Chrome Web Store security scans, take screenshots, read the clipboard, harvest authentication cookies, or grab user keystrokes (such as passwords).

EvilQuest wiper uses ransomware cover to steal files from Macs

A new data wiper and info-stealer called EvilQuest is using ransomware as a decoy to steal files from macOS users. The victims get infected after downloading trojanized installers of popular apps from torrent trackers. This ransomware is different from previous macOS ransomware threats because besides encrypting the victim's files, EvilQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallet-related files from infected hosts.

New Phishing scam targets website owners with free DNSSEC offer

A very clever phishing campaign targets bloggers and website owners with emails pretending to be from their hosting provider who wants to upgrade their domain to use secure DNS (DNSSEC). As it's possible to determine who is hosting a domain for a website via the WHOIS records, IP addresses, and HTTP headers, the email scam is highly targeted and impersonates the specific hosting company used by a website. In a new report by Sophos, researchers explain how the scammers are using this WHOIS information to send targeted emails that impersonate WordPress, NameCheap, HostGator, Microsoft Azure, and other well-known hosting companies.

Cerberus banking Trojan infiltrates Google Play

Security researchers have discovered the Cerberus banking Trojan disguised as a legitimate currency app on Google Play. On Tuesday, the cybersecurity team at Avast said the malicious app in question posed as a legitimate currency converter app designed for Spanish users. In total, the software, "Calculadora de Moneda" (Currency Calculator), has been downloaded over 10,000 times.

Try2Cry ransomware tries to worm its way to other Windows systems

A new ransomware known as Try2Cry is trying to worm its way onto other Windows computers by infecting USB flash drives and using Windows shortcuts (LNK files) posing as the targets' files to lure them into infecting themselves. The Try2Cry ransomware was discovered by G DATA malware analyst Karsten Hahn when a detection signature designed to spot USB worm components got triggered while analyzing an unidentified malware sample. Try2Cry is a .NET ransomware and another variant of the open-source Stupid ransomware family, as Hahn found after analyzing a sample obfuscated with the DNGuard code protection tool.

Avaddon ransomware shows that Excel 4.0 macros are still effective

Avaddon ransomware has been spreading this week via an old technique that's making a comeback, Microsoft cautioned on Thursday. The attacks appear to be more targeted and rely on malicious Excel 4.0 macros to download the malware directly onto the system.

Mozilla suspends Firefox Send service while it addresses malware abuse

Mozilla has temporarily suspended the Firefox Send file-sharing service as the organization investigates reports of abuse from malware operators and while it adds a "Report abuse" button. The browser maker took down the service after ZDNet reached out to inquire about Firefox Send's increasing prevalence in current malware operations.

Free decryptor available for ThiefQuest ransomware victims

Cyber-security firm SentinelOne has released a free decryptor app that can help victims of the ThiefQuest ransomware recover their locked files. The ThiefQuest ransomware - initially identified under the name of EvilQuest - targets only Mac users.

New Mac Ransomware Is Even More Sinister Than It Appears

The threat of ransomware may seem ubiquitous, but there haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. Though ThiefQuest is packed with menacing features, it's unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. Jamf's Wardle also found in his analysis that while the malware has all the components it would need to decrypt the files, they don't seem to be set up to actually function in the wild.

GoldenSpy backdoor installed by tax software gets remotely removed

As soon as security researchers uncovered the activity of GoldenSpy backdoor, the actor behind it fell back and delivered an uninstall tool to remove all traces of the malware. GoldenSpy stayed hidden in software called Intelligent Tax, from Aisino Corporation, that a Chinese bank required its company customers to install for paying local taxes. Following an investigation into suspicious behavior on systems belonging to one of their clients, researchers at Trustwave SpiderLabs found that Intelligent Tax behaved in a way that is unrelated to the GoldenSpy component.

Google removes 25 Android apps caught stealing Facebook credentials

Google has this month removed 25 Android applications from the Google Play Store that were caught stealing Facebook credentials. Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times. The malicious apps were developed by the same threat group and, despite offering different features, under the hood all the apps worked the same.

This is how EKANS ransomware is targeting industrial control systems

In a research report published on Wednesday, FortiGuard Labs researchers Ben Hunter and Fred Gutierrez said that malware designed to attack industrial control systems (ICS) continues to be lucrative for threat actors. The researchers were able to obtain two modern samples, one from May and another compiled in June, which revealed some interesting features. Both Windows-based samples are written in Go, a programming language widely used in the malware development community as it is relatively easy to compile to work on different operating systems.

TrickBot malware now checks screen resolution to evade analysis

The infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running in a virtual machine. When researchers analyze malware, they typically do it in a virtual machine that is configured with various analysis tools. Due to this, malware commonly uses anti-VM techniques to detect whether the malware is running in a virtual machine. If it is, it is most likely being analyzed by a researcher or an automated sandbox system. These anti-VM techniques include looking for particular processes, Windows services, or machine names, and even checking network card MAC addresses or CPU features.

Windows POS malware uses DNS to smuggle stolen credit cards

A Windows Point-of-Sale (POS) malware has been discovered using the DNS protocol to smuggle stolen credit cards to a remote server under the attackers' control. POS malware is installed on point-of-sale systems to monitor for payments made with credit cards. When a payment is processed on a remote terminal or the local machine, the malware will scrape the credit card information from the computer's memory and send it to a remote command and control server operated by the attackers. The attackers then collect the credit card data and use it to make fraudulent purchases, clone credit cards, or sell the data on dark web marketplaces.
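Exfiltration over DNS works because outbound DNS is almost always allowed, and the stolen data rides in the query names themselves. That also gives defenders a detection surface: tunnelled data shows up as many distinct, long, high-entropy leading labels under one registrable domain. The script below is an added example, not code from the article or from any vendor's product; it scores a constructed DNS query log (the "<timestamp> <client> <qname>" format, the .invalid/.test domains and the hex labels are all made up for illustration) and flags domains that match that pattern. Its two-label notion of a registrable domain is a stated simplification.

```python
"""Heuristic detector for DNS-based exfiltration in query logs (added example)."""
import math
from collections import Counter, defaultdict

# Constructed sample log; format assumed as "<timestamp> <client_ip> <qname>".
# Domains use the reserved .invalid/.test TLDs and are placeholders, not real IoCs.
SAMPLE_DNS_LOG = """\
2020-06-10T12:00:01 10.0.0.21 www.example.com
2020-06-10T12:00:02 10.0.0.21 cdn.example.net
2020-06-10T12:00:03 10.0.0.55 9f2b7c4e1a0d8e6f3b5c2a1d4e7f8a9b.exfil-placeholder.invalid
2020-06-10T12:00:03 10.0.0.55 0c1e2f3a4b5d6e7f8091a2b3c4d5e6f7.exfil-placeholder.invalid
2020-06-10T12:00:04 10.0.0.55 e7d1c9b5a3f2084c6d1e9b7a3f5c2d8e.exfil-placeholder.invalid
2020-06-10T12:00:04 10.0.0.21 a.cdn-placeholder.test
2020-06-10T12:00:05 10.0.0.21 b.cdn-placeholder.test
2020-06-10T12:00:05 10.0.0.55 5a3c9e1f7b2d4086ac8e2f0b6d9c1a3e.exfil-placeholder.invalid
2020-06-10T12:00:06 10.0.0.21 c.cdn-placeholder.test
2020-06-10T12:00:06 10.0.0.55 b4d8f0a2c6e1935d7b0f2a4c8e6d1b3f.exfil-placeholder.invalid
2020-06-10T12:00:07 10.0.0.21 d.cdn-placeholder.test
2020-06-10T12:00:08 10.0.0.21 mail.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded payloads score far higher than words."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels. A real deployment
    would consult the Public Suffix List (e.g. co.uk needs three labels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Yield (client_ip, qname) from the constructed "<ts> <client> <qname>" format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield fields[1], fields[2]


def analyse_queries(records, min_label_len=20, min_entropy=3.0, min_unique=3):
    """Group queries by registrable domain and flag domains whose leading labels look
    like encoded data: many distinct subdomains with long, high-entropy first labels."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "lengths": [], "entropies": []})
    for _client, qname in records:
        labels = qname.rstrip(".").lower().split(".")
        stats = per_domain[registered_domain(qname)]
        stats["queries"] += 1
        if len(labels) > 2:
            first = labels[0]  # the leading label carries the payload in most tunnelling tools
            stats["subdomains"].add(".".join(labels[:-2]))
            stats["lengths"].append(len(first))
            stats["entropies"].append(shannon_entropy(first))
    report = {}
    for dom, s in per_domain.items():
        mean_len = sum(s["lengths"]) / len(s["lengths"]) if s["lengths"] else 0.0
        mean_ent = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        report[dom] = {
            "queries": s["queries"],
            "unique_subdomains": len(s["subdomains"]),
            "mean_label_len": mean_len,
            "mean_entropy": mean_ent,
            # All three conditions must hold: a CDN with many short hostnames, or a
            # single long hash-like name, is not enough on its own.
            "suspicious": (len(s["subdomains"]) >= min_unique
                           and mean_len >= min_label_len
                           and mean_ent >= min_entropy),
        }
    return report


def suspicious_domains(log_text: str):
    """Convenience wrapper: sorted list of flagged registrable domains."""
    report = analyse_queries(parse_dns_log(log_text))
    return sorted(d for d, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    for dom, r in analyse_queries(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{dom:28} n={r['queries']:2} uniq={r['unique_subdomains']:2} "
              f"len={r['mean_label_len']:5.1f} H={r['mean_entropy']:.2f} "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}")
```

The thresholds are starting points to tune against a baseline of your own resolver logs; the benign `cdn-placeholder.test` entries are included precisely to show that a high subdomain count alone does not trip the rule. In production the same statistics are usually computed per client per time window, which also surfaces the single infected POS host.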

Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set

Thanos ransomware burst onto the scene in late 2019, advertised in various forums and closed channels. Thanos is a RaaS (Ransomware as a Service) which provides buyers and affiliates with a customized tool to build unique payloads. This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root. The generated payloads can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, and this includes the use of the RIPlace technique. To date, Thanos appears to be the only widely-recognized threat making use of RIPlace, although the feature was not always part of the Thanos toolset.

European victims refuse to bow to Thanos ransomware

A Thanos ransomware campaign targeting mid-level employees of multiple organizations from Austria, Switzerland, and Germany was met by the victims' refusal to pay the ransoms demanded to have their data decrypted. Thanos ransomware is a Ransomware-as-a-Service (RaaS) operation advertised on Russian-speaking hacker forums that allows affiliates to customize their own ransomware through a builder offered by the developer. The attacks started with a low-volume phishing campaign spreading malicious Microsoft Excel attachments sent from email accounts registered on the servers of the GMX free email provider according to the Proofpoint Threat Research Team which spotted these attacks.

Guardicore Labs Launches Botnet Encyclopedia to Aid in Global Fight Against Cybercrime

Guardicore, a leader in data center and cloud security, announced that its global research division, Guardicore Labs, has launched the Botnet Encyclopedia. Guardicore's Botnet Encyclopedia provides a continuously updated universal knowledge base of past and present botnet campaigns researched by the Labs team, many of which were previously unknown to the cybersecurity community, showcasing the greatest threats to enterprise security in a single, open location.

University of California SF pays ransomware hackers $1.14 million to salvage research

The University of California at San Francisco (UCSF) has admitted to paying a partial ransom demand of $1.14 million to recover files locked down by a ransomware infection. The university was struck on June 1, when malware was found in the UCSF School of Medicine's IT systems. Administrators quickly attempted to isolate the infection and ringfence a number of systems, which prevented the ransomware from traveling to the core UCSF network and causing further damage. While the school says the cyberattack did not affect "our patient care delivery operations, overall campus network, or COVID-19 work," UCSF servers used by the school of medicine were encrypted.

A hacker gang is wiping Lenovo NAS devices and asking for ransoms

A hacker group going by the name of 'Cl0ud SecuritY' is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files, and leaving ransom notes behind asking owners to pay between $200 and $275 to get their data back. Attacks have been happening for at least a month, according to entries on BitcoinAbuse, a web portal where users can report Bitcoin addresses abused in ransomware, extortions, cybercrime, and other online scams. Attacks appear to have targeted only LenovoEMC/Iomega NAS devices that are exposing their management interface on the internet without a password.

Chinese Bank Required Two Western Companies to Use Tax Software With a Hidden Backdoor

A Chinese bank required at least two western companies to install malware-laced tax software, according to a new report from the cyber-security firm Trustwave. "The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China," "Discussions with our client revealed that the malware was part of their bank's required tax software," Trustwave said Thursday... Trustwave, who was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer's network... Trustwave said the software worked as advertised, allowing its customer to pay local taxes, but that it also installed a hidden backdoor. The security firm says this backdoor, which Trustwave codenamed GoldenSpy and said it ran with SYSTEM-level access, allowed a remote attacker to connect to the infected system and run Windows commands, or upload and install other software.

New Lucifer DDoS malware creates a legion of Windows minions

A new botnet identified in the wild leverages close to a dozen exploits for high- and critical-severity vulnerabilities against Windows systems to turn them into cryptomining clients and sources for distributed denial-of-service (DDoS) attacks. The authors gave the malware the name Satan DDoS, but security researchers call it Lucifer to distinguish it from the Satan ransomware threat. The botnet grabbed the attention of researchers at Palo Alto Networks' Unit 42 following multiple incidents involving exploitation of CVE-2019-9081, a critical vulnerability in a component of the Laravel web framework that can lead to remote code execution.

Microsoft: Attackers increasingly exploit Exchange servers

Microsoft's Defender ATP Research Team issued guidance on how to defend against attacks targeting Exchange servers by blocking malicious activity identified with the help of behavior-based detection. The Microsoft researchers based their analysis on multiple campaigns of Exchange attacks investigated during early April, which showed how the malicious actors were deploying web shells on on-premises Exchange servers.

Zimperium Discovers MobOk Malware Left Undetected by AV Industry for Months

zLabs researchers have uncovered a new variant of the MobOk campaign. The samples found evaded detection by AV vendors for months. Zimperium worked with Google to ensure removal from the Play Store.

Hackers Used Malicious Docker Images to Mine Monero

A recently uncovered cryptomining scheme used malicious Docker images to hide cryptocurrency mining code, according to Palo Alto Networks' Unit 42. These images were uploaded to the legitimate Docker Hub repository.

The face of tomorrow’s cybercrime: Deepfake ransomware explained

Deepfakes are the manipulation of media, whether still images or videos accompanied by voice, using artificial intelligence, resulting in a believable composite that is challenging for the naked eye and/or software to detect. Ransomware, on the other hand, is malware that holds the victim's files hostage, either by encrypting important files or locking victims out of certain computer features to prevent them from performing remediation steps, until a ransom is paid. Combining these two suggests that deepfake tech can be used in ransomware campaigns or vice versa. This is feasible, albeit a bit of a mindbender. To help us understand the concept behind this weird intermarriage, several experts in the field have given us examples of what this concept may look like in practice.

Phishing Attacks Use Social Media Notifications to Steal Credentials

Attackers are looking to steal the credentials of Instagram, Facebook, and Twitter users with elaborate phishing campaigns. The targets of these campaigns are employees of major enterprise organizations. It might seem odd that attackers would go after social media accounts, but they have good reasons for this strategy. One of the reasons is that many people tend to use the same passwords for their personal and work accounts, which means that bad actors will often get a password that works on multiple domains. These campaigns look just like any other phishing attempt. The goal is to trick people into entering their credentials into websites that look very much like the original they're impersonating. It's a well-known method that relies on the employees' lack of training to recognize phishing campaigns. "These attacks impersonate popular social media platforms to deliver phishing emails to influential users of each platform by impersonating Instagram, Facebook, and Twitter, in an attempt to extract login credentials," say the researchers from Abnormal Security.

New Ransom X Ransomware used in Texas TxDOT cyberattack

A new ransomware called Ransom X is being actively used in human-operated and targeted attacks against government agencies and enterprises. May 2020 was not a good month for Texas as both the Texas Courts and the Texas Department of Transportation (TxDOT) were hit with ransomware attacks. At the time of the attacks, it was not known what ransomware targeted the government agencies.

“You’re Invited!” to Phishing Links Inside .ics Calendar Attachments

Every day threat actors find more and more ingenious ways to deliver phishing emails to end users. From direct attachments to using third party document hosting sites and... calendar invitations? The Cofense Phishing Defense Center (PDC) has unearthed a new phishing campaign in multiple enterprise email environments protected by Proofpoint and Microsoft that delivers .ics calendar invite attachments containing phishing links in the body. It's assumed that the attackers believe stuffing the URL inside a calendar invite would help avoid automated analysis.
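Both this item and the Wells Fargo campaign above rely on the same trick: the link lives inside an .ics attachment, where a gateway that only scans the message body never sees it. A practical countermeasure is to parse the attachment itself. The script below is an added example, not code from Cofense, Abnormal Security or any gateway product: it unfolds the calendar file as RFC 5545 requires (a line break followed by one space or tab is a continuation, so a URL can be split across two physical lines and defeat a naive per-line regex), pulls URLs out of every property, and reports those whose host falls outside a trusted-domain list. The sample invite, its wording and every domain in it are constructed placeholders, and the trusted-domain list is an assumption a gateway would take from policy.

```python
"""Extract and triage links embedded in an .ics calendar attachment (added example)."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample invite. Note the DESCRIPTION is folded (RFC 5545 continuation
# line starting with a space) right in the middle of the URL, and the comma is
# escaped as "\," per the iCalendar TEXT rules.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Constructed Example//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.com\r\n"
    "DTSTAMP:20200615T120000Z\r\n"
    "DTSTART:20200616T140000Z\r\n"
    "SUMMARY:Security Team: verify your account\r\n"
    "DESCRIPTION:Your account will be locked\\, review the notice at https://bank-security-notice.invalid/ver\r\n"
    " ify?acct=123 before the deadline.\r\n"
    "LOCATION:Online\r\n"
    "URL:https://calendar.example.com/event/0001\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def unfold_ics(text: str):
    """Join folded lines: CRLF followed by a single space or tab continues the
    previous logical line (the whitespace itself is dropped)."""
    logical = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += line[1:]
        elif line:
            logical.append(line)
    return logical


def unescape_value(value: str) -> str:
    """Undo iCalendar TEXT escaping: backslash-comma, -semicolon, -n and -backslash."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in ("n", "N") else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text: str):
    """Yield (NAME, value) pairs; parameters after ';' in the name part are dropped
    (e.g. 'DESCRIPTION;ALTREP=...:text' yields ('DESCRIPTION', 'text'))."""
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        yield head.split(";", 1)[0].upper(), unescape_value(value)


def extract_urls(ics_text: str):
    """Every URL in every property, with the property it came from and its host."""
    found = []
    for name, value in parse_properties(ics_text):
        for match in URL_RE.finditer(value):
            url = match.group(0).rstrip(".,;:)")  # drop sentence punctuation glued on
            found.append({"property": name, "url": url,
                          "host": urlparse(url).hostname or ""})
    return found


def flag_untrusted_links(ics_text: str, trusted_domains):
    """URLs whose host is not one of (or a subdomain of) the trusted domains.
    The trusted list is an assumption: a gateway would derive it from policy or
    from the sender's verified domain."""
    trusted = {d.lower() for d in trusted_domains}

    def is_trusted(host: str) -> bool:
        host = host.lower()
        return any(host == d or host.endswith("." + d) for d in trusted)

    return [link["url"] for link in extract_urls(ics_text) if not is_trusted(link["host"])]


if __name__ == "__main__":
    for link in extract_urls(SAMPLE_ICS):
        print(f"{link['property']:12} {link['url']}")
    print("untrusted:", flag_untrusted_links(SAMPLE_ICS, {"example.com"}))
```

Running it on the sample reports the folded `bank-security-notice.invalid` link as untrusted while the organiser's own `calendar.example.com` URL passes; a regex over the raw lines would have returned a broken `.../ver` fragment instead. The same parser can feed extracted hosts into whatever URL-reputation check the gateway already applies to message bodies.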

Privnotes.com Is Phishing Bitcoin from Users of Private Messaging Service Privnote.com

A site called Privnotes.com has been impersonating Privnote.com, a legitimate, free service that offers private, encrypted messages which self-destruct automatically after they are read. Any messages containing bitcoin addresses will be automatically altered to include a different bitcoin address, as long as the Internet addresses of the sender and receiver of the message are not the same.

Conti ransomware shows signs of being Ryuk's successor

The Conti Ransomware is an upcoming threat targeting corporate networks with new features that allow it to perform quicker and more targeted attacks. There are also indications that this ransomware shares the same malware code as Ryuk, which has slowly been fading away while Conti's distribution is increasing. "Based on multiple incident response matters and current assessment, it is believed that Conti ransomware is linked to the same Ryuk ransomware developer group based on the code reuse and unique TrickBot distribution. The same distribution attack vector is used widely by the Ryuk deployment group," Kremez told BleepingComputer in a conversation about the two ransomware families.

Cerberus Banking Trojan Targeted Spanish Android Users

A fake currency converter app in the official Google Play store, which has been downloaded more than 10,000 times since March, hid a banking Trojan and information stealer called Cerberus, according to Avast Mobile Threat Labs. The fake app, called "Calculadora de Moneda," appears to have targeted only Android users in Spain, Avast says. Researchers determined this app managed to bypass security features embedded in the Google Play store that are designed to keep out malware. "This banking Trojan managed to sneak onto the Google Play Store. The 'genuine' app, in this case, posed as a Spanish currency converter called 'Calculadora de Moneda,'" says Ondrej David, malware analysis team leader at Avast.

Joker Android malware keeps evading Google Play Store defenses

The threat actor behind the Joker Android malware has once again succeeded in slipping spyware-infected apps onto the Play Store, Google's official Android app store. Android applications infected with Joker malware, a spyware and premium dialer tool also known as Bread and tracked since 2017, were originally designed to perform SMS fraud. More recently, Joker's creators have moved to new tactics after Google introduced new Play Store policies which restrict the use of SEND_SMS permissions and increase Google Play Protect's coverage.

More pre-installed malware has been found in budget US smartphones

Malwarebytes has discovered, yet again, another phone model with pre-installed malware provided from the Lifeline Assistance program via Assurance Wireless by Virgin Mobile. This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.

Microsoft warns of Office 365 phishing via malicious OAuth apps

Microsoft warns that with the shift to remote working, customers are exposed to additional security threats such as consent phishing, besides conventional credential theft and email phishing attacks. Consent phishing is a variant of application-based attack where the targets are tricked into providing malicious Office 365 OAuth applications (web apps registered by the attackers with an OAuth 2.0 provider) access to their Office 365 accounts. Once the victims grant the malicious apps permissions to their account data, the threat actors get their hands on access and refresh tokens that allow them to take control of the targets' Microsoft accounts and make API calls on their behalf through the attacker-controlled app.

Ryuk ransomware deployed two weeks after Trickbot infection

Activity logs on a server used by the TrickBot trojan in post-compromise stages of an attack show that the actor takes an average of two weeks pivoting to valuable hosts on the network before deploying Ryuk ransomware. After compromising the network, the attacker starts scanning for live systems that have specific ports open and stealing password hashes from the Domain Admin group.

Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers

Hackers hijacked an Oxford email server to deliver malicious emails as part of a phishing campaign designed to harvest Microsoft Office 365 credentials from European, Asian, and Middle Eastern targets. The attackers also made use of a domain hosted on an Adobe server and used by Samsung during 2018's Cyber Monday event. By leveraging the reputable brands of Oxford University, Adobe, and Samsung within the same campaign, the threat actors' attacks had everything needed to bypass their victims' email security filters and trick the victims themselves into handing over their Office 365 credentials.

Why did this Bank of America phishing email bypass spam filters?

Threat actors trying to steal your credentials through phishing attacks is nothing new, and the number of campaigns has only been rising in recent times. Government estimates indicate that phishing is a multi-billion dollar industry, which is why cybersecurity companies exist that focus entirely on securing clients' inboxes from malicious email. Due to this, attackers continuously come up with new tricks to bypass secure email gateways, such as foreign languages, CSS tricks, specially crafted ZIP files, and hacked SharePoint sites.

InvisiMole malware delivered by Gamaredon hacker group

Security researchers have demystified the attack chain of the elusive InvisiMole cyberespionage group, revealing a complicated multi-stage format that relies on vulnerable legitimate tools, target-specific encryption of payloads, and stealthy communication. InvisiMole gets access to the target network through Gamaredon, a threat actor linked to Russia that runs reconnaissance operations and identifies valuable systems. Both attack groups have been operational for at least seven years and despite their collaboration, they are considered distinct threat actors due to the clear difference in attack tactics and techniques.

Microsoft: COVID-19 malware attacks were barely a blip in total malware volume

Microsoft says that despite all the media headlines over the past few months, malware attacks that abused the coronavirus (COVID-19) theme have barely been a blip in the total volume of threats the company sees each month. These COVID-19 attacks included emails carrying malicious file attachments (also referred to as malspam) and emails containing malicious links that redirect users to phishing sites or malware downloads. According to Microsoft's Threat Protection Intelligence Team, the first attacks abusing a COVID-19 lure started after the World Health Organization (WHO) declared COVID-19 a global pandemic on January 30.

BazarBackdoor malware: What it is, how it works and how to prevent it

BazarBackdoor is a new malware with the ability to install various types of malicious programs on the infected computers. It is believed to be created by the developers of the TrickBot Trojan, a banking Trojan infecting Windows machines. This is because BazarBackdoor exhibits code and other similarities with TrickBot Trojan.

Universities Targeted by NetWalker Ransomware

Cybercriminals have found a new way to extort universities: stealing sensitive information and then threatening to share it on the dark web unless a bounty is paid. Three institutions were successfully targeted by hackers using this approach in the past two weeks. The first was Michigan State University, then the University of California, San Francisco, and, most recently, Columbia College Chicago. None of the institutions have shared how much ransom was requested. All were targeted using malicious software known as NetWalker and given a deadline of six days to pay.

Black Kingdom ransomware hacks networks with Pulse VPN flaws

Operators of Black Kingdom ransomware are targeting enterprises with unpatched Pulse Secure VPN software or initial access on the network, security researchers have found.

Imperva Takes on its Largest Recorded Account Takeover Attack on a Single Company

Imperva recently detected and mitigated the largest -- and most concentrated -- series of brute force ATO (account takeover) attacks in its history. Over the course of 60 hours from midnight on October 28, our ATO team's monitoring systems detected more than 44 million ATO attempts on the login page of a particular online banking service. We began blocking the attack within 15 minutes of learning of its existence.

Deep Analysis of a QBot Campaign – Part I

QBot is a Trojan, also known as QakBot, which has been active for years. It was originally known as a financial malware designed to target governments and businesses for financial fraud by stealing user credentials and keystrokes. It was observed by threat researchers at the time that it was delivered through phishing campaigns, or by another malware, such as Emotet. FortiGuard Labs recently captured an MS Office Word document in the wild that was spreading a variant of QBot. Normally, such Word documents are only delivered in a phishing email designed to deceive the victim into opening it. Unfortunately, we only captured the Word file, so we do not know how it is being delivered. QBot uses complicated techniques and a framework designed for it to run covertly on a victim's system.

TrickBot malware mistakenly warns victims that they are infected

The notorious TrickBot malware mistakenly left a test module that is warning victims that they are infected and should contact their administrator. In a recent release of the TrickBot malware analyzed by Advanced Intel's Vitali Kremez, the threat actors are mistakenly distributing a test version of their password-stealing grabber.dll module. When loaded, this module displays a warning in the default browser stating that the program is gathering information and that the victim should ask their system administrator.

APT

Aerospace, Defense Firms Targeted With Fake LinkedIn Profiles

A cyberespionage campaign that targeted aerospace and defense firms in Europe and the Middle East was likely the work of a hacking group with ties to North Korea, according to security firm ESET. The campaign, dubbed "Operation In(ter)ception," started in September 2019 and lasted through December. It targeted victims using fake LinkedIn accounts that spread a new type of credential-stealing malware called Inception.dll, according to ESET researchers. Two of the victimized companies allowed the security firm to conduct an analysis of the attack.

North Korean hackers linked to web skimming (Magecart) attacks, report says

North Korea's state-sponsored hacking crews are breaking into online stores to insert malicious code that can steal buyers' payment card details as they visit the checkout page and fill in payment forms. Attacks on online stores have been going on since May 2019, said Dutch cyber-security firm SanSec in a report. The highest-profile victim in this series of hacks is accessories store chain Claire's, which was breached in April and June this year.

Researchers link APT15 hackers to Chinese military company

Researchers have linked the APT15 hacking group known for Android spyware apps to a Chinese military company, Xi'an Tian He Defense Technology Co. Ltd. In a new report by Lookout Threat Intelligence, researchers show how four Android "surveillanceware" tools used to target the Uyghur ethnic minority group are part of a more extensive mobile advanced persistent campaign that has been operating for years. While the origins of the activity can be traced back to as far as 2013, Lookout has been monitoring malware families since 2015 named SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle that were distributed as Android apps.

Promethium APT attacks surge, new Trojanized installers uncovered

Promethium, the threat group also known as StrongPity, has been tracked in a new wave of attacks deploying an expanded list of Trojanized installers that abuse the popularity of legitimate applications. In new, separate reports, researchers from Cisco Talos and BitDefender have revealed not only new countries on the hit-list, but also an upgraded arsenal designed to compromise victim machines. Talos has tracked roughly 30 new command-and-control (C2) servers belonging to Promethium tied to an evolved form of the group's surveillance malware, StrongPity3, that is also believed to be linked to state-sponsorship.

Taurus: The New Stealer in Town

In early June 2020, the Zscaler team observed and began tracking a new malware campaign. The "Predator the Thief" cybercriminal group is behind the development of this stealer, named Taurus, and is selling it on dark forums for $100, or rebuilt with a new domain for $20. The group selling Taurus claims that this stealer is capable of stealing passwords, cookies, and autofill forms along with the browsing history of Chromium- and Gecko-based browsers. Taurus can also steal some popular cryptocurrency wallets and the credentials of commonly used FTP and email clients. This stealer also collects information such as installed software and system configuration, and sends that information back to the attacker. Taurus is designed not to execute in countries within the Commonwealth of Independent States (CIS).

Researchers connect Evilnum hacking group to cyberattacks against Fintech firms

Researchers from ESET have been investigating the APT for some time, and on Thursday, published an analysis of the threat group. According to the team, Evilnum has focused on targets located in Europe and the United Kingdom, although some victims are also located in Australia and Canada. As with many cyberattackers that specialize in financial targets, the aim is to infiltrate corporate networks, grab access credentials, and steal valuable financial information that can then either be used for fraudulent purchases or sold on in bulk to other criminals.

Business Email Compromise (BEC) Criminal Ring

For years, costly email grifts have largely been the province of West African scammers, particularly those based in Nigeria. A newly discovered "business email compromise" campaign, though, appears to come from a criminal group in a part of the world better known for a different brand of online mayhem: Russia. Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries.

Hidden Cobra - from a shed skin to the viper’s nest

ReversingLabs has posted an article analyzing the Hidden Cobra (often referred to as Lazarus) APT group linked to North Korea.

Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey

The Ginp mobile banking malware, which emerged in late 2019, is one of the most prevalent Android banking malware families. It started as an SMS stealer and rapidly evolved into one of the most advanced actors in the financial fraud landscape. Ginp has primarily targeted Spanish banks, but recent evidence suggests the malware has changed, or may change, its targeting strategy in the near future to focus on Turkey.

Vulnerabilities

Ripple20 vulnerabilities will haunt the IoT landscape for years to come

Cyber-security experts have revealed 19 vulnerabilities in a small library designed in the 90s that has been widely used and integrated into countless enterprise and consumer-grade products over the last 20+ years. The number of impacted products is estimated at "hundreds of millions" and includes smart home devices, power grid equipment, healthcare systems, industrial gear, transportation systems, printers, routers, mobile/satellite communications equipment, data center devices, commercial aircraft devices, various enterprise solutions, and many others.

79 Netgear router models risk full takeover due to unpatched bug

An unpatched zero-day vulnerability exists in 79 Netgear router models that allows an attacker to take full control over vulnerable devices remotely. Discovered independently by both Adam Nichols of cybersecurity firm Grimm and d4rkn3ss from Vietnam's VNPT ISC (through the Zero Day Initiative), the vulnerability lies in the HTTPD daemon used to manage the router. While ZDI's report includes brief information about the vulnerability, Nichols has released a detailed explanation of the vulnerability, a PoC exploit, and scripts to find vulnerable routers.

New Cisco Webex Meetings flaws

A new vulnerability found in the Cisco Webex Meetings client for Windows could allow local authenticated attackers to gain access to sensitive information including usernames, authentication tokens, and meeting information. Two other high-severity vulnerabilities were found in the Cisco Webex Meetings Desktop App for Windows and macOS that could allow unprivileged attackers to run programs and code on vulnerable machines.

Microsoft releases urgent security updates for Windows 10 Codecs bugs

Microsoft has released two out-of-band security updates to address remote code execution security vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating.

Tesco coupons easily faked to save £750 on Hotels.com bookings worldwide

Tesco is one of the most popular groceries and merchandise retailers in the UK, as well as in some European and Asian countries. Its loyalty card, Tesco Clubcard, rewards members with points for Tesco-related purchases, with members being able to redeem these points at various Partner businesses. CyberNews revealed that one of these Partners -- Hotels.com -- employs an easily-faked code that allows people to get up to £750 off hotel rooms. Since Hotels.com has more than 325,000 hotels in approximately 19,000 locations, this allows cheaters a wide variety of options where they can use these fraudulent codes. The main victim here seems to be Hotels.com, which can stand to lose millions of pounds in revenue over the lifetime of the membership deal.

Citrix fixes 11 flaws in ADC, Gateway, and SD-WAN WANOP appliances

Citrix patched a set of 11 vulnerabilities found to affect its Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO) networking products. According to Citrix, these vulnerabilities are not related to the CVE-2019-19781 remote code execution flaw the company patched in January 2020 and do not affect cloud versions of Citrix appliances. The patches released by Citrix fully resolve all the security issues, and customers are urged to apply them as soon as possible to defend against potential attacks designed to exploit them.

PoC exploits released for F5 BIG-IP vulnerabilities, patch now!

Two days after patches for a critical F5 BIG-IP vulnerability were released, security researchers started publicly posting proof-of-concept (PoC) exploits showing how easy it is to exploit these devices. F5 customers using BIG-IP devices and solutions include governments, Fortune 500 firms, banks, Internet service providers, and many consumer brands, including Microsoft, Oracle, and Facebook. On Friday, F5 disclosed that it had released patches for a critical vulnerability with a 10/10 CVSSv3 rating, tracked as CVE-2020-5902.

.NET Core vulnerability lets attackers evade malware detection

A vulnerability in the .NET Core library allows malicious programs to be launched while evading detection by security software. This vulnerability is caused by a path traversal bug in Microsoft's .NET Core library that allows malicious garbage collection DLLs to be loaded by users with low privileges. This bug affects the latest stable release (3.1.x versions) of .NET Core. A fix is not currently available, and the bug could let attackers execute malicious code on a system without being readily detected by antivirus and EDR products.

Windows 10 background image tool can be abused to download malware

A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm. Known as living-off-the-land binaries (LoLBins), these files come with the operating system and have a legitimate purpose. Attackers of all colors abuse them in post-exploitation phases to hide malicious activity. An attacker can use LoLBins to download and install malware and to bypass security controls such as UAC or WDAC. Typically, the attack involves fileless malware and reputable cloud services. A report from Cisco Talos last year provides a list of 13 Windows native executables that can download or execute malicious code. Researchers from SentinelOne discovered that "desktopimgdownldr.exe," located in Windows 10's system32 folder, can also serve as a LoLBin.

Fixing critical vulnerabilities in Apache's remote desktop

While Apache Guacamole is popular, with over 10 million Docker downloads worldwide, Check Point's researchers found that some of Guacamole's ingredients didn't meet the required security standards. In particular, it was vulnerable to several critical Reverse RDP vulnerabilities and affected by multiple new vulnerabilities found in FreeRDP. All versions of Guacamole released before January 2020 use vulnerable versions of FreeRDP.

Estonian Electronic Identity Card: Security Flaws in Key Management

The Estonian electronic identity card (ID card) is considered to be one of the most successful deployments of smart card-based national ID card systems in the world. The public-key cryptography and private keys stored on the card enable Estonian ID card holders to access e-services, give legally binding digital signatures and even cast an i-vote in national elections. This paper describes several security flaws found in the ID card manufacturing process. The flaws were discovered by analyzing public-key certificates collected from the public ID card certificate repository. In particular, contrary to the security requirements, the ID card manufacturer generated private keys outside the chip. In several cases, copies of the same private key were imported into the ID cards of different cardholders, allowing them to impersonate each other. In addition, as a result of a separate flaw in the manufacturing process, corrupted RSA public key moduli were included in the certificates, which in one case led to the full recovery of the corresponding private key.
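The certificate-repository analysis the paper describes amounts to a bulk sanity check of the RSA public keys. The following is an added example (not from the paper) of such an audit in pure Python: it flags identical moduli issued to different cardholders and moduli that share a prime factor (either condition exposes the private keys), as well as moduli with obvious defects that no sane key generator would produce. The cardholder ids and the toy-sized moduli are constructed for illustration.

```python
"""Audit a set of RSA public-key moduli for the two manufacturing flaws described
above: private keys shared between cardholders (identical or factor-sharing moduli)
and corrupted moduli that cannot be a product of two large primes.

Added example, not code from the paper. The moduli are constructed from small known
primes so the checks run instantly in pure Python; real keys are 2048+ bits."""
from collections import defaultdict
from math import gcd
from typing import Dict, List, Tuple

# Odd primes below 1000, used for a cheap divisibility check (2 is covered by the even test).
SMALL_PRIMES = [p for p in range(3, 1000) if all(p % q for q in range(2, int(p ** 0.5) + 1))]

# Constructed sample: cardholder id -> RSA modulus. Factors are well-known primes.
P1, P2, P3, P4, P5 = 104729, 104723, 1299709, 999983, 15485863
SAMPLE_CERTS: Dict[str, int] = {
    "A": P1 * P2,                      # well-formed
    "B": P1 * P2,                      # same key as A: the shared-private-key flaw
    "C": P1 * P3,                      # shares a prime with A/B: both keys factor instantly
    "D": P4 * P5,                      # well-formed, unrelated
    "E": 2 * 65537,                    # corrupted: even and far too short
    "F": 7 * 4294967291 * 1000003,     # corrupted: divisible by a small prime
}
MIN_BITS = 32  # toy threshold; a real audit would require the certificate's stated key size


def malformed_reasons(n: int, min_bits: int) -> List[str]:
    """Return the reasons a modulus could not have come from a correct RSA key generator."""
    reasons = []
    if n.bit_length() < min_bits:
        reasons.append(f"only {n.bit_length()} bits (expected >= {min_bits})")
    if n % 2 == 0:
        reasons.append("even modulus")
    for p in SMALL_PRIMES:
        if n != p and n % p == 0:
            reasons.append(f"divisible by small prime {p}")
            break
    return reasons


def audit_certificates(certs: Dict[str, int], min_bits: int) -> Dict[str, list]:
    """Group certificates by modulus, then report shared moduli, shared factors and defects."""
    findings: Dict[str, list] = {"shared_modulus": [], "shared_factor": [], "malformed": []}
    by_modulus: Dict[int, List[str]] = defaultdict(list)
    for holder, n in certs.items():
        by_modulus[n].append(holder)
        for reason in malformed_reasons(n, min_bits):
            findings["malformed"].append((holder, reason))

    # Identical modulus in two certificates means the holders share one private key.
    for n, holders in by_modulus.items():
        if len(holders) > 1:
            findings["shared_modulus"].append(sorted(holders))

    # A common factor between two distinct moduli fully exposes both private keys.
    distinct = list(by_modulus)
    for i in range(len(distinct)):
        for j in range(i + 1, len(distinct)):
            g = gcd(distinct[i], distinct[j])
            if g > 1:
                findings["shared_factor"].append(
                    (by_modulus[distinct[i]][0], by_modulus[distinct[j]][0], g)
                )
    return findings


if __name__ == "__main__":
    for category, items in audit_certificates(SAMPLE_CERTS, MIN_BITS).items():
        for item in items:
            print(f"{category:15s} {item}")
```

The pairwise gcd loop is quadratic; for a repository of hundreds of thousands of certificates a batch-gcd product tree does the same job in near-linear time.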

RCE on Telia Routers

Multiple vulnerabilities could allow running arbitrary code on an intranet server and gaining root access on all of the customers' routers. Every Telia router or TV box has a backdoor or "management interface". It is an SSH server running on VLAN 5 and/or the WAN, usually on port 8022. Older models, like ADB, have password login enabled. The newer models, like Technicolor, have password login disabled and only allow SSH with public key authentication.

Microsoft releases emergency security update to fix two bugs in Windows codecs

Systems running the Windows 10 Anniversary Update were shielded from two exploits even before Microsoft had issued patches for them, its researchers have found. Microsoft has published on Tuesday two out-of-band security updates to patch two vulnerabilities in the Microsoft Windows Codecs Library. Tracked as CVE-2020-1425 & CVE-2020-1457, the two bugs only impact Windows 10 and Windows Server 2019 distributions.

Disclosure: Another macOS privacy protections bypass

Jeff Johnson disclosed a new macOS privacy protection bypass. The privacy protections system (also known as TCC: Transparency, Consent, and Control) was introduced in macOS Mojave, and one of its purposes is to protect certain files on your Mac from access by unauthorized apps. I've discovered a way for an unauthorized app to read the contents of protected files, thus bypassing the privacy protections. This issue exists in Mojave, Catalina, and the Big Sur beta. It remains unaddressed and is therefore, in one sense, a zero-day.

Palo Alto Networks patches critical vulnerability in firewall OS

Palo Alto Networks disclosed a critical vulnerability found in the operating system (PAN-OS) of all its next-generation firewalls that could allow unauthenticated network-based attackers to bypass authentication. "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources," the company's security advisory reads.

GeoVision access control devices let hackers steal fingerprints

GeoVision, a Taiwanese fingerprint scanner, access control, and surveillance tech manufacturer, fixed critical vulnerabilities in their devices that could be abused by hackers and nation-state threat actors. During a network security audit last year, Acronis discovered numerous vulnerabilities in GeoVision devices that could allow users to gain full and unauthorized access to the cameras. The findings are important because vulnerabilities in mission-critical devices such as biometric fingerprint scanners, surveillance cameras, and other security IoTs could be exploited by nation-state actors to intercept traffic and conduct espionage.

Almost 300 Windows 10 executables vulnerable to DLL hijacking

A simple VBScript may be enough to allow users to gain administrative privileges and bypass UAC entirely on Windows 10. In a new report from a PwC UK security researcher Wietze Beukema, we learn that almost 300 Windows 10 executables are vulnerable to DLL hijacking. "It turns out nearly 300 executables in your System32 folder are vulnerable to relative path DLL Hijacking. Did you know that with a simple VBScript some of these EXEs can be used to elevate such executions, bypassing UAC entirely?" explained Beukema.

A survey of recent iOS kernel exploits

This post from Google Project Zero summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write.

FF Sandbox Escape (CVE-2020-12388)

James Forshaw from Project Zero has written about a Firefox sandbox escape vulnerability tracked under CVE-2020-12388.

SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL

On the latest versions of PostgreSQL, the superuser is no longer allowed to load a shared library file from anywhere other than C:\Program Files\PostgreSQL\11\lib on Windows or /var/lib/postgresql/11/lib on *nix. Additionally, this path is not writable by either the NETWORK SERVICE or postgres accounts. However, an authenticated database superuser can write binary files to the filesystem using "large objects" and can of course write to the C:\Program Files\PostgreSQL\11\data directory; the reason for this should be clear, since the server needs it for updating and creating tables. The underlying issue is that the CREATE FUNCTION statement allows a directory traversal to the data directory. So essentially, an authenticated attacker can write a shared library file into the data directory and use the traversal to load it. This means an attacker can get native code execution and, as such, execute arbitrary code.
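A defender can look for the condition this chain relies on: a C-language function registered in pg_proc whose library path does not stay under the server's library directory. The following is an added example (not code from the original write-up) of such an audit; the sample rows are constructed to mimic a join of pg_proc and pg_language, and the Linux data directory is an assumption modelled on the Windows layout quoted above.

```python
"""Audit PostgreSQL C-language functions for shared-library paths that leave the
server's library directory, the condition the data-directory traversal relies on.

Added example, not code from the original write-up. Rows mimic the output of
    SELECT p.proname, l.lanname, p.probin
    FROM pg_proc p JOIN pg_language l ON l.oid = p.prolang;
and are constructed inline. Paths are handled in POSIX form; on a Windows host,
convert backslashes to '/' before calling audit_functions (assumption, not tested
against a live server)."""
import posixpath
from typing import List, Optional, Tuple

LIBDIR = "/var/lib/postgresql/11/lib"    # library path quoted in the write-up above
DATADIR = "/var/lib/postgresql/11/data"  # constructed assumption for the *nix data directory

# (proname, lanname, probin) -- constructed sample rows
SAMPLE_ROWS: List[Tuple[str, str, Optional[str]]] = [
    ("plpgsql_call_handler", "c", "$libdir/plpgsql"),
    ("pg_stat_statements_reset", "c", "$libdir/pg_stat_statements"),
    ("array_sum_sql", "sql", None),                            # not a C function, ignored
    ("unexpected_fn", "c", "$libdir/../data/unexpected.so"),  # traverses into the data directory
    ("tmp_fn", "c", "/tmp/other.so"),                         # absolute path outside libdir
    ("cwd_fn", "c", "lib/other.so"),                          # relative, resolved against server cwd
]


def resolve_probin(probin: str, libdir: str) -> Optional[str]:
    """Expand the $libdir macro and collapse '..' segments.
    Returns None for a relative path without the $libdir prefix, because the server
    resolves such a path against its working directory, not against libdir."""
    if probin.startswith("$libdir"):
        return posixpath.normpath(libdir + probin[len("$libdir"):])
    if probin.startswith("/"):
        return posixpath.normpath(probin)
    return None


def is_inside(path: str, root: str) -> bool:
    """True when a normalised path is root itself or lies below it."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def audit_functions(rows, libdir: str, datadir: str) -> List[Tuple[str, str, str]]:
    """Return (proname, resolved_or_raw_probin, verdict) for every C function whose
    library does not live under libdir."""
    findings = []
    for proname, lanname, probin in rows:
        if lanname != "c" or not probin:
            continue
        resolved = resolve_probin(probin, libdir)
        if resolved is None:
            findings.append((proname, probin, "relative path, not anchored to $libdir"))
        elif not is_inside(resolved, libdir):
            verdict = "resolves into data directory" if is_inside(resolved, datadir) else "outside libdir"
            findings.append((proname, resolved, verdict))
    return findings


if __name__ == "__main__":
    for proname, path, verdict in audit_functions(SAMPLE_ROWS, LIBDIR, DATADIR):
        print(f"{proname:24s} {path:48s} {verdict}")
```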

Nvidia squashes display driver code execution, information leak bugs

This week, the tech giant published a security advisory for a total of six bugs in the driver, varying in severity with CVSS scores between 5.5 and 7.8 and impacting both Windows and Linux machines. The first vulnerability, CVE-2020-5962, is found in the Nvidia Control Panel component of the driver, in which a local attacker can corrupt system files, leading to denial of service or privilege escalation. CVE-2020-5963 is the second bug at hand, found in the CUDA Driver's Inter Process Communication APIs. The improper access control flaw can be exploited for code execution, denial of service, or information leaks. The third issue, now resolved, is CVE-2020-5964: an error in the service host component of the display driver can lead to resource integrity checks being skipped, thereby resulting in potential code execution, denial of service, or information disclosure attacks. CVE-2020-5965 has also been patched. The problem occurs in the display driver's DirectX 11 user mode driver, in which a "specially crafted shader can cause an out of bounds access, leading to denial of service," according to Nvidia.

From Recon to Bypassing MFA Implementation in OWA by Using EWS Misconfiguration

A researcher was able to bypass MFA in Exchange Web Services due to a misconfiguration on one of the endpoints.

Heap Overflow in the NETGEAR Nighthawk R6700 Router

A researcher competing at Pwn2Own Tokyo has discovered a heap overflow vulnerability in the router that could allow malicious third parties to take control of the device from a local area network. In this post, I discuss the vulnerability in detail and provide a proof-of-concept exploit that should work out of the box against any router running firmware version V1.0.4.84_10.0.58. The vulnerability exists in the httpd service (/usr/bin/httpd) running on affected devices. Unauthenticated attackers can send a specially crafted HTTP request to the httpd web service when connected to the local network, which could result in remote code execution on the target system. Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system. The heap overflow exists in the file upload function that processes an imported configuration file.

List of Ripple20 vulnerability advisories, patches, and updates

The dust is far from settled following the disclosure of the 19 vulnerabilities in the TCP/IP stack from Treck, collectively referred to as Ripple20, which could help attackers take full control of vulnerable devices on the network. Treck's code is fundamental for the embedded devices it is implemented on because it provides their network communication, and it is present on gadgets used in a variety of sectors: technology, medical, construction, mining, printing, energy, software, industrial control systems (ICS), telecom, retail, and commerce. The company has notified its customers and issued patches, but a week after the Ripple20 announcement from security research group JSOF, the full impact remains unclear. This is because Treck's code is licensed and distributed under different names or serves as a foundation for other network stacks. Concerted efforts from national-level cybersecurity agencies and private companies in the field are ongoing to identify businesses with products vulnerable to issues in the Ripple20 vulnerability set.

Remote code execution vulnerability in KensingtonWorks mouse manager

Robert Heaton has discovered a remote code execution vulnerability in the KensingtonWorks mouse manager, which opens a web server on localhost that runs commands with no authentication.

Turn on MFA Before Crooks Do It For You

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don't take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here's the story of one such incident.

Fraunhofer FKIE: Significant security flaws detected in Home Routers

Alarming findings are published in the »Home Router Security Report 2020« by the Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE. Of the 127 home routers tested from seven major manufacturers, nearly all were found to have security flaws, some of them very severe. The problems range from missing security updates to easily decrypted, hard-coded passwords and known vulnerabilities that should have been patched long ago.

Smartwatch Hack Could Trick Patients To 'Take Pills' With Spoofed Alerts

Security researchers say a smartwatch, popular with the elderly and dementia patients, could have been tricked into letting an attacker easily take control of the device. From a report: These watches are designed to help patients to easily call their carers and for carers to track the location of their patients. They come with their own cellular connection, so that they work anywhere. But researchers at U.K.-based security firm Pen Test Partners found that they could trick the smartwatch into sending fake "take pills" reminders to patients as often as they want, they said. "A dementia sufferer is unlikely to remember that they had already taken their medication," wrote Vangelis Stykas in a blog post. "An overdose could easily result." The vulnerabilities were found in the back-end cloud system, known as SETracker, which powers the smartwatch.

Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data

Two security researchers said this week that they found severe vulnerabilities and what appears to be intentional backdoors in the firmware of 29 FTTH OLT devices from popular vendor C-Data. FTTH stands for Fiber-To-The-Home, while OLT stands for Optical Line Termination. Kim and Torres said they confirmed the vulnerabilities by analyzing the latest firmware running on two devices, but they believe that the same vulnerabilities impact 27 other FTTH OLT models, as they run similar firmware. The vulnerabilities are as bad as it gets, but by far, the worst and most disturbing of the seven is the presence of Telnet backdoor accounts hardcoded in the firmware.

Zoom working on patching zero-day disclosed in Windows client

Video conferencing software Zoom is working on patching a zero-day vulnerability that was disclosed online earlier in a blog post by cyber-security firm ACROS Security. The security firm said the zero-day impacts Zoom's Windows client, but only when the clients are running on old Windows OS versions, such as Windows 7 and Windows Server 2008 R2 and earlier. Zoom clients running on Windows 8 or Windows 10 are not affected, according to ACROS Security CEO Mitja Kolsek. "The vulnerability allows a remote attacker to execute arbitrary code on victim's computer where Zoom Client for Windows (any currently supported version) is installed by getting the user to perform some typical action such as opening a document file," Kolsek said.

How to unc0ver a 0-day in 4 hours or less

At 3 PM PDT on May 23, 2020, the unc0ver jailbreak was released for iOS 13.5 (the latest signed version at the time of release) using a zero-day vulnerability and heavy obfuscation. By 7 PM, Brandon Azad had identified the vulnerability and informed Apple. By 1 AM, he sent Apple a POC and the analysis. This post takes you along that journey.

XSS Flaw Impacting 100,000 Sites Patched in KingComposer

A reflected cross-site scripting (XSS) vulnerability impacting 100,000 websites has been patched in the KingComposer WordPress plugin. KingComposer is a drag-and-drop page builder for WordPress-based domains that removes the need to program or directly code websites powered by the content management system (CMS). The Wordfence Threat Intelligence team discovered the XSS bug on June 25. Tracked as CVE-2020-15299 and issued a severity score of 6.1, the security flaw was found in Ajax functions used by the plugin to facilitate page builder features.

Disabling Google 2FA Doesn't Need 2FA

Google allows disabling 2FA without needing the second factor at all, a convenience for the user that compromises account security.

80,000 printers are exposing their IPP port online

For years, security researchers have warned that every device left exposed online without being protected by a firewall is an attack surface. Hackers can deploy exploits to forcibly take control over the device, or they can just connect to the exposed port if no authentication is required. However, despite this being common knowledge among cyber-security and IT experts, we still have a large number of devices that are left exposed online unsecured. In a report published earlier this month, security researchers from the Shadowserver Foundation, a non-profit organization focused on improving cyber-security practices across the world, have published a warning about companies that are leaving printers exposed online.

BitDefender fixes bug allowing attackers to run commands remotely

Security solutions are designed to keep an organization safe, but those models crumble when that same software becomes a threat vector for the attackers to exploit. Such is the case with a new Bitdefender remote code execution vulnerability, dubbed CVE-2020-8102, lurking in its Safepay browser component. "Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process. This issue affects Bitdefender Total Security 2020 versions prior to 24.0.20.116," an advisory disclosed.

Netgear 0-day Vulnerability Analysis and Exploit for 79 devices

A whopping 79 Netgear router models are vulnerable to a severe security flaw that can let hackers take over devices remotely. The vulnerability has been discovered by two security researchers independently, namely Adam Nichols from cyber-security GRIMM and a security researcher going by the nickname of d4rkn3ss, working for Vietnamese internet service provider VNPT. According to Nichols, the vulnerability impacts 758 different firmware versions that have been used on 79 Netgear routers across the years, with some firmware versions being first deployed on devices released as far back as 2007. In a technical breakdown of the vulnerability, Nichols says the bug resides in the web server component that's packed inside the vulnerable Netgear router firmware.

CVE-2020-1181: SharePoint Remote Code Execution Through Web Parts

Recently, Microsoft released a patch to correct CVE-2020-1181 -- a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-20-694. This blog takes a deeper look at the root cause of this vulnerability. Before this patch was made available, SharePoint Server allowed an authenticated user to execute arbitrary .NET code on the server in the context and with the permissions of the service account of the SharePoint Web Application. For an attack to succeed, the attacker must have Add and Customize Pages permissions on the SharePoint site. However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user becomes the owner of that site and has all the necessary permissions.

Bug in ‘USB for Remote Desktop’ lets hackers add fake devices

An unpatched vulnerability in software that redirects local USB devices to a remote system could help attackers elevate privileges on a target machine by adding fake devices. The flaw is identified as CVE-2020-9332 and resides in the bus driver for "USB for Remote Desktop" developed by FabulaTech. The company has an impressive customer list with high-profile organizations from a variety of sectors.

Plex fixes Media Server bugs allowing full system takeover

Plex has patched and mitigated three vulnerabilities affecting Plex Media Server for Windows that could enable attackers to take full control of the underlying system when chained together. Plex Media Server is a desktop app and the backend server for the Plex media streaming service, designed for streaming movies, TV shows, music, and photo collections over the Internet and on local area networks.

VLC Media Player 3.0.11 fixes severe remote code execution flaw

VideoLan has released VLC Media Player 3.0.11, and it is now available for Windows, Mac, and Linux. In addition to bug fixes and improvements, this release also fixes a security vulnerability that could allow attackers to remotely execute commands or crash VLC on a vulnerable computer. This vulnerability is tracked as CVE-2020-13428 and is a "buffer overflow in VLC's H26X packetizer" that would allow attackers to execute commands under the same security level as the user if properly exploited. According to VideoLan's security bulletin, this vulnerability can be exploited by creating a specially crafted file and tricking a user into opening it with VLC.

Adobe fixes critical flaws in Illustrator, After Effects, more

Adobe has released out-of-band security updates to address 18 critical flaws that could allow attackers to execute arbitrary code on systems running vulnerable versions of Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, and Audition on Windows and macOS devices. All 18 of the patched flaws are rated Critical and could lead to arbitrary code execution following successful exploitation; they were reported by researchers at Fortinet's FortiGuard Labs (Honggang Ren, Kushal Arvind Shah, and Yonghui Han) and by Mat Powell of Trend Micro's Zero Day Initiative.

The Curious Case of Copy and Paste

Michał Bentkowski has posted a summary of his research on issues in handling copying and pasting in: browsers, popular WYSIWYG editors, and websites.

D-Link leaves severe security bugs in home router unpatched

On February 28, 2020, Palo Alto Networks' Unit 42 researchers discovered six new vulnerabilities in D-Link wireless cloud routers running their latest firmware. The vulnerabilities were found in the DIR-865L model of D-Link routers, which is meant for home network use. The current trend towards working from home increases the likelihood of malicious attacks against home networks, which makes it even more imperative to keep our networking devices updated.

Hackers are quick to notice exposed Elasticsearch servers

Bad guys find unprotected Elasticsearch servers exposed on the web faster than search engines can index them. A study found that threat actors are mainly going for cryptocurrency mining and credential theft. For the duration of the experiment, a honeypot with a fake database recorded more than 150 unauthorized requests, the first one occurring less than 12 hours after the server was exposed.

U2F with Duo Web Phishable by default

U2F prevents a MITM attack between the victim and the Duo server, but not between the victim and the application. Because Duo is a 3rd-party service, we don't get the security properties that U2F provides between the victim and the server it is bound to. This boils down to bypassing the Duo integration: if you can bypass the Duo prompt, then the phishing attempt will be successful, even if U2F is used. To prevent phishing, it is paramount that you enable hostname whitelisting. Without hostname whitelisting, Duo is no stronger than an OTP generator during a phishing attack.
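A small model of the trust boundary described above, added here as an example and not taken from Duo or the original post: a WebAuthn-style verifier checks that the signed client data carries the origin that issued the challenge, which in the Duo integration is the Duo host rather than the application, so the origin check passes no matter which page embeds the prompt; only an allowlist check on the embedding application's hostname closes that gap. The hostnames, the HMAC stand-in for the token signature, and the clientData layout are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

DUO_ORIGIN = "https://api-duo.example"   # constructed: the 3rd-party Duo host that issues the challenge
APP_ALLOWLIST = {"app.example"}           # constructed: hostnames allowed to embed the Duo prompt
TOKEN_KEY = b"constructed-test-key"       # constructed: stand-in for the U2F token's private key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_assertion(client_data: dict) -> dict:
    """Stand-in for the token: a real U2F/WebAuthn token signs with ECDSA; an HMAC models that here."""
    raw = json.dumps(client_data, separators=(",", ":")).encode()
    sig = hmac.new(TOKEN_KEY, hashlib.sha256(raw).digest(), "sha256").hexdigest()
    return {"clientDataJSON": b64url(raw), "signature": sig}


def verify_assertion(assertion: dict, expected_challenge: str, expected_origin: str) -> bool:
    """Relying-party side: signature, challenge and origin must all match. This is the whole of U2F's
    phishing protection, and it is bound to expected_origin only."""
    raw = b64url_decode(assertion["clientDataJSON"])
    expected_sig = hmac.new(TOKEN_KEY, hashlib.sha256(raw).digest(), "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    cd = json.loads(raw)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == expected_challenge
            and cd.get("origin") == expected_origin)


def duo_second_factor(app_hostname: str, hostname_allowlist=None) -> bool:
    """Model of the embedded Duo prompt. hostname_allowlist=None models Duo with no hostname
    whitelisting configured; the U2F origin check below is bound to DUO_ORIGIN, not to app_hostname."""
    if hostname_allowlist is not None and app_hostname not in hostname_allowlist:
        return False  # the embedding application is not one the integration was configured for
    challenge = b64url(secrets.token_bytes(32))
    # The browser fills in the origin of the frame that called the authenticator API. That frame is
    # served by Duo, so the origin is Duo's whichever page (legitimate or look-alike) embeds it.
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": DUO_ORIGIN}
    return verify_assertion(sign_assertion(client_data), challenge, DUO_ORIGIN)


if __name__ == "__main__":
    print("real app, no allowlist:", duo_second_factor("app.example"))
    print("look-alike host, no allowlist:", duo_second_factor("app-login.lookalike.example"))
    print("look-alike host, allowlist:", duo_second_factor("app-login.lookalike.example", APP_ALLOWLIST))
```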

A Trio of Bugs Used to Exploit Inductive Automation at Pwn2Own Miami

In January 2020, the inaugural Pwn2Own Miami contest was held at the S4 Conference and targeted Industrial Control System (ICS) products. At the contest, the team of Pedro Ribeiro and Radek Domanski used an information leak and an unsafe deserialization bug to get code execution on the Inductive Automation Ignition system. Their final effort ended Day One of the contest and earned them $25,000. Now that patches are available from the vendor, they have graciously provided the following write-up and demonstration video.

Politics

Russia unbans Telegram

The Russian government has lifted its largely ineffective two-year-old ban on the Telegram instant messaging service. In a message posted on its website, Russia's media watchdog Roskomnadzor said it lifted the ban after Russian prosecutors reached an agreement with Pavel Durov, Telegram's founder. Russian officials said Durov "expressed readiness to counter terrorism and extremism" content shared on his platform. Details about the collaboration between Telegram and Russian officials have not been made public at the time of writing.

Zoom Acknowledges It Suspended Activists' Accounts At China's Request

Teleconferencing company Zoom acknowledged it shut down the accounts of several activists and online commemorations of the Tiananmen Square massacre at China's request. The revelation followed media reports, citing Hong Kong and U.S.-based activists, who found their accounts suspended. Zoom confirmed the reports, in a blog post Thursday, saying China had notified it in late May and early June of four public gatherings hosted on the platform.

US designates China's Huawei and ZTE as national security threats

The U.S. Federal Communications Commission formally designated the Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE) as national security threats to the integrity of U.S. communications networks or the communications supply chain. FCC's Public Safety and Homeland Security Bureau says that the two Chinese companies' parents, affiliates, and subsidiaries are also considered security threats. According to FCC's orders, Huawei and ZTE are considered highly susceptible to influence and coercion by the Chinese government, military, and intelligence community.

India bans 59 Chinese apps, including TikTok, UC Browser, Weibo, and WeChat

The Indian government has banned 59 Chinese mobile applications on the grounds of national security, according to a government mandate seen by ZDNet. The ban comes after the Indian military clashed with Chinese forces in the region of Ladakh, in northern India, on June 15, this year. The clashes resulted in at least 20 Indian soldier deaths, and more than 75 injured. The New Delhi government argues that the 59 apps have been used to collect data on Indian users, data that has been sent back to servers in China.

U.S. looking at banning Chinese social media apps, including TikTok

Secretary of State Mike Pompeo said on Monday that the United States is "certainly looking at" banning Chinese social media apps, including TikTok, suggesting it shared information with the Chinese government, a charge it denied.

TikTok to pull out of Hong Kong

TikTok said Monday night that it would pull its social video platform out of the Google and Apple app stores in Hong Kong amid a restrictive new law that went into effect last week.

TikTok ban being investigated in Australia

The Australian Government is facing calls to ban social media app TikTok over national security and spying concerns.

Facebook and WhatsApp pause Hong Kong user data requests

Facebook and WhatsApp have said they have "paused" the processing of government requests for user data in Hong Kong. The encrypted messenger Telegram has also halted cooperation with law enforcement. WhatsApp said it was pausing such reviews "pending further assessment of the impact of the national security law, including formal human rights due diligence and consultations with human rights experts".

DuckDuckGo coming back online in India following country-wide block

Following the Indian ban of almost 60 Chinese apps including TikTok and Weibo, many people living in the country now report not being able to access the privacy-centric search engine DuckDuckGo. The company confirms as much, saying that the problem isn't on its end. It's currently talking to local internet service providers to resolve the issue. It looks like these have blocked the service via their DNS servers, as the search engine is still accessible through most third-party DNS resolvers.

Repairing your smartphone or installing a ROM will now be a crime in Mexico

Installing a custom ROM, downloading and using software that does not come from the same provider, and even repairing a phone involve breaking a digital lock (also known as DRM), which is now expressly prohibited in the Federal Copyright Law. These digital locks are technological protection measures (TPMs) that hardware manufacturers and developers use to protect their copyrighted works. In this way, users cannot copy the information that the systems contain and cannot access the software code.

FBI chief says China threatens families to coerce overseas critics to return to China

FBI Director Christopher Wray on Tuesday urged China-born people in the United States to contact the FBI if Chinese officials try to force them to return to China under a program of coercion that he said is led by Chinese President Xi Jinping. Wray issued the unusual appeal in an address to the Hudson Institute think tank in which he reiterated U.S. charges that China is using espionage, cyber theft, blackmail and other means as part of a strategy to replace the United States as the world's dominant economic and technological power. He said Xi has "spearheaded" a program called Fox Hunt aimed at strong-arming people born in China living outside of the country who are regarded as threats to return home in order to silence criticism of Beijing's political and human rights policies.

COVID-19 ‘Breach Bubble’ Waiting to Pop?

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change --- and likely for the worse. The economic laws of supply and demand hold just as true in the business world as they do in the cybercrime space. Global lockdowns from COVID-19 have resulted in far fewer fraudsters willing or able to visit retail stores to use their counterfeit cards, and the decreased demand has severely depressed prices in the underground for purloined card data.

Internet cut in Ethiopia amid unrest following killing of singer

Network data from the NetBlocks internet observatory confirm that the internet has been cut across most of Ethiopia from just after 9 a.m. local time (6:00 a.m. UTC) on Tuesday 30 June 2020 amid protests and unrest. Real-time metrics show that the country remains offline as of Wednesday morning 8 July 09:00 a.m. local time, with the shutdown passing 192 hours in duration on its ninth day.

Political Data Leak in Malta

After a massive leak of the voter's list showing the voting preferences, addresses, phones and dates of birth of a majority of the Maltese population, EDRi member noyb.eu will assist the Daphne Foundation and Repubblika in their class action and file complaints about the data breach in various EU Member States. At the end of March 2020, independent Maltese media reported that a database containing 337,384 records of Maltese voters' personal information had been freely accessible online for at least a year. The data did not only include the fields available in the published electoral register but also included mobile and fixed telephone numbers, dates of birth, polling booth and polling box numbers, and a numerical identifier indicating an individual's political affiliation.

Chinese malware used in attacks against Australian orgs

The Australian government released an advisory late last week about increased cyber activity from a state actor against networks belonging to its agencies and companies in the country. Behind the attack is a "sophisticated" adversary that relies on slightly modified proof-of-concept exploit code for yesteryear vulnerabilities, the government says. An unofficial blame finger points to China.

Iran’s domestic espionage: Lessons from recent data leaks

Intel471 has written an article documenting Iran's internal espionage and the malware being used by the government to steal information from citizens.

Twitter bans 32k accounts pushing Chinese, Russian, and Turkish propaganda

Social networking giant Twitter disclosed three new state-linked information operations that have been taking place on its platform this year. As a result of its investigation, Twitter said it banned and removed 32,242 accounts that were part of networks operated out of China, Russia, and Turkey, all three pushing local political agendas and narratives, and associated with state-sponsored entities.

Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group’s Tools

In October 2019 Amnesty International published a first report on the use of spyware produced by Israeli company NSO Group against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui. Through continued investigation, Amnesty International's Security Lab identified similar evidence of the targeting of Omar Radi, a prominent activist and journalist from Morocco, from January 2019 until the end of January 2020. Evidence gathered through the technical analysis of Omar Radi's iPhone revealed traces of the same "network injection" attacks described in the earlier report that were used against Maati Monjib. This provides strong evidence linking these attacks to NSO Group's tools. These findings are especially significant because Omar Radi was targeted just three days after NSO Group released its human rights policy. These attacks continued after the company became aware of Amnesty International's first report that provided evidence of the targeted attacks in Morocco. This investigation thus demonstrates NSO Group's continued failure to conduct adequate human rights due diligence and the inefficacy of its own human rights policy.

China's Great Firewall descends on Hong Kong internet users

At midnight on Tuesday, the Great Firewall of China, the vast apparatus that limits the country's internet, appeared to descend on Hong Kong. Unveiling expanded police powers as part of a contentious new national security law, the Hong Kong government enabled police to censor online speech and force internet service providers to hand over user information and shut down platforms. Many residents, already anxious since the law took effect last week, rushed to erase their digital footprint of any signs of dissent or support for the last year of protests. Charles Mok, a pro-democracy lawmaker who represents the technology sector, tweeted: "We are already behind the de facto firewall."

Super Secretive Russian Disinfo Operation Discovered Dating Back To 2014

Social media research group Graphika published a 120-page report unmasking a new Russian information operation of which very little has been known so far. ZDNet reports: Codenamed Secondary Infektion, the group is different from the Internet Research Agency (IRA), the Sankt Petersburg company (troll farm) that has interfered in the US 2016 presidential election. Graphika says this new and separate group has been operating since 2014 and has been relying on fake news articles, fake leaks, and forged documents to generate political scandals in countries across Europe and North America. The research team says it first learned of the group from reports published by Reddit and Facebook last year, along with previous research done by the Atlantic Council's Digital Forensic Research Lab.

Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies

Report on espionage attacks using LinkedIn as a vector for malware, with details and screenshots. They talk about "several hints suggesting a possible link" to the Lazarus group (aka North Korea), but that's by no means definite.

German ISPs will redirect traffic to intelligence services for trojan install

A new law being proposed in Germany would see all 19 federal state intelligence agencies in Germany granted the power to spy on German citizens through the use of trojans. The new law would force internet service providers (ISPs) to install government hardware at their data centers which would reroute data to law enforcement, and then on to its intended destination, so the target is blissfully unaware that their communications and even software updates are being proxied. Specifically, Netzpolitik pointed out that the law calls for the following: "the redirected data should remain intended for forwarding to the addressee after the measure has been carried out." In effect, Germany wants to be the man in the middle. The state-sponsored trojans would likely be utilizing software called FinFly ISP from a company called FinFisher, which has already been used by German law enforcement in the past. FinFisher claims to be able to inject trojans on target devices from the ISP level with ease: "FinFly ISP is able to patch files that are downloaded from the destination on-the-fly or to send fake software updates for popular software."

Russia says Germany has not provided any evidence of Bundestag hack

Russian officials said that German authorities have failed to produce the evidence that Russian military hackers breached the German Parliament in 2015. The statement is in relation to an arrest warrant that Germany filed at the end of May, when they charged a Russian hacker named Dmitriy Sergeyevich Badin. German prosecutors said Badin was a member of a hacking group named APT28 (Fancy Bear, Sofacy, Strontium, Grizzly Steppe), which breached the German Parliament (Bundestag) in the first half of 2015, where he installed malware and stole government documents.

Huawei believes it can supply 5G kit to UK despite US sanctions

Huawei believes it can supply 5G hardware unaffected by White House sanctions to the UK for the next five years, sidestepping the expected conclusion of an emergency review on Tuesday next week. The company has stockpiled 500,000 pieces of kit but fears a wider ban on its equipment will be unveiled to placate Conservative rebel MPs, who say the Chinese supplier represents a national security risk.

Social media restricted in Mali amid protests against president

Network data from the NetBlocks internet observatory confirm that social media and messaging apps were partially blocked in Mali on Friday 10 July 2020 amid ongoing protests. Demonstrators seeking political reforms occupied the national broadcaster in Bamako, sending transmissions off air, with some calling for the resignation of President Ibrahim Boubacar Keïta. Internet restrictions affecting many but not all users remained in place until midnight.

Internet in Iran disrupted due to knock-on effect of power cut in Armenia

Network data from the NetBlocks internet observatory have identified a series of network outages in Iran from just after 8:00 p.m. local time (3:30 p.m. UTC) Wednesday 8 July 2020. The incident was ongoing as of 01:00 a.m. causing connectivity and platform reachability failures which some users experienced as port blocking or filtering.

Citizen Lab and Amnesty International Uncover Spyware Operation Against Indian Human Rights Defenders

Amnesty International and Citizen Lab have jointly published a report that nine Indian lawyers, activists, and journalists were targeted in 2019 in a coordinated malware campaign. The targets had been highly critical of police abuses. The targeting in this campaign occurred between January and October 2019. Targets were sent emails disguised as important communications, such as official summonses, bearing links to malicious software disguised as important documents. If opened, targets' computers would have been infected with NetWire, a piece of commodity malware.

Congress wants to know what commercial spyware other countries are using

Congress wants to know which foreign governments are using commercially-available surveillance tools - commonly referred to as spyware. The US government's new position was included in a draft of the Intelligence Authorization Act for Fiscal Year 2021, the bill that lays out funding for the US government's intelligence operations for next year. According to the bill's draft text (see Section 503), US officials want the Director of National Intelligence (DNI) to submit a report to Congress on the status of commercially-available software, the companies that make these hacking tools, and which foreign governments or foreign entities are using them. The bill's text shows that US lawmakers are becoming more worried about the commoditization of powerful hacking tools.

Privacy

Zoom will provide end-to-end encryption to all users after privacy backlash

The video conferencing platform Zoom announced on Wednesday it has reversed course and decided to provide end-to-end encryption to all customers, not just those who pay for a subscription. The popular app faced criticism from civil rights groups for its plans to exclude free calls from encryption services, which secure communication so they can only be read by the users involved. The company's CEO, Eric Yuan, had explained that Zoom planned to exclude free calls from end-to-end encryption to make sure it is still possible to "work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose". Zoom has also released a whitepaper documenting its E2E encryption.

TikTok App to Stop Accessing User Clipboards After Being Caught in the Act

A new feature in iOS 14 alerts users when apps read the clipboard, and it turns out some apps have been reading clipboard data excessively. TikTok users who upgraded to iOS 14 quickly noticed constant alerts warning them that TikTok was accessing the clipboard every few seconds. After being caught, TikTok now says that it's removing the feature. In a statement to The Telegraph, TikTok said that it accessed the clipboard to identify spammy behavior.

GDPR: Teams and Zoom cannot be used in compliance with the law

The leading video conferencing systems Zoom, Teams and Skype from Microsoft, as well as Google Meet, GoToMeeting, Blizz and Cisco Webex, failed a short test by the Berlin data protection officer. In a report, these systems were given a red light. "For providers marked red, there are deficiencies that rule out legally compliant use of the service, and remedying them would presumably require substantial adjustments to the business processes and/or the technology," says a statement released on Friday, July 3.

Only 9% of visitors give GDPR consent to be tracked

Privacy regulations such as the GDPR say that you need to seek permission from your website visitors before tracking them. Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law. In an experiment, Marko Saric has found that only 9% of visitors consent to GDPR banners allowing websites to track them.

DuckDuckGo browser seemingly sends domains a user visits to DDG servers

DuckDuckGo is a privacy-focused organization offering a popular search engine that doesn't store results or personal information, in direct opposition to Google. However, when founder and CEO Gabriel Weinberg woke up on Thursday morning, he was met with a new narrative for the company -- one that rode on a wave of concern and criticism relating to a 'design flaw' that could expose the information of users. The issue at hand is how DuckDuckGo fetches favicons, bookmark images associated with a website domain.

Reddit and LinkedIn apps also caught copying and pasting clipboard contents

LinkedIn and Reddit both check your clipboard and copy and paste your clipboard contents with every keystroke -- even when you're in another app. Another set of potential privacy violators have been called out by iOS 14's new paste notifications. The discovery was publicized on Twitter by Don Cubed of urspace.io, who noted that his discovery was very similar to the experience of Jeremy Burge, who called out TikTok for the same behavior earlier this week.

Amazon’s Ring Enables the Over-Policing Efforts of Some of America’s Deadliest Law Enforcement Agencies

Ring, Amazon's "smart" doorbell camera company, recently began sharing statistics on how many video requests police departments submit to users, and the numbers are staggering. In the first quarter of 2020 alone, police requested videos over 5000 times, using their partnerships with the company to email users directly and ask them to share private videos from their Ring devices.

Facebook says 5,000 app developers got user data after cutoff date

Social media giant Facebook disclosed on Wednesday a new user privacy incident. The company said that it continued sharing user data with approximately 5,000 developers even after their application's access expired. The incident is related to a security control that Facebook added to its systems following the Cambridge Analytica scandal of early 2018. Responding to criticism that it allowed app developers too much access to user information, Facebook added at the time a new mechanism to its API that prevented apps from accessing a user's data if the user did not use the app for more than 90 days.

Boston bans use of facial recognition technology

Boston has banned the use of facial surveillance technology in the city, becoming the second-largest community in the world to do so. The city council unanimously voted on Wednesday to ban the use of the technology and prohibit any city official from obtaining facial surveillance by asking for it through third parties. The measure will now go to Mayor Marty Walsh with a veto-proof majority. Walsh's office said he would review the ban. That move comes even as city officials say the technology isn't yet used by the Boston Police Department --- though the department could access those powers with a software upgrade. Law enforcement's use of facial recognition technology has come under scrutiny in recent months. Now, a man who says he was falsely arrested after a computer algorithm misidentified his face is speaking out. As NPR's Bobby Allyn reports, critics of the technology say the case shows how unreliable the tool is.

The Senate’s New Anti-Encryption Bill Is Even Worse Than EARN IT, and That’s Saying Something

The new Lawful Access to Encrypted Data Act---introduced this week by Senators Graham, Blackburn, and Cotton---ignores expert consensus and public opinion, which is unfortunately par for the course. But the bill is actually even more out of touch with reality than many other recent anti-encryption bills. Since January, we've been fighting the EARN IT Act, a dangerous anti-speech and anti-security bill that would hand a government commission, led by the Attorney General, the power to determine "best practices" online. It's easy to see how that bill would enable an attack on service providers who provide encrypted communications, because the commission would be headed by Attorney General William Barr, who's made his opposition to encrypted communications crystal clear. The best that EARN IT's sponsors can muster in defense is that the bill itself doesn't use the word "encryption"---asking us to trust that the commission won't touch encryption.

Invasive, secretive “bossware” tracking workers

COVID-19 has pushed millions of people to work from home, and a flock of companies offering software for tracking workers has swooped in to pitch their products to employers across the country. The services often sound relatively innocuous. Some vendors bill their tools as "automatic time tracking" or "workplace analytics" software. Others market to companies concerned about data breaches or intellectual property theft. We'll call these tools, collectively, "bossware." While aimed at helping employers, bossware puts workers' privacy and security at risk by logging every click and keystroke, covertly gathering information for lawsuits, and using other spying features that go far beyond what is necessary and proportionate to manage a workforce. This is not OK. When a home becomes an office, it remains a home. Workers should not be subject to nonconsensual surveillance or feel pressured to be scrutinized in their own homes to keep their jobs.

Michigan tackles compulsory microchip implants for employees with new bill

The state of Michigan has introduced a bill designed to prevent employers from forcing their staff to accept microchip implants. It might seem that the prospect of a company demanding that workers accept a tracking chip under the skin is something more suited to an episode of Black Mirror than our current reality, but the concern that this will become a common scenario in future workplaces is prevalent enough that the Michigan House is aiming to proactively stop such practices from gaining a foothold.

Apple declined to implement 16 Web APIs in Safari due to privacy concerns

Apple said this week that it declined to implement 16 new web technologies (Web APIs) in Safari because they posed a threat to user privacy by opening new avenues for user fingerprinting. Apple claims that these 16 Web APIs would allow online advertisers and data analytics firms to create scripts that fingerprint users and their devices.

Google Loses $56 Million Fight in French Test of EU Privacy Law

Alphabet Inc.'s Google lost its fight over a 50 million-euro ($56 million) privacy fine in France --- the biggest penalty levied so far under the European Union's beefed-up data-protection rules. France's top administrative court ruled on Friday that Google didn't deliver sufficiently clear and transparent information to Android users and didn't give them a chance to deliberately consent to their private data being processed to personalize adverts.

Oracle's BlueKai Tracks You Across the Web. That Data Spilled Online

Tech giant Oracle is one of a few companies in Silicon Valley that has near-perfected the art of tracking people across the internet. The company has spent a decade and billions of dollars buying startups to build its very own panopticon of users' web browsing data. One of those startups, BlueKai, which Oracle bought for a little over $400 million in 2014, is barely known outside marketing circles, but it amassed one of the largest banks of web tracking data outside of the federal government. BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible - your income, education, political views, and interests to name a few - in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money. But for a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find.

Police Are Buying Access To Hacked Website Data

Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more. Motherboard obtained webinar slides by a company called SpyCloud presented to prospective customers. In that webinar, the company claimed to "empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice." The slides were shared by a source who was concerned about law enforcement agencies buying access to hacked data. SpyCloud confirmed the slides were authentic to Motherboard. "We're turning the criminals' data against them, or at least we're empowering law enforcement to do that," Dave Endler, co-founder and chief product officer of SpyCloud, told Motherboard in a phone call.

Germany’s Corona-Warn-App: Frequently Asked Questions

EFF has published an FAQ with the frequent questions regarding the new Corona-Warn-App from Germany.

The Dark Side of SwissCovid

Serge Vaudenay has analyzed the Swiss version of contact tracing app named SwissCovid and has published his concerns in a detailed article.

PimEyes: A Polish company is abolishing our anonymity

An investigation by netzpolitik.org shows the potential for abuse of PimEyes, a free search engine for 900 million faces. Whoever's photos have been published on the Internet could already be part of their database. PimEyes is a broad attack on anonymity and it is possibly illegal. A snapshot may be enough to identify a stranger using PimEyes. The search engine does not directly provide the name of a person you are looking for. It does however find matching faces, and in many cases the shown websites can be used to find out names, professions and much more. Whoever shows their face in public can be recognised; whether at a demonstration, in front of the polling station or on the night bus, as if we had our name tattooed on our forehead. In June the BBC and other media reported that PimEyes could be abused by stalkers. But the search engine can also expose sex workers, make so-called revenge porn more easily accessible or be used by the police to subsequently identify participants in a protest.

Google bans stalkerware ads

Google announced plans this week to ban ads that promote stalkerware, spyware, and other forms of surveillance technology that can be used to track other persons without their specific consent. The change was announced this week as part of an upcoming update to Google Ads policies, set to enter into effect next month, on August 11, 2020.

Amazon tells employees to remove TikTok from their phones due to security risk, then walks it back

Online retail giant Amazon has told employees this week to uninstall the TikTok mobile app from the smartphones they use to access Amazon's internal email servers. According to an email sent to employees, and seen by ZDNet, workers have until July 10 to remove the TikTok app from their devices. The email cited a "security risk" to using the TikTok app, but didn't go into details. But hours later an Amazon spokesperson said the request had been sent out in error and that there was no change to the company's policies at the moment.

Police surveilled protests with help from Twitter-affiliated startup Dataminr

Leveraging close ties to Twitter, controversial artificial intelligence startup Dataminr helped law enforcement digitally monitor the protests that swept the country following the killing of George Floyd, tipping off police to social media posts with the latest whereabouts and actions of demonstrators, according to documents reviewed by The Intercept and a source with direct knowledge of the matter.

A Quick and Dirty Guide to Cell Phone Surveillance at Protests

EFF has written a guide for protesters to protect themselves against police surveillance.

Six eBay executives and employees charged over alleged cyberstalking campaign

Six former eBay executives and employees are facing federal charges after they allegedly led a cyberstalking campaign against a Natick couple they believed was critical of the company in an online ecommerce newsletter. U.S. Attorney Andrew Lelling said the eBay employees' harassment included sending the couple "disturbing deliveries" that included a bloody pig mask, a box of live cockroaches, and a funeral wreath. The employees also allegedly sent anonymous threatening messages and traveled to Massachusetts to conduct "covert surveillance" of the victims. "It was a determined, systematic effort of senior employees of a major company to destroy the lives of a couple in Natick, all because they published content company executives didn't like," said Lelling.

Hackers use an ordinary light bulb to spy on conversations 80 feet away

Security researchers based at the Ben-Gurion University of the Negev and the Weizmann Institute of Science in Israel have been looking at methods of eavesdropping on private conversations without needing to compromise a device with malware first. This type of hacking research isn't unique: only last year, it was revealed that Alexa, Google Home, and Siri could potentially be compromised using lasers pointed at the device microphones. But this latest research goes beyond merely turning a device on or off, as was the case with the laser pointer exploit. Indeed, these bright hackers don't even need the victim of the eavesdropping to be using a "smart" device in the first place. As long as there's a "dumb" but essential light bulb in the same room, it's all systems go.

EU privacy watchdog thinks that Clearview AI is illegal

The European Data Protection Board (EDPB) said that the use of the service by law enforcement would "likely not be consistent with the EU data protection regime." The body added that it "has doubts as to whether any Union or Member State law provides a legal basis for using a service such as the one offered by Clearview AI." The statement comes amid growing concerns around potential misuses of Clearview, which matches faces to billions of photos scraped from websites.

The battle to outlaw end-to-end encryption in the U.S. is heating up

Following the introduction of the EARN IT bill in the U.S. Senate in March (bipartisan legislation that sought to impose government-mandated "best practices" on social media and instant messaging apps), U.S. Republicans have doubled down on their desire to hold tech companies accountable for the behavior of their users. On Tuesday, Senators Lindsey Graham, Tom Cotton, and Marsha Blackburn introduced the "Lawful Access to Encrypted Data Act" which, if passed into law, would force device manufacturers and service providers (such as Apple, Google, Facebook, Twitter, and more) to "assist law enforcement with accessing encrypted data."

Breaches

Delivery Hero Confirms Data Breach After Customer Data is Posted On a Dark Web Forum

Delivery Hero, a popular food delivery service, has confirmed a data breach at the Foodora brand it bought in September 2015. The breach exposed more than 727,000 customer details from 14 countries including Singapore, Germany, Spain, France, Finland, Italy, Austria, Hong Kong, the Netherlands, Canada, Sweden, Norway, Australia and the United Arab Emirates. "Unfortunately, we can confirm that a data breach has been identified concerning personal data dating back to 2016," Delivery Hero said in a statement. "The data originates from some countries across our current and previous markets."

Business giant Xerox allegedly suffers Maze Ransomware attack

Maze ransomware operators have updated their list of victims adding Xerox Corporation to the roster. It appears that the encryption routine had completed on June 25. The company has yet to confirm or deny a cyberattack on its network but screenshots from the attacker show that computers on at least one Xerox domain have been encrypted.

Brazil's Hapvida Discloses Cyber Breach, Potential Client Data Leak

Brazilian health insurer Hapvida said in a securities filing on Monday that it has suffered a cyber attack potentially involving access to the personal information of its customers. Hapvida said, after a preliminary assessment of the security breach, that the attackers did not access customers' medical records or financial information. It said the attack was blocked by Hapvida's own information security officers and third-party companies specializing in dealing with this type of issue. A thorough analysis of the extent of the breach is still under way.

Ransomware attack on insurance MSP Xchanging affects clients

Global IT services and solutions provider DXC Technology announced over the weekend a ransomware attack on systems from its Xchanging subsidiary. Xchanging is known as a managed service provider for businesses in the insurance industry but its list of customers includes companies from other fields: financial services, aerospace and defense, automotive, education, consumer packaged goods, healthcare, manufacturing.

Hackers Compromise Russian Foreign Ministry Twitter Account, Ask $600,000 For ‘Stolen’ Database

Cybercriminals compromised an official Russian Foreign Ministry Twitter account on July 2 and used it to advertise a database they claim to have stolen, offered for sale at 66 BTC.

Home Loan Provider Exposed 695k Records Online

Secure Thoughts collaborated with security expert Jeremiah Fowler to expose the recent leak found in Texas-based Southwest Funding's database containing 695k records and evidence of ransomware. Here are his findings: On May 20th I discovered a publicly accessible database that contained a large number of records of what appeared to be home mortgage loan data. Upon further research I was able to see information that was consistent with home loan data and internal content management systems. The database required no username or password and anyone with an internet connection could have potentially had access to the 695,636 exposed records.

One of Florida’s largest orthopedic providers faces class-action lawsuit after data breach

One of Florida's largest orthopedic providers is facing a class-action lawsuit after hackers stole personal information from potentially thousands of patients. Attorney John Yanchunis of Morgan & Morgan filed the lawsuit against the Florida Orthopedic Institute, seeking at least $99 million on behalf of patients and former patients citing a "failure to properly secure and safeguard protected health information," according to the complaint filed June 30.

Serious data privacy breach at DU admit card 2020 download portal, students' personal details available

A serious data privacy breach on the DU admit card 2020 download portal was noted by two Twitter users. Personal details of all Delhi University students are now easily available to the public. Early on Thursday, two Twitter users pointed out the serious data privacy breach problems arising in the DU admit card 2020 download portal, which is part of the official Delhi University website. Anyone with the 'gateway password' can download the admit cards of all students in any Delhi University college.

Thousands of MyGov accounts for sale on dark web

Logins for more than 3600 MyGov accounts are for sale on the dark web, potentially exposing thousands of Australians to fraud and identity theft. The MyGov accounts are among a list of more than 150,000 hacked ".com.au" logins available for sale on dark web marketplaces, where logins are sold for as little as a few cents and as much as several hundred dollars.

NY Employment Nonprofit Client Data Potentially Exposed

A data breach at CNY Works may have exposed the names and Social Security numbers of 56,000 people who have used the nonprofit agency's services to find jobs. Clients potentially impacted by the breach began receiving letters from the agency this week warning that files targeted by a suspected ransomware attack on the agency's servers contained their names and Social Security numbers.

Roblox accounts hacked with pro-Trump messages

Hackers have breached more than 1,800 Roblox accounts and defaced user profiles with messages in support of Donald Trump's reelection campaign. Users with accounts on the Roblox multiplayer game said that profile pages on the Roblox.com website for followers and people they followed were suddenly defaced over the weekend with a message that read "Ask your parents to vote for Trump this year! #MAGA2020."

Surge of MongoDB ransom attacks use GDPR as extortion leverage

A flood of attacks is targeting unsecured MongoDB servers and wiping their databases. Left behind are notes demanding a ransom payment, failing which the data will be leaked and the owners reported for GDPR violations. Once the attackers gain access to a server, they wipe the databases and create a new database called "READ~METORECOVERYOURDATA~."

Dozens of US news sites hacked in WastedLocker ransomware attacks

The Evil Corp gang hacked into dozens of US newspaper websites owned by the same company to infect the employees of over 30 major US private firms using fake software update alerts displayed by the malicious SocGholish JavaScript-based framework. The employees' computers were used as a stepping stone into their companies' enterprise networks as part of what looks like a series of targeted drive-by attacks. Symantec confirmed that "dozens of U.S. newspaper websites owned by the same parent company have been compromised by SocGholish injected code." Symantec previously said in a report published on June 26 that it blocked the Evil Corp gang from deploying WastedLocker ransomware payloads in attacks against 31 large private companies, 30 of them US corporations, among them "11 listed companies, eight of which are Fortune 500 companies."

V Shred data leak exposes PII, sensitive photos of fitness customers and trainers

Las Vegas-based V Shred is a company that offers fitness plans for women and men, with a focus on fast workouts, nutrition plans, and supplements. On Thursday, vpnMentor's research team made public a data leak in which an unsecured AWS S3 bucket exposed the PII of at least 99,000 individuals. The bucket, discovered on May 14, originally contained 1.3 million files, totaling 606GB of data. Among the files were three .CSV files of particular note: one that appeared to be a lead generation list, another a client email list, and a trainer list. Combined, the files contained names, home addresses, email addresses, dates of birth, some Social Security numbers, social media account details, usernames and passwords, age ranges, genders, and citizenship status, among other data points.

Corona contact list can be accessed unprotected on the Internet

A data leak in the digital Corona contact list from Lunchgate enabled the retrieval of the personal data of all guests. As in Germany, restaurants in Switzerland have to record their guests' contact details because of Corona. This can be done not only with pen and paper but also digitally, for example with the table reservation service Foratable from the Zurich startup Lunchgate, which simply added a Covid-19 tracing function. But it was not only the restaurant owner who could see the contact details there: basically anyone who could type a URL into a browser could. Sven Fassbender, Joël Gunzenreiner and Thorsten Schröder from the security company Modzero discovered the non-existent security measures.

Hackers obtain Covid-19 patient database in protest at treatment of Indian health workers

Hackers claim they have accessed the personal data of 80,000 Covid-19 patients in New Delhi stored on a local government website, in protest at the treatment of beleaguered healthcare workers. The Kerala Cyber Hackers group says it broke into the Delhi Government's Delhi State Health Mission website in less than 10 minutes on Saturday night. While they posted screenshots of what appears to be a patient record sheet containing names, ages, addresses and Covid-19 test results, the group says it will not release the private information.

US schools leaked 24.5 million records in 1,327 data breaches since 2005

Since 2005, K-12 school districts and colleges/universities across the US have experienced over 1,300 data breaches, affecting more than 24.5 million records. Comparitech researchers analyzed data over the past 15 years to find out where the hot spots are, the biggest causes of these breaches, and how many students have been affected by each breach.

Unsecured Chinese companies leak users’ sensitive personal and business data

The CyberNews team uncovered two unsecured databases, with millions of records, belonging to companies that are based in China and provide different types of services. One database belongs to Xiaoxintong, which offers multiple apps and services aimed at elderly care. The other database appears to be connected to Shanghai Yanhua Smartech, which provides services related to intelligent buildings. The database for Xiaoxintong, which serves more than 200 million elderly people in China, contains sensitive information such as GPS locations, mobile numbers, addresses, hashed passwords and more. The second database, which may be from Shanghai Yanhua Smartech, has even more sensitive data, such as easily decoded audio files, names, employee ID numbers, heart rates, oxygen levels, GPS locations and more.

Seller floods hacker forum with data stolen from 14 companies

A data breach broker is selling databases containing user records for 14 different companies he claimed were breached by hackers in 2020. When a company is breached, threat actors will typically download accessible databases, including account records. These databases are then sold directly to other threat actors, or the hackers utilize data breach brokers to sell them on their behalf. Over the past month, a known and reputable data breach broker has been selling numerous databases on hacker forums that they state were acquired in data breaches conducted in 2020. Each of the fourteen databases being sold contains different information, but they all include usernames and hashed passwords.

Philippines: unauthorized disclosure of COVID-19 patients’ identities continues

As the number of coronavirus cases in the Philippines steadily increased from mid-March to late May, the National Privacy Commission (NPC) had been investigating 22 complaints of privacy breaches involving more than 150 COVID-19 patients, as well as suspected and probable cases. In at least 7 of these cases, the breach was committed by people who had access to the patients' information; in all others, the culprits were third parties, which included ordinary citizens. Among those being investigated by the NPC was the leaked manifest of the medical evacuation plane that crashed at the Ninoy Aquino International Airport (NAIA) in late March, revealing the names of the passengers and crew. The screenshot of the flight manifest made the rounds on social media.

Domestic Abuse Prevention App Exposed Voice Recordings

The app was created by a U.S. non-profit, When Georgia Smiled. It was designed to look like a news app but actually featured an emergency help function that would allow domestic abuse victims to send emergency distress messages to a trusted person. Those messages could be pre-programmed by the user so that they could be activated quickly and sent via voice recording. According to researchers from vpnMentor, the developers had stored over 4,000 voice recordings on a misconfigured Amazon Web Services (AWS) S3 bucket that permitted files to be viewed and downloaded without any login required. They report that the bucket contained about 230 MB of recordings for an untold number of people, although they estimate that it may represent potentially 4,000 or more individuals. They state that the recordings might include details such as the user's name, address, current location, and nature of the emergency. The messages might also include the name of the abuser.

Impact Guru, India’s Leading Crowdfunding Platform Breached

Recently, Cyble Research Unit (CRU) identified a credible threat actor who claimed to be in possession of confidential data of Impact Guru, a donation-based crowdfunding platform that offers global crowdfunding solutions for NGOs, social enterprises, startups and individuals. Launched by Maneka Gandhi, Union Cabinet Minister for Women & Child Development, Government of India, in September 2015, Impact Guru has mobilized ₹150 crores (US$21 million) for various NGOs and social enterprises in more than 15 countries and is currently recognized as India's leading crowdfunding online site.

Lawsuit against Pearson over data breach scuttled by injury claims

A Minnesota federal judge has granted a bid by subsidiaries of education company Pearson to dismiss a lawsuit brought over a data breach that resulted in the unauthorized access of personal information from 13,000 school and university accounts. Chief U.S. District Judge John Tunheim in Minneapolis on Monday found that a legal guardian, who claimed a minor's personal information was stolen by the cyber attack, lacked standing to bring the proposed class action against NCS Pearson Inc. and Pearson Education Inc.

Google Alerts catches fake data breach notes pushing malware

Fraudsters recently have started to push fake data breach notifications for big company names to distribute malware and scams. They're mixing black SEO, Google Sites, and spam pages to direct users to dangerous locations. Google Alerts helps to spread these fake notifications as the service monitors search results for user-defined keywords. Scammers created pages or used compromised websites to combine "data breach" with well-known brands.

Hackers breach E27, want "donation" to reveal vulnerabilities

Asian media firm E27 has been hacked, and attackers ask for a small "donation" to provide information on the vulnerabilities used in the attack. E27 is a media company that offers Asian technology startup news and a community where members can communicate and learn from each other.

Largest US Bubble Tea Supplier Exposed Data Online

The database contained a massive 112 million records that were publicly exposed. Many items appeared to be client-sensitive, including names, shipping information, email addresses and references to payment data. There were also internal records that exposed the business and put it at risk of a ransomware attack: internal logs, emails, and Magento eCommerce production logs, including what appeared to be payment records.

Twitter discloses billing info leak after 'data security incident'

Twitter has disclosed a 'Data Security Incident' that caused the billing information of Twitter advertisers to be stored in the browser's cache. This bug would have allowed other users of the same computer to see this data. In February, Twitter disclosed that one of its APIs could have been abused by 'nation state' actors to match usernames of Twitter accounts against phone numbers. Now this security incident has put the spotlight on the company again. Twitter has begun emailing business customers who use Twitter Ads and Analytics Manager about a 'Data Security Incident' that incorrectly stored a Twitter advertiser's billing information in the browser cache.

LG Electronics allegedly hit by Maze ransomware attack

Maze ransomware operators have claimed on their website that they breached and locked the network of the South Korean multinational LG Electronics. The details of the attack have not been released, but the hackers stated that they have stolen from the company proprietary information for projects that involve big U.S. companies.

Quidd - 3,805,863 breached accounts

In 2019, online marketplace for trading stickers, cards, toys, and other collectibles Quidd suffered a data breach. The breach exposed almost 4 million users' email addresses, usernames and passwords stored as bcrypt hashes. The data was subsequently sold then redistributed extensively via hacking forums.

Dating Apps Exposed 845 GB of Explicit Photos, Chats, and More

Security researchers Noam Rotem and Ran Locar were scanning the open internet on May 24 when they stumbled upon a collection of publicly accessible Amazon Web Services "buckets." Each contained a trove of data from a different specialized dating app, including 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, and GHunt. In all, the researchers found 845 gigabytes and close to 2.5 million records, likely representing data from hundreds of thousands of users. They are publishing their findings with vpnMentor.

Bank Card "Master Key" Stolen

South Africa's Postbank experienced a catastrophic security failure. The bank's master PIN key was stolen, forcing it to cancel and replace 12 million bank cards. The breach resulted from the printing of the bank's encrypted master key in plain, unencrypted digital language at the Postbank's old data centre in the Pretoria city centre. According to a number of internal Postbank reports, which the Sunday Times obtained, the master key was then stolen by employees. One of the reports said that the cards would cost about R1bn to replace. The master key, a 36-digit code, allows anyone who has it to gain unfettered access to the bank's systems, and allows them to read and rewrite account balances, and change information and data on any of the bank's 12-million cards. The bank lost $3.2 million in fraudulent transactions before the theft was discovered. Replacing all the cards will cost an estimated $58 million.

eToro accounts peddled by the thousands on cybercrime forums

A threat actor is peddling 62,000 active eToro accounts on a known cybercrime forum. They are also likely collaborating with REvil ransomware on the corporate intrusion front. The individual is considered a "rising star" in the Russian-speaking underground, their specialty being attacks against banks, financial institutions, and government agencies. The offer included login credentials, phone numbers, postal addresses, and balances for a starting price of $1,500. Each new bid would increase the price by $500, with the highest bidder winning the auction. The report from AdvIntel provides a more detailed view of REvil's collaborators, all of them high-profile hackers that have been either endorsing the gang on underground communities or providing access to targets.

Popular MMO game Stalker Online hacked, 1.2 million user records put for sale on hacker forums

A database containing over 1.2 million user records from the popular MMO Stalker Online is being sold on hacker forums. Another database, which allegedly contains more than 136,000 user records from the Stalker Online forums, is being sold separately. Stalker Online is a free-to-play, post-apocalyptic MMORPG developed by Australian studio BigWorld Technology, a subsidiary of Wargaming.net. The game is especially popular among hardcore gamers in Russia and Eastern Europe, and is available in both English and Russian. According to a PR representative from Stalker Online, the sale of these user records is a result of an attack on Stalker Online's MSK server in early May. This attack resulted in the hacker-for-hire known as Instakilla stealing the data and altering Stalker Online's homepage.

IT giant Cognizant confirms data breach after ransomware attack

In a series of data breach notifications, IT services giant Cognizant has stated that unencrypted data was most likely accessed and stolen during an April Maze Ransomware attack. Cognizant is one of the largest IT managed services companies in the world, with close to 300,000 employees and over $15 billion in revenue.

Chipmaker MaxLinear reports data breach after Maze Ransomware attack

U.S. system-on-chip (SoC) maker MaxLinear disclosed that some of its computing systems were encrypted by Maze Ransomware operators last month, after an initial breach that took place around April 15. In a data breach notification sent to affected individuals on June 10, MaxLinear states that the attack was discovered on May 24. According to documents filed with the U.S. Securities and Exchange Commission (SEC) on June 16, as discovered by Reuters, the attack did not affect shipment, order fulfillment, and production capabilities, and MaxLinear doesn't plan to pay the ransom Maze Ransomware requested to stop leaking the stolen data.

Avon recovering after mysterious cyber-security incident

Cosmetics giant Avon is recovering from a mysterious cyber-security incident that took place on June 8, sources have told ZDNet. The company filed documents with the US Securities and Exchange Commission disclosing the incident on June 9, a day after the company first discovered issues with some of its IT infrastructure. Details about the nature of the cyber-attack are still a mystery, but in a second document filed with the SEC on June 12, Avon promised to restore "some of its affected systems in the impacted markets" during this week.

30,000+ Italian sales agents’ personal data, IDs leaked by MLM company that distributes wellness products

CyberNews team has recently uncovered an unsecured Amazon Simple Storage Service (S3) bucket that contains more than 36,000 documents, including scans of national IDs, credit cards, and health insurance cards. The database also contains sales representative enrollment contracts that include personally identifiable information such as full names, addresses, tax identification numbers, and signatures of mostly Italian citizens. The database appears to belong to Ariix Italia, the recently launched Italian branch of Ariix, a US-based multi-level marketing company that advertises and sells health and wellness products.

City of Knoxville shuts down network after ransomware attack

The City of Knoxville, Tennessee, was forced to shut down its entire computer network following a ransomware attack that took place overnight and targeted the city's offices. Computers on Knoxville's network were encrypted overnight, with the attack being noticed by employees of the city's fire department around 4:30 AM, June 11, according to Chief Operations Officer David Brace. "Please be advised that our network has been attacked with ransomware," a notice sent to city employees on Thursday morning reads.

Live event solutions leader TAIT discloses data breach

TAIT, one of the world's leading live event solutions providers, disclosed a data breach that led to the exposure of personal and financial information stored on a server and on the email accounts of some of its employees. The data breach was discovered on April 6, 2020, when TAIT noticed that an unauthorized party gained access to one of the company's servers and the email accounts of several TAIT employees. TAIT immediately took its servers and email systems offline after discovering the incident and hired a cybersecurity company to help investigate the breach.

Fortune 500 insurance firm Genworth discloses data breach

Fortune 500 insurance holding company Genworth Financial disclosed a data breach after an unauthorized party gained access to insurance agents' online accounts using compromised login credentials. The data breach was discovered by Genworth on April 20, 2020, after the company detected unauthorized access to some insurance agents' online accounts, providing access to documents containing both personal and financial information.

Power company Enel Group suffers Snake Ransomware attack

European energy giant Enel Group suffered a ransomware attack a few days ago that impacted its internal network. Detected on June 7, the incident is the work of EKANS (SNAKE) ransomware operators, the group that also targeted Honda earlier. Enel Group confirmed to BleepingComputer that its internal IT network was disrupted on Sunday evening following a ransomware attack caught by their antivirus before the malware could spread. Dealing with the incident required isolating the corporate network for a limited time, "to carry out all interventions aimed at eliminating any residual risk." All connectivity was safely restored early on Monday morning, the company says.

Personal Details, including SSNs, of 40K USA Citizens Leaked on Darkweb

CybleInc identified a credible actor in one of the darkweb markets claiming to have personal details of approximately 40,000 USA citizens along with their social security numbers.

Misc

System hardening in Android 11

Google has posted an article describing new security features in Android 11, which has migrated to a hardened memory allocator, uses safer default settings and other improvements. They have also published an article describing privacy and security features in the new operating system.

Targeted MitM attacks using information leakage in SSH clients

Because of an information leak in the initial key exchange message of the SSH protocol, an attacker can detect whether an SSH client using the default configuration already stores a host key for the target server. Thus, an attacker can focus a man-in-the-middle attack on clients that connect to a server for the first time and avoid clients that would show a warning because of a changed host key. Clients that connect to a server for the first time ask the user to confirm the fingerprint of the host key. Users who compare the shown fingerprint against a known value are safe. However, many users rely on trust on first use and accept host keys without verification.
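The first-connection check that keeps a user safe regardless of that leak, as an added example (not code from the research summarised above): compute the OpenSSH-style SHA256 fingerprint of the presented host key and compare it against a reference value obtained out of band, instead of accepting it on first use. The sample key, the reference value and the host name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> tuple:
    """Parse 'keytype base64blob [comment]' (the authorized_keys format, also the key
    field of known_hosts) into (key type, raw blob). The blob starts with its own key
    type string, which must agree with the text field."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in text field does not match blob")
    return key_type, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 'SHA256:<base64, padding stripped>' fingerprint of a raw key blob,
    the same string ssh prints when it asks the user to confirm a new host key."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(presented_line: str, expected_fingerprint: str) -> bool:
    """True only if the presented host key hashes to the reference fingerprint.
    compare_digest keeps the string comparison constant-time."""
    _, blob = parse_pubkey_line(presented_line)
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint)


# Constructed sample key (placeholder, not a real server key): any 32 bytes form a
# syntactically valid ssh-ed25519 public key blob.
SAMPLE_PUBLIC = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_PUBLIC)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " example.invalid"


def reference_fingerprint() -> str:
    """Stand-in for the value obtained through a trusted channel (for example from
    the server's administrator) that the user compares with what ssh displays."""
    return sha256_fingerprint(SAMPLE_BLOB)


def substituted_key_line() -> str:
    """Same key type, one bit of the public value flipped: what a client sees when a
    man-in-the-middle presents its own host key on a first connection."""
    altered = SAMPLE_PUBLIC[:-1] + bytes([SAMPLE_PUBLIC[-1] ^ 0x01])
    blob = ssh_string(b"ssh-ed25519") + ssh_string(altered)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    print("reference fingerprint   :", reference_fingerprint())
    print("genuine key accepted    :", host_key_matches(SAMPLE_LINE, reference_fingerprint()))
    print("substituted key accepted:", host_key_matches(substituted_key_line(), reference_fingerprint()))
```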

One Out of Every 142 Passwords is '123456'

In one of the biggest password re-use studies of its kind, an analysis of more than one billion leaked credentials has discovered that one out of every 142 passwords is the classic "123456" string. The study, carried out last month by computer engineering student Ata Hakçıl, analyzed username and password combinations that leaked online after data breaches at various companies.

German stock trading platform Xetra down, all securities affected

Frankfurt-based electronic trading system Xetra was experiencing a "technical issue," affecting all securities traded on the platform, a Deutsche Boerse spokesman said on Wednesday. The outage in Xetra, a fully-electronic cash market trading system, is affecting trading in Austria, Czech Republic, Hungary, Germany and Slovenia.

Life As A Professional Hacker

Last month Guido Vranken hosted a successful Reddit AMA, sharing insight on his experience as a professional vulnerability researcher. Top questions from Reddit included what advice he had for someone looking to make money from vulnerability research, his process for hacking, and what advice he had specifically for someone heading off to college.

The more cybersecurity tools an enterprise deploys, the less effective their defense is

The enterprise is slowly improving its response to cybersecurity incidents, but in the same breath, it is still investing in too many tools, which can actually reduce the effectiveness of its defense. IBM released the results of a global survey, conducted by the Ponemon Institute and featuring responses from over 3,400 security and IT staff worldwide. The research suggests that while investment and planning are increasing, effectiveness is not rising at the same rate, with response efforts hindered by complexity caused by fragmented toolsets. The research, IBM's fifth annual Cyber Resilient Organization Report, says that while organizations are improving in cyberattack planning, detection, and response, their ability to contain an active threat has declined by 13%.

Over 100k daily brute-force attacks on RDP in pandemic lockdown

The number of daily brute-force attacks against the Windows Remote Desktop Protocol (RDP) service has almost doubled during the pandemic lockdown, telemetry data shows. With the increase in remote workers during the COVID-19 period, many employees now reach sensitive information on the company network from outside the infrastructure the company monitors. According to ESET, most of the attacks between January and May 2020 originated from IP addresses in the U.S., China, Russia, Germany, and France. Most of the targeted IP addresses were in Russia, Germany, Brazil, and Hungary, ESET telemetry data shows. The company says in a report that ransomware is the main risk following an RDP compromise, since cybercriminals can extort victims for decrypting company data. However, cryptocurrency mining and backdoors are also a common end game for the attackers.

Whistleblower provides blocking orders for over 4000 websites

Hardcoded secrets, unverified tokens, and other common JWT mistakes

Vasilii Ermilov has performed a security review on npm modules that use the most popular JWT libraries and reported the findings in a blog post.

Risky blogspot.in domain for sale after Google fails to renew it

Millions of indexed blogspot.in URLs are at risk of being abused for malicious purposes after Google let the domain expire and another company bought it and put it up for sale. Google let its blogspot.in domain expire in early June 2020; the new owner is offering it for $6,000.

Hackers use Google Analytics to steal credit cards, bypass CSP

Hackers are using Google's servers and the Google Analytics platform to steal credit card information submitted by customers of online stores. A method to bypass Content Security Policy (CSP) via the Google Analytics API, disclosed last week, has already been deployed in ongoing Magecart attacks that scrape credit card data from several dozen e-commerce sites. The tactic takes advantage of the fact that e-commerce sites using Google's web analytics service to track visitors whitelist the Google Analytics domains in their CSP configuration (CSP is a browser security standard that restricts where a page may load scripts from and which hosts it may send data to), so a skimmer injected into the page can send the stolen data as analytics hits to an attacker-controlled Google Analytics account without violating the policy.

The Antitrust Case against Google

State and federal authorities are reportedly preparing to bring antitrust charges against Google, focusing on anti-competitive behavior in the company's online advertising business. Yale SOM's Fiona Scott Morton, former chief economist in the Antitrust Division of the U.S. Justice Department, recently co-authored a paper laying out a roadmap for potential action against the company, drawing on information released in an investigation in the UK.

Adobe to remove Flash Player from web site after December 2020

Adobe plans to prompt users and ask them to uninstall Flash Player from their computers by the end of the year, when the software is scheduled to reach End-Of-Life (EOL) on December 31, 2020. The move was announced in a new Flash Player EOL support page that Adobe published earlier this month, six months before the EOL date. Adobe says that once Flash reaches the EOL date, the company doesn't merely plan to stop providing updates; it also plans to remove all Flash Player download links from its website.

Hackers hide credit card stealing script in favicon metadata

Hackers are always evolving their tactics to stay one step ahead of security companies. A perfect example of this is the hiding of malicious credit card stealing scripts in the EXIF data of a favicon image to evade detection. A common attack used to steal credit cards is to hack the website and inject malicious JavaScript scripts that steal submitted payment information when a customer makes a purchase. These stolen credit cards are then sent back to a server under the control of the threat actors where they are collected and used for fraudulent purchases or to sell on dark web criminal markets. These types of attacks are called Magecart and have been used on websites for well-known companies such as Claire's, Tupperware, Smith & Wesson, Macy's, and British Airways. "The abuse of image headers to hide malicious code is not new, but this is the first time we witnessed it with a credit card skimmer," Malwarebytes' Jérôme Segura stated in the report.

FBI warns K12 schools of ransomware attacks via RDP

The US Federal Bureau of Investigation sent out on Tuesday a security alert to K12 schools about the increase in ransomware attacks during the coronavirus (COVID-19) pandemic, and especially about ransomware gangs that abuse RDP connections to break into school systems. The alert, called a Private Industry Notification, or PIN, tells schools that "cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic because they represent an opportunistic target as more of these institutions transition to distance learning."

Sony launches PlayStation bug bounty program with $50K+ rewards

Sony announced the launch of a public PlayStation bug bounty program that pays security researchers and gamers for security vulnerabilities found in PlayStation 4 devices and PlayStation Network domains. According to the company's new PlayStation bug bounty program (aka Vulnerability Disclosure Program) hosted on HackerOne, Sony wants the research community to report any issues found in the PlayStation 4 system, operating system, accessories, and the PlayStation Network. Sony explains that only "submissions on the current released or beta version of system software" will be accepted, but it may also "accept submissions on earlier versions of system software on a case by case basis."

Examining the US Cyber Budget

Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack.

France to introduce controversial age verification system for adult websites

The French Parliament unanimously agreed on Thursday to introduce a nationwide age verification system for pornography websites, months after President Emmanuel Macron pledged to protect children against such content. Macron made the protection of children against adult content online a high-profile issue well before the coronavirus crisis hit. In January, tech companies, internet service providers and the adult film industry signed a voluntary charter, pledging to roll out tools to help ensure minors don't have access to pornographic content. Within a broader law on domestic violence, the Senate decided in June to introduce an amendment requiring pornography websites to implement an age verification mechanism. In order to enforce the law, the French audiovisual regulator CSA will be granted new powers to audit and sanction companies that do not comply; sanctions could go as far as blocking access to the websites in France with a court order.

Microsoft's new KDP tech blocks malware by making parts of the Windows kernel read-only

Microsoft has published the first technical details about a new security feature that will soon be part of Windows 10. Named Kernel Data Protection (KDP), Microsoft says this feature will block malware or malicious threat actors from modifying (corrupting) the operating system's memory. According to Microsoft, KDP works by giving developers access to programmatic APIs that will allow them to designate parts of the Windows kernel as read-only sections.

US govt to enforce HTTPS on new .gov sites starting September 1

Starting September 1, 2020, new .gov sites will only be accessible via HTTPS, as they will automatically be added to the HSTS preload list that browsers ship with, according to an announcement by the U.S. Government's DotGov Program. The DotGov Program is overseen by the U.S. General Services Administration (GSA); it operates the .GOV top-level domain (TLD) and provides .gov domains to US-based government organizations, from federal agencies to local municipalities. "... the DotGov Program announces our intent to preload the .gov TLD in the future," the DotGov Registrar said.

Car autopilot security

Many companies are experimenting with autopilots of varying complexity. Some are trying to build devices that actually take control of the vehicle out of human hands, while others are developing advanced driver-assistance systems (ADAS). The main issue autopilot manufacturers must address is guaranteeing reliability and safety; after all, people's lives depend on the system working properly. In recent years, infosec researchers have become increasingly interested in cars and their electronic systems. In the course of that research, attempts have been made to stop cars traveling at full speed and to confuse autopilot cameras. Almost every major infosec conference features at least one report on vulnerabilities found in vehicles. Typically, such news is presented in the media in apocalyptic tones: Cars are vulnerable! We're all going to die! But in fact the news is positive: for once, researchers seem to have taken an interest in a problem before criminals did, or at least before the latter began using their skills to attack cars on a large scale.

Intel adds CPU-level malware protection to Tiger Lake processors

Intel announced a new CPU-level security capability, Control-Flow Enforcement Technology (Intel CET), that protects against malware using control-flow hijacking techniques on devices with Intel's upcoming Tiger Lake mobile processors. CET has two parts: a hardware shadow stack, which keeps a protected copy of return addresses so that a return-oriented-programming chain that overwrites the regular stack is caught on RET, and indirect branch tracking, which requires the target of an indirect CALL or JMP to begin with an ENDBRANCH (ENDBR64/ENDBR32) instruction. "Intel CET is designed to protect against the misuse of legitimate code through control-flow hijacking attacks--widely used techniques in large classes of malware," Intel VP & GM of Client Security Strategy and Initiatives Tom Garrison said.