Table of Contents
- Brookfield Residential confirms ransomware attack
- Already in the midst of a crisis, a Houston hospital was attacked by ransomware
- Greenville Technical College claims no personal data affected by ransomware incident; threat actors claim otherwise
- Selma Unified hit with ransomware attack
- Valley Health System recovering from ransomware attack while maintaining patient care
- DarkSide Ransomware hits North American real estate developer
- Gosnell schools hit with ransomware attack
- North Okanagan pediatric clinic hacked
- REvil Allegedly Targets Another Healthcare Organization
- Volkswagen Service Center Got Allegedly Targeted by A New Group of Ransomware Operators
- City of Lafayette statement on July ransomware attack
- Search Engines May Expose Patient Health Information, ACR warns
- Report claims a popular iOS SDK is stealing click revenue from other ad networks
- Even Google engineers are confused about Google’s privacy settings
- Facebook apologizes to users for Apple’s monstrous efforts to protect privacy
- Clearview AI CEO Says 'Over 2,400 Police Agencies' Are Using Its Facial Recognition Software
- A Quarter of the Alexa Top 10K Websites Are Using Browser Fingerprinting Scripts
- TikTok, Trump, and the Future of Open Source Surveillance
- Identifying People by Their Browsing Histories
- Security researcher discloses Safari bug after Apple delays patch
- Google Chrome 85 fixes WebGL code execution vulnerability
- Slack pays stingy $1,750 reward for a desktop hijack vulnerability
- Academics bypass PINs for Visa contactless payments
- CCC hacks Corona contact lists from popular restaurant software
- We hacked 28,000 unsecured printers to raise awareness of printer security issue
- SS7 cellular network flaw being exploited to drain bank accounts
- The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
- Chinese-Made Smartphones Are Secretly Stealing Money From People Around the World
- Google Play apps promised free shoes, but users got ad fraud malware instead
- Emotet malware's new 'Red Dawn' attachment is just as dangerous
- Malicious npm package caught trying to steal sensitive Discord and browser files
- 'Lemon Duck' Cryptominer Aims for Linux Systems
- Qbot steals your email threads again to infect other victims
- Office 365 now opens attachments in a sandbox to prevent infections
- Namecheap hosting and email DOWN in prolonged outage
- Sendgrid under siege from hacked accounts
- Why streaming a video could freeze Microsoft IIS servers
- Thousands of Pirates Tricked Into Downloading Fake 'Tenet' Torrents
- Ethereum Is a Dark Forest. A horror story
- Facebook sues maker of advertising SDK for refusing to participate in audit
- Massive telecommunications outages registered as Hurricane Laura knocks out power and internet infrastructure
- WebBundles harmful to content blocking, security tools, and the open web
- The DeathStalker cyberspy group and its tool set
- Former engineer pleads guilty to Cisco network damage, causing Webex Teams account chaos
- Confessions of an ID Theft Kingpin
- Single & penniless: FBI warns of $475M lost to romance scams
- UltraRank hackers steal credit cards from hundreds of stores
- New Zealand stock exchange halted trading after DDoS attacks
- With Empire gone, patrons eye other illegal darkweb markets
- Hackers for hire attack architecture firm via 3ds Max exploit
- Lazarus hackers target cryptocurrency orgs with fake job offers
- Ex-Nursing Home Employee Used Patient’s ID To Pay Bills: Police
- US military personnel lost over $379 million to scams in the last 5 years
- DDoS extortionists target NZX, Moneygram, Braintree, and other financial services
- 15-year-old Merseyside boy arrested for hacking UK PayPal accounts
- Amazon Supplier Fraud
- FBI informant provides a glimpse into the inner workings of tech support scams
- Head of Danish intelligence suspended after whistleblowers hand over information
- Elon Musk confirmed Russian's plans to extort Tesla
- US sues to recover cryptocurrency funds stolen by North Korean hackers
- US Postal Service Files Blockchain Voting Patent
- Challenges, priorities, and progress in anti-censorship technology at Tor
- Iranian hackers impersonate journalists to set up WhatsApp calls and gain victims' trust
- Twitter takes down 'Dracula' botnet pushing pro-Chinese propaganda
- Israeli Phone Hacking Company 'Cellebrite' Sued To Stop Sales To Hong Kong
- Enterprise Scale: How Public Storage Buckets Leaked Private Credentials
- National Western Life Insurance company Nightmare Continues
- Utah Pathology Services notifying more than 110,000 patients of data breach
- 47 names of clergy abuse victims part of accidental email leak
- Southern Water customers could view others’ personal data by tweaking URL parameters
- ‘Human error’ results in privacy breach for Children’s Disability Services clients: Manitoba government
- Over 54,000 scanned NSW driver’s licences found in open cloud storage
- Clark County School District notifies parents after data security incident
- Scoot says ‘no data breach’ after Singapore customers not on Guangzhou-bound flight mistakenly get emails about Covid-19 testing
- Wellington-Dufferin-Guelph Public Health notification of privacy breach
- Almost 235 Million YouTube, TikTok and Instagram Profiles Exposed Online by Unsecured Database
- Exposed FCM keys leaves billions of users open to mass spam and phishing notifications
- Primary Indian ticket vendor suffers crippling data breach
- Hackers want money to release Haywood County school district files
- 38 Japan firms’ authentication data stolen amid surge in teleworkers
Brookfield Residential confirms ransomware attack
Although DarkSide ransomware operators claimed to have attacked Brookfield Asset Management, they appear to have attacked Brookfield Residential, a North American land developer and residential home builder. Brookfield Residential is an independently operating portfolio company that runs on a network and domain isolated from all other Brookfield entities, including Brookfield Asset Management. A spokesperson confirmed in a statement to DataBreaches.net that the latter's network was not involved at all in the cyberattack, but that there was unauthorized access to a "limited subset of files" on the Brookfield Residential network.
Already in the midst of a crisis, a Houston hospital was attacked by ransomware
On or about August 3, Maze Team --- who had briefly sworn off attacking medical facilities because of the pandemic --- added UMMC to their leak site. The threat actors use the site to name victims who have not paid their ransom demands. They generally dump some of the data that they claim to have stolen, presumably to pressure their victims into paying before more data is dumped. Maze Team's approach has been adopted by a number of other ransomware threat actors or teams, but it is not clear to me that the naming and data dumping actually brings most victims around to paying ransom. There have only been a few cases that this blogger can recall where names were subsequently removed from a site. For the most part, it seems that if victims do not agree to pay, they continue to stand firm, even when the threat actors add their name to a leak site, dump data, attempt to auction it, or otherwise try to sell it.
Greenville Technical College claims no personal data affected by ransomware incident; threat actors claim otherwise
When threat actors gave Greenville Technical College in South Carolina until September 4 to respond to their ransomware demands, the college didn't worry. They had decided not to pay because they were able to recover from the attack without paying for a decryption key. But there was a second part to the ransomware attack --- the threat actors had claimed to have successfully exfiltrated personal information of staff and students. And now, the threat actors are claiming that the college has lied to its staff, its students, and the public in claiming that it successfully dealt with the attack.
Selma Unified hit with ransomware attack
Selma Unified School District says it was hit by hackers. The attack happened overnight, locking up some of the district's systems on Friday, including the student information system.
Valley Health System recovering from ransomware attack while maintaining patient care
Valley Health Systems (VHS) has joined the unfortunate ranks of health systems that have fallen prey to a ransomware attack. VHS provides primary and preventative care to approximately 75,000 patients each year in southern West Virginia, southeastern Ohio and eastern Kentucky, operating more than 40 healthcare facilities. Their 2019 annual report noted that their sliding fee program had nearly doubled from FY 2018 to FY 2019. As the report noted, the number of patients receiving discounts had not increased during 2019, but the amount of services VHS provided to the uninsured and under-insured did increase. The largest category of sliding fee patients is "Slide A," meaning the individual or family is at 100 percent of the federal poverty level guidelines and receives the most heavily discounted or free services.
DarkSide Ransomware hits North American real estate developer
North American land developer and home builder Brookfield Residential is one of the first victims of the new DarkSide Ransomware. DarkSide is an enterprise targeting ransomware that began operating around August 10th, 2020. Like other human-operated ransomware, DarkSide will breach a network and spread laterally between devices, while stealing unencrypted data. Once they gain access to a Windows domain controller, the threat actors deploy the ransomware throughout the network. As part of their extortion strategy, DarkSide will create an entry for each victim whose data has been stolen on their data leak site. After a certain amount of time has expired, the data leak site will begin publishing the stolen data so that anyone with access to the site can download it.
Gosnell schools hit with ransomware attack
The Gosnell School District is recovering from a ransomware attack on Sunday. Superintendent Bornad Mace said ransomware software infiltrated the school's system Sunday morning. Mace said the district's tech team, the Arkansas Division of Information Services, and the P12 Cyber Threat Response Team worked to clear and recover data on Tuesday.
North Okanagan pediatric clinic hacked
Patients of a North Okanagan facility are being alerted of a privacy breach. The North Okanagan Pediatric Clinic was subject to a remote hacking attempt in late May 2020. "While patient medical charts and records, which are maintained in paper form only, were unaffected, historical patient profile information could theoretically have been accessed by the attacker during the period they had access to the local system," Dr. Michael Cooke said.
REvil Allegedly Targets Another Healthcare Organization
Recently, while monitoring data leaks, the Cyble Research Team identified a leak disclosure post in which the REvil ransomware operators claimed to have breached Valley Health Systems. Founded in 1975, Valley Health has since been providing primary and preventative care to approximately 75,000 patients each year in southern West Virginia, southeastern Ohio, and eastern Kentucky. Valley Health operates over 40 healthcare facilities and has over 400 employees working across all their centers.
Volkswagen Service Center Got Allegedly Targeted by A New Group of Ransomware Operators
Recently, CybleInc researchers came across a leak disclosure post in which Conti ransomware operators claim to have breached the Volkswagen group. The Volkswagen Group currently employs over 304,000 people and has annual revenue of around $282.9 billion.
City of Lafayette statement on July ransomware attack
On July 27, 2020, a ransomware cyberattack on the City's computer system disabled network services, resulting in disruptions to phone service, email, and online payment and reservation systems. The City's system was shut down and disconnected that morning, and any access the cyber criminals had was cut off at that time. We do not believe personal credit or debit card information was compromised because the City uses external PCI-certified payment gateways, which were not accessible or affected in the cyberattack. There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant and monitor their accounts for suspicious activity.
Search Engines May Expose Patient Health Information, ACR warns
New search engine capabilities may inadvertently expose patient identifiers and other protected health information, according to a warning from the American College of Radiology (ACR), Radiological Society of North America (RSNA), and Society for Imaging Informatics in Medicine (SIIM) to radiologists and other medical professionals. "The ability to use Optical Character Recognition (OCR) at scale allows programs to quickly re-generate explicit PHI that was originally burned into the image pixels," researchers explained. "Search engines can then associate ('index') the image with that explicit PHI thereby making it discoverable."
Report claims a popular iOS SDK is stealing click revenue from other ad networks
In an explosive report, developer security firm Snyk claims it found malicious code inside a popular iOS SDK used by more than 1,200 iOS applications, all collectively downloaded more than 300 million times per month. According to Snyk, this malicious code was hidden inside the iOS SDK of Mintegral, a China-based advertising platform. Mintegral provides this SDK to Android and iOS app developers for free. Developers use the SDK to embed ads inside their apps with just a few lines of code, in order to cut down development time and costs. But Snyk claims the iOS version of this SDK contains malicious features that sit silently in an iOS app's background and wait for a tap on any ad that's not its own (mobile apps regularly use multiple advertising SDKs to diversify their ads and monetization strategies). When an ad tap takes place, the Mintegral SDK hijacks the click referral process, making it appear to the underlying iOS operating system that the user clicked on one of its ads instead of a competitor's, effectively robbing revenue from other SDKs and advertising networks.
Even Google engineers are confused about Google’s privacy settings
Google's privacy settings don't just confuse its users --- they confuse its employees too, according to internal documents unsealed in a lawsuit over Google's data collection. "The current UI feels like it is designed to make things possible, yet difficult enough that people won't figure it out," one Google employee said, according to the heavily redacted documents that were newly unsealed recently. The lawsuit was originally filed by Arizona Attorney General Mark Brnovich in May; the new information in the unsealed documents was first reported on by The Arizona Mirror. "Even top-level Google employees do not understand under what conditions Google collects location data."
Facebook apologizes to users for Apple’s monstrous efforts to protect privacy
Facebook has apologized to its users and advertisers for being forced to respect people's privacy in an upcoming update to Apple's mobile operating system -- and promised it will do its best to invade their privacy on other platforms. The antisocial network, which makes almost all of its revenue from building a vast, constantly updated database of netizens that it then sells access to, is upset that iOS 14, due out next month, will require apps to ask users for permission before Facebook grabs data from their phones. "This is not a change we want to make, but unfortunately Apple's updates to iOS14 have forced this decision," the behemoth bemoans before thinking the unthinkable: that it may have to end its most intrusive analytics engine for iPhone and iPad users.
Clearview AI CEO Says 'Over 2,400 Police Agencies' Are Using Its Facial Recognition Software
More than 2,400 police agencies have entered contracts with Clearview AI, a controversial facial recognition firm, according to comments made by Clearview AI CEO Hoan Ton-That in an interview with Jason Calacanis on YouTube. The Verge reports: The hour-long interview references an investigation by The New York Times published in January, which detailed how Clearview AI scraped data from sites including Facebook, YouTube, and Venmo to build its database. The scale of that database and the methods used to construct it were already controversial before the summer of protests against police violence. "It's an honor to be at the center of the debate now and talk about privacy," Ton-That says in the interview, going on to call the Times investigation "actually extremely fair." "Since then, there's been a lot of controversy, but fundamentally, this is such a great tool for society," Ton-That says.
A Quarter of the Alexa Top 10K Websites Are Using Browser Fingerprinting Scripts
In an academic paper published earlier this month, a team of academics from the University of Iowa, Mozilla, and the University of California, Davis, have analyzed how popular browser fingerprinting scripts are used today by website operators. Using a machine learning toolkit they developed themselves and named FP-Inspector, the research team scanned and analyzed the top 100,000 most popular websites on the internet, according to the Alexa web traffic ranking. "We find that browser fingerprinting is now present on more than 10% of the top-100K websites and over a quarter of the top-10K websites," the research team said. However, the research team also points out that despite the large number of websites that are currently using browser fingerprinting, not all scripts are used for tracking. Some fingerprinting scripts are also used for fraud detection: automated bots tend to have the same or similar fingerprints, so fingerprinting scripts are a reliable method of detecting automated behavior.
TikTok, Trump, and the Future of Open Source Surveillance
TikTok has been in the news, and not for good reasons. ByteDance, the Chinese parent company of TikTok, has been using the wildly popular social media video-sharing app to collect locations, browsing behavior, and search histories from most of its hundreds of millions of users in the U.S., Canada, Australia, and Europe. The concern has become an issue of national security. President Trump has issued multiple executive orders to ByteDance and Tencent Holdings, the Chinese parent company of the social messaging app WeChat, to divest interest in U.S. operations within 90 days. And Microsoft declared its intent (alongside interest expressed by both Oracle and Twitter) to acquire and fully patriate TikTok, its data, and its algorithms as subsidiaries of its main U.S. entity.
Identifying People by Their Browsing Histories
Researchers examined the threat to individuals' privacy based on the feasibility of reidentifying users through distinctive profiles of their browsing history visible to websites and third parties. This work replicates and extends the 2012 paper Why Johnny Can't Browse in Peace: On the Uniqueness of Web Browsing History Patterns. The original work demonstrated that browsing profiles are highly distinctive and stable. The researchers reproduce those results and extend the original work to detail the privacy risk posed by the aggregation of browsing histories. The dataset consists of two weeks of browsing data from ~52,000 Firefox users. This work replicates the original paper's core findings by identifying 48,919 distinct browsing profiles, of which 99% are unique. High uniqueness holds even when histories are truncated to just the 100 top sites. They then find that for users who visited 50 or more distinct domains in the two-week data collection period, ~50% can be reidentified using the top 10k sites. Reidentifiability rose to over 80% for users that browsed 150 or more distinct domains.
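As an added example (not code from the study or the paper it replicates), the following Python computes, on a small constructed dataset, the two measures the summary reports: how many browsing profiles are unique, and how that changes when histories are truncated to the top-N most popular sites or restricted to users with at least k distinct domains. The user ids and domain names are constructed, and the "reidentifiable" measure here is simplified to profile uniqueness within a single observation window rather than the paper's matching of profiles across two time periods.

```python
"""Measure how distinctive browsing profiles are (added example; all data constructed)."""
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample: user id -> domains visited during the observation window.
HISTORIES: Dict[str, List[str]] = {
    "u1": ["news.example", "mail.example", "shop.example"],
    "u2": ["news.example", "mail.example", "shop.example"],  # identical to u1
    "u3": ["news.example", "mail.example", "forum.example"],
    "u4": ["video.example", "mail.example", "rare-blog.example"],
    "u5": ["video.example", "mail.example", "other-rare.example"],
    "u6": ["video.example", "mail.example"],
}


def site_popularity(histories: Dict[str, List[str]]) -> List[str]:
    """Domains ranked by the number of distinct users who visited them.

    Ties are broken by domain name so the ranking is deterministic.
    """
    counts: Counter = Counter()
    for domains in histories.values():
        counts.update(set(domains))
    return sorted(counts, key=lambda d: (-counts[d], d))


def build_profiles(histories: Dict[str, List[str]],
                   top_n: Optional[int] = None) -> Dict[str, FrozenSet[str]]:
    """Reduce each history to its set of distinct domains.

    With top_n set, only the top_n most popular domains are kept, which is
    the 'truncated history' condition described in the summary.
    """
    allowed: Optional[Set[str]] = None
    if top_n is not None:
        allowed = set(site_popularity(histories)[:top_n])
    profiles: Dict[str, FrozenSet[str]] = {}
    for user, domains in histories.items():
        visited = set(domains)
        if allowed is not None:
            visited &= allowed
        profiles[user] = frozenset(visited)
    return profiles


def uniqueness(profiles: Dict[str, FrozenSet[str]]) -> Tuple[int, int]:
    """Return (distinct profiles, profiles held by exactly one user)."""
    counts = Counter(profiles.values())
    return len(counts), sum(1 for c in counts.values() if c == 1)


def reidentifiable_fraction(histories: Dict[str, List[str]],
                            top_n: Optional[int] = None,
                            min_domains: int = 1) -> float:
    """Fraction of users with at least min_domains distinct domains in their
    full history whose (possibly truncated) profile is unique among all users.
    A unique profile is what lets an observer single that user out."""
    profiles = build_profiles(histories, top_n)
    counts = Counter(profiles.values())
    eligible = [u for u, d in histories.items() if len(set(d)) >= min_domains]
    if not eligible:
        return 0.0
    unique = sum(1 for u in eligible if counts[profiles[u]] == 1)
    return unique / len(eligible)


if __name__ == "__main__":
    for top_n in (None, 4, 3):
        distinct, unique = uniqueness(build_profiles(HISTORIES, top_n))
        label = "full history" if top_n is None else f"top-{top_n} sites"
        print(f"{label}: {distinct} distinct profiles, {unique} unique")
    print("reidentifiable (>=3 domains, full):",
          reidentifiable_fraction(HISTORIES, None, 3))
    print("reidentifiable (>=3 domains, top-4):",
          reidentifiable_fraction(HISTORIES, 4, 3))
```

The pattern the paper reports shows up even on this toy data: with full histories most profiles are unique, and truncating to the few most popular sites collapses them into a handful of shared profiles, so the long tail of rarely visited domains is what carries the identifying signal.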
Security researcher discloses Safari bug after Apple delays patch
A security researcher has published details about a Safari browser bug that could be abused to leak or steal files from users' devices. The researcher, Wylecial, initially reported the bug to Apple earlier this spring, in April, but decided to go public with his findings today after the OS maker delayed patching the bug for almost a year, to the spring of 2021. In a blog post today, Wylecial said the bug resides in Safari's implementation of the Web Share API --- a new web standard that introduced a cross-browser API for sharing text, links, files, and other content. The security researcher says that Safari (on both iOS and macOS) supports sharing files that are stored on the user's local hard drive (via the file:// URI scheme). This is a big privacy issue, as it could lead to situations where malicious web pages invite users to share an article via email with their friends but end up secretly siphoning or leaking a file from their device.
Google Chrome 85 fixes WebGL code execution vulnerability
Slack pays stingy $1,750 reward for a desktop hijack vulnerability
Academics bypass PINs for Visa contactless payments
A team of academics from Switzerland has discovered a security bug that can be abused to bypass PIN codes for Visa contactless payments. This means that if criminals are ever in possession of a stolen Visa contactless card, they can use it to pay for expensive products, above the contactless transaction limit, and without needing to enter the card's PIN code. The attack is extremely stealthy, academics said, and can be easily mistaken for a customer paying for products using a mobile/digital wallet installed on their smartphone. However, in reality, the attacker is actually paying with data received from a (stolen) Visa contactless card that is hidden on the attacker's body.
CCC hacks Corona contact lists from popular restaurant software
First the police used the contact lists kept in restaurants, and now hackers have hacked the digital form of such lists. They also found reservations from top politicians such as Health Minister Jens Spahn. Members of the Chaos Computer Club (CCC) have discovered several vulnerabilities in Gastronovi, a cloud system for catering establishments. According to the CCC, several million sensitive data records were visible in corona lists and reservations. Before the release, the CCC contacted the software company so that they could close the loopholes.
We hacked 28,000 unsecured printers to raise awareness of printer security issue
In order to help as many people as possible secure their devices against potential cyberattacks, the CyberNews security team accessed 27,944 printers around the world and forced the hijacked devices to print out a short 5-step guide on how to secure a printer, with a link to a more detailed version of the guide on their website.
SS7 cellular network flaw being exploited to drain bank accounts
Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations, all while the intrusion looks like ordinary carrier-to-carrier chatter among a sea of other "privileged peering relationships." But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating that the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets' bank accounts, thus far predominantly in Europe:
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it's also important to know quantitatively how a delay could increase risk. What is the chance that attackers breach my organization using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, Unit 42 researchers analyzed 45,450 publicly available exploits in Exploit Database at the time of this writing. The research correlated the exploit data with vulnerability and patch information to study exploit development in multiple facets.
Chinese-Made Smartphones Are Secretly Stealing Money From People Around the World
Transsion is the Chinese company that makes Tecno and other low-priced smartphones, as well as basic handsets, for the developing world. Mxolosi, an unemployed 41-year-old, became frustrated with his Tecno W2. Pop-up ads interrupted his calls and chats. He'd wake up to find his prepaid data mysteriously used up and messages about paid subscriptions to apps he'd never asked for. He thought it might be his fault, but according to an investigation by Secure-D, a mobile security service, and BuzzFeed News, software embedded in his phone right out of the box was draining his data while trying to steal his money. Mxolosi's Tecno W2 was infected with xHelper and Triada, malware that secretly downloaded apps and attempted to subscribe him to paid services without his knowledge. Secure-D's system, which mobile carriers use to protect their networks and customers against fraudulent transactions, blocked 844,000 transactions connected to preinstalled malware on Transsion phones between March and December 2019. Secure-D Managing Director Geoffrey Cleaves told BuzzFeed News that Mxolosi's data was used up by the malware as it attempted to subscribe him to paid services.
Google Play apps promised free shoes, but users got ad fraud malware instead
Google has removed an undisclosed number of Android applications from the official Google Play Store that the company says were part of an ad fraud botnet. Named Terracotta, this botnet was discovered by the Satori mobile security team at White Ops, a security firm specialized in identifying bot behavior. White Ops researchers said they've been tracking Terracotta since late 2019 when the botnet seems to have become active.
Emotet malware's new 'Red Dawn' attachment is just as dangerous
The Emotet botnet has begun to use a new template for their malicious attachments, and it is just as dangerous as ever. After a five-month "vacation," the Emotet malware returned in July 2020 and began to spew massive amounts of malicious spam worldwide. On August 25th, the botnet switched to a new template that Emotet expert Joseph Roosen has named 'Red Dawn' due to its red accent colors. The Red Dawn template also moves away from its iOS theme and now states that "This document is protected" and that previewing is not available. It then prompts the user to click on 'Enable Editing' and 'Enable Content' to view the document.
Malicious npm package caught trying to steal sensitive Discord and browser files
'Lemon Duck' Cryptominer Aims for Linux Systems
The operators behind the "Lemon Duck" cryptominer have developed new techniques to better target enterprise-grade Linux systems, according to the security firm Sophos. The gang that developed the malware, which mines for monero cryptocurrency, also is now deploying new obfuscation techniques to avoid detection, Sophos says. Plus, the malware is "fileless" and will leave no trace on the network once its activities are complete. Lemon Duck, which is written in Python, was first spotted in October 2019 in China and has since become a tool used worldwide by threat actors, according to Trend Micro.
Qbot steals your email threads again to infect other victims
The Qbot trojan is again stealing reply-chain emails that can be used to camouflage malware-riddled emails as parts of previous conversations in future malicious spam campaigns. Qbot (also known as QakBot) is a banking and information-stealing malware that has been actively infecting victims for more than ten years. When installed, Qbot will attempt to steal its victims' stored passwords, cookies, credit cards, emails, and online banking credentials. This trojan is also known to download and install other malware onto compromised computers, including ProLock Ransomware payloads. According to a new report by Check Point, QBot continues to employ a tactic previously used by the Gozi ISFB banking trojan, the URSNIF information-stealing trojan, and the Emotet trojan.
Office 365 now opens attachments in a sandbox to prevent infections
Microsoft announced the launch of Application Guard for Office in public preview to protect enterprise users from threats that use malicious attachments as an attack vector. Application Guard for Office (also known as Microsoft Defender Application Guard for Office) is designed to prevent files downloaded from untrusted sources from gaining access to trusted resources by opening them within an isolated sandbox. This sandbox will automatically block maliciously crafted files from exploiting vulnerabilities, downloading other malicious tools, or otherwise affecting the users' device and data through malicious behavior.
Namecheap hosting and email DOWN in prolonged outage
One of the world's largest domain registrars, Namecheap, has been hit with a series of mysterious outages, and it is not clear why. The company, with over 11 million registered users and 10 million domains, offers domain registration, hosting, private email services, and TLS/SSL certificates, and has become one of the most recognizable names in the industry.
Sendgrid under siege from hacked accounts
Email service provider Sendgrid is grappling with an unusually large number of customer accounts whose passwords have been cracked, sold to spammers, and abused for sending phishing and email malware attacks. Sendgrid's parent company Twilio says it is working on a plan to require multi-factor authentication for all of its customers, but that solution may not come fast enough for organizations having trouble dealing with the fallout in the meantime. "It's actually quite shocking that an organization that works with business customers for marketing purposes didn't already have multi-factor authentication in place for users, and implementing it as a requirement is a critical first step that should happen urgently," says Torsten George, cybersecurity evangelist with security firm Centrify.
Why streaming a video could freeze Microsoft IIS servers
During the August 2020 Patch Tuesday, Microsoft fixed 2 zero-days and 120 flaws. When it comes to severity, the list comprises vulnerabilities deemed either "Important" or "Critical." Of these, a mysterious yet equally fascinating flaw is a Denial of Service (DoS) vulnerability being tracked under CVE-2020-1597. While the flaw has been attributed to ASP.NET Core, it actually lurks in the IIS server middleware provided as a part of the framework's source code, which makes .NET applications run on Microsoft IIS servers. Microsoft's explanation of the CVE is rather vague and cryptic: "A denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication." Researching the project's GitHub repository, however, revealed some interesting findings.
Thousands of Pirates Tricked Into Downloading Fake 'Tenet' Torrents
The official premiere of Tenet has drawn many people to the movie theaters this week. On pirate sites, there's been plenty of interest too, as thousands of people are being tricked into downloading fake copies. Pirates are not the only ones being fooled though, as Warner Bros. has its eyes set on fake releases too. TorrentFreak reports: All around the world, millions of people have waited in anticipation for the release of Christopher Nolan's sci-fi thriller 'Tenet.' The film was initially scheduled to be released in July but, after several pandemic-related delays, Warner Bros. moved the premiere ahead to the end of August. According to one anti-piracy expert, Tenet's release has all the ingredients for a "perfect storm for piracy." This prediction prompted us to take a look at how Tenet is doing on pirate sites today. This question is not hard to answer, as there is no 'real' pirated copy of the film out there. Instead, sites are overwhelmed with fake Tenet releases.
Ethereum Is a Dark Forest. A horror story
Dan Robinson and Georgios Konstantopoulos write: "On Wednesday afternoon, someone asked whether it was possible to recover Uniswap liquidity tokens that had been accidentally sent to the pair contract itself. My initial thought was that the tokens would be locked forever. But late that night, I had the sudden realization that if the tokens were still there, they could be recovered --- by anyone."
Facebook sues maker of advertising SDK for refusing to participate in audit
Facebook has filed lawsuits in both the US and the UK against MobiBurn, a UK software company that provided advertising tools for mobile app developers. In particular, MobiBurn provided an advertising software development kit (SDK) that allowed app developers to embed ads inside their applications and monetize user behavior. But in a lawsuit, Facebook claims the SDK contained malicious code that illegally collected the personal data of Facebook users. Facebook said the data was collected when users installed any mobile app that contained the MobiBurn advertising SDK. When this happened, the code would activate and collect a person's name, time zone, email address, and gender. "Security researchers first flagged MobiBurn's behavior to us as part of our data abuse bounty program," said Jessica Romero, Facebook's Director of Platform Enforcement and Litigation.
Massive telecommunications outages registered as Hurricane Laura knocks out power and internet infrastructure
Network data from the NetBlocks internet observatory confirm significant disruption to internet connectivity across parts of Louisiana and Texas as Hurricane Laura makes landfall in the U.S. Gulf Coast and moves inland on Thursday 27 August 2020. The network outages are likely to significantly impact communications with storm victims and may hamper rescue and recovery efforts.
WebBundles harmful to content blocking, security tools, and the open web
Google is proposing a new standard called WebBundles. This standard allows websites to "bundle" resources together, and will make it impossible for browsers to reason about sub-resources by URL. This threatens to change the Web from a hyperlinked collection of resources (that can be audited, selectively fetched, or even replaced), to opaque all-or-nothing "blobs" (like PDFs or SWFs). Organizations, users, researchers and regulators who believe in an open, user-serving, transparent Web should oppose this standard.
The DeathStalker cyberspy group and its tool set
Kaspersky experts have identified a cybercriminal group that specializes in stealing trade secrets. Judging by its targets so far, the group is interested mainly in attacking fintech companies, law firms, and financial advisors, although in at least one case, it also attacked a diplomatic entity. Such a choice of targets may indicate that this group, code-named DeathStalker, is either looking for particular information to sell or offering an "attack on demand" service. In other words, the group is mercenary. The DeathStalker group has been active since 2018 or earlier, and possibly since 2012. Its use of the Powersing implant is what first caught our experts' attention. More recent operations employ similar methods as well.
Former engineer pleads guilty to Cisco network damage, causing Webex Teams account chaos
A former Cisco engineer has admitted to illegally accessing Cisco's network and wiping 456 virtual machines as well as causing disruption to over 16,000 Webex Teams accounts. Sudhish Kasaba Ramesh has taken a plea agreement in a federal court in San Jose after being accused of intentionally accessing a protected computer without authorization and recklessly causing damage, according to the US Department of Justice (DoJ). The 30-year-old engineer resigned in April 2018, but chose to access Cisco's Amazon Web Services (AWS) environment roughly five months after leaving the company in order to deploy code that deleted 456 virtual machines (VMs). On September 24, 2018, the code was launched from Ramesh's Google Cloud Project account, obliterating the VMs. As a result of this action, over 16,000 Webex Teams accounts were deactivated for two weeks.
Confessions of an ID Theft Kingpin
At the height of his cybercriminal career, the hacker known as "Hieupc" was earning $125,000 a month running a bustling identity theft service that siphoned consumer dossiers from some of the world's top data brokers. That is, until his greed and ambition played straight into an elaborate snare set by the U.S. Secret Service. Now, after more than seven years in prison Hieupc is back in his home country and hoping to convince other would-be cybercrooks to use their computer skills for good.
Single & penniless: FBI warns of $475M lost to romance scams
The Federal Bureau of Investigation is warning of online romance scams, an ongoing online fraud trend that can lead to large financial losses, as well as devastating emotional scars. The scammers behind this type of fraud use fake online identities to gain their victims' trust on social media and dating websites. Once the targets are lured in, scammers take advantage of the illusion of a romantic relationship to manipulate them into sending money or financial information that is later used in other types of fraud schemes. Some $475 million was lost to romance scams in 2019. The 2019 Internet Crime Report published by the FBI's Internet Crime Complaint Center (IC3) says that romance scams (also known as confidence fraud) are behind higher financial damages than other reported online crimes. "In 2019, almost 20,000 complaints categorized as romance scams were reported to IC3 (about 1,000 more than the previous year), and the losses associated with those complaints exceeded $475 million," the FBI said.
UltraRank hackers steal credit cards from hundreds of stores
New Zealand stock exchange halted trading after DDoS attacks
New Zealand's stock exchange (NZX) has been impacted by distributed denial-of-service (DDoS) attacks, forcing it to shut down trading until the connectivity issues were resolved. NZX operates New Zealand's capital, risk, and commodity markets, and it supplies market information including real-time stock quotes, market data and news. The stock market announced that it was able to restore services after it had to halt cash markets following what it called a volumetric DDoS attack.
With Empire gone, patrons eye other illegal darkweb markets
Dark web marketplace Empire has recently made an abrupt exit after being subject to a heavy DDoS attack campaign, and extortion attempts. According to the latest reports, Empire site admins had been struggling to keep the operation afloat, and the recent blow from cyber-attacks left them no choice but to put the illicit marketplace to rest with a bleak possibility of its return. With many customers and vendors left in the dark (no pun intended) about Empire's whereabouts, and with their money stuck in escrow, what will be their next plan of action? Suffice to say, Empire's sudden disappearance has shattered the trust of darknet patrons in the so-called "escrow" systems employed by these marketplaces.
Hackers for hire attack architecture firm via 3ds Max exploit
An advanced hackers-for-hire group has compromised computers of an architecture firm involved in luxury real-estate projects worth billions of US dollars. The group carries out espionage operations, the attack vector being a malicious plugin for the Autodesk 3ds Max software for creating professional 3D computer graphics. According to an investigation from Bitdefender, the unnamed victim is an important company working with luxury real-estate developers in the U.S., the U.K., Australia, and Oman that contract services of top architects and interior designers. Evidence discovered by security researchers points to a group that provides sophisticated hacking services to various customers looking for inside financial details and negotiations about high-value contracts. "The sophistication of the attack reveals an APT-style group that had prior knowledge of the company's security systems and used software applications, carefully planning their attack to infiltrate the company and exfiltrate data undetected".
Lazarus hackers target cryptocurrency orgs with fake job offers
North Korean hackers tracked as the Lazarus Group have been observed while using LinkedIn lures in an ongoing spear-phishing campaign targeting the cryptocurrency vertical in the United States, the United Kingdom, Germany, Singapore, the Netherlands, Japan, and other countries. This is not the first time the Lazarus hackers (also tracked as HIDDEN COBRA by the United States Intelligence Community and Zinc by Microsoft) have targeted cryptocurrency organizations.
Ex-Nursing Home Employee Used Patient’s ID To Pay Bills: Police
A Franklin Park woman is accused of stealing the identities of dozens of mostly elderly people. Anna Zur, 39, was arrested on Wednesday after a year-long investigation, where she was charged with felony counts of wire fraud and continuing a financial crimes enterprise, police said. When a daughter noticed fraudulent charges in her mother's checking account used to pay for her stay at Villa at Palos Heights, she contacted police. Working with the care facility's corporate office, police learned that a former employee, later identified as Zur, had access to the patient's financial information and documents, according to a news release.
US military personnel lost over $379 million to scams in the last 5 years
According to an Atlas VPN investigation, US military personnel lost $379.6 million to various scams from 2015 through June 30, 2020. Military consumers made more than 680,000 reports about fraud, identity theft, or other consumer issues to the Federal Trade Commission (FTC). The FTC uses these complaints as the starting point for criminal investigations. The FTC does not resolve the accusations itself, but it sends the data out to over 2,500 law enforcement agencies in the US.
DDoS extortionists target NZX, Moneygram, Braintree, and other financial services
For the past weeks, a criminal gang has launched DDoS attacks against some of the world's biggest financial service providers and demanded Bitcoin payments as extortion fees to stop their attacks. Just this week, the group has attacked money transfer service MoneyGram, YesBank India, Worldpay, PayPal, Braintree, and Venmo, a source involved in the DDoS mitigation field has told ZDNet. The New Zealand stock exchange (NZX), which halted trading for the third day in a row today, is also one of the group's victims. The attackers have been identified as the same hacker group mentioned in an Akamai report published on August 17, last week.
15-year-old Merseyside boy arrested for hacking UK PayPal accounts
Merseyside Police have arrested, and subsequently released under investigation, a fifteen-year-old boy on suspicion of hacking into a number of PayPal accounts in the UK earlier this year. Aside from arresting and releasing the fifteen-year-old boy under investigation, Merseyside Police's Cyber Dependent Crime Unit, along with the Matrix, carried out a search of the boy's home, finding many expensive gadgets such as an iPhone 11, iPhone 8, Apple Watch, Samsung phone, Apple AirPods, an iPad, a Sony mobile phone and a mini motorbike.
Amazon Supplier Fraud
According to the indictment, the brothers swapped ASINs for items Amazon ordered to send large quantities of different goods instead. In one instance, Amazon ordered 12 canisters of disinfectant spray costing $94.03. The defendants allegedly shipped 7,000 toothbrushes costing $94.03 each, using the code for the disinfectant spray, and later billed Amazon for over $650,000. In another instance, Amazon ordered a single bottle of designer perfume for $289.78. In response, according to the indictment, the defendants sent 927 plastic beard trimmers costing $289.79 each, using the ASIN for the perfume. Prosecutors say the brothers frequently shipped and charged Amazon for more than 10,000 units of an item when it had requested fewer than 100. Once Amazon detected the fraud and shut down their accounts, the brothers allegedly tried to open new ones using fake names, different email addresses, and VPNs to obscure their identity.
FBI informant provides a glimpse into the inner workings of tech support scams
US authorities have charged three suspects involved in a large-scale tech support scam operation after FBI agents arrested one of their co-conspirators and turned him into an informant. Evidence provided by the informant along with court documents filed in the case provides an in-depth glimpse at the techniques and inner workings of a modern-day tech support scam, from its earliest stages to the methods crooks use to launder funds obtained from defrauded victims.
Head of Danish intelligence suspended after whistleblowers hand over information
Denmark's military intelligence head has been suspended after it was revealed the agency had broken laws and misled the intelligence watchdog. Lars Findsen has been relieved from duty "for the time being" and two other employees have also been suspended. The Danish Defence Intelligence Service is said to have been spying on Danish citizens over the past six years. The investigation into the agency was launched after whistleblowers handed over information. According to local media, the Defence Intelligence Service is accused of failing to investigate allegations of espionage in the armed services. It has also been accused of obtaining and passing on information about Danish citizens. It is unclear if members of the public will ever be told if they were targeted and what information has been passed on.
Elon Musk confirmed Russian's plans to extort Tesla
The FBI thwarted the plans of 27-year-old Russian national Egor Igorevich Kriuchkov to recruit an insider within Tesla's Nevada Gigafactory, persuade him to plant malware on the company's network, and then ransom Tesla under threat that he would leak data stolen from their systems. Kriuchkov was arrested on August 22, 2020, in Los Angeles after he got a phone call from an FBI agent and tried to leave the U.S. "After being contacted by the FBI, Kriuchkov drove overnight from Reno to Los Angeles," a Department of Justice press release says. "Kriuchkov asked an acquaintance to purchase an airline ticket for him in an attempt to fly out of the country." Tesla's CEO later confirmed in a Twitter reply that the Russian national was trying to recruit a Tesla employee.
US sues to recover cryptocurrency funds stolen by North Korean hackers
The United States government has filed a lawsuit seeking to seize control of 280 Bitcoin and Ethereum accounts that are believed to be holding funds North Korean hackers stole from two cryptocurrency exchanges. Court documents did not identify the hacked exchanges, but officials said the two hacks took place on July 1, 2019, and September 25, 2019. During the first incident, North Korean hackers stole $272,000 worth of alternative cryptocurrencies and tokens, including Proton Tokens, PlayGame tokens, and IHT Real Estate Protocol tokens, while in the second, hackers stole multiple virtual currencies worth in total more than $2.5 million. US officials said they used blockchain analysis to track the funds stolen from the two hacked exchange portals back to the 280 accounts.
US Postal Service Files Blockchain Voting Patent
The US Postal Service has filed a patent on a blockchain voting method: A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot information in an election. The system separates voter identification and votes to ensure vote anonymity, and stores votes on a distributed ledger in a blockchain.
Challenges, priorities, and progress in anti-censorship technology at Tor
This blog post seeks to bring clarity to the modus operandi of the Tor Project in the anti-censorship space by providing a summary of the challenges we face, the priorities we focus on, and the progress we have made so far related to our circumvention technology. Censorship circumvention is a complex and ever evolving problem, and this blog post summarizes our approach in tackling it.
Iranian hackers impersonate journalists to set up WhatsApp calls and gain victims' trust
Iranian government hackers have impersonated journalists to reach out to targets via LinkedIn, and set up WhatsApp calls to win their trust, before sharing links to phishing pages and malware-infected files. The attacks have happened in July and August this year, according to Israeli cyber-security firm ClearSky, who published a report detailing this particular campaign. The hackers are believed to be members of Iranian super group CharmingKitten, also known as APT35, NewsBeef, Newscaster, or Ajax, according to Ohad Zaidenberg, ClearSky Lead Cyber Intelligence Researcher. Zaidenberg says the recent campaign targeted academia experts, human rights activists, and journalists specialized in Iranian affairs. The ClearSky researcher said hackers contacted victims first via LinkedIn messages, where they posed as Persian-speaking journalists working for German broadcasting company Deutsche Welle and Israeli magazine Jewish Journal.
Twitter takes down 'Dracula' botnet pushing pro-Chinese propaganda
Social media research group Graphika said it identified a Twitter botnet of around 3,000 bots that pushed pro-Chinese political spam, echoing official messaging released through state propaganda accounts. Graphika said it was able to identify the botnet due to a quirk shared by the vast majority of bot accounts, most of which used quotes from Bram Stoker's Dracula book for the profile description and the first two tweets.
Israeli Phone Hacking Company 'Cellebrite' Sued To Stop Sales To Hong Kong
Human rights advocates filed a new court petition against the Israeli phone hacking company Cellebrite, urging Israel's Ministry of Defense to halt the firm's exports to Hong Kong where security forces have been using the technology in crackdowns against dissidents as China takes greater control of Hong Kong. In July, police court filings revealed that Cellebrite's phone hacking technology has been used to break into 4,000 phones of Hong Kong citizens, including prominent pro-democracy politician and activist Joshua Wong. He subsequently launched an online petition to end Cellebrite's sales to Hong Kong which gained 35,000 signatures.
Enterprise Scale: How Public Storage Buckets Leaked Private Credentials
UpGuard analysts identified a cloud storage bucket configured for public access located at the URL "dev.hortonworks.com.s3.amazonaws.com" and proceeded to download and review a sample of the files. Initial analysis by the UpGuard team showed sufficient reason to believe sensitive information stemming from Hortonworks was most likely exposed to the public internet through the discovered file repositories.
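The exposure above came from a bucket whose configuration allowed public access. As an added example (not UpGuard's or Hortonworks' code), the checker below evaluates the three places an S3 bucket can become public: its bucket policy, its ACL grants, and its Public Access Block settings. The policy and ACL documents are constructed samples; "example-dev-bucket" is a placeholder name, and the weak policy is shown beside a corrected one that restricts the principal to a single account.

```python
"""Offline checker for the three ways an S3 bucket becomes public.
Added example; the policy/ACL/public-access-block documents below are
constructed samples, not real configuration from any company."""

# Amazon's well-known group URIs that make an ACL grant world-readable.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Weak setting: anyone on the internet may read every object.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-dev-bucket/*",
    }],
}

# Corrected setting: only one account (placeholder id) may read objects.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-dev-bucket",
                     "arn:aws:s3:::example-dev-bucket/*"],
    }],
}

WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
FIXED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"}, "Permission": "FULL_CONTROL"},
]}

WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FIXED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _principals(principal):
    """Normalise the Principal element to a list of principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def public_policy_statements(policy):
    """Return the Sids of Allow statements open to everyone with no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<unnamed>"))
    return findings


def public_acl_grants(acl):
    """Return the permissions granted to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS]


def public_access_block_complete(pab):
    """True only when all four Public Access Block flags are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)


def assess_bucket(policy, acl, pab):
    """Combine the three checks into one verdict plus the reasons."""
    reasons = []
    if public_policy_statements(policy):
        reasons.append("policy grants access to Principal *")
    if public_acl_grants(acl):
        reasons.append("ACL grants access to a global group")
    if not public_access_block_complete(pab):
        reasons.append("Public Access Block not fully enabled")
    return {"public": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print("weak:", assess_bucket(WEAK_POLICY, WEAK_ACL, WEAK_PAB))
    print("fixed:", assess_bucket(FIXED_POLICY, FIXED_ACL, FIXED_PAB))
```

In a real account the same three documents come from the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls; the point of running the check against all three is that a bucket stays public if any one of them is loose.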
National Western Life Insurance company Nightmare Continues
On August 18, 2020, during its daily monitoring of cyber threats and risks, the Cyble Research Team identified a leak post in which the REvil ransomware operators claimed to have breached National Western Life and to be in possession of 656 GB of the company's confidential data.
Utah Pathology Services notifying more than 110,000 patients of data breach
Approximately 112,000 patients had their personal information exposed by a data breach at Utah Pathology Services. The breach came to light when the organization discovered that "an unknown party attempted to redirect funds from within Utah Pathology," according to a press release from the company.
47 names of clergy abuse victims part of accidental email leak
A clergy abuse victim who participated in the Philadelphia Archdiocese's independent compensation program for survivors is alleging that the confidentiality of nearly 50 other victims was compromised when the program administrator mistakenly sent the individual an email in 2019 with the names of participants from another diocese's program. Since October 2016, Kenneth Feinberg and Camille Biros, national mediation experts who managed the compensation payouts to victims of the Sept. 11 attacks and the Boston Marathon bombing, have partnered with Catholic dioceses throughout the country to implement voluntary programs where victims pursue their claims outside of court.
Southern Water customers could view others’ personal data by tweaking URL parameters
Southern Water -- British supplier of the liquid of life -- botched its internal Sharepoint implementation so badly that a customer was able to view other people's account details. Reg reader Chris H discovered that the way Southern Water had set up Sharepoint to host customer information as a "your account" style section of their website exposed URLs that could be tweaked to view other people's account information.
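The Southern Water flaw is a textbook insecure direct object reference: the server trusts an account identifier taken from the URL instead of checking that it belongs to the logged-in customer. As an added example (not Southern Water's or SharePoint's code), the block below shows the vulnerable handler beside its hardened form over a constructed in-memory account table, plus a small detection routine that flags a session requesting many different account ids in the access log. The `Request` class, the account table and the log lines are all constructed for the example.

```python
"""IDOR: vulnerable handler, hardened handler, and a log-based detector.
Added example with constructed data; not code from Southern Water."""
from dataclasses import dataclass

# Constructed sample data: account id -> owning customer and details.
ACCOUNTS = {
    1001: {"owner": "alice", "address": "1 Example Lane", "balance": 42.50},
    1002: {"owner": "bob", "address": "2 Sample Street", "balance": 13.00},
}


@dataclass
class Request:
    session_user: str   # authenticated customer, taken from the login session
    account_id: int     # value taken from the URL query parameter


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def view_account_vulnerable(req):
    """Looks up whatever id the URL supplied and never checks ownership."""
    return ACCOUNTS.get(req.account_id)


def view_account_hardened(req):
    """Authorises on the server: the record must belong to the session user.

    The same error is returned for 'no such account' and 'not your account'
    so an attacker cannot tell valid ids from invalid ones by the response.
    """
    record = ACCOUNTS.get(req.account_id)
    if record is None or record["owner"] != req.session_user:
        raise Forbidden("no such account for this user")
    return record


def flag_enumeration(log_lines, threshold=3):
    """Detection: return session users that touched >= threshold distinct ids.

    Each constructed log line has the form '<user> <method> <path> <status>'.
    """
    ids_by_user = {}
    for line in log_lines:
        user, _method, path, _status = line.split()
        account_id = int(path.split("id=")[1])
        ids_by_user.setdefault(user, set()).add(account_id)
    return sorted(u for u, ids in ids_by_user.items() if len(ids) >= threshold)


# Constructed access log: alice walks through ids she does not own.
SAMPLE_LOG = [
    "alice GET /account?id=1001 200",
    "alice GET /account?id=1002 403",
    "alice GET /account?id=1003 403",
    "bob GET /account?id=1002 200",
]


if __name__ == "__main__":
    print(view_account_vulnerable(Request("alice", 1002)))   # bob's record leaks
    try:
        view_account_hardened(Request("alice", 1002))
    except Forbidden as exc:
        print("hardened:", exc)
    print("enumerating sessions:", flag_enumeration(SAMPLE_LOG))
```

The fix is the ownership check, not hiding the id: obscuring or encrypting the URL parameter without server-side authorisation leaves the same hole. The detector is deliberately simple; in production the threshold would be tuned per endpoint and the 403 rate per session used as a second signal.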
‘Human error’ results in privacy breach for Children’s Disability Services clients: Manitoba government
The Manitoba government says 'human error' resulted in personal information about Children's Disability Services (CDS) clients being unintentionally shared this week. On Friday, the province said in a news release that the privacy breach occurred on Aug. 26, when staff from CDS "accidentally sent an email intended for the Manitoba Advocate for Children and Youth (MACY) to about 100 agencies and advocacy groups."
Over 54,000 scanned NSW driver’s licences found in open cloud storage
Tens of thousands of scanned NSW driver's licenses and completed tolling notice statutory declarations were left exposed on an open Amazon Web Services storage instance, but Transport for NSW doesn't know how the sensitive personal data ended up in the cloud. The open AWS S3 bucket was found by Bob Diachenko of Security Discovery, as part of an investigation into another data breach.
Clark County School District notifies parents after data security incident
School officials in Las Vegas notified parents of what administrators termed a "data security incident" involving district computers. The Clark County School District said Thursday the extent of the breach was being evaluated and that distance learning was not affected. The district tweeted a copy of the email it sent to parents. It really doesn't give any indication as to what type of incident this was.
Scoot says ‘no data breach’ after Singapore customers not on Guangzhou-bound flight mistakenly get emails about Covid-19 testing
Singapore budget airline Scoot issued a media statement to say that it has mistakenly emailed customers regarding requirements to undertake a Covid-19 test for a flight bound for Guangzhou, China. These included customers who have made no such bookings for the flight. A spokesperson for Scoot, which is a subsidiary of Singapore Airlines, also said today that there was no data breach or leak of personal information despite the error.
Wellington-Dufferin-Guelph Public Health notification of privacy breach
Wellington-Dufferin-Guelph Public Health is informing community members of a recent breach of privacy that affected an information dashboard that was used to display information about influenza cases in our community. This dashboard was posted on our public website between January 2020 and May 2020. The dashboard contained information on individuals with lab-confirmed cases of Influenza A and B. At no time were the names of clients exposed; however, it was possible to view certain kinds of personal information and personal health information such as the address of a case, specifics about the strain of influenza and information about their symptoms. Fewer than 100 people accessed the dashboard while it was posted and therefore the risk that any personal information or personal health information was accessed is very low.
Almost 235 Million YouTube, TikTok and Instagram Profiles Exposed Online by Unsecured Database
A security researcher has found a database with almost 235 million social media profiles scraped from the Internet, likely belonging to Social Data. Public user data is precious, and many companies want to gather it and sell it. Social media networks represent one of the best sources of this information. Many users keep their profiles open, allowing companies such as Deep Social to collect that data and compile it further. Bob Diachenko from Comparitech found three identical copies of the database online, with profiles taken from YouTube, TikTok and Instagram. While the database belonged to Social Data, the evidence points toward Deep Social, another company that scraped data from online sources and has since dissolved.
Exposed FCM keys leaves billions of users open to mass spam and phishing notifications
The FCM exploit originally discovered by security researcher Abss seems to have hit Microsoft Teams as well. Users have reported receiving mass spam push notifications early in the morning. The news has hit Reddit, with hundreds of users discussing the FCM spam. While Abss originally showed that the FCM exploit was possible with his proof of concept, users are now receiving mass spam notifications, which seems to indicate that someone has performed this attack in the wild.
Primary Indian ticket vendor suffers crippling data breach
One of India's most popular travel booking hubs was left exposed without adequate security measures and subsequently suffered a significant data breach that exposed all production server information and led to the loss of over 43GB of data. The affected Elasticsearch server was left publicly exposed without password protection or encryption for several days, which meant anyone with the server's IP address could have gained access to the entire database.
Hackers want money to release Haywood County school district files
There will be no remote learning in Haywood County schools for a second day. A ransomware attack against the district's computers shut schools down Monday. They'll be shut down again Tuesday.
38 Japan firms’ authentication data stolen amid surge in teleworkers
Sumitomo Forestry Co., Hitachi Chemical Co. and 36 other Japanese companies had authentication information to access their virtual private networks stolen and leaked by hackers this summer, an information security expert said Tuesday. VPN usage has increased as companies encourage employees to work from home due to the novel coronavirus pandemic. The stolen data could facilitate illegal third-party access to the firms' internal networks.