Table of Contents

  1. Breaches
    1. 305K+ Banking records of Indian citizens Leaked on Darkweb
    2. One of the world’s largest chipmakers Got Allegedly Breached by Maze Ransomware Operators
    3. Experian South Africa discloses data breach impacting 24 million customers
    4. Unico Campania - 166,031 breached accounts
    5. Gun exchange site confirms data breach after database posted online
    6. Marriott Faces Another Data Breach Lawsuit
    7. Spies in Silicon Valley: Twitter Breach Tied To Saudi Dissident Arrests
    8. Ponca City Public Schools Address Cyber Attack
  2. Misc
    1. Spotify hit with outage after forgetting to renew a certificate
    2. Law Enforcement Websites Hit by Blueleaks May Have Been Easy to Hack
    3. Tor Project shares proposals to limit DDoS impact on Onion sites
  3. Vulnerabilities
    1. Everything old is new again: binary security of WebAssembly
    2. Researchers detail bug in wireless devices impacting critical sectors
    3. Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926
  4. Malware
    1. Lucifer cryptomining DDoS malware now targets Linux systems
    2. US govt exposes new North Korean BLINDINGCAN backdoor malware
    3. WannaRen ransomware author contacts security firm to share decryption key
    4. New FritzFrog P2P botnet has breached at least 500 enterprise, government servers
  5. Crime
    1. Tens of suspects arrested for cashing-out Santander ATMs using software glitch
    2. Voice Phishers Targeting Corporate VPNs
    3. The Attack That Broke Twitter Is Hitting Dozens of Companies

Breaches

305K+ Banking records of Indian citizens Leaked on Darkweb

The Cyble research team recently identified a threat actor who leaked a total of 305,834 banking records of Indian citizens. According to Cyble's researchers, the leaked data appears to come from an aggregator, an entity that collects information from multiple sources and combines it into a single data set. Cyble says there is evidence that Axis Bank and ICICI Bank customers are affected: the leaked records include 30,419 Axis Bank user records and 244,996 ICICI Bank user records. To confirm the authenticity of the data, Cyble called a random sample of the listed individuals and verified that the records were genuine.

One of the world’s largest chipmakers Got Allegedly Breached by Maze Ransomware Operators

Cyble researchers identified a leak disclosure post in which the Maze ransomware operators claimed to have breached SK Hynix and to be in possession of sensitive company data. So far the operators have published only about 5% of the data they claim to hold. The company was founded in 1983 as Hyundai Electronics Industries, was renamed Hynix Semiconductor in 2001, and became SK Hynix in 2012. SK Hynix is currently the world's second-largest memory chipmaker and third-largest semiconductor company, with over 22,000 employees and annual revenue of around $35.27 billion.

Experian South Africa discloses data breach impacting 24 million customers

The South African branch of consumer credit reporting agency Experian disclosed a data breach on Wednesday. The credit agency admitted to handing over the personal details of its South African customers to a fraudster posing as a client. While Experian did not disclose the number of impacted users, a report from South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses. Experian said it reported the incident to local authorities, which were able to track down the individual behind the incident. Since then, Experian said it obtained a court order, "which resulted in the individual's hardware being impounded and the misappropriated data being secured and deleted."

Unico Campania - 166,031 breached accounts

In August 2020, the Neapolitan public transport website Unico Campania was hacked and the data extensively circulated. The breach contained 166k user records with email addresses and plain text passwords.

Gun exchange site confirms data breach after database posted online

A hacker has released the databases of a Utah-based gun exchange site and its related video, hunting, and Kratom sites for free on a cybercrime forum. On August 10th, a threat actor posted databases that they claim contain 195,000 user records for utahgunexchange.com, 45,000 records for its video site (UGETube), 15,000 records from the hunting site muleyfreak.com, and 24,000 user records from the Kratom site deepjunglekratom.com. "Utah Gun Exchange and UGETube remain dedicated to our mission of defending the First and Second Amendments and providing our users with a means to exercise their First and Second Amendment rights. As we know, there are many who have attacked, or will attack, Utah Gun Exchange and UGETube in an effort to stop us from accomplishing our mission to help protect your constitutional rights. We have recently learned of one such attack that affects you as our users," Utah Gun Exchange stated in their data breach notification.

Marriott Faces Another Data Breach Lawsuit

The breach of the Starwood guest reservation system ran from July 2014 to September 2018 (Marriott acquired Starwood in 2016) and exposed personal information for approximately 339 million customers worldwide. On Tuesday, a data breach representative action (aka group action or class action lawsuit) was filed in the High Court of Justice for England and Wales by Martin Bryant, who runs a Manchester, England-based consultancy called Big Revolution. Bryant's lawsuit seeks damages for Marriott losing control of customers' personal data, thus breaching the EU's General Data Protection Regulation as well as the U.K.'s Data Protection Act. It is being brought under rule 19.6 of the Civil Procedure Rules, which allows for representative actions. The lawsuit seeks to include all individuals in England and Wales (the other two nations in the U.K., Scotland and Northern Ireland, have separate legal systems) whose personal information was exposed, unless they opt out.

Spies in Silicon Valley: Twitter Breach Tied To Saudi Dissident Arrests

An internal breach at Twitter a half decade ago yielded data that was later used by Saudi Arabia to harass or arrest people critical of the government, according to lawsuits, human rights groups and the relative of a person apprehended in 2018. In 2015, two Twitter employees allegedly accessed more than 6,000 accounts while acting as spies for the government of Saudi Arabia. Some details of the incident have been disclosed by U.S. prosecutors, who charged the two men last November, and in recent lawsuits by people who alleged their accounts were among those breached. But few other details have emerged about what the Saudi government may have done with the data. Now, the sister of a Saudi man who ran an anonymous Twitter account said her brother's disappearance resulted from the activities of the alleged Twitter spies. Abdulrahman al-Sadhan was working at his office in Riyadh on March 12th, 2018 when Saudi Arabia's secret police showed up and took him away, according to his sister, Areej al-Sadhan. His family hasn't seen him since, and until he was permitted to make a short phone call to a relative in February, they worried that he might have been killed.

Ponca City Public Schools Address Cyber Attack

Superintendent Arrott said the district discovered that ransomware criminals had attacked PowerSchool, the system the district uses to manage schedules, store information, and keep parents informed. "Our PowerSchool data is encrypted. Luckily we had a back-up on an external server that wasn't online and we are working now to restore PowerSchool."

Misc

Spotify hit with outage after forgetting to renew a certificate

Spotify was hit with a brief outage after it failed to renew a TLS certificate used by its service. According to Cloudflare network engineer Louis Poinsignon, a wildcard certificate for the Spotify hostname *.wg.spotify.com had not been renewed and expired. Spotify services that communicate with those hosts would fail TLS validation against the expired certificate, which likely caused the outage.
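The following is an added example, not code from the original article or from Spotify or Cloudflare. It shows the two checks an outage like this comes down to: whether a certificate's validity window still covers "now" (with an early warning before expiry), and whether its names actually cover the hostname being contacted, including the RFC 6125 rule that a wildcard matches exactly one label. It operates on the dict shape returned by Python's ssl.SSLSocket.getpeercert(), so the same logic can run against an embedded sample or a live endpoint. The sample certificate, its dates, and the hostnames other than *.wg.spotify.com are constructed for the example.

```python
"""Certificate expiry and hostname-coverage check on getpeercert()-style data."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in getpeercert() format, modelled on a wildcard cert for
# *.wg.spotify.com; the validity dates and SAN list are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.wg.spotify.com"),),),
    "subjectAltName": (("DNS", "*.wg.spotify.com"), ("DNS", "wg.spotify.com")),
    "notBefore": "Aug 11 00:00:00 2019 GMT",
    "notAfter": "Aug 11 12:00:00 2020 GMT",
}


def as_of(iso_date: str) -> datetime:
    """Turn an ISO date such as '2020-08-20' into an aware UTC datetime."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def wildcard_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole left-most label and matches
    exactly one label, so *.wg.spotify.com covers a.wg.spotify.com but neither
    wg.spotify.com nor a.b.wg.spotify.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:] and bool(h_labels[0])


def cert_covers(cert: dict, hostname: str) -> bool:
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when there is no SAN extension at all
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(wildcard_match(n, hostname) for n in names)


def days_until_expiry(cert: dict, now: datetime) -> float:
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now) / timedelta(days=1)


def check_cert(cert: dict, hostname: str, now: datetime, warn_days: int = 14) -> list:
    """Return a list of findings; an empty list means the cert is fine for hostname."""
    findings = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    remaining = days_until_expiry(cert, now)
    if now < not_before:
        findings.append("not yet valid")
    if remaining < 0:
        findings.append(f"expired {-remaining:.1f} days ago")
    elif remaining < warn_days:
        findings.append(f"expires in {remaining:.1f} days")
    if not cert_covers(cert, hostname):
        findings.append(f"does not cover {hostname}")
    return findings


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live endpoint's leaf certificate (needs network access).
    With the default verifying context the handshake itself fails on an expired
    certificate, so this only returns data for certificates that still validate;
    reading the dates of an already-expired one needs the DER form
    (getpeercert(binary_form=True)) and a separate X.509 parser."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("edge.wg.spotify.com", "wg.spotify.com", "api.spotify.com"):
        print(host, check_cert(SAMPLE_CERT, host, now=as_of("2020-08-20")))
```

Run as a scheduled job with warn_days set to more than your renewal turnaround, the "expires in N days" finding is the alert that would have preceded this outage; the "does not cover" finding catches the other common misstep, serving a wildcard for one label depth on a hostname with two.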

Law Enforcement Websites Hit by Blueleaks May Have Been Easy to Hack

Whoever broke into 251 law enforcement websites and obtained the BlueLeaks trove of documents appears to have reused decades-old software for opening "backdoors" in web servers. The use of these widely available backdoors suggests that the hacktivist who compromised the sensitive sites, including fusion centers linked to federal agencies, did not need sophisticated attack methods because the sites were not very secure.

Tor Project shares proposals to limit DDoS impact on Onion sites

The Tor Project has proposed several defense schemes that could be used in future to limit the impact of the distributed denial-of-service (DDoS) attacks that have plagued dark web (onion) sites for years. These defenses are intended to preserve both usability and security, so that servers hosting onion services no longer crash when hit by a denial-of-service (DoS) attack. DoS attacks targeting onion sites (also known as introduction flooding attacks) exploit the onion service rendezvous protocol: the attacker sends small messages that force the onion service to expend a lot of resources in response. An attacker can overwhelm an onion service with hundreds or thousands of such requests, draining the server's CPU by forcing it to negotiate Tor circuits that will never be used.

Vulnerabilities

Everything old is new again: binary security of WebAssembly

WebAssembly is an increasingly popular compilation target designed to run code in browsers and on other platforms safely and securely, by strictly separating code and data, enforcing types, and limiting indirect control flow. Still, vulnerabilities in memory-unsafe source languages can translate to vulnerabilities in WebAssembly binaries. In this paper, researchers analyze to what extent vulnerabilities are exploitable in WebAssembly binaries, and how this compares to native code. Many classic vulnerabilities which, due to common mitigations, are no longer exploitable in native binaries, are completely exposed in WebAssembly. Moreover, WebAssembly enables unique attacks, such as overwriting supposedly constant data or manipulating the heap using a stack overflow. Researchers present a set of attack primitives that enable an attacker (i) to write arbitrary memory, (ii) to overwrite sensitive data, and (iii) to trigger unexpected behavior by diverting control flow or manipulating the host environment.

Researchers detail bug in wireless devices impacting critical sectors

A vulnerability affecting components used in millions of critical connected devices in the automotive, energy, telecom, and medical sectors could let hackers hijack the device or access the internal network. In some cases, the flaw is remotely exploitable over 3G. Researchers found it in the Cinterion EHS8 M2M module from Thales (formerly from Gemalto, acquired by Thales in 2019), but the vendor also confirmed it in the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62 modules. Over 30,000 companies use products from Thales, which connects more than 3 billion things worldwide every year. Researchers at X-Force Red, IBM's independent team of veteran hackers, discovered a method to bypass the security checks protecting the files and operational code in the EHS8 module. "Think of this module as the equivalent of a trustworthy digital lockbox, where companies can securely store a range of secrets such as passwords, credentials and operational code. This vulnerability undermines that function by allowing attackers to steal organizational secrets," IBM X-Force Red said.

Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926

Rocket.Chat is an open source, multi-platform messaging application similar to Slack. It is available as a self-hosted solution or as SaaS. Rocket.Chat can be used via a web browser, iOS, Android, or Electron-based desktop clients for Windows, Linux and macOS. A malicious user can send a specially crafted message, either to a channel or as a direct message to another user, which executes JavaScript in the victim's browser or inside the desktop client when the victim uses the "Reply in Thread" functionality. In the desktop clients, the cross-site scripting (XSS) vulnerability leads to remote code execution (RCE). CVE-2020-15926 was assigned to this issue.
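The advisory does not say which rendering path let the crafted message through, so the following is an added example of the general fix for this bug class rather than Rocket.Chat's own code: an allow-list sanitizer that lets a small set of formatting tags through, strips every other tag, drops all event-handler and style attributes, and refuses javascript:, data: and similar URL schemes in links (including the whitespace and case tricks used to slip past naive prefix checks). It is built on Python's standard html.parser; the allowed tag set, the render helpers and the sample messages are assumptions for the example. The reason the same bug is RCE in an Electron client is that a renderer with Node integration reachable from page script can call into Node APIs such as child_process, so escaping at the boundary is the whole defense.

```python
"""Allow-list HTML sanitizer for user-supplied chat messages (example code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for the example: minimal inline formatting, links with http(s)/mailto only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_url(url: str) -> bool:
    """Reject javascript:, data:, vbscript: and obfuscated forms such as
    ' javascript:' or 'JAVA\tSCRIPT:'; relative links (no scheme) are allowed."""
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # currently open allowed tags, to keep output balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content still goes through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onerror=, onclick=, style=, src=, ...
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "br":
            self.out.append("<br>")
            return
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack:  # close anything opened after it as well
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always entity-encoded

    def result(self) -> str:
        while self.stack:
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(message: str) -> str:
    s = Sanitizer()
    s.feed(message)
    s.close()
    return s.result()


def render_unsafe(message: str) -> str:
    """The vulnerable pattern: raw message text interpolated into the page."""
    return f'<div class="msg">{message}</div>'


def render_safe(message: str) -> str:
    """The fixed pattern: the same interpolation, but only sanitized markup reaches the DOM."""
    return f'<div class="msg">{sanitize(message)}</div>'


if __name__ == "__main__":
    # Constructed sample messages for the example.
    for msg in ('<img src=x onerror="alert(1)">hi',
                '<a href=" JAVA\tscript:alert(1)">click</a>',
                '<b onclick="x()">bold</b> & <i>it</i>'):
        print(render_unsafe(msg), "->", render_safe(msg))
```

Two design points worth noting: tags are dropped but their text is kept, so a stripped tag never leaves a dangling fragment that a browser could re-parse as markup; and attribute values are re-escaped on output, because html.parser hands them to the callback already decoded.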

Malware

Lucifer cryptomining DDoS malware now targets Linux systems

A hybrid DDoS botnet known for turning vulnerable Windows devices into Monero cryptomining bots is now also scanning for and infecting Linux systems. While the botnet's authors named it Satan DDoS, security researchers are calling it Lucifer to differentiate it from Satan ransomware. Besides adding Linux targeting support, Lucifer's creators have also expanded the Windows version's capabilities to steal credentials and escalate privileges using the Mimikatz post-exploitation tool. As detailed in a report published by researchers at NETSCOUT's ATLAS Security Engineering & Response Team (ASERT), the Linux port displays the same welcome message as the Windows variant. The new Linux version comes with capabilities similar to its Windows counterpart, including modules designed for cryptojacking and for launching TCP, UDP, and ICMP-based flooding attacks.

US govt exposes new North Korean BLINDINGCAN backdoor malware

U.S. government agencies published a malware analysis report exposing information on a remote access trojan (RAT) used by North Korean hackers in attacks targeting government contractors. The malware was identified by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) and is known as BLINDINGCAN. The trojan was attributed by the two agencies to the North Korean government-sponsored hacking group tracked as HIDDEN COBRA (aka Lazarus Group and APT38).

WannaRen ransomware author contacts security firm to share decryption key

A major ransomware outbreak hit Chinese internet users in April this year. For about a week, a ransomware strain known as WannaRen claimed tens of thousands of victims among both home users and local Chinese and Taiwanese companies. In retrospect, four months later, WannaRen's virality can be explained by the fact that its code was loosely modelled on WannaCry, the ransomware strain at the heart of the May 2017 global outbreak. Just like their inspiration, the authors of WannaRen incorporated the EternalBlue exploit into their infection chain, allowing WannaRen to spread unhindered inside corporate networks before encrypting files and demanding a ransom. And just like WannaCry, WannaRen spread far beyond what its authors had intended and caused more havoc than they anticipated, which is why, in the end, the authors gave up the master decryption key for free so that all victims could eventually recover their files.

New FritzFrog P2P botnet has breached at least 500 enterprise, government servers

On Wednesday, cybersecurity firm Guardicore published research into FritzFrog, a peer-to-peer (P2P) botnet that has been detected by the company's sensors since January this year. According to researcher Ophir Harpaz, FritzFrog has attempted to brute-force SSH servers belonging to government, education, financial, medical, and telecom players worldwide over the last eight months. A minimum of 500 servers have been breached, including those connected to prominent US and European universities, as well as an unnamed railway company. FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or point-of-failure. After brute-forcing an SSH server, the malware deployed on infected systems is fileless and both assembles and executes only in memory -- likely in an effort to avoid detection and leave little trace of its presence. According to the team, each infected machine then becomes a bot capable of receiving and executing commands.
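The entry point described above is plain SSH password brute force, which is visible in sshd's auth log long before any in-memory payload runs. The following is an added example, not Guardicore's tooling or anything from the article: a sliding-window detector over OpenSSH log lines that flags a source once it exceeds N failed logins within W seconds, and separately flags a later successful login from a source already flagged, which is the FritzFrog pattern (brute force, then success, then the fileless stage). The log lines, hostnames, users and addresses are constructed for the example; the thresholds are assumptions to tune per environment.

```python
"""Sliding-window SSH brute-force detection over OpenSSH auth log lines (example code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the default syslog format of OpenSSH on Debian/Ubuntu;
# the host, users and addresses are made up for this example.
SAMPLE_LOG = """\
Aug 19 10:00:01 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51022 ssh2
Aug 19 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Aug 19 10:00:02 web1 sshd[2105]: Failed password for invalid user oracle from 198.51.100.23 port 51024 ssh2
Aug 19 10:00:03 web1 sshd[2107]: Failed password for root from 198.51.100.23 port 51025 ssh2
Aug 19 10:00:03 web1 sshd[2109]: Failed password for invalid user test from 198.51.100.23 port 51026 ssh2
Aug 19 10:00:04 web1 sshd[2111]: Accepted password for root from 198.51.100.23 port 51027 ssh2
Aug 19 10:00:05 web1 sshd[2111]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 19 10:05:00 web1 sshd[2200]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Aug 19 10:05:30 web1 sshd[2202]: Accepted publickey for alice from 203.0.113.7 port 40002 ssh2
Aug 19 11:00:00 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Aug 19 11:30:00 web1 sshd[2301]: Failed password for root from 192.0.2.9 port 33002 ssh2
Aug 19 12:00:00 web1 sshd[2302]: Failed password for root from 192.0.2.9 port 33003 ssh2
Aug 19 12:30:00 web1 sshd[2303]: Failed password for root from 192.0.2.9 port 33004 ssh2
Aug 19 13:00:00 web1 sshd[2304]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2020):
    """Return (timestamp, 'Failed'|'Accepted', user, ip) or None for other sshd messages.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold: int = 5, window_s: int = 60):
    """Return (ip, kind, detail) findings in log order.

    kind is 'brute_force' the first time a source reaches `threshold` failures
    inside a `window_s` window, and 'success_after_brute_force' for every
    accepted login from a source that has already been flagged."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # expire failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append((ip, "brute_force", f"{len(q)} failures in {window_s}s"))
        elif ip in flagged:
            findings.append((ip, "success_after_brute_force", f"user={user}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

In the sample, 198.51.100.23 hits five failures in three seconds and then logs in as root, which produces both findings; alice's single typo followed by a key login is ignored. The slow source 192.0.2.9, one attempt every 30 minutes, never accumulates five failures in a 60-second window and evades the default; rerunning with window_s=7200 catches it, which is the usual trade-off between a short window for noisy tools and a long one for low-and-slow spraying.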

Crime

Tens of suspects arrested for cashing-out Santander ATMs using software glitch

The FBI and local police have made dozens of arrests across the tri-state area this week as part of a crackdown on multiple criminal gangs who exploited a glitch in the software of Santander ATMs to withdraw more money than the cards they used actually held. According to reports in local media, the bulk of the arrests took place in Hamilton (20 suspects), across towns in Morris County (19), and Sayreville (11). Smaller groups of suspects were also detained in Bloomfield, Robbinsville, and Holmdel, while reports of suspicious cash-outs were also recorded in Woodbridge, towns across Middlesex County, Boonton, Randolph, Montville, South Windsor, Hoboken, Newark, and even in New York City itself, in Brooklyn. Based on information ZDNet received from a Santander spokesperson, sources in the threat intelligence community, and details released by police departments in the affected towns, the criminal gangs appear to have found a bug in the software of Santander ATMs. The bug allowed members of the groups to use fake debit cards or valid preloaded debit cards to withdraw more funds from the ATMs than the cards held.

Voice Phishers Targeting Corporate VPNs

The COVID-19 pandemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away the credentials needed to remotely access their employers' networks. But one increasingly brazen group of crooks is taking the standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees. According to interviews with several sources, this hybrid phishing gang has a remarkably high success rate and operates primarily through paid requests or "bounties," where customers seeking access to specific companies or accounts can hire them to target employees working remotely at home.

The Attack That Broke Twitter Is Hitting Dozens of Companies

"Phone spear phishing" attacks have been on the rise since a bitcoin scam took over Twitter in July. But Twitter is hardly the only recent target of phone spear phishing, also sometimes known as "vishing," for "voice phishing," a form of social engineering. In just the past month since the Twitter hack unfolded, dozens of companies (including banks, cryptocurrency exchanges, and web hosting firms) have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that has been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. The attackers have then sold that access to others, who have typically used it to target high-net-worth users of the company's services, most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.