Table of Contents
- 6,000 Roper St. Francis patients’ info possibly breached in compromised email incident
- Warner Music discloses months-long web skimming incident
- Oregon State University reports IT security incident
- Jewish Federation of Greater Washington reports $7.5 million hack
- Ministry of Justice victim of cyberattack that resulted in members of the public receiving emails with Emotet
- Online marketing company exposes 38+ million US citizen records
- Facebook to list all WhatsApp security issues on a new dedicated website
- Justice Dept. plans to file antitrust charges against Google in coming weeks
- Google rolls out Secure DNS support to Chrome for Android
- European ISPs report mysterious wave of DDoS attacks
- MIT SCRAM: a new analysis platform for prioritizing enterprise security investments
- The Joys of Owning an ‘OG’ Email Account
- CISA Orders Agencies To Set Up Vulnerability Disclosure Programs
- Facebook Moves to Limit Election Chaos in November
- NSA spying exposed by Snowden was illegal and not very useful, court says
- Lawsuit Claims Yahoo Provided China With Information on Political Dissidents
- India bans 118 Chinese apps, accusing companies of stealing data
- Google removes Android app that was used to spy on Belarusian protesters
- 16-Year-Old Arrested for Cyberattacks on School's Online Learning Systems
- RCMP charge 2 Montreal men in cyberattacks at Canadian Tire, BMO and Simplii
- FBI: Thousands of orgs targeted by RDoS extortion campaign
- CNN-News18 allegedly hacked to deny PayTM hack claims
- DDoS Attacks Disrupt Miami-Dade Public Schools Virtual Learning Classes, Police Looking for Culprits
- Former IT director gets jail time for selling government's Cisco gear on eBay
- AlphaBay dark web marketplace moderator gets 11 years in prison
6,000 Roper St. Francis patients’ info possibly breached in compromised email incident
Roper St. Francis Hospital officials said on Thursday that 6,000 patients were affected by an incident in which an employee's email account was accessed by someone without authorization, giving the intruder access to personal medical records and information. The incident occurred between June 13 and June 17, but Roper St. Francis officials didn't learn about it until July 8.
Warner Music discloses months-long web skimming incident
Music recording powerhouse Warner Music Group has disclosed a security incident that involved some of the company's online stores. Called "web skimming" or "magecart," this type of attack happens when hackers take control over a website and insert malicious code that logs customer details entered inside payment forms. In a data breach notification letter filed with the Office of the Attorney General in the state of California, Warner Music said it suffered one such attack earlier this year.
Oregon State University reports IT security incident
Oregon State University announced Thursday that personal information of some students and faculty may have been exposed during a recent IT security incident. A cybercriminal accessed an OSU Ecampus server that contained student and faculty directory information such as email addresses, phone numbers and mailing addresses. No social security numbers were compromised in the incident. Ecampus is the university's online education program. "We take these matters very seriously," said Steve Clark, Oregon State's vice president for university relations and marketing. "While we have no indication at this time that the personal information was seen or used, OSU has notified these students and faculty members of this incident. And we have offered information about support services that are available, including credit monitoring services that the university will enable at no cost."
Jewish Federation of Greater Washington reports $7.5 million hack
The Jewish Federation of Greater Washington reported a hack that drained $7.5 million from its endowment fund and funneled the money into international accounts. CEO Gil Preuss announced the hack to employees in a virtual call Wednesday morning, saying the initial attack targeted an employee using a personal computer while working from home.
Ministry of Justice victim of cyberattack that resulted in members of the public receiving emails with Emotet
Hackers managed to infiltrate the Justice Department's systems and even send malware to citizens who had corresponded with the affected addresses. The ministry was careful not to warn the public about the attack, but after many questions from our Bureau of Investigation it issued a terse statement last night. Quebec's justice ministry is, however, sparing with details. In its responses to the Journal, the ministry nevertheless acknowledges that the hackers managed to infect 14 mailboxes on August 11 and 12, and were able to access the email addresses of citizens who had exchanged messages with those mailboxes.
Online marketing company exposes 38+ million US citizen records
The CyberNews research team discovered an unsecured data bucket that belongs to View Media, an online marketing company. The bucket contains close to 39 million US user records, including their full names, email and street addresses, phone numbers and ZIP codes. The database was left on a publicly accessible Amazon Web Services (AWS) server, allowing anyone to access and download the data. Following the 350 million email leak covered by CyberNews earlier in August, this is the second time this summer we encountered an unsecured Amazon bucket containing such massive amounts of user data.
Facebook Halts Oculus Quest Sales In Germany Amid Privacy Concerns
Facebook has "temporarily paused" sales of its Oculus Quest headsets to customers in Germany. "Reports suggest the move is in response to concerns from German regulators about the recently announced requirement that all Oculus users will need to use a Facebook account by 2023 to log in to the device," reports Ars Technica. From the report: "We have temporarily paused selling Oculus devices to consumers in Germany," Facebook writes in a brief message on the Oculus support site. "We will continue supporting users who already own an Oculus device and we're looking forward to resuming sales in Germany soon." Facebook declined an opportunity to provide additional comment to Ars Technica. But in a statement to German News site Heise Online, the company said the move was due to "outstanding talks with German supervisory authorities... We were not obliged to take this measure, but proactively interrupted the sale."
Apple to delay privacy change threatening Facebook, mobile ad market
TSA tries out another biometric system
The Transportation Security Administration (TSA) announced that it has launched a "pilot" at Washington National Airport (DCA) of yet another scheme for biometric identification and tracking of domestic air travelers. The new "touchless ID verification" stations at DCA include a webcam (at top center of the photo), a magnetic-stripe reader (lower left) for driver's licenses and other ID cards, and a photographic scanner for passports (lower right). Travelers who volunteer to use the new system are directed to insert their driver's license, ID card, or passport into the appropriate reader, stand on a marked spot in front of the webcam, and remove their face mask, so that the image from the ID (or, more likely, from some back-end image database linked to the ID, although that hasn't been disclosed) and the image from the webcam can be compared by some undisclosed algorithm.
Facebook to list all WhatsApp security issues on a new dedicated website
Facebook will launch a new web page where the company plans to list all the vulnerabilities that have been identified and patched in the WhatsApp instant messaging service. The app maker regularly publishes WhatsApp release notes on the iOS and Google Play Store pages; however, these changelogs don't go into detailed descriptions of the patched security bugs, most of which are described only as "security fixes." Facebook says this is "due to the policies and practices of app stores," but hopes the new page will effectively work as a security-focused changelog for interested users.
Justice Dept. plans to file antitrust charges against Google in coming weeks
The Justice Department plans to bring an antitrust case against Google as soon as this month, after Attorney General William P. Barr overruled career lawyers who said they needed more time to build a strong case against one of the world's wealthiest, most formidable technology companies, according to five people briefed on internal department conversations. Justice Department officials told lawyers involved in the antitrust inquiry into Alphabet, the parent company of Google and YouTube, to wrap up their work by the end of September, according to three of the people. Most of the 40-odd lawyers who had been working on the investigation opposed the deadline. Some said they would not sign the complaint, and several of them left the case this summer. Some argued this summer in a memo that ran hundreds of pages that they could bring a strong case but needed more time, according to people who described the document. Disagreement persisted among the team over how broad the complaint should be and what Google could do to resolve the problems the government uncovered. The lawyers viewed the deadline as arbitrary.
Google rolls out Secure DNS support to Chrome for Android
Google is rolling out DNS-over-HTTPS (DoH) support to Chrome for Android, starting with devices where the web browser has been updated to version 85. DoH carries DNS resolution over encrypted HTTPS connections instead of plaintext DNS lookups, which prevents anyone monitoring your DNS traffic from seeing which sites you are browsing. The company already included the DoH secure DNS protocol in the desktop browser with the release of Chrome 83 three months ago, in May 2020. Now Google has extended DoH support to the Android version of Chrome, letting users control when the secure DNS protocol is enabled through the Secure DNS setting.
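To make the plaintext-versus-DoH distinction concrete, here is an added example (not Chrome's or Google's code, and not part of the original article) that builds a DNS query in wire format, shows the query name that a passive observer can read straight off an unencrypted UDP/53 packet, and wraps the same bytes into the RFC 8484 GET form that a DoH client sends inside TLS. The function names, the constructed query, and the resolver URL (`dnsserver.example.net`, the placeholder host used in RFC 8484's own example) are assumptions for the illustration.

```python
import base64
import struct

# Added example: RFC 1035 wire-format query and RFC 8484 DoH GET encoding.
# Function names and sample inputs are constructed for illustration.


def _encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build one standard query (RD=1, one question, QCLASS=IN).

    RFC 8484 recommends transaction ID 0 for DoH so that identical
    queries produce identical HTTP requests and cache well.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Read the question name out of a raw DNS packet.

    This is exactly what an on-path observer of plaintext UDP/53 traffic
    can recover; with DoH the same bytes travel inside TLS instead.
    """
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Encode a wire-format query as the RFC 8484 GET form.

    The query is base64url-encoded with padding removed and placed in the
    'dns' parameter; the whole URL, including this parameter, is carried
    inside the HTTPS connection to the resolver.
    """
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def decode_dns_param(value: str) -> bytes:
    """Reverse of doh_get_url's encoding (re-adds the stripped padding)."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("observer of UDP/53 sees QNAME:", parse_qname(q))
    print("DoH GET request:", doh_get_url("https://dnsserver.example.net/dns-query", q))
```

The encoded URL produced for `www.example.com` matches the worked example in RFC 8484 section 4.1.1, which is a quick way to confirm the wire format is right. Note what DoH does not hide: the resolver's hostname is still visible in the TLS handshake, so an observer learns which DoH resolver is in use, just not the names being looked up.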
European ISPs report mysterious wave of DDoS attacks
More than a dozen internet service providers (ISPs) across Europe have reported DDoS attacks that targeted their DNS infrastructure. The list of ISPs that suffered attacks over the past week includes Belgium's EDP, France's Bouygues Télécom, FDN, K-net, SFR, and the Netherlands' Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl. Attacks lasted no longer than a day and were all eventually mitigated, but ISP services were down while the DDoS was active. NBIP, a non-profit founded by Dutch ISPs to collectively fight DDoS attacks and government wiretapping attempts, provided ZDNet with additional insights into the past week's incidents. "Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs," a spokesperson said. "Most of [the attacks] were DNS amplification and LDAP-type of attacks."
MIT SCRAM: a new analysis platform for prioritizing enterprise security investments
On Thursday, MIT's Computer Science and Artificial Intelligence Lab (CSAIL) launched the Secure Cyber Risk Aggregation and Measurement (SCRAM) cryptographic platform, which aggregates data to show the weakest spots in security - and those leading to the worst financial losses. According to the researchers, at a time when many organizations are restructuring and cutting costs due to the disruption caused by COVID-19, a technological solution that is able to quantify an organization's security posture and recommend what areas to prioritize is valuable. SCRAM, developed by Taylor Reynolds, technology policy director at MIT's Internet Policy Research Initiative (IPRI), economist Professor Andrew Lo and cryptographer Vinod Vaikuntanathan, does not require users to reveal sensitive corporate data, but instead, builds its recommendations based on existing security incidents without accessing the finer points of each event.
The Joys of Owning an ‘OG’ Email Account
When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online. Because it's a relatively short username, it is what's known as an "OG" or "original gangster" account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.
CISA Orders Agencies To Set Up Vulnerability Disclosure Programs
Out of scores of federal civilian agencies, only a handful of them have official programs to work with outside security researchers to find and fix software bugs - a process that is commonplace in the private sector. From a report: Now, to put an end to the feet-dragging, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is giving agencies six months to set up the programs, known as vulnerability disclosure policies (VDPs). CISA on Wednesday issued a directive requiring agencies to establish VDPs that foreswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously and cover at least one internet-accessible system or service. It's the latest sign that federal officials are warming to white-hat hackers from various walks of life. "We believe that better security of government computer systems can only be realized when the people are given the opportunity to help," CISA Assistant Director Bryan S. Ware said in announcing the directive. The White House echoed that language in a memo to agencies backing the VDP initiative and setting deadlines for agencies to act.
Facebook Moves to Limit Election Chaos in November
The social network said it would block new political ads in late October, among other measures, to reduce misinformation and interference. Facebook on Thursday moved to clamp down on any confusion about the November election on its service, rolling out a sweeping set of changes to try to limit voter misinformation and prevent interference from President Trump and other politicians. In an acknowledgment of how powerful its effect on public discourse can be, Facebook said it planned to bar any new political ads on its site in the week before Election Day. The social network said it would also strengthen measures against posts that tried to dissuade people from voting. Postelection, it said, it will quash any candidates' attempts at claiming false victories by redirecting users to accurate information on the results.
NSA spying exposed by Snowden was illegal and not very useful, court says
Seven years after the former National Security Agency contractor Edward Snowden blew the whistle on the mass surveillance of Americans' telephone records, an appeals court has found the program was unlawful -- and that the US intelligence leaders who publicly defended it were not telling the truth. In a ruling handed down on Wednesday, the US court of appeals for the ninth circuit said the warrantless telephone dragnet that secretly collected millions of Americans' telephone records violated the Foreign Intelligence Surveillance Act and may well have been unconstitutional. Snowden, who fled to Russia in the aftermath of the 2013 disclosures and still faces US espionage charges, said on Twitter that the ruling was a vindication of his decision to go public with evidence of the National Security Agency's domestic eavesdropping operation. "I never imagined that I would live to see our courts condemn the NSA's activities as unlawful and in the same ruling credit me for exposing them," Snowden said in a message posted to Twitter.
Lawsuit Claims Yahoo Provided China With Information on Political Dissidents
A survivor of the 1989 Tiananmen Square massacre is suing Yahoo! for helping China capture political dissidents, claiming in a federal lawsuit that he was arrested, tortured and imprisoned after the web provider gave the contents of his email account to party officials.
India bans 118 Chinese apps, accusing companies of stealing data
India has banned 118 more Chinese apps as the backlash intensified against Beijing over an increasingly bitter border showdown between the giant neighbours. The government said on Wednesday the apps -- including the popular video game PUBG and other services provided by Chinese internet giant Tencent -- promoted activities "prejudicial to sovereignty and integrity of India, defence of India, security of state and public order". The PUBG mobile app has millions of young users in India. The company said it had been made aware of the government action but had no comment. PUBG was developed by a South Korean company, but the mobile version that has taken off around the world was developed by Tencent. Other apps targeted by India include games, online payment services, dating sites and even software to edit selfies.
Google removes Android app that was used to spy on Belarusian protesters
Google has removed this week an Android app from the Play Store that was used to collect personal information from Belarusians attending anti-government protests. The app, named NEXTA LIVE (com.moonfair.wlkm), was available for almost three weeks on the official Android Play Store, was downloaded thousands of times and received hundreds of reviews. To get installs, NEXTA LIVE claimed to be the official Android app for Nexta, an independent Belarusian news agency that gained popularity with anti-Lukashenko protesters after exposing abuses and police brutality during the country's recent anti-government demonstrations. However, in a statement published on Telegram last week, Nexta said the app was not associated with its service and was designed to collect data from users and de-anonymize protest-goers.
Chinese Hackers Use Fresh Trojan for Espionage
Proofpoint reports that a Chinese hacking group targeted European organizations, as well as Tibetan dissidents, with a new remote access Trojan called "Sepulcher" as part of a cyberespionage campaign. Once installed within a compromised device, the Trojan can obtain information about the infected host's drives, file information, directory statistics, directory paths, directory content, running processes and services, Proofpoint says in its new report. The Sepulcher Trojan also can delete files and services as well as execute commands within infected devices. The hackers deploying the Trojan used carefully crafted phishing emails to help deliver the malware to unsuspecting victims, according to Proofpoint. This included the use of messages that appear to come from the World Health Organization and contain details about the COVID-19 pandemic.
New Python-scripted trojan malware targets fintech companies
A well-resourced hacking operation has deployed newly developed trojan malware in a campaign targeting financial tech organisations with the aim of stealing email addresses, passwords and other sensitive corporate information -- and the malicious code is bundled inside code ripped from legitimate applications. Known as Evilnum, the advanced persistent threat (APT) group first emerged in 2018 and one of the reasons for their success is how often they've changed tools and tactics as they take aim at targets related to Fintech mostly located in Europe and the UK, although some victims are located in the Americas and Australia. Uncovered by cybersecurity researchers at Cybereason who've dubbed it PyVil RAT, the trojan allows attackers to secretly steal corporate information through the use of keylogging and taking screenshots, as well as the ability to collect information about the infected system, including which version of Windows is running, what anti-virus products are installed and whether USB devices are connected.
Epic Fail: Emotet malware uses fake ‘Windows 10 Mobile’ attachments
The Emotet malware is now using malicious email attachments that pretend to be made by Windows 10 Mobile, an operating system that reached end of life in January 2020. The Emotet botnet spreads through spam emails that contain malicious Word documents. These Word documents contain malicious macros that download and install Emotet on a victim's computer when enabled. Once installed, Emotet steals the victim's email to use in additional spam campaigns and downloads and installs other malware such as TrickBot and QBot, which commonly lead to network-wide ransomware attacks.
Backdoors left unpatched in MoFi routers
Canadian networking gear vendor MoFi Network has patched only six of the ten vulnerabilities that security researchers reported to the company earlier this year, in May. A command injection vulnerability and three hard-coded, undocumented backdoor mechanisms remain unpatched, all affecting the company's line of MOFI4500-4GXeLTE routers. These devices are very powerful business routers that MoFi describes as a "high performance mission critical enterprise rugged metal router made for businesses or customers." MOFI4500-4GXeLTE routers provide high-bandwidth connections to business users via LTE (4G) uplinks and are normally deployed by internet service providers or other companies that need to ensure internet access at remote business sites where normal wired internet connections aren't available.
16-Year-Old Arrested for Cyberattacks on School's Online Learning Systems
A high school junior was arrested for allegedly launching a cyber attack on the web-based systems used by their Florida school district for online learning. The unidentified 16-year-old attends South Miami Senior High School, part of the Miami-Dade public school district. The student admitted to orchestrating eight DDoS (Distributed Denial of Service) cyber attacks meant to take down school district networks, including the web architecture propping up My School Online. The district has experienced more than a dozen cyber attacks since the 2020-2021 school year started. The student is charged with "computer use in an attempt to defraud," a third-degree felony, and "interference with an educational institution," a second-degree misdemeanor.
RCMP charge 2 Montreal men in cyberattacks at Canadian Tire, BMO and Simplii
The RCMP have laid charges against two Montrealers after an investigation into high-profile cyberattacks at Canadian Tire, Bank of Montreal and Simplii a few years ago. The RCMP said in a press release Thursday that Jacob Costanzo-Peterson and Félix Costanzo-Peterson have been charged with unauthorized use of a computer, identity theft and possession of a device to obtain unauthorized use of computers. The charges stem from an investigation the RCMP launched in 2017, after Canadian Tire reported that its customer loyalty rewards program had been breached and some customer information was stolen.
FBI: Thousands of orgs targeted by RDoS extortion campaign
The FBI warns US companies that thousands of organizations around the world, from various industry sectors, have been threatened with DDoS attacks within six days unless they pay a Bitcoin ransom. The threat actors behind this large and ongoing ransom DDoS (RDDoS or RDoS) campaign, which started on August 12, 2020, are posing as well-known hacking groups such as Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective in the ransom notes delivered to the targeted companies. In the MU-000132-DD Flash Alert seen by BleepingComputer and distributed to US companies last week, the US domestic intelligence service also adds that the criminal gang is currently targeting organizations in the retail, financial, travel, and e-commerce industry verticals.
CNN-News18 allegedly hacked to deny PayTM hack claims
A hacking group claims to have breached India's CNN-News18 news site and used it to refute claims that they hacked PayTM Mall earlier this week, BleepingComputer has learned. News18 is an English-language news channel that provides Indian and local news via the Indian Broadcasting Network and international news in a partnership with CNN. A hacker group that goes by the names "John Wick" and "Korean Hackers" has provided BleepingComputer with information on the hacking of the Indian Prime Minister's Twitter account and the online systems of the popular Indian news channel News18.
DDoS Attacks Disrupt Miami-Dade Public Schools Virtual Learning Classes, Police Looking for Culprits
The Miami-Dade school year is off to a rocky start, with thousands of students unable to connect to their virtual online classes through the K12 e-learning platform due to software glitches and DDoS attacks on school network systems. "As we launched the 2020-2021 school year this week using our distance learning platform, My School Online (MSO), Miami-Dade County Public Schools (M-DCPS) faced a number of connectivity issues, resulting from both a software malfunction and malicious cyber attacks," M-DCPS said. "Today, M-DCPS learned from its Internet Service provider Comcast that our systems had also been targeted by Distributed Denial-of-Service cyber attacks during the first two days of distance learning."
Former IT director gets jail time for selling government's Cisco gear on eBay
A South Carolina man was sentenced this week to two years in federal prison for taking government-owned networking equipment and selling it on eBay. The man, Terry Shawn Petrill, 48, of Myrtle Beach, worked as the IT Security Director for Horry County in South Carolina, the Department of Justice said in a press release on Tuesday. According to court documents, "beginning on June 11, 2015, through August 23, 2018, Petrill ordered forty-one Cisco 3850 switches that were to be installed on the Horry County network." US authorities said that through the years, when the switches would arrive, Petrill would take custody of the devices and tell fellow IT staffers that he would handle the installation alone.
AlphaBay dark web marketplace moderator gets 11 years in prison
Bryan Connor Herrell, a 25-year-old from Colorado, was sentenced to 11 years of prison time for acting as a moderator on the dark web marketplace AlphaBay. According to court documents, between May 2016 and July 2017, Herrell acted as a marketplace moderator and a scam watcher known under the 'Penissmith' and 'Botah' nicknames. During this time, he settled more than 20,000 disputes between AlphaBay vendors and buyers, while being paid by the marketplace owners in Bitcoin. Herrell was indicted on racketeering charges as shown by an indictment filed in December 2017 and unsealed in June 2019. He pleaded guilty to the charges on January 27, 2020. The court sentenced him to 11 years in prison, even though after pleading guilty he was facing a maximum statutory penalty of 20 years.
Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496
In September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for vBulletin, a popular forum software. At that time, Unit 42 researchers published a blog on this vBulletin vulnerability, analyzing its root cause and the exploit they found in the wild. By exploiting this vulnerability, an attacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organizations out from their own sites. Recently, Unit 42 researchers found exploits in the wild leveraging the vBulletin pre-auth RCE vulnerability CVE-2020-17496. The exploits are a bypass of the fix for the previous vulnerability, CVE-2019-16759, which allows attackers to send a crafted HTTP request with a specified template name and malicious PHP code, and leads to remote code execution. More than 100,000 sites are built on vBulletin, including the forums of major enterprises and organizations, so it's imperative to patch immediately.
Microsoft Defender can ironically be used to download malware
A recent update to Windows 10's Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer. Legitimate operating system files that can be abused for malicious purposes are known as living-off-the-land binaries or LOLBINs. In a recent Microsoft Defender update, the command-line MpCmdRun.exe tool has been updated to include the ability to download files from a remote location, which could be abused by attackers. With this new feature, Microsoft Defender is now part of the long list of Windows programs that can be abused by local attackers.
Cisco fixes critical code execution bug in Jabber for Windows
Cisco addressed a critical severity remote code execution vulnerability affecting multiple versions of its Cisco Jabber for Windows software. Cisco Jabber for Windows is a desktop collaboration app designed to provide users with presence, instant messaging (IM), cloud messaging, desktop sharing, as well as audio, video, and web conferencing. The vulnerability was found and reported by Olav Sortland Thoresen of Watchcom. The Cisco Product Security Incident Response Team (PSIRT) says that the flaw is not currently exploited in the wild. The security flaw tracked as CVE-2020-3495 received an almost maximum 9.9 CVSS base score from Cisco and it is caused by improper input validation of incoming messages' contents.
Magento plugin Magmi vulnerable to hijacking admin sessions
A cross-site request forgery (CSRF) vulnerability continues to be present in the Magmi plugin for Magento online stores, despite developers receiving a report from researchers that discovered it. Hackers can use the flaw to execute arbitrary code on servers running Magmi (Magento Mass Importer) by tricking authenticated administrators into clicking a malicious link. The plugin works as a Magento database client that can add a large number of products (millions, according to its wiki page) to a catalog or update it.
Somerset Berkley Regional High School a victim of ransomware attack
Somerset Berkley Regional High School was a victim of a ransomware attack, according to a letter sent to parents by Superintendent Jeffrey Schoonover. On July 17, some high school computer systems were encrypted, which means they could no longer operate.