Table of Contents

  1. Breaches
    1. Ransomware gang publishes tens of GBs of internal data from LG and Xerox
    2. Robocall Legal Advocate Leaks Customer Data
    3. Zello resets all user passwords after data breach
    4. Aged care operator’s resident data stolen and dumped in ransomware attack
    5. Apollo Tyres allegedly breached by NetWalker
    6. Forsee Power, a well-known player in electromobility market, breached by Netwalker
  2. Politics
    1. Ahead of US election, Google bans ads linking to hacked political content
    2. Russians hacked Liam Fox's personal email to get US-UK trade dossier
    3. BlackBerry Phone Cracked
    4. Coronavirus: Iran cover-up of deaths revealed by data leak
    5. Trump gives Microsoft 45 days to clinch TikTok deal
    6. Nothing Sacred: Religious and Secular Voices for Reform in Togo Targeted with NSO Spyware
  3. Crime
    1. EFF and ACLU Tell Federal Court that Forensic Software Source Code Must Be Disclosed
    2. FBI sees surge in online shopping scams, FTC says most reports ever
    3. Hackers could have stolen PayPal funds from Meetup users
    4. 2gether hacked: €1.2m in cryptocurrency stolen, native tokens offered in exchange
  4. Malware
    1. CISA, DOD, FBI expose new Chinese malware strain named Taidoor
    2. Netwalker ransomware earned $25 million in just five months
    3. GuLoader Rises as a Top Malware Delivery Mechanism in Phishing
  5. Vulnerabilities
    1. Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites
    2. Exploiting Android Messengers with WebRTC: Part 1
  6. Misc
    1. Windows 10: HOSTS file blocking telemetry is now flagged as a risk
    2. Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security
    3. BlackBerry releases new security tool for reverse-engineering PE files
    4. TikTok: Logs, Logs, Logs
    5. Zoom & Doom: How INKY Unraveled A Credential Harvesting Phishing Scam
    6. Facebook Live streams restricted in Jordan during Teachers’ Syndicate protests

Breaches

Ransomware gang publishes tens of GBs of internal data from LG and Xerox

The operators of the Maze ransomware have published tens of GB of internal data from the networks of enterprise business giants LG and Xerox following two failed extortion attempts. The hackers leaked 50.2 GB they claim to have stolen from LG's internal network, and 25.8 GB of Xerox data. While LG issued a generic statement to ZDNet in June, neither company wanted to talk about the incident in great depth. Both leaks have been teased since late June when the operators of the Maze ransomware created entries for each of the two companies on their "leak portal."

Robocall Legal Advocate Leaks Customer Data

A California company that helps telemarketing firms avoid getting sued for violating a federal law that seeks to curb robocalls has leaked the phone numbers, email addresses and passwords of all its customers, as well as the mobile phone numbers and other data on people who have hired lawyers to go after telemarketers.

Zello resets all user passwords after data breach

The push-to-talk app Zello has disclosed a data breach that exposed users' email addresses and hashed passwords after it discovered unauthorized activity on its systems. Zello is a mobile service with 140 million users that allows first responders, hospitality services, transportation, and family and friends to communicate via their mobile phones using a push-to-talk app. Zello states that it discovered unauthorized activity on one of its servers on July 8th, 2020. As part of this access, the hacker may have obtained the email addresses and hashed passwords of Zello accounts.

Aged care operator’s resident data stolen and dumped in ransomware attack

ASX-listed aged care operator Regis has been hit by an international cyber attack that has led to the release of sensitive personal data, adding to the woes of the company which is battling a coronavirus outbreak at one of its Melbourne centres. The $400 million operator told investors on Monday an "overseas third party" was responsible for an attack on its operations resulting in data being copied from its servers and publicly released. The incident has not disrupted its services, the company said.

Apollo Tyres allegedly breached by NetWalker

Recently, the Cyble Research Team came across a post in which the Netwalker ransomware operators claimed to have breached Apollo Tyres Ltd, the world's seventh-largest tyre manufacturer, with over 16,000 employees and annual revenue of around $2.46 billion. It has a network of nearly 5,000 dealerships in India, of which over 2,500 are exclusive outlets.

Forsee Power, a well-known player in electromobility market, breached by Netwalker

The Cyble threat research group came across another disclosure from the Netwalker group, which claimed to be in possession of sensitive data belonging to Forsee Power, a well-known industrial group headquartered in France and the USA that specializes in smart battery systems for sustainable electric transport. It is considered one of the major players in Europe, Asia, and North America, with annual revenue of around $65 million and over 200 employees.

Politics

Ahead of US election, Google bans ads linking to hacked political content

Ahead of this year's US presidential election, Google announced on Friday a new policy for its advertising platform, banning ads that promote hacked political materials. The new rule is set to enter into effect on September 1, 2020, Google said in a support page announcing the new rule. Once the rule comes into effect, third-party entities won't be able to purchase ad space inside the Google Ads platform that link directly or indirectly to hacked content that was obtained from a political entity.

Russians hacked Liam Fox's personal email to get US-UK trade dossier

A personal email account belonging to Liam Fox, the former trade minister, was repeatedly hacked into by Russians who stole classified documents relating to US-UK trade talks, the Guardian understands. The security breaches last year, which are subject to an ongoing police investigation, pose serious questions for the Conservative MP who is currently the UK's nominee to become director general of the World Trade Organization. Whitehall sources indicated the documents were hacked from a personal account rather than a parliamentary or ministerial one, prompting Labour to ask why Fox was using unsecured personal emails for government business.

BlackBerry Phone Cracked

Australia is reporting that a BlackBerry device has been cracked after five years: An encrypted BlackBerry device that was cracked five years after it was first seized by police is poised to be the key piece of evidence in one of the state's longest-running drug importation investigations.

Coronavirus: Iran cover-up of deaths revealed by data leak

The number of deaths from coronavirus in Iran is nearly triple what Iran's government claims, a BBC Persian service investigation has found. The government's own records appear to show almost 42,000 people died with Covid-19 symptoms up to 20 July, versus 14,405 reported by its health ministry. The number of people known to be infected is also almost double official figures: 451,024 as opposed to 278,827.

Trump gives Microsoft 45 days to clinch TikTok deal

President Donald Trump only agreed to allow Microsoft Corp to negotiate the acquisition of popular short-video app TikTok if it could secure a deal in 45 days, three people familiar with the matter said on Sunday. The move represents an about-face for Trump and prompted the U.S. tech giant to declare its interest in the blockbuster social media deal that could further inflame U.S.-China relations. Trump said on Friday he was planning to ban TikTok amid concerns that its Chinese ownership represents a national security risk because of the personal data it handles. The proposed acquisition of TikTok, which boasts 100 million U.S. users, would offer Microsoft a rare opportunity to become a major competitor to social media giants such as Facebook Inc and Snap Inc. Microsoft also owns the professional social media network LinkedIn. Trump had dismissed the idea of a sale to Microsoft on Friday. But following a discussion between Trump and Microsoft CEO Satya Nadella, the Redmond, Washington-based company said in a statement on Sunday that it would continue negotiations to acquire TikTok from ByteDance, and that it aimed to reach a deal by Sept. 15.

Nothing Sacred: Religious and Secular Voices for Reform in Togo Targeted with NSO Spyware

In May 2019, WhatsApp identified and shortly thereafter fixed a vulnerability that allowed attackers to inject NSO Group spyware onto phones with a missed WhatsApp video call. At least 1,400 WhatsApp users were targeted as part of this incident. WhatsApp attributes the attacks to NSO Group, an Israeli spyware developer. NSO spyware was used in 2019 to target Togolese civil society, including a Catholic bishop, priest, and opposition politicians. The targeting coincided with nationwide pro-reform protests which were forcibly dispersed, amidst violence and arrests.

Crime

EFF and ACLU Tell Federal Court that Forensic Software Source Code Must Be Disclosed

Can secret software be used to generate key evidence against a criminal defendant? In an amicus brief filed ten days ago with the United States District Court for the Western District of Pennsylvania, EFF and the ACLU of Pennsylvania explain that secret forensic technology is inconsistent with criminal defendants' constitutional rights and the public's right to oversee the criminal trial process. Mr. Ellis also explains why source code, and other aspects of forensic software programs used in a criminal prosecution, must be disclosed in order to ensure that innocent people do not end up behind bars, or worse, on death row.

FBI sees surge in online shopping scams, FTC says most reports ever

The U.S. Federal Bureau of Investigation (FBI) warned of an increased number of reports coming from victims of online shopping scams. The public service announcement, published on the agency's Internet Crime Complaint Center (IC3), says that scam victims report finding the scammers' websites either via direct searches on popular web search engines or through social media ads. "Victims reported they were led to these websites via ads on social media platforms or while searching for specific items on online search engines' 'shopping' pages," the FBI says. "Victims purchased items from these websites because prices were consistently lower than those offered by other online retail stores." According to an FTC report from July detailing shady sellers who never send ordered items, the number of online shopping scam reports has increased every year since 2015. "In 2019, people filed more than 86,000 reports about online shopping issues, including reports about orders that never arrived," the FTC said.

Hackers could have stolen PayPal funds from Meetup users

Researchers analyzing the Meetup platform for organizing free and paid group events discovered high-severity vulnerabilities that allowed attackers to become co-organizers or steal funds. Meetup received a full report in mid-December 2019 and worked through July 15, 2020, to improve the security of the service and fix all reported bugs. In a report, researchers from Checkmarx describe a stored XSS (cross-site scripting) vulnerability that allowed a regular group member to obtain the same permissions as an organizer. The researchers say that the privilege escalation was possible by simply posting JavaScript code in a message in the discussion area, a feature that is active by default in a Meetup group. "Requests with common XSS payloads, sent as a message post in the discussion area, were blocked as we would expect. However, we were able to bypass these protections in the POST requests, which creates the opportunity for attackers to hijack a Meetup group page, escalate their role to 'co-organizer,' and completely manage the group" - Checkmarx

2gether hacked: €1.2m in cryptocurrency stolen, native tokens offered in exchange

2gether has revealed a cyberattack in which roughly €1.2 million in cryptocurrency has been stolen from cryptocurrency investment accounts. Founded in 2017, 2gether offers a cryptocurrency trading platform within the Eurozone for buying and selling without additional fees. The organization's native coin is the 2GT token, which is - or, at least, was - due to be issued during 2020 following a pre-sale in Spain. However, on July 31 at 6.00 pm CEST, the trading platform suffered a cyberattack on its servers. The unknown threat actors reportedly behind the attack made off with €1.183 million in cryptocurrency in investment accounts, which equates to 26.79% of overall funds.

Malware

CISA, DOD, FBI expose new Chinese malware strain named Taidoor

Three agencies of the US government have published a joint alert on Taidoor, a new strain of malware that has been used during recent security breaches by Chinese government hackers. According to the three agencies, Taidoor has versions for 32- and 64-bit systems and is usually installed on a victim's systems as a service dynamic link library (DLL). This DLL contains two other files. "The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT)."

Netwalker ransomware earned $25 million in just five months

The Netwalker ransomware operation has generated a total of $25 million in ransom payments since March 1st according to a new report by McAfee. Netwalker is a Ransomware-as-a-Service (RaaS) operation that began operating in late 2019, where affiliates are enlisted to distribute the ransomware and infect victims in return for a 60-70% cut of ransom payments. Known as a human-operated, or enterprise-targeting, ransomware, Netwalker affiliates will hack into an organization's network and quietly gain control.

GuLoader Rises as a Top Malware Delivery Mechanism in Phishing

There's a new malware delivery mechanism in town, and it's competing in volume with the most tried-and-true delivery methods like malicious Microsoft Office macros. GuLoader, a small but dangerously sophisticated loader, emerged early this year and rapidly became one of the most popular delivery mechanisms, used by numerous threat actors to deliver a wide assortment of malware. Its popularity can be explained by its combination of simplicity and sophistication: it is both easy to use and extremely effective, designed to evade multiple security measures and then download and execute malware while going undetected. A recent report indicates that it is sold openly, making it easier for threat actors to obtain. As long as GuLoader is profitable, its authors will have an incentive to continue to improve it, making it a potential long-term threat.

Vulnerabilities

Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

In a report published by Wordfence's Threat Intelligence team, threat analyst Ram Gall says that he discovered two additional security flaws while analyzing a previous patch published by the plugin's developers on July 13. Wordfence spotted a reflected Cross-Site Scripting (XSS) flaw and a PHP Object Injection vulnerability, both of which were fully patched by Newsletter's development team on July 17 with the release of version 6.8.3, two days after the initial report sent on July 15. The two flaws are rated as medium- and high-severity issues; after successfully exploiting the reflected XSS issue on sites running vulnerable versions of the Newsletter plugin, attackers could add rogue admins and inject backdoors.

Exploiting Android Messengers with WebRTC: Part 1

This is a three-part series from Google Project Zero on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of security issues breaks down.

Misc

Windows 10: HOSTS file blocking telemetry is now flagged as a risk

Since the end of July, Microsoft has been detecting HOSTS files that block Windows 10 telemetry servers as a 'Severe' security risk. The HOSTS file is a text file located at `C:\Windows\system32\drivers\etc\HOSTS` and can only be edited by a program with Administrator privileges. This file is used to resolve hostnames to IP addresses without using the Domain Name System (DNS). It is commonly used to block a computer from accessing a remote site by mapping the site's hostname to the 127.0.0.1 or 0.0.0.0 IP address.
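As an added illustration (not code from the article or from Microsoft), a small Python parser that reads HOSTS-file text and lists the hostnames it blackholes by mapping them to a loopback or unspecified address; the sample file content and the hostnames in it are constructed, and the classification rules are this example's own assumptions.

```python
# Constructed sample HOSTS content; not copied from any real system.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
::1         localhost
192.168.1.10   fileserver.corp.example   # constructed internal host
0.0.0.0     telemetry.example.invalid    # constructed block entry
127.0.0.1   vortex.data.example.invalid settings.example.invalid
"""

# Assumed rule: an entry pointing at one of these addresses "blackholes" the name.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Assumed rule: these names legitimately map to loopback and are not flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address, hostname) pairs for every active entry in HOSTS text.

    Comments (everything after '#') and blank lines are ignored, and one line
    may map a single address to several whitespace-separated hostnames.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address without any hostname
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append((address, name.lower()))
    return entries


def find_blocking_entries(text):
    """Return the hostnames the HOSTS text blackholes, in file order.

    A name counts as blocked when it is mapped to a sinkhole address and is
    not one of the usual localhost aliases; these are the kind of entries the
    article says Microsoft now flags when they cover telemetry servers.
    """
    return [
        name
        for address, name in parse_hosts(text)
        if address in SINKHOLE_ADDRESSES and name not in LOCAL_NAMES
    ]


if __name__ == "__main__":
    for blocked in find_blocking_entries(SAMPLE_HOSTS):
        print("blackholed:", blocked)
```

On a real machine the same functions can be fed the contents of the file path given above; reviewing the returned list is a quick way to see what a HOSTS file is actually silencing before deciding whether an alert about it is justified.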

Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security

The Linux Foundation announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub's Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

BlackBerry releases new security tool for reverse-engineering PE files

At the Black Hat USA 2020 security conference, BlackBerry released a new tool for the cyber-security community. Named PE Tree, this is a new Python-based app for Linux, Mac, and Windows that can be used to reverse-engineer and analyze the internal structure of Portable Executable (PE) files, a common file format that malware authors have used to hide malicious payloads. The tool has been open-sourced on GitHub since last week, but now it marks its official release. "Reverse engineering of malware is an extremely time- and labor-intensive process, which can involve hours of disassembling and sometimes deconstructing a software program," the company said in a press release.

TikTok: Logs, Logs, Logs

In this article, the author tried to understand what data TikTok regularly sends back to its servers. He decrypted the content of the requests and analysed it. As far as we can see, in its current state, TikTok does not exhibit suspicious behavior and is not exfiltrating unusual data. Collecting data about the user's device is quite common in the mobile world, and we would obtain similar results with Facebook, Snapchat, Instagram and others.

Zoom & Doom: How INKY Unraveled A Credential Harvesting Phishing Scam

INKY has written an article detailing the Zoom phishing emails they have encountered in the wild.

Facebook Live streams restricted in Jordan during Teachers’ Syndicate protests

Network data from the NetBlocks internet observatory confirm that Facebook Live video streaming features have been restricted in Jordan by multiple providers on Wednesday 29 July 2020. Real-time metrics show that the feature was restored some hours later. The restrictions came into place on Wednesday amid protests against the closure of Jordan's teachers' syndicate, during which a number of participants were arrested. Authorities also imposed a gag order, preventing local media from reporting on events and limiting online speech.