Updated on 2022-09-30
Open-source software is becoming increasingly prone to cyberattacks. A North Korean hacking group has been found employing custom malware-laced software installers against multiple industries. No matter how large a company is, it can be a potential target. A number of leading semiconductor companies became victims of ransomware attacks and extortion attempts this year. Amidst all this, a new ransomware gang is gaining notoriety for the chaos it is creating. Let’s find out what else brewed in the cybersecurity space in the last 24 hours.
More highlights from the past 24 hours
- Swachh City, an Indian government complaint redressal platform, suffered a data breach that leaked the personal information of 16 million users. According to CloudSEK, a threat actor named LeakBase shared a database that included email addresses, usernames, password hashes, mobile numbers, and other details of the affected users. Read more: Swachh City Platform Suffers Data Breach Leaking 16 Million User Records
- IceFire, a relatively new ransomware group that was first observed in March 2022, ranked in the top three most active threat groups observed by NCC Group in its report. It noted that IceFire ransomware has been deployed against English-speaking organizations.
- The European Commission published new liability rules on defective digital products and AI-related damage to prevent consumer distress, making manufacturers liable for compensation when they fail to address cybersecurity vulnerabilities. Read more: Manufacturers Failing to Address Cybersecurity Vulnerabilities Liable Under New European Rules
- An early-stage Israeli startup, Ox Security, raised $34 million in seed-stage financing to protect software supply chains. The round included Evolution Equity Partners, Team8, Rain Capital, and M12, Microsoft’s venture fund. Read more: Investors Bet on Ox Security to Guard Software Supply Chains
Lightspin CISO Jonathan Rau held an AMA session on Reddit this week on his journey of becoming a CISO without having a college degree or cybersecurity certifications. Read more: I became a Chief Information Security Officer without having a college degree. Ask me anything!
Infosec F1 news
In recent years, cybersecurity firms have been rushing to sponsor F1 cars, and most of the sponsor slots have been filled for a couple of seasons now. Nevertheless, Bitdefender is now Ferrari’s sponsor, replacing Kaspersky, which is probably not having one of its best financial years right now. Because… reasons.
Talks from the HITCON PEACE 2022 security conference, which took place earlier this month, are now available on YouTube.
New red team tool—VirusTotalC2
Red team developer D1rkMtr has open-sourced a new tool named VirusTotalC2 that abuses the fact that the VirusTotal API URL might be whitelisted in some corporate networks to host command-and-control traffic inside VirusTotal comments.
Edgeless Systems has open-sourced a new tool named Constellation, a Kubernetes engine that wraps K8s clusters in a confidential wrapper that encrypts all data and separates it from the underlying cloud infrastructure. Read more: Hi open-source community, confidential Kubernetes is now on GitHub!
Medical device vulnerabilities
Trustwave researchers have published a write-up on two vulnerabilities in Canon Medical’s Vitrea View toolkit for viewing medical images. Researchers say that exploiting these vulnerabilities could allow an attacker access to patient information. Read more: CVE-2022-37461: Two Reflected XSS Vulnerabilities in Canon Medical’s Vitrea View
Stacked VLAN vulnerability
Security researcher Etienne Champetier has discovered a suite of vulnerabilities in the implementations of the VLAN Stacking (or QinQ) feature of modern routers and networking equipment. Champetier said in a write-up on Wednesday that these bugs can be exploited to crash devices or carry out MitM attacks on the encapsulated VLANs. Several major companies like Cisco, Arista, Juniper, and Microsoft have confirmed that their devices are vulnerable and have released patches.
Read more in
- Layer 2 network security bypass using VLAN 0, LLC/SNAP headers and invalid length
- Vulnerabilities in Layer 2 Network Security Controls Affecting Cisco Products: September 2022
- Security Advisory 0080
Matrix protocol vulnerabilities
Security researchers disclosed this week “several practically-exploitable cryptographic vulnerabilities” in the Matrix end-to-end encryption protocol. The research team said the vulnerabilities could be exploited to break the confidentiality of Matrix-based apps and even run MitM attacks on participants. The Matrix team released security updates this week to address all issues. You can learn more about this research from this Twitter thread from Latacora founder Thomas Ptacek.
In a series of tweets on Wednesday, ESET said it was able to finally attribute an APT operation targeting macOS users that they spotted in July (which they named CloudMensis) to the ScarCruft North Korean cyber-espionage group.
Read more in
In July, #ESETresearch reported on macOS spyware we dubbed CloudMensis. In the blogpost, we left the malware unattributed. However, further analysis showed similarities with a Windows malware called #RokRAT, a #ScarCruft tool. @marc_etienne_, @pkalnai 1/9 https://t.co/7RFLwC952J
— ESET research (@ESETresearch) September 28, 2022
Security researcher Vlad Pasca has a breakdown of the CredoMap infostealer, linked to past APT28 operations in Ukraine.
Prilex PoS malware
Kaspersky researchers have published a report on the evolution of Prilex, a Brazilian cybercrime group active since 2014. The report details how the group evolved from performing ATM jackpotting attacks to creating and deploying their own strain of Point-of-Sale malware.
TP-Link credentials for sale
Security firm CyFirma said it spotted threat actors selling credentials for compromised TP-Link devices to serve as initial access inside organizations’ networks for other cybercrime groups. In addition, CyFirma said it also saw threat actors looking to collaborate with other gangs on exploiting older TP-Link vulnerabilities. Read more: Thousands of TP-Link Routers Vulnerable, Can be Exploited by Multiple Hackers
Hacktivist activity in Iran
Israeli security firm Check Point said it’s seeing an increased number of hacking groups using Telegram, Signal, and the dark web to help anti-government protestors in Iran bypass regime restrictions. Read more: Hacker Groups take to Telegram, Signal and Darkweb to assist Protestors in Iran
Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations. [Check Point Research] sees the sharing of open VPN servers to bypass censorship and reports on the internet status in Iran, as well as the hacking of conversations and guides.
REvil insider worked with infosec firm
Security firm Trellix said in a report on Thursday that back in 2019, after they published an initial article on the REvil ransomware strain, a “disgruntled internal source” who worked with the gang provided them with valuable insight into how the group operates, including taking a Trellix researcher for a tour around the REvil RaaS backend. Read more: Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence
The source shared multiple screenshots of the actual REvil backend panel. The left side of the panel showed an overview of the infected victims, including country and ransom price. The middle column showed the details of a single infection that was transmitted back via the config file. The right screen shows snippets of the multiple negotiation chats that were ongoing. One of the most important findings from the screenshots was that it confirmed our affiliate ID hypothesis. As visible in figure 8, it clearly shows the affiliate moniker name and their affiliate ID number in brackets; the other value was the campaign ID for the specific campaign. Essentially this means this backend system had the complete affiliate roster and would make attribution a lot easier.
Botnet creator pleads not guilty
A Northern Ireland teen pleaded not guilty to creating a DDoS botnet back in 2018 that was used to attack a large number of targets, including the servers of British and Czech police. Read more: First picture of British teen accused of ‘crashing global financial institutions’: 18-year-old denies creating virus that hit Nationwide and server hosting KSI and Logan Paul boxing match aged 14
Abdilo to be extradited to the US
An Aussie court has approved the extradition of David Kee Crees, known as Abdilo, to the US, where he will face 22 counts of hacking and fraud-related charges. Crees was first raided in 2015 in connection with various incidents, and the US pressed charges against him in 2021 for other, more recent hacks.
Read more in
- SCOOP: Australian national known as “DR32” to stand trial in U.S. on hacking charges
- Abdilo, infamous Australian teen hacker, raided by police and ordered to surrender passwords
eBay security execs get prison sentences
Two former execs that were part of eBay’s security team were sentenced to 57 and 24 months in prison, respectively, for a coordinated harassment campaign against two of the site’s users. Read more: Two Former eBay Executives Sentenced to Prison for Cyberstalking
Fake CISO profiles
As infosec reporter Brian Krebs found this week, an unknown threat actor has been creating fake LinkedIn profiles claiming to be CISOs for various large enterprises. Read more: Fake CISO Profiles on LinkedIn Target Fortune 500s
Taiwan invests in cybersecurity defense
In the aftermath of Russia’s invasion of Ukraine, and after seeing the role cyber operations played in the conflict, a Taiwanese semiconductor magnate is funding a new cyber defense training course for Taiwanese citizens. According to Axios, Taiwanese tech tycoon Robert Tsao has invested $20 million in Kuma Academy, a company founded last year that promised to train more than 3 million Taiwanese citizens for a potential Chinese invasion and the online disinformation and hybrid warfare that could accompany it. Read more: Taiwanese citizens prepare for possible cyber war
Hungary buys social media-tracking services
The Hungarian government has acquired the services of Avnan Group, an Israeli company that sells software for mapping and tracking social media activity. Avnan Group representatives told Israeli media this week that the contract has been approved by the Israeli Defense Ministry, but the sale is controversial nevertheless, as Hungary is one of the three EU member states that have been caught using spyware against journalists and political rivals, and the EU Parliament recently updated the country’s designation from a democracy to an autocracy.
Read more in
- Israeli firm to sell social media-tracking software to Orban’s Hungary
- Pegasus scandal: In Hungary, journalists sue state over spyware
- MEPs: Hungary can no longer be considered a full democracy
Germany launches IT security labels
The German government has expanded its IT Security Label program to new categories of products this week. The BSI launched the program last year for routers and email services, and then expanded it to cameras, speakers, cleaning and gardening robots, smart toys, and smart TVs. From this week, almost all smart home consumer products are eligible to carry a security label when sold in Germany, showing that they meet basic security standards. Read more: IT security label now available for all “smart consumer devices”
US federal cyber insurance program
CISA and the US Treasury are asking for feedback on the possibility and feasibility of establishing a federal cyber insurance program. In particular, the agencies want to know whether the program should require policyholders to implement basic cybersecurity measures. Requiring agencies and local governments to implement basic security measures would avoid the moral hazard of organizations intentionally avoiding investment in cybersecurity, knowing the federal insurance program would cover the costs of an incident. Read more: Treasury Seeks Comment on How to Structure a Cyber Insurance Program
Former NSA employee detained
The DOJ announced criminal charges against a former NSA employee who worked at the agency for less than a month but had enough time to steal and then attempt to sell top secret documents to a foreign agent—actually, an undercover FBI agent. The DOJ said the suspect, identified as Jareh Sebastian Dalke, 30, stole and attempted to sell documents on foreign targeting of US systems and information on US cyber operations. Read more: Former NSA Employee Arrested on Espionage-Related Charges
UK NCSC CEO keynote speech
Here’s the full keynote speech given by Lindy Cameron, the CEO of the UK National Cyber Security Centre, at the Chatham House security and defense conference 2022, where she discussed, among other things, Russia’s cyber operations in Ukraine. Read more: Lindy Cameron at Chatham House security and defence conference 2022
Brave ships cookie consent blocker
The Brave team has released a new version of its browser that now comes with a built-in system to block those annoying cookie consent popups. Read more: Blocking annoying and privacy-harming cookie consent banners
Results about you
Google launched this week a new tool called “Results about you” that will notify users when Google indexes new web pages that contain a user’s personal data. Users then have the option to request that Google removes these pages from future search listings. Google announced the tool earlier this year. Read more: A new Search tool to help control your online presence
The tool is available from the Google app and the web beginning today, in the US for English to start (we’re looking to expand the tool globally in the future). Click the three dots next to any result to open the “About this result” panel, then use the “Remove result” option…
— Google SearchLiaison (@searchliaison) September 28, 2022
Kazakhtelecom, Kazakhstan’s national telecom provider, said it suffered a massive DDoS attack from locations “abroad” at the end of last week. Read more: Information notice
BXH hacked twice
DeFi cryptocurrency platform BXH was hacked twice over the past week, according to blockchain security firm SlowMist. The first incident took place on September 23, and the company lost $2.5 million worth of BXH tokens after one of the developers’ private keys was stolen. The second incident took place on September 27, and the company lost $40,085 during a flash loan attack.
Read more in
- BXH’s Announcement on the Solution For Asset Migration of DeFi 23 Sep 2022
- Security team: funds suspected stolen from BXH on September 21 are on the move, 1,865 ETH transferred to Tornado Cash
- BXH‘s latest announcement on compensation program 30 Sep 2022
- BXH suffers another flash loan attack, attacker profits 31,794 USDT
Updated on 2022-09-29
As the military industry is critical to a nation’s development and security, threat actors don’t leave any stone unturned to steal highly confidential technologies and documents. In that vein, a stealthy campaign has been targeting U.S. military contractors. IRS-themed phishing attacks are back and taxpayers should be worried and wary. As per a new update, the fallout from the Optus breach keeps increasing. Let’s move on to the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- Researchers traced around 700 ransomware incidents to wholesale access markets, where people sell compromised endpoints and access over several remote protocols. Read more: Nearly 700 ransomware incidents traced back to wholesale access markets: report
- Akamai identified almost 79 million malicious domains in H1 2022, collectively representing more than 20% of newly observed domains. Read more: Flagging 13 Million Malicious Domains in 1 Month with Newly Observed Domains
- Sysdig researchers found that for every $1 worth of cryptocurrency earned by cryptomining attackers on cloud servers, victims end up losing $53. The biggest loss comes from TeamTNT attacks. Read more: Sysdig 2022 Threat Report: Cloud-native threats are increasing and maturing
Antivirus maker Avast open-sourced on Tuesday a new tool called YARI that works as a debugger for writing YARA rules. YARI is written in Rust and is available as a Python package and as a module for the YARA Language Server (YLS).
New tool—DNS Reaper
UK DevOps security firm Punk Security open-sourced last month a new tool called DNS Reaper that can scan and test domains for subdomain takeover attacks. Read more: punk-security/dnsReaper
SentinelOne has a report out on Operation In(ter)ception, a Lazarus APT op targeting macOS users with cryptocurrency sector-related job offers. Read more: Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto
A fun and puzzling thread from Kaspersky’s Costin Raiu on still-unattributed APTs. If you don’t wanna go on Twitter, the list includes Project TajMahal, DarkUniverse, PuzzleMaker, Project Sauron (Strider), some clever USB worm, White Tur, PlexingEagle [PDF], SinSono, AcidBox, and Metador.
Here's my top 10 big "unattributed" #APT mysteries:
— Costin Raiu (@craiu) September 23, 2022
Academics from Carnegie Mellon University open-sourced Vultron, a new protocol for multi-party coordinated vulnerability disclosure (MPCVD), designed specifically for coordinating across multiple parties, including both researchers and equipment vendors. Read more: Vultron: A Protocol for Coordinated Vulnerability Disclosure
Fake Cloudflare CAPTCHA pages
Sucuri said it was tracking a malware distribution campaign using fake Cloudflare CAPTCHA solving pages to trick users into downloading and installing malware on their devices. Read more: New Malware Variants Serve Bogus CloudFlare DDoS Captcha
Scammers target Russian draft dodgers
The security team of Russian bank Sberbank said it spotted a new scam going online, with cybercrime groups offering fake certificates of unfitness for military service—also known as white military IDs—to Russian men trying to avoid being mobilized by state authorities and sent to the Ukrainian front. Read more: Sberbank warns of fraud involving the sale of supposedly “white” military IDs
Scammers capitalize on energy crisis
In the meantime, scammers on the other side of the continent are also capitalizing on the war in Ukraine and its aftermath. Dutch police said on Tuesday that they had received more than 500 reports about more than 60 webshops advertising wood pellets and firewood for the upcoming winter and a possible energy and heating crisis, but never delivering the paid goods. Read more: Scammers capitalize on the energy crisis
New method of deleting volume shadow copies
VMware’s security team published a report last week on a new technique they encountered in the wild, used by the Hello ransomware gang to delete volume shadow copies on systems they encrypted. Deleting volume shadow copies prevents the recovery of previous versions of deleted or encrypted files. Normally, security software watches for apps trying to delete volume shadow copies, but VMware says this technique can “bypass many forms of detection and prevention.”
Read more in
This is the method that was developed by vx-underground member @am0nsec. The code base was developed and documented 14 months ago. It is interesting that @VMware did not know this…https://t.co/Zy97gfqEFT
— vx-underground (@vxunderground) September 27, 2022
DDoS threat landscape
Network security company Netscout has published a report on the DDoS threat landscape for the first half of the year. Main findings below:
- There were 6,019,888 global DDoS attacks in the first half of 2022.
- Malware botnet proliferation grew at an alarming rate, from 21,226 nodes tracked in the first quarter to 488,381 nodes in the second, resulting in more direct-path, application-layer attacks.
- When direct attacks failed, attackers switched to DNS water-torture attacks, and this trend accelerated into 2022 with a 46% increase primarily using UDP query floods against DNS nodes.
- Similarly, DDoS carpet-bombing attacks experienced a big comeback toward the end of the second quarter.
- The new TP240 PhoneHome reflection/amplification DDoS vector was discovered in early 2022 with a record-breaking amplification ratio of 4,293,967,296:1; swift action eradicated the abusable nature of this service.
- TCP-based flood attacks (SYN, ACK, RST) remain the most used attack vector, with approximately 46% of all attacks continuing a trend that started in early 2021.
- DNS amplification attacks decreased by 31% from 2H2021 to 1H2022.
Read more: DDoS THREAT INTELLIGENCE REPORT
Phishing gang detained in Turkey
Turkish authorities said they detained a ten-member cybercrime gang in the Diyarbakır province. Authorities said the group ran email-based phishing campaigns through which they collected their victims’ passwords for various online accounts. Four members were released, while six remain in custody. Read more: Data hunt operation in 7 provinces: hacker gang dismantled
National Cyber Power Index 2022
Belfer Center’s ranking that rates and organizes countries based on their “cyber power” has reached its second edition. In the spirit of all cyber-related academic research, please don’t forget to go on social media to criticize its methodology and attack the authors if your country is not on the list at the position you envisioned. Read more: National Cyber Power Index 2022
Securing the IoT landscape
The Atlantic Council think tank has published a paper on the policy challenges of securing the IoT landscape in countries such as the UK, the US, Singapore, and Australia. Read more: Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem
US Coast Guard cyberspace workforce report
A GAO report found several deficiencies in how the US Coast Guard manages its cybersecurity workforce, including a possible disconnect with the staffing levels needed to meet its cyberspace mission demands. Based on the most recent data, the Coast Guard has filled 91% of its cybersecurity roles, but since the agency lacks an assessment of the actual number of cyberspace experts needed for its mission, the staff shortage could actually be higher than 9%. Read more: Coast Guard: Workforce Planning Actions Needed to Address Growing Cyberspace Mission Demands
Ukraine warns that the Kremlin is preparing cyber-attacks
Officials from the Main Directorate of Intelligence of the Ministry of Defense of Ukraine said on Monday that Russia is preparing “massive cyberattacks” on the critical infrastructure of Ukraine and its allies. Read more: Occupiers are preparing massive cyberattacks on critical infrastructure facilities of Ukraine and its allies
With this, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine. The occupying command is convinced that this will slow down the offensive actions of the Ukrainian Defense Forces. The Kremlin also intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine’s closest allies, primarily Poland and the Baltic states.
Rust coming to Linux 6.1
The first components written in the Rust programming language are coming to the official Linux kernel with its upcoming v6.1 release, Linus Torvalds announced last week, speaking at the Kernel Maintainers Summit. Read more: Linus Torvalds: Rust will go into Linux 6.1
Tracking via parking apps
In a study conducted between June and September 2022, security researcher Inti De Ceukelaire said he was able to track down cars based on data made available by parking applications. De Ceukelaire said he was able to find the cars of 35 of 120 volunteers (29%) who signed up for the study just by querying parking apps for certain license plates. The study’s results are available in this paper and are also summarized in this Twitter thread.
Read more in
- Stop parking apps from exposing your location.
- “Hey Siri, follow that car!” How traffic cameras expose your location through parking apps. DE CEUKELAIRE Inti – 26.09.2022
TikTok fine coming in the UK
The UK’s data privacy watchdog, the Information Commissioner’s Office, said this week that TikTok could face a £27 million fine in the country following an investigation that found that the company failed to protect children’s privacy on its service. More specifically:
- TikTok processed the data of children under the age of 13 without appropriate parental consent,
- TikTok failed to provide proper information to its users in a concise, transparent, and easily understood way, and
- TikTok processed special category data without legal grounds to do so.
The ICO issued a notice of intent to TikTok this week, and the company will have an opportunity to respond before the possible fine is imposed. Read more: ICO could impose multi-million pound fine on TikTok for failing to protect children’s privacy
Cheat maker says game studio hacked its employee
Bungie, the maker of the Destiny video game series, has been countersued by the popular cheat maker AimJunkies over claims that Bungie violated the DMCA on AimJunkies cheats, hacked one of their contractor’s computers, and violated copyright law by reverse engineering the software to build countermeasures against it. Read more: Cheat Maker Sues Bungie for Hacking Its ‘Destiny 2’ Hacks
Ukraine backtracks on Viasat hack aftermath
Earlier this year, Victor Zhora, deputy chairman and chief digital transformation officer at the State Service of Special Communications and Information Protection in Ukraine, told media outlets that the hack of the Viasat satellite internet network led to a “huge huge loss in communications in the very beginning of war.” But in an interview with natsec reporter Kim Zetter at the LABScon security conference last week, Zhora said there was a misunderstanding around that quote. Zhora said that while there was a loss of communications for the Ukrainian military’s Viasat connectivity, troops coordinated operations just fine, as their primary means of communications were landlines, with Viasat being only its backup solution. Read more: Viasat Hack “Did Not” Have Huge Impact on Ukrainian Military Communications, Official Says
Updated on 2022-09-28
Today we have two servings of data breaches for the headlines. While one victim is a defense giant subsidiary in the U.S., the other is a healthcare entity that had to notify hundreds of thousands of its patients of the breach. In other news, all our fears have come true as a newborn ransomware group has already resorted to using LockBit’s leaked builder code for its own attacks. Without much ado, let’s move on to the top 10 highlights from the past 24 hours.
More highlights from the past 24 hours
- An IT security assessment discovered that over 50% of the network switches at the Harlingen VA Health Care Center, Texas, run outdated operating systems, with deficiencies in configuration management, contingency planning, and access controls. Read more: Over Half of Operating Systems at VA Medical Center in Texas are Outdated, Watchdog Finds
- The Anonymous collective launched Operation Iran against Tehran by disrupting intelligence and police websites. The hacktivists called for DDoS attacks on Iranian websites. Read more: OpIran: Anonymous launched Operation Iran against Teheran due to the ongoing crackdown on dissent after Mahsa Amini’s death.
- New report from Trellix suggests that the average SecOps team has to manage 51 incidents every day, while 36% of 9,000 respondents stated that they deal with 50–200 daily incidents. Read more: Global Firms Deal with 51 Security Incidents Each Day
- A recent survey by SANS Institute reveals that an ethical hacker can find a bug, breach the network perimeter, and exploit the environment in less than 10 hours. Once a flaw is found, 58% of hackers can break into a network within five hours. Read more: Most Attackers Need Less Than 10 Hours to Find Weaknesses
- New York-based MPCH Labs bagged $40 million in Series A funding, led by Liberty City Ventures, with QCP Capital, Mantis VC, Human Capital, and others as participants. Read more: MPCH Raises $40M for New Crypto Security Product
- Software firm Jamf signed a definitive agreement to acquire ZecOps, a mobile detection and response platform. The deal is to close by 2023. Read more: Jamf buys ZecOps to bring high-end security to Apple enterprise
San Francisco police can now access the private security cameras belonging to residents as part of “significant events with public safety concerns”.
Perhaps I should be more alarmed, but this is only possible with the permission of the camera owner. It’s not like they’re compelling people to grant access. Effectively it’s granting police more eyes in the city, and doing so with the explicit help of citizens seems like a best-case scenario. Read more: San Francisco cops can use private cameras to live-monitor ‘significant events’
Researchers have figured out how to read people’s screens during Zoom/Meet/WebEx calls by reading the reflections in participants’ glasses.
They can evidently read text as small as 10mm with 75% accuracy with just a 720p webcam.
Read more in
- Eyeglass Reflections Can Leak Information During Video Calls
- Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing
The Pentagon has ordered a review of US Information Warfare operations being conducted via social media platforms.
Twitter and Meta both identified networks of fake accounts connected to the US Military, and the DoD is asking all branches of the military to fully report their Information Warfare ops by next month. Some examples included the use of AI-generated faces and posing as fake media organizations. Read more: The Pentagon has ordered a review of US psyops on social media
A leak of around 160,000 files from Russia’s internet regulation agency has revealed its extensive censorship and targeting of dissidents.
It highlights the campaign to identify protest sentiments and de-anonymize and surveil prominent critics. The docs were leaked in March, and the New York Times built software to index and search the documents, spreadsheets, videos, and presentations for individuals and topics of interest.
Updated on 2022-09-27
App stores across all major operating systems promise to keep malicious apps out; however, cybercriminals manage to bypass these filters time and again. This day brings us the news of dozens more malicious apps on the two biggest mobile app stores conducting ad fraud. These apps have been installed millions of times. Isn’t that scary? We also have a ransomware group targeting SQL servers, but how? Not known. In other news, a Chinese APT group is targeting Tibetan entities to drop a new backdoor. Read along for more from the past 24 hours.
More highlights from the past 24 hours
- Researchers spotted 75 apps on Google Play and 10 on App Store performing ad fraud as part of a campaign dubbed Scylla. These apps have been downloaded over 13 million times. Read more: Adware on Google Play and Apple Store installed 13 million times
- Mysterious Team Bangladesh, a Bangladeshi hacktivist group, was found targeting websites and servers belonging to Indian state governments via DDoS attacks. Read more: Bangladeshi hacktivist group targeting Indian govt websites, servers
- Hackers leaked the medical records, lab analyses, and social security numbers of patients from the Corbeil-Essonnes hospital, near Paris, after the healthcare entity refused to pay the ransom. Read more: Hackers Leak French Hospital Patient Data in Ransom Fight
- San Francisco-based SecurityPal raised $21 million in Series A funding, led by Craft Ventures, with Martin Casado, Frederic Kerrest, and others as participants. Read more: SecurityPal Raises $21M in Series A Funding
- IBM announced the expansion of its collaboration with Historically Black Colleges and Universities (HBCUs), spreading its Cybersecurity Leadership Centers to 14 new schools across 11 U.S. states. Read more: IBM expands HBCU cybersecurity center program to 20 schools
Quarkslab has open-sourced Quokka, a binary exporter to manipulate a program’s disassembly without a disassembler. The source code is on GitHub.
DevOps security firm Chainguard open-sourced Wolfi last week, a stripped-down Linux distribution designed to improve the security of the software supply chain.
Read more in
- Jit and ZAP: Improving programming security
- New ‘Wolfi’ Linux Distro Focuses on Software Supply Chain Security
RomHack Camp stream
A recorded live stream of the RomHack Camp 2022 security conference, which took place over the weekend, is now available on YouTube.
@x86matthew, a security researcher with MDSec Labs, has published a write-up on how he exploited a vulnerability (CVE-2022-40286) in a Windows Seagate media service to elevate privileges to SYSTEM level. Read more: Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286)
WhatsApp September security updates
WhatsApp has published fixes for two vulnerabilities in its Android and iOS apps. Both issues (CVE-2022-27492 and CVE-2022-36934) allow for remote code execution scenarios when receiving a video file and a video call, respectively. Read more: WhatsApp Security Advisories 2022 Updates
Terjanq, a security engineer at Google, published a write-up on Friday on 13 vulnerabilities he discovered in the ModSecurity web server firewall module. Read more: WAF bypasses via 0days
NodeJS server vulnerability
Security researcher Octavia Johnston published details on CVE-2022-35256, a new HTTP request smuggling vulnerability impacting the NodeJS web server. The vulnerability was patched earlier this month.
Security researcher CyberRamen published a blog post on Saturday describing how the BlackTech Chinese APT has slowly migrated its attack infrastructure from GoDaddy to companies like PDR Ltd. and Vitalwerks Internet Solutions, LLC. Read more: So Long (Go)Daddy | Tracking BlackTech Infrastructure
Cybersecurity firm Human has published a report on Scylla, a cybercrime operation that abuses advertising SDKs to perform ad fraud. Human says the operation ran 29 Android apps that were pretending to be more than 6,000 different CTV apps in order to receive higher-priced ads. Scylla then used hidden ad displays and fake clicks to generate profits behind its users’ backs. Read more: Poseidon’s Offspring: Charybdis and Scylla
CyFirma published a report on Sunday on the new Erbium Stealer malware, currently advertised on underground hacking forums. The new Erbium infostealer was found propagating via fake cracks and cheats for popular video games to pilfer victims’ credentials and crypto wallets. Read more: Erbium Stealer Malware Report
Gootloader SEO campaign
Agent Tesla spam
Kaspersky has a report out on a massive email spam campaign spreading the Agent Tesla infostealer. Read more: Mass email campaign with a pinch of targeted spam
Crypto hacker arrested in the Philippines
South Korean police said on Friday that a hacker who stole 14 billion won ($9.85 million) worth of cryptocurrency from a local platform was arrested in the Philippines. The man was identified as Mr. A., and Korean officials said he previously worked as an IT engineer. He was extradited back to South Korea last week, where he is set to face criminal charges related to the hack and subsequent money laundering operations.
Hackers detained in Ukraine
The Security Service of Ukraine (SSU) said it detained a hacker group in Lviv that infected user devices with malware, collected their personal data, and then sold it on the dark web. Officials said the group collected the personal details of 30 million users—from Ukraine and the EU—and sold it to Russian propagandists, who then created fake online profiles in the victims’ names to spread fake news and panic surrounding Russia’s invasion of Ukraine. Read more: SSU neutralized a hacker group that “hacked” almost 30 million accounts of citizens of Ukraine and the EU
Dutch man sentenced in spyware case
A Dutch man was sentenced to 80 hours of community service after he was found guilty of installing spyware on his partner’s MacBook laptop back in 2020. The name of the spyware was not mentioned, but authorities said the suspect could access the device’s microphone, camera, and keystrokes.
Kaspersky faces possible ban across the EU
Bloomberg reported on Friday that five countries (Latvia, Lithuania, Estonia, Ireland, and Poland) are pushing for a new set of sanctions against Russia, including a possible ban on Russian cybersecurity firm Kaspersky. Read more: EU Nations Demand Tougher Russia Sanctions in Next Package
Russia won’t mobilize IT specialists
Russia’s Ministry of Defense said on Friday that it won’t mobilize individuals who hold certain professions, such as IT specialists working in critical infrastructure, telecommunications, media, and the financial market. The exemption comes after representatives of Russia’s private sector asked the government for one, having already faced serious staff shortages since the start of the war. Read more: The Ministry of Digital Development was asked to consider a deferral from military conscription for IT specialists
Russian govt TLS certs
Russia’s national Certificate Authority is now operational and has already issued TLS certificates for more than 7,000 domains, according to the Russian Ministry of Digital Development, Telecommunications, and Mass Media. Read more: TLS certificates are available for installation on smartphones, computers and tablets
Ubuntu gets AD support
Something we missed this April is the new Ubuntu Desktop 22.04 release that now supports Active Directory integration, allowing you to run group policies on your fleet of Linux systems. Read more: New Active Directory Integration features in Ubuntu 22.04 (part 1)
Fitbit users must link to their Google accounts
Google will force all Fitbit device owners to link a Google account to their device starting next year; otherwise, their devices will stop working. Google acquired Fitbit for $2.1 billion in 2021. Read more: Fitbit Setup Requirements
Meta sued for bypassing Apple anti-tracking
A group of users has sued Meta, Facebook’s parent company, for bypassing Apple’s anti-tracking privacy protections on iOS devices. The lawsuit is based on the findings of a Google software engineer published last month.
Read more in
- Facebook users sue Meta for bypassing beefy Apple security to spy on millions
- iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser
Signal asks users to help Iranians
Secure messaging app Signal has asked its users to set up and run proxy servers and help Iranians connect to the Signal service, currently blocked inside the country following massive public protests. A ready-made server setup is also available on GitHub.
Browser competition and walled gardens
Mozilla published a 66-page paper [PDF] last week describing how “walled garden” approaches in today’s tech landscape are actively harming the browser market and user privacy.
All five major platforms today (Google, Apple, Meta, Amazon, Microsoft) bundle their respective browsers with their operating systems and set them as the operating system default in the prime home screen or dock position. For many people, this placement is sufficient and they will not see or pursue extra steps to discover alternatives.
Vivaldi promises to keep ad blockers working
As Google slowly starts to roll out its new core rules for Chromium extensions (called Manifest V3), the team behind the Vivaldi browser said they will still support the older V2 system going forward. The new V3 nerfs the capabilities of ad blockers, which many extension developers said Google is doing on purpose to protect its ad-biz unit. Definitely not a monopoly in the browser market. Don’t look over here EU and US authorities. Read more: Manifest V3, webRequest, and ad blockers
Pôle Léonard de Vinci hack
Two hackers claim to have breached the IT network of Pôle Léonard de Vinci, a university based in Paris, France, and are now threatening to publish more than 600GB of its data.
— new (@newransom12) September 24, 2022
Cameras coming to NYC subway cars
New York governor Kathy Hochul, whose office in Albany oversees New York City’s subway system — for reasons that make little sense — announced this week a new plan to roll out surveillance cameras in every New York City subway car by 2025. The effort was billed as “awful” by privacy advocates, so Hochul doubled down further. “You think Big Brother’s watching you on the subways? You’re absolutely right,” she said. Yet MTA’s chair said the subway crime is down 9% and “among the safest places in New York.” So maybe make up your minds before you subject millions to additional unwanted surveillance? Or, maybe scrap the idea altogether? Just a thought. Read more: New York to install surveillance cameras in every subway car
Congress probes Meta over health data collection
Meta is under pressure from Congress about its access to sensitive medical data after an investigation by The Markup discovered that the company’s pixel tracking tool was found collecting patient data — including doctor’s appointments, prescriptions, and health conditions — from dozens of U.S. hospital websites, including in some cases password-protected patient portals. Now lawmakers want Meta (aka Facebook) to provide an account for the medical information it keeps on its users. These pixels are tiny — literally pixel-size — so can’t be easily seen on websites, but are used to transmit information back to Facebook, data that is then used to learn more about website visitors.
Read more in
- Meta Faces Mounting Questions from Congress on Health Data Privacy As Hospitals Remove Facebook Tracker
- Facebook Is Receiving Sensitive Medical Information from Hospital Websites
Artist finds private medical record photos in popular AI training data set
A very modern privacy nightmare: finding your private medical records in a dataset used for training AI models. Well, that’s what happened to an AI artist who goes by the name Lapine, who found that their medical files from their doctor, who died in 2018, somehow ended up in the LAION dataset. While scraping data is legal under U.S. law, it’s less clear how legal or ethical it is for such a dataset to contain the personal or private information of others. LAION said that since it’s not hosting images, “the best way to remove an image from the Internet is to ask for the hosting website to stop hosting it.”
Read more in
- Artist finds private medical record photos in popular AI training data set
- Web scraping is legal, US appeals court reaffirms
Microsoft learns a lesson from its TrickBot sting
Bouncing to Bloomberg’s newsletter for a moment: @jeffstone500 reports and reflects on Microsoft’s not-quite-takedown of the TrickBot botnet in 2020 ahead of the U.S. election, fearing ransomware attacks designed to mess up critical voting systems.
New details on where the Microsoft/US effort to destroy the TrickBot botnet before the 2020 election fell short—>
– Coordination issues + a problematic ISP helped Russian scammers stay online
– MSFT shifting botnet approach, another takedown in the works https://t.co/0aDvDhdC8Q
— Jeff Stone (@jeffstone500) September 21, 2022
But TrickBot lives on, thanks to a shadow botnet network that it activated in the event of a coordinated assault by law enforcement. The takedown attempt failed, leaving one senior Microsoft executive “still a little angry” two years on. The back story, which hasn’t been told before, is well worth reading, as well as his tweet thread. Read more: Microsoft Learns a Lesson From Cybercrime Sting
Malwarebytes accidentally blocks all Google sites, chaos ensues
Ever wondered what it’s like to be completely cut off from Google? Malwarebytes customers had a fairly good idea this week when the antivirus engine blocked all Google sites. Not just search, but Gmail, Google Play — everything. The issue was quickly fixed, but not before plunging millions into a Google-less void. Read more: Antivirus Used by Millions Blocked All Google Sites by Mistake, Sowing Chaos
How U.S. schools use AI to monitor student protests
Incredible reporting from Texas about colleges and universities that use an AI system built by a company called Social Sentinel, which reporters say allows staff to monitor student protests. Many of these colleges have their own police departments (pretty standard for America), which use taxpayer dollars to monitor what students say — in dozens of cases without telling the students.
After filing hundreds of FOIA requests and reading over 56,000 pages of documents, we can confirm that 37 universities in the country have used Social Sentinel WITHOUT telling students so far. But according to the company’s founder, there are hundreds more.
— Derêka K. (@DKproduxion) September 20, 2022
Documents seen by the reporters show Social Sentinel promoted the tool for “forestalling” and “mitigating” protests by monitoring social media and scanning student email accounts. Great threads by authors @ArijitDSen and @DKproduxion. Read more: How colleges use AI to monitor student protests
THREAD: The biggest story of my life is finally out.
Since 2019, I’ve been investigating a monitoring tool called Social Sentinel. They bill it as a way to help save students’ lives.
I found it had another purpose — surveilling campus protests. https://t.co/I0okAqeRen
— Ari Sen (@ArijitDSen) September 20, 2022
ATTENTION COLLEGE STUDENTS:
Your university is using an AI software company to monitor your tweets as you read this. Universities that are using this software within my native state include but aren’t limited to #MSU, #WMU and #OU. https://t.co/2sZ9i1SMXo
— Derêka K. (@DKproduxion) September 20, 2022
Bobby Roach uncovered a vulnerability in Microsoft Teams
Bobby Roach uncovered a vulnerability in Microsoft Teams that could lead to remote code execution through an NTLM relay attack if left unpatched. Check out how to protect yourself in his excellent write-up. Read more: Microsoft Teams — Attachment Spoofing and Lack of Permissions Enforcement Could Lead to RCE via NTLM Relay Attack or Drive-By Download Attack
Microsoft’s own security team has warned gamers about malware which allows the adversary to commit fraud through a click-bot.
“[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices,” Microsoft Security Intelligence said in a sequence of tweets over the weekend.
Oracle Cloud has been rocked by a critical vulnerability
Oracle Cloud has been rocked by a critical vulnerability which could allow threat actors to connect to the virtual disks of other Oracle customers, researchers at Wiz have said. After the researchers identified the vulnerability in Oracle’s own infrastructure, the company is working to fix the problem.
Vulnerability full disclosure – New Oracle cloud vulnerability allowed users to access the virtual disks of other Oracle customers >>
— Shir Tamari (@shirtamari) September 20, 2022
[Updated on 23 September 2022]
Remember the attack on Portugal’s flag carrier airline? In a new update, a hacker group was found selling the stolen information of millions of its customers. Hackers are once again abusing the Zoom branding to spread malware; this time in the form of fake Zoom download sites. The Uyghur community was once again targeted in a mobile surveillance campaign that has been ongoing for seven years. Here are the top highlights from the past 24 hours.
More highlights from the past 24 hours
- Cyble researchers spotted six fake Zoom sites offering apps that deploy Vidar Stealer. This infostealing campaign aims to pilfer banking data and IP addresses, among others. Read more: Fake sites fool Zoom users into downloading deadly code
- Microsoft warned against a smishing campaign targeting Indian bank customers with infostealers posing as fake rewards applications. Read more: Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices
- The Identity Theft Resource Center revealed that around 40% of U.S. customers had their personal information misused, stolen, or compromised in the past year. Read more: Two-Fifths of US Consumers Suffer Personal Data Theft
- The Uyghur community suffered a wave of mobile surveillance attacks, conducted by the Scarlet Mimic threat group. The spyware campaign has been ongoing since at least 2015. Read more: 7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs
- The Anonymous collective took down Iranian government websites, including the central bank, national government portal, and state-owned media sites, amid protests following the death of Mahsa Amini. Read more: Anonymous takes down Iranian government websites amid protests following death of Mahsa Amini
- Munich-based data protection platform DataGuard raised $61 million in Series B funding, led by Morgan Stanley Expansion Capital, with One Peak as a participant. Read more: DataGuard locks down $61M for data protection as a service
- Malwarebytes received a $100 million minority investment from Vector Capital, bringing the total funds raised to $180 million. Read more: Malwarebytes Raises $100 Million From Vector Capital
Chrome vulnerability write-up
Numen Cyber Labs has published a write-up on CVE-2021-38003 and CVE-2022-1364, two Chrome zero-days patched in October 2021 and April 2022, respectively, that could be used for RCE attacks against Chrome users. The company warns that even though these two security flaws have been patched in the main Chrome browser, the patch gap that exists in software that uses Chrome’s WebKit engine as its built-in browser means that many mobile apps are still vulnerable to this, including the likes of Skype and many crypto-wallets. Read more: From Leaking TheHole to Chrome Renderer RCE
Study on jQuery vulnerabilities
- Approximately 26% of all the publicly reachable jQuery UI web applications contain a version of jQuery which is vulnerable to CVE-2020-11022.
- Approximately 21% of jQuery UI instances are EOL which raises my eyebrows even further.
A white-hat hacker has reported a vulnerability to the Arbitrum cryptocurrency platform that, if exploited, could have allowed an attacker to steal all funds sent to the network. The researcher received 400 ETH ($530,000) as a bounty for his report. Read more: Hackers in Arbitrum’s Inbox
Would @arbitrum have been insolvent if that $470mm deposit a few days ago was stolen and they had to reimburse?
— riptide (@0xriptide) September 20, 2022
Juplink router vulnerabilities
NCC Group researchers have found vulnerabilities in Juplink WiFi routers that can allow an attacker to reset an admin account’s password. Read more: Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
Check Point has published a report on Scarlet Mimic, a Chinese APT that has repeatedly targeted the Uyghur minority since 2016.
Since then, CPR has observed the group using more than 20 different variations of their Android malware, disguised in multiple Uyghur-related baits such as books, pictures, and even an audio version of the Quran, the holy text of the Islamic faith. The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected device, as well as perform calls or send an SMS on the victim’s behalf and track their location in real-time. Also, it allows audio recording of incoming and outgoing calls, as well as surround recording. All this makes it a powerful and dangerous surveillance tool.
Pro-Indian Army influence operation
The Stanford Internet Observatory published a report on Wednesday on a sprawling Twitter influence operation involving 1,198 accounts that tweeted about India and Pakistan and which pushed pro-Indian Army views. SIO said their report expands on a previous report from ASPI.
Tweets praised the Indian Army’s military successes and provision of services in India-administered Kashmir and criticized the militaries of China and Pakistan. Two accounts existed to target specific individuals who were perceived as enemies of the Indian government.
Zscaler has published a report on the Crytox ransomware, active since late 2020 and mostly known for its successful attack on Dutch TV station RTL Nieuws. Read more: Technical Analysis of Crytox Ransomware
Harly Android trojan
Kaspersky has published a report on Harly, an Android trojan that has been active since 2020 and which secretly subscribes infected devices to premium SMS services. Kaspersky says that since its first versions, they found the trojan in 190+ apps hosted on the official Play Store, collectively downloaded more than 4.8 million times. Read more: Harly: another Trojan subscriber on Google Play
Cryptomining on Atlassian Confluence
Trend Micro has documented a recent cryptomining campaign that has targeted Atlassian Confluence servers through CVE-2022-26134, an RCE vulnerability previously abused by nation-state actors, ransomware gangs, hacktivists, other coin-miners, and various botnets.
Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. We urge customers to upgrade to the latest version or apply recommended mitigations: https://t.co/C3CykQgrOJ
— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2022
In particular, we observed the CVE-2022-26134 being exploited to download and deploy the Cerber2021 ransomware (SHA-256: f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf).
— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2022
Read more in
- Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware
- Hacktivist Group DragonForce Actively Targeting Indian Entities, Shares an Exploit for a Critical Confluence Server Vulnerability CVE-2022-26134
- Crypto-Miners Leveraging Atlassian Zero-Day Vulnerability
- Kinsing & Dark.IoT botnet among threats targeting CVE-2022-26134
A CyFirma report describes recent FIN11 phishing campaigns where the threat actor relied on impersonating Zoom meeting invites to lure users to malware downloads. Read more: FIN11 is Back: Impersonates Popular Video Conference Application
Credential stuffing is on a record pace
Authentication and authorization platform Auth0 published its yearly State of Secure Identity Report, and the company said that over the past year, credential stuffing attacks accounted for 34% of all authentication events on its platform.
Furthermore, the company added that 58% of all customer apps experienced login attempts with breached or leaked credentials, which Auth0 says perfectly illustrates the “widespread nature of these attacks.”
Magento vulnerability heavily exploited
On top of this Zoho bug, Magento e-commerce stores are also under heavy attack. According to Sansec, CVE-2022-24086, a vulnerability in the Magento 2 CMS template engine, is being abused these days to drop remote access trojans on unpatched stores.
Read more in
- Surge in Magento 2 template attacks
- Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087)
Malicious npm package
Researchers from ReversingLabs discovered a malicious npm package disguised as the software tool Material Tailwind. When installed on a system, the package would download and run malicious PowerShell code. Read more: Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
[Updated on 22 September 2022]
Lately, telecom providers have been subject to constant cyberattacks across the world. In today’s instance, a data breach at an Australian telco likely impacted millions of people. DNS hijacking has gained much popularity in the threat landscape, as a subset of the technique compromised multiple domains in a phishing campaign. The BlackCat ransomware is not displaying any signs of stopping as the attackers are leveraging an upgraded data exfiltration tool. Read along for the top 10 highlights from cyberspace.
More highlights from the past 24 hours
- Recorded Future detected 569 e-commerce domains infected with skimmers, of which 314 have been compromised with web skimmers using Google Tag Management containers. Read more: Threat Actors Continue to Abuse Google Tag Manager for Payment Card e-Skimming
- The City of Quincy, Illinois, recently revealed that the personal information—SSNs, names, and health insurance information—of some residents was potentially compromised in a data breach earlier this year. Read more: Some residents’ personal information possibly compromised in Quincy cyberattack
- Israeli cybersecurity firm Deep Instinct bagged $62 million in a venture round, from BlackRock and Chrysalis Investments of Jupiter Fund Management. Read more: Deep Instinct raises $62 million from BlackRock and Chrysalis
[Updated on 21 September 2022]
CISA noted a total of seven vulnerabilities in the power distribution units made by Dataprobe in its latest industrial control systems advisory. These vulnerabilities could allow a cybercriminal to pull off unauthenticated remote code execution while also laying bare sensitive information. In another case of fixing a flaw, Parse Server has addressed a security gap that puts highly sensitive user data at risk. According to the GitHub advisory, the vulnerability allowed internal fields and protected fields to be used as query constraints.
Hackers are always on the hunt for users in the banking sector. In connection with this, top Indian banks are issuing warnings to their customers against the SOVA mobile banking trojan, which targets over 200 applications.
Cyberattacks against the gaming sector have gained much traction recently. Threat actors hacked an American video game publisher and targeted its customers. Hackers finally took responsibility for the June attack on a horse racing body. The Eye Care Leaders breach tally is growing as another healthcare entity disclosed the number of patients affected.
More highlights from the past 24 hours
- Imperva stated that it thwarted a single DDoS attack that sent around 25.3 billion requests to one of its customers, a Chinese telecom service provider. Read more: Record 25.3 Billion Request Multiplexing Attack Mitigated by Imperva
- The Wolfe Eye Clinic recently revealed that the data of 542,776 patients was compromised during the December 2021 attack on Eye Care Leaders, bringing the breach tally to almost 3.6 million. Read more: Eye Care Leaders fallout grows: 543K Wolfe Clinic patients added to breach tally
- The United Veterinary Services Association published four cybersecurity recommendations following a ransomware attack that impacted 700 animal and healthcare networks worldwide. Read more: Report: Animal care companies need to heed cybersecurity calls too
- The U.S. FCC added Chinese telecommunications companies ComNet (USA) LLC and China Unicom (Americas) to its ‘Covered List’ as threats to national security. Read more: U.S. agency adds China Unicom, Pacific Networks to national security threat list
- Phishers are abusing LinkedIn’s Smart Link feature to evade email security and redirect Slovakian targets to phishing pages that steal payment details. Read more: LinkedIn Smart Links abused in evasive email phishing attacks
- Fintech fraud prevention platform Sardine raised $51.5 million in Series B funding, led by Andreessen Horowitz’s Growth Fund, with existing and new investors as participants. Read more: Sardine raises $51.5M led by a16z to sniff out fishy fintech transactions
Top Breaches Reported in Last 24 Hours
Record DDoS attack on a Chinese company
A cybersecurity firm has reported that it thwarted a significant four-hour-long DDoS attack targeting an unnamed Chinese telecommunications business. The attackers sent repeated requests using HTTP/2 multiplexing, and as many as 25.3 billion requests were recorded in June alone. The attack was launched through a botnet of nearly 170,000 different IP addresses spread across more than 180 countries, primarily the U.S., Indonesia, and Brazil. Read more: Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing
Top Malware Reported in Last 24 Hours
SOVA trojan targets the banking sector
A novel banking malware campaign leveraging the SOVA Android trojan seems to be targeting over 200 mobile applications, including banking apps and crypto wallets. This malware is distributed via smishing attacks. Once the fake app is installed, the malware accesses the user’s credentials when they log in to their bank accounts. The trojan is capable of stealing cookies, collecting keystrokes, intercepting MFA tokens, and even copying infected applications. Read more: Banks alert customers about mobile banking malware targeting over 200 apps
Top Vulnerabilities Reported in Last 24 Hours
Parse Server patches a critical bug
Parse Server, an open-source backend project, was patched to fix a security bug identified as CVE-2022-36079. If exploited, the security hole permitted brute-force-style attacks to access confidential user data on the Node.js API server and Express WAF modules. The bug was patched in versions 4.10.14 and 5.2.5 of the parse-server NPM package, with all prior versions on these release lines affected. After the patch, using internal and protected fields as query constraints requires the master key.
Read more in
- Parse Server fixes brute-forcing bug that put sensitive user data at risk
- Release 4.10.14
- Release 5.2.5
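As an added example (not Parse Server’s own code), here is the kind of request-level guard the fix describes: a query whose constraints reference an internal or protected field is rejected unless the request carries the master key. The class name, the field list and the request shape are assumptions modelled on the advisory’s description.

```javascript
// Added example, not Parse Server's code. Why this matters: a constraint such
// as {password: {$regex: "^a"}} turns each query response into a yes/no answer
// about a value the client should never be able to see, which is what allows
// the brute-force-style attack described in the advisory.

// Assumed per-class list of protected fields (field names are an assumption).
const PROTECTED_FIELDS = {
  _User: new Set(["password", "email", "authData", "_email_verify_token"]),
};

// Parse stores internal fields with a leading underscore; treat all as protected.
function isInternalField(name) {
  return name.startsWith("_");
}

// Walk a Parse-style "where" object and collect every top-level field it
// constrains, descending into $or / $and / $nor compound operators and
// reducing dotted paths ("authData.github.id") to their root field.
function collectConstrainedFields(where, out = new Set()) {
  if (!where || typeof where !== "object" || Array.isArray(where)) return out;
  for (const [key, value] of Object.entries(where)) {
    if (key === "$or" || key === "$and" || key === "$nor") {
      if (Array.isArray(value)) value.forEach((sub) => collectConstrainedFields(sub, out));
      continue;
    }
    out.add(key.split(".")[0]);
  }
  return out;
}

// Decide whether a query may run. Returns {allowed, blockedFields} so the
// caller can log the rejected field names (useful detection signal) without
// echoing the attempted constraint values back to the client.
function checkQueryConstraints(className, where, { hasMasterKey = false } = {}) {
  if (hasMasterKey) return { allowed: true, blockedFields: [] };
  const protectedForClass = PROTECTED_FIELDS[className] || new Set();
  const blocked = [...collectConstrainedFields(where)]
    .filter((f) => isInternalField(f) || protectedForClass.has(f))
    .sort();
  return { allowed: blocked.length === 0, blockedFields: blocked };
}

// Constructed sample requests, shaped like the JSON body of a Parse query.
const SAMPLE_REQUESTS = [
  { className: "_User", where: { username: "alice" } },
  { className: "_User", where: { password: { $regex: "^a" } } },
  { className: "_User", where: { $or: [{ username: "alice" }, { _email_verify_token: { $exists: true } }] } },
  { className: "_User", where: { "authData.github.id": 42 } },
  { className: "Post", where: { _rperm: "role:admin" } },
];

// Evaluate every sample without a master key and report which were blocked.
function triageSamples(samples = SAMPLE_REQUESTS) {
  return samples.map((r) => checkQueryConstraints(r.className, r.where));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [i, verdict] of triageSamples().entries()) {
    console.log(`request ${i}:`, verdict.allowed ? "allowed" : `blocked on ${verdict.blockedFields.join(", ")}`);
  }
}
```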
Prototype bug bypasses Sanitizer API
Ransomware attack on Bosnia’s government
Officials from Bosnia and Herzegovina are investigating a cyberattack that has crippled the operations of the country’s parliament for more than two weeks, in what experts say bears all the hallmarks of a classic ransomware attack. Read more: Bosnia and Herzegovina investigating alleged ransomware attack on parliament
NATO member Bosnia and Herzegovina
The Parliamentary Assembly of Bosnia and Herzegovina is under a cyber attack with main site down and systems taken offline.
— Dominic Alvieri (@AlvieriD) September 16, 2022
Chrome gets a root store
After announcing its intention to develop its own root store for the Chrome browser back in late 2020, Google said it would start a slow rollout of this feature for macOS and Windows users running Chrome 105, its current stable version. Once this feature rolls out, Chrome will stop relying on the operating system’s root store and switch to its internal system to verify if an SSL certificate is valid or not when establishing a new HTTPS connection.
Read more in
- Chrome will soon have its own dedicated certificate root store
- Announcing the Launch of the Chrome Root Program
- Chrome Root Program Policy, Version 1.2
YouTube ignores user downvotes
New research conducted by the Mozilla Foundation found that user downvoting mechanisms like the Dislike button and the Not Interested menu option are ignored, and YouTube continues to show the same type of content to its users. Read more: Mozilla Investigation: YouTube’s Dislike Button, Other User Controls Largely Fail to Stop Unwanted Recommendations
Mullvad expands to security keys
VPN company Mullvad announced the creation of a sister company named Tillitis AB that will create and sell a new security key based on open-source firmware the company is currently developing.
Indonesia privacy bill
Indonesia’s Parliament passed a data protection bill this week that comes with fines and prison sentences for companies that fail to protect or abuse user data. According to Reuters, the fines can go up to 2% of a company’s annual revenue, and prison sentences can go up to five years in jail for individuals who gather personal data illegally and up to six years in jail for those who falsify personal data for personal gain. The passing of this new law comes as the country has faced several major data leaks over the past years, incidents that have highlighted the poor security and broad data collection practices at most Indonesian companies. Read more: Indonesia parliament passes long-awaited data protection bill
ECJ ruling on traffic metadata retention
The European Court of Justice ruled on Tuesday, in a case involving Germany's super-broad telecommunications traffic retention policies, that metadata and location information may not be stored and queried en masse except in situations deemed a threat to national security. The German Telecommunications Act, which the ECJ found not compliant with EU law, requires telcos to store customers' telephone and internet data for four and ten weeks, respectively, and make it available to law enforcement when requested. [See court ruling here, PDF] Read more: German data retention rules not compatible with EU law, says top court
FCC expands list of equipment/services that pose a national security threat
The US Federal Communications Commission has expanded the list of equipment vendors and service providers that it views as a national security threat with two Chinese telecom companies, namely Pacific Networks Corp and its wholly-owned subsidiary ComNet, and China Unicom. Their inclusion in this list means that US companies and state governments will not be able to use US government funds to purchase any of their equipment or services. Previously, the FCC also banned the likes of Kaspersky, China Telecom, China Mobile, Huawei, ZTE, Hytera, Hikvision, and Dahua. Read more: FCC Expands List of Equipment and Services that Pose Security Threat
DOJ’s new crypto crime enforcement rules
Security researcher Gary Warner has a tl;dr breakdown of the DOJ's new rules [PDF] for cracking down on crimes involving cryptocurrencies, which the department published last week. Read more: The new DOJ Law Enforcement Crypto Reports (TL;DR)
RSOCKS admin detained in Bulgaria
US authorities announced in June that they disrupted the operations of RSOCKS, a proxy-for-hire service and botnet. In a report published a week later, infosec reporter Brian Krebs identified the service's admin as Russian national Denis Kloster. At the time, Krebs said that attempts to contact Kloster for a statement remained unanswered. But according to a report in Bulgarian media last week, Kloster couldn't answer because he was in police custody in Bulgaria after being detained at the request of US authorities two weeks before, on May 30, when he arrived for a vacation in Bansko, a high-end ski resort in the country's south-east mountains. The same report said that Bulgarian authorities have also approved the suspect's extradition to the US, where he is set to face cybercrime-related charges.
Read more in
- Russian Botnet Disrupted in International Cyber Operation
- Meet the Administrators of the RSOCKS Proxy Botnet
- The Russian hacker arrested in Bansko has asked to be extradited to the US
Underground market for Amazon merchant accounts
A BusinessInsider investigation found a thriving underground market of Amazon merchant accounts on places like Telegram and forums like PlayerUp and Swapd. BI reporters claim these accounts are used by shady sellers to skirt bans that Amazon has placed on their original accounts. Account prices range from a few hundred dollars for a new account to thousands of dollars for years-old accounts with established histories and solid customer reputations. Read more: There’s an underground market where secondhand Amazon merchant accounts are bought and sold for thousands of dollars
The Dutch Review Committee on Intelligence and Security Services (CTIVD) has published a report on how they collect, process, and use OSINT data in their investigations. Tom Uren recently had a discussion with The Grugq about how OSINT is rising to become a reliable source for intelligence collection.
Read more in
- Publication review report 74 regarding automated OSINT by the AIVD and MIVD
- Between Two Nerds: How OSINT makes clandestine HUMINT difficult
Phishing campaign targets US govt contractors
Phishing detection company Cofense published a report this week on a persistent phishing campaign that has been taking place since mid-2019 and has repeatedly targeted the M365 accounts of US government contractors. Read more: Credential Phishing Targeting Government Contractors Evolves Over Time
VMware's security team has published a report on the emerging ChromeLoader malware family, also known as Choziosi Loader and ChromeBack, which works by changing Chrome browser search settings to hijack search queries and direct users to malicious sites. Check out similar reports on this malware from Red Canary, Palo Alto Networks, and CyberGeeks.
Read more in
- The Evolution of the Chromeloader Malware
- ChromeLoader: a pushy malvertiser
- ChromeLoader: New Stubborn Malware Campaign
- CHROMELOADER BROWSER HIJACKER
New TeamTNT malware
Cloud security firm AquaSec said it detected at least three new malware strains that appear to have been developed by the TeamTNT crypto-mining gang. These discoveries are of note because TeamTNT announced it shut down operations in a tweet last November, and all attacks since then have been associated with zombie server infrastructure that the group has operated in previous years. Read more: Threat Alert: New Malware in the Cloud By TeamTNT
Recorded Future has put out a report on UAC-0113, a group CERT Ukraine has linked to the Sandworm APT, and the infrastructure it has used in recent months to attack Ukrainian government agencies and private-sector organizations. Among its preferred tactics, UAC-0113 masqueraded as telecommunication providers operating within Ukraine and continued to rely on publicly available malware, but transitioned from DarkCrystal RAT to Colibri Loader and Warzone RAT as preferred payloads. Read more: Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine
Russia’s complicated APT landscape
The Atlantic Council published a report on the always-fascinating topic of Russia’s APT landscape and its mixture of military hackers, private companies, patriotic hackers, and elements from the criminal underground. Read more: Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior
Cloud service company Wiz discovered a vulnerability in Oracle’s Cloud Solutions Platform (CSP) that could have allowed a malicious threat actor to access the virtual disks of other Oracle customers. According to Wiz Head of Research Shir Tamari, the vulnerability’s root cause was the lack of permissions verification in the AttachVolume API. The issue was also apparently resolved on the same day it was reported.
This is the first time we have found a cross-tenant vulnerability in CSP's infrastructure (IaaS). We reported the vulnerability to Oracle, which fixed it the same day, with full deployment to all their environments. Kudos to their security team.
— Shir Tamari (@shirtamari) September 20, 2022
Azure Cloud Shell vulnerability
The Lightspin Research Team published details about a new Azure Cloud Shell vulnerability that can allow an attacker to steal a user’s access tokens and execute commands in other users’ terminals. Read more: Azure Cloud Shell Command Injection Stealing User’s Access Tokens
SuperX, a Chinese security researcher with security firm Winter Snow Lab, published last week a proof-of-concept exploit [cached] for CVE-2022-36804, a 9.9/10-rated command injection vulnerability that can allow attackers to run malicious code on Bitbucket servers using only modified HTTP requests. Atlassian fixed this issue at the end of August. According to Shodan, there are about 1,400 internet-facing servers, but it is not immediately obvious how many of them host a public repository and are therefore exposed to the attack. More on this is also available in a Rapid7 write-up.
Read more in
- Critical severity command injection vulnerability – CVE-2022-36804
- CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center
Apple Maps vulnerability
Ron Masas, a security researcher with Breakpoint, has published the story of how he found CVE-2022-32883, a vulnerability in the Apple Maps service that could leak users’ locations. Apple patched this bug last week, on September 12.
- Turning Your Computer Into a GPS Tracker With Apple Maps
- About the security content of macOS Big Sur 11.7
EZVIZ smart cams vulnerabilities
Security firm Bitdefender has also published a report on vulnerabilities it found in the EZVIZ smart cams. Read more: Vulnerabilities Identified in EZVIZ Smart Cams
Security updates are available for Firefox users after Mozilla released Firefox 105 on Tuesday. Read more: Version 105.0, first offered to Release channel users on September 20, 2022
Cado Security has open-sourced this week a new tool called varc that can collect a snapshot of volatile data from a system immediately after the detection of malicious behavior. This includes things like active network connections, the memory of running processes, the content of opened files, and more. The tool works on Windows, Linux, macOS, AWS EC2, AWS Lambda, and containerized environments.
Today we've open-sourced varc.
varc collects volatile data to tell you what is happening on a system e.g. after a detection.
E.g. running processes, process memory, network data.
varc runs on Windows, Linux, macOS, Docker … even Lambda
Get it now @https://t.co/QaLO5wl2Nt
— Cado (@CadoSecurity) September 20, 2022
Browser spellcheck leak
Otto’s research team discovered that the advanced spellchecker in the Google Chrome browser and the Microsoft Editor spellchecker in Microsoft Edge will upload some of the text they verify to Google and Microsoft servers, respectively, leading to situations where PII data or passwords may be sent to these systems. These two spellcheckers are included in both browsers but are not the default ones, and users have to manually enable them for any leaks to occur. Read more: Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords
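A defender's check for the leak described above, added here as an example (this is not code from the original post or from Otto's researchers): it flags form fields that carry secrets or PII but do not carry the standard HTML attribute spellcheck="false", which opts a field out of browser spellchecking, and in a browser it sets that attribute. The sensitive-name patterns and the sample form are assumptions constructed for the example.

```javascript
// Added example, not from the original post or from Otto's report.
// Enhanced spellcheck in Chrome and Microsoft Editor in Edge send field text
// to a remote service; spellcheck="false" keeps a field out of that path.

// Name/id/autocomplete fragments treated as PII. Constructed for this example.
const SENSITIVE_PATTERNS = [
  /pass(word|wd|code)?/i, /ssn|social/i, /dob|birth/i, /card|cvv|cvc/i,
  /account|routing|iban/i, /passport|licen[cs]e/i,
];

// Password fields always count; non-text controls never do.
function isSensitiveField(field) {
  const type = (field.type || '').toLowerCase();
  if (type === 'password') return true;
  if (['hidden', 'submit', 'button', 'checkbox', 'radio'].includes(type)) return false;
  const haystack = `${field.name || ''} ${field.id || ''} ${field.autocomplete || ''}`;
  return SENSITIVE_PATTERNS.some((re) => re.test(haystack));
}

// A field can leak if it is sensitive and spellcheck is not explicitly "false";
// the attribute defaults to inherited/true for text-like controls.
function leaksToSpellcheck(field) {
  return isSensitiveField(field) && String(field.spellcheck).toLowerCase() !== 'false';
}

// Pure audit over plain descriptors {name, id, type, autocomplete, spellcheck},
// so it runs outside a browser; returns the names of fields that need a fix.
function auditFields(fields) {
  return fields.filter(leaksToSpellcheck).map((f) => f.name || f.id || '(unnamed)');
}

// Browser wrapper: audit live inputs/textareas and set spellcheck="false".
function hardenDocument(doc) {
  const fixed = [];
  for (const el of Array.from(doc.querySelectorAll('input, textarea'))) {
    const desc = {
      name: el.name, id: el.id, type: el.type,
      autocomplete: el.getAttribute('autocomplete'),
      spellcheck: el.getAttribute('spellcheck'),
    };
    if (leaksToSpellcheck(desc)) {
      el.setAttribute('spellcheck', 'false');
      fixed.push(desc.name || desc.id || '(unnamed)');
    }
  }
  return fixed;
}

// Constructed sample form, as it might appear on a registration page.
const SAMPLE_FORM = [
  { name: 'username', type: 'text', spellcheck: null },
  { name: 'password', type: 'password', spellcheck: null },
  { name: 'ssn', type: 'text', autocomplete: 'off', spellcheck: null },
  { name: 'dob', type: 'text', spellcheck: 'false' },   // already hardened
  { name: 'notes', type: 'textarea', spellcheck: 'true' }, // free text, not PII
  { name: 'csrf', type: 'hidden', spellcheck: null },
];

if (typeof document !== 'undefined') {
  console.log('fields hardened:', hardenDocument(document));
} else {
  console.log('fields exposed to enhanced spellcheck:', auditFields(SAMPLE_FORM));
}
```

On the sample form the audit reports password and ssn; the dob field is skipped because it already carries spellcheck="false".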
Sam Curry, an Omaha-based web application security researcher, said he accidentally received $250,000 from Google in what appears to be a mistake in the company’s bug bounty payouts. Read more: He got an unexplained $250,000 payment from Google. The company says it was a mistake
It's been a little over 3 weeks since Google randomly sent me $249,999 and I still haven't heard anything on the support ticket. Is there any way we could get in touch @Google?
(it's OK if you don't want it back…) pic.twitter.com/t6f7v5erli
— Sam Curry (@samwcyo) September 14, 2022
Altenen carding forum scam
Threat intel firm Digital Shadows said a recently hacked database that was dumped on the XSS forum appears to belong to Altenen, a former Arabic and English language carding forum, known for scamming its users. Forum DMs included in the leaked database show how the site’s admins worked together to defraud their own users. Read more: There’s No Honor Among Thieves: Carding Forum Staff Defraud Users In An ESCROW Scam
Another lame pro-Russian hacktivist group announced its existence over the weekend, claiming the super original name of FKNO, which they say stands for “F*** NATO.”
Looks like there is a new pro-russian hacktivist group starting up. Subtle name of FKNO or F@%k NATO. #cybersecurity #infosec #RussiaUkraineWar #UkraineRussiaWar #NATO pic.twitter.com/fhUy7d4OFt
— CyberKnow (@Cyberknow20) September 18, 2022
Bitdefender researchers have released a decrypter for past victims of the LockerGoga ransomware. Twelve LockerGoga members were detained last year in Ukraine and Switzerland, and Bitdefender said the decrypter was created as part of a joint effort between the company, Europol, the NoMoreRansom Project, the Zürich Public Prosecutor's Office, and the Zürich Cantonal Police.
Read more in
- Bitdefender Releases Universal LockerGoga Decryptor in Cooperation with Law Enforcement
- 12 targeted for involvement in ransomware attacks against critical infrastructure
Canadian hacker raided
Aubrey Cottle, a Canadian hacker and a member of the Anonymous hacktivist group, said he was raided last week by Ontario police. Cottle said all his devices were seized and that, as a result of the raid, he was also later evicted from his rented home. He told Cyberscoop that he believes the FBI is also involved in the investigation but could not tell what the raid was about. Read more: Anonymous hacker, who bragged about exploits on TikTok, says he was raided by Canadian police
Security firm Group-IB said the number of crypto-scam-related domains rose in the first half of 2022 by five times compared to last year. Read more: Crypto giveaway scams continue to soar: the number of fake domains grows five-fold in H1 2022
According to Group-IB, 63% of the new fraudulent domain names were registered with Russian registrars, but the fake websites are primarily designed to target English and Spanish-speaking crypto investors in the US and other countries.
Microsoft said it is seeing activity from a threat actor the company tracks as DEV-0796, which is using malicious links inside YouTube comments to redirect users to malicious ISO file downloads that then install a click-fraud browser extension on victims' devices.
Microsoft researchers are tracking an ongoing wide-ranging click fraud campaign where attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices. Microsoft attributes the attack to a threat actor tracked as DEV-0796. pic.twitter.com/v6sexKgDSg
— Microsoft Security Intelligence (@MsftSecIntel) September 16, 2022
US cyber grant
The Biden administration on Friday launched a long-awaited federal cybersecurity grant program that will funnel up to $1 billion to state and local governments to upgrade their digital defenses. Read more: Biden admin launches $1B cyber grant program for state, local governments
Romania bans Russian antivirus products
The Romanian government has banned the use of Russian antivirus software on the networks of central and local governments. Authorities cited the risk of these products being used to launch cyberattacks against government agencies. The Romanian government said the decision is only temporary and the ban will last for as long as Russia's invasion of Ukraine continues. Officials ordered IT departments to uninstall all existing products or disconnect them from the internet. Polish authorities similarly banned Russian antivirus software from their government networks back in June. Read more: PRESS RELEASE regarding the normative acts approved at the meeting of the Romanian Government on 14 September 2022 | PDF
Kosovo to establish cyber-security agency
The Kosovo government said it plans to establish a cyber-security agency later this year following a series of DDoS attacks that disrupted its major telecom provider last week. The government on Wednesday approved a draft law on cyber security, which will include forming an agency, BalkanInsight reported. Read more: Kosovo to Establish Agency for Cyber Security Amid Recent Attacks
Epic Games announced over the weekend that it can now detect when controller players use a Cronus device to cheat by reducing their recoil in Fortnite. Read more: WHAT'S NEW IN FORTNITE BATTLE ROYALE CHAPTER 3 SEASON 4: PARADISE
On the same front, EA Games also announced a new kernel-level anti-cheat system for its popular FIFA game franchise that will be launched later this week. Read more: A Deep Dive on EA anticheat for PC
Pro-Ukrainian hacktivists have defaced the website of Mosoblenergo, Moscow's main energy provider, and posted a photo of Oleksiy Danilov (Secretary of the Ukrainian National Security and Defense Council) against the backdrop of the Kremlin on fire. Read more: Danilov against the backdrop of the Kremlin in flames: Ukrainian hackers hacked the Mosoblenergo website
— Илья Пономарев / Ілля Пономарьов (@iponomarev) September 16, 2022
The data of more than 330,000 users who registered on the Starbucks Singapore web portal was put up for sale in underground cybercrime forums last week. The company confirmed the breach on Friday in an email sent to affected customers. Read more: 330,000 S’pore Starbucks customers’ data leaked, info sold online for $3,500
Mobile banking operator Revolut confirmed it was hacked after a third party gained access to its systems and stole the data of 50,150 of its customers. The incident came to light last week after the company disclosed the breach to Lithuania's data privacy regulator, the country where the company holds a banking license. Revolut said the hacker gained access to one of its databases "through the use of social engineering methods." In a statement to Polish tech blog Trusted Third Party, Revolut said the breach impacted only 0.16% of its customers.
Read more in
- The State Data Protection Inspectorate has launched an investigation into the Revolut personal data security breach
- Revolut hacked, data of more than 50 thousand customers stolen
Two thieves to tap Tesla
With the help of a friendly hacker friend, it's possible to unlock and start a Tesla Model Y in a matter of seconds, thanks to a new attack. It requires the two thieves working together — one near the owner, with an NFC keycard or a phone with a Tesla virtual key, and another thief near the car. @kimzetter reporting for The Verge. Read more: New attack can unlock and start a Tesla Model Y in seconds, say researchers
New: Researcher found new attack that lets thieves unlock and drive away a Tesla Model Y in seconds. Involves relay attack against NFC key. Story includes video. @Tesla didn’t respond. https://t.co/gZaH0JqgxX
— Kim Zetter (@KimZetter) September 12, 2022
Montenegro, Albania cyberattacks test Nato’s collective defense
NPR looks at the two cyberattacks targeting Nato countries: a ransomware attack in Montenegro, and an Iran-linked cyberattack targeting Albania. Both countries are Nato members, for which a critical component is Article 5, the collective defense clause that states “an attack on one is an attack on all.” Article 5 has only been invoked once — in the aftermath of 9/11. It’s less clear what happens in the event of a cyberattack, but we may soon find out. Read more: Examining 2 recent cyberattacks against NATO members
Airplane Wi-Fi tech vulnerable to root bug
Researchers found two potentially serious flaws in wireless LAN devices often used in airplanes for Wi-Fi access points that allow passengers to use the internet. “One of the security holes, CVE-2022-36158, is related to a hidden webpage that can be used to execute Linux commands on the device with root privileges. The device’s web-based management interface does not provide a link to this hidden page.” More in a blog post. Japan’s CERT also has more.
Read more in
- [CVE-2022-36158 / CVE-2022-36159] Contec FLEXLAN FXA2000 and FXA3000 series vulnerability report.
- JVNVU#98305100: Multiple vulnerabilities in Contec FLEXLAN FX3000 and FX2000 series
How Katie Nickels helped transform how we talk about cyber defense
A profile of @likethecoins, aka Katie Nickels, and her unparalleled expertise in MITRE ATT&CK, the framework used for describing the stages of a cyberattack, to which few others come close.
Love this profile of @likethecoins that also serves as a brief history of MITRE ATT&CK. I am glad to see someone who does so much for the community getting this kind of recognition. via @KyleAlspach https://t.co/0a58gRou1u
— Allan “Ransomware Sommelier🍷” Liska (@uuallan) September 13, 2022
Customs officials have copied Americans’ phone data at massive scale
Incredible reporting here by the Post, which reports that U.S. border authorities collect and save the contacts, call logs, messages and photos from up to 10,000 travelers' phones to a government database every year. While we know phones are frequently checked at the border (which U.S. authorities have long argued they're allowed to do because the Fourth Amendment doesn't apply at the border — which doesn't count as U.S. soil), it's now known that thousands of CBP officers are allowed to access this database without a warrant, and that the data is stored for 15 years. Sen. Ron Wyden, a privacy hawk on Capitol Hill, who discovered and disclosed the program, has a bill that would require U.S. border officials to first obtain a probable-cause warrant before searching someone's phone.
Read more in
- Customs officials have copied Americans’ phone data at massive scale
- Wyden, Paul Bill Requires Warrants to Search Americans’ Digital Devices at the Border
Hotel giant hacked by ‘vindictive’ couple
Remember the hotel giant IHG, which owns thousands of Holiday Inn, Crowne Plaza and Regent hotels around the world, was hacked a few weeks ago? The hackers, who claim to be a couple from Vietnam, told the BBC’s @joetidy that they broke into the hotel giant’s systems, deployed wiper attacks, and deleted gobs of data.
SCOOP on the IHG hotels hack: 'Vindictive' couple deleted hotel chain data for fun. Cyber crime couple from Vietnam launched destructive wiper attack deleting huge amounts of data after defenders foiled their ransomware attempt. https://t.co/VqhArSQ3HT
— Joe Tidy (@joetidy) September 17, 2022
Tidy saw screenshots, which IHG confirmed were genuine, showing access to IHG's Microsoft Teams account, Outlook emails and server directories. According to Tidy, the hackers accessed the company's most critical databases by finding the login for the company's password vault — "Qwerty1234". An FTSE 100 company, everybody.
Hackers accessed the FTSE 100 firm's most critical databases after finding the login for the company's password vault. The password for the vault was extremely weak: Qwerty1234.
— Joe Tidy (@joetidy) September 17, 2022
Read more in
- IHG hack: ‘Vindictive’ couple deleted hotel chain data for fun
- Holiday Inn hotels hit by cyber-attack
U-Haul breach leaked driver’s licenses, customer IDs
[Updated on 20 September 2022] U-Haul had a data breach involving an unknown number of customer names, driver's license numbers, and license information (address, DOB, etc.)
Moving truck service U-Haul confirmed a months-long data breach that spanned from November 2021 through this April, which saw hackers make off with names, driver’s license and state identification numbers. U-Haul said it only identified the breach in July, and only sent notification letters out earlier this month.
Read more in
- 5-month U-Haul breach leaked driver’s licenses, IDs of customers
- Security Update
- U-Haul reports data breach, customers’ info exposed
Apple, Microsoft fix zero-days
Apple fixed two zero-days in macOS Big Sur that are known to be exploited in the wild. The bugs affected the operating system's kernel and could allow broad access to user data. Meanwhile, Microsoft fixed a mystery escalation-of-privileges zero-day in the Windows Common Log File System Driver, which gives an attacker root or system privileges on all supported versions of Windows — including the now-unsupported Windows 7. Not much is known about the bug, but Mandiant, one of four security firms that found the bug actively exploited by attackers, told @carlypage_ that the exploit is likely standalone and not part of an attack chain. So how did it get on targeted computers? An infected email, possibly. Update today!
Read more in
- Apple Warns of macOS Kernel Zero-Day Exploitation
- Microsoft patches a new zero-day affecting all versions of Windows
How the feds identified and shut down massive ID theft marketplace
Remember SSNDOBCLUB, the marketplace selling the stolen personal data of some 22-24 million people, which was seized by U.S. authorities earlier this year? Exactly how the IRS, the lead agency on the case, identified its servers or the people behind it remained a mystery… until @jeffstone500 found an unredacted criminal complaint filed by an IRS agent that was somehow still on PACER. The filing detailed how the feds traced evidence to a Ukrainian national involved in the scheme, who's now awaiting trial in Florida. The full tweet thread is worth the read.
just drank more coffee than any human ever should and i have some crazy details about how cops in Florida arrested an accused scammer connected to tens of millions of dollars in fraud
i can’t fit the details into a story so sharing some stuff here…
— Jeff Stone (@jeffstone500) September 12, 2022
An unredacted complaint filed by an IRS agent describes how a small squad of federal investigators obtained a SSNDOBCLUB username and password from “a source of information” (a mole?), allowing agents to covertly access the site for more than a year. https://t.co/OzVyWHtlZ1 pic.twitter.com/gKzXmVfit7
— Jeff Stone (@jeffstone500) September 12, 2022
Read more in
- FBI seizes notorious marketplace for selling millions of stolen SSNs
- FBI takes down dark web marketplace for U.S. citizen personal data
Researcher uses AI surveillance cameras to identify Instagram influencers
Here's an interesting project: researcher Dries Depoorter built a project that uses cameras and artificial intelligence to identify where an Instagram influencer's photo was taken. Motherboard has a good writeup about the project. It highlights just how easy it can be to identify where photos were taken, busting a person's opsec wide open in the process. While it's something that could be easily abused, it's "a reminder that everywhere we go in the modern world, we're being watched, even when we think we can curate and control what the world sees of us."
Read more in
James Webb Telescope image used for malware infection
One of the first galactic photos released by NASA from the telescope is being used by bad actors to infect systems with malware. Security analytics platform Securonix identified a new malware campaign using the image, and the company is calling it GO#WEBBFUSCATOR. The attack starts with a phishing email containing a Microsoft Office attachment. "Hidden within the document's metadata is a URL that downloads a file with a script, which runs if certain Word macros are enabled. That, in turn, downloads a copy of Webb's First Deep Field photo that contains malicious code masquerading as a certificate. In its report about the campaign, the company said all anti-virus programs were unable to detect the malicious code in the image." Read more: A Webb Telescope image is being used to push malware
Oath Keeper Penetration
The Anti-Defamation League’s Center on Extremism (COE) published a report this week on the Oath Keepers organization, which has the stated purpose of getting more members into positions of influence within LEO and government. Specifically, they published research showing how many known members are actually cops, or are in the military, or are either in or are running for public office.
Read more in
- Leaked Oath Keepers’ list includes hundreds of cops, dozens of elected officials
- New from ADL: Leaked Oath Keepers’ Membership List Reveals Hundreds of Current & Former Law Enforcement Officers, Members of Military, and Elected Officials
There’s a new attack technique happening where new employees at a company get hit with a malicious text message that says something like, “Hey I’m the CEO of $YOURNEWCOMPANY and I need you to do X for me…” Remember, it’s easy to find your phone number on various websites, so once you’re associated with a company on LinkedIn you can be targeted.
A company’s brand new employees are getting spearsmished (ha just coined that and I know some of y’all will hate it) with “I’m the CEO, I’m in a meeting but I need you to do something, let me know if you got my message”—any ideas on how their phone numbers would already be known?
— Er•(in)³•fosec (@ErinInfosec) September 10, 2022
I’ve seen an increase in the New Hire SMS Phish attack method recently:
– new hire starts at org, they or the org announce new role on LinkedIn
– attacker looks up new hire’s phone number on data brokerage sites
– sends SMS phish pretending to be Exec to new hire in first month https://t.co/PnaXO8Y75J
— Rachel Tobac (@RachelTobac) September 10, 2022
Darktrace plummets after takeover shelved
U.K. cybersecurity company Darktrace crashed 30% in value after the U.S. private equity firm Thoma Bravo, known for snapping up cybersecurity companies, dropped its takeover bid in the company. Details of the collapse of the talks are not known, but the news comes after a string of controversies involving its co-founder Mike Lynch, who is fighting extradition to the U.S. over fraud charges, and well-documented concerns over Darktrace’s toxic workplace culture.
Read more in
- Darktrace Share Price Crashes as Takeover Pulled
- Skeletons In The Closet: $2 Billion Cybersecurity Firm Darktrace Haunted By Characters From HP’s Failed Autonomy Deal
Hackers with ties to Conti targeting Ukraine
A new Google report out this week shows financially motivated hackers with ties to the Russian-backed Conti ransomware group are reusing their tools to target hotels, NGOs and other targets in Ukraine. Ars Technica has more on the group, known as UAC-0098.
Read more in
- Initial access broker repurposing techniques in targeted attacks against Ukraine
- Ukraine is under attack by hacking tools repurposed from Conti cybercrime group
Greece wiretap and spyware claims circle around PM Mitsotakis
BBC has the latest in the ongoing scandal involving the Greek government and its use of the Cytrox-developed Predator spyware to spy on the phones of journalists and opposition politicians, a scandal that threatens to engulf the country’s current administration. The scandal has been likened to Greece’s Watergate, and for good reason — it’s already resulted in the resignation of the country’s top spy chief and one of the prime minister’s top aides, with allegations that go to the very top of the government. The European Parliament is investigating. Read more: Greece wiretap and spyware claims circle around PM Mitsotakis
The full letter of the Permanent Representative of #Greece to the EU @vrailas to the @EU_Commission which was asking for information on the ongoing investigation regarding the use of #Predator in #Greece pic.twitter.com/iCsnJBzjzj
— Efi Koutsokosta (@Efkouts) August 24, 2022
IRS mistakenly made public data for about 120,000 taxpayers
Confidential data from some Form 990-Ts, a business tax return used by tax-exempt organizations, was accessible from the IRS website’s search engine for about a year before it was spotted by an employee (of the month, or at least they should be). The IRS is obliged to notify Congress of the data lapse. Turns out data security is difficult, even when you’re a federal agency. The Wall Street Journal first reported the lapse.
Read more in
- The IRS says it mistakenly made public data for about 120,000 taxpayers
- IRS Says It Exposed Some Confidential Taxpayer Data on Website
Parsing Samsung’s data breach notice
Last Friday, just hours before the long holiday weekend began, Samsung dropped scant details of a data breach of customer data over a month earlier. The timing wasn’t a coincidence — just very bad PR — but the notice itself was incredibly barebones. I spent the weekend parsing the data breach notice and annotating it with analysis to see what Samsung didn’t say. Turns out the breach of data may be a lot more sensitive than it let on, especially if demographic data — i.e. information used for targeted advertising — was compromised. Read more: Parsing Samsung’s data breach notice
Encrypted app Signal just hired one of Big Tech’s sharpest critics
Former Google manager Meredith Whittaker (no relation) is Signal's first president. It comes after Moxie Marlinspike, co-founder of the end-to-end encrypted messaging app, stepped down earlier this year. According to the Post's profile, the two first met in the open-source community exploring privacy tech. Whittaker's appointment comes at a critical time for Signal, which needs money to survive for the long term. It costs millions of dollars per year to develop and maintain Signal. "The only way to escape technology that makes money off your data is by paying for products that don't," Whittaker remarked. Prior to Signal, she was known as a vocal critic of Silicon Valley and for her research into the social implications of artificial intelligence, and was tapped by the FTC as a senior adviser on AI. Read more: Encrypted app Signal just hired one of Big Tech's sharpest critics
Professional news! On September 12 I'll be officially starting as President of @signalapp. I'm honored, I'm excited, and I can't think of anything more meaningful I could be doing with my time and energy.
Read a bit more about the role and my thinking here 👇 https://t.co/0HnABB0u0j
— Meredith Whittaker (@mer__edith) September 6, 2022
We are very happy to announce that board member, longtime friend of Signal, and advocate for digital privacy @mer__edith will be joining as Signal’s President beginning September 12.
Read the full announcement: https://t.co/ZxCXjJK8fW
— Signal (@signalapp) September 6, 2022
Number of attacks against Linux machines on the rise
A new report indicates that attackers are increasingly targeting Linux machines as the operating system becomes increasingly popular among enterprise users. Security firm Trend Micro said that there’s been a 75 percent increase in ransomware attacks against Linux systems in the first half of 2022 compared to the same stretch last year. The report also said the firm’s seen more than 1,900 instances of Linux-based malware being used against its customers in the first half of 2022. These attacks are mainly coming from the operators of the REvil and DarkSide ransomware-as-a-service groups, along with a recently released Linux version of the LockBit ransomware. Cloud computing company VMware released a different report earlier this year warning against a rise in cryptocurrency mining attacks against Linux systems, such as XMRig, to hijack CPU power on Linux machines to mine Monero and other virtual currencies. Read more: Defenders Be Prepared: Cyberattacks Surge Against Linux Amid Cloud Migration
Ubiquiti Not Hacked?
Brian Krebs has recanted his coverage of Ubiquiti being breached. Evidently what happened was a former employee stole tons of data and pretended to be an anonymous hacker, and he then sent Ubiquiti a $2 million ransom demand. He also went to Krebs, as one does, which added even more pressure to Ubiquiti. Read more: Former Ubiquiti dev charged for trying to extort his employer
A group called AgainstTheWest posted a message to a hacker forum claiming they have a 790GB database full of TikTok (and WeChat) data, including user data, auth tokens, etc. Despite the name, the group evidently targets groups that are against the West. TikTok has denied direct scraping, but the data could have many sources, including third parties.
Read more in
- TikTok denies security breach after hackers leak user data, source code
- Was tiktok hacked by a user ‘Against the West’?
UPDATE: while there is definitely a breach, it is still work in progress to confirm the origin of data, could be a third party. https://t.co/A3le5oWJgN
— Bob Diachenko 🇺🇦 (@MayhemDayOne) September 5, 2022
Google Targets Open-Source Vulns
Google is starting a new bug bounty program called the Open Source Software Vulnerability Rewards Program (OSS VRP) centered around open-source vulnerabilities. The program pays out between $100 and $31,337 for bugs in Google’s OSS project repositories hosted on GitHub, as well as related dependencies. Read more: Google’s new bug bounty program targets open-source vulnerabilities
Healthcare Security Breaches Increasingly Involve Third-Party Vendors
The majority of the 10 largest healthcare sector data breaches reported to the Department of Health and Human Services Office for Civil Rights (HHS OCR) so far this year occurred on third-party vendor systems. The three largest breaches each affected more than two million individuals.
- Like KeyBank (see story below), security of outsourced services can be your weakest link. Prepare to spend more time validating their security than you would expect. Don’t expect you’re going to get real-time logs from them; more likely they are going to contact you. Make sure you understand what that means, and keep that information current.
- I worked in this space in the 2000’s and I can tell you many major medical centers have to rely on third-party vendors. Almost every department may have their own unique vendor set to support their medical devices. There is barely a consideration for actual security best practices in many of these systems. Mostly because at most they feel ransomware would be the biggest threat. Most of these vendors will have direct connections into the facility and they will probably have the ability to laterally move anywhere as many of these networks are not security segmented by firewalls. I would even suspect many of them are just networks with all manner of devices connected to them freely. This doesn’t surprise me: I had to fix a vendor issue in the early days where the actual large medical manufacturer kept imaging machines that had a worm (pre-Conficker) loaded into the build by accident.
Read more in
Draft Amendments to New York State Cybersecurity Rules for Financial Organizations
Financial institutions whose headquarters are in the state of New York may soon be compelled to abide by additional cybersecurity standards. The New York Department of Financial Services (NYDFS) has submitted draft amendments to its Cybersecurity Requirements for Financial Services Companies. The proposed new requirements include an expanded list of events subject to the 72-hour incident notification requirement, a 24-hour reporting window for ransomware payments, and “a 30-day requirement to provide a written description of why the payment was necessary, alternatives to payment that were considered, and all sanctions diligence conducted.”
- There are a few areas where the proposed changes dictate particular solutions, like “password vaulting” and “endpoint detection and response,” which is never a good idea. But, while many of the proposed changes will be complained about, most of them are just common sense essential security hygiene controls that need to be in place for any hope of a reasonable level of risk.
- While some of the suggested mitigations seem mundane, it’s not a bad idea to review your existing solutions, such as EDR, to make sure they incorporate current threat and response scenarios. It’s easy to get complacent; establish a lifecycle process for your defenses.
Read more in
- New cyber rules for New York financial firms signal nationwide changes
- Proposed Second Amendment to 23 NYCRR 500 (PDF)
KeyBank Says Third-Party Breach Led to Theft of Customer Data
A third-party vendor breach led to the theft of KeyBank mortgage customer data. The attackers stole the data in early July from an insurance service provider, Overby-Seawell Company. KeyBank says it learned of the breach in early August. The stolen information includes Social Security numbers, addresses, and account numbers.
- This piece, and the item (above) on healthcare breaches, just point out that most business processes involve third-party service providers and those third parties may often be the weak link in your supply chain. The flip side is your company may be the weak link in larger players’ supply chains. Both scenarios carry high risk – use these news items in a small tabletop exercise if you need to get management support for addressing them.
- Third party security is as important as your insourcing. And it can be much harder to verify. Don’t just put the right to audit in the contract, have a real conversation about how you would verify as well as what incident data can be shared. If you aren’t comfortable with the working relationship, and you can’t change solutions, you’ll need to articulate that and seek resolution or documented risk acceptance prior to go-live. Remember that no matter how good your reputation is – KeyBank has an awesome community support reputation – it’s not the third party’s image but *your* image on the line.
Read more in
Open Source Security Foundation’s npm Best Practices Guide
The Open Source Security Foundation (OpenSSF) has released an npm Best Practices guide that focuses on dependency management and npm supply chain security. The “document provides 1) an overview of security features of npm in the context of supply-chain, 2) explicit recommendations and 3) details or links to the official documentation to achieve these recommendations.”
- Every Best Practices guide should come with a list of “How others overcame obstacles to implement…” examples. In many cases, the best security practice is common sense, but operational reasons drive shortcut approaches that are not secure. However, many companies (the ones *not* in the news for a breach) have found ways to justify how doing the right things in security up front actually can reduce cost of apps and time to market.
- Best practices are sometimes a euphemism for “This worked and we didn’t get fired.” Don’t discount your own experience about what worked. Instead, read the guide to make sure that you’ve not overlooked anything. Leverage it as support for raising the bar on your own practices.
Read more in
Fog Data Science’s App Offers Location Data
An investigation conducted by the Electronic Frontier Foundation (EFF) and the Associated Press (AP) found that Fog Data Science, a private data broker, has been selling location data to US law enforcement agencies at the federal, state, and local levels. The company’s web app, Fog Reveal, allows its customers to access detailed information about people’s work and personal lives. Records obtained in the course of the investigation indicate that Fog has or has had contracts to provide data to at least 18 clients.
- Fog Data advertises having a network of 250 million devices providing real-time geolocation data. The issue is the service can be used for legitimate purposes, say who was around a violent crime, or to locate those going to a targeted organization, violating their privacy. This data is gathered from apps to which you have granted location services, which means you can revoke those permissions, or disable location services entirely. Globally disabling location services is too disruptive and not a viable approach. The best approach is to limit location services to applications you trust and only when needed.
- This type of data sale to Law Enforcement is not something necessarily new. Is the fact that their presence on the Internet is also very small? No, many of these data brokers also fly under the radar. The really interesting item to note here is the fact that searches and data could be gathered without warrants. The questionable part then becomes who is able to access the data and who is watching or following that data access. Can this be abused to facilitate potentially criminal activity such as stalking or other acts? The reason we have some of these laws is not just privacy but also as a protection to citizens. Location data can very well be misused. Now will something happen in this case? Something to watch.
Read more in
- Inside Fog Data Science, the Secretive Company Selling Mass Surveillance to Local Police
- Cops wanted to keep mass surveillance app secret; privacy advocates refused
- Tech tool offers police ‘mass surveillance on a budget’
Another Chrome Update Addresses Zero-Day
Google has updated the Chrome browser stable channel to version 105.0.5195.102 for Windows, Mac, and Linux to address a vulnerability that is being actively exploited. The flaw is described only as a high severity insufficient data validation issue in Mojo.
- This is the sixth zero-day patch for Chrome in 2022; CVE-2022-3075 is being exploited in the wild. It follows CVE-2022-0609 (2/14), CVE-2022-1096 (3/25), CVE-2022-1364 (4/14), CVE-2022-2294 (7/4) and CVE-2022-2856 (8/17). While Google is not sharing the details relating to exploit/attack vectors, prior zero-day exploit patterns warrant taking this seriously and pushing the update.
Read more in
- Google Chrome emergency update fixes new zero-day used in attacks
- Google Chrome zero-day flaw: Users urged to install update ‘immediately’
- Google Releases Urgent Chrome Update to Patch New Zero-Day Vulnerability
- Stable Channel Update for Desktop
ICS Medical Advisory: Multiple Vulnerabilities in Contec Health CMS8000
The US Cybersecurity and Infrastructure Security Agency (CISA) has released an ICS Security Advisory warning of multiple vulnerabilities in Contec Health’s CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor. The flaws – uncontrolled resource consumption, hard-coded credentials, active debug code, and two improper access control issues – could be exploited “to cause a denial-of-service condition, modify firmware with physical access to the device, access a root shell, or employ hard-coded credentials to make configuration changes.” Contec Health has not yet responded to CISA requests to mitigate the issues.
- The flaws are relatively simple to exploit, and include the ability to load new firmware from an inserted USB drive or crash these devices en masse with a UDP packet flood. As such, mitigations include limiting physical access and network isolation that allows only devices which absolutely need to connect.
Read more in
- ICS Medical Advisory (ICSMA-22-244-01) Contec Health CMS8000
- CISA warns of possible DDoS risk in Contec patient monitor medical devices
Microsoft Detects One-Click Vulnerability in TikTok
TikTok has fixed a security issue in its Android app that could have been exploited to hijack vulnerable accounts with a single click. The vulnerability allowed attackers to bypass the app’s deeplink verification, and affected both versions of the TikTok for Android app. The flaw was found by Microsoft’s 365 Defender Research Team.
- The flaw was found in both versions of the TikTok Android app. Update to the current version or remove it if you’re not actively using TikTok.
Read more in
- Vulnerability in TikTok Android app could lead to one-click account hijacking
- Microsoft finds TikTok vulnerability that allowed one-click account compromises
Baked-in AWS Credentials Found in Hundreds of Apps
Researchers from Symantec’s Threat Hunter Team have discovered more than 1,800 apps that contain hard-coded AWS credentials. Nearly all of the affected apps are iOS apps. More than half of the apps were found to be using the same AWS tokens that were found in other apps.
- These days, every wave of new technology use goes through the same pattern: (1) security needed; (2) security gets in the way; (3) shortcuts taken; (4) security compromised. This is actually an improvement over a decade ago when step (1) was ignored. Today, requiring testing of all software by off-the-shelf tools will detect most common instances of (3) shortcuts taken.
- For years in the Cloud Penetration Testing class, we have told students that we find hardcoded AWS keys in software. Many architects or students who work on the defensive side find this hard to believe. This type of example doesn’t surprise those that have been doing this type of work for a while, but examples like this help us point to practices that are less than ideal, surely very insecure. Now for the wider impact of this, you need to dig into the details. 1,800 is a fraction of the 2 million apps in the app store today. I will say that compiled apps make it much harder to uncover flaws like this, so there are more than likely more apps that have this issue in those stores.
- The challenge is to take the time to fully understand the frameworks and services used in delivering a service or application. Make sure that you understand what access is granted. Hardcoded credentials are easier to use than rotating or transient credentials, and not only do your developers need to stop with hardcoded credentials, but also make sure that the access granted by the credentials used is only for the objects and services needed. Where using third party services, stop to understand what access they require and how that access is managed, to include separations from others using their services. Lateral movement, data modification and exfiltration risks all need to be considered.
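The kind of off-the-shelf check the comments above call for can be small. The following is an added example (not code from Symantec or from the digest) that scans a set of app source files for embedded AWS access key IDs and nearby secret keys, then reports which key IDs are shared across more than one app, which is the second finding in the story. The sample files are constructed; the key values are the placeholders AWS uses in its own documentation, and the key ID format (a 4-character prefix such as AKIA or ASIA followed by 16 upper-case alphanumerics) and the secret-key regex are assumptions that will need tuning against real repositories.

```python
import re
from collections import defaultdict

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case
# alphanumerics. The look-around keeps the match out of longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 base64-alphabet characters; on their own they look
# like any other blob, so require a "secret...key" label within a few characters.
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample "apps" (path -> file text). Values are AWS documentation
# placeholders, not live credentials.
SAMPLE_APPS = {
    "app-a/Config.swift": (
        'let accessKey = "AKIAIOSFODNN7EXAMPLE"\n'
        'let secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app-b/strings.json": (
        '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", '
        '"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}'
    ),
    "app-c/Network.m": 'NSString *key = @"AKIAQZ4EXAMPLE000001";\n',
    "app-d/Info.plist": "<key>Endpoint</key><string>https://api.example.com</string>",
}


def scan_text(text):
    """Return (kind, value, line_no) findings for one source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(("access_key_id", m.group(0), line_no))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(("secret_access_key", m.group(1), line_no))
    return findings


def scan_apps(apps):
    """apps: {path: text}. Returns {path: findings} for files that had hits."""
    results = {}
    for path, text in apps.items():
        findings = scan_text(text)
        if findings:
            results[path] = findings
    return results


def shared_keys(results):
    """Map each access key ID to the sorted list of apps (top-level dir) that
    embed it, keeping only IDs that appear in more than one app."""
    owners = defaultdict(set)
    for path, findings in results.items():
        app = path.split("/", 1)[0]
        for kind, value, _ in findings:
            if kind == "access_key_id":
                owners[value].add(app)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def redact(value):
    """Show only the ends of a credential when reporting."""
    return value[:4] + "..." + value[-4:]


if __name__ == "__main__":
    found = scan_apps(SAMPLE_APPS)
    for path, findings in found.items():
        for kind, value, line_no in findings:
            print(f"{path}:{line_no}: {kind} {redact(value)}")
    for key_id, apps in shared_keys(found).items():
        print(f"shared key ID {redact(key_id)} used by: {', '.join(apps)}")
```

Run over a real extracted app bundle, the same two functions give you both the per-app findings and the cross-app reuse that turns one leaked key into many exposed apps.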
Read more in
- Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information
- Careless Errors in Hundreds of Apps Could Expose Troves of Data
- Here’s how 5 mobile banking apps put 300,000 users’ digital fingerprints at risk
- Over 1,000 iOS apps found exposing hardcoded AWS credentials
- Hardcoded AWS Credentials in 1,800 Mobile Apps Highlight Supply Chain Issues
GitHub Environment Injection Vulnerability Affects Two Open Source Projects
Researchers from Legit Security have found continuous integration/continuous delivery (CI/CD) vulnerabilities in the GitHub environments of open source projects from Google and Apache. The flaws can be exploited to take control of the projects’ GitHub Actions CI/CD pipeline and modify source code, steal data, and move laterally within organizations.
- Another one we have sections on in the Cloud Penetration Testing lab is CI/CD pipelines. We abuse Environments in our labs to read sensitive items out of the CI/CD pipeline. What is really interesting here is that the attacker can fork the project, attempting to act as a developer and inject their own code. It’s not clear why GitHub is displaying sensitive data when abusing a different variable, but it is something very interesting to note. This is just one thing that you can do with Supply Chain attacks. Guard your CI/CD pipelines closely because this is just one example of how an attacker can attack these platforms. This attack is novel because it does not require you to obtain access to the repo. The repo is already visible, but instead of injecting code, you are abusing the CI/CD itself without necessarily having repo access.
- This attack takes advantage of environment variable information in the GitHub ecosystem which, if allowed to be manipulated during the build process, could allow unexpected code to be included. In 2020 a Google researcher discovered manipulation options which GitHub addressed, essentially making them read-only, via the prior practice which leveraged STDOUT. The problem is there are manipulation options using their FileCommandManager which GitHub is not going to change as they still have legitimate use. As such, you need to be extremely careful when manipulating the GITHUB_ENV file. Never write untrusted data to that file, make sure you’re enforcing least privileges on your workflow, use Actions which output parameters not environment variables, and really understand the triggering workflow, particularly if initiated from a forked repository.
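The "never write untrusted data to GITHUB_ENV" advice above comes down to one mechanical fact: the file is parsed line by line as NAME=value, so a value that contains a line break is read as a second assignment. The following is an added example, not code from GitHub, Legit Security or the digest, that contrasts the naive single-line write with the documented NAME<<DELIMITER heredoc form using a random delimiter, and includes a small parser that models how the file is interpreted so the difference can be observed. The parser is an assumption (a simplified model of the documented NAME=value and heredoc records, not GitHub's runner code), and the constructed PR title is a test input.

```python
import re
import secrets

# Variable names GitHub will accept; anything else is refused outright so a
# caller cannot smuggle "=" or "<<" into the name part of a record.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def naive_record(name, value):
    """The pattern the story warns about: value pasted straight into a line."""
    return f"{name}={value}\n"


def format_env_record(name, value):
    """Return a GITHUB_ENV record that always sets exactly one variable.

    Single-line values use NAME=value. Any value with a line break uses the
    heredoc form NAME<<DELIM ... DELIM with a random delimiter, so the value
    cannot close the block early and append a second assignment.
    Line endings are normalized to "\\n" (a design choice of this example).
    """
    if not NAME_RE.match(name):
        raise ValueError(f"illegal variable name: {name!r}")
    value = value.replace("\r\n", "\n").replace("\r", "\n")
    if "\n" not in value:
        return f"{name}={value}\n"
    while True:
        delim = "ghadelim_" + secrets.token_hex(8)
        if delim not in value:
            break
    return f"{name}<<{delim}\n{value}\n{delim}\n"


def append_env(path, name, value):
    """Append a hardened record to the file named by $GITHUB_ENV."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(format_env_record(name, value))


def parse_github_env(text):
    """Simplified model of how GITHUB_ENV content becomes variables
    (assumption: NAME=value lines and NAME<<DELIM heredoc blocks only)."""
    env = {}
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        head = line.split("<<", 1)[0]
        if "<<" in line and "=" not in head:
            name, delim = line.split("<<", 1)
            body = []
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            i += 1  # skip the closing delimiter line
            env[name] = "\n".join(body)
        elif "=" in line:
            name, value = line.split("=", 1)
            env[name] = value
    return env


def demo():
    """Constructed PR title carrying a line break, written both ways."""
    untrusted = "Fix bug\nINJECTED_VAR=1"
    return (
        parse_github_env(naive_record("PR_TITLE", untrusted)),
        parse_github_env(format_env_record("PR_TITLE", untrusted)),
    )


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive write produced:", naive)      # two variables
    print("hardened write produced:", hardened)  # one variable
```

Even with the hardened writer, the comment's other points still apply: prefer step outputs to environment variables, and treat anything that originates in a fork's pull request (title, branch name, commit message) as untrusted input.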
Read more in
- Google & Apache Found Vulnerable to GitHub Environment Injection
- Code-Injection Bugs Bite Google, Apache Open Source GitHub Projects
- Two open-source projects vulnerable to ‘GitHub Environment Injection’
Malware-Laced Webb Telescope Images
Hackers are tricking users into infecting their devices with malware by hiding the malware in images from the James Webb telescope. The malware is written in Golang, a cross-platform language that is difficult to reverse-engineer and analyze.
- The story has been twisted a bit as it made it into more popular media outlets. The issue here is not that people will be infected by Webb Telescope images. Instead, these are systems that are already infected and the malware downloads additional code attached to images. The intent is to fool automated detection systems. So, in some ways it is worse: Malware is downloaded and you do not even get to see the images. Enjoy those great images and have fun watching Artemis 1 (hopefully) taking off this weekend. Malware written in Go has been on the increase in recent years, in part because the defensive tooling for malware analysis has been a bit lacking for Go.
- The initial entry point is a phishing email with a loaded MS Word attachment, which then downloads an image with embedded Base64 code that looks like a certificate, calls certutil to decode it into a malicious executable which is then executed. Currently the tested EDR platforms as well as VirusTotal didn’t detect this attack; you need to add the IOCs from the Securonix Blog to your arsenal and make sure that you’re clean.
www.securonix.com: Securonix Threat Labs Security Advisory: New Golang Attack Campaign GO#WEBBFUSCATOR Leverages Office Macros and James Webb Images to Infect Systems
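Because the dropped "certificate" only looks like one, a cheap detection is to decode any certificate-shaped block carried by an image and check what it really is. The following is an added example, not code from Securonix or the digest, that takes the bytes after a JPEG's End-Of-Image marker, finds PEM-style BEGIN/END blocks there, decodes the Base64, and classifies the result by its leading bytes (a genuine DER certificate starts with a SEQUENCE tag, a Windows executable with MZ). Two assumptions: that the block sits after the image's end marker rather than inside a segment, and that the sample input, which is constructed and decodes to a stub carrying only the MZ signature, stands in for a real payload.

```python
import base64
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def trailing_data(image):
    """Bytes after the last JPEG End-Of-Image marker (empty if not a JPEG
    or the marker is missing). A clean JPEG ends at the marker."""
    if not image.startswith(JPEG_SOI):
        return b""
    idx = image.rfind(JPEG_EOI)
    if idx < 0:
        return b""
    return image[idx + len(JPEG_EOI):]


def pem_blocks(data):
    """Return (label, decoded_bytes) for each PEM-style block whose body is
    valid Base64; blocks that do not decode are skipped, not flagged."""
    found = []
    for m in PEM_BLOCK_RE.finditer(data):
        body = b"".join(m.group(2).split())  # strip line wrapping
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:
            continue
        found.append((m.group(1).decode("ascii"), decoded))
    return found


def classify(decoded):
    """Identify the decoded content by its magic bytes."""
    if decoded.startswith(b"MZ"):
        return "pe_executable"
    if decoded.startswith(b"\x7fELF"):
        return "elf_executable"
    if decoded.startswith(b"\x30\x82"):
        return "der_certificate"  # X.509 certificates are a DER SEQUENCE
    return "unknown"


def inspect_image(image):
    """Return (label, classification, size) for each decoded trailing block.
    Any block that is not a der_certificate deserves a closer look."""
    return [
        (label, classify(decoded), len(decoded))
        for label, decoded in pem_blocks(trailing_data(image))
    ]


def build_sample():
    """Constructed input: a minimal JPEG-like byte string with a
    certificate-looking block appended. The decoded content is an 80-byte
    stub that only starts with the PE 'MZ' signature; it is not executable."""
    fake_jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
    stub = b"MZ" + b"\x00" * 62 + b"constructed-stub"
    wrapped = base64.encodebytes(stub)  # 76-column lines, like PEM
    return (
        fake_jpeg
        + b"\n-----BEGIN CERTIFICATE-----\n"
        + wrapped
        + b"-----END CERTIFICATE-----\n"
    )


if __name__ == "__main__":
    for label, kind, size in inspect_image(build_sample()):
        print(f"trailing {label} block decodes to {kind} ({size} bytes)")
```

Pointed at a mail gateway's image attachments or a proxy's download cache, the non-empty result from `inspect_image` is the alert condition; a JPEG that carries no trailing data returns an empty list.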
Read more in
- James Webb Telescope Images Loaded With Malware Are Evading EDR
- Hackers hide malware in James Webb telescope images
FBI Warns Hackers are Exploiting DeFi Vulnerabilities to Steal Cryptocurrency
The FBI has published a Public Service Announcement warning of an increase in hackers exploiting vulnerabilities in Decentralized Finance (DeFi) platforms and stealing cryptocurrency. Specifically, the attackers are exploiting vulnerabilities in DeFi platform smart contracts.
- Show your CFO this sentence in the FBI warning: “A smart contract is a self-executing contract with the terms of the agreement between the buyer and seller written directly into lines of code that exist across a distributed, decentralized blockchain network.” If that doesn’t worry your CFO, explain why anything with “self-executing,” “buyer and seller” and “written directly into lines of code” in the same sentence should automatically trigger financial risk alarms to go off.
- SANS held the Blockchain Security Summit 2022 this week with talks and workshops in both English and Spanish. Slides and recordings of talks will be up shortly. Highly recommend watching the keynote and talks.
- Make sure that you understand the risks and regulations relating to cryptocurrency. Consider that if something goes wrong, the money is gone. As such you need to do your own research into the security of DeFi providers, to include understanding their testing and vetting processes, verify they have been independently audited, including a code audit, be wary of limited time opportunities (your phishing/scam light should go off here), don’t rely on crowdsourced/open source security vetting – too much is at stake.
- Interesting that the FBI is giving this warning as there is still a tenuous relationship between the government and this community. It is, however, important to realize that this is still software. This is highly complex software and is subject to vulnerabilities. Exchanges have many vulnerabilities that we have seen when performing penetration testing on them at work, and many of the vulnerabilities are not even on the blockchain/smart contract side. Still, they tend to steer toward general web application vulnerabilities that stem from these applications.
Read more in
- Cyber Criminals Increasingly Exploit Vulnerabilities in Decentralized Finance Platforms to Obtain Cryptocurrency, Causing Investors to Lose Money
- FBI: Look out, crooks stole $1.3b in cryptocurrency in just three months this year
- More scrutiny of DeFi platforms demanded after attacks, FBI warnings
- FBI: Hackers increasingly exploit DeFi bugs to steal cryptocurrency
Classified Cyberthreat Briefing for US Aviation Sector
This month, the White House will hold a classified cybersecurity briefing for executives in the aviation industry. The Biden administration has been offering the briefings to executives in certain critical infrastructure sectors to encourage them to invest in cyber defenses.
- Nothing against threat briefings, but if the US government wants to drive improvements in commercial cybersecurity, it needs to use its buying power to do so. The Bureau of Transportation Statistics shows that the US spends about $20B per year on air transportation (not counting the $60B in aid during the pandemic peak disruption), about 10% of overall US airline revenue. If all federal procurements for air travel services included requirements for essential security hygiene, that would cause industry CEOs and CFOs to see direct threats to today’s revenue, not just potential future threats to future profits.
- This follows the successful August 4th briefing for the Railroad industry. As with that briefing, communication options will be provided for those not in attendance. Pro-tip – if you’re invited, don’t miss the actual meeting. Making this type of specific information available to the private sector helps provide context and a basis for the threats to support the case for acting. One hopes they are also provided a non-classified version of the briefing they can share with those who need to know, to include financial decision makers.
Read more in
- White House to give aviation executives classified cyberthreat briefing, latest in series of industry meetings
NSA, CISA, and ODNI Offer Supply Chain Cybersecurity Guidelines for Developers
The US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released supply chain cybersecurity guidance for software developers. The document was designed by the Enduring Security Framework (ESF) public-private working group. ESF plans to release two additional software supply chain cybersecurity documents – one for software suppliers and one for customers.
- This 64-page document is a good framework for long term changes, but when the airplane is in the air, the engine is sputtering and the ground is getting closer, some immediate action is required. In the spirit of the Critical Security Controls Implementation Group 1, a starting point is requiring all software vendors to certify their software is at least free of the latest OWASP Top 10 vulnerabilities.
- The alert contains listings and references of secure development frameworks and guidance you can leverage, as well as specific design recommendations and guidance. Walk through the documents with your development team, discovering both opportunities and things you’re already doing, then set a roadmap for future improvements where needed.
Read more in
- NSA, CISA, ODNI Release Software Supply Chain Guidance for Developers
- NSA and CISA share tips to secure the software supply chain
- Securing the Software Supply Chain | Recommended Practices Guide for Developers (PDF)
Chrome Update Includes Fixes for Two Dozen Vulnerabilities
Google has released Chrome 105 to the stable channel for Windows and for macOS/Linux. The newest versions of the browser address 24 security issues, including a critical use after free vulnerability in Network Service. The updates also address nine high-severity flaws, including use after free, heap buffer overflow, inappropriate implementation, and insufficient validation of untrusted input issues.
- So you were wondering why you were getting prompted to relaunch Chrome? With the continuing influx of Chrome updates, your security teams should have already been pushing this update to both Chrome and Chromium-based browsers. Leverage managed Chrome options to not only notify users about relaunch but also limit the time they can postpone relaunching – default is 7 days.
Read more in
Japan’s Digital Minister Wants Government to Stop Using Floppy Disks
The Japanese government still requires the use of floppy disks for roughly 1,900 procedures; the country’s minister of digital affairs is calling for that to change. The US Department of Defense stopped using floppy disks in 2019.
- Yeah, we all did a double take at “Floppy Disks.” This is really about keeping systems modernized. Japan still has business processes which require the use of disks – floppy, CD, MD, etc. The challenge is to keep processes current with modern technology and to make sure that you’ve migrated data stored on old formats to new media which can continue to be used. Don’t be the one saying “Yes, I have your data here, excuse me while I search online for something that will read it.” When looking at updating processes, make sure not to overlook implied security, actual or perceived, e.g., fax machines are seen as point to point and therefore more secure than digital transmission, irrespective of actual implementation.
Read more in
- Japan Declares ‘War’ on the Humble Floppy Disk in New Digitization Push
- Japan declares war on floppy disks for government use
Former NSA Operatives Who Worked for DarkMatter Debarred from Arms Exports
Three former NSA operatives have been prohibited from taking part in international arms exports. After leaving the NSA, the three individuals worked for DarkMatter, a security company based in the United Arab Emirates (UAE). While employed there, they conducted surveillance on dissidents, journalists, and US companies.
- Be aware of ITAR and export control restrictions, particularly if working with US government data. In today’s world of distributed and remote workers, it’s very easy to employ effective workers who are not only outside our borders but also not US persons, and are not entitled to that information. When in doubt consult an expert, and if you have an issue take steps to rectify it, not ignore it.
Read more in
- State Department debars ex-NSA cyber mercenaries who aided vast UAE surveillance operation
- Ex-NSA trio who spied on Americans for UAE now banned from arms exports
- U.S. Department of State Concludes Settlements of Alleged Export Violations by Ryan Adams, Marc Baier, and Daniel Gericke
- Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges Arising from Their Provision of Hacking-Related Services to a Foreign Government (September 2021)
ModernLoader delivers multiple stealers, cryptominers and RATs
Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers’ use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary. The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards. Because of the use of off-the-shelf tools, the group improves its operational security and there are no obvious signs of who the actor behind the attacks is, except that they likely speak Russian.
Read more in
LockBit ransomware group looking to add DDoS attacks to its arsenal
The LockBit ransomware group is hoping to double down on its triple extortion efforts after a recent distributed denial-of-service attack against its leaks website. The group’s public leader posted on a popular forum that it was improving its DDoS defenses after a recent hacking-back attempt from a security firm, and was also looking to add DDoS experts to its team to start triple extortion attacks. This means LockBit would steal victims’ data, threaten to leak it online, and if the target doesn’t pay the extortion payment, LockBit would target it with DDoS attacks. The group also claims to have 300GB of data stolen from software maker Entrust.
[Updated on 12 September 2022] The LockBit ransomware group is using combined extortion tactics to go after victims. We all know ransomware groups encrypt files and demand money to decrypt them: that’s tactic 1. They also threaten to release the data that they stole before they encrypted it. That’s tactic 2. And finally they are now adding DDoS to the mix. So they (and other groups that combine tactics in this way) can stop you from using your data, threaten to embarrass you and create a PR incident, and/or prevent your customers from reaching you.
Read more in