Table of Contents

  1. Vulnerabilities
    1. New Unc0ver jailbreak released, works on all recent iOS versions
    2. Bluetooth Vulnerability: BIAS
    3. RangeAmp attacks can take down websites and CDN servers
    4. Critical Android bug lets malicious apps hide in plain sight
  2. Leaks
    1. 47.5 Million Indian Truecaller Records on Sale In Darkweb for (only) $1000!
    2. EasyJet faces £18 billion class-action lawsuit over data breach
    3. PetFlow - 990,919 breached accounts
    4. Artsy - 1,079,970 breached accounts
    5. Lifebear - 3,670,561 breached accounts
    6. A Massive Database of 8 Billion Thai Internet Records Leaks
    7. White House Press Secretary Accidentally Reveals Trump’s Private Banking Info
  3. Malware
    1. Russian cyberspies use Gmail to control updated ComRAT malware
    2. Thousands of enterprise systems infected by new Blue Mockingbird malware gang
    3. Trojanized Discord Client Grabs Passwords and User Tokens
    4. Hacking group builds new Ketrum malware from recycled backdoors
  4. Ransomware
    1. Ragnar Ransomware Operators Targets Birch Communications
    2. New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map
  5. Crime
    1. Hacker extorts online shops, sells databases if ransom not paid
    2. Hacker Selling 80,000 Users' Data Stolen From Cryptocurrency Wallets
    3. Hackers leak credit card info from Costa Rica's state bank
    4. The FBI investigating hacking of Covid research by “PRC-affiliated cyber actors”
  6. OSINT
    1. Leveraging Street Art in OSINT Investigations

Vulnerabilities

New Unc0ver jailbreak released, works on all recent iOS versions

A team of hackers, security researchers, and reverse engineers has released a new jailbreak package for iOS devices. By default, Apple does not allow users full control over their iPhones and other iOS devices, citing security reasons. Jailbreaks are custom software that exploits bugs in the iOS operating system to grant users root access and full control over their device. The Unc0ver team released Unc0ver 5.0.0, the latest version of their jailbreaking software, which can root and unlock all iOS devices, even those running the most recent iOS release, iOS 13.5. This is possible, they said, because Unc0ver 5.0.0 exploits a zero-day vulnerability in iOS, one that Apple is not aware of.

Bluetooth Vulnerability: BIAS

The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long-term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. The researchers' paper shows that the Bluetooth specification contains vulnerabilities that allow impersonation attacks during secure connection establishment: the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. The researchers describe each vulnerability in detail and exploit them to design, implement, and evaluate master and slave impersonation attacks against both the legacy authentication procedure and the secure authentication procedure. The attacks are named Bluetooth Impersonation AttackS (BIAS).

RangeAmp attacks can take down websites and CDN servers

A team of Chinese academics has found a new way to abuse HTTP requests to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP Range Requests feature. HTTP Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature was created for pausing and resuming transfers in controlled (pause/resume actions) or uncontrolled (network congestion or disconnections) situations.
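The item above says only that RangeAmp abuses badly implemented Range handling, so the following is an added example, not code from the researchers or from any CDN vendor: a defensive sanity check that a reverse proxy or origin could run on the raw Range header before honouring it. It parses RFC 7233 byte ranges, refuses malformed or unsatisfiable headers, flags requests with too many or overlapping ranges, and reports how many bytes of the object would be fetched per byte actually requested (the "amplification" a front-end would see if it pulled the whole object upstream to serve a tiny range). The policy limit `MAX_RANGES` and the sample headers are assumptions constructed for the demonstration.

```python
"""
Defensive Range-header check (added example; not from the RangeAmp paper).
Assumptions: the caller knows the resource size in bytes and can reject or
log a request before forwarding it upstream.
"""
import re

MAX_RANGES = 4  # policy value chosen for this example, not a standard limit

_RANGE_RE = re.compile(r"^bytes=(.+)$")
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_range(header, size):
    """Parse an RFC 7233 byte-range header for a resource of `size` bytes.

    Returns a list of inclusive (first, last) tuples, an empty list when no
    range is satisfiable, or None when the header is syntactically invalid.
    """
    m = _RANGE_RE.match(header.strip())
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        sm = _SPEC_RE.match(spec.strip())
        if not sm:
            return None
        first, last = sm.group(1), sm.group(2)
        if first == "" and last == "":
            return None
        if first == "":
            # Suffix range "-N": the last N bytes; "-0" is treated as invalid.
            n = int(last)
            if n == 0:
                return None
            ranges.append((max(size - n, 0), size - 1))
            continue
        start = int(first)
        if start >= size:
            continue  # unsatisfiable for this resource; drop it
        end = size - 1 if last == "" else min(int(last), size - 1)
        if end < start:
            return None
        ranges.append((start, end))
    return ranges


def check_range(header, size, max_ranges=MAX_RANGES):
    """Classify a Range header and compute size / bytes_requested.

    The ratio is what a cache would amplify if it fetched the whole object
    from the origin to answer the request. Verdicts: "invalid",
    "unsatisfiable", "too-many-ranges", "overlapping" or "ok".
    """
    ranges = parse_range(header, size)
    if ranges is None:
        return ("invalid", 0.0)
    if not ranges:
        return ("unsatisfiable", 0.0)
    requested = sum(end - start + 1 for start, end in ranges)
    ratio = size / requested
    if len(ranges) > max_ranges:
        return ("too-many-ranges", ratio)
    # RFC 7233 permits overlapping ranges, but a server may refuse them;
    # sort by start offset and compare each range with its neighbour.
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            return ("overlapping", ratio)
    return ("ok", ratio)


if __name__ == "__main__":
    # Constructed sample headers against a 1,000,000-byte object.
    for hdr in ("bytes=0-99", "bytes=-500", "bytes=0-499,100-599",
                "bytes=0-0,1-1,2-2,3-3,4-4", "bytes=5000000-", "chars=0-1"):
        verdict, ratio = check_range(hdr, 1_000_000)
        print(f"{hdr!r:32} -> {verdict:16} amplification={ratio:.1f}")
```

A high ratio on its own is not malicious (seeking in a video produces one), so the ratio is better used as a per-client rate signal in logs than as a hard block; the structural checks (malformed, too many or overlapping ranges) are safe to reject outright.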

Critical Android bug lets malicious apps hide in plain sight

A critical Android security vulnerability dubbed StrandHogg 2.0 allows malicious apps to disguise themselves as almost any legitimate application and steal sensitive information from Android users. According to the Promon security researchers who found the bug, StrandHogg 2.0 affects all devices running Android 9.0 and below (Android 10 is not affected), and it can be exploited without root access. After exploiting the vulnerability, tracked as CVE-2020-0096, on an Android device, malicious actors can easily steal users' credentials with the help of overlays, or their data by abusing app permissions.

Leaks

47.5 Million Indian Truecaller Records on Sale In Darkweb for (only) $1000!

CybleInc has discovered a legitimate-looking database of 47.5 million Indian records, which includes sensitive information such as phone number, carrier, name, gender, city, email, Facebook ID and more.

EasyJet faces £18 billion class-action lawsuit over data breach

On May 19, easyJet made public that information belonging to nine million customers may have been exposed in a cyberattack, including over 2,200 credit card records. The "highly sophisticated" attacker blamed for the incident accessed this financial information as well as email addresses and travel details. EasyJet is still contacting affected travelers. The carrier did not explain how or exactly when the breach took place, beyond saying that the "unauthorized access" has been "closed off." The National Cyber Security Centre (NCSC) and the UK's Information Commissioner's Office (ICO) have been notified; the ICO has the power to impose heavy fines under GDPR if an investigation finds the carrier was lax in data protection and security. easyJet also faces legal action from law firm PGMBM, which has issued a class-action claim with a potential liability of £18 billion, or up to £2,000 per affected customer.

PetFlow - 990,919 breached accounts

In December 2017, the pet care delivery service PetFlow suffered a data breach which consequently appeared for sale on a dark web marketplace. Almost 1M accounts were impacted and exposed email addresses and passwords stored as unsalted MD5 hashes.

Artsy - 1,079,970 breached accounts

In April 2018, the online arts database Artsy suffered a data breach which consequently appeared for sale on a dark web marketplace. Over 1M accounts were impacted and included IP and email addresses, names and passwords stored as salted SHA-512 hashes.

Lifebear - 3,670,561 breached accounts

In early 2019, the Japanese schedule app Lifebear appeared for sale on a dark web marketplace amongst a raft of other hacked websites. The breach exposed almost 3.7M unique email addresses, usernames and passwords stored as salted MD5 hashes.

A Massive Database of 8 Billion Thai Internet Records Leaks

Thailand's largest cell network AIS has pulled a database offline that was spilling billions of real-time internet records on millions of Thai internet users. Security researcher Justin Paine said in a blog post that he found the database, containing DNS queries and Netflow data, on the internet without a password. With access to this database, Paine said that anyone could "quickly paint a picture" about what an internet user (or their household) does in real-time. Paine alerted AIS to the open database on May 13. But after not hearing back for a week, Paine reported the apparent security lapse to Thailand's national computer emergency response team, known as ThaiCERT, which contacted AIS about the open database. The database was inaccessible a short time later. AIS spokesperson Sudaporn Watcharanisakorn confirmed AIS owned the data, and apologized for the security lapse.

White House Press Secretary Accidentally Reveals Trump’s Private Banking Info

The White House press secretary, Kayleigh McEnany, showed a bank statement during a briefing to demonstrate that President Donald Trump is donating his salary to a worthy cause, only to reveal far too much private banking information. Companies in the financial sector invest considerable resources in keeping consumer information private and safe from intrusions. Financial information is a prized commodity on the dark web, and obtaining it usually requires compromising secured networks. But McEnany, the recently appointed White House press secretary, revealed Trump's banking information during a briefing. She held up a small piece of paper, a bank statement from Capital One, showing that the presidential salary was going to the Department of Health and Human Services to help combat the COVID-19 pandemic.

Malware

Russian cyberspies use Gmail to control updated ComRAT malware

ESET security researchers have discovered a new version of the ComRAT backdoor, controlled through the Gmail web interface and used by the state-backed Russian hacker group Turla for harvesting and stealing data in attacks against governmental institutions. Using Gmail for command-and-control fits right in with the other tactics of the Russian-speaking Turla group (also tracked as Waterbug, Snake, or VENOMOUS BEAR), which is known for unorthodox methods of achieving its cyber-espionage goals. In the past, they have developed backdoor trojans with their own APIs designed to reverse communication flows, used comments on Britney Spears Instagram photos to control malware, sent PDF email attachments with commands to control servers infected with their Outlook backdoor, and hijacked the infrastructure and malware of Iranian-sponsored OilRig to use in their own campaigns.

Thousands of enterprise systems infected by new Blue Mockingbird malware gang

Thousands of enterprise systems are believed to have been infected with a cryptocurrency-mining malware operated by a group tracked under the codename of Blue Mockingbird. Discovered earlier this month by malware analysts from cloud security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019. Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) component. Hackers exploit the CVE-2019-18935 vulnerability to plant a web shell on the attacked server. They then use a version of the Juicy Potato technique to gain admin-level access and modify server settings to obtain (re)boot persistence.

Trojanized Discord Client Grabs Passwords and User Tokens

A threat actor updated the AnarchyGrabber trojan into a new version that steals passwords and user tokens, disables 2FA, and spreads malware to a victim's friends. AnarchyGrabber is a popular trojan that is commonly spread for free on hacker forums and within YouTube videos that explain how to steal Discord user tokens. Threat actors then distribute the trojan on Discord, where they pretend it's a game cheat, hacking tool, or copyrighted software.

Hacking group builds new Ketrum malware from recycled backdoors

The Ke3chang hacking group, historically believed to operate out of China, has developed new malware dubbed Ketrum by merging features and source code from its older Ketrican and Okrum backdoors. The cyber-espionage activities of the Ke3chang advanced persistent threat (APT) group (also tracked as APT15, Vixen Panda, Playful Dragon, and Royal APT) go back as far as 2010, according to FireEye researchers. Ke3chang's operations target a wide range of military and oil industry entities, as well as government contractors and European diplomatic missions and organizations. A new report from Intezer researchers describes how they discovered three Ketrum backdoor samples this month on the VirusTotal platform and attributed them to the Chinese cyberspies after noticing that the samples reused both code and features from Ke3chang's Ketrican and Okrum backdoors.

Ransomware

Ragnar Ransomware Operators Targets Birch Communications

Once again, the Ragnar ransomware operators have caught a big fish. In this instance, they targeted Birch Communications LLC, a leading integrated cloud solutions provider. Birch Communications is an American provider of IP-based communications, network broadband, cloud computing, and information technology services to small, mid-sized, enterprise and wholesale business customers in the United States, Canada, and Puerto Rico. The ransomware operators have posted a list of highly sensitive and confidential files and data belonging to the company. According to the Cyble Research Team, the attack may have taken place in March 2020, and because the company could not reach an agreement with the ransomware operators, the operators leaked its database.

New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map

A new ransomware threat called [F]Unicorn has been encrypting computers in Italy by tricking victims into downloading a fake contact tracing app that promises to bring real-time updates for COVID-19 infections. The attacker used convincing social engineering that made it look like the malicious executable was delivered by the Italian Pharmacist Federation (FOFI).

Crime

Hacker extorts online shops, sells databases if ransom not paid

More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website. In total, the seller offers over 1.5 million rows of records, but the amount of stolen data is much larger. The attacker breaks into insecure servers that are reachable over the public web, copies the databases, and leaves a note asking for a ransom in return for the stolen data.

Hacker Selling 80,000 Users' Data Stolen From Cryptocurrency Wallets

A hacker who was behind the cyber attack on Ethereum.org is now selling data tied to key cryptocurrency wallets like Keepkey, Trezor, Ledger and online investment platform Bnktothefuture. The hacker has three large databases with information pertaining to at least 80,000 customers. This includes the customer's email address, name, phone number, residential address and other data.

Hackers leak credit card info from Costa Rica's state bank

Maze ransomware operators have published credit card data stolen from the Bank of Costa Rica (BCR) and threaten to leak similar files every week. The hackers say they are doing this to back up their claim of having breached BCR in the past, which the bank denies. In a post on their "leak" site this week, Maze operators shared a 2GB spreadsheet with payment card numbers belonging to customers of Banco de Costa Rica. The attackers say they released the data not to make a profit from it but to draw attention to the bank's security lapses in protecting sensitive information. The bank issued a public statement that day saying that following an "exhaustive verification" it can "firmly confirm that the institution's systems have not been violated." In response, Maze released a spreadsheet four days later with details of systems they claim belong to BCR's network. On May 21 they dumped the payment card data. The bank issued another statement on May 22 reiterating that multiple analyses by internal and external specialists confirmed that its systems were not accessed without authorization and that clients' transactions were not affected.

The FBI investigating hacking of Covid research by “PRC-affiliated cyber actors”

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are issuing this announcement to raise awareness of the threat to COVID-19-related research. The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors. These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.

OSINT

Leveraging Street Art in OSINT Investigations

Secjuice wrote another OSINT article, this time focusing on geolocating street art.