Sunday, January 19, 2025

2FA Authenticator on GooglePlay Store loaded well-known banking trojan


A fake two-factor-authentication app that has been downloaded over 10,000 times from Google Play surreptitiously installed a known banking-fraud trojan that scoured infected phones for financial data and other personal information, security firm Pradeo said.

2FA Authenticator offered real 2FA functionality, but this time it came with strings attached.

2FA Authenticator went live on Google Play two weeks ago, posing as an alternative to legitimate 2FA apps from Google, Twilio, and other trusted companies. In fact, researchers from security firm Pradeo said on Thursday, the app steals personal data from user devices and uses it to determine whether infected phones should download and install a banking trojan already known to have infected thousands of phones in the past.

The vulturs are circling

Vultur is an advanced piece of Android malware. One of its many innovations is its use of a real implementation of the VNC screen-sharing application to mirror screens of infected devices so attackers can glean in real time the login credentials and other sensitive data from banking and finance apps.

To make 2FA Authenticator look real, its developers started with a legitimate copy of the open source Aegis authentication application. An analysis of the malware shows that it really was programmed to provide the authentication service it advertised.

Malicious 2FA Authenticator Continued

Behind the scenes, however, stage one of the 2FA Authenticator collected a list of apps installed on the device along with the device’s geographic location. The app would also disable the Android lock screen, download third-party apps with the pretense they were “updates,” and overlay other mobile app interfaces to confuse users.

In the event infected phones were in the right locations and had the right apps installed, stage two of 2FA Authenticator would install Vultur, which at last check was programmed to record Android device screens when any of 103 banking, financial, or cryptocurrency apps are running in the foreground.

Pradeo said that 2FA Authenticator went live on January 12, that company researchers notified Google that the app was malicious on January 26, and that Google removed it about 12 hours later. Over the two weeks it was available in Play, the app was installed by about 10,000 users. It’s not clear if Google has notified any of them that the security app they thought they were getting was, in fact, a banking-fraud trojan.

In retrospect, there were red flags that experienced Android users could have spotted that 2FA Authenticator was malicious. Chief among them were the extraordinary number and breadth of system permissions it required. They included:

  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.INTERNET
  • android.permission.FOREGROUND_SERVICE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.DISABLE_KEYGUARD
  • android.permission.WAKE_LOCK

The official Aegis open source app code requires none of these permissions. App downloads posing as updates might be another telltale sign that something was amiss with 2FA Authenticator.
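The permission list above is the kind of red flag a reviewer can check mechanically before installing or approving an app. The following is an added example, not code from the article, from Pradeo, or from the Aegis project: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool), flags the permissions the article names, and rates the combination. The manifest, the reason strings and the thresholds are this example's own constructions.

```python
"""Flag high-risk permission requests in a decoded Android manifest.

Added example; not from the article, Pradeo or Aegis. Assumes a plain-text
AndroidManifest.xml (e.g. after apktool decoding). The sample manifest below
is constructed for the demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article lists as red flags for a 2FA app. The reason text is
# this example's own one-line summary of why each is suspicious in that context.
WATCHLIST = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed apps (target profiling)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional APKs ('updates')",
    "android.permission.DISABLE_KEYGUARD": "can disable the lock screen",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself after reboot",
    "android.permission.FOREGROUND_SERVICE": "keeps a long-running service alive",
    "android.permission.WAKE_LOCK": "keeps the device awake",
    "android.permission.INTERNET": "network access",
}

# Constructed sample manifest for a purported authenticator app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeauth">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="2FA Authenticator"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def flag_permissions(manifest_xml: str) -> dict[str, str]:
    """Return {permission: reason} for each watchlisted permission requested."""
    return {p: WATCHLIST[p] for p in requested_permissions(manifest_xml) if p in WATCHLIST}


def risk_verdict(manifest_xml: str) -> str:
    """Rate the manifest: overlays + side-loading + lock-screen control together
    are the dropper combination the article describes (thresholds are ours)."""
    flagged = set(flag_permissions(manifest_xml))
    dropper = {"android.permission.SYSTEM_ALERT_WINDOW",
               "android.permission.REQUEST_INSTALL_PACKAGES",
               "android.permission.DISABLE_KEYGUARD"}
    if dropper <= flagged:
        return "high"
    if flagged - {"android.permission.INTERNET"}:
        return "medium"
    return "low"


if __name__ == "__main__":
    for perm, why in flag_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
    print("verdict:", risk_verdict(SAMPLE_MANIFEST))
```

INTERNET alone is not treated as a finding, since nearly every app requests it; the verdict is driven by the combination of overlay, install and keyguard permissions that a genuine authenticator has no reason to need.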

A Review on Google Play Store

An email seeking comment from the developer address listed in the Google Play listing didn’t receive an immediate response. The same malicious 2FA Authenticator app remains available in third-party marketplaces here, here, and here. Google representatives weren’t immediately available for comment.


Go to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

US Says National Water Supply ‘Absolutely’ Vulnerable to Hackers


Cyber defenses for US drinking water supplies are “absolutely inadequate” and vulnerable to large-scale disruption by hackers, a senior official said Thursday.

“There’s inadequate resilience to even a criminal sector,” the official said. “The threshold of resilience is not what it needs to be.”

President Joe Biden has attempted to address infrastructure cybersecurity but is limited by the fact that the vast majority of services are provided by private, not government, companies.

The scale of the challenge became clear in May last year when a ransomware attack temporarily crippled the Colonial Pipeline, a major oil pipeline network. A similar attack was carried out on JBS, one of the world’s biggest meat-processing companies.

Vulnerable to Hackers

US officials, who spoke to reporters on condition of anonymity, unrolled a plan to get water companies to cooperate with the government in a concerted effort to close up security gaps. The government is asking companies to share information about attacks and to cooperate in hardening defenses.

“The bottom line is that really after decades of us kicking the can down the road… the administration really takes steps to reverse this trend,” one official said.

However, the program, similar to initiatives already in place for the electric and natural gas sectors, is voluntary.

There’s also a hurdle in the sheer number of different water providers — about 150,000 systems serving 300 million Americans, the official said.

These systems are increasingly automated, with computers managing treatment, storage and distribution. “These processes — I want to underscore this point — could all be vulnerable to cyberattacks, which could disable or manipulate monitoring control systems,” the official said.

“We’re particularly concerned that a cyberattack could be carried out, for example, to manipulate treatment processes to produce unsafe water. Also to damage water infrastructure or even to stop the flow of water,” the official said.


The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack


Microsoft announced that it has mitigated a record 3.47 Tbps distributed denial-of-service attack targeting an Azure customer, the largest DDoS to date.

Updated Aug 2022: New Record-Setting DDoS Attack

Disclosed in August 2022, this was the third HTTPS attack this year to reach tens of millions of requests per second (RPS), after two lower-volume assaults were mitigated by Cloudflare.

The first of them peaked at 15.3 million RPS, Cloudflare revealed in April, while the second reached 26 million RPS, the web security company announced in June. The attack that Google revealed today clearly towers over the previously disclosed incidents, as it was roughly 76% larger than the previous record.

The attack, Google states, began at 9:45 am PT on June 1 and lasted for roughly 69 minutes. For most of its duration the attack was low-intensity: it jumped from 100,000 to 46 million RPS within 10 seconds, but declined over the next minute and a half to its initial levels.

Microsoft announced that its Azure DDoS protection platform has mitigated a record 3.47 Tbps attack that targeted one of its customers with a packet rate of 340 million packets per second (pps). The news of the attack was reported in the “Azure DDoS Protection — 2021 Q3 and Q4 DDoS attack trends” report.

“In November, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. We believe this to be the largest attack ever reported in history.”

“Attack vectors were UDP reflection on port 80 using Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP) comprising one single peak, and the overall attack lasted approximately 15 minutes,” reads the report.

Image: inbound UDP attack graph showing 3.47 Tbps of traffic (Microsoft).
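The report names four UDP reflection vectors (SSDP, CLDAP, DNS, NTP). What that looks like from the defender's side is many reflector hosts, each replying from its service port, converging on one destination. The following is an added example, not code from Microsoft's report: it aggregates simplified NetFlow-style records by destination and flags hosts receiving reflector-sourced UDP from several distinct sources. The flow records, field layout and thresholds are this example's own constructions.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example; not from Microsoft's report. Assumes simplified NetFlow-style
tuples (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets) and keys on
the source ports of the four reflection services the report names.
"""
from collections import defaultdict

# Service ports abused as UDP reflectors, as named in Microsoft's report.
REFLECTOR_PORTS = {1900: "SSDP", 389: "CLDAP", 53: "DNS", 123: "NTP"}

# Constructed sample flows: replies from several reflectors converge on one
# victim's port 80, mixed with a normal DNS answer and an unrelated TCP flow.
SAMPLE_FLOWS = [
    # (src_ip,         sport, dst_ip,        dport, proto, bytes,     packets)
    ("198.51.100.10",  1900,  "203.0.113.5", 80,    "udp", 1_400_000, 1000),
    ("198.51.100.11",  389,   "203.0.113.5", 80,    "udp", 1_500_000, 1200),
    ("198.51.100.12",  123,   "203.0.113.5", 80,    "udp",   480_000, 1000),
    ("198.51.100.13",  53,    "203.0.113.5", 80,    "udp", 1_200_000, 1000),
    ("192.0.2.53",     53,    "203.0.113.9", 53412, "udp",     2_000,   10),  # ordinary DNS answer
    ("198.51.100.14",  443,   "203.0.113.5", 80,    "tcp",    50_000,   40),  # unrelated TCP
]


def reflection_summary(flows):
    """Aggregate UDP flows whose *source* port is a reflector service, per destination."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                   "sources": set(), "vectors": set()})
    for src, sport, dst, dport, proto, nbytes, npkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        entry = per_dst[dst]
        entry["bytes"] += nbytes
        entry["packets"] += npkts
        entry["sources"].add(src)
        entry["vectors"].add(REFLECTOR_PORTS[sport])
    return per_dst


def flag_victims(flows, min_sources=3, min_bytes=1_000_000):
    """Return destinations that look like reflection-attack targets.

    One DNS or NTP reply to a host is normal; many distinct reflector sources
    pushing a large volume at one host is the amplification signature.
    The thresholds are this example's own choice, not the report's.
    """
    return {dst: info for dst, info in reflection_summary(flows).items()
            if len(info["sources"]) >= min_sources and info["bytes"] >= min_bytes}


if __name__ == "__main__":
    for dst, info in flag_victims(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['bytes'] / 1e6:.2f} MB over {info['packets']} packets "
              f"from {len(info['sources'])} reflectors via {sorted(info['vectors'])}")
```

The ordinary DNS answer to 203.0.113.9 is aggregated but never flagged, because the decision rests on source diversity and volume rather than on the port alone; in production the same logic would run over a sliding time window.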

The Largest DDoS To Date

The largest DDoS to date took place in November and hit a customer in Asia. It originated from approximately 10,000 sources in multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan.

The 3.47 Tbps attack was the largest DDoS to date that MS has had to mitigate

The IT giant also reported that two other massive DDoS attacks targeted Asian Azure customers in December; they peaked at 3.25 Tbps and 2.55 Tbps respectively.

Microsoft pointed out that, as in the first half of 2021, the majority of DDoS attacks were short-lived, but experts observed a rise in attacks lasting longer than an hour, with their share more than doubling from 13 percent to 27 percent. The researchers warn that multi-vector attacks remain prevalent.

Predecessor of the Largest DDoS To Date

In October, Microsoft announced that its Azure cloud service had mitigated a 2.4 terabytes per second (Tbps) DDoS attack at the end of August. It was the largest DDoS recorded at the time, but the recent attack has overtaken it. The attack hit the Russian internet giant Yandex and was launched by a new DDoS botnet, tracked as Mēris (Latvian for ‘plague’).

“The concentration of attacks in Asia can be largely explained by the huge gaming footprint, especially in China, Japan, South Korea, Hong Kong, and India, which will continue to grow as the increasing smartphone penetration drives the popularity of mobile gaming in Asia,” concludes the report. “In India, another driving factor may be that the acceleration of digital transformation, for example, the “Digital India” initiative, has increased the region’s overall exposure to cyber risks.”

Conclusion

DDoS attacks have evolved a great deal over the years and have redefined what brute force means. It probably won’t be long until we see the next largest DDoS to date. The worst part is that analysts expect them to keep growing bigger, more aggressive, and more powerful in the years to come.

Attackers are building bigger botnets by compromising more devices, and advances in technology and the spread of all kinds of smart gadgets are making this happen even faster. The most effective way to fight this kind of attack is to raise awareness about securing user devices. Anything with an internet connection can be conscripted into a botnet, and the further we progress towards a smart society, the more weapons bad actors have at their disposal.

Meanwhile, DDoS attacks are increasing not only in strength but also in number, and there are even DDoS-for-hire services, which the authorities have tried for years to dismantle, with only partial success.

Article data correct at time of writing, January 27th 2022.


LockBit ransomware hits European firms & French Ministry of Justice


The LockBit ransomware operators claim to have hit businesses in the United Kingdom, France, Spain, Italy and Germany.

The infamous LockBit ransomware gang is claiming to have hit the Ministry of Justice of France (justice.fr) as part of its recent spree of ransomware attacks. Although details of the attack are limited, according to the group’s official website the Ministry has 13 days to meet its demands or its sensitive data will be published on February 10th, 2022.

LockBit ransomware gang hits Europe

As posted on Hackread, the ransomware attack was not limited to the French Ministry of Justice. In fact, the group is claiming responsibility for hitting several top companies and businesses in several European countries, including Spain, Italy, France, Germany, and the United Kingdom.

The full list of recent alleged victims of the LockBit ransomware gang is:

  1. Izo Group, Spain (Izo.es)
  2. ESTPM, France (Estpm.fr)
  3. City of Saint Cloud, France (Saintcloud.fr)
  4. Joda, Germany (Joda.de)
  5. Heubeck AG, Germany (Heubeck.de)
  6. Isnardi, Italy (Isnardi.it)
  7. La Ponte Marmi Srl, Italy (laponte.it)
  8. AMBAU Personalservice, Germany (Ambau-team.de)
  9. Girlguiding Charity, United Kingdom (Girlguidinglaser.org.uk).

Screenshots from the LockBit ransomware gang’s official website on the dark web show their current and most recent victims.

About LockBit ransomware gang

Like other ransomware gangs, LockBit’s modus operandi involves blocking victims’ access to computer systems in exchange for a ransom payment. LockBit, which is itself malicious software, automatically scans for valuable targets, spreads the infection and encrypts all accessible computer systems on a network.

LockBit offers a ransomware-as-a-service (RaaS) model, enabling fellow cybercriminals, or affiliates, to launch ransomware attacks through its platform. The payments are usually divided between the malware developers and the entity hiring them for the attack.

The LockBit ransomware gang emerged on the threat landscape back in September 2019 and made waves in June 2021 after launching LockBit 2.0 and recruiting new partners. The gang claims to offer the “fastest data exfiltration on the market through StealBit,” noted Emsisoft in the gang’s profile.

StealBit is a data stealer that can download 100 GB of data from an infected system within 20 minutes. Some of the gang’s previous victims include Bangkok Airways, Accenture, and hundreds of other top-notch businesses across the globe.

As for the ongoing ransomware attack, at the time of writing, none of the aforementioned companies released any statement to address the issue. However, this article will be updated based on their confirmation or denial.


Apple pays out $100k bounty for Safari webcam hack that imperilled victims’ online accounts


Security vulnerabilities in Apple iCloud and Safari 15 could have enabled attackers to compromise macOS webcams and, thereafter, victims’ online accounts.

Ryan Pickren, an independent security researcher, netted an eye-watering $100,500 bug bounty for the universal cross-site scripting (uXSS) exploit and a total of four flaws.

uXSS Safari webcam hack

While the camera hack required user interaction, the potential impact of a successful compromise was egregious.

“While this bug does require the victim to click ‘open’ on a popup from my website, it results in more than just multimedia permission hijacking,” said Pickren in a technical write-up.

The exploit, he added, gives “the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.”

The researcher demonstrated a scenario in which a victim agrees to view a folder containing PNG images and a hidden webarchive file that injects code into icloud.com that exfiltrates their iOS camera roll.

A paper (PDF) published by Google Project Zero describes uXSS bugs, which can imperil multiple online accounts because they exploit browser vulnerabilities, as “almost as valuable as a remote code execution (RCE) exploit with the sandbox escape”.

‘Subtle, but wildly impactful’

As suggested by the authors of penetration testing application Metasploit back in 2013, Pickren used webarchive files as the trojan horse for uXSS.

Safari’s alternative to HTML for saving websites locally, webarchive files specify the web origin in which the content should be rendered.

Pickren circumvented macOS Gatekeeper’s block on users opening webarchive files directly by opening the files indirectly via an approved app, Safari. The researcher discovered that the .url shortcut filetype would launch Safari and instruct the browser to open the file.

“A subtle, but wildly impactful, design flaw” in ShareBear, a backend application for sharing files via iCloud, meant an attacker could surreptitiously swap a benign file with a malicious file after it had been shared with and downloaded by a victim.

The victim would receive no notification of this file swap.

“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment,” said Pickren.

The researcher fashioned the exploit after successfully performing a similar trick on Safari v14.1.1, but it soon transpired that beta Safari v15 was inadvertently impervious due to an unrelated code refactor.

He also managed to steal local files by circumventing sandbox restrictions, as well as unearthing a popup-blocker bypass and iframe sandbox escape.

Remediation

Pickren reported the bugs to Apple in July 2021. They were addressed recently in macOS Monterey 12.0.1, which changes ShareBear to reveal (rather than launch) files, and by preventing WebKit from opening quarantined files in Safari 15.

The $100,000 reward dwarfs the $75,000 payout Pickren revealed in 2020 for a one-click JavaScript-to-webcam access exploit that worked on iPhones, iPads, and macOS.

Pickren soon renewed his interest in Apple webcams and once again compromised iOS and macOS cameras last year, this time via a Safari bug chain that leveraged Skype’s camera permission.


NetWalker Ransomware’s Sites Seized by Law Enforcement


Law enforcement authorities in the U.S. and Europe have seized the dark web sites associated with the NetWalker ransomware operations and also charged a Canadian national in relation to the malware.

First spotted in 2019 and also known as Mailto, NetWalker has been available as Ransomware-as-a-Service (RaaS), and is responsible for multiple high-profile attacks, including the targeting of a public health organization in the United States, and a transportation and logistics company in Australia.

NetWalker is also believed to have been responsible for compromising the network of the University of California San Francisco (UCSF), which paid over $1 million to recover from the incident. In July, the FBI warned of NetWalker attacks targeting government organizations.

In an August 2020 report, McAfee’s security researchers estimated the total revenue generated by NetWalker to have been in excess of $25 million by July 2020.

In an announcement today, the U.S. Department of Justice pointed out that NetWalker has been used in attacks on emergency services, hospitals, law enforcement, municipalities, school districts, colleges, universities, and private companies.

“Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims,” the DoJ noted.

The Department also announced charges against Sebastien Vachon-Desjardins of Gatineau, a Canadian national, in relation to NetWalker ransomware attacks. He is believed to have obtained “at least over $27.6 million” in proceeds from the offenses described in the indictment.

On Jan. 10, authorities seized approximately $454,530.19 in cryptocurrency, consisting of ransom payments received from victims. This week, Bulgarian authorities managed to dismantle the dark web sites the NetWalker operators were using to communicate with victims.

Visitors of the Tor websites are now shown a notice informing them of the law enforcement’s action: “This hidden site has been seized by the Federal Bureau of Investigation, as part of a coordinated law enforcement action taken against the NetWalker Ransomware.”

Responding to a SecurityWeek inquiry, Ivan Righi, cyber threat intelligence analyst at Digital Shadows, revealed that the leaks site (where RaaS affiliates made data stolen from their victims public) went down around 9-10 AM (CT).


Apple patches new zero-day actively exploited in the wild


Apple has released security updates to patch two zero-day vulnerabilities, with one publicly disclosed and the other exploited in the wild by attackers to hack into iPhones and Macs.

The first zero-day patched today (tracked as CVE-2022-22587) is a memory corruption bug in the IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey.

Successful exploitation of this bug leads to arbitrary code execution with kernel privileges on compromised devices.

“Apple is aware of a report that this issue may have been actively exploited,” Apple said when describing the zero-day bug.

The complete list of impacted devices includes:

  • iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • macOS Monterey

The bug was found by an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01).

The second zero-day is a Safari WebKit bug in iOS and iPadOS that allowed websites to track users’ browsing activity and identities in real time.

The bug was first disclosed to Apple by Martin Bajanik of FingerprintJS on November 28th, 2021, and publicly disclosed on January 14th, 2022. After the researcher disclosed the bug, it was assigned the CVE-2022-22594 and fixed in today’s iOS 15.3 and iPadOS 15.3 security update.

These bugs are the first zero-day vulnerabilities fixed by Apple in 2022.

However, Apple fixed what felt like a never-ending stream of zero-day bugs in 2021 that were used in attacks against iOS and macOS devices.

These bugs included vulnerabilities used to install the Pegasus spyware on the iPhones of journalists, activists, and politicians.


Massive Discord Outage Prevents Logins and Calls worldwide


Discord is suffering a ‘massive outage’ preventing users from logging in to the service or using voice chats.

The outage started at 2:49 PM EST and was originally caused by a widespread API outage.

However, after resolving the issue, Discord reported that they discovered a problem with one of their database clusters, causing further issues.

Discord Outage Confirmed

“We have identified the underlying issue with the API outage but are dealing with a secondary issue on one of our database clusters. We have our entire on-call response team online and responding to the issue,” Discord explained on their status page.

Users who attempt to log into Discord are met with a spinning logo, which ultimately shows a message about the outage.

Discord error message when trying to log into service

Developing Story

Discord states that they have begun rate limiting logins to prevent an overload of their servers while fixing the problematic database cluster.

  • Jan 26 13:07 PST – Update – More than half of Discord users are back online and working normally. We continue to work to bring the rest of the users back online.
  • Jan 26 13:06 PST – Update – We are continuing to work on a fix for this issue.
  • Jan 26 12:29 PST – Update – The database is healthy again and our internal error rate has fallen to nominal levels. We are beginning to raise the login rate limit to allow users to reconnect.
  • Jan 26 12:21 PST – Update – We are continuing to work through some issues with one of our database clusters. We are still rate limiting login traffic. Next update in 15 minutes.
  • Jan 26 12:07 PST – Update – We have instituted a rate limit on logins to manage the traffic load. Users who are logged in are successfully using Discord at this point, and we will be slowly raising the limits here to allow more users in as we can. We expect this to be resolved in the next 15 minutes.
  • Jan 26 12:03 PST – Identified – We have identified the underlying issue with the API outage but are dealing with a secondary issue on one of our database clusters. We have our entire on-call response team online and responding to the issue.
  • Jan 26 11:49 PST – Investigating – We are currently investigating a widespread API outage.

discordstatus.com

If you wait long enough, you should be able to gain access to Discord as they continue to increase the number of people logging into the system.

This is a developing story and will be updated as new information becomes available.


Android Security Tool APKLeaks releases patch for RCE critical vulnerability


The maintainers of APKLeaks have patched a critical vulnerability that could lead to remote execution of arbitrary code.

Created by Indonesia-based security engineer Dwi Siswanto, APKLeaks is open source software for scanning Android application package (APK) files for URLs, endpoints, and secrets. The application is used by FirmwareDroid, a backend solution for Android firmware analysis.

In a security advisory published on GitHub on January 21, the software’s maintainers said the security flaw “allows remote authenticated attackers to execute arbitrary OS commands via [the] package name inside application manifest”.

Escalated CVSS

The vulnerability, described as an improper neutralization of argument delimiters, is tracked as CVE-2021-21386 and has been issued a CVSS severity score of 9.3, an escalation from an original CVSS score of 7.3.

Reported by developer ‘RyotaK’ on March 19, 2021, the critical security issue stems from a failure to protect against attackers supplying arguments that can trigger “unintended” commands, executing code remotely, or reading or tampering with sensitive information.

The advisory also notes the potential for attackers to conduct “other unintended behavior through [a] malicious package name”.

No authentication was required to exploit the vulnerability.

A patch to resolve the flaw released with APKLeaks version 2.0.3 failed to fully remedy the issue. RyotaK told The Daily Swig that the 2.0.4 patch resolved the problem correctly in the developer branch of the software, followed by v2.0.6-dev in the master branch.
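The advisory describes the flaw as improper neutralization of argument delimiters: a value the attacker controls (the package name in the APK manifest) reaches an OS command without being constrained. The following is an added example and is not APKLeaks' code, nor a reproduction of its actual bug; it assumes a generic analysis tool that hands a manifest-derived package name to an external command, and stands that command in with printf so the block runs anywhere. It shows the vulnerable shape next to the hardened one: allow-list the value against the Android package-name grammar, then pass it as a single argv element with no shell.

```python
"""Untrusted package name reaching an OS command: vulnerable pattern next to
a hardened one.

Added example for this article. NOT APKLeaks' code and not its actual bug;
assumes a generic analysis tool that passes a package name read from an APK
manifest to an external command. printf stands in for that tool.
"""
import re
import subprocess

# Android package names: two or more dot-separated Java-style identifiers.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+$")


def build_command_vulnerable(package_name: str) -> str:
    """Anti-pattern: manifest-controlled text spliced into a shell command
    string destined for shell=True, so delimiters such as ';' or '$()' in the
    name are interpreted by the shell (improper neutralization)."""
    return f"printf %s {package_name}"


def is_valid_package_name(name: str) -> bool:
    """Allow-list check applied before the value is used anywhere."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def build_command_hardened(package_name: str) -> list[str]:
    """Validate first, then return an argv list: the name is exactly one
    argument and nothing in it is ever parsed by a shell."""
    if not is_valid_package_name(package_name):
        raise ValueError(f"refusing suspicious package name: {package_name!r}")
    return ["printf", "%s", package_name]


def run_hardened(package_name: str) -> str:
    """Execute the argv list directly (shell=False) and return its stdout."""
    result = subprocess.run(build_command_hardened(package_name),
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(run_hardened("com.example.app"))
    try:
        run_hardened("com.example.app; id")
    except ValueError as err:
        print("rejected:", err)
```

Validation and argv-passing are both needed: the list form alone stops shell interpretation but still lets a name beginning with `-` be read as an option by the tool, and the regex alone is fragile if some later call site reverts to a shell string. Rejecting the value at parse time, before any command is built, is also what makes the failure visible in logs.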


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!


Details emerge on hack of Belarusian Railways and the group behind it


“An internal document recently exchanged between a Belarusian railway lead engineer and a Russian railway head of IT department.” (Belarusian Cyber Partisans / Twitter)

The Belarusian Railways Hack

Days after a group of Belarusian hackers announced that they had breached the network of the country’s railway system, encrypted its data and demanded the expulsion of Russian troops and the release of political prisoners, much remains unclear.

But the Belarusian Cyber Partisans, the hacktivist group behind the attacks, posted a series of screenshots to Twitter on Monday afternoon showing what they say are “internal assets and docs” from the hack. The group also seemed to troll Belarusian Railways with a screenshot claiming that the agency’s employees “frequently used pirated software. Do you think it’s connected to how they got hacked?” the group asked.

It’s unclear to what extent the group’s hack did any lasting damage to the railway agency, or succeeded in its goals. A local news report suggests that train service, as well as online ticketing systems, may have been temporarily affected. Some of those systems were back online Wednesday morning, Belarusian Railways said in a statement posted to its website, but some work “continues.”

A person identified as the spokesperson for the group told CyberScoop that the Cyber Partisans “assess this attack as successful,” even as the full results are not yet known. “What we see (disrupted schedules, databases and systems that are still down, chaos in the Railways) shows that the regime is affected,” they said in a message late Tuesday. In a previous message, the spokesperson said even if the attack “can indirectly bring the desired results, it will be more than enough.”

The spokesperson had previously said that while some databases have been destroyed, others were merely encrypted, and that they could be decrypted if the political demands are met.

Earlier Tuesday the group shared details from one of its earlier hacks with a researcher with Curated Intelligence, a private network of information security analysts and researchers who come together to research and publish information related to cybersecurity matters.

The researcher had asked for a sample of the malware used in the Belarusian Railways attack. The Cyber Partisans declined the request, but shared a Belarusian government incident report detailing a Cyber Partisans hack from March 2021 that the group had described in a November 2021 YouTube video. Researchers with Curated Intelligence used the report to document some of the Cyber Partisans’ tactics, techniques and procedures, which include the use of well-known offensive tools such as Impacket, Chisel and Mimikatz.

“What our report shows is that they are a serious group that knows how to hack and uses common techniques,” William Thomas, a member of Curated Intelligence and one of the authors of the report, told CyberScoop. Even based on the incomplete details in the incident report, it’s clear that “these guys could do serious damage down the road.”

Steve Ragan, a member of Curated Intelligence, said Cyber Partisans are seeking attention for their political goals, and urged caution when trusting claims such as collaboration with current government employees, or any other claims the group makes.

Nevertheless, “they’re dedicated, they’re very focused on what they want to do,” Ragan said. They’re “knowledgeable. These are not just common, run-of-the-mill people. They know what tools they’re needing to use, they know how to use the tools, or they know how to obtain the information to use those tools.”

They’re a “noteworthy threat or risk to any environment,” he said. “They’re very much a threat to pay attention to.”

The hack and leak operation lands amid increasing regional military tensions and what the U.S. government believes is an imminent Russian invasion of Ukraine.

The group has been around since September 2020, forming a month after the disputed reelection of Alexander Lukashenko, an authoritarian who has held power since 1994. About 15 IT experts who left the country after the election, together with remaining members of the government security agencies, formed the group to expose Lukashenko’s corruption and drive him from power, one of the members told MIT Technology Review in August.

A manifesto posted by the group in August 2021 says Lukashenko “has been committing particularly grave crimes against the people of Belarus for the past 26 years.” The members declared “the beginning of the fight against Lukashenko’s criminal group which has usurped and is holding power in the territory of the Republic of Belarus by violence and terror, by all available means, until the enemy is defeated.”

Belarusian security forces arbitrarily detained thousands of people and tortured hundreds of others in the days following the 2020 election, according to Human Rights Watch, which the Cyber Partisans spokesperson referenced when asked if Monday’s hack risked retaliation.

“Thousands are still in prisons, around [10,000] people went through torture, 20 people are dead, many had to flee the country and the suppression don’t stop,” the spokesperson told CyberScoop. “So [Cyber Partisans] are doing what they can to stop the dictatorship regime.”

The group wants all political prisoners released, the spokesperson said, but “especially those whose medical condition [has] deteriorated and who can simply die if they are not treated properly and on time.”

The group has previously hacked and leaked documents purporting to show the corruption of the regime, sharing the data with journalists or posting it themselves. The data has included apparent corrupt business dealings involving Lukashenko and data showing inaccurate public statements about COVID-19 deaths.

In November 2021 the Belarusian Supreme Court declared the Cyber Partisans and two other pro-democracy groups a “terrorist movement.”
