How NSO Group’s zero-click iPhone-Hacking Exploit Works

[…] researchers managed to technically deconstruct just how one of the company’s notorious “zero-click” attacks works. Indeed, researchers with Google’s Project Zero published a detailed breakdown that shows how an NSO exploit, dubbed “FORCEDENTRY,” can swiftly and silently take over a phone.

[…]

Initial details about it were captured by Citizen Lab, a research unit at the University of Toronto that has frequently published research related to NSO’s activities. Citizen Lab researchers managed to get ahold of phones that had been subjected to the company’s “zero-click” attacks and, in September, published initial research about how they worked. Around the same time, Apple announced it was suing NSO and also published security updates to patch the problems associated with the exploit.

Citizen Lab ultimately shared its findings with Google’s researchers who, as of last week, finally published their analysis of the attacks. As you might expect, it’s pretty incredible—and frightening—stuff.

[…]

Probably the most terrifying thing about FORCEDENTRY is that, according to Google’s researchers, the only thing necessary to hack a person was their phone number or their AppleID username.

Using one of those identifiers, the wielder of NSO’s exploit could quite easily compromise any device they wished. The attack process was simple: What appeared to be a GIF was texted to the victim’s phone via iMessage. However, the image in question was not actually a GIF; instead, it was a malicious PDF that had been dressed up with a .gif extension. Within the file was a highly sophisticated malicious payload that could hijack a vulnerability in Apple’s image processing software and use it to quickly take over valuable resources within the targeted device.

[…]

what FORCEDENTRY did was exploit a zero-day vulnerability within Apple’s image rendering library, CoreGraphics—the software that iOS uses to process on-device imagery and media. That vulnerability, officially tracked as CVE-2021-30860, is associated with an old piece of free, open-source code that iOS was apparently leveraging to encode and decode PDF files—the Xpdf implementation of JBIG2.

Here’s where the attack gets really wild, though. By exploiting the image processing vulnerability, FORCEDENTRY was able to get inside the targeted device and use the phone’s own memory to build a rudimentary virtual machine, basically a “computer within a computer.” From there, the machine could “bootstrap” NSO’s Pegasus malware from within, ultimately relaying data back to whoever had deployed the exploit.

[…]

The vulnerability related to this exploit was fixed in Apple’s iOS 14.8 update (issued in September), though some computer researchers have warned that if a person’s phone was compromised by Pegasus prior to the update, a patch may not do all that much to keep intruders out.

[…]

Source: How NSO Group’s iPhone-Hacking Exploit Works

Hackers Steal $135 Million From Users of Crypto Gaming Company

In the latest hack targeting cryptocurrency investors, hackers stole around $135 million from users of the blockchain gaming company VulcanForge, according to the company.

The hackers stole the private keys to access 96 wallets, siphoning off 4.5 million PYR, which is VulcanForge’s token that can be used across its ecosystem, the company said in a series of tweets on Sunday and Monday. VulcanForge’s main business involves creating games such as VulcanVerse, which it describes as an “MMORPG,” and a card game called Berserk. Both titles, like pretty much all blockchain games, appear chiefly designed as vehicles to buy and sell in-game items linked to NFTs using PYR.

[…]

This is the third major theft of cryptocurrency in the last eleven days. The total amount of stolen cryptocurrency in these three hacks is around $404 million. On Dec. 2, it was BadgerDAO, a blockchain-based decentralized finance (DeFi) platform, which lost $119 million. The company is asking the hacker to please “do the right thing” and return the money. Then four days later, cryptocurrency exchange BitMart got hacked, losing $150 million.

The VulcanForge hack is notable because, like many new tokens, PYR trades on decentralized exchanges. Decentralized exchanges run on smart contracts, and because there’s no centralized order book, investors trade against “liquidity pools” with funds contributed by users who earn a “staking” reward in return. It also means there’s no central authority to blocklist a malicious account trying to cash out stolen funds.

Since the hack, VulcanForge has advised users to remove their liquidity in order to make it difficult or impossible for the attacker to cash out. As The Block reported, the hacker has so far managed to cash out most of the tokens by trading small amounts at a time, although not without sending PYR’s price into a downward spiral due to the sell pressure. On Discord, a bot message has been asking users every half hour: “Anyone that has LP in uniswap or quickswap remove it ASAP.”

[…]

Source: Hackers Steal $140 Million From Users of Crypto Gaming Company

Ukraine arrests 51 for selling data of 300 million people in US, EU

Ukrainian law enforcement arrested 51 suspects believed to have been selling, on hacking forums, stolen personal data belonging to hundreds of millions of people worldwide, including in Ukraine, the US, and Europe.

“As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized,” the Cyberpolice Department of the National Police of Ukraine said.

“The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States.”

Following this large-scale operation, Ukrainian police also shut down one of the largest sites used to sell personal information stolen from both Ukrainians and foreigners (the site’s name was not revealed in the press release).

On the now shut-down illegal marketplace, suspects were selling a wide range of stolen personal data, including telephone numbers, surnames, names, addresses, and, in some cases, vehicle registration info.

[…]

Source: Ukraine arrests 51 for selling data of 300 million people in US, EU

Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package, hugely popular

A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.

The 0-day was tweeted along with a POC posted on GitHub. When this was first posted the vulnerability was so new that there was no CVE to track it; it has since been published as CVE-2021-44228.

This post provides resources to help you understand the vulnerability and how to mitigate it for yourself.

Who is impacted?

Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.

Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.

Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j2.

Simply changing an iPhone’s name has been shown to trigger the vulnerability in Apple’s servers.

Updates (3 hours after posting): According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false, meaning JNDI cannot load remote code using LDAP.

However, there are other attack vectors targeting this vulnerability which can result in RCE. An attacker could still leverage existing code on the server to execute a payload. An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers, is discussed in this blog post.

Affected Apache log4j2 Versions

2.0 <= Apache log4j <= 2.14.1

Permanent Mitigation

Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Maven Central here, with [release notes] and [log4j security announcements].

The release can also be downloaded from the Apache Log4j Download page.
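A defender-side check for the affected range above, as an added example (not LunaSec's tooling): it walks a directory tree, reads each JAR's Maven pom.properties to recover the log4j-core version, and flags anything in 2.0 <= version <= 2.14.1. The pom.properties path is the standard location Maven writes into built JARs; the two JARs the demo creates are constructed fixtures.

```python
"""Scan a directory tree for log4j-core JARs and flag versions in the
affected range 2.0 <= version <= 2.14.1 (CVE-2021-44228).
Added example, not LunaSec's or Apache's own tooling."""
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Tuple

# Standard location Maven writes artifact coordinates into a built JAR.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' (or '2.15.0-rc1') into a comparable tuple, dropping qualifiers."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version falls inside the vulnerable range named in the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def log4j_core_version(jar_path: str) -> Optional[str]:
    """Read the log4j-core version from the JAR's embedded pom.properties.
    Returns None when the file is not a valid zip or is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPERTIES not in jar.namelist():
                return None
            props = jar.read(POM_PROPERTIES).decode("utf-8", errors="replace")
    except zipfile.BadZipFile:
        return None
    match = re.search(r"^version=(.+)$", props, re.MULTILINE)
    return match.group(1).strip() if match else None


def scan_tree(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, version, affected) for every log4j-core JAR under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                yield path, version, is_affected(version)


def make_fake_log4j_jar(path: str, version: str) -> None:
    """Constructed test fixture: a JAR holding only the Maven pom.properties."""
    body = (
        f"version={version}\n"
        "groupId=org.apache.logging.log4j\n"
        "artifactId=log4j-core\n"
    )
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES, body)


def demo() -> Dict[str, bool]:
    """Build one affected and one fixed fixture JAR and scan them.
    Returns {jar file name: affected}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_log4j_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_fake_log4j_jar(os.path.join(tmp, "lib", "log4j-core-2.15.0.jar"), "2.15.0") \
            if os.makedirs(os.path.join(tmp, "lib"), exist_ok=True) is None else None
        return {os.path.basename(p): hit for p, _v, hit in scan_tree(tmp)}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'AFFECTED' if hit else 'ok'}")
```

Shaded or repackaged JARs may not carry pom.properties, so treat a None result as "unknown", not as safe.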

[…]

Source: Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package | LunaSec

You can find sites that have been exploited at https://github.com/YfryTchsGD/Log4jAttackSurface

Cuba ransomware gang scores almost $44m from 49 victims: FBI

The US Federal Bureau of Investigation (FBI) says 49 organisations, including some in government, were hit by Cuba ransomware as of early November this year.

The attacks were spread across five “critical infrastructure” sectors, which, besides government, included the financial, healthcare, manufacturing, and – as you’d expect – IT sectors. The Feds said late last week the threat actors are demanding $76m in ransoms and have already received at least $43.9m in payments.

The ransomware gang’s loader of choice, Hancitor, was the culprit, distributed via phishing emails, or via exploit of Microsoft Exchange vulnerabilities, compromised credentials, or Remote Desktop Protocol (RDP) tools. Hancitor – also known as Chanitor or Tordal – enables a CobaltStrike beacon as a service on the victim’s network using a legitimate Windows service like PowerShell.

[…]

Source: Cuba ransomware gang scores almost $44m from 49 victims: FBI • The Register

$150m – $200m of digital assets stolen in BitMart security breach

Cryptocurrency exchange BitMart has coughed to a large-scale security breach relating to ETH and BSC hot wallets. The company reckons that hackers made off with approximately $150m in assets.

Security and analytics outfit PeckShield put the figure at closer to $200m.

“We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets today. At this moment we are still concluding the possible methods used. Hackers were able to withdraw assets of the value of approximately 150 million USD,” BitMart said.

“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” it added.

Worryingly for customers, BitMart has blocked withdrawals until it has completed a “thorough security review” or, in the common metaphor, shut the stable door after the horse has bolted.

[…]

Source: $150m of digital assets stolen in BitMart security breach • The Register

Suspected Russian Activity Targeting Government and Business Entities Around the Globe after Solarwinds

Mandiant continues to track multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. Based on our assessment of these activities, we have identified two distinct clusters of activity, UNC3004 and UNC2652. We associate both groups with UNC2452, also referred to as Nobelium by Microsoft.

Some of the tactics Mandiant has recently observed include:

  • Compromise of multiple technology solutions, services, and reseller companies since 2020.
  • Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
  • Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
  • Use of both residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims.
  • Use of novel TTPs to bypass security restrictions within environments including, but not limited to, the extraction of virtual machines to determine internal routing configurations.
  • Use of a new bespoke downloader we call CEELOADER.
  • Abuse of multi-factor authentication leveraging “push” notifications on smartphones.

In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.

The sections below highlight intrusion activity from multiple incident response efforts that are currently tracked as multiple uncategorized clusters. Mandiant suspects the multiple clusters to be attributable to a common Russian threat. The information below covers some of the Tactics, Techniques, and Procedures (TTPs) used by the threat actors for initial compromise, establishing a foothold, data collection, and lateral movement; how the threat actors provision infrastructure; and indicators of compromise. The information is being shared to raise awareness and allow organizations to better defend themselves.

[…]

Source: Suspected Russian Activity Targeting Government and Business Entities Around the Globe | Mandiant

Someone is hacking receipt printers with ‘antiwork’ messages

Hackers are attacking business receipt printers to insert pro-labor messages, according to a report from Vice and posts on Reddit. “Are you being underpaid?”, reads one message and “How can the McDonald’s in Denmark pay their staff $22 an hour and still manage to sell a Big Mac for less than in America?” another states.

Numerous similar images have been posted on Reddit, Twitter and elsewhere. The messages vary, but most point readers toward the r/antiwork subreddit that recently became popular during the COVID-19 pandemic, as workers started demanding more rights.

Some users suggested that the messages were fake, but a cybersecurity firm that monitors the internet told Vice that they’re legit. “Someone is… blast[ing] raw TCP data directly to printer services across the internet,” GreyNoise founder Andrew Morris told Vice. “Basically to every single device that has port TCP 9100 open, and print[ing] a pre-written document that references /r/antiwork with some workers rights/counter capitalist messaging.”

The individual[s] behind the attack are using 25 separate servers, according to Morris, so blocking one IP won’t necessarily stop the attacks. “A technical person is broadcasting print requests for a document containing workers rights messaging to all printers that are misconfigured to be exposed to the internet, and we’ve confirmed that it is printing successfully in some number of places,” he said.

[…]

Source: Someone is hacking receipt printers with ‘antiwork’ messages | Engadget

Someone Is Running Hundreds of Malicious Servers on Tor Network

New research shows that someone has been running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and unmask their web activity. As first reported by The Record, the activity would appear to be emanating from one particular user who is persistent, sophisticated, and somehow has the resources to run droves of high-bandwidth servers for years on end.

[…]

The malicious servers were initially spotted by a security researcher who goes by the pseudonym “nusenu” and who operates their own node on the Tor network. On their Medium, nusenu writes that they first uncovered evidence of the threat actor—which they have dubbed “KAX17”—back in 2019. After doing further research into KAX17, they discovered that they had been active on the network as far back as 2017.

In essence, KAX appears to be running large segments of Tor’s network—potentially in the hopes of being able to track the path of specific web users and unmask them.

[…]

in the case of KAX17, the threat actor appears to be substantially better resourced than your average dark web malcontent: they have been running literally hundreds of malicious servers all over the world—activity that amounts to “running large fractions of the tor network,” nusenu writes. With that amount of activity, the chances that a Tor user’s circuit could be traced by KAX is relatively high, the researcher shows.

Indeed, according to nusenu’s research, KAX at one point had so many servers—some 900—that you had a 16 percent likelihood of using their relay as a first “hop” (i.e., node in your circuit) when you logged onto Tor. You had a 35 percent chance of using one of their relays during your 2nd “hop,” and a 5 percent chance of using them as an exit relay, nusenu writes.

There’s also evidence that the threat actor engaged in Tor forum discussions, during which they seem to have lobbied against administrative actions that would have removed their servers from the network.

[…]

Many of the threat actor’s servers were removed by the Tor directory authorities in October 2019. Then, just last month, authorities again removed a large number of relays that seemed suspicious and were tied to the threat actor. However, in both cases, the actor seems to have immediately bounced back and begun reconstituting, nusenu writes.

It’s unclear who might be behind all this, but it seems that, whoever they are, they have a lot of resources. “We have no evidence, that they are actually performing de-anonymization attacks, but they are in a position to do so,” nusenu writes. “The fact that someone runs such a large network fraction of relays…is enough to ring all kinds of alarm bells.”

“Their actions and motives are not well understood,” nusenu added.

Source: Someone Is Running Hundreds of Malicious Servers on Tor Network

U.S. State Department phones hacked with Israeli company NSO spyware

Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.

The hacks, which took place in the last several months, hit U.S. officials either based in Uganda or focused on matters concerning the East African country, two of the sources said.

The intrusions, first reported here, represent the widest known hacks of U.S. officials through NSO technology. Previously, a list of numbers with potential targets including some American officials surfaced in reporting on NSO, but it was not clear whether intrusions were always tried or succeeded.

Reuters could not determine who launched the latest cyberattacks.

NSO Group said in a statement on Thursday that it did not have any indication their tools were used but canceled access for the relevant customers and would investigate based on the Reuters inquiry.

[…]

Source: U.S. State Department phones hacked with Israeli company spyware – sources | Reuters

Really stupid “smart contract” bug let hackers steal $31 million in digital coin

Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts.

The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity,” MonoX company representatives say here. “It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design.”

An accounting error built into the company’s software let an attacker inflate the price of the MONO token and to then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol.

Specifically, the hack used the same token as both the tokenIn and tokenOut, which are methods for exchanging the value of one token for another. MonoX updates prices after each swap by calculating new prices for both tokens. When the swap is completed, the price of tokenIn—that is, the token sent by the user—decreases and the price of tokenOut—or the token received by the user—increases.

By using the same token for both tokenIn and tokenOut, the hacker greatly inflated the price of the MONO token because the updating of the tokenOut overwrote the price update of the tokenIn. The hacker then exchanged the token for $31 million worth of tokens on the Ethereum and Polygon blockchains.

There’s no practical reason for exchanging a token for the same token, and therefore the software that conducts trades should never have allowed such transactions. Alas, it did, despite MonoX receiving three security audits this year.
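The tokenIn/tokenOut overwrite described above, as an added toy model in Python (not MonoX's contract code; the fixed 10% price move per swap is an assumption standing in for the real pricing curve), with the unchecked update beside the hardened check:

```python
"""Toy model of the MonoX price-update flaw: a swap whose tokenIn and tokenOut
are the same token. Added example; the 10% per-swap price move is an assumption
for illustration, not MonoX's pricing logic."""
from typing import Dict, Tuple


class SingleTokenPool:
    """Every token is priced against a virtual quote asset (vCASH in MonoX).
    A swap lowers the price of tokenIn and raises the price of tokenOut."""

    def __init__(self, prices: Dict[str, float], impact: float = 0.10) -> None:
        self.prices = dict(prices)
        self.impact = impact  # assumed fixed fractional move per swap

    def _update_prices(self, token_in: str, token_out: str) -> None:
        # Both new prices are computed from the pre-swap state, then written
        # tokenIn first, tokenOut second. When both names are the same key,
        # the second write silently discards the decrease.
        new_in = self.prices[token_in] * (1 - self.impact)
        new_out = self.prices[token_out] * (1 + self.impact)
        self.prices[token_in] = new_in
        self.prices[token_out] = new_out

    def swap_vulnerable(self, token_in: str, token_out: str) -> None:
        """Pre-fix behaviour: no check that the two tokens differ."""
        self._update_prices(token_in, token_out)

    def swap_fixed(self, token_in: str, token_out: str) -> None:
        """Hardened behaviour: reject a self-swap before touching any state."""
        if token_in == token_out:
            raise ValueError("tokenIn and tokenOut must be different tokens")
        self._update_prices(token_in, token_out)


def normal_swap_prices() -> Tuple[float, float]:
    """A legitimate MONO -> WETH swap: MONO falls, WETH rises."""
    pool = SingleTokenPool({"MONO": 1.0, "WETH": 4000.0})
    pool.swap_vulnerable("MONO", "WETH")
    return pool.prices["MONO"], pool.prices["WETH"]


def self_swap_price(rounds: int) -> float:
    """MONO price after `rounds` MONO -> MONO swaps on the unchecked pool.
    Each round should net out to a decrease; instead it compounds upward."""
    pool = SingleTokenPool({"MONO": 1.0, "WETH": 4000.0})
    for _ in range(rounds):
        pool.swap_vulnerable("MONO", "MONO")
    return pool.prices["MONO"]


def fixed_pool_rejects_self_swap() -> bool:
    """The hardened swap raises and leaves the price untouched."""
    pool = SingleTokenPool({"MONO": 1.0})
    try:
        pool.swap_fixed("MONO", "MONO")
    except ValueError:
        return pool.prices["MONO"] == 1.0
    return False


if __name__ == "__main__":
    print("normal swap (MONO, WETH):", normal_swap_prices())
    print("MONO after 10 self-swaps on unchecked pool:", round(self_swap_price(10), 4))
    print("fixed pool rejects self-swap:", fixed_pool_rejects_self_swap())
```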

[…]

Blockchain researcher Igor Igamberdiev took to Twitter to break down the makeup of the drained tokens. Tokens included $18.2 million in Wrapped Ethereum, $10.5 million in MATIC tokens, and $2 million worth of WBTC. The haul also included smaller amounts of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X.

Only the latest DeFi hack

MonoX isn’t the only decentralized finance protocol to fall victim to a multimillion-dollar hack. In October, Indexed Finance said it lost about $16 million in a hack that exploited the way it rebalances index pools. Earlier this month, blockchain-analysis company Elliptic said so-called DeFi protocols have lost $12 billion to date due to theft and fraud. Losses in the first roughly 10 months of this year reached $10.5 billion, up from $1.5 billion in 2020.

[…]

Source: Really stupid “smart contract” bug let hackers steal $31 million in digital coin | Ars Technica

Malware Attack Via Millions of Phishing Text Messages Spreads in Finland

Finland is working to stop a flood of text messages of an unknown origin that are spreading malware.

The messages with malicious links to malware called FluBot number in the millions, according to Aino-Maria Vayrynen, information security specialist at the National Cyber Security Centre. Telia Co AB, the country’s second-biggest telecommunications operator, has intercepted some hundreds of thousands of messages.

“The malware attack is extremely exceptional and very worrying,” Teemu Makela, chief information security officer at Elisa Oyj, the largest telecoms operator, said by phone. “Considerable numbers of text messages are flying around.”

The messages started beeping on Finns’ mobiles late last week, prompting the National Cyber Security Centre to issue a “severe alert.” The campaign is worse than a previous bout of activity in the summer, Antti Turunen, fraud manager at Telia, said.

Many of the messages claim that the recipient has received a voice mail, asking them to open a link. On Android devices, that brings up a prompt that requests the user to allow installation of an application that contains the malware, and on Apple Inc.’s iPhones users are taken to other fraudulent material on the website, authorities said.

[…]

Source: Malware Attack Via Millions of Text Messages Spreads in Finland – Bloomberg

Don’t click on linkbait!

GoDaddy Managed WordPress compromised, 1.2m people’s data exposed – sFTP, SSL keys, admin passwords, etc.

GoDaddy has admitted to America’s financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys.

In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an “unauthorized third-party” had been roaming around part of its Managed WordPress service, which essentially stores and hosts people’s websites.

[…]

Those infosec sleuths, we’re told, found evidence that an intruder had been inside part of GoDaddy’s website provisioning system, described by Comes as a “legacy code base,” since September 6, gaining access using a “compromised password.”

The miscreant was able to view up to 1.2 million customer email addresses and customer ID numbers, and the administrative passwords generated for WordPress instances when they were provisioned. Any such passwords unchanged since the break-in have been reset.

According to GoDaddy, the sFTP and database usernames and passwords of active user accounts were accessible, too, and these have been reset as well.

“For a subset of active customers, the SSL private key was exposed,” Comes added. “We are in the process of issuing and installing new certificates for those customers.” GoDaddy has not responded to a request for further details and exact numbers of users affected.

[…]

Source: GoDaddy Managed WordPress compromised, user data exposed • The Register

Project Collects ‘Every’ NFT In One Giant 20TB Download

Hours ago, a website appeared online with the express purpose of hosting a nearly 20TB torrent (that’s terabytes, folks, the big boys of digital data measurement) containing every NFT available through the Ethereum and Solana blockchains.

The NFT Bay, whose name and overall design riff on iconic torrent database The Pirate Bay, is the work of one Geoffrey Huntley, an Australian software and dev ops engineer. In a frequently asked questions document written up for annoying reporters like me, Huntley describes The NFT Bay as an “educational art project” designed to teach the public about what NFTs are and aren’t, in the hopes that fewer folks get swindled by the technology’s innumerable grifters.

A logo of a pirate ship underlined by text reading "The NFT Bay" in a fancy script.
Image: Geoffrey Huntley

“Fundamentally, I hope people learn to understand what people are buying when purchasing NFT art right now is nothing more than directions on how to access or download an image,” Huntley explained. “The image is not stored on the blockchain and the majority of images I’ve seen are hosted on web 2.0 storage, which is likely to end up as 404, meaning the NFT has even less value.

[…]

“[NFTs] are only valuable as tools for money laundering, tax evasion, and greater fool investment fraud,” wrote computer scientist Antsstyle in a scathing criticism of the technology, the long version of which is perhaps the most comprehensive breakdown of the ills posed by NFTs, cryptocurrency, and the blockchain on which they operate. “There is zero actual value to NFTs. Their sole purpose is to create artificial scarcity of an artwork to supposedly increase its value.”

Source: Project Collects ‘Every’ NFT In One Giant 20TB Download

Canadian teen arrested for stealing $36.5m of cryptocurrency

A Canadian teenager has been arrested for allegedly stealing $37 million worth of cryptocurrency ($46M Canadian) via a SIM swap scam, making it the largest virtual cash heist affecting a single person yet, according to police.

Together with the FBI and the US Secret Service Electronic Crimes Task Force, Hamilton Police in the Canadian province of Ontario launched a joint probe to investigate the breach of a US resident’s mobile phone account.

The victim was reportedly targeted with a SIM swap attack – their phone number was hijacked and ported to a different phone belonging to the attacker. The miscreant was then able to enter personal accounts via two-factor authentication requests and obtain details of the victim’s cryptocurrency wallet. From there, millions of dollars were siphoned off, it’s claimed.

“The joint investigation revealed that some of the stolen cryptocurrency was used to purchase an online username that was considered to be rare in the gaming community,” according to a statement from Hamilton Police.

“This transaction led investigators to uncover the account holder of the rare username,” it confirmed.

The teen was arrested for theft and possession of property. Police have seized over $5.5 million worth of cryptocurrencies in the case so far.

Source: Canadian teen arrested for stealing $36.5m of cryptocurrency • The Register

Amazon textbook rental service scammed for $1.5m

A 36-year-old man from Portage, Michigan, was arrested on Thursday for allegedly renting thousands of textbooks from Amazon and selling them rather than returning them.

[…]

Also indicted were three alleged co-conspirators: Gregory Mark Gleesing, 43, and Lovedeep Singh Dhanoa, 25, both from Portage, Michigan, and Paul Steven Larson, 32, from Kalamazoo, Michigan.

From January 2016 through March 2021, according to the indictment, Talsma rented textbooks from the Amazon Rental program in order to sell them for a profit. The indictment describes what occurred as “a sophisticated fraud scheme.”

Talsma allegedly disguised his identity by creating multiple customer accounts with different names, mailing addresses, email addresses, and phone numbers. He supposedly did so to bypass the 15 book limit Amazon placed on textbook rentals.

His alleged fraud scheme involved using Amazon gift cards to rent the textbooks and prepaid MyVanilla Visa cards with minimal credit balances to cover the buyout price charged for books not returned.

[…]

made sure that the MyVanilla Visa cards did not have sufficient credit balances, or any balance at all, when the textbook rentals were past due so that Amazon could not collect the book buyout price from those cards.”

[…]

As the scheme progressed, the indictment says, Talsma “recruited individuals, including defendants Gregory Mark Gleesing, Lovedeep Singh Dhanoa, and Paul Steven Larson, and other individuals known to the grand jury, to allow him to use their names and mailing addresses to further continue receiving rental textbooks in amounts well above the fifteen-book limit.”

Talsma would call Amazon’s customer service department and claim that instead of the textbooks ordered, he had received other items that could not be returned by mail, like flammable objects. Or he would claim he never received any textbooks, in the hope Amazon would credit him for unreceived goods and forget about the rental. And later, he is said to have taught Gleesing, Dhanoa, and Larson to do the same.

Titles taken included “Compensation,” by Jerry Newman, Barry Gerhart, and George Milkovich, which lists a Buyout Price of $172.05, and “Economics,” by Campbell McConnell, Stanley Brue, and Sean Flynn, which lists a Buyout Price of $108.00.

The scheme appears to have been fairly successful: The indictment says the four alleged scammers stole 14,000 textbooks worth over $1.5m.

[…]

Source: Amazon textbook rental service scammed for $1.5m • The Register

FBI email servers were hacked to target a security researcher

The FBI appears to have been used as a pawn in a fight between hackers and security researchers. According to Bleeping Computer, the FBI has confirmed intruders compromised its email servers early today (November 13th) to send fake messages claiming recipients had fallen prone to data breaches. The emails tried to pin the non-existent attacks on Vinny Troia, the leader of dark web security firms NightLion and Shadowbyte.

The non-profit intelligence organization Spamhaus quickly shed light on the bogus messages. The attackers used legitimate FBI systems to conduct the attack, using email addresses scraped from a database for the American Registry for Internet Numbers (ARIN), among other sources. Over 100,000 addresses received the fake emails in at least two waves.

The FBI described the hack as an “ongoing situation” and didn’t initially have more details to share. It asked email recipients to report messages like these to the bureau’s Internet Crime Complaint Center or the Cybersecurity and Infrastructure Security Agency. Troia told Bleeping Computer he believed the perpetrators might be linked to “Pompomourin,” a persona that has attacked the researcher in the past.

[…]

Source: FBI email servers were hacked to target a security researcher | Engadget

ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough – how to pwn all MS Azure’s hosted databases for all customers – also shows value of responsible disclosure

This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where we were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers. In August 2021, we disclosed to Microsoft a new vulnerability in Cosmos DB that ultimately allowed us to retrieve numerous internal keys that can be used to manage the service, following this high-level workflow:

1. Set up a Jupyter Notebook container on your Azure Cosmos DB
2. Run any C# code to obtain root privileges
3. Remove firewall rules set locally on the container in order to gain unrestricted network access
4. Query WireServer to obtain information about installed extensions, certificates and their corresponding private keys
5. Connect to the local Service Fabric, list all running applications, and obtain the Primary Key to other customers’ databases
6. Access Service Fabric instances of multiple regions over the internet

In this post we walk you through every step of the way, to the point where we even gained administrative access to some of the magic that powers Azure.

[…]

Conclusion

We managed to gain unauthorized access to customers’ Azure Cosmos DB instances by taking advantage of a chain of misconfigurations in the Jupyter Notebook Container feature of Cosmos DB. We were able to prove access to thousands of companies’ Cosmos DB Instances (database, notebook environment, notebook storage) with full admin control via multiple authentication tokens and API keys. Among the affected customers are many Fortune 500 companies. We also managed to gain access to the underlying infrastructure that runs Cosmos DB and we were able to prove that this access can be maintained outside of the vulnerable application—over the internet. Overall, we think that this is as close as it gets to a “Service Takeover”.

Disclosure Timeline

August 09 2021 – Wiz Research Team first exploited the bug and gained unauthorized access to Cosmos DB accounts.
August 11 2021 – Wiz Research Team confirmed intersection with Wiz customers.
August 12 2021 – Wiz Research Team sent the advisory to Microsoft.
August 14 2021 – Wiz Research Team observed that the vulnerable feature has been disabled.
August 16 2021 – Microsoft Security Response Center (MSRC) confirmed the reported behavior (MSRC Case 66805).
August 16 2021 – Wiz Research Team observed that some obtained credentials have been revoked.
August 17 2021 – MSRC awarded $40,000 bounty for the report.
August 23 2021 – MSRC confirmed that several thousand customers were affected.
August 23 2021 – MSRC and Wiz Research Team discussed public disclosure strategy.
August 25 2021 – Public disclosure.

Source: ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough | Wiz Blog

The blog post is well worth reading

Got Anything To Talk About? These Dutch Hackers Want You To Say It To Them

As we head into another Northern Hemisphere pandemic winter and hope that things won’t be quite as bad this year, next summer seems an extremely long time away in the future. But it will be upon us sooner than we might think, and along with it will we hope come a resumption of full-scale hacker camps. One of the biggest will be in the Netherlands, where MCH 2022 will take place at the end of July, and if you’re up to casting your minds ahead far enough for that then they’re inviting submissions to their Call for Participation. Their events are always a memorable and relaxed opportunity to spend a few days in the sun alongside several thousand other like-minded individuals, so we’d urge you to give it some consideration.

If you’ve never delivered a conference talk before then it can be a daunting prospect, but in fact a hacker camp can be an ideal place to give it a first try. Unlike a more traditional technology conference where most of the attendees file into the auditorium, at hacker camps there is so much else on offer that many talks are delivered to only that sub group of attendees for whom the subject is of real interest. So there is less of the huge auditorium of anonymous crowds about it, and more of the small and friendly crowd of fellow enthusiasts. The great thing about our community is that there are as many different interests within it as there are individuals, so whatever your product, specialism, or favourite hobby horse might be, you’ll find people at a hacker camp who’d like to hear what you have to say.

If you’re still seeking inspiration, of course you might find it by looking at the schedule from SHA, the last Dutch camp.

Source: Got Anything To Talk About? These Dutch Hackers Want You To Say It To Them | Hackaday

Robinhood Hack Compromises Millions of Customer Email Addresses

Someone recently hacked and attempted to extort Robinhood, the popular investment and trading platform, gaining access to millions of customers’ email addresses and full names in the process.

The platform revealed the security incident in a blog post published Monday, assuring users that nobody had lost any money as a result of the incident.

“An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers,” the company revealed, while emphasizing that the breach had since been contained and that there had been “no financial loss to any customers.”

The incident, which took place on Nov. 3, was apparently the result of a social engineering scheme that targeted a customer support employee. The hacker convinced the employee that they were cleared to access “certain customer support systems,” and subsequently gained access to the email addresses of approximately 5 million customers and the full names of approximately 2 million customers, the company said.

For a much smaller subset of customers, the data breach was substantially more invasive: “We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed,” the company’s blog post says.

Afterward, the criminal attempted to extort the company with the information it had stolen.

[…]

Source: Robinhood Hack Compromises Millions of Customer Email Addresses

Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year

Hackers have stolen an estimated $130 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.

The incident, detected earlier today by blockchain security firms PeckShield and SlowMist, was confirmed by the Cream Finance team earlier today.

The attackers are believed to have found a vulnerability in the platform’s lending system —called flash loaning— and used it to steal all of Cream’s assets and tokens running on the Ethereum blockchain, according to blockchain security firm BlockSec, which also posted an explanation of the security flaw on Twitter earlier today.

A breakdown of the stolen funds is available below, courtesy of the SlowMist team.

[Image: CreamFinance-hack-SlowMist, a breakdown of the stolen funds. Credit: SlowMist]

Roughly six hours after the attack, Cream Finance said it fixed the bug exploited in the hack with the help of cryptocurrency platform Yearn.

Even if the attacker’s initial wallet, used to exfiltrate a large chunk of the funds, has been identified, the funds have already been moved to new accounts, and there appears to be a small chance the stolen crypto can be tracked down and returned to the platform.

Third time’s a charm

Today’s hack marks the third time Cream Finance has been hacked this year after the company lost $37 million in February and another $29 million in August.

All attacks were flash loan exploits, a common way through which most DeFi platforms have been hacked over the past two years.

DeFi related hacks have accounted for 76% of all major hacks in 2021, and users have lost more than $474 million to attacks on DeFi platforms this year, CipherTrace said in a report in August.

Similarly, DeFi hacks also made up 21% of all the 2020 cryptocurrency hacks and stolen funds after being almost inexistent a year before, in 2019, the same CipherTrace said in a report last year.

The Cream heist also marks the second-largest cryptocurrency hack this year after DeFi platform Poly Network lost $600 million in August. However, the individual behind the Poly hack eventually returned all the stolen funds two weeks later on the promise the company won’t seek charges.

Source: Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year – The Record by Recorded Future

Hacker steals government ID database for Argentina’s entire population

A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.

The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons.

The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizen’s personal information.

Lionel Messi and Sergio Aguero data leaked on Twitter

The first evidence that someone breached RENAPER surfaced earlier this month on Twitter when a newly registered account named @AnibalLeaks published ID card photos and personal details for 44 Argentinian celebrities.

This included details for the country’s president Alberto Fernández, multiple journalists and political figures, and even data for soccer superstars Lionel Messi and Sergio Aguero.

A day after the images and personal details were published on Twitter, the hacker also posted an ad on a well-known hacking forum, offering to look up the personal details of any Argentinian user.

[Image: Argentina-DB. Credit: The Record]

Faced with a media fallback following the Twitter leaks, the Argentinian government confirmed a security breach three days later.

In an October 13 press release, the Ministry of Interior said its security team discovered that a VPN account assigned to the Ministry of Health was used to query the RENAPER database for 19 photos “in the exact moment in which they were published on the social network Twitter.”

Officials added that “the [RENAPER] database did not suffer any data breach or leak,” and authorities are now currently investigating eight government employees about having a possible role in the leak.

Hacker has a copy of the data, plans to sell and leak it

However, The Record contacted the individual who was renting access to the RENAPER database on hacking forums.

In a conversation earlier today, the hacker said they have a copy of the RENAPER data, contradicting the government’s official statement.

The individual proved their statement by providing the personal details, including the highly sensitive Trámite number, of an Argentinian citizen of our choosing.

[…]

Source: Hacker steals government ID database for Argentina’s entire population – The Record by Recorded Future

Yet again we see how centralised databases are such a good idea. And if countries are so terrible at protecting extremely sensitive data, how do you think weakening protections by allowing countries master key type access to encrypted data is going to make anything better for anyone?

Cybercrime Group Has Hacked Telecoms All Over the World since at least 2016

[…]A hacker gang, […] has been infiltrating telecoms throughout the world to steal phone records, text messages, and associated metadata directly from carrier users.

That’s according to a new report from cybersecurity firm CrowdStrike, which published a technical analysis of the mysterious group’s hacking campaign on Tuesday. The report, which goes into a significant amount of detail, shows that the hackers behind the campaign have managed to infiltrate 13 different global telecoms in the span of just two years.

Researchers say that the group, which has been active since 2016, uses highly sophisticated hacking techniques and customized malware to infiltrate and embed within networks. Reuters reports that this has included exfiltrating “calling records and text messages” directly from carriers. Earlier research on the group suggests it has also been known to target managed service providers as an entry point into specific industries—such as finance and consulting.[…]

Source: Cybercrime Group Has Been Hacked Telecoms All Over the World

LANtenna attack reveals Ethernet cable traffic contents from a distance

An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.

Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.

“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.

His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable’s radiations could then be picked up by the SDR (in Guri’s case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.

Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed were secure or otherwise air-gapped from the outside world.

He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.

“We could transmit both text and binary, and also achieve faster bit-rates,” acknowledged Guri when El Reg asked about the obvious limitations described in his paper [PDF]. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.”

[…]

Source: LANtenna attack reveals Ethernet cable traffic contents • The Register

Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly

A woman allegedly hacked into the systems of a flight training school in Florida to delete and tamper with information related to the school’s airplanes. In some cases, planes that previously had maintenance issues had been “cleared” to fly, according to a police report. The hack, according to the school’s CEO, could have put pilots in danger.

Lauren Lide, a 26-year-old who used to work for the Melbourne Flight Training school, resigned from her position of Flight Operations Manager at the end of November of 2019, after the company fired her father. Months later, she allegedly hacked into the systems of her former company, deleting and changing records, in an apparent attempt to get back at her former employer, according to court records obtained by Motherboard.

[…]

Source: Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly