11/29/22 3:04am
In today’s technological world, educating people about cybersecurity awareness is an absolute necessity. According to one report, 82% of data breaches involved the human element, from social attacks to misuse of technologies. These errors are not always entirely preventable, as some level of human error is inevitable, but proper training in cybersecurity awareness can greatly decrease the likelihood of human mistakes leading to data breaches. Due to the increasing use of digital tools for business operations and the reliance on employee conduct to ensure security, new solutions are required.

While cybersecurity awareness training can take many forms, most training programs are computer-based. It is important when developing and implementing these programs to be aware of which methods of education work best. This training must reach users who may not have any background or knowledge in cybersecurity, and it must be effective enough to ensure that security is “not only top of mind, but a fluent language.” In service of that end, gamification is a highly effective tactic. There are many benefits to gamifying your approach to cybersecurity awareness training, all of which contribute to the goal of educating employees and decreasing risk. Gamification incentivizes and motivates employees to be more engaged, participate more actively, retain information, and implement behavioral changes moving forward. Below are five tips to gamify your cybersecurity awareness training program.

1. Visual Aids

One of the most basic elements of gamification is the use of visual aids. Visual aids such as graphs, charts, pictures, or videos are a quick and efficient way to convey information that might be harder to understand in text format. Statistics and numerical data are easily transferable into a visual format, and other information can also be translated into this context. These visual aids can help to keep employees engaged with the content by breaking up what could otherwise be a monotonous block of text. They are also often more easily remembered.

2. Rewards

Offering rewards for completion or performance is an incredible motivator. Whether the rewards are simply in-game points or real-life prizes like gift cards, the possibility of receiving something back for their hard work is a good incentive for employees to not only do the training, but pay attention and perform well. While there have previously been policies in place to administer consequences to employees who do not adhere to security measures, the implementation of positive repercussions is just as important in ensuring maximum retention and compliance.

3. Quizzes

Multiple results can be achieved with one simple tool in the form of quizzes. Quizzing employees on their training requires them to pay attention to the training and retain information that is vital for cybersecurity. It also presents them with a situation where their performance determines their score, and performing well on a quiz might earn them a reward. If quizzes are leveraged for healthy competition, employees can be even more motivated to do well.

4. Simulations

There are many different ways to deploy simulations in cybersecurity awareness training. Putting employees in a situation that mirrors a real-life attack, whether it be phishing emails or data breaches, gives them an opportunity to practice how they would respond should the real thing occur. This is similar to the idea behind fire drills: it is one thing to be told how to respond in case of an unfortunate event, and another thing entirely to actually go through the process of responding to it. Additionally, simulated security events are helpful for impressing upon employees that their training is not merely theoretical and that they will be expected to know what to do in a real-life attack.

5. Team Exercises

Adding social elements to your cybersecurity awareness training is a good practice because it allows employees to work together just as they would have to in the event of an attack. Employees who feel isolated during their training may not trust their colleagues to be reliable in this area, whereas employees who have worked together in training are more likely to be able to work together in practice. Cooperation is key, not just for security breaches, but for all aspects of a business. Employees who understand their role in a team and know how to work together to solve problems are not just better prepared in terms of cybersecurity awareness, but also better prepared to carry out their normal operations.

6. Repetition

The digital landscape is constantly changing, and cyber threats are evolving as well. This, combined with the human tendency to forget information or push it to the back of our minds after a while, means that ongoing training is vital. Refreshing information that employees have previously learned and providing new information that has emerged in the intervening time will help employees to understand that their cybersecurity awareness training is always relevant and present, rather than a distant concern. Depending on the frequency of training and the methods used, this can also allow you to track employees’ progress over time and potentially bestow rewards for consistently good performance or improvement.

Conclusion

As with many things in life, cybersecurity awareness training is often considered a necessary evil. While it is necessary, it does not have to be an evil at all. Gamification is a highly effective tactic to make sure that employees understand and internalize important information, and possibly even look forward to their training sessions. By leveraging simple concepts of rewards, teamwork, simulations, quizzes, and visual aids, you can give your employees an experience that is more engaging, more entertaining, and more effective than traditional methods.

About the Author: PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini (SecurityAffairs – hacking, cyberSecurity)

The post Tips for Gamifying Your Cybersecurity Awareness Training Program appeared first on Security Affairs.

[Category: Breaking News, Security, awareness, Cybersecurity, gamification, IT Information Security, Pierluigi Paganini, Security Affairs]

11/29/22 12:32am
The Irish Data Protection Commission (DPC) fined Meta for not protecting Facebook users’ data from scraping.

Meta has been fined €265 million ($275.5 million) by the Irish Data Protection Commission (DPC) for the data leak suffered by Facebook in 2021 that exposed the data of millions of Facebook users. The Data Protection Commission is also imposing a range of corrective measures on Meta.

“The Data Protection Commission (DPC) has today announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures.” reads the DPC’s press release.

On April 3rd, 2021, a user leaked the phone numbers and personal data of 533 million Facebook users on a hacking forum, for free. The availability of the data was first reported by Alon Gal, CTO of the cyber intelligence firm Hudson Rock. The data of Facebook users from 106 countries were available for free, with over 32 million records belonging to users from the US, 11 from the UK, and 6 million users from India. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

Immediately after the disclosure of the data leak, the Irish DPC launched an investigation into potential GDPR violations by Meta. The data were amassed by threat actors by exploiting a vulnerability, fixed in 2019, that allowed data scraping from the social network.

“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”

The DPC has now concluded its investigation and found that Meta violated the GDPR by not implementing appropriate technical and organizational measures and not adopting the safeguards required by the European regulation.

“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.

Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Irish privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.

Pierluigi Paganini (SecurityAffairs – hacking, Meta)

The post Irish data protection commission fines Meta over 2021 data-scraping leak appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Laws and regulations, Security, Social Networks, data scraping, Hacking, information security news, IT Information Security, Meta, Pierluigi Paganini, Security Affairs, Security News]

11/28/22 1:08pm
ESET announced the discovery of a vulnerability impacting Acer laptops that can allow an attacker to deactivate UEFI Secure Boot.

ESET researchers announced in a series of tweets the discovery of a vulnerability impacting Acer laptops; the issue can allow an attacker to deactivate UEFI Secure Boot. The experts explained that the flaw, tracked as CVE-2022-4020, is similar to the Lenovo vulnerabilities the company disclosed earlier this month. As in Lenovo’s case, an attacker can trigger the issue to deactivate UEFI Secure Boot by creating an NVRAM variable directly from the OS.

“#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the “BootOrderSecureBootDisable” NVRAM variable (notice the same name as in case of Lenovo’s #CVE-2022-3431). If the variable exists, the driver disables Secure Boot. 2/3 pic.twitter.com/AcP4IqH1lt”
— ESET research (@ESETresearch) November 28, 2022

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 specification designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system.” An attacker able to bypass Secure Boot could bypass any security measure running on the machine and achieve persistence even if the OS is reinstalled.

CVE-2022-4020 impacts certain versions of the Acer Aspire A315-22; the vulnerability resides in the HQSwSmiDxe DXE driver on these consumer Acer notebook devices. As with the Lenovo issues, an attacker with elevated privileges can exploit the bug to modify UEFI Secure Boot settings by modifying an NVRAM variable. The DXE driver BootOrderDxe simply disables UEFI Secure Boot if the NVRAM variable “BootOrderSecureBootDisable” exists. ESET explained that the flaw affects only five devices: Aspire A315-22/22G, A115-21 and Extensa EX215-21/21G.
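From the defender’s side, the useful check on a machine like this is whether the firmware is currently reporting Secure Boot as enabled and whether a variable with the name the vulnerable driver looks for is present at all. The script below is an added example, not ESET’s or Acer’s tooling, written for a Linux host with efivarfs mounted: it reads the Secure Boot state from the standard SecureBoot variable under the EFI global variable GUID and lists any variable named BootOrderSecureBootDisable regardless of the GUID it carries, because the page does not give the GUID the driver uses. The variable table embedded in the script is constructed sample data and the all-zero GUID on the disable variable is a placeholder.

```python
import os
from pathlib import Path
from typing import Dict, List, Optional

# Variable name the vulnerable driver checks for, as reported by ESET.
DISABLE_VAR_NAME = "BootOrderSecureBootDisable"
# EFI_GLOBAL_VARIABLE GUID; firmware publishes the Secure Boot state under this entry name.
SECURE_BOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

# Constructed sample table: {efivarfs entry name: raw file contents}.
# An efivarfs file starts with a 4-byte little-endian attribute word, then the data.
# The all-zero GUID on the disable variable is a placeholder, not the real one.
SAMPLE_VARS: Dict[str, bytes] = {
    SECURE_BOOT_VAR: b"\x06\x00\x00\x00" + b"\x00",  # BS|RT attrs, data 0 = Secure Boot off
    "BootOrderSecureBootDisable-00000000-0000-0000-0000-000000000000":
        b"\x07\x00\x00\x00" + b"\x01",               # NV|BS|RT attrs, data 1
    "BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c":
        b"\x07\x00\x00\x00" + b"\x00\x00\x01\x00",   # ordinary boot-order entry
}


def load_efivars(efivars: Path = EFIVARS) -> Dict[str, bytes]:
    """Read every variable file under efivarfs into memory; unreadable entries are skipped."""
    table: Dict[str, bytes] = {}
    for entry in os.listdir(efivars):
        try:
            table[entry] = (efivars / entry).read_bytes()
        except OSError:
            continue
    return table


def var_data(raw: bytes) -> bytes:
    """Drop the 4-byte attribute prefix and return the variable payload."""
    return raw[4:] if len(raw) >= 4 else b""


def variable_name(entry: str) -> str:
    """Strip the trailing '-<GUID>' (five dash-separated groups) from an entry name."""
    parts = entry.rsplit("-", 5)
    return parts[0] if len(parts) == 6 else entry


def secure_boot_enabled(table: Dict[str, bytes]) -> Optional[bool]:
    """True/False from the SecureBoot variable, None if it is absent or empty."""
    raw = table.get(SECURE_BOOT_VAR)
    if raw is None or not var_data(raw):
        return None
    return var_data(raw)[0] == 1


def find_disable_variables(table: Dict[str, bytes]) -> List[str]:
    """Every entry whose name (GUID aside) matches the driver's disable switch."""
    return sorted(e for e in table if variable_name(e) == DISABLE_VAR_NAME)


def assess(table: Dict[str, bytes]) -> Dict[str, object]:
    hits = find_disable_variables(table)
    return {
        "secure_boot": secure_boot_enabled(table),
        "disable_vars": hits,
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    # Use the live efivarfs when present, otherwise the constructed sample.
    table = load_efivars() if EFIVARS.is_dir() else SAMPLE_VARS
    print(assess(table))
```

Run as root on an affected model after the BIOS update, a clean machine should report `secure_boot: True` and an empty `disable_vars` list; a hit on the disable variable with Secure Boot reported off is the state the page describes and is worth an incident ticket rather than a silent delete.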
According to Acer, an update should be distributed as a critical Windows update. Alternatively, the updated BIOS version can be downloaded here.

“Overall, 5 devices are affected: Aspire A315-22/22G, A115-21 and Extensa EX215-21/21G. According to Acer: https://t.co/YDVBvMastj, update should be distributed as a critical Windows update. Alternatively, updated BIOS version is available for download: https://t.co/39Ys8oFNbJ 3/3”
— ESET research (@ESETresearch) November 28, 2022

Pierluigi Paganini (SecurityAffairs – hacking, Moshen Dragon)

The post A flaw in some Acer laptops can be used to bypass security features appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, Acer, hacking news, information security news, IT Information Security, Pierluigi Paganini, Secure Boot, Security Affairs, Security News, UEFI]

11/28/22 8:04am
Amazon Web Services (AWS) fixed a cross-tenant vulnerability that could have allowed attackers to gain unauthorized access to resources.

Amazon Web Services (AWS) has addressed a cross-tenant confused deputy problem in its platform that could have allowed threat actors to gain unauthorized access to resources. The problem was reported to the company by researchers from Datadog on September 1, 2022, and the bug was fixed on September 6.

A confused deputy problem occurs when an entity that doesn’t have permission to perform an action can coerce a more-privileged entity into performing the action. AWS provides tools to protect an account when the owner grants third parties (known as cross-account) or other AWS services (known as cross-service) access to resources in the account.

The issue is related to the AppSync service in AWS, which allows developers to quickly create GraphQL and Pub/Sub APIs.

“We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync.” reads the report published by Datadog. “This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts.”

Amazon investigated potential exploitation of the issue in the wild and determined that no customers were affected.

“A security researcher recently disclosed a case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service’s cross-account role usage validations and take action as the service across customer accounts.” reads the advisory published by Amazon. “No customers were affected by this issue, and no customer action is required. AWS moved immediately to correct this issue when it was reported. Analysis of logs going back to the launch of the service has been conducted and we have conclusively determined that the only activity associated with this issue was between accounts owned by the researcher. No other customer accounts were impacted.”

In the attack scenario, a less-privileged entity (the attacker) can force a privileged entity or service (AppSync) to perform some action on its behalf. The experts pointed out that, to authorize the actions AppSync will perform, the developer creates a role (or AppSync can automatically create it on their behalf) with the required IAM permissions. The created role has a trust policy that allows the AppSync service to assume it. Using the S3 example, if a developer was building that API, they would create a role with the S3 permissions they need and allow AppSync to assume that role. When that GraphQL API is called, AppSync assumes the role, performs the AWS API call, and interprets the results.

The experts pointed out that AWS does have safeguards in place to prevent AppSync from assuming arbitrary roles by validating the role’s Amazon Resource Name (ARN). The check could be eluded simply by passing the serviceRoleArn parameter in lower case, which let an attacker supply the identifier of a role in a different AWS account.

“This vulnerability in AWS AppSync allowed attackers to cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service. By using this method, attackers could breach organizations that used AppSync and gain access to resources associated with those roles.” concludes the report. “After finding this vulnerability, we contacted the AWS Security Team who swiftly remediated the issue.”
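The case-sensitivity issue above is a parser differential: a validator that only recognises the exact key `serviceRoleArn`, sitting in front of a backend that resolves parameter names case-insensitively. The following Python script is an added illustration of that pattern, not Datadog’s or AWS’s code; the function names, the parameter set and the 12-digit account IDs are constructed assumptions. It shows the weak validator beside a hardened one that canonicalises keys the same way the backend does, rejects duplicate and unknown keys, and pins the role’s account to the caller’s account.

```python
import re
from typing import Dict, Mapping, Optional, Tuple

# Shape of an IAM role ARN; group 1 is the 12-digit account ID the role belongs to.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Parameter names the (constructed) API accepts, compared after lower-casing.
ALLOWED_KEYS = {"servicerolearn", "datasourcename"}


def account_of(arn: str) -> Optional[str]:
    """Account ID embedded in a role ARN, or None if the ARN is malformed."""
    m = ARN_RE.match(arn)
    return m.group(1) if m else None


def backend_lookup(params: Mapping[str, str], name: str) -> Optional[str]:
    """Models a backend that resolves parameter names case-insensitively."""
    wanted = name.lower()
    for key, value in params.items():
        if key.lower() == wanted:
            return value
    return None


def validate_weak(params: Mapping[str, str], caller_account: str) -> bool:
    """Weak validator: only looks at the exact key 'serviceRoleArn'.
    A request that spells the key differently looks like it carries no role,
    so the cross-account check is skipped entirely."""
    arn = params.get("serviceRoleArn")
    if arn is None:
        return True
    return account_of(arn) == caller_account


def validate_hardened(params: Mapping[str, str], caller_account: str) -> bool:
    """Hardened validator: canonicalise keys exactly as the backend does,
    refuse ambiguous duplicates and unknown keys, then enforce the account pin."""
    canon: Dict[str, str] = {}
    for key, value in params.items():
        lk = key.lower()
        if lk in canon:
            return False           # two spellings of one key: ambiguous, reject
        canon[lk] = value
    if not set(canon) <= ALLOWED_KEYS:
        return False               # unknown parameter: reject rather than ignore
    arn = canon.get("servicerolearn")
    if arn is None:
        return True                # no role supplied, nothing to pin
    return account_of(arn) == caller_account


def simulate(validator, params: Mapping[str, str], caller_account: str) -> Tuple[bool, Optional[str]]:
    """(request allowed?, role ARN the backend would go on to assume)."""
    if not validator(params, caller_account):
        return (False, None)
    return (True, backend_lookup(params, "serviceRoleArn"))
```

The point to take from `validate_hardened` is not the lower-casing itself but that validation and execution must parse the request identically; whenever the two layers disagree about what a key means, the validator is checking a request the backend never sees.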
Pierluigi Paganini (SecurityAffairs – hacking, Amazon Web Services)

The post Experts found a vulnerability in AWS AppSync appeared first on Security Affairs.

[Category: Breaking News, Hacking, Amazon Web Services, AWS, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News]

11/28/22 1:25am
Several Ukrainian organizations were hit by the Russia-linked RansomBoggs ransomware in the last week, ESET reports.

Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs, against Ukrainian organizations. The security firm first detected the attacks on November 21 and immediately alerted CERT-UA. The ransomware is written in .NET, and the experts noticed that its deployment is similar to previous attacks attributed to the Russia-linked Sandworm APT group.

“On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9 pic.twitter.com/WyxzCZSz84”
— ESET research (@ESETresearch) November 25, 2022

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions in damage. In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper. The APT group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink”, dismantled by the US government in April. From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113). In September 2022, Sandworm was observed impersonating telecommunication providers to target Ukrainian entities with malware.

The analysis of the RansomBoggs code revealed that the authors make multiple references to the Pixar movie Monsters, Inc. The ransom note, SullivanDecryptsYourFiles.txt, shows the authors impersonating the movie’s main character, James P. Sullivan, and the executable file is also named Sullivan.<version?>.exe.

Threat actors used a PowerShell script to spread the ransomware; the experts noticed that it is almost identical to the script detected in April during the Industroyer2 attacks against the energy sector.

“There are similarities with previous attacks conducted by #Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the #Industroyer2 attacks against the energy sector. 4/9 pic.twitter.com/fdh6A2FCXk”
— ESET research (@ESETresearch) November 25, 2022

The PowerShell script was tracked by CERT-UA as POWERGAP and was used to deploy the CaddyWiper wiper in the April attacks against Ukrainian entities.

RansomBoggs encrypts files using AES-256 in CBC mode and appends the .chsch extension to the encrypted files. The AES key is then RSA-encrypted and written to aes.bin. In some of the variants analyzed by ESET the RSA public key was hardcoded, while in other samples it was provided as an argument.

In October, Microsoft reported a similar campaign targeting entities in Ukraine and Poland with ransomware called Prestige and attributed the attacks to Sandworm.

ESET also shared Indicators of Compromise (IoCs) for RansomBoggs.

“IoCs:
F4D1C047923B9D10031BB709AABF1A250AB0AAA2
021308C361C8DE7C38EF135BC3B53439EB4DA0B4
ESET Detection names:
MSIL/Filecoder.Sullivan.A
MSIL/Filecoder.RansomBoggs.A
9/9”
— ESET research (@ESETresearch) November 25, 2022

Pierluigi Paganini (SecurityAffairs – hacking, RansomBoggs ransomware)

The post RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia appeared first on Security Affairs.

[Category: Breaking News, Cyber warfare, Hacking, Malware, Cybercrime, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, RansomBoggs Ransomware, Russia, Security Affairs, Ukraine]

11/27/22 6:45am
A new round of the weekly SecurityAffairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your email box. If you also want to receive the free newsletter with the international press, subscribe here.

Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches
Devices from Dell, HP, and Lenovo used outdated OpenSSL versions
Google fixed the eighth actively exploited #Chrome #zeroday this year
Experts investigate WhatsApp data leak: 500M user records for sale
An international police operation dismantled the spoofing service iSpoof
UK urges to disconnect Chinese security cameras in government buildings
RansomExx Ransomware upgrades to Rust programming language
An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware
Threat actors exploit discontinued Boa web servers to target critical infrastructure
Pro-Russian group Killnet claims responsibility for DDoS attack that has taken down the European Parliament site
Ducktail information stealer continues to evolve
Experts claim that iPhone’s analytics data is not anonymous
Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966
Exclusive – Quantum Locker lands in the Cloud
5 API Vulnerabilities That Get Exploited by Criminals
Researcher warns that Cisco Secure Email Gateways can easily be circumvented
Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem
Two Estonian citizens arrested in $575M cryptocurrency fraud scheme
Emotet is back and delivers payloads like IcedID and Bumblebee
Expert published PoC exploit code for macOS sandbox escape flaw
Google won a lawsuit against the Glupteba botnet operators
Google provides rules to detect tens of cracked versions of Cobalt Strike
Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild
PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online

Pierluigi Paganini (SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 395 appeared first on Security Affairs.

[Category: Breaking News, Cybercrime, data breach, Hacking, hacking news, information security news, IT Information Security, malware, Newsletter, Pierluigi Paganini, Security Affairs, Security News]

11/27/22 5:16am
The U.S. Federal Communications Commission announced it will completely ban the import of electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua.

The U.S. Federal Communications Commission (FCC) announced a total ban on telecom and surveillance equipment from the Chinese companies Huawei, ZTE, Hytera, Hikvision, and Dahua due to an unacceptable national security threat. The US government had already added the companies to the Covered List, and the new rules aim at protecting Americans from national security threats involving telecommunications.

“The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks.” reads the announcement published by the FCC. “In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.”

“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”

The new rules implement the directive in the Secure Equipment Act of 2021, which was signed by President Biden in November. The Chinese firms Hytera, Hikvision, and Dahua have to provide details about the safeguards they have implemented on the sale of their devices for government use and for the surveillance of critical infrastructure facilities.

In September, the U.S. Federal Communications Commission (FCC) added Pacific Network Corp, ComNet (USA) LLC, and China Unicom (Americas) Operations Limited to the Covered List. The FCC explained that the above companies are subject to the exploitation, influence and control of the Chinese government, and to the national security risks associated with such exploitation, influence, and control.

This week, the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing them. The risk is related to the use of security cameras manufactured by the Chinese-owned companies Dahua and Hikvision.

Pierluigi Paganini (SecurityAffairs – hacking, Federal Communications Commission)

The post US FCC bans the import of electronic equipment from Chinese firms appeared first on Security Affairs.

[Category: Breaking News, Intelligence, Security, China, FCC, Hacking, hacking news, information security news, Pierluigi Paganini, Security Affairs, Security News]

11/26/22 2:11pm
The massive data breach suffered by Twitter that exposed emails and phone numbers of its customers may have impacted more than five million users. At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform. The threat actor offered for sale the stolen data on the popular hacking forum Breached Forums. In January, a report published on Hacker claimed the discovery of a vulnerability that can be exploited by an attacker to find a Twitter account by the associated phone number/email, even if the user has opted to prevent this in the privacy options. “The vulnerability allows any party without any authentication to obtain a twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibitted this action in the privacy settings. The bug exists due to the proccess of authorization used in the Android Client of Twitter, specifically in the procces of checking the duplication of a Twitter account.” ” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavaliable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of tageting celebrities in different malicious activities” The seller claimed that the database was containing data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of data in the form of a csv file. 
In August, Twitter confirmed that the data breach was caused by the now-patched zero-day flaw submitted by the researchers zhirinovskiy via bug bounty platform HackerOne and that he received a $5,040 bounty. “We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads the Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm. “This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.” This week, the website 9to5mac.com claimed that the data breach was word than initially reported by the company. The website reports that multiple threat actors exploited the same flaw and the data available in the cyberscrime underground have differed sources. A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources. reads the post published by 9to5mac.com 9to5Macs claims are based on the availability of the dataset that contained the same information in a different format offered by a a different threat actor. The source told the website that the database was just one of a number of files they have seen. 
It seems that the impacted accounts are only those that had the Discoverability | Phone option (which is hard to find within Twitter’s settings) enabled in late 2021. The archive seen by 9to5Mac includes data belonging to Twitter users in the UK, almost every EU country, and parts of the US.

“I have obtained multiple files, one per phone number country code, containing the phone number <- Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999,” the source told 9to5Mac. Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.

The experts speculate that multiple threat actors had access to the Twitter database and combined it with data from other security breaches. The security researcher behind the account @chadloder (Twitter after the disclosure of the news) told 9to5Mac that the email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability. The researcher told the website that they would reach out to Twitter for comment, but the entire media relations team had left the company.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini (SecurityAffairs – hacking, Twitter)

The post Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Data Breach, Hacking, Security, Cybercrime, data breach, data leak, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Twitter]

[l] at 11/25/22 5:35pm
Researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library. Binarly researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library. The OpenSSL software library enables secure communications over computer networks, protecting against eavesdropping and allowing each side to identify the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The researchers discovered the issue by analyzing firmware images used in devices from the above manufacturers. The experts analyzed EDK II, one of the core frameworks used as part of any UEFI firmware, which has its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component. EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications. The main EDK II repository is hosted on GitHub and is frequently updated. The experts first analyzed Lenovo ThinkPad enterprise devices and discovered that they used different versions of OpenSSL within the same firmware image. Lenovo ThinkPad enterprise devices used three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The most recent OpenSSL version was released in 2018.

“Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years,” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip. This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”
One of the firmware modules, named InfineonTpmUpdateDxe, uses OpenSSL version 0.9.8zb, which was released on August 4, 2014. The researchers discovered that the most recent OpenSSL version used on Lenovo enterprise devices dates back to the summer of 2021. The following image reports, for each vendor, all the versions of OpenSSL detected by the Binarly Platform in the wild: The experts pointed out that the same device firmware code often relies on different versions of OpenSSL. The reason for this design choice is that third-party code in the supply chain depends on its own code base, which is often not available to device firmware developers. The researchers explained that this introduces an extra layer of supply chain complexity.

“Most of the OpenSSL dependencies are linked statically as libraries to specific firmware modules that create compile-time dependencies which are hard to identify without deep code analysis capabilities,” continues the report. “Historically the problem within third-party code dependencies is not an easy issue to solve at the compiled code level.”

The experts noticed that devices from Dell and Lenovo relied on version 0.9.8l, which dates back to 2009. Some Lenovo devices used version 1.0.0a, which dates back to 2010, while all three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w, which dates back to 2012.

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” concludes the report. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
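The binary-level SBOM validation Binarly calls for can be sketched in a few dozen lines, because libcrypto carries its OPENSSL_VERSION_TEXT banner as a plain string that survives static linking. The following Python is an added example, not Binarly's tooling or any code from the report: it recovers every OpenSSL banner from the bytes of each firmware module and compares the result with the version a vendor SBOM declares for that module, flagging mismatches, undeclared versions, and versions on branches the OpenSSL project no longer maintains. The module blobs and the SBOM are constructed for the demonstration; InfineonTpmUpdateDxe is the module named on the page, while TlsDxe and SecureBootHelperDxe are hypothetical names, and the EOL branch list reflects the OpenSSL release policy as an assumption you should refresh from the project's own schedule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# libcrypto embeds its OPENSSL_VERSION_TEXT banner ("OpenSSL 0.9.8zb ...") as a
# plain string, so it survives static linking into a UEFI module and can be
# recovered from the module's bytes without symbols or a disassembler.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")

# OpenSSL branches whose upstream support has ended (assumption based on the
# project's release policy; refresh from openssl.org before relying on it).
EOL_BRANCHES = {"0.9.8", "1.0.0", "1.0.1", "1.0.2", "1.1.0"}


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """'0.9.8zb' -> (0, 9, 8, 'zb'), a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def branch_of(version: str) -> str:
    """'0.9.8zb' -> '0.9.8' (the release branch the letter suffix belongs to)."""
    return ".".join(str(n) for n in parse_version(version)[:3])


def find_openssl_versions(module: bytes) -> Set[str]:
    """Every distinct OpenSSL banner embedded in one firmware module."""
    return {m.group(1).decode("ascii") for m in OPENSSL_BANNER.finditer(module)}


@dataclass
class Finding:
    module: str
    found: str               # version recovered from the binary, or "-" if none
    declared: Optional[str]  # version the vendor SBOM lists for the module
    status: str


def validate_sbom(modules: Dict[str, bytes], sbom: Dict[str, str]) -> List[Finding]:
    """Trust-but-verify: compare banners found in each module with the SBOM."""
    findings: List[Finding] = []
    for name in sorted(modules):
        declared = sbom.get(name)
        found = find_openssl_versions(modules[name])
        if not found:
            if declared is not None:
                findings.append(Finding(name, "-", declared, "declared-but-not-found"))
            continue
        for version in sorted(found, key=parse_version):
            if declared is None:
                status = "undeclared"
            elif version != declared:
                status = "mismatch"
            else:
                status = "match"
            if branch_of(version) in EOL_BRANCHES:
                status += ",eol-branch"
            findings.append(Finding(name, version, declared, status))
    return findings


# Constructed stand-ins for extracted UEFI modules: padding around banner strings.
# Real inputs are the PE32+ images dumped from the firmware volume.
SAMPLE_MODULES: Dict[str, bytes] = {
    "InfineonTpmUpdateDxe": b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 0.9.8zb\x00" + b"\x00" * 8,
    "TlsDxe": b"MZ\x90\x00" + b"OpenSSL 1.0.2j\x00" + b"\x00" * 8 + b"OpenSSL 1.0.0a\x00",
    "SecureBootHelperDxe": b"MZ\x90\x00" + b"no crypto linked here\x00",
}

# A constructed vendor SBOM that claims one uniform OpenSSL version everywhere.
SAMPLE_SBOM: Dict[str, str] = {
    "InfineonTpmUpdateDxe": "1.0.2j",
    "TlsDxe": "1.0.2j",
    "SecureBootHelperDxe": "1.0.2j",
}

if __name__ == "__main__":
    for f in validate_sbom(SAMPLE_MODULES, SAMPLE_SBOM):
        print(f"{f.module:24} found={f.found:8} declared={f.declared or '-':8} {f.status}")
```

Running it lists one line per (module, version) pair: the TPM update module reports a 0.9.8 build the SBOM never mentioned, TlsDxe links two different OpenSSL versions at once, and the helper module declares a dependency that is not actually present. A banner scan is only a first pass (a vendor can strip strings, and a banner does not tell you which functions were linked), but it is cheap enough to run on every firmware release and catches exactly the class of discrepancy the report describes.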
Pierluigi Paganini (SecurityAffairs – hacking, firmware)

The post Devices from Dell, HP, and Lenovo used outdated OpenSSL versions appeared first on Security Affairs.

[Category: Breaking News, Security, Firmware, Hacking, hacking news, HP, information security news, IT Information Security, Lenovo, OpenSSL, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/25/22 6:50am
Google on Thursday released security updates to address a new zero-day vulnerability, tracked as CVE-2022-4135, impacting the Chrome web browser. Google rolled out an emergency security update for the desktop version of the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4135, that is actively exploited. The CVE-2022-4135 vulnerability is a heap buffer overflow issue in the GPU component. The vulnerability was reported by Clement Lecigne of Google's Threat Analysis Group on November 22, 2022. As usual, Google did not share technical details about the vulnerability, in order to allow users to update their Chrome installations first.

“Google is aware that an exploit for CVE-2022-4135 exists in the wild,” reads the advisory published by Google. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

An attacker can exploit the heap buffer overflow to potentially gain arbitrary code execution on systems running vulnerable versions of the browser. Google fixed the zero-day with the release of version 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows, which the company plans to roll out over the coming days/weeks. The CVE-2022-4135 vulnerability is the eighth actively exploited Chrome zero-day addressed by Google this year. Below is the list of the other zero-days fixed by the tech giant:

CVE-2022-3723 (October 28) – type confusion issue that resides in the V8 JavaScript engine
CVE-2022-3075 (September 2) – insufficient data validation in the Mojo collection of runtime libraries
CVE-2022-2856 (August 17) – insufficient validation of untrusted input in Intents
CVE-2022-2294 (July 4) – heap buffer overflow in the Web Real-Time Communications (WebRTC) component
CVE-2022-1364 (April 14) – type confusion issue that resides in the V8 JavaScript engine
CVE-2022-1096 (March 25) – type confusion in the V8 JavaScript engine
CVE-2022-0609 (February 14) – use after free issue that resides in the Animation component

Chrome users are recommended to update their installations as soon as possible to neutralize attacks attempting to exploit the zero-day.

Pierluigi Paganini (SecurityAffairs – hacking, zero-day)

The post Google fixed the eighth actively exploited #Chrome #zeroday this year appeared first on Security Affairs.

[Category: Breaking News, Hacking, Security, Chrome, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security News, zero-Day]

[l] at 11/25/22 5:20am
Cybernews investigated a data sample available for sale containing up-to-date mobile phone numbers of nearly 500 million WhatsApp users. Original post published by Cybernews: https://cybernews.com/news/whatsapp-data-leak/

On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included. Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million). The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers. The threat actor told Cybernews they were selling the US dataset for $7,000, the UK dataset for $2,500, and the German dataset for $2,000. Such information is mostly used by attackers for smishing and vishing attacks, so we recommend that users remain wary of calls from unknown numbers and of unsolicited calls and messages. WhatsApp is reported to have more than two billion monthly active users globally.

Upon request, the seller of WhatsApp’s database shared a sample of data with Cybernews researchers. There were 1097 UK and 817 US user numbers in the shared sample. Cybernews investigated all the numbers included in the sample and managed to confirm that all of them are, in fact, WhatsApp users. The seller did not specify how they obtained the database, suggesting they “used their strategy” to collect the data, and assured Cybernews all the numbers in the instance belong to active WhatsApp users. Cybernews reached out to WhatsApp’s parent company, Meta, but received no immediate response. We will update the article as soon as we learn more.
The information on WhatsApp users could have been obtained by harvesting information at scale, also known as scraping, which violates WhatsApp’s Terms of Service. This claim is purely speculative. However, quite often, massive data dumps posted online turn out to have been obtained by scraping. Meta itself, long criticized for letting third parties scrape or collect user data, saw over 533 million user records leaked on a dark web forum. The actor was sharing the dataset practically for free. Days after a massive Facebook data leak made the headlines, an archive containing data purportedly scraped from 500 million LinkedIn profiles had been put up for sale on a popular hacker forum. Leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud.

“In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data,” head of Cybernews research team Mantas Sasnauskas said. “We should ask whether an added clause of scraping or platform abuse is not permitted in the Terms and Conditions is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”

If you want to know how to prevent data leaks, read the original post published by CyberNews.

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Pierluigi Paganini (SecurityAffairs – hacking, WhatsApp)

The post Experts investigate WhatsApp data leak: 500M user records for sale appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Deep Web, Hacking, Cybercrime, hacking news, information security news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News, WhatsApp]

[l] at 11/25/22 3:27am
An international law enforcement operation has dismantled an online phone number spoofing service called iSpoof. The operation, conducted by authorities in Europe, Australia, the United States, Ukraine, and Canada with the support of Europol, dismantled the online phone number spoofing service iSpoof. The iSpoof service allowed fraudsters to impersonate trusted corporations or contacts in an attempt to gain access to sensitive information from victims. Threat actors used the service to trick victims into disclosing financial or private information or transferring money.

“The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords,” reads the announcement published by Europol. “The users were able to impersonate an infinite number of entities (such as banks, retail companies and government institutions) for financial gain and substantial losses to victims.”

The ‘spoofing’ service is believed to have caused an estimated worldwide loss in excess of GBP 100 million (EUR 115 million). “Some victims have seen their savings or pension pot disappear within hours,” reported the Dutch Police. The investigation, dubbed Operation Elaborate, was launched in October 2021 at the request of the UK authorities. iSpoof was launched in December 2020, and authorities estimated it had 59,000 users.

“The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century. Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands,” London’s Metropolitan Police Commissioner Sir Mark Rowley stated.
“By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people.”

In the coordinated effort led by the United Kingdom, 142 suspects have been arrested, including the administrator of the iSpoof website (ispoof[.]me and ispoof[.]cc). The police seized the servers behind the service, and two days later Ukrainian and U.S. agencies took them offline.

“The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located,” Europol’s Executive Director Ms Catherine De Bolle said. “Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.”

“As cybercrime knows no borders, effective judicial cooperation across jurisdictions is key in bringing its perpetrators to court. Eurojust supports national authorities in their efforts to protect citizens against online and offline threats, and to help see that justice gets done,” Eurojust President Mr Ladislav Hamran said.

Pierluigi Paganini (SecurityAffairs – hacking, iSpoof)

The post An international police operation dismantled the spoofing service iSpoof appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Cybercrime, Hacking, hacking news, iSpoof, IT Information Security, Pierluigi Paganini, Security Affairs, Security News, Social Engineering, Spoofing]

[l] at 11/24/22 11:35pm
The British government banned the installation of Chinese-linked security cameras at sensitive facilities due to security risks. Reuters reports that the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing them.

“The decision comes after a review of current and future possible security risks associated with the installation of visual surveillance systems on the government estate,” cabinet office minister Oliver Dowden said in a written statement to parliament, states Reuters. The security cameras of the two Chinese firms are widely adopted by a number of government departments, including the interior and business ministries. Dowden pointed out that the surveillance cameras must be carefully scrutinized because of the capability and connectivity of these systems.

“The review has concluded that, in light of the threat to the UK and the increasing capability and connectivity of these systems, additional controls are required,” Dowden said. “Departments have therefore been instructed to cease deployment of such equipment onto sensitive sites, where it is produced by companies subject to the National Intelligence Law of the People’s Republic of China.”

The risk is related to the use of security cameras manufactured by the Chinese-owned companies Dahua and Hikvision. Both companies are also on the Covered List maintained by the U.S. Federal Communications Commission (FCC). The Covered List, published by the Public Safety and Homeland Security Bureau, includes products and services that could pose an unacceptable risk to the national security of the United States or the security and safety of United States persons.
Pierluigi Paganini (SecurityAffairs – hacking, security cameras)

The post UK urges to disconnect Chinese security cameras in government buildings appeared first on Security Affairs.

[Category: Breaking News, Digital ID, Intelligence, China, Dahua, Hacking, hacking news, Hikvision, IT Information Security, Pierluigi Paganini, privacy, Security Affairs, security camers, Security News, UK]

[l] at 11/24/22 2:19pm
RansomExx is the latest ransomware, in order of time, to get a version written entirely in the Rust programming language. The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware, tracked as RansomExx2, that has been ported to the Rust programming language. The move follows the decision of other ransomware gangs, such as Hive, BlackCat, and Luna, to rewrite their ransomware in Rust. The main reason to rewrite malware in Rust is to achieve lower AV detection rates compared to malware written in more common languages. RansomExx2 was developed to target the Linux operating system, but experts believe that the ransomware operators are already working on a Windows version.

The RansomExx operation has been active since 2018; the list of its victims includes government agencies, the computer manufacturer and distributor GIGABYTE, and the Italian luxury brand Zegna. RansomExx is operated by the DefrayX threat actor group (Hive0091), which also developed the PyXie RAT, Vatet loader, and Defray ransomware strains. The functionality implemented in RansomExx2 is very similar to that of previous RansomExx Linux variants.

“RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys,” reads the analysis published by IBM Security X-Force.

The ransomware iterates through the specified directories, enumerating and encrypting files. The malware encrypts any file greater than or equal to 40 bytes and gives each file a new extension. RansomExx2 encrypts files using the AES-256 algorithm and drops a ransom note in each encrypted directory.

“RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and Blackcat),” concludes the report. “While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch to Rust suggests a continued focus on the development and innovation of the ransomware by the group, and continued attempts to evade detection.”

Pierluigi Paganini (SecurityAffairs – hacking, RansomExx ransomware)

The post RansomExx Ransomware upgrades to Rust programming language appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, Cybercrime, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, RansomEXX ransomware, Security Affairs, Security News]

[l] at 11/24/22 2:59am
Researchers warn of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. In the last two weeks, the experts observed attacks against more than 10 different US-based customers. Black Basta has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model. Security researchers at Sentinel Labs recently shared details about Black Basta’s TTPs and assess it is highly likely the ransomware operation has ties with FIN7. In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network.

“QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials,” reads the report published by Cybereason. “Once QakBot has successfully infected an environment, the malware installs a backdoor allowing the threat actor to drop additional malware—namely, ransomware.”

The attack chain starts with a QBot infection. The operators use the post-exploitation tool Cobalt Strike to take over the machine and finally deploy the Black Basta ransomware. The attacks began with a spam/phishing email containing malicious URL links. The researchers noticed that once the threat actor obtains access to the network, it moves extremely fast. In some cases observed by Cybereason, the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours. The threat actor was also spotted locking the victims out of the network by disabling DNS services, making recovery even more complex.
In most of the attacks observed by the experts, the spear-phishing email contains a malicious disk image file. Upon opening the file, Qbot is executed, and the malware then connects to a remote server to retrieve the Cobalt Strike payload. Threat actors perform credential harvesting and lateral movement and use the gathered credentials to compromise as many endpoints as possible and deploy the Black Basta ransomware. Experts observed that the attackers were looking for machines without a defense sensor in an attempt to deploy additional malicious tools without being detected. The report includes indicators of compromise for this threat.

Pierluigi Paganini (SecurityAffairs – hacking, Black Basta ransomware)

The post An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, Black Basta ransomware, Cybercrime, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/24/22 1:46am
Microsoft reported that hackers have exploited flaws in a now-discontinued web server called Boa in attacks against critical industries. Microsoft experts believe that the threat actors behind a malicious campaign aimed at Indian critical infrastructure earlier this year exploited security flaws in the now-discontinued Boa web server. The Boa web server is widely used across a variety of devices, including IoT devices, and is often used to access settings and management consoles as well as sign-in screens. The experts pointed out that Boa has been discontinued since 2005. Researchers at Recorded Future observed several intrusion attempts on Indian critical infrastructure since 2020 and shared IoCs related to this campaign. Microsoft experts analyzed these IoCs and discovered that Boa servers were running on the IP addresses in the list of IoCs; they also explained that the electrical grid attack targeted exposed IoT devices running Boa. Microsoft also discovered that half of the IP addresses in the list published by Recorded Future returned suspicious HTTP response headers, which might be associated with the active deployment of a malicious tool identified by Recorded Future.

“Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators,” reads the report published by Recorded Future. “Most of the suspicious HTTP response headers were returned over a short timeframe of several days, leading researchers to believe they may be associated with intrusion and malicious activity on networks.”
Microsoft experts explained that despite Boa being discontinued in 2005, many vendors across a variety of IoT devices and popular software development kits (SDKs) continue to use it. The researchers identified over 1 million internet-exposed Boa server components around the world over the span of a week.

“We assessed the vulnerable component to be the Boa web server, which is often used to access settings and management consoles and sign-in screens in devices,” reads the report published by Microsoft. “Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files. Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”

Boa is known to be affected by multiple flaws, including CVE-2017-9833 and CVE-2021-33558, which can allow unauthenticated attackers to read arbitrary files, obtain sensitive information, and gain remote code execution.

“The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network,” concludes the report. “As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations.”
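Microsoft's point that owners may not know their devices run Boa is an inventory problem, and the same HTTP response headers the researchers used at internet scale can be used inward, on responses collected from your own management network. The following Python is an added example, not Microsoft's or Recorded Future's tooling: it parses the header block of raw HTTP responses, extracts the product and version from the Server header, and flags products on a discontinued list so the devices behind them can be found and scheduled for replacement or isolation. The page does not spell out which response headers were judged suspicious, so the example only covers the Server banner. The captured responses, the private addresses, and the version strings in them are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Server products the page identifies as discontinued and unmaintained. Extend this
# from your own component inventory; matching is case-insensitive on the product token.
DISCONTINUED_PRODUCTS = {"boa"}


@dataclass
class ServerBanner:
    host: str
    product: Optional[str]   # token before the "/" in the Server header
    version: Optional[str]   # token after the "/", if the header carries one
    discontinued: bool


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Header block of a raw HTTP/1.x response as a dict with lower-cased names.

    Only the first occurrence of a repeated header is kept, which suffices for Server.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:                      # lines[0] is the status line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return headers


def classify(host: str, raw: bytes) -> ServerBanner:
    """Split the Server header into product/version and flag discontinued products."""
    server = parse_headers(raw).get("server")
    if not server:
        return ServerBanner(host, None, None, False)
    product, _, rest = server.partition("/")
    product = product.strip()
    version = rest.split()[0] if rest.split() else None   # drop "(Ubuntu)"-style suffixes
    return ServerBanner(host, product, version, product.lower() in DISCONTINUED_PRODUCTS)


def audit(responses: Dict[str, bytes]) -> List[ServerBanner]:
    """Classify every captured response, hosts in sorted order."""
    return [classify(host, responses[host]) for host in sorted(responses)]


def discontinued_hosts(responses: Dict[str, bytes]) -> List[str]:
    """Hosts whose banner names a product on the discontinued list."""
    return [b.host for b in audit(responses) if b.discontinued]


# Constructed responses, as an internal scanner might capture them from devices on a
# management VLAN (private addresses; none of this comes from a real device).
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "10.0.0.5": (b"HTTP/1.1 401 Unauthorized\r\n"
                 b"Server: Boa/0.94.14rc21\r\n"
                 b"WWW-Authenticate: Basic realm=\"router\"\r\n"
                 b"Content-Type: text/html\r\n\r\n<html>login</html>"),
    "10.0.0.9": (b"HTTP/1.0 200 OK\r\n"
                 b"server: BOA/0.94.13\r\n"
                 b"Content-Type: text/html\r\n\r\n"),
    "10.0.0.12": (b"HTTP/1.1 200 OK\r\n"
                  b"Server: nginx/1.18.0 (Ubuntu)\r\n\r\n"),
    "10.0.0.20": (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/plain\r\n\r\nno banner"),
}

if __name__ == "__main__":
    for banner in audit(SAMPLE_RESPONSES):
        flag = "DISCONTINUED" if banner.discontinued else "ok"
        print(f"{banner.host:10} {banner.product or '-':8} {banner.version or '-':12} {flag}")
```

A banner is evidence, not proof: a vendor can rebrand or strip the Server header, and a device that answers with no banner at all still needs to be identified by other means (firmware SBOM, management-protocol fingerprints). The value of the check is that it is cheap to run continuously and turns the "we did not know we had Boa" problem into a concrete list of hosts.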
Pierluigi Paganini (SecurityAffairs – hacking, Boa)

The post Threat actors exploit discontinued Boa web servers to target critical infrastructure appeared first on Security Affairs.

[Category: Breaking News, Hacking, Boa web server, hacking news, IT Information Security, Pierluigi Paganini, Security Affairs, Security News]

[l] at 11/23/22 2:20pm
Pro-Russian hacker collective Killnet took down the European Parliament website with a DDoS cyberattack. The pro-Russia hacktivist group Killnet claimed responsibility for the DDoS attack that today took down the website of the European Parliament.

#KILLNET, the Pro-Russia #hacking group, claims to have launched a #DDoS attack against the European Parliament's (@Europarl_EN) official website. The website is currently unreachable from the pic.twitter.com/I8g4Fu0pgi — BetterCyber (@_bettercyber_) November 23, 2022

“KILLNET officially recognises the European Parliament as sponsors of homosexualism,” states the group. The attack was launched immediately after lawmakers approved a resolution calling Moscow a state sponsor of terrorism.

“The European Parliament is under a sophisticated cyberattack. A pro-Kremlin group has claimed responsibility,” said the parliament’s president, Roberta Metsola. “Our IT experts are pushing back against it and protecting our systems. This, after we proclaimed Russia as a State-sponsor of terrorism. My response: #SlavaUkraini (Glory to Ukraine).”

The @Europarl_EN is under a sophisticated cyberattack. A pro-Kremlin group has claimed responsibility. Our IT experts are pushing back against it & protecting our systems. This, after we proclaimed Russia as a State-sponsor of terrorism. My response: #SlavaUkraini — Roberta Metsola (@EP_President) November 23, 2022

The Director General for Communication and Spokesperson of the European Parliament, Jaume Duch, also confirmed the attack via Twitter.

The availability of @Europarl_EN website is currently impacted from outside due to high levels of external network traffic. This traffic is related to a DDOS attack (Distributed Denial of Service) event.
EP teams are working to resolve this issue as quickly as possible.— Jaume Duch (@jduch) November 23, 2022 European Pirate Party MEP Mikulas Peksa reported that there are reports that the pro-Russian hacking group Killnet has claimed responsibility for the attack.  If these reports are true, this is a massive attack on European democracy that will require further action, he added.  MEPs call for the further international isolation of Russia due to its aggression to Ukraine and the ongoing escalation of the attacks against civilians. Parliament calls on the European Union to further isolate Russia internationally, including when it comes to Russia’s membership of international organisations and bodies such as the United Nations Security Council. MEPs also want diplomatic ties with Russia to be reduced, EU contacts with official Russian representatives to be kept to the absolute minimum and Russian state-affiliated institutions in the EU spreading propaganda around the world to be closed and banned. states the press release published by the EU Parliament. Against the backdrop of the Kremlin’s escalating acts of terror against Ukrainian civilians, the resolution further calls on EU member states in the Council to swiftly complete its work on a ninth sanctions package against Moscow. In October, the pro-Russia hacktivist group ‘KillNet‘ claimed responsibility for massive distributed denial-of-service (DDoS) attacks against the websites of several major airports in the US. The DDoS attacks have taken the websites offline, users were not able to access them during the offensive. KillNet has previously targeted many other countries that condemned the Russian invasion of Ukraine, including Italy, Romania, Estonia, Lithuania, and Norway. Italian readers can read my comment to the Italian Press Agency ANSA. 
Pierluigi Paganini (SecurityAffairs – hacking, European Parliament)

The post Pro-Russian group Killnet claims responsibility for DDoS attack that has taken down the European Parliament site appeared first on Security Affairs.

[Category: Breaking News, Cyber warfare, Hacking, Hacktivism, Security, DDoS, European Parliament, hacking news, information security news, IT Information Security, KillNet, Pierluigi Paganini, Russia, Security Affairs, Security News, Ukraine]

Posted at 11/23/22 11:53am
The operators behind the Ducktail information stealer continue to improve their malicious code, experts warn.

In late July 2022, researchers from WithSecure (formerly F-Secure Business) discovered an ongoing operation, named DUCKTAIL, that was targeting individuals and organizations that operate on Facebook’s Business and Ads platform. Experts attribute the campaign to a Vietnamese, financially motivated threat actor that is believed to have been active since 2018.

The threat actors target individuals and employees who may have access to a Facebook Business account. They use information-stealer malware that steals browser cookies and abuses authenticated Facebook sessions to steal information from the victim’s Facebook account. The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals with managerial, digital marketing, digital media, and human resources roles in companies. The attackers contacted the victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud, and MediaFire.

After a short pause, the DUCKTAIL campaign returned with slight changes in its TTPs. Starting on September 6, 2022, the researchers detected new in-the-wild samples of a variant that uses the .NET 7 NativeAOT feature, which allows binaries to be compiled natively (ahead-of-time) from .NET code. The format of these binaries differs from that of traditional .NET assemblies.

“NativeAOT offers similar benefits to the .NET single-file feature that previous DUCKTAIL variants used for compilation, especially because they can be compiled as a framework independent binary that doesn’t require .NET runtime to be installed on the victim’s machine,” reads the report published by WithSecure.

Between 2 and 4 October 2022, the security firm discovered new DUCKTAIL samples being submitted to VirusTotal from Vietnam. The samples contained a mixture of old and new DUCKTAIL variant code bases, compiled as self-contained .NET Core 3 Windows binaries, which suggests that the group is shifting to self-contained applications. On October 5, the operators started distributing DUCKTAIL malware to victims as self-contained .NET Core Windows binaries, abandoning NativeAOT and returning to self-contained .NET binaries.

The analysis of the variants written in .NET Core 3 revealed the presence of unused anti-analysis functions that were copied from a GitHub repository. This is yet another indication of the threat actor’s continuous efforts to evade analysis and detection mechanisms.

WithSecure observed several multi-stage subvariants of DUCKTAIL that are used to deliver the final payload; the researchers highlighted that this is the primary information stealer malware in all cases. The malware still relies on Telegram as its C&C channel.

“At the time of writing, three active Telegram bots and channels were observed in the latest campaign, with the threat actor re-using the same Telegram chats that were initially discovered, indicating that only the bots (and access tokens) were refreshed with stricter administrator rights,” concludes the report. “An interesting shift that was observed with the latest campaign is that [the Telegram command-and-control] channels now include multiple administrator accounts, indicating that the adversary may be running an affiliate program.”

Pierluigi Paganini (SecurityAffairs – hacking, DUCKTAIL)

The post Ducktail information stealer continues to evolve appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, DUCKTAIL, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News]

Posted at 11/23/22 6:58am
Researchers discovered that the analytics data collected from iPhones includes the Directory Services Identifier (DSID), which could allow identifying users.

Researchers at software company Mysk discovered that the analytics data collected by iPhones includes the Directory Services Identifier (DSID), which could allow identifying users. Apple collects both the DSID and the Apple ID, which means that it can use the former to identify the user and retrieve associated personal information, including full name, phone number, birth date, email, and address.

“Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and DSID can be clearly seen alongside a user’s personal data,” reads a tweet by Mysk.

New Findings: 1/6 Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you pic.twitter.com/3DSUFwX3nV — Mysk (@mysk_co) November 21, 2022

According to the experts, this behavior violates the privacy policy of the company, which states that “none of the collected information identifies you personally.”

“Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple,” states the policy.

“Knowing the DSID is like knowing your name. It’s one-to-one to your identity,” Tommy Mysk, an app developer and security researcher, told Gizmodo. “All these detailed analytics are going to be linked directly to you. And that’s a problem, because there’s no way to switch it off.”

It is important to highlight that Mysk researchers used a jailbroken iPhone running iOS 14.6 for their tests in order to be able to decrypt the traffic and determine which data are sent back to Apple. The experts also tested an iPhone running iOS 16, but security measures implemented by Apple prevented them from jailbreaking the device to inspect the traffic. Nevertheless, the experts argue that the latest iOS version would send the same data as the jailbroken phone.

Apple has yet to respond to a request for comment on the issue.

Earlier this month, Mysk researchers also discovered that Apple collects analytics information even when users switch off the iPhone setting “Share iPhone Analytics.”

1/5 The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple. This data is sent in one request: (data usage & personalized ads are off) #CyberSecurity pic.twitter.com/1pYqdagi4e — Mysk (@mysk_co) November 3, 2022

Pierluigi Paganini (SecurityAffairs – hacking, iPhone)

The post Experts claim that iPhone analytics data is not anonymous appeared first on Security Affairs.

[Category: Breaking News, Digital ID, Mobile, Hacking, hacking news, information security news, iPhone, IT Information Security, Pierluigi Paganini, privacy, Security Affairs, Security News]

Posted at 11/23/22 3:28am
Microsoft released an out-of-band update to fix problems tied to a recent Windows security patch that caused Kerberos authentication issues.

Microsoft released an out-of-band update to address issues caused by a recent Windows security patch that causes Kerberos authentication problems.

Microsoft Patch Tuesday security updates for November 2022 addressed a privilege escalation vulnerability, tracked as CVE-2022-37966, that impacts Windows Server. An attacker can trigger this flaw to gain administrator privileges on vulnerable systems.

“An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment,” reads the advisory published by Microsoft.

After the release of the Patch Tuesday security updates, users started reporting issues related to Kerberos authentication. The IT giant investigated the reports and developed an out-of-band update to fix the problems.

“There is a known issue documented in the security updates that address this vulnerability, where Kerberos authentication might fail for user, computer, service, and GMSA accounts when serviced by Windows domain controllers that have installed Windows security updates released on November 8, 2022,” continues the advisory. “Has an update been released that addresses this known issue? Yes. The issue is addressed by out-of-band updates released to Microsoft Update Catalog on and after November 17, 2022. Customers who have not already installed the security updates released on November 8, 2022 should install the out-of-band updates instead. Customers who have already installed the November 8, 2022 Windows security updates and who are experiencing issues should install the out-of-band updates.”

The IT giant recommends that customers who have yet to install the security updates released on November 8, 2022 install only the out-of-band updates. Customers who have already installed the Patch Tuesday security updates and are experiencing issues should install the out-of-band updates.

Microsoft is not aware of attacks in the wild exploiting the CVE-2022-37966 flaw.

Pierluigi Paganini (SecurityAffairs – hacking, Microsoft)

The post Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966 appeared first on Security Affairs.

[Category: Breaking News, Security, Hacking, hacking news, information security news, IT Information Security, Kerberos, Pierluigi Paganini, Security Affairs, Security News]

Posted at 11/23/22 1:15am
The gang behind Quantum Locker used a particular modus operandi to target large enterprises relying on cloud services in the NACE region.

Executive Summary

- The Quantum Locker gang demonstrated capabilities to operate ransomware extortion even on cloud environments such as Microsoft Azure.
- Criminal operators of the Quantum gang demonstrated the ability to hunt and delete secondary backup copies stored in cloud buckets and blobs.
- The Quantum Locker gang targets IT administration staff to gather sensitive network information and credential access.
- During their intrusions, Quantum operators steal access to enterprise cloud file storage services such as Dropbox, to gather sensitive credentials.
- Cloud root account takeovers have been observed in Q4 2022 during Quantum gang intrusions in North Europe.

Source: Cybereason

Incident Insights

In recent weeks, the Belgian company Computerland shared insights with the European threat intelligence community about Quantum TTPs adopted in recent attacks. The shared information revealed that the Quantum gang used a particular modus operandi to target large enterprises relying on cloud services in the NACE region. The disclosed technical details about recent intrusions confirm the ability of the Quantum Locker gang to conduct sabotage and ransomware attacks even against companies heavily relying on cloud environments.

For instance, TTPs employed in a recent attack include the complete takeover of the company’s Microsoft cloud services through the compromise of the root account (T1531). Such action is particularly harrowing for the victim company: all the Microsoft services and users, including email services and regular users, would remain unusable until the vendor’s response, which could take days, depending on the reset request verification process.
In addition, the insights on Q4 2022 attacks reported that Quantum Locker operators are able to locate and delete all of the victim’s Microsoft Azure Blob storage to achieve secondary backup annihilation and business data deletion (T1485). Even if cloud services could theoretically provide support for the restoration of old blobs and buckets, the recovery of “permanently deleted” data often requires days and might not even be available due to the provider’s internal technical restrictions.

The favorite initial targets of Quantum operators during their recent activities in North Europe were IT administrators and networking staff. By accessing their personal resources and shared Dropbox folders, the threat actors were able to gather sensitive administrative credentials to extend the attack to the cloud surface (T1530).

Incident insights from the Belgian firm also confirm that Quantum is coupling these new techniques with more traditional ransomware delivery techniques, such as the modification of domain Group Policies (T1484.001) to distribute ransomware across on-prem Windows machines and users’ laptops, along with the abuse of the legitimate AnyDesk software as a remote access tool (T1219).

Also, during the recent intrusions, Quantum operators extensively altered the configuration of endpoint defense tools such as Microsoft Defender (T1562.001). In fact, threat actors were able to programmatically insert ad hoc exclusions to blind the onboard endpoint protection system without raising any shutdown warning.

The Belgian firm also reports that Quantum Locker’s average encryption speed in a real-world hybrid cloud scenario is around 13 MB/s, considerably slower than other ransomware families adopting intermittent encryption, which extends the responders’ window of opportunity for in-time interception and containment.
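As an added defender-side example (not code from Security Affairs, Computerland or Cybereason), the Python below parses Windows Defender Operational log Event ID 5007 records, flags every new exclusion and singles out hosts where several exclusions land within a short window, the pattern of scripted insertion rather than an administrator editing one setting. The log records, the watchlist of broad paths and extensions, and the host names are constructed for illustration.

```python
"""Flag Microsoft Defender exclusion additions in Event ID 5007 records.
Added example, not code from Security Affairs, Computerland or Cybereason; Event 5007
(Microsoft-Windows-Windows Defender/Operational) logs config changes. Data constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

EXCLUSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
NEW_EXCLUSION_RE = re.compile(r"New value:\s*" + re.escape(EXCLUSION_KEY)
                              + r"\\(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0", re.I)
BROAD_PATHS = (r"c:\programdata", r"c:\users\public", r"c:\windows\temp")  # constructed
RISKY_EXTS = {".exe", ".dll", ".ps1", ".bat", ".vbs"}                       # constructed

@dataclass
class Alert:
    when: datetime
    host: str
    kind: str       # Paths, Extensions or Processes
    value: str
    severity: str   # "high" or "medium"

def classify(kind: str, value: str) -> str:
    """High when the exclusion blinds Defender broadly, medium otherwise."""
    v = value.lower()
    if kind == "Paths" and (re.fullmatch(r"[a-z]:\\?", v) or v.startswith(BROAD_PATHS)):
        return "high"
    return "high" if kind == "Extensions" and v in RISKY_EXTS else "medium"

def parse_5007(record: dict) -> Alert | None:
    """Return an Alert when a 5007 record adds an exclusion, else None."""
    if record.get("EventID") != 5007:
        return None
    m = NEW_EXCLUSION_RE.search(record["Message"])
    if not m:  # some other setting changed, or an exclusion was removed
        return None
    kind, value = m.group(1).capitalize(), m.group(2).strip()
    return Alert(datetime.fromisoformat(record["TimeCreated"]), record["Computer"],
                 kind, value, classify(kind, value))

def burst_hosts(alerts: list[Alert], window: timedelta = timedelta(seconds=60),
                threshold: int = 3) -> set[str]:
    """Hosts gaining `threshold`+ exclusions inside one window: scripted insertion."""
    by_host: dict[str, list[datetime]] = {}
    for a in sorted(alerts, key=lambda a: a.when):
        by_host.setdefault(a.host, []).append(a.when)
    return {h for h, t in by_host.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

def msg(new_value: str) -> str:  # mirrors the 5007 message layout (constructed)
    return ("Microsoft Defender Antivirus Configuration has changed.\n"
            "\tOld value: \n\tNew value: " + new_value)

SAMPLE_RECORDS = [  # constructed: three scripted exclusions on FS01, one on WS07
    {"TimeCreated": "2022-11-20T02:14:05", "EventID": 5007, "Computer": "FS01",
     "Message": msg(EXCLUSION_KEY + r"\Paths\C:\ProgramData\svc = 0x0")},
    {"TimeCreated": "2022-11-20T02:14:09", "EventID": 5007, "Computer": "FS01",
     "Message": msg(EXCLUSION_KEY + r"\Extensions\.exe = 0x0")},
    {"TimeCreated": "2022-11-20T02:14:12", "EventID": 5007, "Computer": "FS01",
     "Message": msg(EXCLUSION_KEY + r"\Processes\powershell.exe = 0x0")},
    {"TimeCreated": "2022-11-20T09:30:00", "EventID": 5007, "Computer": "WS07",
     "Message": msg(EXCLUSION_KEY + r"\Paths\D:\Backups\veeam = 0x0")},
]
```

Running `burst_hosts([a for a in map(parse_5007, SAMPLE_RECORDS) if a])` returns only FS01, whose three exclusions arrive seven seconds apart, while the single backup-folder exclusion on WS07 is reported as a medium alert for review.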
Threat Actor Brief

Quantum Locker ransomware was originally born from the ashes of the MountLocker ransomware program operated by Russian-speaking cybercriminals back in 2020. Before its current name, Quantum Locker was rebranded several times, first as AstroLocker and then under the XingLocker alias. Quantum Locker was also involved in many high-profile attacks, such as the one on the Israeli security company BeeSense, the alleged attack on the local administration of the Sardinia region in Italy, and attacks on government agencies in the Dominican Republic.

Indicators of Compromise

Intrusion and Exfiltration infrastructure:
- 146.70.87,66 M247-LOS-ANGELES US
- 42.216.183,180 NorthStar CN

Distribution Infrastructure:
- hxxp://146.70.87,186/load/powerDEF
- 146.70.87,186 M247-LOS-ANGELES

About the author: Luca Mella, Cyber Security Expert

Pierluigi Paganini (SecurityAffairs – hacking, Quantum Locker)

The post Exclusive Quantum Locker lands in the Cloud appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, Computerland, Cybercrime, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Quantum Locker, Security Affairs, Security News]
