Last Week In CyberSecurity News — January 22, 2020 — LedgerOps

Proof-of-Concept Exploits Published for Microsoft-NSA Crypto Bug

Security researchers have released proof-of-concept (PoC) code for a recently disclosed vulnerability in the Windows operating system. The vulnerability, CVE-2020–0601, was initially reported to Microsoft by the U.S National Security Agency (NSA) and affects Windows CryptoAPI, a significant component that handles cryptographic operations.

According to cybersecurity researcher Tal Be’ery, “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”

According to the disclosures by the NSA, the DHS, and Microsoft, CVE-2020–0601 (also known as CurveBall) can be exploited to:

• launch MitM (man-in-the-middle) attacks as well as intercept and fake HTTPS connections
• fake signatures for files and emails
• fake signed-executable code launched inside Windows

Government agencies have been ordered to patch the vulnerability within ten days of its announcement. As PoC exploit code has been published online, it’s as important as ever to apply the proper patch updates.

Kudelski Security published the first CurveBall exploit, and shortly after, Danish security researcher group Ollypwn published their code, as well. Thankfully, Windows Defender has received updates to detect active exploitation and warn users of a potential threat to their systems.

ollypwn on Twitter

Windows Defender caught some attempts while testing. PoC should be ready soon #x509 #crypt32

Amitai Rottem on Twitter

Windows Defender Antivirus detects files w/crafted certificates exploiting the certificate validation vulnerability: ​Exploit:Win32/CVE-2020-0601.A (PE files) Exploit:Win32/CVE-2020-0601.B (Scripts) Also, #Microsoft Defender ATP has a threat report on your posture. #CVE-2020-0601

Read more here

Law Enforcement Seizes WeLeakInfo.com for Selling Access to Data From Data Breaches

The FBI has seized WeLeakInfo.com, a subscription-based search engine that allows users to explore personal information from over 10,000 data breaches. According to the U.S. Department of Justice announcement, the website illegally obtained and sold data breach information, amounting to over 12 billion records.

The two individuals allegedly involved in the WeLeakInfo operation were arrested in the Netherlands and Ireland. They are believed to have made over £200,000 of which the U.S. Department of Justice, along with other organizations, could trace back to the individual IP addresses of the arrestees.

The U.K. National Crime Agency has been able to establish “links between the purchase of cybercrime tools, such as remote access Trojans (RATs) and cryptors, and weleakinfo.com.” As seen below, to access the 12.5 billion records stolen from data breaches, users could subscribe to various plans for as little as $2.

Read more here

Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack

For almost a month now, Citrix Application Delivery Controllers (ADC) and Citrix Gateways have been vulnerable to a critical path traversal flaw (CVE-2019–1978). The flaw allows an unauthenticated entity to perform arbitrary code execution on vulnerable servers.

It affects all versions of the software, including:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Citrix’s announcement of the flaw did not initially provide any software patches; however, they did offer mitigation steps.

Thankfully, Citrix has now begun to release its first batch of updates, which provides permanent patches for ADC versions “11.1 and 12.0 that also apply to ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).”

Get more information here

Critical WordPress Bug Leaves 320,000 Sites Open to Attack

According to researchers from WebArx, two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from a new vulnerability. Both plugins contain a flaw that allows an attacker to access a site’s backend with no password. According to a WebArc blog post, an attacker only needs the admin username to access the site’s backend.

Both plugins were created to allow users to authenticate to numerous WordPress installations from one central server. According to the WordPress plugin library, 300,000 websites are running a vulnerable version of the InfiniteWP Client plugin, and 20,000 are running a vulnerable version of the WP Time Capsule plugin.

The proof-of-concept attack on InfiniteWP Client “requires a payload encoded with JSON, then Base64. Next, it is sent raw to the targeted site in a POST request,” and the WP Time Capsule Bug “only needs to contain a certain string in the body of the raw POST request.”

To mitigate the vulnerability, researchers recommend updating both software versions of the plugins.

Read more here

Bot List With Telnet Credentials for More Than 500,000 Servers and IoT Devices Leaked Online

A cybercriminal has recently dumped an extensive list of Telnet credentials for over 510,000 servers and smart devices. According to SecurityAffairs, this is the largest leak of Telnet passwords ever reported.

The list was first posted on a popular hacking forum under the operator of a DDoS booter service and includes IP addresses as well as the usernames and passwords of the Telnet service for each device.

A quick look at the list reveals that many of the device’s login information contains default, or easy-to-guess, credentials.

The top five credentials in the list were:

• root:[blank] — 782
• admin:admin — 634
• root:root — 320
• admin:default — 21
• Default:[blank] — 18

Security researcher Victor Gevers analyzed the list and found that more than 8,200 IP addresses were unique, and around 2,174 were accessible via Telnet by using the leaked credentials.

Read more here

Originally published at https://ledgerops.com on January 22, 2020.

Last Week In CyberSecurity News — January 14, 2020 — LedgerOps

56.25M US Residents’ CheckPeople Records Exposed on Chinese Server

Data from CheckPeople, a subscription-based service that allows users to search for certain information of other individuals, was recently exposed on a server with a Chinese IP address. The leaked data includes names, home addresses, phone numbers, ages, names of relatives, criminal records, and more. The archive was stored on a NoSQL database of metadata linking to CheckPeople.com.

Further investigation showed that the archive of data belongs to an IP address utilized by Alibaba’s web hosting company in Hangzhou, China. The data itself is not sensitive; however, having all the information in one place provides easy access for scammers, phishers, and other malicious actors to download it in bulk and conduct nefarious actions with it. The mass amount of data can also have negative consequences in combination with more sensitive information.

Read more here

PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability — Over 80,000 Vulnerable to Attacks

For almost a month, Citrix Application Delivery Controllers (ADC) and Citrix Gateways have been vulnerable to a critical path traversal flaw (CVE-2019–1978). The flaw allows an unauthenticated entity to perform arbitrary code execution on vulnerable servers.

It affects all versions of the software, including:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Citrix’s announcement of the flaw did not include any security patches; however, they offered mitigation steps to help system administrators guard their server against attacks.

According to Shodan, and other online-monitoring tools, over 80,000 Citrix ADC or Gateway servers are publicly accessible and exploitable due to the flaw.

As multiple groups have released proof-of-concept exploit code (Tool1, Tool2) for the vulnerability, it’s likely that thousands of attackers will begin to exploit vulnerable servers.

Read more here

Hundreds of Millions of Cable Modems Are Vulnerable to New Cable Haunt Vulnerability

Cable Haunt, a new security flaw impacting cable modems that use Broadcom chips, is believed to affect over 200 million cable modems throughout Europe. The flaw resides in a standard component in Broadcom chips, named a spectrum analyzer. A spectrum analyzer protects against signal surges and disturbances coming from a coax cable.

According to a team of Danish security researchers, the Broadcom chip spectrum analyzer lacks security in various areas, including default credentials, a programming error in its firmware, and a lack of protection against DNS rebinding attacks.

According to the security researchers and ZDNet, an attacker can use Cable Haunt to:

• Change the default DNS server
• Conduct remote man-in-the-middle attacks
• Hot-swap code or even the entire firmware
• Upload, flash, and upgrade firmware silently
• Disable ISP firmware upgrade
• Change every config file and settings
• Get and set SNMP OID values
• Change all associated MAC addresses
• Change serial numbers
• Be exploited in botnet

A white paper and a dedicated website were published by the security researchers, which contains further information about Cable Haunt.

The researchers have also provided proof-of-concept code that ISP users can implement to test their routers Cable Haunt attack vulnerabilities.

Get more information here

New York Man Sentenced in ATM Skimming Conspiracy

Bogdan Rusu has been sentenced to five years in prison for orchestrating an elaborate ATM skimming campaign, allowing him to gather $390,141 from numerous victims. According to the Department of Justice press release, Bogdan pled guilty to participating in the scheme and stated that he used card-reading devices with pinhole cameras throughout New Jersey, Massachusetts, and New York bank locations.

Once Rusu stole customer information and other data, he would then transfer the information to counterfeit payment cards which could steal money from the victims.

The case also introduced a larger ATM skimming scheme that involved over 11 individuals. The crooks were able to collect more than $868,000 from multiple accounts.

Read more here

Nemty Ransomware to Start Leaking Non-Paying Victims’ Data

To punish victims who refuse to pay their ransom, Nemty ransomware is implementing a tactic started by the Maze and Sodinokibi ransomware gangs.

Traditionally, ransomware groups encrypt files within an organization and demand a ransom to decrypt the data. Recently though, ransomware groups, including Nemty, have been stealing files before they encrypt them. And if a victim doesn’t pay the ransom, the ransomware releases small pieces of stolen data online until the victim makes payment.

Nemty plans to develop a blog website that publishes all stolen information from ransomware victims that reject the given ransom.

Read more here

Originally published at https://ledgerops.com on January 14, 2020.

Last Week In CyberSecurity News — January 7, 2020 — LedgerOps

Sodinokibi Ransomware Hits Travelex, Demands $3 Million

On December 31, Travelex, an international foreign currency exchange company, fell victim to a cyberattack that temporarily affected several services within the organization. As a precaution to protect data and reduce the spread of the virus, Travelex had to shut down all of its computer systems, causing issues for the 1,500+ stores across the world.

According to ComputerWeekly, it was a Sodinokibi ransomware attack that infiltrated the company.

A conversation between BleepingComputer and the Sodinokibi group revealed that the malicious actors have “encrypted the entire Travelex network and copied more than 5GB of personal data, which includes dates of birth, social security numbers, card information and other details.” Furthermore, the Sodinokibi group states that they’ve deleted the backup files and are demanding a $3 million ransom.

Information on how the attackers gained an initial foothold on the Travelex network has not been revealed; however, Travelex has been known to utilize insecure services in the past.

Read more here

Microsoft: RDP Brute-Force Attacks Last 2–3 days on Average

Microsoft recently published a months-long study into the impact of RDP brute-force attacks throughout various organizations in the corporate world. In the study, over 45,000 workstations running Microsoft Defender Advanced Threat protection collected data on RDP-login related events. And researchers for in total, 0.08% of RDP brute-force attacks are successful, and they last an average of 2–3 days.

RDP stands for Remote Desktop Protocol; it’s a feature within the Windows operating system that allows users to log in to a remote computer using a similar interface as a standard desktop.

According to Microsoft, “successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events.”

Recommendations for system administrators to lessen the risk of a successful RDP attack include combining and monitoring multiple signals that incorporate the:

• hour of the day and day of the week of failed sign-in and RDP connections
• timing of a successful sign-in following failed attempts
• Event ID 4625 logon type (filtered to network and remote interactive)
• Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
• cumulative count of distinct usernames that failed to sign in without success
• count (and cumulative count) of failed sign-ins
• count (and cumulative count) of RDP inbound external IPs
• count of other machines having RDP inbound connections from one or more of the same IP

Read more here

School Software Provider Active Network Discloses Data Breach

Active Network, a web-based school management software for kindergarten to twelfth-grade schools and counties, has suffered a significant security breach affecting thousands of individuals. According to the company’s breach notice, parents who accessed a portion of their accounting software to pay school fees or pay for materials between October 1, 2019, and November 13, 2019, may have had their personal information stolen.

Exposed data includes:

• Names,
• Store username and password,
• Payment card number,
• Payment card expiration date,
• Payment card security code.

Malicious actors were able to steal payment data through a software skimmer as parents sent payments through the Active Network web application.

Active Network has launched an investigation with the help of a cybersecurity firm to analyze the issue further.

Get more information here

Google Boots Security Camera Maker From Nest Hub After Private Images Go Public

A Reddit user named Dio-V first reported the issue, stating that their Google Nest Hub (which is connected to a Xiaomi Mijia 1080p Smart IP camera) shows videos of strangers instead of their footage. The post drew a great deal of attention, including Google Support — who stated that Google would disable “all Xiaomi integrations on [their] devices” while they work on the issue.

Further investigation into the issue revealed that a cache update to improve camera streaming quality was responsible for the issue and only happened in “extremely rare conditions.” A Xiaomi spokesperson spoke to Threatpost, stating that the Reddit user experienced this bug due to poor network conditions in combination with the cache update.

As connected cameras have caused significant privacy issues for consumers, bugs like these certainly do not instill confidence in the technology.

Read more here

Chrome Extension Caught Stealing Crypto-Wallet Private Keys

A Chrome extension was recently caught injecting JavaScript code into web pages to steal private keys and passwords from cryptocurrency portals and wallets. The malicious wallet, aptly named Shitcoin Wallet, allows users to manage Ethereum (ETH) coins as well as ERC20-based tokens. To use the service, though, a user has to install a chrome extension or download a Windows desktop app.

According to Harry Denley, the director of security at MyCrypto, the Shitcoin Wallet utilizes malicious code when users “navigate to five well-known and popular cryptocurrency management platforms.” The code then steals login credentials along with private keys and sends them to an erc20wallet[.]tk third-party website.

According to ZDNet and Denley, the malicious process follows these steps:

• Users install the Chrome extension
• The Chrome extension requests permission to inject JavaScript (JS) code on 77 websites [listed here]
• When users navigate to any of those 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
• This JS file contains obfuscated code [deobfuscated here]
• The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
• Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and finally, sends the data to erc20wallet[.]tk

It is still unclear whether the Shitcoin Wallet team or a third-party actor is responsible for the malicious code.

Read more here

Originally published at https://ledgerops.com on January 7, 2020.

Last Week In CyberSecurity News — December 31, 2019 — LedgerOps

Data Breach at Wyze Labs Exposes Information of 2.4 Million Customers

Last week, Wyze, a cost-effective home-security system company, experienced a large-scale breach impacting 2.4 million customers. Cybersecurity consulting firm Twelve Security notified Wyze about the breach, stating that Wi-Fi network details and email addresses of customers had been exposed for a total of 23 days. The unsecured database was connected to an Elasticsearch cluster from December 4, 2019, to December 27, 2019.

Wyze placed the cause of the data leak on an employee mistake that persisted due to a lack of security protocol enforcement. A new employee created a “flexible database to quickly pull user analytics, such as camera connectivity rates, user growth and the number of devices connected per user,” however, (s)he didn’t configure the proper security protocols on the database.

Wyze sent an email out Tuesday morning to its customers with further information about the breach and what actions the security company will take to protect its customers in the future.

Read more here

North Korean Hackers Allegedly Steal ‘Highly Sensitive Information’ From Microsoft Users

Microsoft is suing Thallium, an infamous North Korean hacking group, for allegedly stealing highly sensitive information from multiple organizations and individuals within the United States.

According to CNN and Microsoft, “Thallium targeted government employees, think tanks, university staff and members of groups that work on issues including nuclear proliferation and human rights”

More specifically, the lawsuit calls out two individuals who Microsoft believes work for Thallium. Using spear phishing attacks, Thallium has allegedly stolen passwords and other sensitive information from individual users. Once the group obtains login credentials, they scavenge emails, contact lists, and all additional information stored on Microsoft users’ accounts.

According to Microsoft, Thallium has been active since 2010 and poses a substantial threat to several organizations around the United States.

Read more here

Maze Ransomware Releases Files Stolen From City of Pensacola

Earlier this month, Pensacola became a victim of a ransomware attack, forcing the city to shut down its computer systems. Attackers used “Maze Ransomware” and demanded a $1 million ransom to decrypt the city’s files.

Last week, the cybercriminals released 2GB of the 32GB of data they stole and encrypted from the Pensacola network. In a discussion with Bleeping Computer, the attackers stated that the purpose of releasing Pensacola’s data was to prove that more than a few files were taken during the ransomware attack and that more data may be released in the future.

Get more information here

US Coast Guard Discloses Ryuk Ransomware Infection at Maritime Facility

The US Coast Guard (USCG) recently experienced a Ryuk ransomware attack, causing the organization to go offline for more than 30 hours. According to USCG officials, the initial point of compromise was a malicious email sent to a facility employee. Once the malware entered the facility’s IT network, the threat spread quickly and impacted “industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.”

According to ZDNet and Coast Guard officials, the infection caused a large disruption within the network, halting camera and physical access control systems, process control monitoring systems, and more.

Ransomware attacks have become increasingly common throughout 2019. As usual, it’s recommended to keep your antivirus software up-to-date and practice proper cybersecurity hygiene when browsing the internet.

Read more here

Special Olympics New York Hacked to Send Phishing Emails

Special Olympics New York, a nonprofit organization that provides training and athletic competitions to thousands of children and adults, experienced a security incident last week resulting in the hacking of their email servers. Due to this incident, malicious actors were able to impersonate the organization and send out phishing emails stating that an “impending donation transaction that would automatically debit $1,942,49 from the target’s account within two hours.”

The email provided a link that directs the victim to the attackers’ landing page. The landing page is no longer available, but the phisher likely utilized it to collect victims’ credit card details.

After discovering the security breach, Special Olympics New York sent out an email disclosing the hack and telling recipients to disregard the previous message (the phishing email).

Thankfully, no financial information was taken as only the communication systems were impacted by the hack.

Read more here

Originally published at https://ledgerops.com on December 31, 2019.

Last Week In CyberSecurity News — December 24, 2019 — LedgerOps

9-Month Data Breach Affects Millions of Wawa Customers

Last week, Wawa announced that millions of customers might have had their credit or debit card information stolen in a data breach impacting almost all of their store locations. According to the report, malware, which originated on March 4, was discovered on Wawa’s payment processing servers on December 10. As a result of the breach, Wawa is offering enrollment in a credit monitoring service, Experian Identity Works, free of charge.

Wawa’s CEO Chris Gheysens states that stolen information includes:

• credit and debit card numbers,
• expiration dates,
• and cardholder names on payment cards.

Potentially all Wawa in-store payment terminals and fuel dispensers became compromised at different points.

If you have been to a Wawa sometime between March and December, monitoring your payment card account statements and checking your credit reports will help mitigate any potential fraudulent activity.

Read more here

LifeLabs Data Breach Exposes Personal Info of 15 Million Customers

LifeLabs recently experienced a data breach, exposing the sensitive information of almost 15 million Canadian clinical laboratory customers. Of those 15 million customers, around 85 thousand had their lab results exposed as well.

The stolen information includes:

• Customer names
• Addresses
• Emails
• Logins
• Passwords
• Dates of birth
• Health card numbers

You can find the data breach announcement here.

Read more here

Cryptocurrency-Mining Botnet Uses a Taylor Swift Image to Hide Malware Payloads

A botnet, named MyKingz (also known as DarkCloud, Smominru, or Hexmen), is currently using an image of Taylor Swift to hide malware payloads which infect various devices over the internet.

MyKingz utilizes an internet scanning module that targets vulnerable hosts to gain an initial foothold on a victim’s device. Typically, the botnet abuses unpatched vulnerabilities in Telnet, SSH, RDP, and other software related programs; however, it’s now using steganography-based attacks.

Steganography is a tactic to hide malicious files inside of legitimate ones. According to Sophos, a UK-based security firm, MyKingz is hiding malicious EXE files inside of JPEG images of Taylor Swift. MyKingz uses this technique with the hopes of tricking security software on enterprise networks into only detecting a JPEG file download, rather than a malicious EXE file.

Cybercriminals have used other steganography-based attacks in the past, such as hiding EXE files in WAV audio files. The MyKingz attacks have proved successful as Sophos estimates it currently makes $300 a day, totaling over $3 million as of this writing.

You can read more about MyKingz here.

Get more information here

Apple Opens Its Invite-Only Bug Bounty to the Public, $1M Payout Included

Apple has officially announced its private bug bounty program, providing rewards from $25,000 to $1 million. The bug bounty encompasses a variety of products, including Macs, iPhones, iPads, and Apple TVs.

The substantial $1 million bounty requires security researchers to provide a reliable exploit for a zero-click remote chain with full kernel execution and persistence on Apple’s latest hardware as well as a bypass for Apple’s kernel Pointer authentication code.

According to Apple, vulnerability types include:

• Unauthorized iCloud account access
• Physical access to device
• Lock screen bypass
• User data extraction
• User-installed app: unauthorized access to sensitive data
• User-installed app: kernel code execution
• User-installed app: CPU side-channel attack
• Vulnerabilities that can be exploited using a malicious application
• And much more

Read more here

CVE-2019–19781 Citrix Flaw Puts 80,000 Companies at Risk

A critical vulnerability in Citrix’s Application Delivery Controller (NetScaler ADC) and Citrix Gateway has put over 80,000 companies at risk. The vulnerability, CVE-2019–19781, affects all supported versions of the product on all supported platforms.

According to the security researcher who discovered the vulnerability, the flaw allows “attackers [to] obtain direct access to the company’s local network from the Internet,” and it “does not require access to any accounts,” allowing it to be performed by any external attacker.

As Citrix applications are widely used in corporate networks, remediating the flaw is critical. Thankfully, Citrix has released steps to lessen the risk of a successful attack with a recommendation to update all vulnerable software versions.

Read more here

Originally published at https://ledgerops.com on December 24, 2019.

Last Week In CyberSecurity News — December 17, 2019 — LedgerOps

New Orleans Declares State of Emergency Following Ransomware Attack

Another ransomware attack has claimed a new victim; this time New Orleans has been forced to shut down its computers after a cyberattack. According to a press conference by Kim LaGrue, the city’s head of IT, suspicious activity was discovered around 5 a.m. last Friday. Once the city confirmed it was under attack, officials shut down its servers and computers.

Even though ransomware was detected throughout the organization, no ransom requests were made. According to BleepingComputer, the ransomware attack on the city of New Orleans was likely conducted by the Ryk Ransomware cybercriminals.

Memory dumps uploaded from a US IP address to VirusTotal contained several references to New Orleans and Ryuk. Colin Cowie of Red Flare Security discovered this, providing a picture showing that the ransomware encrypted New Orleans’s “Contracts and Revenue” file share.

According to BleepingComputer and Cowie, the memory dump is for an executable named ‘yoletby.exe.’ It contains numerous “references to the City of New Orleans, including domain names, domain controllers, internal IP addresses, usernames, file shares, and references to the Ryuk ransomware.”

As of right now, it is unknown if the attackers have requested a ransom.

Read more here

Batch of 460,000+ Payment Cards Sold on Black Market Forum

Security researchers have discovered four databases containing credit card information throughout various underground markets.

Initially, two databases, each holding the information of over 30,000 credit cards, were available on the popular black-market forum, Joker. Each card was available for $3.00, and 85 to 90 percent of the cards were valid with the proper documentation necessary to purchase items online.

According to Group-IB, a cybersecurity company based out of Singapore, the two databases are reportedly related to the Top 10 Turkish banks.

At the end of last month, two more databases opened up on the Joker’s Stash forum. Each database contained data for 190,000 to 205,000 credit cards, each costing $1.00.

According to BleepingComputer, the data within each database includes the expiration date, CVV code (card verification value), card number, and the name of the owner as well as other information such as email addresses, names, and phone numbers.

The overall source of the data is still unknown; however, you should be mindful of your credit card bill to reduce the damage of any fraudulent activity.

Read more here

New Plundervolt Attack Impacts Intel CPUs

Last week, academics disclosed a new attack that affects the information inside Intel Software Guard eXtensions (SGX), a highly secured area of Intel CPUs. The attack, named Plundervolt, exploits the interface “through which an operating system can control an Intel processor’s voltage and frequency — the same interface that allows gamers to overclock their CPUs.”

By tampering with the amount of voltage a CPU receives, researchers were able to alter bits inside SGX, causing exploitable errors. A malicious actor can use this vulnerability to recover encryption keys or inject bugs in a (previously) secure software environment.

Intel SGX is a security feature present in all modern Intel CPUs which allows developers to isolate applications in secure environments. Doing so enables the applications to trust the CPU with sensitive information away from other applications running on the operating system.

Fortunately, this vulnerability cannot be exploited remotely as it needs to run with root privileges from an app on the infected host. Patches were released last week as part of security advisory INTEL-SA-00289, providing device administrators a new BIOS option to disable the volt-changing interface on their systems.

The vulnerability impacts Intel desktops, servers, and mobile CPUs. According to Intel, the following CPU series are vulnerable to Plundervolt attacks:

• Intel® 6th, 7th, 8th, 9th & 10th Generation CoreTM processors
• Intel® Xeon® Processor E3 v5 & v6
• Intel® Xeon® Processor E-2100 & E-2200 families

Get more information here

FIN8 Targets Card Data at Fuel Pumps

Fuel pumps at gas stations seem to be a new target for the notorious FIN8 cybercrime group. According to Visa’s online public alert, two separate payment card detail skimming campaigns have emerged in the past year.

The first attack compromises point-of-sale (PoS) systems by sending phishing emails to employees that include a malicious link which installs a remote access trojan on the merchant network. After gaining a successful foothold inside a network, the attacker moves laterally into the PoS environment and harvests payment card data.

The second type of attack targets similar gas-pump dispensers within North America; however, the initial compromise of the network is still unknown.

Gas stations have become an increasingly popular target for cyberattacks due to their typical lack of security.

Read more here

SEC Charges Shopin Founder with Fraud over Unregistered $42M ICO

The United States Securities and Exchange Commission (SEC) has charged Eran Eyal, the founder of Shopin, for allegedly running a scam initial coin offering (ICO). According to the SEC, Eyal defrauded investors in his initial coin offering which raised more than $42 million. He is also accused of operating an unregistered ICO without any proper documentation.

Shopin advertised a service consisting of universal shopper profiles on the blockchain. Additionally, the service would “track customer purchase histories across online retailers and recommend products based on the collected data.” However, according to the SEC, Shopin has not developed a functional platform for the product.

The SEC also alleges that Eyal “misappropriated investor funds for his personal use, including at least $500,000 used for rent, shopping, entertainment expenses, and a dating service.” Eyal pled guilty to criminal charges brought by the New York Attorney General’s office and pled guilty to operating three security fraud schemes, including Shopin.

CoinDesk states that around $450,000 in cryptocurrency will be turned over to the New York State Attorney General, and Eyal will have to step down from his role as CEO of Shopin as well as pay over $600,000 in fines and restitution due to his actions.

Read more here

Originally published at https://ledgerops.com on December 17, 2019.

Last Week In CyberSecurity News — December 3, 2019 — LedgerOps

Data of 21 Million Mixcloud Users up for Sale on the Dark Web

Online music streaming service Mixcloud confirmed last Saturday that it had experienced a data breach affecting 21 million users. And the hacker behind the breach has contacted several journalists, providing data samples to prove its legitimacy.

The stolen data includes usernames, email addresses, hashed passwords, registration dates, IP addresses, and more. Mixcloud has stated that the hashed passwords should remain safe as they are salted and encrypted using SHA256; however, they have advised users to reset their passwords for additional protection.

The person(s) behind the breach goes by the name A_W_S and has previously worked with other hackers such as Gnosticplaters. A_W_S has also claimed to be responsible for data breaches involving Vanva, Chegg, StockX, PromoFarma, and more. According to ZDNet, the data for the previous breaches were put on sale earlier this year. And the stolen Mixcloud data is currently being advertised on the dark web for $2,000.

Read more here

Europol Shuts Down ‘Imminent Monitor’ RAT Operations with 13 Arrests

Imminent Monitor, a remote administration framework used by cybercriminals, was shut down by a coordinated international law enforcement operation. According to Europol, both buyers and sellers of the Imminent Monitor Remote Access Trojan (IM-RAT) were targeted during the operation. Over 14,500 individuals have bought the IM-RAT, and it’s been used to attack victims throughout 124 countries.

High-ranking customers of the IM-RAT were also arrested throughout the operation. These arrests were conducted throughout Australia, Colombia, Czechia, the Netherlands, Poland, Spain, Sweden, and the United Kingdom. According to TheHackerNews, the IM-RAT allows full control over the victims’ devices, allowing the malicious actor to conduct these actions:

• record keystrokes,
• steal data and passwords from browsers,
• spy on victims via their webcams,
• download/execute files,
• disable anti-virus and anti-malware software,
• terminate running processes,
• perform dozens of other actions.

The trojan itself costs as little as $25 with lifetime access, making a cheap and accessible weapon to those who want to carry out malicious attacks.

You can find Europol’s press release here.

Read more here

Upbit Cryptocurrency Exchange Hacked, $48.5 Million Worth of ETH Stolen

Upbit, a South Korean cryptocurrency exchange, has disclosed a security breach resulting in the theft of $48.5 million worth of cryptocurrency from its hot wallets. Malicious actors were able to siphon 342,000 ETH, further establishing the importance of minimizing the use of hot wallets to store large sums of cryptocurrency. The cryptocurrency has been transferred to a wallet — 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.

Upbit states that the exchange will cover the stolen funds, and it will restore regular operations in a few weeks. As a security precaution, all funds that are currently in its hot wallets have been transferred to a cold wallet.

Some users are suspicious of the incident, stating that the theft of the funds is due to an exit scam or inside job.

Get more information here

Adobe Magento Marketplace Exposes User Info in Data Breach

Magento Marketplace, a repository that provides free and paid extensions/themes for the e-commerce platform, has been breached, resulting in the theft of account information. Last year, Adobe acquired Magento for $1.68 billion.

Data from the breach includes names, emails, MageIDs, billing and shipping addresses, and phone numbers. According to BleepingComputer, other compromised information includes the percentages of payments to developers.

Magento explains that a vulnerability within the platform allowed an unauthorized third party to gain access to their system; however, the vulnerability was identified and quickly fixed.

Read more here

Dexphot Malware Hijacks 80K+ Devices to Mine Cryptocurrency

Dexphot has utilized a complex attack chain combined with antivirus evasion techniques to infect more than 80,000 devices. Once a device is infected, the malware siphons its CPU power to mine cryptocurrency. To evade security solutions, Dexphot implements “layers of obfuscation, encryption and randomized file names to hide its installation process.”

The malware also contains a script that monitors services and checks the status of the malicious processes running on the victims’ computers. If one process is interrupted, others will continue to run, adding redundancy to the malware attack.

Microsoft’s Defender ATP Research Team has released a blog post describing the malware. You can find it here.

Read more here

Originally published at https://ledgerops.com on December 3, 2019.

Last Week In CyberSecurity News — November 26, 2019 — LedgerOps

Extensive Hacking Operation Discovered in Kazakhstan

Last Friday, Qihoo 360, a Chinese cybersecurity vendor, published a report exposing an extensive hacking operation focusing on people in Kazakhstan. Targets include government agencies, foreign diplomats, researchers, journalists, and government dissidents, among others. The malicious actors are said to have extensive resources and could develop “private hacking tools, buy expensive spyware off the surveillance market and even invest in radio communications interception hardware.”

Qihoo 360 researchers named the group behind the campaign as Golden Falcon or APT-C-34. However, according to Kaspersky, Golden Falcon is another name for DustSquad, a hacking group that has been active for the past two years. The report further explains Golden Falcon’s operations, stating the information stolen was seemingly categorized by city and each city’s folder contained data from numerous victims. In total, researchers discover victims from the 13 largest cities in Kazakhstan and more.

According to ZDNet, two hacking tools were used by Golden Falcon. The first, a Remote-Control System, is a surveillance kit sold by HackingTeam, and the second is a backdoor trojan named Harpoon, which “appears to have been developed by the group itself.”

Qihoo 360 obtained the manual for the backdoor. The backdoor mechanisms include:

• Keylogging
• Stealing of clipboard data
• Taking a screenshot of the active window at predetermined intervals
• Listing the contents of a given directory
• Getting Skype login name, contact list, and chat message history
• Getting Skype and Google Hangouts contacts and voice recordings
• Recording sound via the microphone, eavesdropping
• Copying a specified file from the target computer
• Automatically copying files from removable media
• Storing all intercepted data in an encrypted data file, inside a specified directory
• Sending stolen data to a specified FTP server
• Running a program or operating system command
• Downloading files from a given FTP into a specific directory
• Remotely reconfiguring and update components
• Receiving data files from a given FTP and automatically extract the files to a specified directory
• Self-destructing

Read more here

Personal and Social Information of 1.2B People Exposed on Open Elasticsearch Install

The database, discovered by Bob Diachenko and Vinny Troia, contains more than four terabytes of data, making it one of the largest data leaks from a single organization. The leaked data includes personal and social information, such as names, email addresses, and phone numbers as well as LinkedIn and Facebook profile information. The data within the server appears to be from two different data enrichment companies, People Data Labs and OxyData.io.

The server itself was unprotected and easily accessible via http://35.199.58.125:9200. While it appears that sensitive data remained safe, leaving any server unsecured is has the potential for catastrophe.

Read more here

Coin Stealer Found in Monero Linux Binaries from Official Site

Last week, Monero’s official website was compromised, resulting in a coin stealer being implanted within their Linux 64-bit command-line Monero binaries. Multiple concerned users reported throughout Reddit, Twitter, and GitHub that the binaries downloaded from the website did not have matching hashes for over 40 minutes.

Monero || #xmr on Twitter

Monero Security Warning: CLI binaries available on https://t.co/UYopePqqdo may have been compromised at some point during the last 24h. Investigations ongoing. https://t.co/BqnONy4PPg

Moderators on Monero’s subreddit recommended that users verify the integrity of the binaries with Fluffypony’s GPG key to ensure validity. SerHack, a security researcher and contributor to the Monero project, stated that he discovered a coin stealer embedded within the non-verified CLI binaries. A detailed analysis of the malware can be found here.

Get more information here

Google Offers up to $1.5 Million Bounty for Remotely Hacking Titan M Chip

Google has announced an increase in various rewards for finding and reporting critical vulnerabilities in the Android operating system. The most significant increase includes a $1 million bug bounty for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.” If a security researcher can achieve full chain remote execution in developer preview versions of Android, Google will pay an additional $500,000, making the total $1.5 million for the find.

Google’s Titan M is a dedicated chip that protects devices against boot-time attacks. The separated hardware chip works with sensitive data, passcode verification, private, keys and more. Other new bounties include data exfiltration and lock screen bypass vulnerabilities.

In total, Google has paid out $1.5 million in 2019 as part of its bug bounty program.

Read more here

TrickBot Trojan Getting Ready to Steal OpenSSH and OpenVPN Keys

TrickBot, the banking trojan that seems to evolve constantly, has upgraded its capabilities with an updated password grabber module. The new module steals OpenSSH private keys and OpenVPN passwords/configuration files. This February, the password stealer module was upgraded to take VNC, PuTTY, and Remote Desktop Protocol (RDP) credentials.

According to security researchers, TrickBot uses HTTP POST requests to send OpenSSH and OpenVPN passwords to their Command and control (C2) servers. The Unit 42 research team states that the “best security practices like running fully-patched and up-to-date versions of Microsoft Windows will hinder or stop TrickBot infections,” further emphasizing the importance of keeping a healthy patching schedule.

Read more here

Originally published at https://ledgerops.com on November 26, 2019.

Last Week In CyberSecurity News — November 19, 2019 — LedgerOps

New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware on Your Device

Yet again, WhatsApp is experiencing troubles related to the security infrastructure of its messaging platform. Last month, the company quietly patched another critical vulnerability which allowed a malicious actor to compromise devices remotely.

The vulnerability, CVE-2019–1193, is a stack-based buffer overflow issue that resides in the way WhatsApp parses the stream data of an MP4 file. This vulnerability results in denial-of-service or remote code execution attacks in which an attacker can steal secure chat messages and files you store in the application.

To exploit the vulnerability, an attacker first develops a malicious MP4 file and sends it to a vulnerable user. The file then installs a malicious backdoor on the device without the user’s knowledge.

The vulnerability affects all users of WhatsApp, including Apple iOS, Android, and Microsoft Windows devices.

According to a statement by Facebook, the affected app versions include:

• Android versions before 2.19.274
• iOS versions before 2.19.100
• Enterprise Client versions before 2.25.3
• Windows Phone versions before and including 2.18.368
• Business for Android versions before 2.19.104
• Business for iOS versions before 2.19.100

Read more here

TSX Speculative Attack Allows Theft of Sensitive Data from Latest Intel CPUs

A new vulnerability, CVE-2019–11135, which affects the latest Intel CPUs, has been disclosed. And criminals can exploit the vulnerability to launch a TSX Speculative attack.

Transactional Synchronization Extensions (TSX) is a feature within Intel processors that adds hardware transactional memory support. The TSX feature has been implemented within all Intel CPUs manufactured since 2013.

A local attacker or malicious code can exploit this feature to steal sensitive information from the operating system kernel. This type of attack also targets speculative execution that work to improve performance within the processors.

Researchers discovered that “aborting memory transactions may allow processes to compute the data found in other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.”

You can find technical details on the Zombieload website.

Read more here

Chrome, Edge, Safari Hacked at Elite Chinese Hacking Contest

China’s top hacking competition, Tianfu Cup, is a two-day event, similar to Pwn2Own, where Chinese security researchers test zero-days against some of the most popular applications used throughout the world. On the first competition day, 32 hacking sessions were scheduled; of these, 13 were successful, seven failed, and 12 sessions were abandoned.

According to ZDNet, security researchers were successful in breaking into:

• (3 successful exploits) Microsoft Edge (the old version based on the EdgeHTML engine, not the new Chromium version) [tweet]
• (2) Chrome [tweet]
• (1) Safari [tweet]
• (1) Office 365 [tweet, tweet]
• (2) Adobe PDF Reader [tweet]
• (3) D-Link DIR-878 router [tweet]
• (1) qemu-kvm + Ubuntu [tweet, tweet]

The organizers of the event plan to report all bugs to the respective organizations when the competition finishes.

On the second day, eight out of the 16 sessions were successful.

Successful exploits targeted:

• (4) D-Link DIR-878 [tweet]
• (2) Adobe PDF Reader [tweet]
• (1) VMWare Workstation [tweet, tweet]

Team360Vulcan won the competition, earning them $382,500 for hacking “Microsoft Edge, Microsoft Office 365, qemu+Ubuntu, Adobe PDF Reader, and VMWare Workstation.”

Get more information here

Two Charged Over Crypto Theft via SIM Swapping, Death Threats

The Boston U.S. District Court has arrested and charged two men for stealing high-value social media accounts as well as hundreds of thousands of dollars worth of cryptocurrency by using death threats, hacking, and SIM swapping attacks.

The two men, Eric Meiggs and Declan Harrington, “were charged with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse, and one count of aggravated identity theft.”

Both defendants allegedly targeted cryptocurrency executives and other high-profile targets. They stole funds by taking over various victims’ online accounts and siphoning the cryptocurrency from their Block.io or Coinbase wallets.

According to the unsealed indictment, the defendants conducted several attacks, including:

• Identifying potential victims who likely had significant amounts of cryptocurrency, for example, executives of cryptocurrency companies.
• Researching potential victims using online tools.
• Engaging in SIM swapping in order to take control of victims’ cell phone number
• Leveraging their control over victims’ cell phones to obtain unauthorized access to the victims’ online accounts, including email accounts, social media accounts, and cryptocurrency accounts.
• Using their access to victims’ accounts, to take control of, and steal things of value from, the victims’ online accounts, including their account handles and their cryptocurrency.
• Selling or otherwise transferring victims’ log-in credentials, account handles, and cryptocurrency to others in exchange for money or other things of value.
• Using victims hacked online accounts to communicate with the victims’ friends and family in order to ask for money and cryptocurrency.
• Communicating with co-conspirators via online social media and chat platforms.
• Using multiple online accounts to hide their identities and evade detection by law enforcement.

Both Meiggs and Harrington face a maximum of 20 years in prison for wire fraud with an additional two years in prison for aggravated identity theft.

Read more here

GitHub Launches Security Lab to Boost Open-Source Security

Last week, during the GitHub Universe developer conference, GitHub announced plans to launch a global platform for reporting and fixing security vulnerabilities in open-source projects. Google, Oracle, Mozilla, Intel, Uber, VMWare, and more have already partnered up with GitHub for the Security Lab project.

GitHub states that at least 40 percent of security flaws affecting open source code don’t receive a CVE when they’re announced. Therefore, those vulnerabilities are excluded from public databases which would alert customers of the risk.

As an additional security measure, GitHub also offers a token-scanning system to spot hard-coded credentials throughout various formats, a system used by 20 different cloud providers.

Read more here

Originally published at https://ledgerops.com on November 19, 2019.

Last Week In CyberSecurity News — November 12, 2019 — LedgerOps

Amazon’s Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password

Bitdefender security researchers have disclosed a high-severity vulnerability in Amazon’s Ring Video Doorbell Pro devices that allows nearby criminals to steal your Wi-Fi password, among other cyberattacks. The popular wireless home security doorbell cameras are used by millions of individuals around the world to see and speak to anyone in front of the camera.

For the device to work, you need to connect it to your Wi-Fi network, and during the setup steps, you must enable configuration mode from the doorbell. While the device is in configuration mode, it produces an access point with no password. And when you share your home’s Wi-Fi password, the device sends it insecurely through plain HTTP. During this time, a nearby attacker could connect to the unprotected access point and steal your Wi-Fi password using a man-in-the-middle attack.

Malicious actors can abuse this vulnerability by triggering the reconfiguration process of the Ring Video Doorbell Pro. Researchers state,

“One way to do this is to continuously send deauthentication packets, so that the device is dropped from the wireless network. At this point, the app loses connectivity and tells the user to reconfigure the device.”

Once the device enters configuration mode, the user has to re-share their Wi-Fi credentials, allowing an attacker to capture the plaintext.

According to Bitdefender and The Hacker News, once the attacker has the user’s Wi-Fi password, they can launch various attacks, including:

• Interacting with all devices within the household network;
• Intercepting network traffic to run man-in-the-middle attacks
• Accessing all local storage (NAS, for example) and subsequently accessing private photos, videos and other types of information,
• Exploiting all vulnerabilities existing in the devices connected to the local network and getting full access to each device, which may lead to reading emails and private conversations,
• Getting access to security cameras and stealing video recordings.

Read more here

DNA-Testing Startup Veritas Genetics Discloses Security Breach

Veritas Genetics, a “whole genome sequencing company” that provides actionable insights for a healthier life and family, has disclosed a security breach containing the exposure of customer information.

The company discovered unauthorized access to its customer-facing portal and stated only a portion of its customers has been impacted. The company did not reveal further information on when or how long customer data has been exposed. In the company’s statement, it assured customers that DNA test results and health records were not accessed.

Read more here

Quiksilver and Billabong Affected by Ransomware Attack

One of the world’s largest brands of surfwear and board sport-related equipment manufacturers was hit by a ransomware attack that affected its subsidiaries, including Quiksilver, Billabong, DC Shoes, Element, and more. The attack forced the company to shut down multiple systems all over the world. And, employees were prohibited from turning on their computers until the system was cleaned.

The attack also affected many of its communications and sales/distribution networks. The systems seem to have been restored and are now operating normally.

Get more information here

Encrypted Emails on macOS Found Stored in Unprotected Way

Bob Gendler, an Apple IT specialist, has discovered a in macOS computers in which emails that are supposed to be protected with encryption are stored in a .db file unencrypted, rendering the purpose of an encrypted email useless.

To be affected, an individual would have to “be using macOS and Apple Mail, as well as be using Apple Mail to send encrypted emails without using FileVault to encrypt the entire system.”

The flaw brings up the question as to what else is tracked and improperly stored within the operating system. Gendler informed Apple on July 29 regarding this issue, but Apple has yet to resolve or address it.

Read more here

Google Asks Three Mobile Security Firms to Help Scan Play Store Apps

Google has had a long history of battling malicious applications in its Play Store. To help maintain a safer and more cyber-conscious app environment, Google has partnered with three cybersecurity firms — , , and — to start a new project called the App Defense Alliance.

The App Defense Alliance aims to improve the security scans that Android apps go through before being published on the Play Store by utilizing various malware and threat detection engines.

Typically, when an app developer applies to be listed on the Play Store, the app is scanned using Google Play Connect and a Google-internal system called Bouncer. While these systems have caught numerous malicious applications, it hasn’t been perfect. Many malicious actors have developed mitigations to get past Bouncer and Play Protect scans, such as using a multi-stage delivery system.

In Google’s announcement, the company states that it is “integrating [its] Google Play Protect detection systems with each partner’s scanning engines” and “this will generate new app risk intelligence as apps are being queued to publish.”

As malicious applications are becoming more common, these additional processes appear to be a correct step in the never-ending process of battling trojans and other malware threats.

Read more here

Originally published at https://ledgerops.com on November 12, 2019.