Table of Contents

  1. Twitter
    1. Apple, Kanye, Gates, Bezos, more hacked in Twitter account crypto scam
    2. Twitter internal panel linked to account hijackings
    3. Who’s Behind Wednesday’s Epic Twitter Hack?
    4. Hackers Tell the Story of the Twitter Attack From the Inside
    5. 130 high-profile Twitter accounts targeted in hacking attack
  2. Crime
    1. World’s Most Wanted Man Jan Marsalek Located in Belarus; Data Points to Russian Intel Links
    2. Israeli Water Infrastructure Hit Again by Cyberattacks
    3. Diebold Nixdorf: ATMs in Europe Hacked
    4. Money Mule Reined In
    5. Possibly largest ever bust of banknote counterfeiters in the history of the euro
    6. Inside the surveillance software tracking child porn offenders across the globe
    7. Hacker behind Ripoff Report extortion attempt extradited to the US
  3. Privacy
    1. The FBI Secretly Used Travel Company 'Sabre' As A Global Surveillance Tool
    2. European court strikes down EU-US Privacy Shield user data exchange agreement as invalid
    3. Homeland Security Worries Covid-19 Masks Are Breaking Facial Recognition, Leaked Document Shows
    4. CBP does end run around warrants, simply buys license plate-reader data
    5. Firefox on Android: Camera remains active when phone is locked or the user switches apps
    6. Google is facing a lawsuit for tracking people even when they opt out
    7. South Korean regulator fines TikTok over mishandling child data
  4. Politics
    1. Pressure from Trump led to 5G ban, Britain tells Huawei
    2. US judge: WhatsApp lawsuit against Israeli spyware firm NSO can proceed
    3. Who has been using spyware on Catalan independence campaigners?
    4. Insecure IoT devices could be banned and destroyed if they fail to meet UK security standards
    5. Russian state-sponsored hackers target Covid-19 vaccine researchers
    6. Spanish deputy PM urges investigation into Catalan spyware claims
    7. UK says Russia sought to interfere in 2019 election by leaking documents online
    8. Chinese state hackers target Hong Kong Catholic Church
    9. Report: CIA received more offensive hacking powers in 2018
  5. Malware
    1. Emotet spam trojan surges back to life after 5 months of silence
    2. New Android malware steals your dating and social accounts
    3. Fake WordPress Plugin SiteSpeed Serves Malicious Ads & Backdoors
    4. New phishing campaign abuses a trio of enterprise cloud services
    5. Mac users trying to trade cryptocurrencies targeted by Gmera Trojan operators
    6. The Fake Cisco
  6. Misc
    1. Cloudflare outage on July 17, 2020
    2. Magento adds 2FA to protect against card skimming attacks
    3. Apple has €13bn Irish tax bill overturned
    4. Google says a bug is erroneously showing security alerts for TiVO devices
    5. The Day I Trolled The Entire Internet: An Accidental Research Project on CVE-2020-1350
  7. Breaches
    1. “Zero logs” VPN exposes millions of logs including user passwords, claims data is anonymous
    2. Iranian cyberspies leave training videos exposed online
    3. X-rays of male genitalia may have been shared online by central Pa. imaging employee: police
    4. Orange confirms ransomware attack exposing business customers' data
    5. Cloud provider stopped ransomware attack but had to pay ransom demand anyway
    6. University of Lethbridge reveals details regarding privacy breach at health centre
    7. US actor casting company leaked private data of over 260,000 individuals
    8. Wattpad - 268,765,495 breached accounts
    9. Citrix: No breach, hacker stole business info from third party
    10. New Zealand property management company leaks 30,000 users’ passports, driver’s licenses and other personal data
    11. Intentional privacy breach?: Govt considers releasing patients’ personal data
    12. LinkedIn Sued Over ‘Brazen’ Privacy Breach
  8. Vulnerabilities
    1. What changed in OpenSSL after heartbleed
    2. Threat modelling and IoT hubs
    3. Container Networking Security Issue (CVE-2020-8558)
    4. MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
    5. 2 Million Users Affected by Vulnerability in All in One SEO Pack
    6. BadPower attack corrupts fast chargers to melt or set your device on fire
    7. Critical SIGred Windows DNS bug gets micropatch after PoCs released

Twitter

Apple, Kanye, Gates, Bezos, more hacked in Twitter account crypto scam

Hackers are taking over high profile verified Twitter accounts to promote a cryptocurrency scam promising to give away up to 5,000 bitcoins to those sending between 0.1 BTC to 20 BTC to a "contribution" address. The scammers are using the hijacked accounts to send the messages through Twitter's web app and, so far, they have managed to collect 11.39174745 BTC (which amounts to roughly $105,000) on just one of the Bitcoin addresses used in the scam.

Twitter internal panel linked to account hijackings

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool. The internal tool interface was leaked on Twitter during the attack by data breach monitoring and prevention service Under The Breach and a number of other accounts. Right after they shared the screenshots of the internal user admin panel, the tweets were removed by Twitter staff who only left behind a "This Tweet violated the Twitter Rules" message and temporarily suspended the accounts who shared the info.

Who’s Behind Wednesday’s Epic Twitter Hack?

KrebsOnSecurity published an investiagtion into the hack, revealing ties with the individuals involved in SIM swapping schemes.

Hackers Tell the Story of the Twitter Attack From the Inside

Several people involved in the events that took down Twitter this week spoke with The Times, giving the first account of what happened as a pursuit of Bitcoin spun out of control.

130 high-profile Twitter accounts targeted in hacking attack

One hundred and 30 accounts were affected in the unprecedented attack, Twitter said in a statement on Friday morning, adding: "For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts." Twitter has not yet explained if its employees were working with the attackers to take over the impacted accounts, if they only provided the hackers with access to the internal tools, or if the scammers were able to take control of Twitter's internal systems without the employees' knowledge.

Crime

Bellingcat has investigated the disappearance of Wirecard's COO finding links to Russia and tracking back his location to Belarus.

Israeli Water Infrastructure Hit Again by Cyberattacks

The cyberattacks on Israeli infrastructure continue, with the Israeli Water Authority confirming on Thursday that another cyberattack targeted two Israeli water infrastructure facilities this week. According to officials, the attacks were aimed at agricultural water pumps in the Upper Galilee and infrastructure in the center of the country. The hacks did not cause any damage, the authorities said. "These were small specific drainage facilities in the agricultural sector, that were immediately and independently repaired by the local authorities. It did not cause any damage to the service, and had no real effect," the Water Authority said in a press release.

Diebold Nixdorf: ATMs in Europe Hacked

Diebold Nixdorf, a major manufacturer of ATMs, has issued an alert about "jackpotting" or "cash-out" attacks that are draining cash from its machines in several European countries. "Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM," according to the alert. "The investigation into how these parts were obtained by the fraudster is ongoing. One possibility could be via an offline attack against an unencrypted hard disc." Mike Weber, vice president at research security and pen testing firm Coalfire Labs, tells Information Security Media Group the threat actors may have obtained Diebold Nixdorf's software from a discarded machine.

Money Mule Reined In

A small Texas school district suffered a major blow in 2018, losing nearly $2 million in a business email compromise (BEC) scheme. And a Florida man who helped facilitate the crime is now serving time behind bars. Two years ago, an employee of a school district near Fort Worth received an email requesting a wire transfer payment for a school construction project. The school district was building a new elementary school at the time, and the employee sent the money as instructed. However, unbeknownst to the employee, the email was actually from a scammer posing as the construction company. The wiring instructions directed money to an account controlled by criminals.

Possibly largest ever bust of banknote counterfeiters in the history of the euro

Law enforcement authorities from Italy, Belgium and France, supported by Europol, dismantled an organised crime network involved in euro counterfeiting. On the action day on 15 July 2020, officers from the Italian Carabinieri Corps (Carabinieri) and its specialised Anti-Counterfeit Currency Unit arrested 44 suspects and froze criminal assets worth €8 million in Italy. Asset recovery measures taken so far during the overall operation in Italy include the confiscation of 50 apartments, 8 business premises, 2 farms, 10 companies operating in various sectors, 12 vehicles, 1 luxurious boat and 22 bank accounts, all with an estimated total value of approximately €8 million.

Inside the surveillance software tracking child porn offenders across the globe

The Child Protection System "has had a bigger effect for us than any tool anyone has ever created. It's been huge," said Dennis Nicewander, assistant state attorney in Broward County, Florida, who has used the software to prosecute about 200 cases over the last decade. "They have made it so automated and simple that the guys are just sitting there waiting to be arrested." The Child Rescue Coalition gives its technology for free to law enforcement agencies, and it is used by about 8,500 investigators in all 50 states. It's used in 95 other countries, including Canada, the U.K. and Brazil. Since 2010, the nonprofit has trained about 12,000 law enforcement investigators globally.

Hacker behind Ripoff Report extortion attempt extradited to the US

A Cypriot national has been extradited to the US to face charges of hacking into review portal Ripoff Report, extorting the company, and selling access to its backend to a third-party. The man, named Joshua Polloso Epifaniou, 21 years, and a resident of Nicosia, Cyprus, arrived in the US on Friday and is scheduled to be arraigned in front of a US court on Monday, July 20, where he'll be formally charged. According to court documents obtained by ZDNet, US authorities believe Epifaniou used a brute-force attack to gain access to the credentials of a Ripoff Report employee in October 2016.

Privacy

The FBI Secretly Used Travel Company 'Sabre' As A Global Surveillance Tool

Forbes understands the FBI is using info from Sabre, the world's largest travel data holder, to conduct surveillance around the world. Officials have reportedly asked the company to "actively spy" on targets, even while they're in the midst of travelling. In December 2019, the FBI asked Sabre for "real time" weekly surveillance of an Indian fugitive, Deepanshu Kher, for the space of six months. The firm was required to provide "travel orders, transactions or reservations" for Kher, who was caught in January and placed under house arrest. The travel data has also been used to catch people like alleged card scam site operator Alexei Burkov [in 2015], according to Forbes.

European court strikes down EU-US Privacy Shield user data exchange agreement as invalid

A crucial mechanism for transferring EU citizen data between the United States and Europe has been ruled as invalid in what could be a major blow to thousands of companies. Known as the EU-US Data Privacy Shield, the pact was designed for the exchange of data across country borders with high and legally-enforced data protection standards, including preventing the bulk collection of user information and limiting access to EU citizen data. "Data flows between Europe and the United States are an integral part of the European economy and of the day-to-day lives of millions of European consumers, and the SCCs are the backbone for many of those data transfers," Peets said. "As for the privacy shield, the European commission will be highly focused on finding a resolution and will be actively working work with the US government to identify a path forward."

Homeland Security Worries Covid-19 Masks Are Breaking Facial Recognition, Leaked Document Shows

A Homeland Security intelligence note dated May 22 expresses law enforcement anxiety, as public health wisdom clashes with the prerogatives of local and federal police who increasingly rely on artificial intelligence tools. The bulletin, drafted by the DHS Intelligence Enterprise Counterterrorism Mission Center in conjunction with a variety of other agencies, including Customs and Border Protection and Immigration and Customs Enforcement, "examines the potential impacts that widespread use of protective masks could have on security operations that incorporate face recognition systems --- such as video cameras, image processing hardware and software, and image recognition algorithms --- to monitor public spaces during the ongoing Covid-19 public health emergency and in the months after the pandemic subsides."

CBP does end run around warrants, simply buys license plate-reader data

America's border-protection agency "can track everyone's cars all over the country thanks to massive troves of automated license plate scanner data, a new report reveals," reports Ars Technica. And they didn't need to request search warrants from the courts, the article explains, since "the agency did just what hundreds of other businesses and investigators do: straight-up purchase access to commercial databases." U.S. Customs and Border Protection (CBP) has been buying access to commercial automated license plate-reader databases since 2017, TechCrunch reports, and the agency says bluntly that there's no real way for any American to avoid having their movements tracked. "CBP cannot provide timely notice of license plate reads obtained from various sources outside of its control," the agency wrote in its most recent privacy assessment. "The only way to opt out of such surveillance is to avoid the impacted area, which may pose significant hardships and be generally unrealistic...."

Firefox on Android: Camera remains active when phone is locked or the user switches apps

Mozilla says it's working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked. While this raises issues with streams continuing to consume the user's bandwidth, the bug was also deemed a major privacy issue as Firefox would continue to stream from the user's device in situations where the user expected privacy by switching to another app or locking the device. "From our analysis, a website is allowed to retain access to your camera or microphone whilst you're using other apps, or even if the phone is locked," a spokesperson for Traced, a privacy app, told ZDNet, after alerting us to the issue.

Google is facing a lawsuit for tracking people even when they opt out

A class-action lawsuit alleges that Google tracks users on hundreds of thousands of apps even when they opt out of "Web & App Activity" in the settings. The data privacy lawsuit accuses the search engine giant of violating wiretap law and California privacy law by recording what users are looking at in apps. It also alleges the tracking occurs through Google's Firebase, a popular set of software for app makers.

South Korean regulator fines TikTok over mishandling child data

Video sharing platform TikTok has been fined by a South Korea regulator for mishandling child data. The Korea Communications Commission (KCC), the country's telecommunications watchdog, said it has fined the company 186 million won - around $155,000 - for failing to protect users' private data. The fine is equivalent to 3% of the company's annual sales in South Korea, an amount designated for such violations under local privacy laws. The investigation began last year in October, the KCC said.

Politics

Pressure from Trump led to 5G ban, Britain tells Huawei

The British government privately told the Chinese technology giant Huawei that it was being banned from Britain's 5G telecoms network partly for "geopolitical" reasons following huge pressure from President Donald Trump, the Observer has learned. As part of the high-level behind-the-scenes contacts, Huawei was told that geopolitics had played a part, and was given the impression that it was possible the decision could be revisited in future, perhaps if Trump failed to win a second term and the anti-China stance in Washington eased.

US judge: WhatsApp lawsuit against Israeli spyware firm NSO can proceed

An Israeli company whose spyware has been used to target journalists in India, politicians in Spain, and human rights activists in Morocco may soon be forced to divulge information about its government clients and practices after a judge in California ruled that a lawsuit against the company could proceed. NSO Group was sued by WhatsApp, which is owned by Facebook, last year, after the popular messaging app accused the company of sending malware to 1,400 of its users over a two-week period and targeting their mobile phones.

Who has been using spyware on Catalan independence campaigners?

In spring last year, Sergi Miquel Gutiérrez realised something odd was going on with his mobile. "I remember some issues, for example losing some information on WhatsApp, and losing emails and having them appear in places I didn't put them," he said. The glitches upset Gutiérrez but, given his day job, they also made him suspicious. Gutiérrez works for the Council for the Republic, the Waterloo-based organisation set up by the former Catalan regional president Carles Puigdemont, who fled Spain to avoid arrest after staging a unilateral and illegal independence referendum in October 2017. Fairly certain that the mobile was being monitored, Gutiérrez changed his phone. He was not the only one to sense something was amiss at the time. In Barcelona, the pro-independence speaker of the Catalan regional parliament was also having technical difficulties.

Insecure IoT devices could be banned and destroyed if they fail to meet UK security standards

IoT devices could be banned from sale and destroyed if they fail to meet basic security standards, according to proposals put forward by the UK Government. The UK Government Department for Digital, Culture, Media and Sport (DCMS) has published proposals for a new law designed to protect purchasers of so-called "smart devices" from cybercriminals. Working with the National Cyber Security Centre (NCSC), the DCMS has detailed three key requirements that it wants IoT device manufacturers to follow -- and the potential penalties it is prepared to mete out if they are not met.

Russian state-sponsored hackers target Covid-19 vaccine researchers

Russian state-sponsored hackers are targeting UK, US and Canadian organisations involved in developing a coronavirus vaccine, according to British security officials. The UK's National Cyber Security Centre (NCSC) said drug companies and research groups were being targeted by a group known as APT29, which was "almost certainly" part of the Kremlin's intelligence services. British officials would not say if any of the attacks had been successful in their goal of stealing medical secrets. They stressed, however, that none of the vaccine research had been compromised as a result. The advisory reveals that Cozy Bear starts its attacks with spear phishing but it also exploits known severe vulnerabilities in Citrix (CVE-2019-19781), Pulse Secure (CVE-2019-11510), and Fortigate (CVE-2019-13379) products and Zimbra's Collaboration Suite (CVE-2019-9670) software. Patches exist for all these flaws.

Spanish deputy PM urges investigation into Catalan spyware claims

The Spanish deputy prime minister, Pablo Iglesias, has become the most senior political figure to call for a parliamentary investigation into the use of spyware to target prominent members of the Catalan independence movement, saying such practices are "unacceptable in a democracy". A joint investigation this week by the Guardian and El País has revealed that Roger Torrent, the speaker of the Catalan parliament, and former regional foreign minister Ernest Maragall are among at least four pro-independence activists who have been targeted using Israeli spyware that its makers said is sold only to governments. Spanish government has denied spying.

UK says Russia sought to interfere in 2019 election by leaking documents online

Russian actors "sought to interfere" in last winter's general election by amplifying an illicitly acquired NHS dossier that was seized upon by Labour during the campaign, the foreign secretary has said. Dominic Raab's statement is the first time ministers have admitted that the Kremlin has tried to distort the workings of British democracy -- a practice the foreign secretary said was "completely unacceptable".

Chinese state hackers target Hong Kong Catholic Church

China's government hackers have targeted members of the Hong Kong Catholic Church in a series of spear-phishing operations traced back to May this year. The attacks have come to light after reports that some of Hong Kong's church leaders and clergy have been directly involved in supporting pro-democracy protests despite orders from the Vatican to remain neutral. The spear-phishing campaign fits recent reports that Chinese government hacking groups focusing cyber-espionage efforts on the Hong Kong region after pro-democracy protests begun last year.

Report: CIA received more offensive hacking powers in 2018

US President Donald Trump gave broad powers to the Central Intelligence Agency (CIA) in 2018 to carry out offensive cyber operations across the globe. Yahoo News reported that the agency used its newly acquired powers to orchestrate "at least a dozen operations" across the world. The CIA was already authorized to conduct silent surveillance and data collection, but the new powers allow it to go even further. "This has been a combination of destructive things - stuff is on fire and exploding - and also public dissemination of data: leaking or things that look like leaking," a former US government official told Yahoo News.

Malware

Emotet spam trojan surges back to life after 5 months of silence

After months of inactivity, the notorious Emotet spamming trojan has come alive again as it spews out a massive campaign of malicious emails targeting users worldwide. Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim's computer, which installs other malware over time and using the infected computer to send further spam emails. Binary Defense researcher James Quinn told BleepingComputer that Emotet was last seen on Feb 7th, 2020, after which the spamming trojan went quiet and has not sent out any spam emails since.

New Android malware steals your dating and social accounts

A new Android banking trojan dubbed BlackRock steals credentials and credit card information from a list of 337 apps many of them used for many non-financial purposes. The malware was discovered in May by ThreatFabric analysts and it is derived from the leaked source code of the Xerxes banking malware, a known strain of the LokiBot Android trojan. Besides being the only Android malware based on Xerxes' source code, BlackRock also features another peculiarity: unlike other banking trojans, it targets a lot of non-financial Android apps, with a focus on social, communication, networking, and dating platforms.

Fake WordPress Plugin SiteSpeed Serves Malicious Ads & Backdoors

Fake WordPress plugins appear to be trending as an effective way of establishing a foothold on compromised websites. During a recent investigation, Sucuri team discovered a fake component which was masquerading as a legitimate plugin. Named SiteSpeed, it contained a lot of interesting malicious capabilities.

New phishing campaign abuses a trio of enterprise cloud services

A new phishing campaign uses a trio of enterprise cloud services, Microsoft Azure, Microsoft Dynamics, and IBM Cloud, as part of an attempt to steal your login credentials. BleepingComputer recently analyzed a new phishing campaign that pretends to from a help desk named "servicedesk.com" that mimics similar wording used by real IT helpdesk domains in corporate environments. The email imitates a "quarantined mail" notification frequently sent out in workplaces by email security products and spam filters, asking the user to "release" messages stuck in the queue.

Mac users trying to trade cryptocurrencies targeted by Gmera Trojan operators

Apple macOS users are being targeted in a fresh campaign aiming to pilfer cryptocurrency from their wallets. Trojanized cryptocurrency trading software and applications designed for Apple's operating system have been spotted recently by ESET researchers, who detailed their findings in a blog post on Thursday. The Trojanized applications are being offered online as versions of legitimate trading software, such as those developed by Kattana, an organization that has created a desktop terminal app for crypto trades. ESET is not sure of the exact infection attack vector, but it does appear that social engineering is in play, especially considering Kattana's warning in March that users were being directly approached to download malware-laden apps. Copycat websites claiming to be versions of Kattana have also been spotted.

The Fake Cisco

F-Secure labs has investigated counterfeit Cisco devices to look for backdoors, and has posted a lengthy report here.

Misc

Cloudflare outage on July 17, 2020

A configuration error in Cloudflare backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes and resulted in a traffic drop by about 50% across Cloudflare network. Because of the architecture of the backbone this outage didn't affect the entire Cloudflare network and was localized to certain geographies. The outage occurred because, while working on an unrelated issue with a segment of the backbone from Newark to Chicago, Cloudflare network engineering team updated the configuration on a router in Atlanta to alleviate congestion. This configuration contained an error that caused all traffic across our backbone to be sent to Atlanta. This quickly overwhelmed the Atlanta router and caused Cloudflare network locations connected to the backbone to fail.

Magento adds 2FA to protect against card skimming attacks

Adobe has added two-factor authentication (2FA) throughout the Magento platform in response to the widespread number of attacks where skimmer scripts are deployed on hacked e-commerce sites to steal customers' credit cards. "Using 2FA security will better protect you from malicious users attempting to perform unauthorized logins in three different areas: Magento.com accounts, Cloud Admin, and the Magento Admin," Adobe says. The Magento 2FA extension supports multiple authenticators including but not limited to Google Authenticator, Authy, Duo, and U2F keys. 2FA applies to Magento Admin users only and it is not available for online store customer accounts.

Apple has €13bn Irish tax bill overturned

Apple has been told it will not have to pay Ireland €13bn (£11.6bn) in back taxes after winning an appeal at the European Union's second-highest court. It overturns a 2016 ruling which found the tech giant had been given illegal tax breaks by Dublin. The EU's General Court said it had annulled that decision because there was not enough evidence to show Apple broke EU competition rules.

Google says a bug is erroneously showing security alerts for TiVO devices

Google says that a bug on its side is responsible for showing scary security alerts to owners of TiVO streaming dongles. The process requires users to set up and link a Google account on the device in order to receive access to the official Play Store and install streaming apps. For the past two weeks, TiVO Stream 4K owners say that as soon as they link their account on the device, Google sends them an alert warning in their inboxes, warning that the device has extensive access to their personal data and that Google has not verified the device/app developer.

The Day I Trolled The Entire Internet: An Accidental Research Project on CVE-2020-1350

Andy Gill from ZeroSec has posted a bogus PoC for the Microsoft DNS vulnerability discovered recently, and many have picked it up thinking it was real. He has written a follow up post analyzing the data he has gathered from this experiment.

Breaches

“Zero logs” VPN exposes millions of logs including user passwords, claims data is anonymous

Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.

Iranian cyberspies leave training videos exposed online

One of Iran's top hacking groups has left a server exposed online where security researchers say they found a trove of screen recordings showing the hackers in action. Discovered by IBM's X-Force cyber-security division, researchers believe the videos are tutorials the Iranian group was using to train new recruits. According to X-Force analysts, the videos were recorded with a screen-recording app named BandiCam, suggesting they were recorded on purpose and not accidentally by operators who got infected by their own malware.

X-rays of male genitalia may have been shared online by central Pa. imaging employee: police

Fairview Township police are investigating reports that a Quantum Imaging employee broke patient confidentiality to share X-rays of male genitalia in a Facebook group. Chief Jason Loper told PennLive a detective was assigned to the case, but no arrests have been made at this point. In a press release posted to Facebook, Quantum said "reports of possible criminal activity involving a patient privacy breach" by a non-physician employee were received on Tuesday. The imaging company immediately shared this with the police, according to the release.

Orange confirms ransomware attack exposing business customers' data

On July 15th, 2020, the ransomware operators behind the Nefilim Ransomware added Orange to their data leak site and stated that they breached the company through their "Orange Business Solutions" division. Orange confirmed to BleepingComputer that they suffered a ransomware attack targeting their Orange Business Services division on the night of Saturday, July 4th, 2020, into July 5th.

Cloud provider stopped ransomware attack but had to pay ransom demand anyway

Blackbaud, a provider of software and cloud hosting solutions, said it stopped a ransomware attack from encrypting files earlier this year but still had to pay a ransom demand anyway after hackers stole data from the company's network and threatened to publish it online. The incident took place in May 2020, the company revealed in a press release on Thursday. Blackbaud said hackers breached its network and attempted to install ransomware in order to lock the company's customers out of their data and servers. "After discovering the attack, our Cyber Security team-together with independent forensics experts and law enforcement-successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system," the company said.

University of Lethbridge reveals details regarding privacy breach at health centre

The University of Lethbridge says an Excel document with personal information of 1,225 patients at its health centre was inadvertently shared with a student. The document that was the subject of a privacy breach included names, dates of birth, personal health numbers, genders and a list of family physicians whom patients had seen since 2015.

US actor casting company leaked private data of over 260,000 individuals

In a report shared exclusively with ZDNet, the cybersecurity team from Safety Detectives, led by Anurag Sen, said the breach was discovered at the beginning of June this year. New Orleans-based MyCastingFile.com is an online casting agency that recruits talent. Users can sign up - for free or on a subscription basis - to apply for casting notices. The company claims to have provided actors for productions including True Detective, Pitch Perfect, NCIS: New Orleans, and Terminator Genisys. Safety Detectives discovered an open Elasticsearch server, hosted by Google Cloud, in the United States. The database was not secured via any form of authentication and in total, close to 10 million records were exposed. The database was 1GB in size and upon investigation, the team found that over 260,000 users of the website had their profiles leaked, including aspiring actors and potentially members of staff.

Wattpad - 268,765,495 breached accounts

In June 2020, the user-generated stories website Wattpad suffered a huge data breach that exposed almost 270 million records. The data was initially sold then published on a public hacking forum where it was broadly shared. The incident exposed extensive personal information including names and usernames, email and IP addresses, genders, birth dates and passwords stored as bcrypt hashes.

Citrix: No breach, hacker stole business info from third party

Citrix has published an official statement to deny allegations that the company's network was breached by a malicious actor who also claims that he was also able to steal customer information. The actor is now selling what he claims to be a database with information on 2,000,000 Citrix customers on the dark web, with a price tag of 2.15 bitcoins (roughly $19,700). "As recently as today, there are reports of Citrix data for sale on the dark web," Citrix's CISO Fermin J. Serna says."Many of these reports today erroneously imply a Citrix compromise."

New Zealand property management company leaks 30,000 users’ passports, driver’s licenses and other personal data

CyberNews received information from reader Jake Dixon, a security researcher with Vadix Solutions, who discovered an unsecured Amazon Simple Storage Solution (S3) database containing more than 31,000 images of users' passports, driver's licenses, evidence of age documents, and more. These files are publicly accessible to anyone who has the URL and appears to be owned by the Wellington, New Zealand company LPM Property Management. Due to the type of company it is, the unsecured database (which appears to only host image files for the company) also contains pictures of applicants and some property requiring maintenance.

Intentional privacy breach?: Govt considers releasing patients’ personal data

The national COVID-19 task force is considering releasing patients' personal data in an effort to encourage adherence to health protocols in affected areas. Task force chief and National Disaster Mitigation Agency (BNPB) head Doni Monardo said such data would only be made available to people living in the patients' neighborhoods. "Current regulations don't allow authorities to publish patient data. But if this data could be known by people living in their neighborhoods, it could help the surrounding community prepare preventive actions," Doni said during a meeting with House of Representatives Commission VIII overseeing social affairs on Monday, as quoted by kompas.com.

LinkedIn Sued Over ‘Brazen’ Privacy Breach

Social networking company LinkedIn was hit with a class-action complaint alleging that it engaged in "a particularly brazen, indefensible privacy violation" by reading data from Apple users' clipboards. "Until abruptly exposed by Apple and independent developers, LinkedIn had programmed its iPhone and iPad applications to abuse Apple's Universal Clipboard to brazenly read and divert LinkedIn users' most sensitive data - including sensitive data from other Apple devices - without their consent or knowledge," New York resident Adam Bauer alleges in a class-action complaint filed Friday in U.S. District Court for the Northern District of California.

Vulnerabilities

What changed in OpenSSL after heartbleed

The OpenSSL project made tremendous improvements to code quality and security after Heartbleed. By the end of 2016, the number of commits per month had tripled, 91 vulnerabilities were found and fixed, code complexity decreased significantly, and OpenSSL obtained a CII best practices badge, certifying its use of good open source development practices. The OpenSSL project provides a model of how an open source project can adapt and improve after a security event. The evolution of OpenSSL shows that the number of known vulnerabilities is not a useful indicator of project security. A small number of vulnerabilities may simply indicate that a project does not expend much effort to finding vulnerabilities. This study suggests that project activity and CII badge best practices may be better indicators of code quality and security than vulnerability counts.

Threat modelling and IoT hubs

PentestPartners have analyzed the VeraEdge IoT hub and found that the provider has full backdoor access to the devices, even if those are inferred in the device documentation, appearing to be intended functionality.

Container Networking Security Issue (CVE-2020-8558)

AWS is aware of a security issue, recently disclosed by the Kubernetes community, affecting Linux container networking (CVE-2020-8558). This issue may allow containers running on the same host, or adjacent hosts (hosts running in the same LAN or layer 2 domain), to reach TCP and UDP services bound to localhost (127.0.0.1).

MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface

This post is the first of a multi-part series by Mateusz Jurczyk from Project Zero from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices.

2 Million Users Affected by Vulnerability in All in One SEO Pack

On July 10, 2020, Wordfence Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel's 'all posts' page.

BadPower attack corrupts fast chargers to melt or set your device on fire

Chinese security researchers said they can alter the firmware of fast chargers to cause damage to connected (charging) systems, such as melt components, or even set devices on fire. The technique, named BadPower, was detailed last week in a report published by Xuanwu Lab, a research unit of Chinese tech giant Tencent. According to researchers, BadPower works by corrupting the firmware of fast chargers -- a new type of charger that was developed in the past few years to speed up charging times. A fast charger looks like any typical charger but works using special firmware. This firmware "talks" to a connected device and negotiates a charging speed, based on the device's capabilities. If a fast-charging feature is not supported, the fast charger delivers the standard 5V, but if the device can handle bigger inputs, the fast charger can deliver up to 12V, 20V, or even more, for faster charging speeds. The BadPower technique works by altering the default charging parameters to deliver more voltage than the receiving device can handle, which degrades and damages the receiver's components, as they heat up, bend, melt, or even burn.

Critical SIGred Windows DNS bug gets micropatch after PoCs released

The critical remote code execution security vulnerability in Windows DNS known as SIGRed has received a micropatch for servers without an Extended Security Updates (ESU) license. SIGRed can be exploited in a wormable fashion, allowing an adversary to expand their attack to all affected systems on the network without user interaction. It received the tracking number CVE-2020-1350 and the maximum severity score, 10 out of 10. Proof-of-concept (PoC) scripts that trigger the vulnerability and create a denial-of-service condition are already publicly available. It is safe to assume that a reliable exploit to achieve remote code execution is in the works.