Microsoft warned Saturday evening that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine that appeared to be waiting to be triggered by an unknown actor.

In a blog post, the company said that Thursday — around the same time that government agencies in Ukraine found their websites had been defaced — investigators who watch over Microsoft’s global networks detected the code. “These systems span multiple government, nonprofit and information technology organisations, all based in Ukraine,” Microsoft said.

The code appears to have been deployed around the time that Russian diplomats, after three days of meetings with the United States and NATO over the massing of Russian troops at the Ukrainian border, declared that the talks had essentially hit a dead end.

[…]

The code, as described by the company’s investigators, is meant to look like ransomware — it freezes up all computer functions and data, and demands a payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage, not raise cash.

[…]

 

Source: Microsoft warns of destructive cyberattack on Ukrainian computer networks | bdnews24.com

The European Space Agency (ESA) is inviting applications from attackers who fancy having a crack at its OPS-SAT spacecraft.

It’s all in the name of ethical hacking, of course. The plan is to improve the resilience and security of space assets by understanding the threats dreamed up by security professionals and members of the public alike.

OPS-SAT has, according to ESA, “a flight computer 10 times more powerful than any current ESA spacecraft” and the CubeSat has been in orbit since 2019, providing a test bed for software experiments.

It is therefore the ideal candidate for l33t h4x0rs to turn their attention to, while ESA engineers ensure the environment is kept under control.

“The in-built robustness of OPS-SAT makes it the perfect flying platform for ethical hackers to demonstrate their skills in a safe but suitably realistic environment,” explained Dave Evans, OPS-SAT mission manager.

Ideas need to be submitted by 18 February and the successful applicants will be given controlled, technical access to OPS-SAT during the April CYSAT conference. It’ll be a challenge since teams will only have six-minute communication slots available with the satellite in which to unleash their creations.

Running code submitted by the public in space is not a particularly new concept – the AstroPi hardware on board the International Space Station (ISS) is a great example of such outreach.

However, the engagement with cybersecurity experts via the OPS-SAT demo will give space agencies an opportunity to learn what works – and what does not – from a security standpoint as satellites become ever more complicated and the surface area for attack grows.

Interestingly, ESA’s announcement had originally been made a month ago and then hurriedly pulled. Possibly because the original title “Hack an ESA spacecraft” caused at least one of the agency’s bosses to pass their morning caffeinated beverage through a nostril. Or, as an ESA insider put it, seek to “review” the emission.

Source: Hack our spacecraft, says ESA • The Register

[…]

The Federal Security Service (FSB), Russia’s domestic intelligence agency, said in a press release Friday that it had recently conducted raids at 25 residences across Moscow, Leningrad, Lipetsk, and St. Petersburg, where 14 members of the cybercriminal gang were arrested. During the raids, authorities seized more than 426 million rubles, $600,000, and €500,000, along with 20 luxury vehicles and hordes of computer equipment.

While the identities of the hackers have not been made public at this time, video provided by the FSB shows officers chasing and handcuffing various individuals, while also rifling through apartments.

[…]

REvil has been high on America’s shit-list ever since it carried out the massive Kaseya ransomware attack last summer. The attack used malicious software updates in the tech firm’s popular IT products to infect upwards of 1,500 different companies worldwide—including many in the U.S.

[…]

But the gang has also allegedly been involved in attacks on hardware manufacturer Acer, celebrity law firm Grubman Shire Meiselas & Sacks (they reportedly leaked 2.4 gigabytes of Lady Gaga’s legal documents), and Quanta, a prominent computer parts supplier that works for Apple, among other big names. It also conducted a disruptive ransomware attack on meat-processing giant JBS Foods last May, temporarily forcing the company to shut down a number of its food production sites. All in all, they’ve caused quite a lot of damage.

[…]

Some commentators have noted the odd timing of the FSB’s operation, however. The U.S. and Russia are currently experiencing severe tensions over the political situation in Ukraine—where some U.S. commentators have alleged that Russia is preparing for a military invasion. As such, the possibility that Russia has arrested REvil as a kind of bargaining tactic with the U.S. seems plausible to some. “I think being concerned about Russia’s ulterior motives is perfectly reasonable,” John Hultquist, vice president of threat intelligence at cyber firm Mandiant, recently told WIRED.

[…]

Source: Russia Arrests Members of Notorious Ransomware Gang REvil

A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday.

David Colombo explained in the thread that the flaw was “not a vulnerability in Tesla’s infrastructure. It’s the owner’s faults.” He claimed to be able to disable a car’s remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car’s exact location.

[…]

On a related note, early on Wednesday morning, a third-party Tesla app called TezLab reported that it saw the “simultaneous expiry of several thousand Tesla authentication tokens from Tesla’s side.” TezLab’s app makes use of Tesla APIs that allow apps to do things like log in to the car and enable or disable the anti-theft camera system, unlock the doors, open the windows, and so on.

Source: Teen hacker finds bug that lets him control 25+ Teslas remotely | Ars Technica

[…]

Commissioners told the court that all of Bernalillo County, which covers the US state of New Mexico’s largest city Albuquerque, had been affected by a January 5, 2022, ransomware attack, including the Metropolitan Detention Center (MDC) that houses some of the state’s incarcerated.

[…]

Over the phone, a spokesperson for the facility told The Register on Wednesday that services are still being repaired.

The attack took automatic security doors offline on January 5th, requiring officials to open doors manually with keys until that particular function could be revived.

Officials said in their filing that County-operated databases, servers, and internet service had been compromised. At MDC, this has meant limited access to email and no access to County wireless internet. This is particularly problematic, the officials say, because the MDC’s structure and location interferes with cellular service.

“One of the most concerning impacts of the cyber attack is that MDC is unable to access facility cameras,” they explained. “As of the evening of January 5th, there was no access to cameras within the facility.”

MDC instituted a temporary lockdown in response to the situation. Court-related video conferences are also not happening.

Several County databases at MDC are also believed to have been corrupted by the attack.

“The Incident Tracking System (ITS), the database in which MDC creates and houses all incident reports, including inmate fights, use of force, allegations of violations of the Prison Rape Elimination Act, is not currently available as it is suspected to be corrupted by the attack,” the filing states.

“Further, the Offender Management System (OMS) which MDC uses to store and access information about inmates including inmate account data is likewise unavailable at the present.”

[…]

The plaintiffs in the case have taken the opportunity to submit the statement [PDF] of a registered nurse who announced that she was quitting her job at MDC because of concerns about conditions there. The nurse, Taileigh Sanchez, describes dire staff shortages at MDC and problems with a new electronic medical records system, issues that have been made worse by the ransomware attack.

The attack denied access to current medical records, she said, which may have prevented some inmates from getting their medications.

Sanchez said she told supervisors about her concerns – which date back before the ransomware hit – but faced retaliation. “Even though I like my job, and have even been here 11 years, I will be resigning my full-time position effective immediately due to the safety concerns I have for our clientele and our staff,” she said in her declaration.

Source: Ransomware puts New Mexico prison in lockdown • The Register

The news comes via internal documents shared with The T-Mo Report, embedded below. They state that there was “unauthorized activity” on some customer accounts. That activity was either the viewing of customer proprietary network information (CPNI), an active SIM swap by a malicious actor, or both.

• 

• 

This comes just on the heels of a previous breach back in August. This time around, though, the damage appears to be much less severe. It seems only a small subset of customers are affected. There is no further detail about what exactly happened, with the documents simply saying that some info was leaked.

Affected customers fall into one of three categories. First, a customer may have only been affected by a leak of their CPNI. This information may include the billing account name, phone numbers, number of lines on the account, account numbers, and rate plan info. That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers.

The second category an affected customer might fall into is having their SIM swapped. This is where a malicious actor will change the physical SIM card associated with a phone number in order to obtain control of said number. This can, and often does, lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number. The document says that customers affected by a SIM swap have now had that action reversed.

The final category is simply both of the other two. Affected customers could have had both their private CPNI viewed as well as their SIM card swapped.

[…]

Source: [Update: T-Mobile Statement] Exclusive: T-Mobile Has Suffered Yet Another Data Breach

The United Kingdom’s National Crime Agency and National Cyber Crime Unit have uncovered a colossal trove of stolen passwords.

We know this because Troy Hunt, of Have I Been Pwned (HIBP) fame, yesterday announced the agency has handed them over to his service, which lets anyone conduct a secure search of stolen passwords to check if their credentials have been exposed.

The NCA shared 585,570,857 with HIBP, and Hunt said 225,665,425 were passwords that he hasn’t seen before in the 613 million credentials HIBP already stored before the NCA handed over this new batch.

The NCA sent Hunt a statement explaining how it found the passwords:

During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility. Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown.

The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain and could be accessed by other 3rd parties to commit further fraud or cyber offences.

The NCA’s statement to Hunt did not reveal the source of the password trove, or how it was discovered. Hunt did reveal the following were found among the newly compromised passwords.

• flamingo228
• Alexei2005
• 91177700
• 123Tests
• aganesq

Today’s release brings the total Pwned Passwords count to 847,223,402, a 38 percent increase over the last release. 5,579,399,834 occurrences of a compromised password are represented across HIBP.

[…]

Source: UK National Crime Agency finds 225 million previously unexposed passwords • The Register

[…] researchers managed to technically deconstruct just how one of the company’s notorious “zero-click” attacks work. Indeed, researchers with Google’s Project Zero published a detailed break-down that shows how an NSO exploit, dubbed “FORCEDENTRY,” can swiftly and silently take over a phone.

[…]

Initial details about it were captured by Citizen Lab, a research unit at the University of Toronto that has frequently published research related to NSO’s activities. Citizen Lab researchers managed to get ahold of phones that had been subjected to the company’s “zero-click” attacks and, in September, published initial research about how they worked. Around the same time, Apple announced it was suing NSO and also published security updates to patch the problems associated with the exploit.

Citizen Lab ultimately shared its findings with Google’s researchers who, as of last week, finally published their analysis of the attacks. As you might expect, it’s pretty incredible—and frightening—stuff.

[…]

Probably the most terrifying thing about FORCEDENTRY is that, according to Google’s researchers, the only thing necessary to hack a person was their phone number or their AppleID username.

Using one of those identifiers, the wielder of NSO’s exploit could quite easily compromise any device they wished. The attack process was simple: What appeared to be a GIF was texted to the victim’s phone via iMessage. However, the image in question was not actually a GIF; instead, it was a malicious PDF that had been dressed up with a .gif extension. Within the file was a highly sophisticated malicious payload that could hijack a vulnerability in Apple’s image processing software and use it to quickly take over valuable resources within the targeted device.

[…]

what FORCEDENTRY did was exploit a zero-day vulnerability within Apple’s image rendering library, CoreGraphics—the software that iOS uses to process on-device imagery and media. That vulnerability, officially tracked as CVE-2021-30860, is associated with an old piece of free, open-source code that iOS was apparently leveraging to encode and decode PDF files—the Xpdf implementation of JBIG2.

Here’s where the attack gets really wild, though. By exploiting the image processing vulnerability, FORCEDENTRY was able to get inside the targeted device and use the phone’s own memory to build a rudimentary virtual machine, basically a “computer within a computer.” From there, the machine could “bootstrap” NSO’s Pegasus malware from within, ultimately relaying data back to whoever had deployed the exploit.

[…]

The vulnerability related to this exploit was fixed in Apple’s iOS 14.8 update (issued in September), though some computer researchers have warned that if a person’s phone was compromised by Pegasus prior to the update, a patch may not do all that much to keep intruders out.

[…]

Source: How NSO Group’s iPhone-Hacking Exploit Works

Ukrainian law enforcement arrested 51 suspects believed to have been selling stolen personal data on hacking forums belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe.

“As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized,” the Cyberpolice Department of the National Police of Ukraine said.

“The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States”

Following this large-scale operation, Ukrainian police also shut down one of the largest sites used to sell personal information stolen from both Ukrainians and foreigners (the site’s name was not revealed in the press release).

On the now shutdown illegal marketplace, suspects were selling a wide range of stolen personal data, including telephone numbers, surnames, names, addresses, and, in some cases, vehicle registration info.

[…]

Source: Ukraine arrests 51 for selling data of 300 million people in US, EU

A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.

The 0-day was tweeted along with a POC posted on GitHub. Since this vulnerability is still very new, there isn’t a CVE to track it yet. This has been published as CVE-2021-44228.

This post provides resources to help you understand the vulnerability and how to mitigate it for yourself.

Who is impacted?​

Many, many services are vulnerable to this exploit. Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable.

Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach.

Many Open Source projects like the Minecraft server, Paper, have already begun patching their usage of log4j2.

Simply changing an iPhone’s name has been shown to trigger the vulnerability in Apple’s servers.

Updates (3 hours after posting): According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.

However, there are other attack vectors targeting this vulnerability which can result in RCE. An attacker could still leverage existing code on the server to execute a payload. An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers, is discussed in this blog post.

Affected Apache log4j2 Versions​

2.0 <= Apache log4j <= 2.14.1

Permanent Mitigation​

Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Maven Central here, with [release notes] and [log4j security announcements].

The release can also be downloaded from the Apache Log4j Download page.

[…]

Source: Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package | LunaSec

You can find sites that have been exloited https://github.com/YfryTchsGD/Log4jAttackSurface

The US Federal Bureau of Investigation (FBI) says 49 organisations, including some in government, were hit by Cuba ransomware as of early November this year.

The attacks were spread across five “critical infrastructure”, which, besides government, included the financial, healthcare, manufacturing, and – as you’d expect – IT sectors. The Feds said late last week the threat actors are demanding $76m in ransoms and have already received at least $43.9m in payments.

The ransomware gang’s loader of choice, Hancitor, was the culprit, distributed via phishing emails, or via exploit of Microsoft Exchange vulnerabilities, compromised credentials, or Remote Desktop Protocol (RDP) tools. Hancitor – also known as Chanitor or Tordal – enables a CobaltStrike beacon as a service on the victim’s network using a legitimate Windows service like PowerShell.

[…]

Source: Cuba ransomware gang scores almost $44m from 49 victims: FBI • The Register

Cryptocurrency exchange BitMart has coughed to a large-scale security breach relating to ETH and BSC hot wallets. The company reckons that hackers made off with approximately $150m in assets.

Security and analytics outfit PeckShield put the figure at closer to $200m.

“We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets today. At this moment we are still concluding the possible methods used. Hackers were able to withdraw assets of the value of approximately 150 million USD,” BitMart said.

“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” it added.

Worryingly for customers, BitMart has blocked withdrawals until it has completed a “thorough security review” or, in the common metaphor, shut the stable door after the horse has bolted.

[…]

Source: $150m of digital assets stolen in BitMart security breach • The Register

Mandiant continues to track multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. Based on our assessment of these activities, we have identified two distinct clusters of activity, UNC3004 and UNC2652. We associate both groups with UNC2452 also referred to as Nobelium by Microsoft.

Some of the tactics Mandiant has recently observed include:

• Compromise of multiple technology solutions, services, and reseller companies since 2020.
• Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
• Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
• Use of both residential IP proxy services and newly provisioned geo located infrastructure to communicate with compromised victims.
• Use of novel TTPs to bypass security restrictions within environments including, but not limited to the extraction of virtual machines to determine internal routing configurations.
• Use of a new bespoke downloader we call CEELOADER.
• Abuse of multi-factor authentication leveraging “push” notifications on smartphones

In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.

The sections below highlight intrusion activity from multiple incident response efforts that are currently tracked as multiple uncategorized clusters. Mandiant suspects the multiple clusters to be attributable to a common Russian threat. The information below covers some of the Tactics, Techniques, and Procedures (TTPs) used by the threat actors for initial compromise, establishing a foothold, data collection, and lateral movement; how the threat actors provision infrastructure; and indicators of compromise. The information is being shared to raise awareness and allow organizations to better defend themselves.

[…]

Source: Suspected Russian Activity Targeting Government and Business Entities Around the Globe | Mandiant

Hackers are attacking business receipt printers to insert pro-labor messages, according to a report from Vice and posts on Reddit. “Are you being underpaid?”, reads one message and “How can the McDonald’s in Denmark pay their staff $22 an hour and still manage to sell a Big Mac for less than in America?” another states.

Numerous similar images have been posted on Reddit, Twitter and elsewhere. The messages vary, but most point readers toward the r/antiwork subreddit that recently became popular during the COVID-19 pandemic, as workers starting demanding more rights.

Some users suggested that the messages were fake, but a cybersecurity firm that monitors the internet told Vice that they’re legit. “Someone is… blast[ing] raw TCP data directly to printer services across the internet,” GreyNoise founder Andrew Morris told Vice. “Basically to every single device that has port TCP 9100 open, and print[ing] a pre-written document that references /r/antiwork with some workers rights/counter capitalist messaging.”

The individual[s] behind the attack are using 25 separate servers, according to Morris, so blocking one IP won’t necessarily stop the attacks. “A technical person is broadcasting print requests for a document containing workers rights messaging to all printers that are misconfigured to be exposed to the internet, and we’ve confirmed that it is printing successfully in some number of places,” he said.

[…]

Source: Someone is hacking receipt printers with ‘antiwork’ messages | Engadget

New research shows that someone has been running hundreds of malicious servers on the Tor network, potentially in an attempt to de-anonymize users and unmask their web activity. As first reported by The Record, the activity would appear to be emanating from one particular user who is persistent, sophisticated, and somehow has the resources to run droves of high-bandwidth servers for years on end.

[…]

The malicious servers were initially spotted by a security researcher who goes by the pseudonym “nusenu” and who operates their own node on the Tor network. On their Medium, nusenu writes that they first uncovered evidence of the threat actor—which they have dubbed “KAX17”—back in 2019. After doing further research into KAX17, they discovered that they had been active on the network as far back as 2017.

In essence, KAX appears to be running large segments of Tor’s network—potentially in the hopes of being able to track the path of specific web users and unmask them.

[…]

in the case of KAX17, the threat actor appears to be substantially better resourced than your average dark web malcontent: they have been running literally hundreds of malicious servers all over the world—activity that amounts to “running large fractions of the tor network,” nusenu writes. With that amount of activity, the chances that a Tor user’s circuit could be traced by KAX is relatively high, the researcher shows.

Indeed, according to nusenu’s research, KAX at one point had so many servers—some 900—that you had a 16 percent likelihood of using their relay as a first “hop” (i.e., node in your circuit) when you logged onto Tor. You had a 35 percent chance of using one of their relays during your 2nd “hop,” and a 5 percent chance of using them as an exit relay, nusenu writes.

There’s also evidence that the threat actor engaged in Tor forum discussions, during which they seem to have lobbied against administrative actions that would have removed their servers from the network.

[…]

Many of the threat actor’s servers were removed by the Tor directory authorities in October 2019. Then, just last month, authorities again removed a large number of relays that seemed suspicious and were tied to the threat actor. However, in both cases, the actor seems to have immediately bounced back and begun reconstituting, nusenu writes.

It’s unclear who might be behind all this, but it seems that, whoever they are, they have a lot of resources. “We have no evidence, that they are actually performing de-anonymization attacks, but they are in a position to do so,” nusenu writes. “The fact that someone runs such a large network fraction of relays…is enough to ring all kinds of alarm bells.”

“Their actions and motives are not well understood,” nusenu added.

Source: Someone Is Running Hundreds of Malicious Servers on Tor Network

Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.

The hacks, which took place in the last several months, hit U.S. officials either based in Uganda or focused on matters concerning the East African country, two of the sources said.

The intrusions, first reported here, represent the widest known hacks of U.S. officials through NSO technology. Previously, a list of numbers with potential targets including some American officials surfaced in reporting on NSO, but it was not clear whether intrusions were always tried or succeeded.

Reuters could not determine who launched the latest cyberattacks.

NSO Group said in a statement on Thursday that it did not have any indication their tools were used but canceled access for the relevant customers and would investigate based on the Reuters inquiry.

[…]

Source: U.S. State Department phones hacked with Israeli company spyware – sources | Reuters

Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts.

The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity,” MonoX company representatives say here. “It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design.”

An accounting error built into the company’s software let an attacker inflate the price of the MONO token and to then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post. The haul amounted to $31 million worth of tokens on the Ethereum or Polygon blockchains, both of which are supported by the MonoX protocol.

Specifically, the hack used the same token as both the tokenIn and tokenOut, which are methods for exchanging the value of one token for another. MonoX updates prices after each swap by calculating new prices for both tokens. When the swap is completed, the price of tokenIn—that is, the token sent by the user—decreases and the price of tokenOut—or the token received by the user—increases.

By using the same token for both tokenIn and tokenOut, the hacker greatly inflated the price of the MONO token because the updating of the tokenOut overwrote the price update of the tokenIn. The hacker then exchanged the token for $31 million worth of tokens on the Ethereum and Polygon blockchains.

There’s no practical reason for exchanging a token for the same token, and therefore the software that conducts trades should never have allowed such transactions. Alas, it did, despite MonoX receiving three security audits this year.

[…]

Blockchain researcher Igor Igamberdiev took to Twitter to break down the makeup of the drained tokens. Tokens included $18.2 million in Wrapped Ethereum, $10.5 in MATIC tokens, and $2 million worth of WBTC. The haul also included smaller amounts of tokens for Wrapped Bitcoin, Chainlink, Unit Protocol, Aavegotchi, and Immutable X.

Only the latest DeFi hack

MonoX isn’t the only decentralized finance protocol to fall victim to a multimillion-dollar hack. In October, Indexed Finance said it lost about $16 million in a hack that exploited the way it rebalances index pools. Earlier this month, blockchain-analysis company Elliptic said so-called DeFi protocols have lost $12 billion to date due to theft and fraud. Losses in the first roughly 10 months of this year reached $10.5 billion, up from $1.5 billion in 2020.

[…]

Source: Really stupid “smart contract” bug let hackers steal $31 million in digital coin | Ars Technica

Finland is working to stop a flood of text messages of an unknown origin that are spreading malware.

The messages with malicious links to malware called FluBot number in the millions, according to Aino-Maria Vayrynen, information security specialist at the National Cyber Security Centre. Telia Co AB, the country’s second-biggest telecommunications operator, has intercepted some hundreds of thousands of messages.

“The malware attack is extremely exceptional and very worrying,” Teemu Makela, chief information security officer at Elisa Oyj, the largest telecoms operator, said by phone. “Considerable numbers of text messages are flying around.”

The messages started beeping of Finns’ mobiles late last week, prompting the National Cyber Security Centre to issue a “severe alert.” The campaign is worse than a previous bout of activity in the summer, Antti Turunen, fraud manager at Telia, said.

Many of the messages claim that the recipient has received a voice mail, asking them to open a link. On Android devices, that brings up a prompt that requests user to allow installation of an application that contains the malware, and on Apple Inc.’s iPhones users are taken to other fraudulent material on the website, authorities said.

[…]

Source: Malware Attack Via Millions of Text Messages Spreads in Finland – Bloomberg

Don’t click on linkbait!

GoDaddy has admitted to America’s financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys.

In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an “unauthorized third-party” had been roaming around part of its Managed WordPress service, which essentially stores and hosts people’s websites.

[…]

Those infosec sleuths, we’re told, found evidence that an intruder had been inside part of GoDaddy’s website provisioning system, described by Comes as a “legacy code base,” since September 6, gaining access using a “compromised password.”

The miscreant was able to view up to 1.2 million customer email addresses and customer ID numbers, and the administrative passwords generated for WordPress instances when they were provisioned. Any such passwords unchanged since the break-in have been reset.

According to GoDaddy, the sFTP and database usernames and passwords of active user accounts were accessible, too, and these have been reset as well.

“For a subset of active customers, the SSL private key was exposed,” Comes added. “We are in the process of issuing and installing new certificates for those customers.” GoDaddy has not responded to a request for further details and exact numbers of users affected.

[…]

Source: GoDaddy Managed WordPress compromised, user data exposed • The Register

A Canadian teenager has been arrested for allegedly stealing $37 million worth of cryptocurrency ($46M Canadian) via a SIM swap scam, making it the largest virtual cash heist affecting a single person yet, according to police.

Together with the FBI and the US Secret Service Electronic Crimes Task Force, Hamilton Police in the Canadian province of Ontario launched a joint probe to investigate the breach of a US resident’s mobile phone account.

The victim was reportedly targeted with a SIM swap attack – their phone number was hijacked and ported to a different phone belonging to the attacker. The miscreant was then able to enter personal accounts via two-factor authentication requests and obtain details of the victim’s cryptocurrency wallet. From there, millions of dollars were siphoned off, it’s claimed.

“The joint investigation revealed that some of the stolen cryptocurrency was used to purchase an online username that was considered to be rare in the gaming community,” according to a statement from Hamilton Police.

“This transaction led investigators to uncover the account holder of the rare username,” it confirmed.

The teen was arrested for theft and possession of property. Police have seized over $5.5 million worth of cryptocurrencies in the case so far.

Source: Canadian teen arrested for stealing $36.5m of cryptocurrency • The Register

A 36-year-old man from Portage, Michigan, was arrested on Thursday for allegedly renting thousands of textbooks from Amazon and selling them rather than returning them.

[…]

Also indicted were three alleged co-conspirators: Gregory Mark Gleesing, 43, and Lovedeep Singh Dhanoa, 25, both from Portage, Michigan, and Paul Steven Larson, 32, from Kalamazoo, Michigan

From January 2016 through March 2021, according to the indictment, Talsma rented textbooks from the Amazon Rental program in order to sell them for a profit. The indictment describes what occurred as “a sophisticated fraud scheme.”

Talsma allegedly disguised his identity by creating multiple customer accounts with different names, mailing addresses, email addresses, and phone numbers. He supposedly did so to bypass the 15 book limit Amazon placed on textbook rentals.

His alleged fraud scheme involved using Amazon gift cards to rent the textbooks and prepaid MyVanilla Visa cards with minimal credit balances to cover the buyout price charged for books not returned.

[…]

made sure that the MyVanilla Visa cards did not have sufficient credit balances, or any balance at all, when the textbook rentals were past due so that Amazon could not collect the book buyout price from those cards.”

[…]

As the scheme progressed, the indictment says, Talsma “recruited individuals, including defendants Gregory Mark Gleesing, Lovedeep Singh Dhanoa, and Paul Steven Larson, and other individuals known to the grand jury, to allow him to use their names and mailing addresses to further continue receiving rental textbooks in amounts well above the fifteen-book limit.”

Talsma would call Amazon’s customer service department and claim that instead of the textbooks ordered, he had received other items that could not be returned by mail, like flammable objects. Or he would claim he never received any textbooks, in the hope Amazon would credit him for unreceived goods and forget about the rental. And later, he is said to have taught Gleesing, Dhanoa, and Larson to do the same.

Titles taken included “Compensation,” by Jerry Newman, Barry Gerhart, and George Milkovich, which lists a Buyout Price of $172.05, and “Economics,” by Campbell McConnell, Stanley Brue, and Sean Flynn, which lists a Buyout Price of $108.00.

The scheme appears to have been fairly successful: The indictment says the four alleged scammers stole 14,000 textbooks worth over $1.5m.

[…]

Source: Amazon textbook rental service scammed for $1.5m • The Register

The FBI appears to have been used as a pawn in a fight between hackers and security researchers. According to Bleeping Computer, the FBI has confirmed intruders compromised its email servers early today (November 13th) to send fake messages claiming recipients had fallen prone to data breaches. The emails tried to pin the non-existent attacks on Vinny Troia, the leader of dark web security firms NightLion and Shadowbyte.

The non-profit intelligence organization Spamhaus quickly shed light on the bogus messages. The attackers used legitimate FBI systems to conduct the attack, using email addresses scraped from a database for the American Registry for Internet Numbers (ARIN), among other sources. Over 100,000 addresses received the fake emails in at least two waves.

The FBI described the hack as an “ongoing situation” and didn’t initially have more details to share. It asked email recipients to report messages like these to the bureau’s Internet Crime Complaint Center or the Cybersecurity and Infrastructure Security Agency. Troia told Bleeping Computer he believed the perpetrators might be linked to “Pompomourin,” a persona that has attacked the researcher in the past.

[…]

Source: FBI email servers were hacked to target a security researcher | Engadget

This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where we were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers. In August 2021, we disclosed to Microsoft a new vulnerability in Cosmos DB that ultimately allowed us to retrieve numerous internal keys that can be used to manage the service, following this high-level workflow:

1. Set up a Jupyter Notebook container on your Azure Cosmos DB
2. Run any C# code to obtain root privileges
3. Remove firewall rules set locally on the container in order to gain unrestricted network access
4. Query WireServer to obtain information about installed extensions, certificates and their corresponding private keys
5. Connect to the local Service Fabric, list all running applications, and obtain the Primary Key to other customers’ databases
6. Access Service Fabric instances of multiple regions over the internet

In this post we walk you through every step of the way, to the point where we even gained administrative access to some of the magic that powers Azure.

[…]

Conclusion

We managed to gain unauthorized access to customers’ Azure Cosmos DB instances by taking advantage of a chain of misconfigurations in the Jupyter Notebook Container feature of Cosmos DB. We were able to prove access to thousands of companies’ Cosmos DB Instances (database, notebook environment, notebook storage) with full admin control via multiple authentication tokens and API keys. Among the affected customers are many Fortune 500 companies. We also managed to gain access to the underlying infrastructure that runs Cosmos DB and we were able to prove that this access can be maintained outside of the vulnerable application—over the internet. Overall, we think that this is as close as it gets to a “Service Takeover”.

Disclosure Timeline

August 09 2021 – Wiz Research Team first exploited the bug and gained unauthorized access to Cosmos DB accounts.
August 11 2021 – Wiz Research Team confirmed intersection with Wiz customers.
August 12 2021 – Wiz Research Team sent the advisory to Microsoft.
August 14 2021 – Wiz Research Team observed that the vulnerable feature has been disabled.
August 16 2021 – Microsoft Security Response Center (MSRC) confirmed the reported behavior (MSRC Case 66805).
August 16 2021 – Wiz Research Team observed that some obtained credentials have been revoked.
August 17 2021 – MSRC awarded $40,000 bounty for the report.
August 23 2021 – MSRC confirmed that several thousand customers were affected.
August 23 2021 – MSRC and Wiz Research Team discussed public disclosure strategy.
August 25 2021 – Public disclosure.

Source: ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough | Wiz Blog

The blog post is well worth reading