Published at 8/4/20 4:04am
Maze ransomware operators published internal data from LG and Xerox after the companies did not pay the ransom.

Ransomware crews have been very active during these months; Maze ransomware operators have published tens of GB of internal data allegedly stolen from the IT giants LG and Xerox following failed extortion attempts.

Maze ransomware operators published 50.2 GB from LG’s network and 25.8 GB from Xerox.

In June, researchers at threat intelligence firm Cyble discovered a data leak of LG Electronics published by Maze ransomware operators.

As usual, the Maze ransomware operators threaten to leak the victims’ data unless they pay the ransom. A few days ago the group released a press release in which it warned the companies not to try to recover their files from their backups; it also announced the forthcoming LG Electronics data leak.

At the time, the Maze ransomware operators only released three screenshots on the Maze ransomware leak site as proof of the data breaches.

Researchers from ZDNet who analyzed the leaked data confirmed that it included source code for the firmware of various LG products, including phones and laptops.

“In an email in June, the Maze gang told ZDNet that they did not execute their ransomware on LG’s network, but they merely stole the company’s proprietary data and chose to skip to the second phase of their extortion attempts.” reads the report published by ZDNet.

“We decided not to execute [the] Maze [ransomware] because their clients are socially significant and we do not want to create disruption for their operations, so we only have exfiltrated the data,” the Maze gang told ZDNet via a contact form on their leak site.

Maze ransomware operators have also breached the systems of the Xerox Corporation and stolen files before encrypting them.

The company did not disclose the cyberattack, but in early June the Maze ransomware operators published some screenshots showing that a Xerox domain had been encrypted. One screenshot showed that hosts on “eu.xerox.net,” managed by Xerox Corporation, had been compromised.

Another screenshot demonstrated that the ransomware operators were in the Xerox network until June 25th, 2020.

Xerox Corporation is an American corporation that sells print and digital document products and services in more than 160 countries. The company declared over $1.8 billion in revenue in Q1 2020 and has 27,000 employees across the globe. It currently ranks 347th on the Fortune 500 list.

On June 24, Maze ransomware operators included Xerox in the list of the victims published on their leak site.

The extent of the attack is still unclear: it is not known which internal systems were encrypted by the Maze gang or which files were exfiltrated.

Experts from threat intelligence company Bad Packets speculated that both companies were hacked by exploiting the known CVE-2019-19781 vulnerability in Citrix ADC servers they were running. Bad Packets experts discovered that both organizations were running unpatched servers that could have been the entry point for the attackers.

In recent months the Maze ransomware gang breached the US chipmaker MaxLinear and Threadstone Advisors LLP, a US corporate advisory firm specialising in mergers and acquisitions.

Maze operators were very active during the past months: they also stole data from the US military contractor Westech and the ST Engineering group, and they released credit card data stolen from the Bank of Costa Rica (BCR), threatening to leak further lots every week.

Previous victims of the ransomware gang include IT services firms Cognizant and Conduent.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Maze Ransomware operators published data from LG and Xerox appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, Cybercrime, Maze ransomware, Xerox]

Published at 8/4/20 2:47am
NetWalker ransomware operators continue to be very active, according to McAfee the cybercrime gang has earned more than $25 million since March 2020.

McAfee researchers report that the NetWalker ransomware operators continue to be very active; the gang is believed to have earned more than $25 million since March 2020.

The malware has been active at least since August 2019; over the following months the NetWalker ransomware was made available through a ransomware-as-a-service (RaaS) model, attracting criminal affiliates.

McAfee published a report about NetWalker’s operations; the researchers were able to track payments by monitoring transactions to a pool of known Bitcoin addresses associated with the ransomware operators.

“Since 2019, NetWalker ransomware has reached a vast number of different targets, mostly based in western European countries and the US. Since the end of 2019, the NetWalker gang has indicated a preference for larger organisations rather than individuals.” reads the report. “During the COVID-19 pandemic, the adversaries behind NetWalker clearly stated that hospitals will not be targeted; whether they keep to their word remains to be seen.”

NetWalker ransomware operators have recently begun choosing affiliates specialized in targeted attacks against high-value entities, in an attempt to maximize returns with surgical operations.

High-value enterprises are expected to pay bigger ransom demands compared to small companies.

The affiliates used to deliver the threat via brute-force attacks on RDP servers or by exploiting known vulnerabilities in VPN servers and firewalls.


The NetWalker author, who goes online with the moniker “Bugatti”, was only interested in doing business with Russian-speaking customers.

Threat actors spreading the NetWalker ransomware carried out cyber attacks that leveraged exploits for Oracle WebLogic and Apache Tomcat servers, brute-forced RDP endpoints, and ran spear-phishing attacks on staff at major companies.

Last week, the FBI issued a new security flash alert to warn of Netwalker ransomware attacks targeting U.S. and foreign government organizations. The feds recommend that victims not pay the ransom and report incidents to their local FBI field offices.

The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.

The FBI warns of a new wave of Netwalker ransomware attacks that began in June; the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.

“As of June 2020, the FBI has received notifications of Netwalker ransomware attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies by unidentified cyber actors.” reads the alert. “Netwalker became widely recognized in March 2020, after intrusions on an Australian transportation and logistics company and a U.S. public health organization. Cyber actors using Netwalker have since taken advantage of the COVID-19 pandemic to compromise an increasing number of unsuspecting victims.”

The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.

The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.

Recently the Netwalker ransomware operators were looking for new collaborators who can provide them with access to large enterprise networks.

“Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935).” continues the alert. “Once an actor has infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files. In order to encrypt the user files on a victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable.”

By analyzing the transactions of the bitcoin addresses involved in the Netwalker ransomware operations, McAfee observed 2,795 bitcoins being transferred between wallets operated by the gang between March 1st, 2020, and July 27th, 2020.

“The total amount of extorted bitcoin that has been uncovered by tracing transactions to these NetWalker related addresses is 2795 BTC between 1 March 2020 and 27 July 2020. By using historic bitcoin to USD exchange rates, we estimate a total of 25 million USD was extorted with these NetWalker related transactions,” continues the McAfee report.

“Even though we do not have complete visibility into the BTC flow before NetWalker started ramping up, one thing is certain, this quarter alone it has been highly successful at extorting organisations for large amounts of money.”
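The payment-tracing approach McAfee describes, summing transfers into a pool of known Bitcoin addresses and converting each at the historic exchange rate of its date, can be illustrated with a small script. The Python below is an added example, not McAfee's code or data: the wallet labels, transfers and exchange rates are constructed placeholders, and the single-sender/single-receiver transfer model is a simplification of real transactions. Only inflows from outside the known-wallet cluster are counted, so internal consolidation moves and cash-outs to an exchange do not inflate the total.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer, simplified to a single sender and a single receiver."""
    txid: str
    sender: str
    receiver: str
    amount_btc: float
    day: date


# Constructed sample: "gang-a"/"gang-b" stand in for the operators' known wallets,
# "victim-N" for payer addresses. None of these are real addresses or transactions.
KNOWN_WALLETS: Set[str] = {"gang-a", "gang-b"}

SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer("tx1", "victim-1", "gang-a", 12.5, date(2020, 3, 2)),
    Transfer("tx2", "gang-a", "gang-b", 12.5, date(2020, 3, 3)),      # internal move, not revenue
    Transfer("tx3", "victim-2", "gang-b", 30.0, date(2020, 5, 14)),
    Transfer("tx4", "gang-b", "exchange-x", 20.0, date(2020, 5, 20)),  # cash-out, not revenue
    Transfer("tx5", "victim-3", "gang-a", 7.5, date(2020, 8, 1)),      # outside the window
]

# Constructed BTC/USD rates keyed by (year, month). A real analysis would use
# daily historical closes from a market data source.
SAMPLE_RATES: Dict[Tuple[int, int], float] = {
    (2020, 3): 6500.0,
    (2020, 5): 9000.0,
    (2020, 8): 11500.0,
}


def is_ransom_inflow(t: Transfer, wallets: Set[str]) -> bool:
    """A payment counts only when it enters the cluster from an outside address."""
    return t.receiver in wallets and t.sender not in wallets


def trace_extortion_revenue(
    transfers: Iterable[Transfer],
    wallets: Set[str],
    rates: Dict[Tuple[int, int], float],
    start: date,
    end: date,
) -> Tuple[float, float, List[str]]:
    """Sum BTC paid into the known wallets within [start, end] and value each
    payment at the historic rate for its month. Returns (btc, usd, counted txids)."""
    total_btc = 0.0
    total_usd = 0.0
    counted: List[str] = []
    for t in transfers:
        if not (start <= t.day <= end):
            continue
        if not is_ransom_inflow(t, wallets):
            continue
        rate = rates.get((t.day.year, t.day.month))
        if rate is None:
            # Refuse to guess: a missing rate would silently skew the USD estimate.
            raise KeyError(f"no exchange rate for {t.day:%Y-%m}")
        total_btc += t.amount_btc
        total_usd += t.amount_btc * rate
        counted.append(t.txid)
    return total_btc, total_usd, counted


def sample_result() -> Tuple[float, float, List[str]]:
    """Run the trace over the constructed sample for the window McAfee used."""
    return trace_extortion_revenue(
        SAMPLE_TRANSFERS, KNOWN_WALLETS, SAMPLE_RATES, date(2020, 3, 1), date(2020, 7, 27)
    )


if __name__ == "__main__":
    btc, usd, txids = sample_result()
    print(f"{btc} BTC (~{usd:,.0f} USD) across {len(txids)} payments: {txids}")
```

With the constructed sample only tx1 and tx3 are counted: 42.5 BTC, valued at 351,250 USD at the placeholder rates. The rate lookup raises rather than defaulting, because an unpriced payment would otherwise be silently dropped from the USD total while still appearing in the BTC total.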

In order to force the victims into paying the ransom, the gang set up a leak site where it publishes the data of victims that refuse to pay. This tactic is becoming very common in the cybercrime ecosystem, and many companies decide to pay to avoid having their name listed on the site and their data leaked online.

McAfee also shared YARA rules for the threat along with Indicators of Compromise and MITRE ATT&CK Techniques.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post NetWalker ransomware operators have made $25 million since March 2020 appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, Hacking, hacking news, information security news, IT Information Security, malware, NetWalker, Pierluigi Paganini, ransomware, Security Affairs, Security News]


Published at 8/3/20 2:39pm
2gether has disclosed a security breach, hackers have stolen roughly €1.2 million worth of cryptocurrency from cryptocurrency investment accounts. 

Hackers stole roughly €1.183 million worth of cryptocurrency from the investment accounts of 2gether, 26.79% of the overall funds stored in those accounts.

The attack took place on July 31 at 6.00 pm CEST, when hackers compromised the company servers.

“As you know, since last Friday July 31, we’ve been managing an extremely difficult situation which has brought us all a lot of uncertainty, caused by the hacking of a substantial part of all the cryptocurrencies available in the 2gether user accounts.” reads a security breach notification published by the company.

“From the moment we became aware of the attack, we’ve been fighting nonstop on different fronts. First, we worked on stopping the hit, limiting the theft to ~€1.183M (which amounted to 26.79% of the positions in the user accounts in Kraken) and preserving the integrity of the euro accounts, the BTC & ETH wallets, and the 2GT accounts.”

2gether is a crypto trading app, in which traders and beginners buy and sell cryptocurrencies at real market price, without added fees, in just one click. The native coin used by the organization is the 2GT token.

2gether CEO Ramón Ferraz Estrada confirmed that general wallets and euro accounts were not impacted by the security breach; he also pointed out that the hackers did not steal the financial details of the payment cards used to deposit funds.

We continue working:
– Wallets are safe
– Euro accounts are safe
– The hack affects the crypto investment accounts
Additionally, user passwords have been compromised. Even though they are encrypted, we recommend you change them if you are using the same ones on other platforms

— Ramón Ferraz Estrada (@monchoferraz) August 1, 2020

Estrada urges users to change their passwords because they have been compromised in the attack. 

The company did not share technical details of the attack; it only confirmed that an investigation is still ongoing.

Reading the 2020 Cost of a Data Breach Report

Published at 8/3/20 7:54am
2020 Cost of a Data Breach Report: the global total cost of a data breach averaged $3.86 million in 2020, down about 1.5% from the 2019 study.

Every year, I write about the annual report published by the Ponemon Institute on the cost of a data breach; it is a very interesting study that explores the economic impact of a “data breach.”

This year the researchers analyzed 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 geographies and 17 industries. 

According to the 2020 Cost of a Data Breach Report, the global total cost of a data breach averaged $3.86 million in 2020, down about 1.5% from the 2019 study. The average time to identify and contain a data breach was 280 days in the 2020 study, almost identical to 2019 (279).

This year, the experts analyzed the impact of vulnerability testing and red team testing on the cost of a data breach and found that conducting red team testing could reduce average costs by about $243,000, while conducting vulnerability testing could reduce costs by about $173,000.

The report for the first time explores the cost impact of remote work and the security skills shortage.

“Organizations with remote work arrangements cited costs that were nearly $137,000 higher than the global average of $3.86 million, while organizations estimated that the security skill shortage increased costs by an average of $257,000 compared to the global average.” reads the post published by IBM that introduces the report.

For the first time, the report goes deep into analyzing the per-record cost of a data breach based on the type of records involved. The experts pointed out that customer personally identifiable information (PII) was the most expensive type of record. Customer PII records cost an average of $150 per lost or stolen record, followed by intellectual property records ($147), anonymized customer records ($143) and employee PII ($141). Unfortunately, customer PII was present in 80% of the incidents analyzed.

52% of the data breaches observed in 2020 were caused by malicious attacks.

The analysis of the attack vectors revealed that the most prominent ones were compromised credentials (19% of malicious breaches), cloud misconfiguration (19%) and vulnerabilities in third-party software (16%).

For the first time, the report analyzed the cost of breaches involving destructive malware; experts estimated that the average destructive malware breach cost $4.52 million and the average ransomware breach cost $4.44 million. The overall average cost of a malicious breach was $4.27 million.

You can explore the impacts of these cost factors and more – some that amplify costs and others that mitigate costs – using the interactive cost calculator that is a companion to this year’s report. You can register to access the full calculator to see the estimated impact of 25 cost factors on the average cost of a data breach in 17 geographies and 14 industries. See the 2020 Cost of a Data Breach report and calculator.

Another novelty of the 2020 Cost of a Data Breach Report is the analysis of data breaches based on the type of attacker.

Most malicious breaches were caused by financially motivated threat actors (53%), followed by nation-state actors (13%) and hacktivist threat actors (13%). According to the experts, the average cost of a breach was higher for state-sponsored breaches ($4.43 million) and hacktivist breaches ($4.28 million) than for financially motivated breaches ($4.23 million).

Let me suggest reading the full Cost of a Data Breach Report, which contains a lot of interesting data. IBM Security also implements an interactive calculator, a global map and other tools for exploring the data for insights and recommendations.

The complete report is available here.


Pierluigi Paganini

(SecurityAffairs – hacking, Cost of data breach)

The post Reading the 2020 Cost of a Data Breach Report appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Reports, Cost of a Data Breach 2020, Hacking]

Published at 8/3/20 3:24am
Last week, the Minister of Internal Affairs of Belarus announced the arrest of a 31-year-old man accused of distributing the infamous GandCrab ransomware.

Last week, the Minister of Internal Affairs of Belarus announced the arrest of a man on charges of distributing the infamous GandCrab ransomware.

The arrest is the result of an investigation conducted with help from law enforcement from the UK and Romania.

The authorities did not reveal the name of the man, who was arrested in Gomel (Belarus). He had no previous criminal record at the time of the arrest, but he is known to have been a member of a cybercrime forum through which he became an affiliate of the GandCrab ransomware operation.

He allegedly subscribed to the GandCrab ransomware-as-a-service to create his own version of the malware and spread it through a spam campaign.

The GandCrab ransomware-as-a-service first emerged from the Russian crime underground in early 2018.

GandCrab was advertised in the Russian hacking community; researchers from LMNTRIX who discovered it noticed that the authors were leveraging the RIG and GrandSoft exploit kits to distribute the malware.

As usually happens with Russian threat actors, members cannot use the ransomware to infect systems in the former Soviet republics that now comprise the Commonwealth of Independent States.

Below are some interesting points from the first advertisement for this threat, according to the translation of the ad:

  • Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
  • ‘Large’ partners are able to increase their percentage of proceeds to 70 per cent
  • As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
  • Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
  • Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available

The operators behind the GandCrab RaaS offer their platform while keeping 40% of the ransom; the percentage is reduced for large partners.

Once infected, if the victim does not pay on time, the ransom doubles.

The authors of the GandCrab RaaS also offer technical support and updates to their members; they also published a video tutorial that shows how the ransomware evades antivirus detection.

The RaaS implements a user-friendly admin console, accessible via the Tor network, that allows malware customization (i.e. ransom amount, individual bots and encryption masks).

According to Belarusian authorities, the man infected more than 1,000 computers with his customized variant of GandCrab, but it is not known how many victims paid the ransom. He was demanding the payment of around $1,200 worth of Bitcoin.

Officials believe that the man infected computers in more than 100 countries, most of them in India, the US, Ukraine, the UK, Germany, France, Italy, and Russia. GandCrab made more than 54,000 victims across the world, including 156 in Belarus, officials said.

Authorities also added that the man was involved in the distribution of cryptominers and wrote malware for other users on the same hacking forums.

The GandCrab Ransomware-as-a-Service shut down operations in June 2019 and told affiliates to stop distributing the ransomware. The authors of the ransomware are still unknown and are at large.

According to security researchers Damian and David Montenegro, who have followed the evolution of GandCrab since its appearance, the GandCrab operators announced their decision to shut down their operation in a post on popular hacking forums:

Start of GandCrab Ransomware : 28-1-2018 ..

Havenly discloses data breach, 1.3M accounts available online

Published at 8/3/20 1:46am
Havenly, a Denver-based company that runs an interior designer marketplace, has disclosed a data breach that impacted 1.3 million users.

The US-based interior design web site Havenly has disclosed a data breach after the known threat actor ShinyHunters leaked for free the databases of multiple companies on a hacker forum.

Last week, BleepingComputer reported that ShinyHunters was offering on a hacker forum the databases stolen from eighteen companies, over 386 million user records in total.

The threat actors released nine new databases belonging to several companies, including Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird, and Vakinha. The remaining nine databases were already released by ShinyHunters in the past.

The ShinyHunters hacker posted the Havenly database containing 1.3 million user records for free.

(Image source: BleepingComputer)

The leaked records included login name, full name, MD5-hashed password, email address, phone number, zip code, and other related data.

The company has notified impacted users via email; it admitted to having recently discovered the data breach and, in response to the incident, it has forced a password reset.

“We take the security of our community very seriously. As a precaution, we wanted to let you know that we recently became aware of a potential incident that may have affected the security of certain customer accounts. We are working with external security experts to investigate this matter.” reads the data breach notification.

“However, in the meantime, out of an abundance of caution, we are logging all existing customers out of their Havenly accounts and asking our customers to reset their password when they next log in to the Havenly website. As a best practice, we also encourage all of our customers to use different passwords across all online services and applications, and to update those passwords now and on a regular basis.”

The company revealed that financial data was not exposed because it stores only the last four digits of users’ credit cards.

“We suspect that many of you will be concerned about the credit card numbers that you’ve used with Havenly in the past. Please note: we do NOT store credit card information, apart from the last 4 digits of the card in some cases, which is not enough to engage in credit card fraud,” Havenly disclosed.

Havenly users could check if their data was exposed by querying the popular data breach notification service Have I Been Pwned.

New breach: Korean interior decoration website 집꾸미기 (Decorating the House) had 1.3M records breached earlier this year. Data included names, usernames, email addresses and phone numbers. 22% were already in @haveibeenpwned. Read more https://t.co/uWK9rzxZ4B

— Have I Been Pwned (@haveibeenpwned) August 2, 2020

Users are invited to change their passwords on any other service where they reuse their Havenly login credentials, to avoid falling victim to credential stuffing attacks.
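The leaked Havenly records included MD5-hashed passwords, which is why the reset and the reuse warning matter. The Python below is an added example, not Havenly's code or anything from the original post: it contrasts unsalted MD5, where two users with the same password get the same stored value so one precomputed table covers every record, with a salted, iterated PBKDF2-HMAC-SHA256 hash checked with a constant-time comparison. The iteration count, the storage format and the sample password are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256. The
# "pbkdf2_sha256$iterations$salt$digest" record layout is this example's own.
PBKDF2_ITERATIONS = 600_000


def md5_hash(password: str) -> str:
    """Legacy scheme: unsalted MD5. Kept only to show why it is inadequate."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt plus an iterated, slow hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_record(scheme: Callable[[str], str], password: str = "Summer2020!") -> bool:
    """Constructed check: do two accounts sharing a password get identical stored values?
    True for unsalted MD5 (one lookup table breaks every such account at once),
    False for the salted scheme."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("MD5 identical for identical passwords:", same_password_same_record(md5_hash))
    print("PBKDF2 identical for identical passwords:", same_password_same_record(pbkdf2_hash))
    record = pbkdf2_hash("Summer2020!")
    print("verify correct password:", verify_pbkdf2("Summer2020!", record))
    print("verify wrong password:  ", verify_pbkdf2("summer2020!", record))
```

The salt and iteration count travel with the record, so the cost can be raised later by re-hashing at next login without a schema change; the constant-time comparison avoids leaking how many digest bytes matched.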


Pierluigi Paganini

(SecurityAffairs – hacking, Havenly)

The post Havenly discloses data breach, 1.3M accounts available online appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Hacking, data breach, hacking news, havenly, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News]

Published at 8/2/20 11:24pm
Researchers uncovered a disinformation campaign aimed at discrediting NATO via fake news content distributed through compromised news websites.

Security experts from FireEye have uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.

“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye.

According to FireEye, the campaign, tracked as Ghostwriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

“We have dubbed this campaign ‘Ghostwriter,’ based on its use of inauthentic personas posing as locals, journalists, and analysts within the target countries to post articles and op-eds referencing the fabrications as source material to a core set of third-party websites that publish user-generated content,” continues the report.

Unlike other disinformation campaigns, Ghostwriter doesn’t spread through social networks; instead, the threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The attackers used to replace existing legitimate articles on the sites with the fake content, instead of creating new posts.

The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries. to manipulate content, spreading reports of falsified correspondence from military officials, fake quotes from political figures and more.

According to the experts, the campaign primarily targeted audiences in specific member states of the alliance, including Lithuania, Latvia, and Poland.

Ghostwriter operators focused on spreading fabricated quotes, such as a quote falsely attributed to the commander of the NATO eFP Battle Group that was used to push a narrative that 21 Canadian soldiers stationed in Latvia had been infected with COVID-19.

Another piece of fabricated content was a letter presented as authored by NATO Secretary General Jens Stoltenberg, written to bolster a narrative suggesting that the Atlantic alliance was planning to withdraw from Lithuania in response to the COVID-19 pandemic.

“This falsified content has been referenced as source material in articles and op-eds authored by at least 14 inauthentic personas posing as locals, journalists, and analysts within those countries.” continues the report.

“These articles and op-eds, primarily written in English, have been consistently published to a core set of third-party websites that appear to accept user-submitted content, most notably OpEdNews.com, BalticWord.com, and the pro-Russian site TheDuran.com, among others, as well as to suspected Ghostwriter-affiliated blogs.”

The report published by FireEye includes details about the tactics, techniques, and procedures used by the threat actors behind Ghostwriter and confirms that it could be part of a larger disinformation campaign orchestrated by a foreign government.


Pierluigi Paganini

(SecurityAffairs – hacking, disinformation)

The post Ghostwriter disinformation campaign aimed at discrediting NATO appeared first on Security Affairs.

[Category: Breaking News, Cyber warfare, Intelligence, disinformation campaign, Ghostwriter, Hacking, information security news, IT Information Security, malware, NATO, Pierluigi Paganini, Security Affairs, Security News]

[l] at 8/2/20 10:29am
The FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.

The FBI has issued a new security flash alert to warn of Netwalker ransomware attacks targeting U.S. and foreign government organizations. The feds recommend that victims not pay the ransom and report incidents to their local FBI field offices.

The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.

The FBI warns of a new wave of Netwalker ransomware attacks that began in June; the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.

“As of June 2020, the FBI has received notifications of Netwalker ransomware attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies by unidentified cyber actors.” reads the alert. “Netwalker became widely recognized in March 2020, after intrusions on an Australian transportation and logistics company and a U.S. public health organization. Cyber actors using Netwalker have since taken advantage of the COVID-19 pandemic to compromise an increasing number of unsuspecting victims.”

The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.

The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.

Recently the Netwalker ransomware operators were looking for new collaborators who can provide them with access to large enterprise networks.

“Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI (CVE-2019-18935).” continues the alert. “Once an actor has infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files. In order to encrypt the user files on a victim network, the actors typically launch a malicious PowerShell script embedded with the Netwalker ransomware executable.”

Below are the mitigations recommended by the FBI:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Consider installing and using a VPN.
  • Use two-factor authentication with strong passwords.
  • Keep computers, devices, and applications patched and up-to-date.

The FBI advises victims not to pay the ransom.


Pierluigi Paganini

(SecurityAffairs – hacking, D-Link)

The post FBI issued a flash alert about Netwalker ransomware attacks appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, Cybercrime, FBI, malware, ransomware]

[l] at 8/2/20 7:14am
BleepingComputer researchers confirmed that Garmin has received the decryption key to recover their files encrypted with the WastedLocker Ransomware.

BleepingComputer first revealed that Garmin has received the decryption key to recover the files encrypted with the WastedLocker Ransomware in the recent attack.

On July 23, smartwatch and wearables maker Garmin shut down several of its services due to a ransomware attack that targeted its internal network and some production systems.

The outage also impacted the company call centers, making it impossible for the company to provide information to its users.

Most of the services used by customers of the company rely on the Garmin Connect service to sync data about runs and bike rides with its servers.

Even if the company did not provide technical details of the outage, several employees shared details about the alleged ransomware attack on social media.

Some employees later told BleepingComputer that the ransom demand was $10 million.

Some employees speculated the involvement of a new strain of ransomware called WastedLocker.

On July 27, the company announced that its computer networks were coming back after the ransomware attack.

Now BleepingComputer has confirmed that the malware family involved in the attack was the WastedLocker ransomware, after gaining access to an executable created by the Garmin IT department to decrypt a workstation.

This means that the company allegedly paid the ransomware operators to obtain the decryptors for its files.

“To obtain a working decryption key, Garmin must have paid the ransom to the attackers. It is not known how much was paid, but as previously stated, an employee had told BleepingComputer that the original ransom demand was for $10 million.” reported BleepingComputer.

“When extracted, this restoration package includes various security software installers, a decryption key, a WastedLocker decryptor, and a script to run them all.”

[Image: Garmin WastedLocker ransomware restoration package]

Experts reported that upon executing the restoration package, it decrypts the files stored on the computer and then installs security software. 

BleepingComputer reported that the script used by Garmin has a timestamp of 07/25/2020, a circumstance that suggests the company paid the ransom between July 24th and July 25th.

BleepingComputer researchers were able to encrypt a virtual machine using the sample of WastedLocker involved in the Garmin attack, then tested the decryptor.

The decryptor used by the company includes references to cybersecurity firm Emsisoft and ransomware negotiation service firm Coveware.

Neither company commented on this ransomware attack.

The Emsisoft team is able to develop custom ransomware decryptors when the ransomware operators provide victims with a decryptor after the ransom is paid.

“If the ransom has been paid but the attacker-provided decryptor is slow or faulty, we can extract the decryption code and create a custom-built solution that decrypts up to 50 percent faster with less risk of data damage or loss,” Emsisoft’s ransomware recovery services page states.

Garmin did not comment on the story.


Pierluigi Paganini

(SecurityAffairs – Garmin, wastedlocker ransomware)

The post Garmin allegedly paid for a decryptor for WastedLocker ransomware appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Hacking, Malware, Garmin, garmin wastedlocker ransomware, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News, WastedLocker ransomware]

[l] at 8/2/20 5:13am
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

  • Records for 7.5 million users of the digital banking app Dave leaked online
  • REMnux 7, a Linux toolkit for malware analysts released
  • FBI warns cyber actors abusing protocols as new DDoS attack vectors
  • Garmin says many of the systems are returning to operation
  • NSA/CISA joint report warns on attacks on critical industrial systems
  • Shadow attacks allow replacing content in signed PDF files
  • Source code of Cerberus Android Trojan offered for sale for $100,000
  • FBI warns US companies on the use of Chinese Tax Software
  • Hacking IoT & RF Devices with BürtleinaBoard
  • Nefilim ransomware operators leaked data alleged stolen from the Dussmann group
  • Pirate Ship Sailing to Developing World: Group-IB Uncovers Real Captains of Online Piracy Crew
  • QSnatch malware infected over 62,000 QNAP NAS Devices
  • ShinyHunters leaked over 386 million user records from 18 companies
  • Doki, an undetectable Linux backdoor targets Docker Servers
  • North Korea-Linked Lazarus APT is behind the VHD ransomware
  • U.S. experts claim China-linked hackers have infiltrated Vatican networks
  • BootHole issue allows installing a stealthy and persistent malware
  • Expert discloses details of 3 Tor zero-day flaws … new ones to come
  • Operation North Star – North-Korea hackers targeted US defense and aerospace companies
  • Cisco fixes critical and high-severity flaws in Data Center Network Manager
  • EU has imposed sanctions on foreign actors for the first time ever
  • IndieFlix streaming service leaves thousands of confidential agreements, filmmaker SSNs, videos exposed on public server
  • Updates provided by Red Hat for BootHole cause systems to hang
  • Four individuals charged for the recent Twitter hack
  • The author of FastPOS PoS malware pleads guilty
  • Trump says he will ban popular Chinese video app TikTok in the US

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 275 appeared first on Security Affairs.

[Category: Breaking News, Newsletter]

[l] at 8/2/20 3:27am
The Taiwanese vendor QNAP urges its users to update the Malware Remover app following the alert on the QSnatch malware.

The Taiwanese company QNAP is urging its users to update the Malware Remover app to prevent NAS devices from being infected by the QSnatch malware.

This week, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint advisory about a massive ongoing campaign spreading the QSnatch data-stealing malware.

“CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.” reads the alert. “Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom.”

The malicious code specifically targets NAS devices manufactured by the Taiwanese company QNAP; it has already infected over 62,000 of them.

The QSnatch malware implements multiple functionalities, such as:  

  • CGI password logger  
    • This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
  • Credential scraper
  • SSH backdoor  
    • This allows the cyber actor to execute arbitrary code on a device.
  • Exfiltration
    • When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
  • Webshell functionality for remote access

QSnatch (aka Derek) is a data-stealing malware that was first detailed by the experts at the National Cyber Security Centre of Finland (NCSC-FI) in October 2019. The experts were alerted about the malware in October and immediately launched an investigation.

At the time, the German Computer Emergency Response Team (CERT-Bund) reported that over 7,000 devices have been infected in Germany alone.

QNAP attempted to downplay the effects of the campaign aimed at infecting its NAS devices.

“QNAP reaffirms that at this moment no malware variants are detected, and the number of affected devices shows no sign of another incident.” reads a post published by the company.

“Certain media reports claiming that the affected device count has increased from 7,000 to 62,000 since October 2019 are inaccurate due to a misinterpretation of reports from different authorities.”

The vendor recommends installing the latest version of the Malware Remover app that is available through the QTS App Center or on its website.

“Users are urged to install the latest version of the Malware Remover app from the QTS App Center or by manual downloading from the QNAP website. QNAP also recommends a series of actions for enhancing QNAP NAS security. They’re also detailed in the security advisory.” continues the advisory.

Below some of the actions recommended by the vendor:

  1. Update QTS and Malware Remover.
  2. Install and update Security Counselor.
  3. Change the admin password and use a strong one.
  4. Enable IP and account access protection to prevent brute force attacks.
  5. Disable SSH and Telnet connections if they are not necessary.
  6. Avoid using default ports (i.e. 443 and 8080).

Even though the attack chain is not clear, the joint alert reveals that some QSnatch samples intentionally patch the infected QNAP device against the Samba remote code execution vulnerability CVE-2017-7494.

According to the experts, the attack infrastructure behind the previous QSnatch campaign is currently no longer active, but users have to update their NAS devices as soon as possible to prevent future attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, QSnatch)

The post QNAP urges users to update Malware Remover after QSnatch joint alert appeared first on Security Affairs.

[Category: Breaking News, Hacking, Internet of Things, hacking news, information security news, IoT, IT Information Security, malware, Pierluigi Paganini, QSnatch, Security Affairs, Security News]

[l] at 8/2/20 2:35am
A critical flaw in the wpDiscuz WordPress plugin could be exploited by remote attackers to execute arbitrary code and take over the hosting account.

Security experts from Wordfence discovered a critical vulnerability impacting the wpDiscuz WordPress plugin that is installed on over 80,000 sites.

The vulnerability could be exploited by attackers to execute arbitrary code remotely after uploading arbitrary files on servers hosting the vulnerable WordPress sites.

wpDiscuz provides an Ajax real-time comment feature that stores the comments into a local database.

Researchers from Wordfence reported the flaw to wpDiscuz’s development team on June 19; the issue was fully addressed on July 23 with the release of version 7.0.5.

The developers initially attempted to fix the issue with the release of version 7.0.4, but they failed to fix it.

The vulnerability is rated as a critical severity and received a CVSS base score of 10/10.

Experts observed that unpatched versions of the wpDiscuz plugin fail to verify the types of the files uploaded by users. The plugin is meant to allow users to attach only images.

“wpDiscuz is a plugin designed to create responsive comment areas on WordPress installations. It allows users to discuss topics and easily customize their comments using a rich text editor. In the latest overhaul of the plugin, versions 7.x.x, they added the ability to include image attachments in comments which are uploaded to the site and included in the comments.” reads the analysis published by WordFence. “Unfortunately, the implementation of this feature lacked security protections creating a critical vulnerability.”

An attacker could upload a malicious file to a vulnerable site’s hosting server; because the file path was returned in the request’s response, the attacker could then access the file to execute it on the server and achieve remote code execution (RCE).

“This made it possible for attackers to create any file type and add image identifying features to files to pass the file content verification check.” continues the report. “A PHP file attempting to bypass this verification could look something like this in a request:

------WebKitFormBoundaryXPeRFAXCS9qPc2sB
Content-Disposition: form-data; name="wmu_files[0]"; filename="myphpfile.php"
Content-Type: application/php

‰PNG

The file path location was returned as part of the request’s response, allowing a user to easily find the file’s location and access the file it was uploaded to the server. This meant that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.”
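The bypass described above works only because the check trusts a magic-byte prefix. As an added example (not wpDiscuz’s or Wordfence’s code), the Python below puts that weak check beside a hardened validator that enforces an extension allowlist, a matching declared type and a full PNG chunk walk, then runs both over a constructed multipart request whose boundary and `wmu_files[0]` field mirror the request quoted above; the crafted part carries a harmless placeholder body and the genuine 1x1 PNG is built in code.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Extension allowlist mapped to the only MIME type accepted for it.
ALLOWED = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}


def weak_check(content: bytes) -> bool:
    """The kind of check the write-up describes: magic bytes only.
    Anything that starts with the PNG magic passes, whatever follows."""
    return content.startswith(b"\x89PNG")


def is_well_formed_png(data: bytes) -> bool:
    """Walk the chunk structure: signature, IHDR first (13 bytes), every
    CRC correct, IEND last with nothing trailing. A magic prefix glued
    onto script text has no valid IHDR chunk and fails here."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if first and (ctype != b"IHDR" or length != 13):
            return False
        first = False
        if ctype == b"IEND":
            return end == len(data)  # reject trailing data after IEND
        pos = end
    return False


SNIFFERS = {
    "png": is_well_formed_png,
    # JPEG/GIF get a signature check only in this example; a deployment
    # should decode (or re-encode) the image rather than trust a prefix.
    "jpg": lambda d: d.startswith(b"\xff\xd8\xff"),
    "jpeg": lambda d: d.startswith(b"\xff\xd8\xff"),
    "gif": lambda d: d[:6] in (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, declared_type: str, content: bytes):
    """Hardened gate. Returns (accepted, reason); every gate is independent."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # strip any path
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allowlist"
    if declared_type.lower() != ALLOWED[ext]:
        return False, f"declared type {declared_type!r} does not match .{ext}"
    if not SNIFFERS[ext](content):
        return False, f"content is not a well-formed {ext} image"
    return True, "ok"


_DISP = re.compile(r'name="([^"]*)"(?:;\s*filename="([^"]*)")?')


def scan_multipart(body: bytes, boundary: str):
    """Minimal multipart/form-data splitter for the constructed request;
    yields (field, filename, content_type, content) for file parts."""
    delim = b"--" + boundary.encode()
    for raw in body.split(delim)[1:]:
        if raw.startswith(b"--"):  # closing delimiter
            break
        head, _, data = raw.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        m = _DISP.search(headers.get("content-disposition", ""))
        if not m or m.group(2) is None:
            continue  # not a file part
        yield m.group(1), m.group(2), headers.get("content-type", ""), data[:-2]


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A genuine 1x1 greyscale PNG, constructed in code."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


BOUNDARY = "----WebKitFormBoundaryXPeRFAXCS9qPc2sB"
# Constructed: PNG magic followed by a harmless placeholder, not a payload.
CRAFTED = b"\x89PNG\r\n<?php /* constructed placeholder */ ?>"


def build_request(parts) -> bytes:
    out = b""
    for field, fname, ctype, content in parts:
        out += (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"{field}\"; "
                f"filename=\"{fname}\"\r\nContent-Type: {ctype}\r\n\r\n").encode() + content + b"\r\n"
    return out + f"--{BOUNDARY}--\r\n".encode()


def review_request(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Run both checks over every file part: {filename: (weak, hardened, reason)}."""
    results = {}
    for _field, fname, ctype, content in scan_multipart(body, boundary):
        ok, why = validate_upload(fname, ctype, content)
        results[fname] = (weak_check(content), ok, why)
    return results


if __name__ == "__main__":
    req = build_request([("wmu_files[0]", "myphpfile.php", "application/php", CRAFTED),
                         ("wmu_files[1]", "photo.png", "image/png", minimal_png())])
    for fname, (weak, hard, why) in review_request(req).items():
        print(f"{fname}: magic-only={weak} hardened={hard} ({why})")
```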

wpDiscuz 7.0.5, which was released on July 23, had just over 40,000 downloads at the time of writing this post, which means that at least 40,000 WordPress sites are still impacted by the issue.

Due to the critical severity of this issue and the simplicity in exploiting it, WordFence did not release a proof of concept video for this issue. 


Pierluigi Paganini

(SecurityAffairs – hacking, wpDiscuz)

The post A critical flaw in wpDiscuz WordPress plugin lets hackers take over hosting account appeared first on Security Affairs.

[Category: Breaking News, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News, Wordpress, wpDiscuz]

[l] at 8/1/20 12:55pm
A 30-year-old Moldovan man pleaded guilty this week for creating the FastPOS malware that infected PoS systems worldwide.

The Moldovan citizen Valerian Chiochiu (30), aka Onassis, pleaded guilty on Friday for creating the infamous FastPOS Point-of-Sale (POS) malware.

Chiochiu was a member of the Infraud global cybercrime organization involved in stealing and selling credit card and personal identity data.

According to the DoJ, the activities of the ring, tracked as the ‘Infraud Organization’, caused $530 million in losses. The group has been active since 2010, when it was created in Ukraine by Svyatoslav Bondarenko.

The platform offered a privileged aggregator for criminals (10,901 approved “members” in early 2017) that allowed them to buy and sell payment card and personal data.

The Infraud Organization used a number of websites to commercialize the data; it implemented a classic and efficient e-commerce operation for the stolen card and personal data, including a rating and feedback system and an “escrow” service for payments in digital currencies like Bitcoin.

The main website was a crime forum that was founded in 2010, it first operated at infraud.cc and infraud.ws.

Chiochiu sold the FastPOS malware on the forum; it first appeared in the threat landscape in 2016.

The malware was first spotted by experts at Trend Micro, it was dubbed FastPOS because of its ability to quickly exfiltrate harvested data.

FastPOS PoS malware has a modular structure that includes a memory scraper component and a Key Logger.

The components of FastPOS’s new version are:

  • Serv32.exe – creates and monitors a mailslot and sends its contents to the C&C server
  • Kl32.exe – keylogger component (32-bit)
  • Kl64.exe – keylogger component (64-bit)
  • Proc32.exe – RAM scraper (32-bit)
  • Proc64.exe – RAM scraper (64-bit)

Card data captured on the infected system are not stored locally; they are transferred directly to the command and control servers in clear text.

The malware was used by threat actors to target both enterprises and SMBs in several countries across the world, including the United States, Brazil, France, Japan, Hong Kong, and Taiwan.

The FastPOS malware was usually served via compromised websites, via VNC access using stolen credentials or brute-force attacks, or through a file-sharing service.

In February 2018, the US authorities dismantled the Infraud Organization and Chiochiu stopped his activity. At the time, the Justice Department announced indictments for 36 people charged with being part of the crime ring.

At the end of June, Sergey Medvedev (aka “Stells”), one of the two Infraud administrators, pleaded guilty for his role in the crime organization.

Chiochiu will be sentenced on December 11.


Pierluigi Paganini

(SecurityAffairs – hacking, FastPOS)

The post The author of FastPOS PoS malware pleads guilty appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Malware, credit card, FastPOS, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, POS malware, Security Affairs, Security News]

[l] at 8/1/20 6:21am
Four suspects were charged for their alleged involvement in the recent Twitter hack, announced the Department of Justice.

US authorities announced the arrest of 17-year-old Graham Ivan Clark from Tampa, Florida, who is suspected of having orchestrated the recent Twitter hack. The arrest is the result of an operation coordinated by the FBI, the IRS, and the Secret Service.

The arrest of Clark, who is suspected to be the “mastermind” behind the attack, was first reported by Florida news outlet WFLA-TV.

“Hillsborough State Attorney Andrew Warren filed 30 felony charges against the teen this week for “scamming people across America” in connection with the Twitter hack that happened on July 15.” states WFLA-TV. “The charges he’s facing include one count of organized fraud, 17 counts of communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information and one count of access to computer or electronic device without authority.”

Hillsborough State Attorney Andrew Warren filed charges against Clark for being the “mastermind” behind the attack that compromised 130 accounts.

The teen is believed to have gained access to Twitter’s backend, then he used an internal tool to take over several high-profile accounts and promote a cryptocurrency scam. The attackers posted messages urging the followers of the hacked accounts to send money to a specific bitcoin wallet address to receive back larger sums.

The hackers took control of 45 of them, sent out posts on behalf of the owners, and downloaded data from eight.

The list of hacked accounts includes Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Michael Bloomberg, and others.

With this fraudulent scheme, threat actors obtained nearly $120,000 worth of bitcoins (approximately 12.86 bitcoins were amassed by attackers in “accounts associated with Clark”) from the unaware followers of the hacked accounts.

Below some of the charges reported in a press release from Warren’s office:

  • organized fraud (over $50,000) – 1 count
  • communications fraud (over $300) – 17 counts
  • fraudulent use of personal information (over $100,000 or 30 or more victims) – 1 count
  • fraudulent use of personal information – 10 counts
  • access computer or electronic device without authority (scheme to defraud) – 1 count

In a separate announcement, the US Department of Justice announced additional charges against two of Clark’s accomplices, Mason Sheppard (19), aka “Chaewon,” and Nima Fazeli (22), aka “Rolex,” from Orlando, Florida.

“Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom, was charged in a criminal complaint in the Northern District of California with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.” states the DoJ.

“Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida, was charged in a criminal complaint in the Northern District of California with aiding and abetting the intentional access of a protected computer.

The third defendant is a juvenile. With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile.”


Pierluigi Paganini

(SecurityAffairs – hacking, Twitter hack)

The post Four individuals charged for the recent Twitter hack appeared first on Security Affairs.

[Category: Breaking News, Cyber Crime, Social Networks, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News, social networks, Twitter hack]

[l] at 8/1/20 4:51am
President Donald Trump announced that he plans to ban the popular short video app TikTok from operating in the US as early as Saturday.

President Donald Trump has announced he is going to ban the popular Chinese video-sharing app TikTok in the US.

The US President is ready to sign an executive order as early as Saturday to block the popular application owned by Chinese firm ByteDance.

US security officials have expressed concern that the app could be used by the Chinese government to collect the personal data of Americans.

Trump told reporters aboard Air Force One on Friday that he could use “emergency economic powers or an executive order” to ban the app.

“As far as TikTok is concerned, we’re banning them from the United States,” Mr Trump told reporters aboard Air Force One.

[Image: TikTok. Source: Messagero]

TikTok has denied any accusation of sharing data with the Beijing government. TikTok confirmed that all US user data is stored in the US, with a backup in Singapore.

The app is reported to have around 800 million active monthly users, most of whom are from the US and India.

The number of its users continues to grow worldwide, it has up to 80 million active monthly users in the US. All accounts are public by default, but users can also restrict uploads to their contacts.

It is not clear how President Trump can ban the Chinese app for the US and what legal challenges it would face.

Trump’s announcement came hours after reports broke that Microsoft could buy TikTok for $50 billion, but Trump confirmed his opposition to a deal that would have an American company acquire TikTok.

Microsoft has reportedly been in talks to buy the app from ByteDance, but Mr Trump appeared to cast doubt that such a deal would be allowed to go through.

A TikTok spokesperson declined to comment on Trump’s announcement, but told US media outlets the company was “confident in the long-term success of TikTok” in the US.

The announcement is the result of tensions between Trump and the Chinese government, which is accused of aggressive conduct against the US government and its businesses.

Other states, such as India, have already blocked Chinese apps or are planning to do so.

US officials have for weeks called for action against TikTok due to its alleged connections to the Chinese government.

Earlier this month, Secretary of State Mike Pompeo announced that the Trump administration was considering banning Chinese apps due to national security concerns. 

Last year, the US Treasury Department’s Committee on Foreign Investment in the United States opened an investigation into ByteDance.

Last week the US government approved legislation banning the use of TikTok on federal devices. 

TikTok recently announced it would increase transparency on its operations; it also plans to allow reviews of its algorithms.

“We are not political, we do not accept political advertising and have no agenda – our only objective is to remain a vibrant, dynamic platform for everyone to enjoy,” said the CEO of TikTok, Kevin Mayer.

“TikTok has become the latest target, but we are not the enemy.”


Pierluigi Paganini

(SecurityAffairs – hacking, China)

The post Trump says he will ban popular Chinese video app TikTok in the US appeared first on Security Affairs.

[Category: Breaking News, Intelligence, Mobile, China, cyber espionage, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News, TikTok, Trump]

[l] at 7/31/20 2:51pm
Red Hat is warning customers not to install the package updates released to address the BootHole vulnerability, due to boot problems reported by users.

This week, firmware security company Eclypsium reported that billions of Windows and Linux devices are affected by a serious GRUB2 bootloader issue (CVE-2020-10713), dubbed BootHole, that can be exploited to install stealthy malware.

According to researchers from the firmware security firm Eclypsium, which discovered the issue, the BootHole flaw affects any operating system that uses GRUB2 with Secure Boot.

GRUB2 (the GRand Unified Bootloader version 2) is the replacement for the original GRUB boot loader, which is now referred to as “GRUB Legacy”. Secure Boot, in turn, is the mechanism designed to protect the boot process from tampering.

Immediately after the disclosure of the issue, maintainers of major Linux distributions started releasing updated packages to fix it.

Red Hat confirmed that BootHole impacts Red Hat Enterprise Linux 7 and 8, Atomic Host, and the OpenShift Container Platform 4.

The company recommended that users update their grub2, kernel, fwupdate, fwupd, shim and dbxtool packages.

Unfortunately, users who applied the updates started reporting that their systems failed to boot.

“Applying the RHSA-2020:3216 grub2 security update and the RHSA-2020:3218 kernel security and bug fix update on a fresh ‘minimal’ installation of RHEL 8.2 renders the system unbootable,” reads a ticket opened on Red Hat’s bug tracker.

Steps to Reproduce:
1. Install RHEL 8.2 "minimal" version from Binary DVD iso downloaded on 7/29/2020 on system running in EFI mode
2. Apply current updates as of 7/29/2020 with "yum update"
3. Reboot system

Actual results:
System hangs after POST and the grub menu never loads

Red Hat has now updated its advisory, recommending that users avoid updating the grub2, fwupd, fwupdate or shim packages until new packages are available.

Red Hat has released instructions for how users who have already installed the buggy updates can restore their system. The company says it has identified the cause of the problem and is working on a fix.

Red Hat Enterprise Linux 7.8 and 8.2 are confirmed to be impacted; versions 7.9 and 8.1 EUS could also be affected.


Pierluigi Paganini

(SecurityAffairs – hacking, BootHole)

The post Updates provided by Red Hat for BootHole cause systems to hang appeared first on Security Affairs.

[Category: Breaking News, Security, BootHole, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Red Hat, Security Affairs, Security News, The Hacking News]

[l] at 7/31/20 8:51am
Cisco addressed critical and high-severity vulnerabilities affecting its Data Center Network Manager (DCNM) network management platform.

Cisco addressed this week some critical and high-severity vulnerabilities impacting its Data Center Network Manager (DCNM) network management platform.

One of the most severe issues is a critical authentication bypass vulnerability, tracked as CVE-2020-3382. It can allow a remote, unauthenticated attacker to bypass authentication and perform actions with admin privileges on the vulnerable device.

“A vulnerability in the REST API of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the advisory published by Cisco.

“The vulnerability exists because different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges.”
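The advisory’s root cause, a signing key shared by every installation, is easiest to see side by side with the fix. The following is an added example, not Cisco’s code: it models HMAC-signed session tokens with a static key versus a key generated per installation; the token format, key names and all values are constructed for illustration.

```python
"""Static shared key vs per-installation key for HMAC-signed session tokens.

Added example, not Cisco's code: it models the flaw class described in the
CVE-2020-3382 advisory (one signing key shared by every installation, so anyone
holding it can mint a valid session token) next to the usual fix (a random key
generated per installation). Token format, key names and values are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed: the key that would be baked into the software in the weak design.
STATIC_KEY = b"constructed-static-key-shared-by-all-installs"


class SessionTokenService:
    """Issues and verifies tokens of the form base64(payload).base64(hmac)."""

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, username: str, role: str, ttl: int = 3600, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        claims = {"sub": username, "role": role, "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(mac).decode())

    def verify(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        """Returns the claims if the MAC matches this installation's key and the token is unexpired."""
        now = int(time.time()) if now is None else now
        try:
            payload_b64, mac_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            mac = base64.urlsafe_b64decode(mac_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
        if claims.get("exp", 0) <= now:
            return None
        return claims


def weak_install() -> SessionTokenService:
    """Vulnerable pattern: every deployment trusts the same key shipped in the product."""
    return SessionTokenService(STATIC_KEY)


def hardened_install() -> SessionTokenService:
    """Fixed pattern: a fresh 256-bit key generated at install time and kept only on that host."""
    return SessionTokenService(secrets.token_bytes(32))


def cross_install_accepted(factory) -> bool:
    """Is a token minted by one installation accepted by a different one?

    True means anyone who extracts the key from any copy of the software can
    forge an administrative session on every other deployment.
    """
    install_a, install_b = factory(), factory()
    token = install_a.issue("admin", "network-admin")
    return install_b.verify(token) is not None


if __name__ == "__main__":
    print("static key, token accepted elsewhere:", cross_install_accepted(weak_install))          # True
    print("per-install key, token accepted elsewhere:", cross_install_accepted(hardened_install))  # False
```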

The company also addressed several high-severity vulnerabilities in DCNM: CVE-2020-3377, CVE-2020-3384, CVE-2020-3383, CVE-2020-3386 and CVE-2020-3376, which cover arbitrary command injection, path traversal, arbitrary file writing, authorization bypass and privilege escalation.

The tech giant states that most of these vulnerabilities could be exploited only by authenticated attackers; only CVE-2020-3376 could be exploited by an unauthenticated attacker to bypass authentication and execute arbitrary actions.

“A vulnerability in the Device Manager application of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions on an affected device.” reads the security advisory.

“The vulnerability is due to a failure in the software to perform proper authentication. An attacker could exploit this vulnerability by browsing to one of the hosted URLs in Cisco DCNM. A successful exploit could allow the attacker to interact with and use certain functions within the Cisco DCNM.”

Cisco also fixed three medium-severity vulnerabilities in DCNM, including XSS, SQL injection and information disclosure issues.

This week, Cisco also addressed a critical vulnerability in the management interface of the SD-WAN vManage software tracked as CVE-2020-3374. The issue can be exploited by an authenticated attacker to access potentially sensitive information, modify the configuration of the system, or trigger a DoS condition.

The good news is that none of these vulnerabilities has been exploited by threat actors in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, DCNM)

The post Cisco fixes critical and high-severity flaws in Data Center Network Manager appeared first on Security Affairs.

[Category: Breaking News, Security, authentication bypass, CISCO, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News]

[l] at 7/31/20 6:32am
The CyberNews research team discovered an unsecured data bucket on a publicly accessible Amazon Simple Storage (S3) server containing confidential data belonging to IndieFlix.

Original post at: https://cybernews.com/security/indieflix-leaks-thousands-of-filmmaker-ssns-confidential-agreements-videos/

IndieFlix is a US-based entertainment company offering a subscription-based online video streaming service that mainly specializes in independent titles, including feature films, shorts, and documentaries.

The data bucket discovered by CyberNews contains over 90,000 files related to the IndieFlix streaming service. This includes scans of confidential motion picture acquisition agreements, tax ID requests that include filmmaker social security numbers and employer identification numbers, as well as relatively detailed contact information of thousands of film professionals. Additionally, the bucket hosts thousands of video files of short films, movie clips, and trailers that can be accessed and downloaded by anyone with a direct link to the files.

After CyberNews contacted IndieFlix and Amazon Web Services, the bucket was secured and is no longer accessible.

What data is in the bucket?

The unsecured Amazon S3 bucket contains 93,867 publicly accessible files, including:

  • 4,275 motion picture acquisition agreements and contract addendums
  • 3,217 scans of requests for tax identification numbers that include addresses, signatures, as well as social security numbers and/or employer identification numbers of the filmmakers or their distribution agents
  • A contact list of 5,966 film industry professionals, including their full names, email addresses, street addresses, phone numbers, and zip codes
  • 15,225 video files, which include short films as well as clips and trailers from the platform’s Quick Pick feature library

The vast majority of the files stored in the unsecured bucket are film thumbnail pictures and various promotional materials. The motion picture acquisition agreements, tax ID requests, and contract addendum scans all date between 2013 and 2016. 

Examples (images omitted): a censored motion picture acquisition agreement, a tax ID request, and filmmaker contact records.

During our correspondence with IndieFlix, CEO Scilla Andreen indicated that the confidential documents stored in the bucket were uploaded to the server by mistake. “We have been storing these types of documents in a secure private drive, not in AWS. The documents in the S3 bucket were an old archive that was mistakenly uploaded,” says Andreen.

Storing anything on a publicly accessible server without any kind of authentication process in place is dangerous, which is a lesson many organizations still tend to learn the hard way. Seeing small, socially-minded companies like IndieFlix fail to secure their data is particularly heartbreaking.
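The check an owner should run before this happens is an added example, not CyberNews’ or AWS’ code: it evaluates, offline, the three bucket settings that make objects readable by anyone (bucket policy, bucket ACL and Block Public Access), using the document shapes the S3 API returns; the sample documents are constructed and are not the IndieFlix bucket’s settings.

```python
"""Offline audit of the three settings that make an S3 bucket readable by anyone.

Added example, not CyberNews' or AWS' code. It evaluates the document shapes the
S3 API returns for a bucket policy (GetBucketPolicy), a bucket ACL (GetBucketAcl)
and the Block Public Access configuration (GetPublicAccessBlock); the sample
documents below are constructed and are not the IndieFlix bucket's settings.
"""
from typing import List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value) -> list:
    """Policy fields such as Statement, Action and Principal.AWS may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} grants to unauthenticated requests from the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _read_action(action: str) -> bool:
    """Actions that let a caller list or fetch objects, including wildcards covering them."""
    a = action.lower()
    return a in ("*", "s3:*", "s3:getobject", "s3:listbucket") or a.startswith("s3:get*")


def policy_findings(policy: dict) -> List[str]:
    """Allow statements granting read actions to an anonymous principal.

    A Condition block can narrow such a statement, so it is flagged for manual
    review rather than evaluated here.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action", [])) if _read_action(a)]
        if actions:
            note = " (has Condition, review manually)" if "Condition" in stmt else ""
            findings.append(f"policy {stmt.get('Sid', '<no Sid>')}: anonymous {actions}{note}")
    return findings


def acl_findings(acl: dict) -> List[str]:
    """Grants to the AllUsers (anyone) or AuthenticatedUsers (any AWS account) groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"acl: {group} has {grant.get('Permission')}")
    return findings


def block_public_access_enabled(pab: dict) -> bool:
    """All four switches on: public ACLs are ignored and public policies are blocked/restricted."""
    return all(pab.get(k) is True for k in PAB_KEYS)


def assess(policy: dict, acl: dict, pab: dict) -> dict:
    """Findings plus whether they actually expose the bucket given Block Public Access."""
    findings = policy_findings(policy) + acl_findings(acl)
    return {"findings": findings,
            "public": bool(findings) and not block_public_access_enabled(pab)}


# Constructed sample: a public-read policy and ACL with Block Public Access switched off.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OPEN_PAB = {k: False for k in PAB_KEYS}
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print(assess(SAMPLE_POLICY, SAMPLE_ACL, OPEN_PAB))      # public: True, two findings
    print(assess(SAMPLE_POLICY, SAMPLE_ACL, HARDENED_PAB))  # public: False, same findings listed
```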

Who had access to the bucket?

At the time of writing this report, it is unclear if anyone had access to the unsecured bucket. While IndieFlix believes that the bucket has been publicly accessible since May 2015, the company has not found any suspicious activity or unauthorized access attempts to any of its accounts during the period.

According to Scilla Andreen, the IndieFlix administrative team uses “password management software and multi-factor authentication (where available) to secure [their] accounts” and, in order to increase their efforts to secure their customer and client data, IndieFlix assured CyberNews that the streaming service will be “immediately dedicating time and resources towards an information security audit.”

That said, the files were stored on a publicly accessible Amazon S3 server. Accessing and downloading files hosted on public servers requires almost no technical knowledge, so the data contained in this bucket may well have been accessed by bad actors for malicious purposes.

What’s the impact?

Even though most of the personally identifiable data stored by IndieFlix on the unsecured Amazon server is not deeply sensitive, a single social security number contained in a tax ID request can fetch about $4 – a relatively good price – on the dark web, putting the total black market value of the SSNs found in the bucket at up to $13,000.

Acquiring someone’s social security number or employer identification number is one of the first steps toward committing identity theft. By adding more personal details like names, emails, phone numbers, addresses – some of which are present in the contact file stored in this bucket – as well as acquiring scans of other documents like passports and driver’s licenses on the black market, cybercriminals can, in the worst-case scenario, take out loans (for example, coronavirus relief loans), credit cards, or other paid services in the victims’ names.

Even the humble email address can be enough for bad actors to run spamming campaigns and send phishing emails to the unsuspecting recipient.

Finally, attackers can use the data to blackmail filmmakers or their agents by threatening to publicize the confidential content found in the motion picture acquisition agreements.

What to do if you’ve been affected?

For film industry professionals and organizations that signed agreements with IndieFlix or gave the company their contact details between 2013 and 2016, we recommend doing the following in case of any suspicious activity or fraud:

  • Review recent activity on your email accounts for suspicious messages and requests
  • Set up identity theft monitoring
  • Notify law enforcement in case of any blackmail attempts

Disclosure

We discovered the unsecured bucket on July 15 and immediately notified IndieFlix about the leak. However, we received no response from the company. For that reason, we reached out to Amazon on July 22 in order to help secure the server. They contacted the owner and the database was closed on the same day.

About the author Edvardas Mikalauskas:

Edvardas Mikalauskas is a writer for CyberNews.com. Ed’s interests include all things tech and cybersecurity. He’s been featured in Forbes, TechRadar, Reason, TechRepublic, and more. You can reach him via email or find him on Twitter chuckling at jokes posted by parody accounts.


Pierluigi Paganini

(SecurityAffairs – hacking, IndieFlix)

The post IndieFlix streaming service leaves thousands of confidential agreements, filmmaker SSNs, videos exposed on public server appeared first on Security Affairs.

[Category: Breaking News, Data Breach, Amazon S3 bucket, data leak, Hacking, hacking news, indieflix, information security news, IT Information Security, malware, Pierluigi Paganini, Security Affairs, Security News]

[l] at 7/31/20 3:04am
For the first time ever, the EU has imposed economic sanctions on Russia-, China- and North Korea-linked actors following cyber-attacks aimed at the EU and its member states.

The Council of the European Union announced sanctions imposed on a Russia-linked military espionage unit, as well as companies operating for Chinese and North Korean threat actors that launched cyber-attacks against the EU and its member states.

This is the first time that the Council of the EU has used a framework established on May 17, 2019, which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks aimed at the EU or its member states.

The sanctions include asset freezes and forbid EU organizations and individuals from transferring funds to the sanctioned organizations and individuals.

“The Council today decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks. These include the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as ‘WannaCry‘, ‘NotPetya‘, and ‘Operation Cloud Hopper‘.” reads the press release issued by the EU.

“The sanctions imposed include a travel ban and an asset freeze. In addition, EU persons and entities are forbidden from making funds available to those listed.”

The EU imposed sanctions on the following six individuals:

  1. GAO Qiang (China)
  2. ZHANG Shilong (China)
  3. Alexey Valeryevich MININ (Russia)
  4. Aleksei Sergeyvich MORENETS (Russia)
  5. Evgenii Mikhaylovich SEREBRIAKOV (Russia)
  6. Oleg Mikhaylovich SOTNIKOV (Russia)

The first two individuals in the list are Chinese citizens accused of being members of the China-linked APT10 cyberespionage group. The group has been active since at least 2009; in April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

The remaining four individuals are Russian citizens who were agents of the Russian military intelligence service GRU and were involved in the attempted hack of the OPCW’s Wi-Fi network in the Netherlands.

“The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work,” states the Council of the European Union. “The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.”

The EU also sanctioned the following front companies operating on behalf of the threat actors behind the attacks:

  1. Tianjin Huaying Haitai Science and Technology Development Co. Ltd (Huaying Haitai) (China)
  2. Chosun Expo (North Korea)
  3. Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU) (Russia)

In September 2018, the US charged a North Korean agent, working for the North Korean military intelligence agency Reconnaissance General Bureau (RGB), over the Sony Pictures hack and WannaCry.

US intelligence highlighted that North Korean hackers were free to operate from China. Chosun Expo Joint Venture helped fund North Korean hacking groups by covering their activities with legitimate programming work from an office in Dalian, China.

Chosun Expo is considered a front company for the North Korea-linked APT38 group, which is a subgroup of the Lazarus Group.

The Council believes that the APT group was behind the massive ‘WannaCry’ campaign and cyber-attacks against the Polish Financial Supervision Authority and Sony Pictures Entertainment. The group is also accused of cyber-attacks against the Bangladesh Bank.

Huaying Haitai, another company hit by the EU sanctions, was mentioned in an investigation disclosed in December 2018, when the US Department of Justice charged two Chinese hackers with hacking numerous companies and government agencies in a dozen countries (US Indicts Two Chinese Government Hackers Over Global Hacking Campaign).

The company is linked to the China-linked APT10 group and was sanctioned for its involvement in the ‘Operation Cloud Hopper’ cyber-espionage campaign.

“Targeted restrictive measures have a deterrent and dissuasive effect and should be distinguished from attribution of responsibility to a third state,” concludes the EU statement.

“The EU remains committed to a global, open, stable, peaceful and secure cyberspace and therefore reiterates the need to strengthen international cooperation in order to promote the rules-based order in this area.”


Pierluigi Paganini

(SecurityAffairs – hacking, EU sanctions)

The post EU has imposed sanctions on foreign actors for the first time ever appeared first on Security Affairs.

[Category: APT, Breaking News, Cyber warfare, Intelligence, Laws and regulations, cyber espionage, EU sanctions, Hacking, hacking news, information security news, IT Information Security, malware, North Korea, Pierluigi Paganini, Russia, Security Affairs, Security News]

[l] at 7/30/20 3:53pm
A security researcher published the details about two Tor zero-day vulnerabilities and plans to release three more flaws.

The security researcher Dr. Neal Krawetz has published technical details about two Tor zero-day vulnerabilities over the past week and promises to release three more. Oppressive regimes could exploit these Tor zero-day flaws to prevent users from accessing the popular anonymizing network.

The expert confirmed that one of the three new issues can de-anonymize Tor servers by revealing their real IP address.

I'm giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything.

I'm holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days.

— Dr. Neal Krawetz (@hackerfactor) June 4, 2020

Dr. Neal Krawetz decided to publicly disclose details of two zero-day flaws after the Tor Project repeatedly failed to fix multiple vulnerabilities he reported over the past years.

The researcher also promised to reveal at least three more Tor zero-days, including one that can reveal the real-world IP address of Tor servers.

The researcher operates multiple Tor nodes; last week he published a blog post that describes how internet service providers and organizations could block Tor connections.

“However, what if there was a distinct packet signature provided by every Tor node that can be used to detect a Tor network connection? Then you could set the filter to look for the signature and stop all Tor connections. As it turns out, this packet signature is not theoretical.” reads the post.

An attacker could use the packet signature to block Tor connections from being established.

Today the expert published a new blog post that provides details about other Tor zero-day issues that could be exploited to detect indirect connections.

“Direct connections to the Tor network are the most common type of connection. However, there are also indirect ways to connect to the Tor network. These indirect methods are called ‘bridges’. If someone could detect every bridge protocol, then every Tor user could be blocked from accessing the Tor network, or they can be directly surveilled. (If they know your real network address, then they know who you are, and they can monitor or censor your activities.)” reads the report.

“In this blog entry, I’m going to disclose methods to identify Tor bridge network traffic. This includes two new zero-day (0day) exploits — one for detecting obfs4 and one for detecting meek.”

Tor bridges (“Tor bridge relays”) are alternative entry points to the Tor network, some of them are not listed publicly. Using a bridge makes it harder, but not impossible, for the ISP to determine a user is connecting to Tor.

According to Dr. Krawetz, an attacker can easily detect connections to Tor bridges by tracking specific packets.

“Between my previous blog entry and this one, you now have everything you need to enforce the policy with a real-time stateful packet inspection system. You can stop all of your users from connecting to the Tor network, whether they connect directly or use a bridge,” continues Dr. Krawetz.

The security researcher reported multiple issues to the Tor Project, but he claims that the maintainers never addressed them; for this reason, Dr. Krawetz decided to end his collaboration with the organization.


Pierluigi Paganini

(SecurityAffairs – hacking, Tor zero-day flaw)

The post Expert discloses details of 3 Tor zero-day flaws … new ones to come appeared first on Security Affairs.

[Category: Breaking News, Deep Web, Digital ID, Hacking, hacking news, information security news, IT Information Security, malware, Pierluigi Paganini, privacy, Security Affairs, Security News, Tor network, Tor zero-day, zero-day vulnerability]
