Microsoft said its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack this year, at the end of August, representing the largest DDoS attack recorded to date.

Amir Dahan, Senior Program Manager for Azure Networking, said the attack was carried out using a botnet of approximately 70,000 bots primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the United States.

Dahan identified the target of the attack only as “an Azure customer in Europe.”

The Microsoft exec said the record-breaking DDoS attack came in three short waves, in the span of ten minutes, with the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

Dahan said Microsoft successfully mitigated the attack without Azure going down.

Prior to Microsoft’s disclosure today, the previous DDoS record was held by a 2.3 Tbps attack that Amazon’s AWS division mitigated in February 2020.

Dahan said the largest DDoS attack that hit Azure prior to the August attack was a 1 Tbps attack the company saw in Q3 2020, while this year, Azure didn’t see a DDoS attack over 625 Mbps all year.

Record for largest volumetric DDoS attack broken days later too

Just days after Microsoft mitigated this attack, a botnet called Meris broke another DDoS record — the record for the largest volumetric DDoS attack.

According to Qrator Labs, the operators of the Meris botnet launched a DDoS attack of 21.8 million requests per second (RPS) in early September. Sources told The Record last month that the attack targeted a Russian bank that was hosting its e-banking portal on Yandex Cloud servers.

Security firm Rostelecom-Solar sinkholed around a quarter of the Meris botnet later that month.

It is unclear if the Meris botnet was behind the attack detected and mitigated by Microsoft in August. An Azure spokesperson did not return a request for comment.

Source: Microsoft said it mitigated a 2.4 Tbps DDoS attack, the largest ever

Another day, another massive privacy breach nobody will do much about. This time it’s Neiman Marcus, which issued a statement indicating that the personal data of roughly 4.6 million U.S. consumers was exposed thanks to a previously undisclosed data breach that occurred last year. According to the company, the data exposed included login in information, credit card payment information, virtual gift card numbers, names, addresses, and the security questions attached to Neiman Marcus accounts. The company is, as they always are in the wake of such breaches, very, very sorry:

“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, Chief Executive Officer. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

As is par for the course for this kind of stuff, the actual breach is likely much worse than what’s first being reported here. And by the time the full scope of the breach becomes clear, the press will have largely lost interest. The company set up a website for those impacted to get more information. In this case, impacted consumers didn’t even get free credit reporting, the standard mea culpa hand out after these kinds of events (which is worthless since consumers have received free credit reporting for countless hacks and leaks over the last five to ten years).

[…]

Source: Neiman Marcus Breach Exposes Data Of 4.6 Million Users | Techdirt

An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

VGC can verify that the files mentioned on 4chan are publicly available to download as described by the anonymous hacker.

One anonymous company source told VGC that the leaked data is legitimate, including the source code for the Amazon-owned streaming platform.

Internally, Twitch is aware of the breach, the source said, and it’s believed that the data was obtained as recently as Monday. We’ve requested comment from Twitch and will update this story when it replies.

[UPDATE: Twitch has confirmed the leak is authentic: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”]

he leaked Twitch data reportedly includes:

• The entirety of Twitch’s source code with commit history “going back to its early beginnings”
• Creator payout reports from 2019
• Mobile, desktop and console Twitch clients
• Proprietary SDKs and internal AWS services used by Twitch
• “Every other property that Twitch owns” including IGDB and CurseForge
• An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
• Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

Some Twitter users have started making their way through the 125GB of information that has leaked, with one claiming that the torrent also includes encrypted passwords, and recommending that users enable two-factor authentication to be safe.

If you have a Twitch account, it’s recommended that you also turn on two-factor authentication, which ensures that even if your password is compromised, you still need your phone to prove your identity using either SMS or an authenticator app.

To turn on two-factor identification:

• Log on to Twitch, click your avatar and choose Settings
• Go to Security and Privacy, then scroll down to the Security setting
• Choose Edit Two-Factor Authentication to see if it’s already activated. If not, follow the instructions to turn it on (you’ll need your phone)

Source: The entirety of Twitch has reportedly been leaked | VGC

A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.

The company, Syniverse, revealed in a filing dated September 27 with the U.S. Security and Exchange Commission that an unknown “individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers.”

A former Syniverse employee who worked on the EDT systems told Motherboard that those systems have information on all types of call records.

[…]

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”

The company wrote that it discovered the breach in May 2021, but that the hack began in May of 2016.

[…]

“The world’s largest companies and nearly all mobile carriers rely on Syniverse’s global network to seamlessly bridge mobile ecosystems and securely transmit data, enabling billions of transactions, conversations and connections [daily],” Syniverse wrote in a recent press release.

“Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse’s main systems is a global privacy disaster,” Karsten Nohl, a security researcher who has studied global cellphone networks for a decade, told Motherboard in an email. “Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”

[…]

Syniverse disclosed the breach in an August SEC filing as the company gearing to go public at a valuation of $2.85 billion via a merger with M3-Brigade Acquisition II Corp., a special purpose acquisition company (SPAC).

[…]

Source: Company That Routes Billions of Text Messages Quietly Says It Was Hacked

Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis.

Discovered by mobile security firm Zimperium, the new GriftHorse malware has been distributed via benign-looking apps uploaded on the official Google Play Store and on third-party Android app stores.

Malware subscribes users to premium SMS services

If users install any of these malicious apps, GriftHorse starts peppering users with popups and notifications that offer various prizes and special offers.

Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over €30 ($35) per month, money that are later redirected into the GriftHorse operators’ pockets.

[…]

the two Zimperium researchers said that besides numbers, the GriftHorse coders also invested in their malware’s code quality, using a wide spectrum of websites, malicious apps, and developer personas to infect users and avoid detection for as much as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained.

“In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims,”

GriftHorse is making millions in monthly profits

Based on what they’ve seen until now, the researchers estimated that the GriftHorse gang is currently making between €1.2 million and €3.5 million per month from their scheme ($1.5 million to $4 million per month).

[…]

Source: New GriftHorse malware has infected more than 10 million Android phones – The Record by Recorded Future

Epik’s massive data breach is already affecting lives. Today the Washington Post describes a real estate agent in Pompano Beach who urged buyers on Facebook to move to “the most beautiful State.” His name and personal details “were found on invoices suggesting he had once paid for websites with names such as racisminc.com, whitesencyclopedia.com, christiansagainstisrael.com and theholocaustisfake.com”. The real estate brokerage where he worked then dropped him as an agent. The brokerage’s owner told the Post they didn’t “want to be involved with anyone with thoughts or motives like that.”

“Some users appear to have relied on Epik to lead a double life,” the Post reports, “with several revelations so far involving people with innocuous day jobs who were purportedly purveyors of hate online.” (Alternate URL here.) Epik, based outside Seattle, said in a data-breach notice filed with Maine’s attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed…. Heidi Beirich, a veteran researcher of hate and extremism, said she is used to spending weeks or months doing “the detective work” trying to decipher who is behind a single extremist domain. The Epik data set, she said, “is like somebody has just handed you all the detective work — the names, the people behind the accounts…”

Many website owners who trusted Epik to keep their identities hidden were exposed, but some who took additional precautions, such as paying in bitcoin and using fake names, remain anonymous….

Aubrey “Kirtaner” Cottle, a security researcher and co-founder of Anonymous, declined to share information about the hack’s origins but said it was fueled by hackers’ frustrations over Epik serving as a refuge for far-right extremists. “Everyone is tired of hate,” Cottle said. “There hasn’t been enough pushback, and these far-right players, they play dirty. Nothing is out of bounds for them. And now … the tide is turning, and there’s a swell moving back in their direction.”
Earlier in the week, the Post reported: Since the hack, Epik’s security protocols have been the target of ridicule among researchers, who’ve marveled at the site’s apparent failure to take basic security precautions, such as routine encryption that could have protected data about its customers from becoming public… The hack even exposed the personal records from Anonymize, a privacy service Epik offered to customers wanting to conceal their identity.

Source: 110,000 Affected by Epik Breach – Including Those Who Trusted Epik to Hide Their Identity – Slashdot

A collection containing data about more than 700 million users, believed to have been scraped from LinkedIn, was leaked online this week after hackers previously tried to sell it earlier this year in June.

The collection, obtained by The Record from a source, is currently being shared in private Telegram channels in the form of a torrent file containing approximately 187 GB of archived data.

The Record analyzed files from this collection and found the data to be authentic, with data points such as:

• LinkedIn profile names
• LinkedIn ID
• LinkedIn profile URL
• Location information (town, city, country)
• Email addresses

While the vast majority of the data points contained in the leak are already public information and pose no threat to LinkedIn users, the leak also contains email addresses that are not normally viewable to the public on the official LinkedIn site.

[…]

Source: Hackers leak LinkedIn 700 million data scrape – The Record by Recorded Future

The Kaseya ransomware attack, which occurred in July and affected as many as 1,500 companies worldwide, was a big, destructive mess—one of the largest and most unwieldy of its kind in recent memory. But new information shows the FBI could have lightened the blow victims suffered but chose not to.

A new report from the Washington Post shows that, shortly after the attack, the FBI came into possession of a decryption key that could unlock victims’ data—thus allowing them to get their businesses back up and running. However, instead of sharing it with them or Kaseya, the IT firm targeted by the attack, the bureau kept it a secret for approximately three weeks.

The feds reportedly did this because they were planning an operation to “disrupt” the hacker gang behind the attack—the Russia-based ransomware provider REvil—and didn’t want to tip their hand. However, before the FBI could put its plan into action, the gang mysteriously disappeared. The bureau finally shared the decryption key with Kaseya on July 21—about a week after the gang had vanished.

[…]

Source: FBI Had REvil’s Kaseya Ransomware Decryption Key for Weeks: Report

Source: Alaska discloses ‘sophisticated’ nation-state cyberattack on health service – The Record by Recorded Future

A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer.

While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid.

[…]

The list of Fortinet credentials was leaked for free by a threat actor known as ‘Orange,’ who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation.

[…]

Both posts lead to a file hosted on a Tor storage server used by the Groove gang to host stolen files leaked to pressure ransomware victims to pay.

BleepingComputer’s analysis of this file shows that it contains VPN credentials for 498,908 users over 12,856 devices.

While we did not test if any of the leaked credentials were valid, BleepingComputer can confirm that all of the IP address we checked are Fortinet VPN servers.

Further analysis conducted by Advanced Intel shows that the IP addresses are for devices worldwide, with 2,959 devices located in the USA.

[…]

Kremez told BleepingComputer that the Fortinet CVE-2018-13379 vulnerability was exploited to gather these credentials.

A source in the cybersecurity industry told BleepingComputer that they were able to legally verify that at least some of the leaked credentials were valid.

It is unclear why the threat actor released the credentials rather than using them for themselves, but it is believed to have been done to promote the RAMP hacking forum and the Groove ransomware-as-a-service operation.

[…]

Source: Hackers leak passwords for 500,000 Fortinet VPN accounts

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

[…]

Source: FTC bans spyware maker SpyFone, and orders it to notify hacked victims | TechCrunch

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials.

[…]

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.

According to Bill, the fraudsters aren’t downloading all of their victims’ emails: That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

[…]

Bill’s data also shows that this gang is so aggressively going after gift card data that it will routinely seek new gift card benefits on behalf of victims, when that option is available. For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking.

Bill said these crooks have figured out a way to tap into those benefits as well.

“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”

[…]

several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.

“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said. “I don’t know why they’re getting popped so heavily.”

[…]

Source: Gift Card Gang Extracts Cash From 100k Inboxes Daily – Krebs on Security

John Binns, a 21-year-old American who now lives in Turkey, told the Wall Street Journal that he was behind the T-Mobile security breach that affected more than 50 million people earlier this month.

The intrigue: Binns said he broke through the T-Mobile defenses after discovering an unprotected router exposed on the internet, after scanning the carrier’s internet addresses for weak spots using a publicly available tool.

• “I was panicking because I had access to something big,” he wrote in Telegram messages to the Journal. “Their security is awful.”
• “Generating noise was one goal,” Binns said. He declined to say whether he sold any of the information he stole, or whether he was paid for the hack.

The big picture: It was the third major data leak the network has disclosed in the last two years, per WSJ. T-Mobile is the second-largest U.S. mobile carrier, housing the data of around 90 million cellphones.

Background: Some of the information exposed in the breach included names, dates of birth, social security numbers and personal ID information. The breach is being investigated Seattle’s FBI office, according to the Journal.

Source: T-Mobile hacker explains how he breached carrier’s security – Axios

The remote code execution flaw, CVE-2021-35395, was seen in Mirai malware binaries by threat intel firm Radware, which “found that new malware binaries were published on both loaders leveraged in the campaign.”

Warning that the vuln had been included in Dark.IoT’s botnet “less than a week” after it was publicly disclosed, Radware said: “This vulnerability was recently disclosed by IoT Inspectors Research Lab on August 16th and impacts IoT devices manufactured by 65 vendors relying on the Realtek chipsets and SDK.”

The critical vuln, rated 9.8 on the CVSS scale, consists of multiple routes to cause buffer overflows (PDF from Realtek with details) in the web management interface provided by Realtek in its Jungle SDK for its router chipset. CVE-2021-35395 is a denial-of-service vuln; crafted inputs from an attacker can be used to crash the HTTP server running the management interface, and thus the router.

[…]

Rather than having the capability to develop its own exploits, Dark.IoT sits around waiting for white hats to publish proof-of-concepts for newly discovered vulns, and Smith said they incorporate those into their botnet within “days.”

[…]

While Realtek has patched the vulns in the SDK, vendors using its white-label tech now have to distribute patches for their branded devices and then users have to install them – all while Dark.IoT and other Mirai-based criminals are looking for exploitable devices.

[…]

Source: Mirai-style IoT botnet is now scanning for router-pwning critical vuln in Realtek kit • The Register

[…]

The Belarusian Cyber Partisans, as the hackers call themselves, have in recent weeks released portions of a huge data trove they say includes some of the country’s most secret police and government databases. The information contains lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centers and secret recordings of phone calls from a government wiretapping system, according to interviews with the hackers and documents reviewed by Bloomberg News.

Among the pilfered documents are personal details about Lukashenko’s inner circle and intelligence officers. In addition, there are mortality statistics indicating that thousands more people in Belarus died from Covid-19 than the government has publicly acknowledged, the documents suggest.

In an interview and on social media, the hackers said they also sabotaged more than 240 surveillance cameras in Belarus and are preparing to shut down government computers with malicious software named X-App.

[…]

the data exposed by the Cyber Partisans showed “that officials knew they were targeting innocent people and used extra force with no reason.” As a result, he said, “more people are starting to not believe in propaganda” from state media outlets, which suppressed images of police violence during anti-government demonstrations last year.

[…]

The hackers have teamed up with a group named BYPOL, created by former Belarusian police officers, who defected following the disputed election of Lukashenko last year. Mass demonstrations followed the election, and some police officers were accused of torturing and beating hundreds of citizens in a brutal crackdown.

[…]

The wiretapped phone recordings obtained by the hackers revealed that Belarus’s interior ministry was spying on a wide range of people, including police officers—both senior and rank-and-file—as well as officials working with the prosecutor general, according to Azarau. The recordings also offer audio evidence of police commanders ordering violence against protesters, he said.

[…]

Earlier this year, an affiliate of the group obtained physical access to a Belarus government facility and broke into the computer network while inside, the spokesman said. That laid the groundwork for the group to later gain further access, compromising some of the ministry’s most sensitive databases, he said. The stolen material includes the archive of secretly recorded phone conversations, which amounts to between 1 million and 2 million minutes of audio, according to the spokesman.

[…]

The hackers joined together in September 2020, after the disputed election. Their initial actions were small and symbolic, according to screenshots viewed by Bloomberg News. They hacked state news websites and inserted videos showing scenes of police brutality. They compromised a police “most wanted” list, adding the names of Lukashenko and his former interior minister, Yury Karayeu, to the list. And they defaced government websites with the red and white national flags favored by protesters over the official Belarusian red and green flag.

Those initial breaches attracted other hackers to the Cyber Partisans’ cause, and as it has grown, the group has become bolder with the scope of its intrusions. The spokesman said its aims are to protect the sovereignty and independence of Belarus and ultimately to remove Lukashenko from power.

[…]

Names and addresses of government officials and alleged informants obtained by the hackers have been shared with Belarusian websites, including Blackmap.org, that seek to “name and shame” people cooperating with the regime and its efforts to suppress peaceful protests, according to Viačorka and the websites themselves.

[…]

Source: Belarus Hackers Seek to Overthrow Local Government – Bloomberg

[…]

When you plug in one of these Razer peripherals, Windows will automatically download Razer Synapse, the software that controls certain settings for your mouse or keyboard. Said Razer software has SYSTEM privileges, since it launches from a Windows process with SYSTEM privileges.

But that’s not where the vulnerability comes into play. Once you install the software, Windows’ setup wizard asks which folder you’d like to save it to. When you choose a new location for the folder, you’ll see a “Choose a Folder” prompt. Press Shift and right-click on that, and you can choose “Open PowerShell window here,” which will open a new PowerShell window.

Because this PowerShell window was launched from a process with SYSTEM privileges, the PowerShell window itself now has SYSTEM privileges. In effect, you’ve turned yourself into an admin on the machine, able to perform any command you can think of in the PowerShell window.

This vulnerability was first brought to light on Twitter by user jonhat, who tried contacting Razer about it first, to no avail. Razer did eventually follow up, confirming a patch is in the works. Until that patch is available, however, the company is inadvertently selling tools that make it easy to hack millions of computers.

[…]

Source: You Can Gain Admin Privileges to Any Windows Machine by Plugging in a Razer Mouse

A well-known threat actor with a long list of previous breaches is selling private data that was allegedly collected from 70 million AT&T customers. We analyzed the data and found it to include social security numbers, date of birth, and other private information. The hacker is asking $1 million for the entire database (direct sell) and has provided RestorePrivacy with exclusive information for this report.

Update: AT&T has initially denied the breach in a statement to RestorePrivacy. The hacker has responded by saying, “they will keep denying until I leak everything.”

Hot on the heels of a massive data breach with T Mobile earlier this week, AT&T now appears to be in the spotlight. A well-known threat actor in the underground hacking scene is claiming to have private data from 70 million AT&T customers. The threat actor goes by the name of ShinyHunters and was also behind other previous exploits that affected Microsoft, Tokopedia, Pixlr, Mashable, Minted, and more.

The hacker posted the leak on an underground hacking forum earlier today, along with a sample of the data that we analyzed. The original post is below:

We examined the data for this report and also reached out to the hacker who posted it for sale.

70 million AT&T customers could be at risk

In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits, as we’ll examine more below.

While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid. Here is the data that is available in this leak:

• Name
• Phone number
• Physical address
• Email address
• Social security number
• Date of birth

Below is a screenshot from the sample of data available:

In addition to the data above, the hacker also has accessed encrypted data from customers that include social security numbers and date of birth. Here is a sample that we examined:

The data is currently being offered for $1 million USD for a direct sell (or flash sell) and $200,000 for access that is given to others. Assuming it is legit, this would be a very valuable breach as other threat actors can likely purchase and use the information for exploiting AT&T customers for financial gain.

Source: Exclusive: Hacker Selling Private Data Allegedly from 70 Million AT&T Customers | RestorePrivacy

Authored by computer scientists from the University of Maryland and the University of Colorado Boulder, the research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.

Making matters worse, researchers said the amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of carrying out a DDoS attack known to date and very likely to be abused in the future.

[…]

“DDoS reflective amplification attack.”

This happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker (thanks to a technique known as IP spoofing).

The technique effectively allows attackers to reflect/bounce and amplify traffic towards a victim via an intermediary point.

[…]

The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic.

Middleboxes usually include the likes of firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) systems.

The research team said they found that instead of trying to replicate the entire three-way handshake in a TCP connection, they could send a combination of non-standard packet sequences to the middlebox that would trick it into thinking the TCP handshake has finished and allow it to process the connection.

[…]

Under normal circumstances, this wouldn’t be an issue, but if the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect.

Following extensive experiments that began last year, the research team said that the best TCP DDoS vectors appeared to be websites typically blocked by nation-state censorship systems or by enterprise policies.

Attackers would send a malformed sequence of TCP packets to a middlebox (firewall, DPI box, etc.) that tried to connect to pornography or gambling sites, and the middlebox would reply with an HTML block page that it would send to victims that wouldn’t even reside on their internal networks—thanks to IP spoofing.

[…]

Bock said the research team scanned the entire IPv4 internet address space 35 different times to discover and index middleboxes that would amplify TCP DDoS attacks.

In total, the team said they found 200 million IPv4 addresses corresponding to networking middleboxes that could be abused for attacks.

Most UDP protocols typically have an amplification factor of between 2 and 10, with very few protocols sometimes reaching 100 or more.

“We found hundreds of thousands of IP addresses that offer [TCP] amplification factors greater than 100×,” Bock and his team said, highlighting how a very large number of networking middleboxes could be abused for DDoS attacks far larger than the UDP protocols with the best amplification factors known to date.

Furthermore, the research team also found thousands of IP addresses that had amplification factors in the range of thousands and even up to 100,000,000, a number thought to be inconceivable for such attacks.

[…]

Bock told The Record they contacted several country-level Computer Emergency Readiness Teams (CERT) to coordinate the disclosure of their findings, including CERT teams in China, Egypt, India, Iran, Oman, Qatar, Russia, Saudi Arabia, South Korea, the United Arab Emirates, and the United States, where most censorship systems or middlebox vendors are based.

The team also notified companies in the DDoS mitigation field, which are most likely to see and have to deal with these attacks in the immediate future.

“We also reached out to several middlebox vendors and manufacturers, including Check Point, Cisco, F5, Fortinet, Juniper, Netscout, Palo Alto, SonicWall, and Sucuri,” the team said.

[…]

the research team also plans to release scripts and tools that network administrators can use to test their firewalls, DPI boxes, and other middleboxes and see if their devices are contributing to this problem. These tools will be available later today via this GitHub repository.

[…]

Additional technical details are available in a research paper titled “Weaponizing Middleboxes for TCP Reflected Amplification” [PDF]. The paper was presented today at the USENIX security conference, where it also received the Distinguished Paper Award.

Source: Firewalls and middleboxes can be weaponized for gigantic DDoS attacks – The Record by Recorded Future

[…]

Russian mobsters, Chinese hackers and Nigerian scammers have used stolen identities to plunder tens of billions of dollars in Covid benefits, spiriting the money overseas in a massive transfer of wealth from U.S. taxpayers, officials and experts say. And they say it is still happening.

Among the ripest targets for the cybertheft have been jobless programs. The federal government cannot say for sure how much of the more than $900 billion in pandemic-related unemployment relief has been stolen, but credible estimates range from $87 million to $400 billion — at least half of which went to foreign criminals, law enforcement officials say.

Those staggering sums dwarf, even on the low end, what the federal government spends every year on intelligence collection, food stamps or K-12 education.

“This is perhaps the single biggest organized fraud heist we’ve ever seen,” said security researcher Armen Najarian of the firm RSA, who tracked a Nigerian fraud ring as it allegedly siphoned millions of dollars out of more than a dozen states.

Jeremy Sheridan, who directs the office of investigations at the Secret Service, called it “the largest fraud scheme that I’ve ever encountered.”

“Due to the volume and pace at which these funds were made available and a lot of the requirements that were lifted in order to release them, criminals seized on that opportunity and were very, very successful — and continue to be successful,” he said.

While the enormous scope of Covid relief fraud has been clear for some time, scant attention has been paid to the role of organized foreign criminal groups, who move taxpayer money overseas via laundering schemes involving payment apps and “money mules,” law enforcement officials said.

“This is like letting people just walk right into Fort Knox and take the gold, and nobody even asked any questions,” said Blake Hall, the CEO of ID.me, which has contracts with 27 states to verify identities.

Officials and analysts say both domestic and foreign fraudsters took advantage of an already weak system of unemployment verification maintained by the states, which has been flagged for years by federal watchdogs. Adding to the vulnerability, states made it easier to apply for Covid benefits online during the pandemic, and officials felt pressure to expedite processing. The federal government also rolled out new benefits for contractors and gig workers that required no employer verification.

In that environment, crooks were easily able to impersonate jobless Americans using stolen identity information for sale in bulk in the dark corners of the internet. The data — birthdates, Social Security numbers, addresses and other private information — have accumulated online for years through huge data breaches, including hacks of Yahoo, LinkedIn, Facebook, Marriott and Experian.

At home, prison inmates and drug gangs got in on the action. But experts say the best-organized efforts came from abroad, with criminals from nearly every country swooping in to steal on an industrial scale.

[…]

Under the Pandemic Unemployment Assistance program for gig workers and contractors, people could apply for retroactive relief, claiming months of joblessness with no employer verification possible. In some cases, that meant checks or debit cards worth $20,000, Hall said.

“Organized crime has never had an opportunity where any American’s identity could be converted into $20,000, and it became their Super Bowl,” he said. “And these states were not equipped to do identity verification, certainly not remote identity verification. And in the first few months and still today, organized crime has just made these states a target.”

[…]

The investigative journalism site ProPublica calculated last month that from March to December 2020, the number of jobless claims added up to about two-thirds of the country’s labor force, when the actual unemployment rate was 23 percent. Although some people lose jobs more than once in a given year, that alone could not account for the vast disparity.

The thievery continues. Maryland, for example, in June detected more than half a million potentially fraudulent unemployment claims in May and June alone. Most of the attempts were blocked, but experts say that nationwide, many are still getting through.

The Biden administration has acknowledged the problem and blamed it on the Trump administration.

[…]

In a memo in February, the inspector general reported that as of December, 22 of 54 state and territorial workforce agencies were still not following its repeated recommendation to join a national data exchange to check Social Security numbers. And in July, the inspector general reported that the national association of state workforce agencies had not been sharing fraud data as required by federal regulations.

Twenty states failed to perform all the required database identity checks, and 44 states did not perform all recommended ones, the inspector general found.

“The states have been chronically underfunded for years — they’re running 1980s technology,” Hall said.

[…]

The FBI has opened about 2,000 investigations, Greenberg said, but it has recovered just $100 million. The Secret Service, which focuses on cyber and economic crimes, has clawed back $1.3 billion. But the vast majority of the pilfered funds are gone for good, experts say, including tens of billions of dollars sent out of the country through money-moving applications such as Cash.app.

[…]

One of the few examples in which analysts have pointed the finger at a specific foreign group involves a Nigerian fraud ring dubbed Scattered Canary by security researchers. The group had been committing cyberfraud for years when the pandemic benefits presented a ripe target, Najarian said.

[…]

Scattered Canary took advantage of a quirk in Google’s system. Gmail does not recognize dots in email addresses — John.Doe@gmail.com and JohnDoe@gmail.com are routed to the same account. But state unemployment systems treated them as distinct email addresses.

Exploiting that trait, the group was able to create dozens of fraudulent state unemployment accounts that funneled benefits to the same email address, according to research by Najarian and others at Agari.

In April and May of 2020, Scattered Canary filed at least 174 fraudulent claims for unemployment benefits with the state of Washington, Agari found — each claim eligible to receive up to $790 a week, for a total of $20,540 over 26 weeks. With the addition of the $600-per-week Covid supplement, the maximum potential loss was $4.7 million for those claims alone, Agari found.

[…]

Source: ‘Easy money’: How international scam artists pulled off an epic theft of Covid benefits

T-Mobile confirmed hackers gained access to the telecom giant’s systems in an announcement published Monday.

The move comes after Motherboard reported that T-Mobile was investigating a post on an underground forum offering for sale Social Security Numbers and other private data. The forum post at the time didn’t name T-Mobile, but the seller told Motherboard the data came from T-Mobile servers.

[…]

Source: T-Mobile Confirms It Was Hacked

Hackers have returned nearly half of the $600 million they stole in what’s likely to be one of the biggest cryptocurrency thefts ever.

The cybercriminals exploited a vulnerability in Poly Network, a platform that looks to connect different blockchains so that they can work together.

Poly Network disclosed the attack Tuesday and asked to establish communication with the hackers, urging them to “return the hacked assets.”

[…]

In a strange turn of events Wednesday, the hackers began returning some of the funds they stole.

They sent a message to Poly Network embedded in a cryptocurrency transaction saying they were “ready to return” the funds. The DeFi platform responded requesting the money be sent to three crypto addresses.

As of 7 a.m. London time, more than $4.8 million had been returned to the Poly Network addresses. By 11 a.m. ET, about $258 million had been sent back.

[…]

Source: Cryptocurrency theft: Hackers steal $600 million in Poly Network hack

Cross-chain decentralized finance (DeFi) platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.

Poly Network, a protocol launched by the founder of Chinese blockchain project Neo, operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tuesday’s attack struck each chain consecutively, with the Poly team identifying three addresses where stolen assets were transferred.

At the time that Poly tweeted news of the attack, the three addresses collectively held more than $600 million in different cryptocurrencies, including USDC, wrapped bitcoin (WBTC, -1.45%), wrapped ether (ETH, -0.7%) and shiba inu (SHIB), blockchain scanning platforms show.

[…]

About one hour after Poly announced the hack on Twitter, the hacker tried to move assets including USDT through the Ethereum address into liquidity pool Curve.fi, records show. The transaction was rejected.

Meanwhile, close to $100 million has been moved out of the Binance Smart Chain address in the past 30 minutes and deposited into liquidity pool Ellipsis Finance.

[…]

BlockSec, a China-based blockchain security firm, said in an initial attack analysis report that the hack may be triggered by the leak of a private key that was used to sign the cross-chain message.

But it also added that another possible reason is a potential bug during Poly’s singing process that may have been “abused” to sign the message.

According to another China-based blockchain security firm, Slowmist, the attackers’ original funds were in monero (XMR, -2.9%), a privacy-centric cryptocurrency, and were then exchanged for BNB, ETH, MATIC (+0.86%) and a few other tokens.

The attackers then initiated the attacks on Ethereum, BSC and Polygon blockchains. The finding was supported by Slowmist’s partners, including China-based exchange Hoo.

“Based on the flows of the funds and multiple fingerprint information, it is likely a long-planned, organized, and well-prepared attack,” Slowmist wrote.

[…]

The Poly Network incident shows how nascent cross-chain protocols are particularly vulnerable to attacks. In July, cross-chain liquidity protocol Thorchain suffered two exploits in two weeks. Rari Capital, another cross-chain DeFi protocol, was hit by an attack in May, losing funds worth nearly $11 million in ETH.

[…]

Source: Cross-Chain DeFi Site Poly Network Hacked; Hundreds of Millions Potentially Lost – CoinDesk

The hackers who breached Electronic Arts last month have released the entire cache of stolen data after failing to extort the company and later sell the stolen files to a third-party buyer.

The data, dumped on an underground cybercrime forum on Monday, July 26, is now being widely distributed on torrent sites.

According to a copy of the dump obtained by The Record, the leaked files contain the source code of the FIFA 21 soccer game, including tools to support the company’s server-side services.

[…]

 

Source: Hackers leak full EA data after failed extortion attempt – The Record by Recorded Future