The US Justice Department today announced indictments against four Russian government employees, who it alleges attempted a hacking campaign of the global energy sector that spanned six years and devices in roughly 135 countries. The two indictments were filed under seal last summer, and are finally being disclosed to the public.

The DOJ’s decision to release the documents may be a way to raise public awareness of the increased threat these kinds of hacks pose to US critical infrastructure in the wake of Russia’s invasion of Ukraine. State-sponsored hackers have targeted energy, nuclear, water and critical manufacturing companies for years, aiming to steal information on their control systems. Cybersecurity officials noticed a spike in Russian hacking activity in the US in recent weeks.

“Russian state-sponsored hackers pose a serious and persistent threat to critical infrastructure both in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco in a statement. “Although the criminal charges unsealed today reflect past activity, they make crystal clear the urgent ongoing need for American businesses to harden their defenses and remain vigilant.

The indictments allege that two separate campaigns occurred between 2012 and 2018. The first one, filed in June 2021, involves Evgeny Viktorovich Gladkikh, a computer programmer at the Russian Ministry of Defense. It alleges that Gladkik and a team of co-conspirators were members of the Triton malware hacking group, which launched a failed campaign to bomb a Saudi petrochemical plant in 2017. As TechCrunch noted, the Saudi plant would have been completely decimated if not for a bug in the code. In 2018, the same group attempted to hack US power plants but failed.

The second indictment charges three hackers who work for Russia’s intelligence agency, the Federal Security Service (FSB), as being the members of the hacking group Dragonfly, which coordinated multiple attacks on nuclear power plants, energy companies, and other critical infrastructure. It alleges that the three men, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov engaged in multiple computer intrusions between 2012 and 2017. The DOJ estimates that the three hackers were able to install malware on more than 17,000 unique devices in the US and abroad.

A second phase known as Dragonfly 2.0, which occurred between 2014 and 2017, targeted more than 3,300 users across 500 different energy companies in the US and abroad. According to the DOJ, the conspirators were looking to access the software and hardware in power plants that would allow the Russian government to trigger a shutdown.

The US government is still looking for the three FSB hackers. The State Department today announced a $10 million award for any information on their whereabouts. However, as the Washington Post notes, the US and Russia do not have an extradition treaty, so the likeliness of any of the alleged hackers being brought to trial by these indictments is slim.

Source: Justice Department indicts four Russian government workers in energy sector hacks | Engadget

British cops investigating a cyber-crime group have made a string of arrests.

Though City of London Police gave few details on Thursday, officers are said to be probing the notorious extortionware gang Lapsus$, and have detained and released seven people aged 16 to 21.

In a statement, the force said: “Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.”

Among them is a 16-year-old boy from Oxford who has been accused of being one of the crew’s leaders, the BBC reported. He cannot be identified for legal reasons.

[…]

Bloomberg first reported the boy’s alleged involvement with the extortion gang on Wednesday, and claims by security researchers that he was the crew’s mastermind. Lapsus$ is the devil-may-care team of miscreants that have broken into major firms including Microsoft, Samsung, Vodafone, and Okta.

It is said the boy netted about $14m in Bitcoin from his online life, and was lately doxxed – which means he had his personal info leaked online – after an apparent falling out with his business partners.

[…]

The cyber-crime ring rose to fame in recent months for its brash tactics and its propensity to brag about its exploits on Telegram. Its standard operating procedure is to infiltrate a big target’s network, steal sensitive internal data, make demands to prevent the public release of this material – and usually release some of it anyway.

[…]

In February, however, the criminals sneaked into Nvidia‘s networks and stole one terabyte of data including employee credentials and proprietary information, and dumped some of it online.

Days later Lapsus$ said it had raided Samsung and stole 190GB of internal files including some Galaxy device source code.

The criminal group followed that up by claiming it was responsible for a cybersecurity incident at gaming giant Ubisoft.

‘Motivated by theft and destruction’

Microsoft, in its days-late confirmation that Lapsus$, which the Windows giant calls DEV-0537, did indeed steal some of its source code, and said the crime group seems to be “motivated by theft and destruction.”

[…]

 

Source: British cops arrest seven in Lapsus$ crime gang probe • The Register

Samsung confirmed on Monday that a cybersecurity attack exposed sensitive internal data including source code for Galaxy smartphones.

The group claiming responsibility for the attack, Lapsus$, is the same hacking outfit that breached Nvidia last week and leaked employee credentials and proprietary information onto the internet. In the Samsung hack, the group purportedly posted a 190GB torrent file to its Telegram channel, claiming it contains algorithms for biometric login authentication and bootloader—code that could be used to bypass some operating system controls.

Samsung disclosed the breach but didn’t confirm the identity of the hackers or the materials stolen.

[…]

After successfully breaching Nvidia, Lapsus$ blackmailed the GPU maker by threatening to release stolen internal data unless GPU drivers were made open source and Ethereum cryptocurrency mining limiters were removed from Nvidia 30-series graphics cards. The group, which is said to have members in South America and Western Europe, reportedly compromised the credentials of more than 71,000 past and current Nvidia employees.

For Samsung, the data breach arrives shortly after reports emerged claiming the company deliberately limits the performance of around 10,000 apps, including Instagram and TikTok. Samsung said its “Game Optimizing Service” was designed to balance performance and cooling, but many saw this as performance throttling and slammed the Korean tech giant for selectively excluding benchmarking apps.

[…]

 

Source: Samsung Galaxy Source Code Stolen in Data Breach

Ukrainian news website Ukrainska Pravda says the nation’s Centre for Defence Strategies think tank has obtained the personal details of 120,000 Russian servicemen fighting in Ukraine. The publication has now shared this data freely on its website.

The Register and others have been unable to fully verify the accuracy of the data from the leak. The records include what appears to be names, addresses, passport numbers, unit names, and phone numbers. Some open source intelligence researchers on Twitter said they found positive matches, as did sources who spoke confidentially to El Reg; others said they couldn’t verify dip-sampled data.

[…]

Whether or not the database’s contents is real, the impact on Russian military morale – knowing that your country’s enemies have your personal details and can contact your family if you’re captured, killed, or even still alive – won’t be insignificant.

As Russia’s invasion of Ukraine progresses, or not, cyber-attacks orchestrated by or for the benefit of the Kremlin against Ukraine and the West appear limited, while on the ground, more than 2,000 civilians have been killed, according to Ukrainian officials.

Former UK National Cyber Security Centre (NCSC) chief Ciaran Martin noted in a blog post that even those skeptical of claims that Russia would wage cyber-Armageddon during the invasion will be surprised at the lack of activity. The online assaults against Ukraine of late represent Russia’s “long-standing campaign of cyber harassment of the country … rather than a serious escalation of it,” he wrote.

[…]

Source: 120,000 Russians soldier details leak – Ukraine media • The Register

And now you get into the combatant following orders kind of argument – do you really want to be the side attacking their spouses and children back home?

Hackers that infiltrated NVIDIA systems are now threatening to release more confidential information unless the company commits to open sourcing their drivers. It is unclear what the stolen data contains, but the group confirmed that there are 250GB of hardware related data in their possession. Furthermore, the group confirmed they have evaluated NVIDIA position, which means that NVIDIA is might trying to communicate with the group to prevent future leaks. The group has already published information on NVIDIA DLSS technology and upcoming architectures. Yesterday, Nvidia reportedly retaliated against the hacker group known as “Lapsus$” by sneaking back into the hacker’s system and encrypting the stolen data. The group claimed that it had a backup of the data, though.

Source: Hackers Demand NVIDIA Open Source Their Drivers Or They Leak More Data – Slashdot

[…]

Candiru — another Israeli firm with a long list of questionable customers, including Uzbekistan, Saudi Arabia, United Arab Emirates, and Singapore.

Now there’s another name to add to the list of NSO-alikes. And (perhaps not oddly enough) this company also calls Israel home. Reuters was the first to report on this NSO’s competitor’s ability to stay competitive in the international malware race.

A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.

QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.

Like NSO, QuaDream sold a “zero-click” exploit that could completely compromise a target’s phones. We’re using the past tense not because QuaDream no longer exists, but because this particular exploit (the basis for NSO’s FORCEDENTRY) has been patched into uselessness by Apple.

But, like other NSO competitors (looking at you, Candiru), QuaDream has no interest in providing statements, a friendly public face for inquiries from journalists, or even a public-facing website. Its Tel Aviv office seemingly has no occupants and email inquiries made by Reuters have gone ignored.

QuaDream doesn’t have much of a web presence. But that’s changing, due to this report, which builds on earlier reporting on the company by Haaretz and Middle East Eye. But even the earlier reporting doesn’t go back all that far: June 2021. That report shows the company selling a hacking tool called “Reign” to the Saudi government. But that sale wasn’t accomplished directly, apparently in a move designed to further distance QuaDream from both the product being sold and the government it sold it to.

[…]

Reign is apparently the equivalent of NSO’s Pegasus, another powerful zero-click exploit that appears to still be able to hack most iPhone models. But it’s not a true equivalent. According to this report, the tool can be rendered useless by a single system software update and, perhaps more importantly, cannot be remotely terminated by the entity deploying it, should the infection be discovered by the target. This means targeted users have the opportunity to learn a great deal about the exploit, its deployment, and possibly where it originated

[…]

Source: Yet Another Israeli Malware Manufacturer Found Selling To Human Rights Abusers, Targeting iPhones | Techdirt

For the past two weeks, observers of North Korea’s strange and tightly restricted corner of the internet began to notice that the country seemed to be dealing with some serious connectivity problems. On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un’s government. At least one of the central routers that allow access to the country’s networks appeared at one point to be paralyzed, crippling the Hermit Kingdom’s digital connections to the outside world.

[…]

But responsibility for North Korea’s ongoing internet outages doesn’t lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.

Just over a year ago, an independent hacker who goes by the handle P4x was himself hacked by North Korean spies. P4x was just one victim of a hacking campaign that targeted Western security researchers with the apparent aim of stealing their hacking tools and details about software vulnerabilities. He says he managed to prevent those hackers from swiping anything of value from him. But he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.

So after a year of letting his resentment simmer, P4x has taken matters into his own hands. “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming,” says the hacker. (P4x spoke to WIRED and shared screen recordings to verify his responsibility for the attacks but declined to use his real name for fear of prosecution or retaliation.)

[…]

P4x says he’s found numerous known but unpatched vulnerabilities in North Korean systems that have allowed him to singlehandedly launch “denial-of-service” attacks on the servers and routers the country’s few internet-connected networks depend on.

[…]

he named, as an example, a known bug in the web server software NginX that mishandles certain HTTP headers, allowing the servers that run the software to be overwhelmed and knocked offline. He also alluded to finding “ancient” versions of the web server software Apache,

[…]

“It’s pretty interesting how easy it was to actually have some effect in there.”

[…]

He acknowledges that his attacks amount to no more than “tearing down government banners or defacing buildings,” as he puts it. But he also says that his hacking has so far focused on testing and probing to find vulnerabilities. He now intends to try actually hacking into North Korean systems, he says, to steal information and share it with experts. At the same time, he’s hoping to recruit more hacktivists to his cause with a dark website he launched Monday called the FUNK Project—i.e. “FU North Korea”—in the hopes of generating more collective firepower.

[…]

he was nonetheless shocked and appalled by the realization that he’d been personally targeted by North Korea.

P4x says he was later contacted by the FBI but was never offered any real help to assess the damage from North Korea’s hacking or to protect himself in the future. Nor did he ever hear of any consequences for the hackers who targeted him, an open investigation into them, or even a formal recognition from a US agency that North Korea was responsible. It began to feel, as he put it, like “there’s really nobody on our side.”

[…]

While he acknowledges that his attacks likely violate US computer fraud and hacking laws, he argues he hasn’t done anything ethically wrong. “My conscience is clear,” he says.

[…]

Source: North Korea Hacked Him. So He Took Down Its Internet | WIRED

[…]

Hackers stole more than $324 million in cryptocurrency from Wormhole, the developers behind the popular blockchain bridge confirmed Wednesday.

The platform provides a connection that allows for the transfer of cryptocurrency between different decentralized-finance blockchain networks. Wormhole said in a series of tweets Wednesday afternoon that thieves made off with 120,000 wETH, or wrapped ethereum, worth nearly $324 million at current exchange rates. The platform’s network was also taken offline for maintenance.

[…]

Wormhole on Thursday confirmed via Twitter that “all funds have been restored” and its services are back up. It also promised to share a full incident report.

Source: Blockchain platform Wormhole says it’s retrieved the $324M stolen by hackers – CNET

Finland’s government says the mobile devices of its diplomats have been hacked using Pegasus spyware.

The Finnish foreign ministry stated on Friday that some of its officials abroad had been targeted by the sophisticated software.

“The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part,” the Foreign Ministry said in a statement.

“Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.”

[…]

NSO says it only sells Pegasus to governments for the purpose of fighting crime and terrorism.

But an investigation last year revealed that the spyware had been used to target journalists, activists and politicians in a number of countries — including France, Spain, and Hungary.

A recent Citizen Lab report also found that critics of Poland’s right-wing government were hacked using Pegasus.

[…]

Source: Finnish diplomats were targeted by Pegasus spyware, says foreign ministry | Euronews

[…]

“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it. He asked for a BTC ransom to not disclose this to public and promise to delete the data,” the post reads.

“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

Hacker Gained Access to All User Data

According to ‘oss’, the hacker gained access to email addresses, usernames and passwords, but promised that the data would be erased after the payment was made. That promise was not kept.

While no member data was leaked last August, on January 11, 2022, OpenSubtitles received new correspondence from a “collaborator of the original hacker” who made similar demands. Contacting the original hacker for help bore no fruit and on January 15 the site learned that the data had been leaked online the previous day.

Indeed, searches on data breach site Have I Been Pwned reveals that the database is now in the wild, containing all of the data mentioned by OpenSubtitles and more.

 

 

“In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers’ personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes,” the site reports.

[…]

Source: OpenSubtitles Hacked, 7 Million Subscribers’ Details Leaked Online * TorrentFreak

Trading platform Crypto.com lost about $34 million worth of cryptocurrency in a hack on Monday, according to a new blog post by the company published overnight. The company had previously declined to say much about the hack, which forced users to stop withdrawals for most of the day, and only reassured customers they wouldn’t lose any money.

Hackers made off with 4,836.26 ethereum, 443.93 bitcoin, and approximately $66,200 in other crypto coins from precisely 483 users, according to the company. Crypto.com, which has about 10 million users, halted all withdrawals on Monday for about 14 hours after “suspicious activity” was detected, and forced all users to reset their two-factor authentication methods.

The ethereum that was taken is worth about $15.3 million and the bitcoin is worth $18.6 million at today’s conversion rate, bringing the grand total to about $34 million in lost funds. But Crypto.com is quick to note that no users have lost any money because the company has topped up their accounts.

[…]

The unknown hackers are currently trying to launder their stolen crypto using crypto mixers, as Gizmodo reported yesterday. The ethereum is being laundered through an app called Tornado Cash, which bills itself as a privacy tool. The bitcoin appears to be getting laundered through an unknown bitcoin mixer, sometimes known as a tumbler or peel chain.

[…]

Source: Crypto.com Finally Acknowledges $34 Million Stolen by Hackers

Microsoft warned Saturday evening that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine that appeared to be waiting to be triggered by an unknown actor.

In a blog post, the company said that Thursday — around the same time that government agencies in Ukraine found their websites had been defaced — investigators who watch over Microsoft’s global networks detected the code. “These systems span multiple government, nonprofit and information technology organisations, all based in Ukraine,” Microsoft said.

The code appears to have been deployed around the time that Russian diplomats, after three days of meetings with the United States and NATO over the massing of Russian troops at the Ukrainian border, declared that the talks had essentially hit a dead end.

[…]

The code, as described by the company’s investigators, is meant to look like ransomware — it freezes up all computer functions and data, and demands a payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage, not raise cash.

[…]

 

Source: Microsoft warns of destructive cyberattack on Ukrainian computer networks | bdnews24.com

The European Space Agency (ESA) is inviting applications from attackers who fancy having a crack at its OPS-SAT spacecraft.

It’s all in the name of ethical hacking, of course. The plan is to improve the resilience and security of space assets by understanding the threats dreamed up by security professionals and members of the public alike.

OPS-SAT has, according to ESA, “a flight computer 10 times more powerful than any current ESA spacecraft” and the CubeSat has been in orbit since 2019, providing a test bed for software experiments.

It is therefore the ideal candidate for l33t h4x0rs to turn their attention to, while ESA engineers ensure the environment is kept under control.

“The in-built robustness of OPS-SAT makes it the perfect flying platform for ethical hackers to demonstrate their skills in a safe but suitably realistic environment,” explained Dave Evans, OPS-SAT mission manager.

Ideas need to be submitted by 18 February and the successful applicants will be given controlled, technical access to OPS-SAT during the April CYSAT conference. It’ll be a challenge since teams will only have six-minute communication slots available with the satellite in which to unleash their creations.

Running code submitted by the public in space is not a particularly new concept – the AstroPi hardware on board the International Space Station (ISS) is a great example of such outreach.

However, the engagement with cybersecurity experts via the OPS-SAT demo will give space agencies an opportunity to learn what works – and what does not – from a security standpoint as satellites become ever more complicated and the surface area for attack grows.

Interestingly, ESA’s announcement had originally been made a month ago and then hurriedly pulled. Possibly because the original title “Hack an ESA spacecraft” caused at least one of the agency’s bosses to pass their morning caffeinated beverage through a nostril. Or, as an ESA insider put it, seek to “review” the emission.

Source: Hack our spacecraft, says ESA • The Register

[…]

The Federal Security Service (FSB), Russia’s domestic intelligence agency, said in a press release Friday that it had recently conducted raids at 25 residences across Moscow, Leningrad, Lipetsk, and St. Petersburg, where 14 members of the cybercriminal gang were arrested. During the raids, authorities seized more than 426 million rubles, $600,000, and €500,000, along with 20 luxury vehicles and hordes of computer equipment.

While the identities of the hackers have not been made public at this time, video provided by the FSB shows officers chasing and handcuffing various individuals, while also rifling through apartments.

[…]

REvil has been high on America’s shit-list ever since it carried out the massive Kaseya ransomware attack last summer. The attack used malicious software updates in the tech firm’s popular IT products to infect upwards of 1,500 different companies worldwide—including many in the U.S.

[…]

But the gang has also allegedly been involved in attacks on hardware manufacturer Acer, celebrity law firm Grubman Shire Meiselas & Sacks (they reportedly leaked 2.4 gigabytes of Lady Gaga’s legal documents), and Quanta, a prominent computer parts supplier that works for Apple, among other big names. It also conducted a disruptive ransomware attack on meat-processing giant JBS Foods last May, temporarily forcing the company to shut down a number of its food production sites. All in all, they’ve caused quite a lot of damage.

[…]

Some commentators have noted the odd timing of the FSB’s operation, however. The U.S. and Russia are currently experiencing severe tensions over the political situation in Ukraine—where some U.S. commentators have alleged that Russia is preparing for a military invasion. As such, the possibility that Russia has arrested REvil as a kind of bargaining tactic with the U.S. seems plausible to some. “I think being concerned about Russia’s ulterior motives is perfectly reasonable,” John Hultquist, vice president of threat intelligence at cyber firm Mandiant, recently told WIRED.

[…]

Source: Russia Arrests Members of Notorious Ransomware Gang REvil

A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday.

David Colombo explained in the thread that the flaw was “not a vulnerability in Tesla’s infrastructure. It’s the owner’s faults.” He claimed to be able to disable a car’s remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car’s exact location.

[…]

On a related note, early on Wednesday morning, a third-party Tesla app called TezLab reported that it saw the “simultaneous expiry of several thousand Tesla authentication tokens from Tesla’s side.” TezLab’s app makes use of Tesla APIs that allow apps to do things like log in to the car and enable or disable the anti-theft camera system, unlock the doors, open the windows, and so on.

Source: Teen hacker finds bug that lets him control 25+ Teslas remotely | Ars Technica

[…]

Commissioners told the court that all of Bernalillo County, which covers the US state of New Mexico’s largest city Albuquerque, had been affected by a January 5, 2022, ransomware attack, including the Metropolitan Detention Center (MDC) that houses some of the state’s incarcerated.

[…]

Over the phone, a spokesperson for the facility told The Register on Wednesday that services are still being repaired.

The attack took automatic security doors offline on January 5th, requiring officials to open doors manually with keys until that particular function could be revived.

Officials said in their filing that County-operated databases, servers, and internet service had been compromised. At MDC, this has meant limited access to email and no access to County wireless internet. This is particularly problematic, the officials say, because the MDC’s structure and location interferes with cellular service.

“One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras,” they explained. “As of the evening of January 5th, there was no access to cameras within the facility.”

MDC instituted a temporary lockdown in response to the situation. Court-related video conferences are also not happening.

Several County databases at MDC are also believed to have been corrupted by the attack.

“The Incident Tracking System (ITS), the database in which MDC creates and houses all incident reports, including inmate fights, use of force, allegations of violations of the Prison Rape Elimination Act, is not currently available as it is suspected to be corrupted by the attack,” the filing states.

“Further, the Offender Management System (OMS) which MDC uses to store and access information about inmates including inmate account data is likewise unavailable at the present.”

[…]

The plaintiffs in the case have taken the opportunity to submit the statement [PDF] of a registered nurse who announced that she was quitting her job at MDC because of concerns about conditions there. The nurse, Taileigh Sanchez, describes dire staff shortages at MDC and problems with a new electronic medical records system, issues that have been made worse by the ransomware attack.

The attack denied access to current medical records, she said, which may have prevented some inmates from getting their medications.

Sanchez said she told supervisors about her concerns – which date back before the ransomware hit – but faced retaliation. “Even though I like my job, and have even been here 11 years, I will be resigning my full-time position effective immediately due to the safety concerns I have for our clientele and our staff,” she said in her declaration.

Source: Ransomware puts New Mexico prison in lockdown • The Register

The news comes via internal documents shared with The T-Mo Report, embedded below. They state that there was “unauthorized activity” on some customer accounts. That activity was either the viewing of customer proprietary network information (CPNI), an active SIM swap by a malicious actor, or both.

• 

• 

This comes just on the heels of a previous breach back in August. This time around, though, the damage appears to be much less severe. It seems only a small subset of customers are affected. There is no further detail about what exactly happened, with the documents simply saying that some info was leaked.

Affected customers fall into one of three categories. First, a customer may have only been affected by a leak of their CPNI. This information may include the billing account name, phone numbers, number of lines on the account, account numbers, and rate plan info. That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers.

The second category an affected customer might fall into is having their SIM swapped. This is where a malicious actor will change the physical SIM card associated with a phone number in order to obtain control of said number. This can, and often does, lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number. The document says that customers affected by a SIM swap have now had that action reversed.

The final category is simply both of the other two. Affected customers could have had both their private CPNI viewed as well as their SIM card swapped.

[…]

Source: [Update: T-Mobile Statement] Exclusive: T-Mobile Has Suffered Yet Another Data Breach

The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords.

We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to check if their credentials have been exposed.

The NCA shared 585,570,857 with HIBP, and Hunt said 225,665,425 were passwords that he hasn’t seen before in the 613 million credentials HIBP already stored before the NCA handed over this new batch.

The NCA sent Hunt a statement explaining how it found the passwords:

During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.

The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offences.

The NCA’s statement to Hunt did not reveal the source of the password trove, or how it was discovered. Hunt did reveal the following were found among the newly compromised passwords.

• flamingo228
• Alexei2005
• 91177700
• 123Tests
• aganesq

Today’s release brings the total Pwned Passwords count to 847,223,402, a 38 percent increase over the last release. 5,579,399,834 occurrences of a compromised password are represented across HIBP.

[…]

Source: UK National Crime Agency finds 225 million previously unexposed passwords • The Register

[…] researchers managed to technically deconstruct just how one of the company’s notorious “zero-click” attacks work. Indeed, researchers with Google’s Project Zero published a detailed break-down that shows how an NSO exploit, dubbed “FORCEDENTRY,” can swiftly and silently take over a phone.

[…]

Initial details about it were captured by Citizen Lab, a research unit at the University of Toronto that has frequently published research related to NSO’s activities. Citizen Lab researchers managed to get ahold of phones that had been subjected to the company’s “zero-click” attacks and, in September, published initial research about how they worked. Around the same time, Apple announced it was suing NSO and also published security updates to patch the problems associated with the exploit.

Citizen Lab ultimately shared its findings with Google’s researchers who, as of last week, finally published their analysis of the attacks. As you might expect, it’s pretty incredible—and frightening—stuff.

[…]

Probably the most terrifying thing about FORCEDENTRY is that, according to Google’s researchers, the only thing necessary to hack a person was their phone number or their AppleID username.

Using one of those identifiers, the wielder of NSO’s exploit could quite easily compromise any device they wished. The attack process was simple: What appeared to be a GIF was texted to the victim’s phone via iMessage. However, the image in question was not actually a GIF; instead, it was a malicious PDF that had been dressed up with a .gif extension. Within the file was a highly sophisticated malicious payload that could hijack a vulnerability in Apple’s image processing software and use it to quickly take over valuable resources within the targeted device.

[…]

what FORCEDENTRY did was exploit a zero-day vulnerability within Apple’s image rendering library, CoreGraphics—the software that iOS uses to process on-device imagery and media. That vulnerability, officially tracked as CVE-2021-30860, is associated with an old piece of free, open-source code that iOS was apparently leveraging to encode and decode PDF files—the Xpdf implementation of JBIG2.

Here’s where the attack gets really wild, though. By exploiting the image processing vulnerability, FORCEDENTRY was able to get inside the targeted device and use the phone’s own memory to build a rudimentary virtual machine, basically a “computer within a computer.” From there, the machine could “bootstrap” NSO’s Pegasus malware from within, ultimately relaying data back to whoever had deployed the exploit.

[…]

The vulnerability related to this exploit was fixed in Apple’s iOS 14.8 update (issued in September), though some computer researchers have warned that if a person’s phone was compromised by Pegasus prior to the update, a patch may not do all that much to keep intruders out.

[…]

Source: How NSO Group’s iPhone-Hacking Exploit Works

Ukrainian law enforcement arrested 51 suspects believed to have been selling stolen personal data on hacking forums belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe.

“As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized,” the Cyberpolice Department of the National Police of Ukraine said.

“The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States”

Following this large-scale operation, Ukrainian police also shut down one of the largest sites used to sell personal information stolen from both Ukrainians and foreigners (the site’s name was not revealed in the press release).

On the now shutdown illegal marketplace, suspects were selling a wide range of stolen personal data, including telephone numbers, surnames, names, addresses, and, in some cases, vehicle registration info.

[…]

Source: Ukraine arrests 51 for selling data of 300 million people in US, EU

A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.

The 0-day was tweeted along with a POC posted on GitHub. Since this vulnerability is still very new, there isn’t a CVE to track it yet. This has been published as CVE-2021-44228.

This post provides resources to help you understand the vulnerability and how to mitigate it for yourself.

Who is impacted?​

Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.

Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.

Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j2.

Simply changing an iPhone’s name has been shown to trigger the vulnerability in Apple’s servers.

Updates (3 hours after posting): According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.

However, there are other attack vectors targeting this vulnerability which can result in RCE. An attacker could still leverage existing code on the server to execute a payload. An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers, is discussed in this blog post.

Affected Apache log4j2 Versions​

2.0 <= Apache log4j <= 2.14.1

Permanent Mitigation​

Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Maven Central here, with [release notes] and [log4j security announcements].

The release can also be downloaded from the Apache Log4j Download page.

[…]

Source: Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package | LunaSec

You can find sites that have been exloited https://github.com/YfryTchsGD/Log4jAttackSurface

The US Federal Bureau of Investigation (FBI) says 49 organisations, including some in government, were hit by Cuba ransomware as of early November this year.

The attacks were spread across five “critical infrastructure”, which, besides government, included the financial, healthcare, manufacturing, and – as you’d expect – IT sectors. The Feds said late last week the threat actors are demanding $76m in ransoms and have already received at least $43.9m in payments.

The ransomware gang’s loader of choice, Hancitor, was the culprit, distributed via phishing emails, or via exploit of Microsoft Exchange vulnerabilities, compromised credentials, or Remote Desktop Protocol (RDP) tools. Hancitor – also known as Chanitor or Tordal – enables a CobaltStrike beacon as a service on the victim’s network using a legitimate Windows service like PowerShell.

[…]

Source: Cuba ransomware gang scores almost $44m from 49 victims: FBI • The Register

Cryptocurrency exchange BitMart has coughed to a large-scale security breach relating to ETH and BSC hot wallets. The company reckons that hackers made off with approximately $150m in assets.

Security and analytics outfit PeckShield put the figure at closer to $200m.

“We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets today. At this moment we are still concluding the possible methods used. Hackers were able to withdraw assets of the value of approximately 150 million USD,” BitMart said.

“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” it added.

Worryingly for customers, BitMart has blocked withdrawals until it has completed a “thorough security review” or, in the common metaphor, shut the stable door after the horse has bolted.

[…]

Source: $150m of digital assets stolen in BitMart security breach • The Register

Mandiant continues to track multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. Based on our assessment of these activities, we have identified two distinct clusters of activity, UNC3004 and UNC2652. We associate both groups with UNC2452 also referred to as Nobelium by Microsoft.

Some of the tactics Mandiant has recently observed include:

• Compromise of multiple technology solutions, services, and reseller companies since 2020.
• Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
• Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
• Use of both residential IP proxy services and newly provisioned geo located infrastructure to communicate with compromised victims.
• Use of novel TTPs to bypass security restrictions within environments including, but not limited to the extraction of virtual machines to determine internal routing configurations.
• Use of a new bespoke downloader we call CEELOADER.
• Abuse of multi-factor authentication leveraging “push” notifications on smartphones

In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.

The sections below highlight intrusion activity from multiple incident response efforts that are currently tracked as multiple uncategorized clusters. Mandiant suspects the multiple clusters to be attributable to a common Russian threat. The information below covers some of the Tactics, Techniques, and Procedures (TTPs) used by the threat actors for initial compromise, establishing a foothold, data collection, and lateral movement; how the threat actors provision infrastructure; and indicators of compromise. The information is being shared to raise awareness and allow organizations to better defend themselves.

[…]

Source: Suspected Russian Activity Targeting Government and Business Entities Around the Globe | Mandiant