Table of Contents

  1. Breaches
    1. Promo - 14,610,585 breached accounts
    2. Tech unicorn Dave admits to security breach impacting 7.5 million users
    3. New ‘Meow’ attack has deleted almost 4,000 unsecured databases
    4. Blackbaud hack: More UK universities confirm breach
    5. Axens SA engineering company targeted by Netwalker
    6. Rabot Dutilleul, one of the largest construction and civil engineering groups in France, allegedly struck by Netwalker
    7. Nefilim ransomware operators allegedly targeted the Dussmann Group, Germany’s largest private multi-service provider
    8. LifeSpan Health System Hit With $1 Million HIPAA Fine
    9. Promo.com discloses data breach after 22M user records leaked online
    10. Hurb - 20,727,771 breached accounts
    11. Hackers Stole GitHub and GitLab OAuth Tokens From Git Analytics Firm Waydev
    12. Source code from dozens of companies leaked online
    13. Massive data leak alert for Squareyards, Sumo Payroll, and Stashfin – around 24 GB of customer data put on sale
  2. Privacy
    1. Academics smuggle 234 policy-violating skills on the Alexa Skills Store
    2. San Francisco Police Accessed Business District Camera Network to Spy on Protestors
    3. Facebook sues EU antitrust regulator for excessive data requests
    4. ACCC alleges Google misled consumers about expanded use of personal data
    5. Google reportedly peeks into Android data to gain edge over third-party apps
  3. Malware
    1. US govt confirms active exploitation of F5 BIG-IP RCE flaw
    2. Emotet malware operation hacked to show memes to victims
    3. Cisco patches ASA/FTD firewall flaw actively exploited by hackers
    4. Garmin confirms ransomware attack, services coming back online
    5. Office 365 phishing baits employees with fake SharePoint alerts
    6. UK and US warn QNAP owners to upgrade firmware to block malware
    7. Cerberus banking Trojan team breaks up, source code goes to auction
  4. Crime
    1. Business ID Theft Soars Amid COVID Closures
    2. Apple being sued for refusing to help iTunes gift card scam victims
  5. Politics
    1. WhatsApp confirms Catalan politician's phone was target of 2019 attack
    2. How Mexico's New Copyright Law Crushes Free Expression
    3. Russia’s GRU hackers hit US government and energy targets
  6. Vulnerabilities
    1. Study finds election officials vulnerable to cyberattacks
    2. Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
  7. Misc
    1. The Hacker Battle for Home Routers
    2. Somalia internet shut down after parliament votes to remove prime minister
    3. White House Tells EPIC to Delete COVID-19 Records, EPIC Declines

Breaches

Promo - 14,610,585 breached accounts

In July 2020, the self-proclaimed "World's #1 Marketing Video Maker" Promo suffered a data breach which was then shared extensively on a hacking forum. The incident exposed 22 million records containing almost 15 million unique email addresses alongside IP addresses, genders, names and salted SHA-256 password hashes.

Tech unicorn Dave admits to security breach impacting 7.5 million users

Digital banking app and tech unicorn Dave.com confirmed a security breach after a hacker published the details of 7,516,625 users on a public forum. In an email to ZDNet today, Dave said the security breach originated on the network of a former business partner, Waydev, an analytics platform used by engineering teams. "As the result of a breach at Waydev, one of Dave's former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave," a spokesperson told ZDNet. The company said it has already plugged the hacker's point of entry and is in the process of notifying customers of the incident. Dave app passwords are also being reset after being exposed.

New ‘Meow’ attack has deleted almost 4,000 unsecured databases

Hundreds of unsecured databases exposed on the public web are the target of an automated 'meow' attack that destroys data without any explanation. The activity started recently by hitting Elasticsearch and MongoDB instances without leaving any explanation, or even a ransom note. Attacks then expanded to other database types and to file systems open on the web. A quick search by BleepingComputer on the IoT search engine Shodan initially found dozens of databases that have been affected by this attack. Recently, the number of wiped databases increased to over 1,800. These attacks have pushed researchers into a race to find the exposed databases and report them responsibly before they become 'meowed.'

Blackbaud hack: More UK universities confirm breach

More than 20 universities and charities in the UK, US and Canada have confirmed they are victims of a cyber-attack that compromised a software supplier. Blackbaud was held to ransom by hackers in May and paid an undisclosed ransom to cyber-criminals. The US-based firm is the world's largest provider of education administration, fundraising, and financial management software. Blackbaud is not revealing the scale of the breach. Dozens more charities and educational organisations may have been affected.

Axens SA engineering company targeted by Netwalker

Cyble Inc. has come across the data leak of Axens SA published by the NetWalker ransomware operators. Axens is a worldwide group that provides a complete range of solutions for the conversion of oil and biomass to cleaner fuels, for the production and purification of major petrochemical intermediates, as well as for gas treatment and conversion options. With around 1,000 employees, the company earns annual revenue of around $806.65 million.

Rabot Dutilleul, one of the largest construction and civil engineering groups in France, allegedly struck by Netwalker

The Cyble Research Team came across a post by the Netwalker ransomware operators in which they claim to be in possession of confidential data of Rabot Dutilleul, one of the well-established construction groups in France, with over 1,500 employees and annual revenue of 823 million euros.

Nefilim ransomware operators allegedly targeted the Dussmann Group, Germany’s largest private multi-service provider

The Cyble Research Team came across a post by the Nefilim ransomware operators in which they claim to have breached the Dussmann Group and to be in possession of the company's sensitive data.

LifeSpan Health System Hit With $1 Million HIPAA Fine

Federal regulators have slapped the Rhode Island-based health system LifeSpan with a $1 million settlement tied to a 2017 data breach involving the theft of an unencrypted laptop that potentially exposed the data of 20,000 individuals. The settlement is the largest HIPAA enforcement action by the Department of Health and Human Services so far this year and the second settlement announced within the last week.

Promo.com discloses data breach after 22M user records leaked online

Promo.com, an Israel-based marketing video creation site, has disclosed a data breach after a database containing 22 million user records was leaked for free on a hacker forum. Promo is a web site that allows you to create promotional videos or ads that can then be shared on social networks such as Facebook, Instagram, Twitter, and LinkedIn. In a report shared with BleepingComputer by cybersecurity intelligence firm CloudSEK, a well-known seller of data breaches posted a database containing 22.1 million user records on a hacker forum. This data contains users' email addresses, names, genders, geographic location, and, for 2.6 million of the users, their hashed passwords.

Hurb - 20,727,771 breached accounts

In approximately March 2019, the online Brazilian travel agency Hurb (formerly Hotel Urbano) suffered a data breach. The data subsequently appeared online for download the following year and included over 20 million customer records with email and IP addresses, names, dates of birth, phone numbers and passwords stored as unsalted MD5 hashes.

Hackers Stole GitHub and GitLab OAuth Tokens From Git Analytics Firm Waydev

Waydev, an analytics platform used by software companies, disclosed a security breach earlier this month. The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database. Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers' work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores. When users install the app, Waydev receives an OAuth token that it can use to access its customers' GitHub or GitLab projects. Waydev stores this token in its database and uses it on a daily basis to generate analytical reports for its customers. Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens.

Source code from dozens of companies leaked online

Source code from exposed repositories of dozens of companies across various fields of activity (tech, finance, retail, food, eCommerce, manufacturing) is publicly available as a result of misconfigurations in their infrastructure. A public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney, Johnson Controls; and the list keeps growing.

Massive data leak alert for Squareyards, Sumo Payroll, and Stashfin – around 24 GB of customer data put on sale

Recently, Cyble Research Unit (CRU) identified a credible actor with the alias 'South Korea' who breached SquareYards, Sumo Payroll, and Stashfin. The breaches occurred in early 2020.

Privacy

Academics smuggle 234 policy-violating skills on the Alexa Skills Store

During a recently concluded 12-month study of the Alexa Skills Store review process, academics said they managed to smuggle 234 policy-breaking Alexa skills (apps) into the official Alexa store. The study's results are actually worse than they look, because the academics tried to upload 234 policy-breaking apps and managed to get them all approved without serious difficulties. "Surprisingly, we successfully certified 193 skills on their first submission," the research team wrote this week on a website detailing their findings.

San Francisco Police Accessed Business District Camera Network to Spy on Protestors

The San Francisco Police Department (SFPD) conducted mass surveillance of protesters at the end of May and in early June using a downtown business district's camera network, according to new records obtained by EFF. The records show that SFPD received real-time live access to hundreds of cameras as well as a "data dump" of camera footage amid the ongoing demonstrations against police violence. The camera network is operated by the Union Square Business Improvement District (BID), a special taxation district created by the City and County of San Francisco, but operated by a private non-profit organization. These networked cameras, manufactured by Motorola Solutions' brand Avigilon, are high definition, can zoom in on a person's face to capture face-recognition ready images, and are linked to a software system that can automatically analyze content, including distinguishing between when a car or a person passes within the frame. Motorola Solutions recently unveiled plans to expand its portfolio of tools for aiding public-private partnerships with law enforcement by making it easier for police to gain access to private cameras and video analytic tools like license plate readers.

Facebook sues EU antitrust regulator for excessive data requests

Facebook is suing EU antitrust regulators for seeking information beyond what is necessary, including highly personal details, for their investigations into the company's data and marketplace, the U.S. social media group said on Monday. Facebook has been under EU competition enforcers' scrutiny since last year, with one investigation focused on its trove of data and the other on its online marketplace launched in 2016 and used by 800 million Facebook users in 70 countries to buy and sell items. The company has since then provided 315,000 documents equivalent to 1.7 million pages to the Commission.

ACCC alleges Google misled consumers about expanded use of personal data

The ACCC has launched Federal Court proceedings against Google LLC (Google), alleging Google misled Australian consumers to obtain their consent to expand the scope of personal information that Google could collect and combine about consumers' internet activity, for use by Google, including for targeted advertising. The ACCC alleges Google misled consumers when it failed to properly inform consumers, and did not gain their explicit informed consent, about its move in 2016 to start combining personal information in consumers' Google accounts with information about those individuals' activities on non-Google sites that used Google technology, formerly DoubleClick technology, to display ads. This meant this data about users' non-Google online activity became linked to their names and other identifying information held by Google. Previously, this information had been kept separately from users' Google accounts, meaning the data was not linked to an individual user.

Google reportedly peeks into Android data to gain edge over third-party apps

Google has for several years collected app-usage data from Android phones to develop and advance its own competing apps, a new report alleges. The project, called Android Lockbox, "collects sensitive Android user data" for use within Google and has been in effect since at least 2013, The Information reports.

Malware

US govt confirms active exploitation of F5 BIG-IP RCE flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a warning confirming the active exploitation of the unauthenticated remote code execution (RCE) CVE-2020-5902 vulnerability affecting F5 Big-IP ADC devices. CISA's alert also provides additional mitigations and detection measures to help victims find out if their systems may have been compromised and recover after attacks that successfully exploited unpatched F5 devices. According to F5's security advisory, any remaining unpatched devices are probably already compromised during attacks that started just a few days after the company disclosed the security flaw.

Emotet malware operation hacked to show memes to victims

Someone is poking fun at the Emotet botnet and heavily disrupting its operations by hacking into the malware's distribution sites and replacing malicious payloads with memes and GIFs. This Emotehack operation has been happening for the past few days, providing some respite from Emotet spamming while the threat actor figures out how to regain control over their distribution sites. Emotet's distribution relies on hacked websites where the actors store payloads to be used in their spam campaigns. When victims of these campaigns fall for the ruse and open malicious spam attachments, executed macros will retrieve the Emotet malware payload from compromised sites in the botnet's network. Without a payload, the victim's computer does not fall into Emotet's grip. So whoever is replacing the malware in the botnet's distribution network is doing a huge favor to users and also keeping the threat actor busy.

Cisco patches ASA/FTD firewall flaw actively exploited by hackers

Cisco fixed a high severity and actively exploited read-only path traversal vulnerability affecting the web services interface of two of its firewall products. If successfully exploited, the security vulnerability tracked as CVE-2020-3452 may allow unauthenticated attackers to read sensitive files on unpatched systems through directory traversal attacks. CVE-2020-3452 is caused by improper input validation of URLs in HTTP requests, which allows attackers to exploit the vulnerability by sending specially crafted HTTP requests with directory traversal character sequences to affected devices. Successful exploitation could allow remote attackers to read arbitrary files on the targeted devices, stored within the web services file system that is only enabled when the impacted devices are configured with either AnyConnect or WebVPN features.
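The defensive side of the traversal class described above, as an added example that is not Cisco's code and knows nothing of the actual ASA/FTD bug: a request path is percent-decoded until stable, split into segments, and any `..` segment is rejected outright before the result is confined to a hypothetical document root (`/var/www/webvpn` and all sample paths are constructed).

```python
"""Canonicalise a requested URL path and confine it to a document root.
Added example for the traversal class behind CVE-2020-3452; not Cisco's
implementation.  Document root and request paths are constructed."""
from pathlib import PurePosixPath
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/var/www/webvpn")  # hypothetical document root


class TraversalError(ValueError):
    """Raised when a request path would escape the document root."""


def decode_url_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that %2e%2e and the
    double-encoded %252e%252e both collapse to '..'.  Backslashes are treated
    as separators, as many web servers do."""
    decoded = raw
    for _ in range(max_rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def resolve_under_root(raw: str, root: PurePosixPath = WEB_ROOT) -> PurePosixPath:
    """Return the file a request may read, or raise TraversalError.

    Strict policy: a '..' segment is rejected rather than normalised away,
    and the joined result is re-checked against the root as defence in depth."""
    path = decode_url_path(raw)
    if "\x00" in path:
        raise TraversalError("NUL byte in path")
    kept = []
    for segment in path.split("/"):
        if segment in ("", "."):          # collapse '//' and '/./'
            continue
        if segment == "..":
            raise TraversalError(f"traversal segment in {raw!r}")
        kept.append(segment)
    target = root.joinpath(*kept)
    if target != root and root not in target.parents:
        raise TraversalError(f"{raw!r} resolves outside {root}")
    return target


def is_safe(raw: str) -> bool:
    """Convenience predicate for request filters and tests."""
    try:
        resolve_under_root(raw)
        return True
    except TraversalError:
        return False
```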

Garmin confirms ransomware attack, services coming back online

Garmin has officially confirmed that they were victims of a ransomware attack as they slowly bring their Garmin Connect, Strava, and navigation services back online. Last week, Garmin suffered a worldwide outage that affected their Garmin Connect, Strava, inReach, and flyGarmin navigation and fitness services. BleepingComputer later confirmed through numerous sources that the outage was caused by a WastedLocker Ransomware attack that forced Garmin to shut down all of their devices to prevent them from being encrypted.

Office 365 phishing baits employees with fake SharePoint alerts

Employees using Microsoft Office 365 are targeted in a phishing campaign that makes use of bait messages camouflaged as automated SharePoint notifications to steal their accounts. The phishing emails delivered as part of this phishing campaign are addressed to all employees working at targeted organizations and have until now reached an estimated number of up to 50,000 mailboxes based on stats from email security company Abnormal Security. What makes these phishing messages potentially dangerous is the fact that they're using a shotgun approach, trying to trick at least one employee and then use their credentials to further compromise their employer's systems.

UK and US warn QNAP owners to upgrade firmware to block malware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) issued an alert about the risks of infection faced by QNAP NAS devices if QSnatch malware attacks restart. Although the attack infrastructure used in previous QSnatch attacks (from early 2014 to mid-2017 and from late 2018 to late 2019) is currently not active, the two agencies urge all QNAP customers to update their NAS devices as soon as possible to block future campaigns.

Cerberus banking Trojan team breaks up, source code goes to auction

The source code of the Android-based Cerberus banking Trojan is being auctioned off due to the break-up of the development team. Citing the split of the Cerberus crew and the fact that they no longer have the time to provide 24/7 support, the seller is getting rid of everything, including the customer base with active licenses and contacts for customers and potential buyers.

Crime

Business ID Theft Soars Amid COVID Closures

Identity thieves who specialize in running up unauthorized lines of credit in the names of small businesses are having a field day with all of the closures and economic uncertainty wrought by the COVID-19 pandemic, KrebsOnSecurity has learned. This story is about the victims of a particularly aggressive business ID theft ring that's spent years targeting small businesses across the country and is now pivoting toward using that access for pandemic assistance loans and unemployment benefits.

Apple being sued for refusing to help iTunes gift card scam victims

Apple is being sued for allegedly refusing to help those who have fallen victim to an iTunes gift card scam. An 11-count class action lawsuit has been filed against the company. Apple is accused of lying when it says that there is no way to trace or refund the value of the cards ... There are a large number of scams which involve pre-paid gift cards like store cards and iTunes gift cards. Here's how the FTC describes them.

Politics

WhatsApp confirms Catalan politician's phone was target of 2019 attack

WhatsApp has confirmed that the mobile phone of a leading pro-independence politician in Catalonia was targeted over its messaging app in a 2019 attack that has been condemned as a possible case of domestic espionage in Europe. In a letter to Roger Torrent, the speaker of the Catalan parliament, and obtained by the Guardian and El Pais, the company confirmed that his personal WhatsApp account was "targeted in an attempt to gain unauthorised access to data and communications on the device". The letter also confirmed that the targeting was part of an attack against WhatsApp's users by operators of spyware made by NSO Group.

How Mexico's New Copyright Law Crushes Free Expression

When Mexico's Congress rushed through a new copyright law as part of its adoption of Donald Trump's United States-Mexico-Canada Agreement (USMCA), it largely copy-pasted the US copyright statute, with some modifications that made the law even worse for human rights. The result is a legal regime that has all the deficits of the US system, and some new defects that are strictly hecho en Mexico, to the great detriment of the free expression rights of the Mexican people. Mexico's Constitution has admirable, far-reaching protections for the free expression rights of its people. Mexico's Congress is not merely prohibited from censoring its peoples' speech - it is also banned from making laws that would cause others to censor Mexicans' speech.

Russia’s GRU hackers hit US government and energy targets

Russia's GRU military intelligence agency has carried out many of the most aggressive acts of hacking in history: destructive worms, blackouts, and---closest to home for Americans---a broad hacking-and-leaking operation designed to influence the outcome of the 2016 US presidential election. Now it appears the GRU has been hitting US networks again, in a series of previously unreported intrusions that targeted organizations ranging from government agencies to critical infrastructure. From December 2018 until at least May of this year, the GRU hacker group known as APT28 or Fancy Bear carried out a broad hacking campaign against US targets, according to an FBI notification sent to victims of the breaches in May and obtained by WIRED. According to the FBI, the GRU hackers primarily attempted to break into victims' mail servers, Microsoft Office 365 and email accounts, and VPN servers. The targets included "a wide range of US-based organizations, state and federal government agencies, and educational institutions," the FBI notification states. And technical breadcrumbs included in that notice reveal that APT28 hackers have targeted the US energy sector, too, apparently as part of the same effort.

Vulnerabilities

Study finds election officials vulnerable to cyberattacks

Election administrators across the country are vulnerable to cyberattacks that originate through malicious phishing emails, a report released Monday found. The report, compiled by cybersecurity group Area 1 Security, found that over 50 percent of election administrators have "only rudimentary or non-standard technologies" to protect against malicious emails from cyber criminals, with less than 30 percent using basic security controls to halt phishing emails.

Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)

A security issue assigned CVE-2020-8558 was recently discovered in the kube-proxy, a networking component running on Kubernetes nodes. The issue exposed internal services of Kubernetes nodes, often run without authentication. On certain Kubernetes deployments, this could have exposed the api-server, allowing an unauthenticated attacker to gain complete control over the cluster. An attacker with this sort of access could steal information, deploy crypto miners or remove existing services altogether. The vulnerability exposed nodes' localhost services -- services meant to be accessible only from the node itself -- to hosts on the local network and to pods running on the node. Localhost bound services expect that only trusted, local processes can interact with them, and thus often serve requests without authentication. If your nodes run localhost services without enforcing authentication, you are affected.
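A node-side audit for the condition described above, as an added example that is not from the Kubernetes project or the advisory: it lists listening sockets bound to 127.0.0.1 from a `/proc/net/tcp` dump and reports them as network reachable when the `route_localnet` sysctl is enabled, which is the kube-proxy setting the upstream fix for CVE-2020-8558 addressed (that detail is not in the summary above). The dump and its ports are constructed, taken as from a little-endian host.

```python
"""Audit a Linux node for loopback-bound listeners that become reachable
from the LAN or from pods when net.ipv4.conf.all.route_localnet=1, the
kube-proxy setting behind CVE-2020-8558.  Added example; not Kubernetes
project code.  The /proc/net/tcp sample is constructed (little-endian)."""
import socket
import struct
from dataclasses import dataclass

LISTEN_STATE = 0x0A          # 'st' column value for a listening socket
ROUTE_LOCALNET = "/proc/sys/net/ipv4/conf/all/route_localnet"

# Constructed dump: two unauthenticated services bound to 127.0.0.1
# (ports 10255 and 8080), sshd bound to all interfaces, and one
# established (non-listening) loopback connection for contrast.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:280F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24101 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24102 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18877 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 0100007F:C8F2 01 00000000:00000000 00:00000000 00000000  1000        0 30988 1 0000000000000000 20 4 30 10 -1
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


def parse_proc_net_tcp(text: str) -> list[Listener]:
    """Return every IPv4 listening socket found in a /proc/net/tcp dump."""
    listeners = []
    for line in text.splitlines()[1:]:                 # skip header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], int(fields[3], 16)
        if state != LISTEN_STATE:
            continue
        hex_ip, hex_port = local.split(":")
        # The kernel prints the address as one native-order 32-bit word, so on
        # little-endian hosts 127.0.0.1 appears as 0100007F.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append(Listener(ip, int(hex_port, 16)))
    return listeners


def read_route_localnet(path: str = ROUTE_LOCALNET) -> int:
    """0 means packets for 127/8 arriving on a non-loopback interface are dropped."""
    with open(path) as fh:
        return int(fh.read().strip())


def exposed_loopback_listeners(text: str, route_localnet: int) -> list[Listener]:
    """Loopback listeners that other hosts and pods can reach once route_localnet=1.
    These are the services that 'expect only trusted, local processes'."""
    if route_localnet != 1:
        return []
    return [l for l in parse_proc_net_tcp(text) if l.addr.startswith("127.")]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            dump = fh.read()
        sysctl = read_route_localnet()
    except OSError:                                    # not on Linux: use sample
        dump, sysctl = SAMPLE_PROC_NET_TCP, 1
    for hit in exposed_loopback_listeners(dump, sysctl):
        print(f"{hit.addr}:{hit.port} is loopback-bound but network reachable")
```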

Misc

The Hacker Battle for Home Routers

Three botnet families are battling it out, seeking vulnerable home routers to take over and use as proxies, researchers at the security firm Trend Micro say. Residential routers are a prime target for cybercriminals. Most households have one, and due to the legacy of poor IoT security practices, many can be taken over easily either through exploiting security vulnerabilities or using default credentials that have never been changed.

Somalia internet shut down after parliament votes to remove prime minister

Network data from the NetBlocks internet observatory confirm that internet has been cut across much of Somalia with high impact to Mogadishu from 10:30 a.m. local time (7:30 a.m. UTC) on Sunday 26 July 2020. Connectivity was largely restored on Monday afternoon, with a recorded incident duration of 31 hours.

White House Tells EPIC to Delete COVID-19 Records, EPIC Declines

In an unusual development, the White House directed EPIC this week to delete a set of records that EPIC recently obtained from the Office of Science & Technology Policy---a request which EPIC declined. On Tuesday, EPIC published hundreds of records about the White House's response to the COVID-19 pandemic and proposals to use location data for public health surveillance. Hours later, a White House attorney sent EPIC a letter "order[ing]" EPIC "to immediately cease using and disclosing" one set of records and to "destroy all electronics copies." The letter stated that OSTP had "inadvertently and erroneously" provided EPIC with an unredacted copy of the records. Although EPIC voluntarily decided to redact personal contact information contained in the documents, EPIC informed the OSTP that it would still make the records available to the public. Under the Freedom of Information Act, a federal agency is not entitled to "claw back" a record that it discloses to a requester. EPIC has filed numerous FOIA requests concerning the federal government's COVID-19 response and has compiled a resource page about privacy and the pandemic.