Table of Contents
- Invest Bank Allegedly Breached
- Garmin shuts down services after suspected ransomware attack
- Around 43 Million user records belonging to two online platforms leaked on darknet
- 11.8 million distributor records of Vestige Marketing Pvt Ltd posted for sale on darknet
- Amphastar Pharmaceuticals allegedly struck by DoppelPaymer
- CouchSurfing investigates data breach after 17m user records appear on hacking forum
- Spanish state-owned railway infrastructure management body allegedly struck by REvil
- The personal info of what could be Instacart customers is being sold online
- Breach exposed more than one million DNA profiles on a major genealogy database
- Teen Allegedly Leaked Health Information From Pagers
- University of York discloses data breach, staff and student records stolen
- College recruitment database leaking nearly 1 million students’ GPAs, SAT scores, IDs, and other personal data
- UK govt warns of ransomware, BEC attacks against sports sector
- New ‘Meow’ attack has wiped over 1,800 unsecured databases
- Twilio exposes SDK, attackers inject it with malvertising code
- New cryptojacking botnet uses SMB exploit to spread to Windows systems
- Lazarus hackers deploy ransomware, steal data using MATA malware
- Skimmers in Images & GitHub Repos
- The anti-privacy EARN IT Act could change the internet as we know it
- Fawkes protects your identity from facial recognition systems, pixel by pixel
- Government ordered to rewrite German telecom act due to privacy concerns
- New York bans use of facial recognition in schools statewide
- Swiss police automated crime predictions but has little to show for it
Invest Bank Allegedly Breached
Recently, the Cyble Research Unit (CRU) came across a threat actor who claims to have breached the database of Invest Bank, a UAE bank founded in 1975 that was among the banks supporting the Government of Sharjah in raising a $1 billion 30-year Formosa bond, its first non-Islamic benchmark bond and the first under a Global Medium Term Note program.
Garmin shuts down services after suspected ransomware attack
Wearable device maker Garmin had to shut down some of its connected services and call centers following what the company calls a worldwide outage. "We are currently experiencing an outage that affects Garmin.com and Garmin Connect," an outage notification message displayed on the company's website says. "This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience." According to reports, Evil Corp gang's WastedLocker ransomware was allegedly used in the attack that caused Garmin's outage.
Around 43 Million user records belonging to two online platforms leaked on darknet
Recently, the Cyble Research Unit (CRU) identified a credible threat actor who claims to be in possession of 20 million user records of Hurb and around 23 million records of Promo.com. Hurb, founded in 2011, is the largest online travel agency in Brazil. Promo.com is a popular cloud-based video creation service that lets users build videos from stock videos, stock photos, video clips, and music.
11.8 million distributor records of Vestige Marketing Pvt Ltd posted for sale on darknet
Recently, the Cyble Research Unit (CRU) identified a credible threat actor who claims to be in possession of 11.8 million distributor records of Vestige Marketing Pvt Ltd, one of India's leading direct-selling companies, dealing in wellness products. With over 3,000 online and offline sales outlets across India, multiple international offices, and several distributor centers, Vestige has built a wide network of distributors that grows every year.
Amphastar Pharmaceuticals allegedly struck by DoppelPaymer
Cyble has come across a data leak of Amphastar Pharmaceuticals attributed to the DoppelPaymer ransomware operators.
CouchSurfing investigates data breach after 17m user records appear on hacking forum
CouchSurfing, an online service that lets users find free lodgings, is investigating a security breach after hackers began selling the details of 17 million users on Telegram channels and hacking forums. The CouchSurfing data is currently being sold for $700, ZDNet has learned from a data broker, a person who buys and sells hacked data for profit on the hacking underground. The data broker, who requested anonymity for this article, was not able to identify the hacker but said the CouchSurfing data, which first appeared in private Telegram channels last week, has been advertised as being taken from CouchSurfing's servers earlier this month, in July 2020. ZDNet received a small sample of the data. The sample included user details such as user IDs, real names, email addresses, and CouchSurfing account settings.
Spanish state-owned railway infrastructure management body allegedly struck by REvil
The Cyble research team came across a data leak of Administrador de Infraestructuras Ferroviarias (ADIF). Founded on 1 January 2005, ADIF is a Spanish state-owned railway infrastructure manager under the responsibility of the Ministry of Development, charged with managing most of Spain's railway infrastructure, that is, track, signalling, and stations. The company has over 13,000 employees and revenue of around $8 billion. So far, the ransomware operators have posted a sample of sensitive company files they claim to have downloaded. According to the Cyble Research Team, this small leak from a much larger haul appears to be a warning intended to pressure the company into accepting the operators' terms.
The personal info of what could be Instacart customers is being sold online
The personal information of what could be hundreds of thousands of Instacart customers is being sold on the dark web. This data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service. As of Wednesday, sellers in two dark web stores were offering information from what appeared to be 278,531 accounts, although some of those may be duplicates or not genuine. As of April, Instacart had "millions of customers across the US and Canada," according to a company spokesperson. The company denied there had been a breach of its data.
Breach exposed more than one million DNA profiles on a major genealogy database
In a statement emailed to BuzzFeed News and posted on Facebook, Verogen explained that the sudden unmasking of GEDmatch profiles that were supposed to be hidden from law enforcement was "orchestrated through a sophisticated attack on one of our servers via an existing user account." "As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours," the statement said. "During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users."
Teen Allegedly Leaked Health Information From Pagers
Australian media outlet 9News reported on Monday and Tuesday that the medical information of thousands of patients in Western Australia - including COVID-19 patients - was leaked onto a public website allegedly set up by the teenager, a self-described "script kiddie" hacker. The site has been shut down. More than 400 webpages - including messages between health officials and doctors - were posted to the website, 9News reports. As of Wednesday, it was unclear whether law enforcement had yet apprehended the unidentified teen hacker, who 9News reports is from Mandurah, Western Australia.
University of York discloses data breach, staff and student records stolen
Personal information belonging to "alumni, staff and students, and extended networks and supporters" is thought to have been stolen during the incident, although the number of individuals potentially impacted has not been disclosed - nor how many years back the stolen records relate to. According to the academic institution, names, titles, genders, dates of birth, student numbers, phone numbers, email addresses, physical addresses, and LinkedIn profile records may have been taken. In addition, course information, qualifications received, details surrounding extracurricular activities, professions, employers, survey responses, and both documented alumni and fundraising activities may have been exposed. The university says that a ransomware attack against Blackbaud, a third-party cloud computing provider, was the cause of the data theft. Blackbaud provides customer relationship management (CRM) services to the University of York. Blackbaud experienced a cyberattack in May 2020. The company says that cybercriminals were able to "remove a copy of a subset of data from our self-hosted environment" before being booted from the network, and while Blackbaud insists that the attackers were not able to fully deploy ransomware and encrypt or lock up its systems, a ransom was still paid.
College recruitment database leaking nearly 1 million students’ GPAs, SAT scores, IDs, and other personal data
CyberNews recently discovered an unsecured Amazon S3 (Simple Storage Service) storage bucket containing nearly 1 million records of sensitive high school student academic information. Included in this unsecured bucket are GPA scores, ACT, SAT, and PSAT scores, unofficial transcripts, student IDs, and students' and parents' names, email addresses, home addresses, phone numbers and more. The unsecured bucket seems to belong to CaptainU, an online platform that purports to help connect student athletes with colleges or universities interested in recruiting them for their athletic programs. Because of that, the bucket also contains pictures and videos of students' athletic achievements, messages from students to coaches, and other recruitment materials.
More than 1,000 people at Twitter had ability to aid hack of accounts
More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, two former employees said, making it hard to defend against the hacking that occurred last week. Twitter Inc and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg. Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log into tools and turn over access to 45 accounts. On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users. The former employees familiar with Twitter security practices said that too many people could have done the same thing, more than 1,000 as of earlier in 2020, including some at contractors like Cognizant.
Dutch Lawmaker's Twitter Account Among 36 With Data Exposed
Geert Wilders, a member of the Dutch Parliament and leader of the Netherlands Party For Freedom, told Reuters his Twitter account was taken over. The Dutch lawmaker's account is among 36 that had some personal data compromised earlier this month when hackers targeted 130 verified accounts and launched a cryptocurrency scam. In a Wednesday update, Twitter reported that the hackers accessed the direct message inboxes of 36 accounts, enabling some information to be gathered. While Twitter did not release the names of the victims, Reuters reports that Wilders was among them. Wilders told Reuters his account takeover lasted several days and included full access to his direct messages. "My Twitter account was not only hacked for some days and the hacker also posted tweets on my account and sent direct messages in my name, but indeed got full access to my DMs, which, of course, is unacceptable in many ways," Wilders told Reuters.
Twitter Hacking for Profit and the LoLs
Twitter Alerts Irish Privacy Regulator About Hacker Attack
Twitter Inc. has alerted a European Union data protection watchdog about the cyber-attack it fell victim to last week, days after the company said hackers had targeted some 130 accounts and didn't steal any passwords. The Irish Data Protection Commission is assessing Twitter's notification about the incident, said Graham Doyle, a spokesman for the regulator. The agency is the lead authority in the EU for Twitter and other U.S. tech companies, which all have their EU headquarters in the country.
UK govt warns of ransomware, BEC attacks against sports sector
The UK National Cyber Security Centre (NCSC) highlighted the increasing risks posed by ransomware attacks, phishing campaigns, and Business Email Compromise (BEC) fraud schemes targeting sports organizations and teams, including Premier League football clubs. According to the cybersecurity agency's data primarily sourced from an Ipsos MORI survey commissioned by the agency, at least 70% of sports organizations experienced a breach or cyber incident during the last year, with 30% having recorded over 5 incidents during that period, "more than double the average for UK businesses." Out of these incidents, roughly 30% have also caused average financial damage of £10,000 ($12,700), with the biggest single loss reported being of more than £4 million (almost $5,100,000).
New ‘Meow’ attack has wiped over 1,800 unsecured databases
Hundreds of unsecured databases exposed on the public web are the target of an automated 'meow' attack that destroys data without any explanation. The activity started recently by hitting Elasticsearch and MongoDB instances without leaving any explanation, or even a ransom note. Attacks then expanded to other database types and to file systems open on the web. A quick search by BleepingComputer on the IoT search engine Shodan initially found dozens of databases that have been affected by this attack. Recently, the number of wiped databases increased to over 1,800. These attacks have pushed researchers into a race to find the exposed databases and report them responsibly before they become 'meowed.'
Twilio exposes SDK, attackers inject it with malvertising code
New cryptojacking botnet uses SMB exploit to spread to Windows systems
A new cryptojacking botnet is spreading across compromised networks via multiple methods that include the EternalBlue exploit for Windows Server Message Block (SMB) communication protocol. The attacker's goal is to mine for Monero (XMR) cryptocurrency and enslave as many systems as possible for this task for increased profit. Researchers at Cisco Talos named the new botnet Prometei and determined that the actor has been active since March. They tagged the attacks as a complex campaign that relies on multi-modular malware. To hop to computers on the network, the actor combines living-off-the-land binaries (LoLBins) like PsExec and WMI, SMB exploits, and stolen credentials.
Lazarus hackers deploy ransomware, steal data using MATA malware
A recently discovered malware framework known as MATA and linked to the North Korean-backed hacking group known as Lazarus was used in attacks targeting corporate entities from multiple countries since April 2018 for ransomware deployment and data theft. Among the targeted countries, security researchers with Kaspersky Lab's Global Research and Analysis Team (GReAT) who spotted MATA mentioned Poland, Germany, Turkey, Korea, Japan, and India. Lazarus (also tracked as HIDDEN COBRA by the United States Intelligence Community and Zinc by Microsoft) used MATA to compromise and infect machines of companies with activities in various industries, including but not limited to a software development company, an internet service provider, and an e-commerce company.
Skimmers in Images & GitHub Repos
The Sucuri team has discovered Magecart skimmers injected inside valid images in GitHub repos and exfiltrating information via legitimate services like Google Tag Manager.
California Man Laundered up to $25m Through Bitcoin ATMs
An Orange County man admitted laundering up to $25 million through a network of unlicensed Bitcoin ATMs and in-person exchanges. The defendant, Kais Mohammad, knew many of his customers laundered the proceeds of crime through his Bitcoin exchange network. Kais Mohammad, 36, of Orange County, California, pleaded guilty on July 22 to one count of operating an unlicensed money transmitting business, one count of money laundering, and one count of failure to maintain an effective anti-money laundering program.
Slack credentials abundant on cybercrime markets, but little interest from hackers
Slack credentials are abundant on hacking forums and the dark web; however, an analysis of the cybercrime underworld shows there's little interest in the platform among hacker groups. The conclusion belongs to cybersecurity firm KELA, who scoured the cybercrime market for Slack credentials following last week's Twitter hack and shared their findings with ZDNet this week. KELA went looking for Slack credentials on cybercrime markets because of a New York Times report detailing last week's Twitter hack. The report claimed the massive Twitter hack took place after a teenager social-engineered a Twitter employee and gained access to the company's Slack channel.
The anti-privacy EARN IT Act could change the internet as we know it
At issue is the seemingly unrelated EARN IT Act. Pushed by Republican Sen. Lindsey Graham and a host of bipartisan co-sponsors, and voted on by the Senate Judiciary Committee last Thursday, the measure ostensibly aims to combat online child sexual abuse material. However, according to privacy and security experts who spoke with Mashable, the bill both directly threatens end-to-end encryption and promises to spur new and sustained online censorship by weakening Section 230 --- a provision of the Communication Decency Act of 1996 that protects internet providers from being held liable for their users' actions. The devil, as it so often can be found, is in the details. That's because the newly amended version of the bill essentially gives state lawmakers the ability to regulate the internet, according to Joe Mullin, a policy analyst with the Electronic Frontier Foundation, who broke down the censorship risks posed by the measure should it become law.
Fawkes protects your identity from facial recognition systems, pixel by pixel
In a paper due to be presented at the USENIX Security 2020 symposium, researchers Shawn Shan, Emily Wenger, Jiayun Zhang, Huiying Li, Haitao Zheng, and Ben Zhao introduce "Fawkes," software designed to "help individuals inoculate their images against unauthorized facial recognition models." In what could be considered the introduction of garbage code and data to images we share online, Fawkes works at the pixel level to introduce imperceptible "cloaks" to photos before they are uploaded to the Internet. Invisible to the naked eye, these tiny changes are still enough to produce inaccurate facial models accepted by deep learning systems and image scrapers -- without noticeably changing how an image looks to human viewers.
Government ordered to rewrite German telecom act due to privacy concerns
Germany's Constitutional Court has told the government to revise the Telecommunications Act by the end of next year as it violates the right of citizens to phone and internet privacy. The law at present is unconstitutional because authorities have too much access to people's data and the privacy of Germans should be better protected, the court ruled. Police investigating crimes or trying to prevent terror attacks are currently allowed to access names, addresses, birth dates and IP addresses. They are not entitled to access data involving connections to other people, the BBC reported.
New York bans use of facial recognition in schools statewide
The New York legislature passed a moratorium on the use of facial recognition and other forms of biometric identification in schools until 2022. The bill, which has yet to be signed by Governor Andrew Cuomo, comes in response to the launch of facial recognition by the Lockport City School District and appears to be the first in the nation to explicitly regulate or ban use of the technology in schools.
Swiss police automated crime predictions but has little to show for it
A review of three automated systems in use by the Swiss police and judiciary reveals serious issues. Real-world effects are impossible to assess due to a lack of transparency. The Swiss police and justice authorities use, by one count, over 20 different automated systems to estimate or predict inappropriate behavior. Police and justice are largely regional competencies in Switzerland; each canton might have its own systems in place.
Adversarial Machine Learning and the CFAA
Adversarial Machine Learning is booming, with ML researchers increasingly targeting commercial ML systems such as those used by Facebook, Tesla, Microsoft, IBM, and Google to demonstrate vulnerabilities. This paper asks, "What are the potential legal risks to adversarial ML researchers when they attack ML systems?" Studying or testing the security of any operational system potentially runs afoul of the Computer Fraud and Abuse Act (CFAA), the primary United States federal statute that creates liability for hacking. Analysis shows that because there is a split in how the CFAA is interpreted, aspects of adversarial ML attacks, such as model inversion, membership inference, model stealing, reprogramming the ML system, and poisoning attacks, may be sanctioned in some jurisdictions and not penalized in others. It concludes with an analysis predicting how the US Supreme Court may resolve some present inconsistencies in the CFAA's application in Van Buren v. United States, an appeal expected to be decided in 2021.
US offers $2 million for info on Ukrainians charged for SEC hack
The U.S. Department of State announced rewards of up to $1 million for information that would lead to the arrest or conviction of Ukrainian nationals Artem Viacheslavovich Radchenko and Oleksandr Vitalyevich Ieremenko. The State Department is offering the $1 million bounties under the Transnational Organized Crime Rewards Program (TOCRP) and says that it has already paid over $130 million in rewards under TOCRP for information leading to the apprehension of 75 transnational criminals. Radchenko and Ieremenko were charged in January 2019 with securities fraud conspiracy, computer fraud conspiracy, wire fraud conspiracy, wire fraud, and computer fraud in a 16-count unsealed indictment (an SEC complaint was also filed).
Popular Chinese-Made Drone Is Found To Have Security Weakness
Cybersecurity researchers revealed on Thursday a newfound vulnerability in an app that controls the world's most popular consumer drones, threatening to intensify the growing tensions between China and the United States. In two reports, the researchers contended that an app on Google's Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft. The world's largest maker of commercial drones, DJI has found itself increasingly in the cross hairs of the United States government, as have other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to continue grounding its fleet of the company's drones over security fears. DJI said the decision was about politics, not software vulnerabilities.
New 'Shadow Attack' can replace content in digitally signed PDF files
Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research [PDF] published this week by academics from the Ruhr-University Bochum in Germany. This is the second time that this very same research team has broken digital signatures for PDF viewer applications. In February 2019, the same team broke the digital signing mechanism on 21 of 22 desktop PDF viewer apps and five of seven online PDF digital signing services to create documents with fake signatures. Their new Shadow Attack differs from the first: instead of tampering with the digital signature itself, it alters the content of the PDF without invalidating the signature.
IBM Verify Gateway vulnerability allowed remote attackers to brute-force their way in
This week, IBM issued a set of security advisories relating to versions 1.0.0 and 1.0.1 of IBM Verify Gateway (IVG), the most serious being the disclosure of CVE-2020-4400. Issued a CVSS severity score of 7.5, the vulnerability is caused by an account lockout mechanism deemed "inadequate" because it does not prevent multiple access attempts. In automated brute-force attacks, threat actors hammer a system with usernames and passwords until they come across the right combinations, and to prevent these attacks from succeeding, software will often restrict login attempts. However, IVG's settings did not reach this standard when it comes to time-based one-time passwords (TOTPs), and so the bug "could allow a remote attacker to brute-force account credentials," according to IBM.
Apple Just Made It Easier To Hack An iPhone
Apple first touted the idea of providing hackable iPhones to security researchers at the 2019 Black Hat hacker conference in Las Vegas. Almost exactly one year later, Apple's Security Research Device (SRD) program has made the hackable iPhone a reality. While this is mostly a good thing, not everyone is happy out there in hacking country. Google's Project Zero technical lead, Ben Hawkes, took to Twitter to state that the team probably wouldn't be able to participate because of the program's disclosure restrictions, which "exclude Project Zero and other researchers who use a 90-day policy." Project Zero is one of the most prolific vulnerability hunters when it comes to Apple products. Hawkes said that it has "reported over 350 security vulnerabilities to Apple" across the last five years. While this bug hunting and reporting will continue, Hawkes tweeted, he confessed to being "pretty disappointed" with the SRD program approach.
WhatsApp messaging service blocked in Chad
Network data from the NetBlocks internet observatory confirm that messaging app WhatsApp is blocked in Chad from Wednesday 22 July 2020. Real-time metrics show that the service remains unavailable as of Thursday afternoon. Internet restrictions specifically target WhatsApp backend and frontend servers for subscribers on leading cellular networks Airtel and Tigo Tchad.
Towards native security defenses for the web ecosystem
Google's Information Security Engineering team is deploying Trusted Types, Content Security Policy, Fetch Metadata Request Headers and the Cross-Origin Opener Policy across Google, to help guide and inspire other developers to adopt these features to protect their own applications.
D-Link blunder: Firmware encryption key exposed in unencrypted image
Security researchers have demonstrated a method to decrypt proprietary firmware images embedded in D-Link routers. Firmware is the code that powers low-level functions on hardware devices; it is typically hard-coded in read-only memory. Companies encrypt the firmware images in their devices to prevent reverse engineering by competitors and threat actors, and to prevent their customers (or, worse, malware) from flashing the device with customized firmware.
Exploring Fully Homomorphic Encryption
Fully homomorphic encryption has for a long time been considered one of the holy grails of cryptography. The promise of fully homomorphic encryption (FHE) is powerful: it is a type of encryption that allows a third party to perform computations on encrypted data and obtain an encrypted result that they can hand back to whoever holds the decryption key for the original data, without the third party being able to decrypt either the data or the result. As a simple example, imagine that you have a set of emails, and you want to use a third-party spam filter to check whether or not they are spam. The spam filter provider wants to keep its algorithm private: either it wants to keep its source code closed, or the filter depends on a very large database that it does not want to reveal publicly because that would make attacking it easier, or both. You, however, care about the privacy of your data, and don't want to upload your unencrypted emails to a third party.