Table of Contents

  1. Leaks
    1. Dating app MobiFriends silent on security breach impacting 3.6 million users
    2. Ulmon - 777,769 breached accounts
    3. Digital Ocean says it exposed customer data after it left an internal document online
    4. REvil attackers claim to have obtained megastars’ legal files from NY entertainment law firm
    5. Hackers sell stolen user data from HomeChef, ChatBooks, and Chronicle
    6. US Marshals says prisoners’ personal information taken in data breach
  2. Privacy
    1. A passwordless server run by NSO Group sparks contact-tracing privacy concerns
  3. Ransomware
    1. Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
  4. Crime
    1. Unemployed Americans offered ‘remote jobs’ as money mules
    2. Meant to Combat ID Theft, Unemployment Benefits Letter Prompts ID Theft Worries
    3. Iran-linked hackers recently targeted coronavirus drugmaker Gilead
    4. 15-year-old hacker and crew of ‘evil geniuses’ accused of $24 million crypto theft
    5. Rail vehicle manufacturer Stadler hit by cyberattack, blackmailed
  5. Vulnerabilities
    1. How a Deceptive Assert Caused a Critical Windows Kernel Vulnerability

Leaks

Dating app MobiFriends silent on security breach impacting 3.6 million users

The personal details of 3,688,060 users registered on the MobiFriends dating app were posted online earlier this year and are now available for download. According to the hacker who initially put the data up for sale on a hacking forum, it was obtained in a security breach that took place in January 2019. Last month the MobiFriends data leaked into the public domain, and it is now being broadly shared on numerous online forums, in some cases as a free download.

Ulmon - 777,769 breached accounts

In January 2020, the travel app creator Ulmon suffered a data breach. The service had almost 1.3M records with 777k unique email addresses, names, passwords stored as bcrypt hashes and in some cases, social media profile IDs, telephone numbers and bios. The data was subsequently posted to a popular hacking forum.

Digital Ocean says it exposed customer data after it left an internal document online

Web hosting provider Digital Ocean is currently in the process of notifying some customers about a security lapse that exposed some of their account details. According to an email the company is currently sending out, the security leak occurred due to an internal Digital Ocean document that was mistakenly left accessible online. Digital Ocean says the document contained several types of user account details. This included personally identifiable information such as customer email addresses and their respective Digital Ocean usernames, but also account technical details such as the number of droplets (servers) owned by the customer, the user's bandwidth usage, support or sales communications notes, and the amount of money the customer paid during calendar year 2018.

REvil attackers claim to have obtained megastars’ legal files from NY entertainment law firm

The Sodinokibi ransomware group is threatening to release hundreds of gigabytes of legal documents from a prominent entertainment law firm that counts dozens of international stars as its clients. The personal legal affairs of dozens of the world's biggest music and movie stars, Lady Gaga, Elton John, Robert DeNiro and Madonna among them, are at risk of exposure following a ransomware attack on a high-profile New York entertainment law firm. Grubman Shire Meiselas & Sacks has reportedly been hit by the REvil ransomware (also known as Sodinokibi), with the attackers threatening to publish up to 756 GB of stolen data in 9 staged releases.

Hackers sell stolen user data from HomeChef, ChatBooks, and Chronicle

Three more high-profile databases are being offered for sale by the same group claiming the Tokopedia and Unacademy breaches, and the more recently reported theft of Microsoft's private GitHub repositories. Going by the name Shiny Hunters, the group is now selling user records from meal kit delivery service HomeChef, from photo print service ChatBooks, and Chronicle.com, a news source for higher education.

US Marshals says prisoners’ personal information taken in data breach

A data breach at the U.S. Marshals Service exposed the personal information of current and former prisoners, TechCrunch has learned. A letter sent to those affected, and obtained by TechCrunch, said the Justice Department notified the U.S. Marshals on December 30, 2019 of a data breach affecting a public-facing server storing personal information on current and former prisoners in its custody. The letter said the breach may have included their address, date of birth and Social Security number, which can be used for identity fraud.

Privacy

A passwordless server run by NSO Group sparks contact-tracing privacy concerns

Israel-based private security firm NSO Group, known for making mobile hacking tools, is leading one of Israel's contact-tracing efforts. Security researcher Bob Diachenko discovered one of NSO's contact-tracing systems on the internet, unprotected and without a password, for anyone to access. After he contacted the company, NSO pulled the unprotected database offline. Diachenko said he believes the database contains dummy data. NSO told TechCrunch that the system was only for demonstrating its technology and denied it was exposed because of a security lapse. NSO is still waiting for the Israeli government's approval to feed cell records into the system. But experts say the system should not have been open to begin with, and that centralized databases of citizens' location data pose a security and privacy risk.

Ransomware

Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

FireEye has published a lengthy article detailing the tactics, techniques and procedures used in MAZE ransomware incidents and mapping them to the MITRE ATT&CK matrix.

Crime

Unemployed Americans offered ‘remote jobs’ as money mules

Cybercriminals are exploiting the increasing number of layoffs during the current pandemic to recruit new money mules who can later be used to help launder money gained from illicit activities. Some phishing messages discovered by PhishLabs researchers try to convince targets from Canada and the United States who might have lost their jobs due to the COVID-19 outbreak to start working from home, promising them $5,000 per month. The potential victims are not given any other information about what the remote jobs require but are instead asked to request more details via email.

Meant to Combat ID Theft, Unemployment Benefits Letter Prompts ID Theft Worries

Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity. So far this month, two KrebsOnSecurity readers have forwarded scans of form letters they received via snail mail that mentioned an address change associated with some type of payment card, but which specified neither the entity that issued the card nor any useful information about the card itself.

Iran-linked hackers recently targeted coronavirus drugmaker Gilead

Hackers linked to Iran have targeted staff at U.S. drugmaker Gilead Sciences Inc in recent weeks, according to publicly available web archives reviewed by Reuters and three cybersecurity researchers, as the company races to deploy a treatment for COVID-19. In one case, a fake email login page designed to steal passwords was sent in April to a top Gilead executive involved in legal and corporate affairs, according to an archived version on a website used to scan for malicious web addresses. Reuters was not able to determine whether the attack was successful.

15-year-old hacker and crew of ‘evil geniuses’ accused of $24 million crypto theft

A 15-year-old hacker and his crew of "evil computer geniuses" stole nearly $24 million in cryptocurrency from an adviser to blockchain companies, according to a lawsuit filed in New York. Michael Terpin claims his phone was hacked and his money stolen in 2018 by a ring led by Westchester County, New York, teen Ellis Pinsky as part of a "sophisticated cybercrime spree." Terpin, the founder and chief executive officer of blockchain advisory firm Transform Group, is suing Pinsky, now 18, for $71 million under a federal racketeering law that allows for triple damages.

Rail vehicle manufacturer Stadler hit by cyberattack, blackmailed

International rail vehicle manufacturer Stadler disclosed that it was the victim of a cyberattack which may also have allowed the attackers to steal company and employee data. Stadler manufactures a wide range of railway vehicles, from high-speed trains to tramways and trams, and is the world's leading service provider in the rack-and-pinion rail vehicle industry. Stadler announced on Thursday evening that attackers managed to infiltrate its IT network, infect some of its machines with malware and, most probably, collect and exfiltrate data from the compromised devices in the process. "Stadler's internal monitoring services have established that the company's IT network was attacked with malware and that it is highly probable that an outflow of data of an as yet unknown extent has occurred," the company said.

Vulnerabilities

How a Deceptive Assert Caused a Critical Windows Kernel Vulnerability

In a software update released in November 2019, a tiny code change to the Windows kernel driver win32kfull.sys introduced a significant vulnerability. The code change ought to have been harmless: on the face of it, it was just the insertion of a single assert-type function call to guard against certain invalid data in a parameter. This article from the Zero Day Initiative dissects the relevant function and shows what went wrong. Microsoft patched the bug in February 2020 as CVE-2020-0792.