The Linkielist

Linking ideas with the world

MGM Resorts’ 142m person customer data now leaked on Telegram for free

Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they “assume at least 30 million people had some of their data leaked.” MGM Resorts, a hotel and casino chain, did not respond to The Register’s request for comment.

The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter’s Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

But while crooks initially sold those 142 million records on a dark-web marketplace for about $3,000 as a packaged deal, this time the data is freely available on Telegram, which vpnMentor rightly describes as “much more accessible for even the least tech-savvy people.”

Perhaps the recent takedown of stolen-data market RaidForums and the Hydra dark-web souk has something to do with this? Or that the info is no longer worth selling, or no one’s interested in buying it, perhaps.

According to the VPN services company, the data dumped on Telegram includes the following customer information from before 2017:

  • Full names
  • Postal addresses
  • Over 24 million unique email addresses
  • Over 30 million unique phone numbers
  • Dates of birth

[…]

Source: MGM Resorts’ customer data now leaked on Telegram for free • The Register

Hackers deface Russian platforms and smart TVs to display anti-war messages

On the same day Russia celebrated its role in defeating Nazi Germany, many of the country’s online platforms were defaced in protest of the war in Ukraine. The Washington Post reported on Monday that Russians with smart TVs saw channel listings replaced with a message implicating them in the ongoing conflict. “The blood of thousands of Ukrainians and hundreds of murdered children is on your hands,” the message read, according to the outlet. “TV and authorities are lying. No to war.”

In addition to smart TVs, the apparent hack targeted some of the country’s largest internet companies, including Yandex. Hackers also went after Rutube, Russia’s alternative to YouTube. “Our video hosting has undergone a powerful cyberattack. At the moment, it is not possible to access the platform,” the service said in a statement it posted on its Telegram channel. Rutube later stated it had isolated the attack and that its content library wasn’t accessed in the incident.

[…]

Source: Hackers deface Russian platforms and smart TVs to display anti-war messages | Engadget

Hackers are now hiding malware in Windows Event Logs

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.

The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.

[…]

The dropper copies the legitimate OS error handling file WerFault.exe to ‘C:\Windows\Tasks’ and then drops an encrypted binary resource to the ‘wer.dll’ (Windows Error Reporting) in the same location, for DLL search order hijacking to load malicious code.

[…]

Legezo says that the dropper’s purpose is to place the loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 – ‘AB’ in ASCII). If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager.

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs” – Denis Legezo, lead security researcher at Kaspersky

The new technique analyzed by Kaspersky is likely on its way to becoming more popular as source code for injecting payloads into Windows event logs has been available in the public space for a brief period.

[…]

Source: Hackers are now hiding malware in Windows Event Logs
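A defender-side illustration of the stash pattern described in the article above: scan event log records for the category 0x4142 the loader looks for, flag roughly 8KB entries whose data is high-entropy (as encrypted shellcode would be), and reassemble them in record order for offline analysis. This is an added example, not code from the article or from Kaspersky; the record dicts are constructed here, and on a real host the fields would be filled from exported event records (for instance via Get-WinEvent or wevtutil).

```python
import math
import random
from typing import Dict, Iterable, List

# Category value the article says the loader searches for: 0x4142 ('AB' in ASCII).
SHELLCODE_CATEGORY = 0x4142
# The loader writes the encrypted shellcode in 8KB chunks.
CHUNK_SIZE = 8 * 1024
# Encrypted bytes sit near 8 bits of entropy per byte; ordinary event text/XML is far lower.
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_suspicious_records(records: Iterable[Dict]) -> List[Dict]:
    """Return records matching the stash pattern: category 0x4142,
    a chunk-sized binary payload, and high entropy."""
    hits = []
    for rec in records:
        if rec.get("category") != SHELLCODE_CATEGORY:
            continue
        data = rec.get("data", b"")
        if len(data) < CHUNK_SIZE // 2:  # tolerate a short final chunk
            continue
        ent = shannon_entropy(data)
        if ent >= HIGH_ENTROPY_THRESHOLD:
            hits.append({**rec, "entropy": round(ent, 2)})
    return hits


def reassemble_payload(hits: List[Dict]) -> bytes:
    """Concatenate chunks in record-id order (the order they were written),
    yielding the still-encrypted blob for an analyst to examine."""
    return b"".join(r["data"] for r in sorted(hits, key=lambda r: r["record_id"]))


# Constructed sample records (hypothetical record ids and data, not from any real log).
_rng = random.Random(0x4142)
CHUNK_A = bytes(_rng.getrandbits(8) for _ in range(CHUNK_SIZE))  # stands in for encrypted shellcode
CHUNK_B = bytes(_rng.getrandbits(8) for _ in range(CHUNK_SIZE))
SAMPLE_RECORDS = [
    {"record_id": 1001, "category": 1, "data": b"Service started successfully."},
    {"record_id": 1002, "category": SHELLCODE_CATEGORY, "data": b"short benign note"},
    {"record_id": 1003, "category": 1, "data": b"A" * CHUNK_SIZE},           # big but zero entropy
    {"record_id": 2002, "category": SHELLCODE_CATEGORY, "data": CHUNK_B},    # written out of order
    {"record_id": 1004, "category": SHELLCODE_CATEGORY, "data": b"log " * 2048},  # right size, low entropy
    {"record_id": 2001, "category": SHELLCODE_CATEGORY, "data": CHUNK_A},
]


def scan_sample() -> List[Dict]:
    """Run the detector over the constructed records."""
    return find_suspicious_records(SAMPLE_RECORDS)


if __name__ == "__main__":
    hits = scan_sample()
    for h in hits:
        print(f"record {h['record_id']}: {len(h['data'])} bytes, entropy {h['entropy']}")
    print(f"reassembled {len(reassemble_payload(hits))} bytes of encrypted payload")
```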

Russian Cinemas Are Showing Pirated Movies Downloaded From Torrents

In response to Russia’s invasion of Ukraine, several Hollywood studios announced the immediate suspension of new releases in Russia. Unexpectedly, some Russian theaters are still able to show movies such as The Batman on the big screen but this isn’t down to the studios. The movies are sourced from illegal torrent sites and few seem afraid to admit it.

[…]

Source: Russian Cinemas Are Showing Pirated Movies Downloaded From Torrents * TorrentFreak

U.S. and European partners take down hacker website RaidForums

WASHINGTON/THE HAGUE, April 12 (Reuters) – U.S. and European authorities said on Tuesday they had seized RaidForums, a popular website used by hackers to buy and sell stolen data, and the United States also unsealed charges against the website’s founder and chief administrator Diego Santos Coelho.

Coelho, 21, of Portugal, was arrested in the United Kingdom on Jan. 31, and remains in custody while the United States seeks his extradition to stand trial in the U.S. District Court for the Eastern District of Virginia, the U.S. Justice Department said.

The department said it had obtained court approval to seize three different domain names that hosted the RaidForums website: raidforums.com, Rf.ws and Raid.lol.

Among the types of data available for sale on the site were stolen bank routing and account numbers, credit card information, log-in credentials and social security numbers.

In a parallel statement, Europol also lauded the takedown saying the RaidForums online marketplace had been seized in an operation known as “Operation Tourniquet,” that helped coordinate investigations by authorities from the United States, the United Kingdom, Germany, Sweden, Portugal and Romania.

[…]

Source: U.S. and European partners take down hacker website RaidForums | Reuters

Fraudsters use ‘fake emergency data requests’ to steal info

Cybercriminals have used fake emergency data requests (EDRs) to steal sensitive customer data from service providers and social media firms. At least one report suggests Apple, and Facebook’s parent company Meta, were victims of this fraud.

Both Apple and Meta handed over users’ addresses, phone numbers, and IP addresses in mid-2021 after being duped by these emergency requests, according to Bloomberg.

EDRs, as the name suggests, are used by law enforcement agencies to obtain information from phone companies and technology service providers about particular customers, without needing a warrant or subpoena. But they are only to be used in very serious, life-or-death situations.

As infosec journalist Brian Krebs first reported, some miscreants are using stolen police email accounts to send fake EDR requests to companies to obtain netizens’ info. There’s really no quick way for the service provider to know if the EDR request is legitimate, and once they receive an EDR they are under the gun to turn over the requested customer info.

“In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person,” Krebs wrote.

Large internet and other service providers have entire departments that review these requests and do what they can to get the police emergency data requested as quickly as possible, Mark Rasch, a former prosecutor with the US Department of Justice, told Krebs.

“But there’s no real mechanism defined by most internet service providers or tech companies to test the validity of a search warrant or subpoena” Rasch said. “And so as long as it looks right, they’ll comply.”

[…]

Source: Fraudsters use ‘fake emergency data requests’ to steal info • The Register

Viasat confirms satellite modems were wiped with AcidRain malware – 7th wiper deployed against Ukraine this year

A newly discovered data wiper malware that wipes routers and modems has been deployed in the cyberattack that targeted the KA-SAT satellite broadband service to wipe SATCOM modems on February 24, affecting thousands in Ukraine and tens of thousands more across Europe.

The malware, dubbed AcidRain by researchers at SentinelOne, is designed to brute-force device file names and wipe every file it can find, making it easy to redeploy in future attacks.

SentinelOne says this might hint at the attackers’ lack of familiarity with the targeted devices’ filesystem and firmware or their intent to develop a reusable tool.

AcidRain was first spotted on March 15 after its upload onto the VirusTotal malware analysis platform from an IP address in Italy as a 32-bit MIPS ELF binary using the “ukrop” filename.

Once deployed, it goes through the compromised router or modem’s entire filesystem. It also wipes flash memory, SD/MMC cards, and any virtual block devices it can find, using all possible device identifiers.

“The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem,” SentinelOne threat researchers Juan Andres Guerrero-Saade and Max van Amerongen explained.

To destroy data on compromised devices, the wiper overwrites file contents with up to 0x40000 bytes of data or uses MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) system calls.

After AcidRain’s data wiping processes are completed, the malware reboots the device, rendering it unusable.

Used to wipe satellite communication modems in Ukraine

[…]

This directly contradicts a Viasat incident report on the KA-SAT incident saying it found “no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference.”

However, Viasat confirmed SentinelOne’s hypothesis, saying the data destroying malware was deployed on modems using “legitimate management” commands.

[…]

The fact that Viasat shipped almost 30,000 modems since the February 2022 attack to bring customers back online and continues to ship even more to expedite service restoration also hints that SentinelOne’s supply-chain attack theory holds water.

[…]

Seventh data wiper deployed against Ukraine this year

AcidRain is the seventh data wiper malware deployed in attacks against Ukraine, with six others having been used to target the country since the start of the year.

The Computer Emergency Response Team of Ukraine recently reported that a data wiper it tracks as DoubleZero has been deployed in attacks targeting Ukrainian enterprises.

One day before the Russian invasion of Ukraine started, ESET spotted a data-wiping malware now known as HermeticWiper, that was used against organizations in Ukraine together with ransomware decoys.

The day Russia invaded Ukraine, they also discovered a data wiper dubbed IsaacWiper and a new worm named HermeticWizard used to drop HermeticWiper payloads.

ESET also spotted a fourth data-destroying malware strain they dubbed CaddyWiper, a wiper that deletes user data and partition information from attached drives and also wipes data across Windows domains it’s deployed on.

A fifth wiper malware, tracked as WhisperKill, was spotted by Ukraine’s State Service for Communications and Information Protection (CIP), who said it reused 80% of the Encrpt3d Ransomware’s code (also known as WhiteBlackCrypt Ransomware).

In mid-January, Microsoft found a sixth wiper now tracked as WhisperGate, used in data-wiping attacks against Ukraine, disguised as ransomware.

[…]

Source: Viasat confirms satellite modems were wiped with AcidRain malware

Justice Department indicts four Russian government workers in energy sector hacks

The US Justice Department today announced indictments against four Russian government employees, who it alleges attempted a hacking campaign of the global energy sector that spanned six years and devices in roughly 135 countries. The two indictments were filed under seal last summer, and are finally being disclosed to the public.

The DOJ’s decision to release the documents may be a way to raise public awareness of the increased threat these kinds of hacks pose to US critical infrastructure in the wake of Russia’s invasion of Ukraine. State-sponsored hackers have targeted energy, nuclear, water and critical manufacturing companies for years, aiming to steal information on their control systems. Cybersecurity officials noticed a spike in Russian hacking activity in the US in recent weeks.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.

The indictments allege that two separate campaigns occurred between 2012 and 2018. The first one, filed in June 2021, involves Evgeny Viktorovich Gladkikh, a computer programmer at the Russian Ministry of Defense. It alleges that Gladkikh and a team of co-conspirators were members of the Triton malware hacking group, which launched a failed campaign to bomb a Saudi petrochemical plant in 2017. As TechCrunch noted, the Saudi plant would have been completely decimated if not for a bug in the code. In 2018, the same group attempted to hack US power plants but failed.

The second indictment charges three hackers who work for Russia’s intelligence agency, the Federal Security Service (FSB), as being the members of the hacking group Dragonfly, which coordinated multiple attacks on nuclear power plants, energy companies, and other critical infrastructure. It alleges that the three men, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov engaged in multiple computer intrusions between 2012 and 2017. The DOJ estimates that the three hackers were able to install malware on more than 17,000 unique devices in the US and abroad.

A second phase known as Dragonfly 2.0, which occurred between 2014 and 2017, targeted more than 3,300 users across 500 different energy companies in the US and abroad. According to the DOJ, the conspirators were looking to access the software and hardware in power plants that would allow the Russian government to trigger a shutdown.

The US government is still looking for the three FSB hackers. The State Department today announced a $10 million award for any information on their whereabouts. However, as the Washington Post notes, the US and Russia do not have an extradition treaty, so the likeliness of any of the alleged hackers being brought to trial by these indictments is slim.

Source: Justice Department indicts four Russian government workers in energy sector hacks | Engadget

British cops arrest seven < 21 yr kids in Lapsus$ crime gang probe after they break into and dox the tech giants

British cops investigating a cyber-crime group have made a string of arrests.

Though City of London Police gave few details on Thursday, officers are said to be probing the notorious extortionware gang Lapsus$, and have detained and released seven people aged 16 to 21.

In a statement, the force said: “Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.”

Among them is a 16-year-old boy from Oxford who has been accused of being one of the crew’s leaders, the BBC reported. He cannot be identified for legal reasons.

[…]

Bloomberg first reported the boy’s alleged involvement with the extortion gang on Wednesday, and claims by security researchers that he was the crew’s mastermind. Lapsus$ is the devil-may-care team of miscreants that have broken into major firms including Microsoft, Samsung, Vodafone, and Okta.

It is said the boy netted about $14m in Bitcoin from his online life, and was lately doxxed – which means he had his personal info leaked online – after an apparent falling out with his business partners.

[…]

The cyber-crime ring rose to fame in recent months for its brash tactics and its propensity to brag about its exploits on Telegram. Its standard operating procedure is to infiltrate a big target’s network, steal sensitive internal data, make demands to prevent the public release of this material – and usually release some of it anyway.

[…]

In February, however, the criminals sneaked into Nvidia’s networks and stole one terabyte of data including employee credentials and proprietary information, and dumped some of it online.

Days later Lapsus$ said it had raided Samsung and stolen 190GB of internal files including some Galaxy device source code.

The criminal group followed that up by claiming it was responsible for a cybersecurity incident at gaming giant Ubisoft.

‘Motivated by theft and destruction’

Microsoft, in its days-late confirmation that Lapsus$, which the Windows giant calls DEV-0537, did indeed steal some of its source code, said the crime group seems to be “motivated by theft and destruction.”

[…]

Source: British cops arrest seven in Lapsus$ crime gang probe • The Register

Samsung Galaxy Source Code Stolen in Data Breach, might show they slow down specific apps

Samsung confirmed on Monday that a cybersecurity attack exposed sensitive internal data including source code for Galaxy smartphones.

The group claiming responsibility for the attack, Lapsus$, is the same hacking outfit that breached Nvidia last week and leaked employee credentials and proprietary information onto the internet. In the Samsung hack, the group purportedly posted a 190GB torrent file to its Telegram channel, claiming it contains algorithms for biometric login authentication and bootloader—code that could be used to bypass some operating system controls.

Samsung disclosed the breach but didn’t confirm the identity of the hackers or the materials stolen.

[…]

After successfully breaching Nvidia, Lapsus$ blackmailed the GPU maker by threatening to release stolen internal data unless GPU drivers were made open source and Ethereum cryptocurrency mining limiters were removed from Nvidia 30-series graphics cards. The group, which is said to have members in South America and Western Europe, reportedly compromised the credentials of more than 71,000 past and current Nvidia employees.

For Samsung, the data breach arrives shortly after reports emerged claiming the company deliberately limits the performance of around 10,000 apps, including Instagram and TikTok. Samsung said its “Game Optimizing Service” was designed to balance performance and cooling, but many saw this as performance throttling and slammed the Korean tech giant for selectively excluding benchmarking apps.

[…]

Source: Samsung Galaxy Source Code Stolen in Data Breach

Ukraine state media leaks details of 120,000 Russian soldiers on website

Ukrainian news website Ukrainska Pravda says the nation’s Centre for Defence Strategies think tank has obtained the personal details of 120,000 Russian servicemen fighting in Ukraine. The publication has now shared this data freely on its website.

The Register and others have been unable to fully verify the accuracy of the data from the leak. The records include what appears to be names, addresses, passport numbers, unit names, and phone numbers. Some open source intelligence researchers on Twitter said they found positive matches, as did sources who spoke confidentially to El Reg; others said they couldn’t verify dip-sampled data.

[…]

Whether or not the database’s contents are real, the impact on Russian military morale – knowing that your country’s enemies have your personal details and can contact your family if you’re captured, killed, or even still alive – won’t be insignificant.

As Russia’s invasion of Ukraine progresses, or not, cyber-attacks orchestrated by or for the benefit of the Kremlin against Ukraine and the West appear limited, while on the ground, more than 2,000 civilians have been killed, according to Ukrainian officials.

Former UK National Cyber Security Centre (NCSC) chief Ciaran Martin noted in a blog post that even those skeptical of claims that Russia would wage cyber-Armageddon during the invasion will be surprised at the lack of activity. The online assaults against Ukraine of late represent Russia’s “long-standing campaign of cyber harassment of the country … rather than a serious escalation of it,” he wrote.

[…]

Source: 120,000 Russians soldier details leak – Ukraine media • The Register

And now you get into the combatant following orders kind of argument – do you really want to be the side attacking their spouses and children back home?

Hackers hacked by Nvidia Demand NVIDIA Open Source Their Drivers Or They Leak More Data

Hackers that infiltrated NVIDIA systems are now threatening to release more confidential information unless the company commits to open sourcing their drivers. It is unclear what the stolen data contains, but the group confirmed that there are 250GB of hardware related data in their possession. Furthermore, the group confirmed they have evaluated NVIDIA’s position, which means that NVIDIA might be trying to communicate with the group to prevent future leaks. The group has already published information on NVIDIA DLSS technology and upcoming architectures. Yesterday, Nvidia reportedly retaliated against the hacker group known as “Lapsus$” by sneaking back into the hacker’s system and encrypting the stolen data. The group claimed that it had a backup of the data, though.

Source: Hackers Demand NVIDIA Open Source Their Drivers Or They Leak More Data – Slashdot

Yet Another Israeli Malware Manufacturer Found Selling To Human Rights Abusers, Targeting iPhones

[…]

Candiru — another Israeli firm with a long list of questionable customers, including Uzbekistan, Saudi Arabia, United Arab Emirates, and Singapore.

Now there’s another name to add to the list of NSO-alikes. And (perhaps not oddly enough) this company also calls Israel home. Reuters was the first to report on this NSO competitor’s ability to stay competitive in the international malware race.

A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.

QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.

Like NSO, QuaDream sold a “zero-click” exploit that could completely compromise a target’s phones. We’re using the past tense not because QuaDream no longer exists, but because this particular exploit (the basis for NSO’s FORCEDENTRY) has been patched into uselessness by Apple.

But, like other NSO competitors (looking at you, Candiru), QuaDream has no interest in providing statements, a friendly public face for inquiries from journalists, or even a public-facing website. Its Tel Aviv office seemingly has no occupants and email inquiries made by Reuters have gone ignored.

QuaDream doesn’t have much of a web presence. But that’s changing, due to this report, which builds on earlier reporting on the company by Haaretz and Middle East Eye. But even the earlier reporting doesn’t go back all that far: June 2021. That report shows the company selling a hacking tool called “Reign” to the Saudi government. But that sale wasn’t accomplished directly, apparently in a move designed to further distance QuaDream from both the product being sold and the government it sold it to.

[…]

Reign is apparently the equivalent of NSO’s Pegasus, another powerful zero-click exploit that appears to still be able to hack most iPhone models. But it’s not a true equivalent. According to this report, the tool can be rendered useless by a single system software update and, perhaps more importantly, cannot be remotely terminated by the entity deploying it, should the infection be discovered by the target. This means targeted users have the opportunity to learn a great deal about the exploit, its deployment, and possibly where it originated.

[…]

Source: Yet Another Israeli Malware Manufacturer Found Selling To Human Rights Abusers, Targeting iPhones | Techdirt

North Korea Hacked Him. So One Guy Took Down Its Internet

For the past two weeks, observers of North Korea’s strange and tightly restricted corner of the internet began to notice that the country seemed to be dealing with some serious connectivity problems. On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un’s government. At least one of the central routers that allow access to the country’s networks appeared at one point to be paralyzed, crippling the Hermit Kingdom’s digital connections to the outside world.

[…]

But responsibility for North Korea’s ongoing internet outages doesn’t lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.

Just over a year ago, an independent hacker who goes by the handle P4x was himself hacked by North Korean spies. P4x was just one victim of a hacking campaign that targeted Western security researchers with the apparent aim of stealing their hacking tools and details about software vulnerabilities. He says he managed to prevent those hackers from swiping anything of value from him. But he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.

So after a year of letting his resentment simmer, P4x has taken matters into his own hands. “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming,” says the hacker. (P4x spoke to WIRED and shared screen recordings to verify his responsibility for the attacks but declined to use his real name for fear of prosecution or retaliation.)

[…]

P4x says he’s found numerous known but unpatched vulnerabilities in North Korean systems that have allowed him to singlehandedly launch “denial-of-service” attacks on the servers and routers the country’s few internet-connected networks depend on.

[…]

he named, as an example, a known bug in the web server software NginX that mishandles certain HTTP headers, allowing the servers that run the software to be overwhelmed and knocked offline. He also alluded to finding “ancient” versions of the web server software Apache,

[…]

“It’s pretty interesting how easy it was to actually have some effect in there.”

[…]

He acknowledges that his attacks amount to no more than “tearing down government banners or defacing buildings,” as he puts it. But he also says that his hacking has so far focused on testing and probing to find vulnerabilities. He now intends to try actually hacking into North Korean systems, he says, to steal information and share it with experts. At the same time, he’s hoping to recruit more hacktivists to his cause with a dark website he launched Monday called the FUNK Project—i.e. “FU North Korea”—in the hopes of generating more collective firepower.

[…]

he was nonetheless shocked and appalled by the realization that he’d been personally targeted by North Korea.

P4x says he was later contacted by the FBI but was never offered any real help to assess the damage from North Korea’s hacking or to protect himself in the future. Nor did he ever hear of any consequences for the hackers who targeted him, an open investigation into them, or even a formal recognition from a US agency that North Korea was responsible. It began to feel, as he put it, like “there’s really nobody on our side.”

[…]

While he acknowledges that his attacks likely violate US computer fraud and hacking laws, he argues he hasn’t done anything ethically wrong. “My conscience is clear,” he says.

[…]

Source: North Korea Hacked Him. So He Took Down Its Internet | WIRED

Blockchain platform Wormhole says it’s retrieved the $324M stolen by hackers

[…]

Hackers stole more than $324 million in cryptocurrency from Wormhole, the developers behind the popular blockchain bridge confirmed Wednesday.

The platform provides a connection that allows for the transfer of cryptocurrency between different decentralized-finance blockchain networks. Wormhole said in a series of tweets Wednesday afternoon that thieves made off with 120,000 wETH, or wrapped ethereum, worth nearly $324 million at current exchange rates. The platform’s network was also taken offline for maintenance.

[…]

Wormhole on Thursday confirmed via Twitter that “all funds have been restored” and its services are back up. It also promised to share a full incident report.

Source: Blockchain platform Wormhole says it’s retrieved the $324M stolen by hackers – CNET

Finnish diplomats were targeted by NSO Pegasus spyware

Finland’s government says the mobile devices of its diplomats have been hacked using Pegasus spyware.

The Finnish foreign ministry stated on Friday that some of its officials abroad had been targeted by the sophisticated software.

“The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part,” the Foreign Ministry said in a statement.

“Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.”

[…]

NSO says it only sells Pegasus to governments for the purpose of fighting crime and terrorism.

But an investigation last year revealed that the spyware had been used to target journalists, activists and politicians in a number of countries — including France, Spain, and Hungary.

A recent Citizen Lab report also found that critics of Poland’s right-wing government were hacked using Pegasus.

[…]

Source: Finnish diplomats were targeted by Pegasus spyware, says foreign ministry | Euronews

OpenSubtitles Hacked, 7 Million Subscribers’ Details Leaked Online

[…]

“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to public and promise to delete the data,” the post reads.

“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

Hacker Gained Access to All User Data

According to ‘oss’, the hacker gained access to email addresses, usernames and passwords, but promised that the data would be erased after the payment was made. That promise was not kept.

While no member data was leaked last August, on January 11, 2022, OpenSubtitles received new correspondence from a “collaborator of the original hacker” who made similar demands. Contacting the original hacker for help bore no fruit and on January 15 the site learned that the data had been leaked online the previous day.

Indeed, searches on the data breach site Have I Been Pwned reveal that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more.


“In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers’ personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes,” the site reports.

[…]

Source: OpenSubtitles Hacked, 7 Million Subscribers’ Details Leaked Online * TorrentFreak

Crypto.com Finally Acknowledges $34 Million Stolen by Hackers

Trading platform Crypto.com lost about $34 million worth of cryptocurrency in a hack on Monday, according to a new blog post by the company published overnight. The company had previously declined to say much about the hack, which forced users to stop withdrawals for most of the day, and only reassured customers they wouldn’t lose any money.

Hackers made off with 4,836.26 ethereum, 443.93 bitcoin, and approximately $66,200 in other crypto coins from precisely 483 users, according to the company. Crypto.com, which has about 10 million users, halted all withdrawals on Monday for about 14 hours after “suspicious activity” was detected, and forced all users to reset their two-factor authentication methods.

The ethereum that was taken is worth about $15.3 million and the bitcoin is worth $18.6 million at today’s conversion rate, bringing the grand total to about $34 million in lost funds. But Crypto.com is quick to note that no users have lost any money because the company has topped up their accounts.

[…]

The unknown hackers are currently trying to launder their stolen crypto using crypto mixers, as Gizmodo reported yesterday. The ethereum is being laundered through an app called Tornado Cash, which bills itself as a privacy tool. The bitcoin appears to be getting laundered through an unknown bitcoin mixer, sometimes known as a tumbler or peel chain.

[…]

Source: Crypto.com Finally Acknowledges $34 Million Stolen by Hackers

Microsoft warns of destructive cyberattack on Ukrainian computer networks

Source: Microsoft warns of destructive cyberattack on Ukrainian computer networks | bdnews24.com

Did you always want to hack an ESA satellite? Now’s your chance

The European Space Agency (ESA) is inviting applications from attackers who fancy having a crack at its OPS-SAT spacecraft.

It’s all in the name of ethical hacking, of course. The plan is to improve the resilience and security of space assets by understanding the threats dreamed up by security professionals and members of the public alike.

OPS-SAT has, according to ESA, “a flight computer 10 times more powerful than any current ESA spacecraft” and the CubeSat has been in orbit since 2019, providing a test bed for software experiments.

It is therefore the ideal candidate for l33t h4x0rs to turn their attention to, while ESA engineers ensure the environment is kept under control.

“The in-built robustness of OPS-SAT makes it the perfect flying platform for ethical hackers to demonstrate their skills in a safe but suitably realistic environment,” explained Dave Evans, OPS-SAT mission manager.

Ideas need to be submitted by 18 February and the successful applicants will be given controlled, technical access to OPS-SAT during the April CYSAT conference. It’ll be a challenge since teams will only have six-minute communication slots available with the satellite in which to unleash their creations.

Running code submitted by the public in space is not a particularly new concept – the AstroPi hardware on board the International Space Station (ISS) is a great example of such outreach.

However, the engagement with cybersecurity experts via the OPS-SAT demo will give space agencies an opportunity to learn what works – and what does not – from a security standpoint as satellites become ever more complicated and the surface area for attack grows.

Interestingly, ESA’s announcement had originally been made a month ago and then hurriedly pulled. Possibly because the original title “Hack an ESA spacecraft” caused at least one of the agency’s bosses to pass their morning caffeinated beverage through a nostril. Or, as an ESA insider put it, seek to “review” the emission.

Source: Hack our spacecraft, says ESA • The Register

Russia Arrests Members of Notorious Ransomware Gang REvil

[…]

The Federal Security Service (FSB), Russia’s domestic intelligence agency, said in a press release Friday that it had recently conducted raids at 25 residences across Moscow, Leningrad, Lipetsk, and St. Petersburg, where 14 members of the cybercriminal gang were arrested. During the raids, authorities seized more than 426 million rubles, $600,000, and €500,000, along with 20 luxury vehicles and hordes of computer equipment.

While the identities of the hackers have not been made public at this time, video provided by the FSB shows officers chasing and handcuffing various individuals, while also rifling through apartments.

[…]

REvil has been high on America’s shit-list ever since it carried out the massive Kaseya ransomware attack last summer. The attack used malicious software updates in the tech firm’s popular IT products to infect upwards of 1,500 different companies worldwide—including many in the U.S.

[…]

But the gang has also allegedly been involved in attacks on hardware manufacturer Acer, celebrity law firm Grubman Shire Meiselas & Sacks (they reportedly leaked 2.4 gigabytes of Lady Gaga’s legal documents), and Quanta, a prominent computer parts supplier that works for Apple, among other big names. It also conducted a disruptive ransomware attack on meat-processing giant JBS Foods last May, temporarily forcing the company to shut down a number of its food production sites. All in all, they’ve caused quite a lot of damage.

[…]

Some commentators have noted the odd timing of the FSB’s operation, however. The U.S. and Russia are currently experiencing severe tensions over the political situation in Ukraine—where some U.S. commentators have alleged that Russia is preparing for a military invasion. As such, the possibility that Russia has arrested REvil as a kind of bargaining tactic with the U.S. seems plausible to some. “I think being concerned about Russia’s ulterior motives is perfectly reasonable,” John Hultquist, vice president of threat intelligence at cyber firm Mandiant, recently told WIRED.

[…]

Source: Russia Arrests Members of Notorious Ransomware Gang REvil

Teen hacker finds bug that lets him control 25+ Teslas remotely. Also 1000s of auth tokens expired simultaneously

A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday.

David Colombo explained in the thread that the flaw was “not a vulnerability in Tesla’s infrastructure. It’s the owner’s fault.” He claimed to be able to disable a car’s remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car’s exact location.

[…]

On a related note, early on Wednesday morning, a third-party Tesla app called TezLab reported that it saw the “simultaneous expiry of several thousand Tesla authentication tokens from Tesla’s side.” TezLab’s app makes use of Tesla APIs that allow apps to do things like log in to the car and enable or disable the anti-theft camera system, unlock the doors, open the windows, and so on.

Source: Teen hacker finds bug that lets him control 25+ Teslas remotely | Ars Technica

Ransomware puts New Mexico prison in lockdown, closes doors, security cameras to personnel

[…]

Commissioners told the court that all of Bernalillo County, which covers the US state of New Mexico’s largest city Albuquerque, had been affected by a January 5, 2022, ransomware attack, including the Metropolitan Detention Center (MDC) that houses some of the state’s incarcerated.

[…]

Over the phone, a spokesperson for the facility told The Register on Wednesday that services are still being repaired.

The attack took automatic security doors offline on January 5th, requiring officials to open doors manually with keys until that particular function could be revived.

Officials said in their filing that County-operated databases, servers, and internet service had been compromised. At MDC, this has meant limited access to email and no access to County wireless internet. This is particularly problematic, the officials say, because the MDC’s structure and location interferes with cellular service.

“One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras,” they explained. “As of the evening of January 5th, there was no access to cameras within the facility.”

MDC instituted a temporary lockdown in response to the situation. Court-related video conferences are also not happening.

Several County databases at MDC are also believed to have been corrupted by the attack.

“The Incident Tracking System (ITS), the database in which MDC creates and houses all incident reports, including inmate fights, use of force, allegations of violations of the Prison Rape Elimination Act, is not currently available as it is suspected to be corrupted by the attack,” the filing states.

“Further, the Offender Management System (OMS) which MDC uses to store and access information about inmates including inmate account data is likewise unavailable at the present.”

[…]

The plaintiffs in the case have taken the opportunity to submit the statement [PDF] of a registered nurse who announced that she was quitting her job at MDC because of concerns about conditions there. The nurse, Taileigh Sanchez, describes dire staff shortages at MDC and problems with a new electronic medical records system, issues that have been made worse by the ransomware attack.

The attack denied access to current medical records, she said, which may have prevented some inmates from getting their medications.

Sanchez said she told supervisors about her concerns – which date back before the ransomware hit – but faced retaliation. “Even though I like my job, and have even been here 11 years, I will be resigning my full-time position effective immediately due to the safety concerns I have for our clientele and our staff,” she said in her declaration.

Source: Ransomware puts New Mexico prison in lockdown • The Register

T-Mobile Has Suffered Yet Another Data Breach

The news comes via internal documents shared with The T-Mo Report, embedded below. They state that there was “unauthorized activity” on some customer accounts. That activity was either the viewing of customer proprietary network information (CPNI), an active SIM swap by a malicious actor, or both.

This comes just on the heels of a previous breach back in August. This time around, though, the damage appears to be much less severe. It seems only a small subset of customers are affected. There is no further detail about what exactly happened, with the documents simply saying that some info was leaked.

Affected customers fall into one of three categories. First, a customer may have only been affected by a leak of their CPNI. This information may include the billing account name, phone numbers, number of lines on the account, account numbers, and rate plan info. That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers.

The second category an affected customer might fall into is having their SIM swapped. This is where a malicious actor will change the physical SIM card associated with a phone number in order to obtain control of said number. This can, and often does, lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number. The document says that customers affected by a SIM swap have now had that action reversed.

The final category is simply both of the other two. Affected customers could have had both their private CPNI viewed as well as their SIM card swapped.

[…]

Source: [Update: T-Mobile Statement] Exclusive: T-Mobile Has Suffered Yet Another Data Breach

UK National Crime Agency finds 225 million previously unexposed passwords

The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords.

We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to check if their credentials have been exposed.

The NCA shared 585,570,857 passwords with HIBP, and Hunt said 225,665,425 of them were passwords he had not seen before among the 613 million credentials HIBP already stored before the NCA handed over this new batch.
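The “secure search” mentioned above is the Pwned Passwords k-anonymity range lookup: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the rest locally against the suffixes the service returns. The example below is added here and is not code from HIBP or The Register; the `fetch_range` function is a hypothetical stand-in that answers from a constructed table instead of calling `api.pwnedpasswords.com`, and the breach counts in that table are made up.

```python
"""Offline demonstration of a Pwned Passwords style k-anonymity check."""
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    return digest[:5], digest[5:]


def build_range_table(known_passwords, counts):
    """Constructed stand-in for the service's data: {prefix: [(suffix, count)]}."""
    table = {}
    for pw, n in zip(known_passwords, counts):
        prefix, suffix = split_hash(sha1_hex(pw))
        table.setdefault(prefix, []).append((suffix, n))
    return table


# Constructed sample data (counts are invented); two passwords from the article's list.
KNOWN = build_range_table(["flamingo228", "123Tests", "password"], [3, 12, 100000])


def fetch_range(prefix: str) -> str:
    """Hypothetical replacement for GET /range/<prefix>; returns 'SUFFIX:COUNT' lines."""
    rows = KNOWN.get(prefix, [])
    return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, fetch=fetch_range, sent=None) -> int:
    """Return how often the password appears in the (constructed) corpus, else 0.

    Only the hash prefix is handed to fetch(); `sent` (optional list) records
    exactly what left the client so a caller can verify the privacy property.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    if sent is not None:
        sent.append(prefix)
    for line in fetch(prefix).splitlines():
        got_suffix, _, count = line.strip().partition(":")
        if got_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["flamingo228", "123Tests", "correct-horse-battery-staple"]:
        print(pw, "->", pwned_count(pw))
```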

The NCA sent Hunt a statement explaining how it found the passwords:

During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.

The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offences.

The NCA’s statement to Hunt did not reveal the source of the password trove, or how it was discovered. Hunt did reveal the following were found among the newly compromised passwords.

  • flamingo228
  • Alexei2005
  • 91177700
  • 123Tests
  • aganesq

Today’s release brings the total Pwned Passwords count to 847,223,402, a 38 percent increase over the last release. 5,579,399,834 occurrences of a compromised password are represented across HIBP.

[…]

Source: UK National Crime Agency finds 225 million previously unexposed passwords • The Register