Table of Contents
- LiveJournal - 26,372,781 breached accounts
- Arbonne MLM data breach exposes user passwords, personal info
- BigFooty.com Leaks 70 Million Records from Sports Fan Members
- Judge demands Capital One release Mandiant cyberforensic report on data breach
- A Government Database of 20 Million+ Taiwanese Citizens Leaked in Darkweb
- Fortune 500 company NTT discloses security breach
- Minted discloses data breach after 5M user records sold online
- Kentucky unemployment website experienced April data breach
- Michigan State University network breached in ransomware attack
- Private key of DigiCert Certificate Transparency log compromised
- ATM Skimmer Gang Had Protection from Mexican Attorney General’s Office
- Microsoft IIS servers hacked by Blue Mockingbird to mine Monero
- Bringing VandaTheGod down to Earth: Exposing the person behind a 7-year hacktivism campaign
- Another Alleged FIN7 Cybercrime Gang Member Arrested
- Phishers Cast a Wider Net in the African Banking Sector
- Minneapolis city systems temporarily brought down by cyberattack
- Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT
- GitHub warns Java developers of new malware poisoning NetBeans projects
- Fake Valorant Mobile app pushes scams on eager gamers
- Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
- Valak targets Microsoft Exchange servers to steal enterprise data
- ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass
- IcedID: When ice burns through bank accounts
- Highly-targeted attacks on industrial sector hide payload in images
- Bypassing LastPass’s “Advanced” YubiKey MFA: A MITM Phishing Attack
- Cisco hacked by exploiting vulnerable SaltStack servers
- 200K sites with buggy WordPress plugin exposed to wipe attacks
- Dangerous SHA-1 crypto function is about to die in SSH
- The zero-day exploits of Operation WizardOpium
- New fuzzing tool finds USB bugs in Linux, Windows, macOS, and FreeBSD
- German govt urges iOS users to patch critical Mail app flaws
- Software Bug In Bombardier Airliner Made Planes Turn the Wrong Way
REvil Ransomware Operators Targets Centroid Inc
The REvil ransomware operators struck Centroid Inc and downloaded sensitive and highly confidential documents from the company's database. The ransomware operators have posted a list of data folders that seem to contain highly sensitive and confidential information of the company. The Cyble Research Team could not verify this data leak, but it seems that the data leak includes Centroid's financial data backup, software data backup, confidential data of the organisations which may have been in contact with Centroid Inc, and much more.
Microsoft warns about attacks with the PonyFinal ransomware
Microsoft's security team has issued an advisory warning organizations around the globe to deploy protections against a new strain of ransomware that has been in the wild over the past two months. "PonyFinal is a Java-based ransomware that is deployed in human-operated ransomware attacks," Microsoft said in a series of tweets published today. Human-operated ransomware is a subsection of the ransomware category. In human-operated ransomware attacks, hackers breach corporate networks and deploy the ransomware themselves.
Ransomware attack targets Nipissing First Nation
Nipissing First Nation has confirmed it was the victim of a ransomware attack earlier this month that affected the administration's computers and server. The First Nation provided an update about the attack in the June issue of its monthly newsletter Enkamgak. According to the statement, administration discovered the attack May 8. The attack resulted in the administration server being locked, affecting every department, and communication disruptions that are still being worked on.
LiveJournal - 26,372,781 breached accounts
In mid-2019, news broke of an alleged LiveJournal data breach. This followed multiple reports of credential abuse against Dreamwidth beginning in 2018, a fork of LiveJournal with a significant crossover in user base. The breach allegedly dates back to 2017 and contains 26M unique usernames and email addresses (both of which have been confirmed to exist on LiveJournal) alongside plain text passwords. An archive of the data was subsequently shared on a popular hacking forum in May 2020 and redistributed broadly.
Arbonne MLM data breach exposes user passwords, personal info
International multi-level marketing (MLM) firm Arbonne International exposed the personal information and credentials of thousands after its internal systems were breached by an unauthorized party last month. Arbonne is a privately held California-based company acquired by Groupe Rocher in 2018, with annual revenues of over $500 million and a network of more than 200,000 independent consultants from the United States, the United Kingdom, Canada, Australia, Poland, and New Zealand. "On the evening of April 20, 2020, Arbonne became aware of unusual activity within a limited number of its internal systems," Arbonne says in a data breach notification letter filed with the Office of the Attorney General of California.
BigFooty.com Leaks 70 Million Records from Sports Fan Members
The team at Security Detectives has discovered another leaky database. BigFooty, a popular Australian sports fan website, was found to be leaking around 132 GB (70 million records) of private information belonging to its 100,000 members. The data in some instances included "technical information relating to the company's web and mobile sites." The information was found on a compromised Elasticsearch server, and included data from the website's forum, as well as private messages sent between users.
Judge demands Capital One release Mandiant cyberforensic report on data breach
On Tuesday, Judge John Anderson from the US District Court for the Eastern District of Virginia ruled that Capital One is required to provide a copy of the report to attorneys suing the firm on behalf of customers impacted by the breach. Records from between 2015 and 2019 were accessed, including applicant names, addresses, phone numbers, email addresses, dates of birth, self-reported incomes, and some 'fragmented' information including credit scores and transaction data. A "configuration vulnerability" was exploited by the cyberattacker, of which former AWS engineer Paige Thompson is accused. Following the arrest and a search of the suspect's home, evidence obtained has led US prosecutors to believe over 30 more companies may have also had their data stolen by the same individual.
A Government Database of 20 Million+ Taiwanese Citizens Leaked in Darkweb
A few weeks ago, Cyble Inc researchers came across a leaked database on the darkweb where a known and reputable actor "Toogod" dropped the database "Taiwan Whole Country Home Registry DB" comprising 20 Million+ records. According to the actor, the source of the leak is the Department of Household Registration, under the Ministry of the Interior.
Fortune 500 company NTT discloses security breach
Nippon Telegraph & Telephone (NTT), the 64th biggest company in the world according to the Fortune 500 list, has disclosed a security breach. NTT says hackers gained access to its internal network and stole information on 621 customers from its communications subsidiary, NTT Communications, the largest telecommunications company in Japan and one of the biggest worldwide. The hack took place on May 7, and NTT says it became aware of the intrusion four days later, on May 11. The company says hackers breached several layers of its IT infrastructure and reached an internal Active Directory to steal data and then upload it to a remote server.
Minted discloses data breach after 5M user records sold online
Minted, a US-based marketplace for independent artists, has disclosed a data breach after a hacker sold a database containing 5 million user records on a dark web marketplace. Minted is an online marketplace that allows independent artists to submit their art, which is then voted on by the Minted community. The winning submissions are then sold as art, home décor, and stationery to consumers. Earlier this month, BleepingComputer reported that a hacking group named Shiny Hunters was selling the user records for eleven companies on a dark web marketplace.
Kentucky unemployment website experienced April data breach
Kentucky officials reported Thursday what Gov. Andy Beshear described as a "data breach" in the state's unemployment insurance web portal. The so-called breach took place on April 23, according to a release from Kentucky's Education and Workforce Development Cabinet. EWDC says its Office of Technology Services received a report at 9:17 a.m. on that day saying some unemployment insurance claimants could potentially view the identity verification documents uploaded by others. OTS took the unemployment insurance portal down completely at 11:30 a.m. By noon, EWDC says, the system had been changed to ensure no one was able to view any uploaded documents. By midnight, the security team had patched the software to correct the problem permanently.
Michigan State University network breached in ransomware attack
Michigan State University received a deadline to pay ransomware attackers under the threat that files stolen from the institution's network will be leaked to the public. The demand is from Netwalker ransomware-as-a-service (RaaS) operators, a group that recently started to recruit skilled network intruders for their affiliate program. A countdown timer on the attacker's website shows that the university has about six days to comply or "secret data" will become public. The site set up by the Netwalker ransomware gang gives no details about the attack but they posted images with directories, a passport scan, and two financial documents allegedly stolen from the university's network.
Private key of DigiCert Certificate Transparency log compromised
A critical vulnerability in the SaltStack configuration management software, discovered in March by the F-Secure company, was recently used for widespread attacks. Among the affected hosts was one of the Certificate Transparency logs operated by DigiCert. The attackers had access to the private key of the CT2 log. According to DigiCert, other logs operated by the company were not affected.
ATM Skimmer Gang Had Protection from Mexican Attorney General’s Office
A group of Romanians operating an ATM company in Mexico and suspected of bribing technicians to install sophisticated Bluetooth-based skimmers in cash machines throughout several top Mexican tourist destinations have enjoyed legal protection from a top anti-corruption official in the Mexican attorney general's office, according to a new complaint filed with the government's internal affairs division. As detailed this week by the Mexican daily Reforma, several Mexican federal, state and municipal officers filed a complaint saying the attorney general office responsible for combating corruption had initiated formal proceedings against them for investigating Romanians living in Mexico who are thought to be part of the ATM skimming operation.
Microsoft IIS servers hacked by Blue Mockingbird to mine Monero
This month news broke about a hacker group named Blue Mockingbird exploiting a critical vulnerability in Microsoft IIS servers to plant Monero (XMR) cryptocurrency miners on compromised machines. According to the security firm Red Canary, the estimated number of infections is thought to have surpassed 1,000. The CVE-2019-18935 vulnerability, with its critical 9.8 severity score, is an untrusted deserialization vulnerability within the proprietary Progress Telerik UI (for ASP.NET AJAX) library, which is often bundled with .NET components, including some open-source ones.
Bringing VandaTheGod down to Earth: Exposing the person behind a 7-year hacktivism campaign
Since 2013, many official websites belonging to governments worldwide were hacked and defaced by an attacker who self-identified as 'VandaTheGod.' The hacker targeted governments in numerous countries, including: Brazil, the Dominican Republic, Trinidad and Tobago, Argentina, Thailand, Vietnam, and New Zealand. Many of the messages left on the defaced websites implied that the attacks were motivated by anti-government sentiment, and were carried out to combat social injustices that the hacker believed were a direct result of government corruption. Although the websites' defacement gave VandaTheGod a lot of attention, the attacker's activity extended beyond that, to stealing credit card details and leaking sensitive personal credentials.
Another Alleged FIN7 Cybercrime Gang Member Arrested
The FBI has arrested another alleged member of the FIN7 cybercrime gang, which has been stealing millions of payment cards and other financial data since at least September 2015, according to federal court documents. Ukrainian national Denys Iarmak was extradited from Thailand and arrested in Seattle on Friday, according to documents unsealed by the U.S. District Court for the Western District of Washington in Seattle. He's the fourth alleged member of the group to be arrested and charged in the last two years.
Phishers Cast a Wider Net in the African Banking Sector
The Cofense Phishing Defence Center has uncovered a wide-ranging attempt to compromise credentials from five different African financial institutions. Posing as tax collection authorities, adversaries seek to collect account numbers, user IDs, PINs and cell phone numbers from unsuspecting customers. One such email, which was found in environments protected by Proofpoint and Microsoft, alleges to come from the South African Revenue Service's (SARS) eFiling service. It claims a tax return deposit of R12,560.5 (South African Rands), approximately $700 USD, has been made to the user's account and urges them to click on their financial institution in order to claim it. The real sender of the email, however, appears to be a personal Gmail address that may have been created or compromised by the adversaries.
Minneapolis city systems temporarily brought down by cyberattack
City government systems in Minneapolis were temporarily brought down by a cyberattack early Thursday at the same time the city was grappling with raging protests over the police killing of George Floyd. A spokesperson for the city told The Hill that some of the city's public websites and systems were temporarily shut down by a denial of service (DoS) attack, which involves malicious hackers flooding a server with traffic until it crashes.
Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT
The Zscaler ThreatLabZ team found that the newest version of the Amadey bot, of Russian origin, introduced capturing screenshots on the victim's machine and pushing the Remcos RAT.
GitHub warns Java developers of new malware poisoning NetBeans projects
GitHub has issued a security alert on Thursday warning about a new malware strain that's been spreading on its site via boobytrapped Java projects. The malware, which GitHub's security team has named Octopus Scanner, has been found in projects managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications. GitHub said it found 26 repositories uploaded on its site that contained the Octopus Scanner malware, following a tip it received from a security researcher on March 1.
Fake Valorant Mobile app pushes scams on eager gamers
As the eagerly anticipated tactical FPS game Valorant ends their closed beta, a fake mobile version is being distributed that displays nothing but scams to those who install it. Knowing that a mobile version is highly requested, malware distributors have created a fake Valorant mobile app and are promoting it in YouTube videos.
Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
First discovered in 2016, TrickBot is an information stealer that provides backdoor access sometimes used by criminal groups to distribute other malware. TrickBot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC). TrickBot currently uses three modules for propagation. As early as April 2020, TrickBot updated one of its propagation modules known as "mworm" to a new module called "nworm." Infections caused through nworm leave no artifacts on an infected DC, and they disappear after a reboot or shutdown.
Valak targets Microsoft Exchange servers to steal enterprise data
First observed in late 2019, Valak was once classified by cybersecurity researchers as a malware loader. The malware has been spotted in active campaigns mainly focused on entities in the US and Germany, having previously been bundled together with Ursnif and IcedID banking Trojan payloads. Valak, deemed "sophisticated" by the Cybereason Nocturnus team, has undergone a host of changes over the past six months, with over 20 version revisions changing the malware from a loader to an independent threat in its own right. On Thursday, the cybersecurity team said the malware has now changed to "an information stealer to target individuals and enterprises." After landing on a machine through a phishing attack using Microsoft Word documents containing malicious macros, a .DLL file called "U.tmp" is downloaded and saved to a temporary folder.
ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass
ZScaler has written an article documenting a new RAT named ShellReset. Some of the themes used in these attacks by the threat actor are related to important events that were originally scheduled to take place in London earlier this year, including the 5G Expo and Futurebuild.
IcedID: When ice burns through bank accounts
Ivan Pisarev from Group-IB has posted an article detailing the IcedID malware and how it uses steganography to hide its main module and configuration files.
Highly-targeted attacks on industrial sector hide payload in images
Kaspersky ICS CERT experts have identified a series of targeted attacks on organizations located in different countries. As of early May 2020, there are known cases of attacks on systems in Japan, Italy, Germany and the UK. Attack victims include suppliers of equipment and software for industrial enterprises. Attackers use malicious Microsoft Office documents, PowerShell scripts, as well as various techniques that make it difficult to detect and analyze malware.
Facebook Announces Messenger Security Features that Don't Compromise Privacy
Facebook announced new features for Messenger that will alert you when messages appear to come from financial scammers or potential child abusers, displaying warnings in the Messenger app that provide tips and suggest you block the offenders. The feature, which Facebook started rolling out on Android in March and is now bringing to iOS, uses machine learning analysis of communications across Facebook Messenger's billion-plus users to identify shady behaviors. But crucially, Facebook says that the detection will occur only based on metadata - not analysis of the content of messages - so that it doesn't undermine the end-to-end encryption that Messenger offers in its Secret Conversations feature. Facebook has said it will eventually roll out that end-to-end encryption to all Messenger chats by default.
ACLU Accuses Clearview AI of Privacy 'Nightmare Scenario'
The American Civil Liberties Union on Thursday sued the facial recognition start-up Clearview AI, which claims to have helped hundreds of law enforcement agencies use online photos to solve crimes, accusing the company of "unlawful, privacy-destroying surveillance activities." In a suit filed in Illinois, the A.C.L.U. said that Clearview violated a state law that forbids companies from using a resident's fingerprints or face scans without consent. Under the law, residents have the right to sue companies for up to $5,000 per privacy violation. "The bottom line is that, if left unchecked, Clearview's product is going to end privacy as we know it," said Nathan Freed Wessler, a lawyer at the A.C.L.U., "and we're taking the company to court to prevent that from happening."
Immunity Passports Are a Threat to Our Privacy and Information Security
Several countries and U.S. states, including the UK, Italy, Chile, Germany, and California, have expressed interest in so-called "immunity passports"---a system of requiring people to present supposed proof of immunity to COVID-19 in order to access public spaces, work sites, airports, schools, or other venues. In many proposed schemes, this proof would be stored in a digital token on a phone. Immunity passports would threaten our privacy and information security, and would be a significant step toward a system of national digital identification that can be used to collect and store our personal information and track our location. Immunity passports are purportedly intended to help combat the spread of COVID-19. But there is little evidence that they would actually accomplish that.
Zoom plans to roll out strong encryption for paying customers
Video conferencing provider Zoom plans to strengthen encryption of video calls hosted by paying clients and institutions such as schools, but not by users of its free consumer accounts, a company official said on Friday. The company, whose business has boomed with the coronavirus pandemic, discussed the move on a call with civil liberties groups and child-sex abuse fighters on Thursday, and Zoom security consultant Alex Stamos confirmed it on Friday. In an interview, Stamos said the plan was subject to change and it was not yet clear which, if any, nonprofits or other users, such as political dissidents, might qualify for accounts allowing more secure video meetings. He added that a combination of technological, safety and business factors went into the plan, which drew mixed reactions from privacy advocates.
Bypassing LastPass’s “Advanced” YubiKey MFA: A MITM Phishing Attack
Pepe Berba wrote an article demonstrating how a phishing attack can be deployed against LastPass users even when they are protected with YubiKey physical keys, which is possible because LastPass does not support the U2F protocol.
Cisco hacked by exploiting vulnerable SaltStack servers
Cisco said that some of its Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) backend servers were hacked by exploiting critical SaltStack vulnerabilities patched last month. "Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE," a security advisory says. "Those servers were upgraded on May 7, 2020." "Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised." The hacked servers were updated and remediated by Cisco on May 7, 2020, by applying patches that address the authentication bypass vulnerability (CVE-2020-11651) and the directory traversal (CVE-2020-11652) impacting SaltStack servers.
200K sites with buggy WordPress plugin exposed to wipe attacks
Two high severity security vulnerabilities found in the PageLayer plugin can let attackers wipe the contents of, or take over, WordPress sites using vulnerable plugin versions. PageLayer is a WordPress plugin with over 200,000 active installations according to numbers available on its WordPress plugins repository entry. According to Wordfence, the two security flaws can be exploited by attackers to wipe WordPress sites running older unpatched versions of the plugin, as well as launch takeover attacks. "One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things," Wordfence explains.
Dangerous SHA-1 crypto function is about to die in SSH
Developers of two open source code libraries for Secure Shell---the protocol millions of computers use to create encrypted connections to each other---are retiring the SHA-1 hashing algorithm, four months after researchers piled a final nail in its coffin. The moves, announced in release notes and a code update for OpenSSH and libssh respectively, mean that SHA-1 will no longer be a means for digitally signing encryption keys that prevent the monitoring or manipulating of data passing between two computers connected by SSH---the common abbreviation for Secure Shell.
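The practical follow-up to this change is checking whether a server still admits the SHA-1-based signature algorithms. The following is an added example, not code from the article, OpenSSH or libssh: a small Python checker that parses an sshd_config fragment and reports, for each signature-algorithm directive, whether it explicitly accepts `ssh-rsa` (RSA with SHA-1) or `ssh-dss` (DSA with SHA-1), strips them from the defaults, or is left unset. The directive names HostKeyAlgorithms, PubkeyAcceptedKeyTypes and CASignatureAlgorithms are real OpenSSH keywords; the sample configuration is constructed for the example, and the parser simplifies by stopping at the first Match block.

```python
import re
from typing import Dict, List, Tuple

# Signature algorithms whose signatures are computed over SHA-1 digests.
# The SHA-2 RSA variants are rsa-sha2-256 and rsa-sha2-512.
SHA1_SIG_ALGS = {"ssh-rsa", "ssh-dss"}

# OpenSSH directives whose values are comma-separated signature algorithm lists.
SIG_DIRECTIVES = ("casignaturealgorithms", "hostkeyalgorithms", "pubkeyacceptedkeytypes")

# Constructed sample sshd_config fragment (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample: one directive still lists ssh-rsa explicitly
Port 22
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
PubkeyAcceptedKeyTypes -ssh-rsa,ssh-dss
# CASignatureAlgorithms is left unset, so the OpenSSH default list applies
"""


def parse_ssh_config(text: str) -> Dict[str, str]:
    """Return the first value seen for each directive (lower-cased key).

    OpenSSH uses the first value it obtains for a keyword, so later repeats
    are ignored. Comments and blank lines are skipped. Parsing stops at the
    first 'Match' block, a simplification: only global settings are audited.
    """
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Directives may be written as "Key value" or "Key=value".
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        options.setdefault(key, value)
    return options


def audit_sha1_signatures(config_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Classify each signature-algorithm directive with respect to SHA-1.

    Status values:
      "weak"    - the directive explicitly accepts a SHA-1 algorithm
      "ok"      - an explicit list without any SHA-1 algorithm
      "removes" - a leading '-' strips the listed SHA-1 algorithms from the defaults
      "default" - directive unset, so the OpenSSH version's default list applies
    """
    options = parse_ssh_config(config_text)
    report: Dict[str, Tuple[str, List[str]]] = {}
    for directive in SIG_DIRECTIVES:
        value = options.get(directive)
        if value is None:
            report[directive] = ("default", [])
            continue
        # OpenSSH list prefixes: '+' appends to, '-' removes from, '^' prepends to the default set.
        mode = "replace"
        if value and value[0] in "+-^":
            mode = {"+": "append", "-": "remove", "^": "prepend"}[value[0]]
            value = value[1:]
        algs = [a.strip() for a in value.split(",") if a.strip()]
        # Certificate variants look like ssh-rsa-cert-v01@openssh.com; match on the base name.
        weak = [a for a in algs if a.split("-cert-")[0] in SHA1_SIG_ALGS]
        if mode == "remove":
            report[directive] = ("removes", weak)
        elif weak:
            report[directive] = ("weak", weak)
        else:
            report[directive] = ("ok", [])
    return report


if __name__ == "__main__":
    for directive, (status, algs) in audit_sha1_signatures(SAMPLE_SSHD_CONFIG).items():
        detail = ", ".join(algs) if algs else "-"
        print(f"{directive:24s} {status:8s} {detail}")
```

On the constructed sample the checker reports HostKeyAlgorithms as weak (it still lists `ssh-rsa`), PubkeyAcceptedKeyTypes as removing both SHA-1 algorithms from the defaults, and CASignatureAlgorithms as relying on the defaults. A "default" result is not a pass: whether the default list still contains `ssh-rsa` depends on the installed OpenSSH version, so it has to be checked against that release's documentation.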
The zero-day exploits of Operation WizardOpium
New fuzzing tool finds USB bugs in Linux, Windows, macOS, and FreeBSD
Academics say they discovered 26 new vulnerabilities in the USB driver stack employed by operating systems such as Linux, macOS, Windows, and FreeBSD. The research team, made up of Hui Peng from Purdue University and Mathias Payer from the Swiss Federal Institute of Technology Lausanne, said all the bugs were discovered with a new tool they created, named USBFuzz.
German govt urges iOS users to patch critical Mail app flaws
Germany's federal cybersecurity agency urged iOS users to immediately install the iOS and iPadOS security updates released by Apple on May 20 to patch two actively exploited zero-click security vulnerabilities impacting the default email app. "Due to the criticality of the vulnerabilities, the BSI recommends that the respective security update be installed on all affected systems immediately," the BSI (Bundesamt für Sicherheit in der Informationstechnik) said.
Software Bug In Bombardier Airliner Made Planes Turn the Wrong Way
A very specific software bug made airliners turn the wrong way if their pilots adjusted a pre-set altitude limit. The bug, discovered on Bombardier CRJ-200 aircraft fitted with Rockwell Collins Aerospace-made flight management systems (FMSes), led to airliners trying to follow certain missed approaches turning right instead of left - or vice versa. First discovered in 2017, the flaw was only apparent when pilots manually edited a pre-set "climb to" altitude programmed into a "missed approach" procedure following an Instrument Landing System approach. It also arose if pilots used the FMS's temperature compensation function in extremely cold weather. In theory the bug could have led to airliners crashing into the ground, though the presence of two trained and alert humans in the cockpit monitoring what the aircraft was doing made this a remote possibility. "The bug was first uncovered when a CRJ-200 crew flying into Canada's Fort St John airport used the FMS's temperature correction function," the report adds. "They discovered that the software turned their aeroplane in the wrong direction while it was following the published missed approach, something that generally does not happen. The fault was swiftly reported to the authorities and the relevant manufacturers."
Germany calls in Russian envoy over hack attack
Germany's foreign ministry called in the Russian ambassador in Berlin on Thursday to complain "in the strongest possible terms" about a hack attack on the German lower house of parliament in 2015 and discuss possible sanctions against those responsible. Russia has rejected allegations that its military intelligence was behind the cyber attack after media reported that data had been stolen, including emails from Chancellor Angela Merkel's constituency office. State Secretary Miguel Berger told the ambassador that the government would call for the EU's cyber sanctions mechanism to be invoked against those responsible for the attack, said the German ministry in a statement.
Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors
Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August. Exim is a widely used MTA software for Unix-based systems and comes pre-installed in some Linux distributions as well. The vulnerability being exploited, CVE-2019-10149, allows a remote attacker to execute commands and code of their choosing. The Russian actors, part of the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access -- as long as that network is using an unpatched version of Exim MTA. When the patch was released last year, Exim urged its users to update to the latest version. NSA adds its encouragement to immediately patch to mitigate against this still current threat.
Updates about government-backed hacking and disinformation
The Google Threat Analysis Group (TAG), a division inside Google's security department that tracks nation-state and high-end cybercrime groups, has published its inaugural TAG quarterly report. In the Q1 2020 TAG Bulletin, Google analysts chose to highlight two rising trends the company saw in the first three months of 2020. The first is the growing scene of hack-for-hire companies currently operating out of India, a country where such services have not been prominent until now. The second trend was the rising number of political influence operations carried out by governments across the world. This also marks the first time Google has published official disclosures of coordinated influence operations that abused the company's platforms.