Got Anything To Talk About? These Dutch Hackers Want You To Say It To Them

As we head into another Northern Hemisphere pandemic winter and hope that things won’t be quite as bad this year, next summer seems an extremely long time away in the future. But it will be upon us sooner than we might think, and along with it will we hope come a resumption of full-scale hacker camps. One of the biggest will be in the Netherlands, where MCH 2022 will take place at the end of July, and if you’re up to casting your minds ahead far enough for that then they’re inviting submissions to their Call for Participation. Their events are always a memorable and relaxed opportunity to spend a few days in the sun alongside several thousand other like-minded individuals, so we’d urge you to give it some consideration.

If you’ve never delivered a conference talk before then it can be a daunting prospect, but in fact a hacker camp can be an ideal place to give it a first try. Unlike a more traditional technology conference where most of the attendees file into the auditorium, at hacker camps there is so much else on offer that many talks are delivered to only that subgroup of attendees for whom the subject is of real interest. So there is less of the huge auditorium of anonymous crowds about it, and more of the small and friendly crowd of fellow enthusiasts. The great thing about our community is that there are as many different interests within it as there are individuals, so whatever your product, specialism, or favourite hobby horse might be, you’ll find people at a hacker camp who’d like to hear what you have to say.

If you’re still seeking inspiration, of course you might find it by looking at the schedule from SHA, the last Dutch camp.

Source: Got Anything To Talk About? These Dutch Hackers Want You To Say It To Them | Hackaday

Robinhood Hack Compromises Millions of Customer Email Addresses

Someone recently hacked and attempted to extort Robinhood, the popular investment and trading platform, gaining access to millions of customers’ email addresses and full names in the process.

The platform revealed the security incident in a blog post published Monday, assuring users that nobody had lost any money as a result of the incident.

“An unauthorized third party obtained access to a limited amount of personal information for a portion of our customers,” the company revealed, while emphasizing that the breach had since been contained and that there had been “no financial loss to any customers.”

The incident, which took place on Nov. 3, was apparently the result of a social engineering scheme that targeted a customer support employee. The hacker convinced the employee that they were cleared to access “certain customer support systems,” and subsequently gained access to the email addresses of approximately 5 million customers and the full names of approximately 2 million customers, the company said.

For a much smaller subset of customers, the data breach was substantially more invasive: “We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed,” the company’s blog post says.

Afterward, the criminal attempted to extort the company with the information it had stolen.

[…]

Source: Robinhood Hack Compromises Millions of Customer Email Addresses

Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year

Hackers have stolen an estimated $130 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.

The incident, detected earlier today by blockchain security firms PeckShield and SlowMist, was confirmed by the Cream Finance team earlier today.

The attackers are believed to have found a vulnerability in the platform’s lending system —called flash loaning— and used it to steal all of Cream’s assets and tokens running on the Ethereum blockchain, according to blockchain security firm BlockSec, which also posted an explanation of the security flaw on Twitter earlier today.

A breakdown of the stolen funds is available below, courtesy of the SlowMist team.

[Image: breakdown of the stolen Cream Finance funds. Image: SlowMist]

Roughly six hours after the attack, Cream Finance said it fixed the bug exploited in the hack with the help of cryptocurrency platform Yearn.

Even if the attacker’s initial wallet, used to exfiltrate a large chunk of the funds, has been identified, the funds have already been moved to new accounts, and there appears to be a small chance the stolen crypto can be tracked down and returned to the platform.

Third time’s a charm

Today’s hack marks the third time Cream Finance has been hacked this year after the company lost $37 million in February and another $29 million in August.

All attacks were flash loan exploits, a common way through which most DeFi platforms have been hacked over the past two years.

DeFi related hacks have accounted for 76% of all major hacks in 2021, and users have lost more than $474 million to attacks on DeFi platforms this year, CipherTrace said in a report in August.

Similarly, DeFi hacks also made up 21% of all the 2020 cryptocurrency hacks and stolen funds after being almost nonexistent a year before, in 2019, the same CipherTrace said in a report last year.

The Cream heist also marks the second-largest cryptocurrency hack this year after DeFi platform Poly Network lost $600 million in August. However, the individual behind the Poly hack eventually returned all the stolen funds two weeks later on the promise the company won’t seek charges.

Source: Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year – The Record by Recorded Future

Hacker steals government ID database for Argentina’s entire population

A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.

The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons.

The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizens’ personal information.

Lionel Messi and Sergio Aguero data leaked on Twitter

The first evidence that someone breached RENAPER surfaced earlier this month on Twitter when a newly registered account named @AnibalLeaks published ID card photos and personal details for 44 Argentinian celebrities.

This included details for the country’s president Alberto Fernández, multiple journalists and political figures, and even data for soccer superstars Lionel Messi and Sergio Aguero.

A day after the images and personal details were published on Twitter, the hacker also posted an ad on a well-known hacking forum, offering to look up the personal details of any Argentinian user.

[Image: the hacking forum ad offering RENAPER lookups. Image: The Record]

Faced with media fallout following the Twitter leaks, the Argentinian government confirmed a security breach three days later.

In an October 13 press release, the Ministry of Interior said its security team discovered that a VPN account assigned to the Ministry of Health was used to query the RENAPER database for 19 photos “in the exact moment in which they were published on the social network Twitter.”

Officials added that “the [RENAPER] database did not suffer any data breach or leak,” and authorities are currently investigating eight government employees over their possible role in the leak.

Hacker has a copy of the data, plans to sell and leak it

However, The Record contacted the individual who was renting access to the RENAPER database on hacking forums.

In a conversation earlier today, the hacker said they have a copy of the RENAPER data, contradicting the government’s official statement.

The individual proved their statement by providing the personal details, including the highly sensitive Trámite number, of an Argentinian citizen of our choosing.

[…]

Source: Hacker steals government ID database for Argentina’s entire population – The Record by Recorded Future

Yet again we see how centralised databases are such a good idea. And if countries are so terrible at protecting extremely sensitive data, how do you think weakening protections by allowing countries master key type access to encrypted data is going to make anything better for anyone?

Cybercrime Group Has Hacked Telecoms All Over the World since at least 2016

[…] A hacker gang, […] has been infiltrating telecoms throughout the world to steal phone records, text messages, and associated metadata directly from carrier users.

That’s according to a new report from cybersecurity firm CrowdStrike, which published a technical analysis of the mysterious group’s hacking campaign on Tuesday. The report, which goes into a significant amount of detail, shows that the hackers behind the campaign have managed to infiltrate 13 different global telecoms in the span of just two years.

Researchers say that the group, which has been active since 2016, uses highly sophisticated hacking techniques and customized malware to infiltrate and embed within networks. Reuters reports that this has included exfiltrating “calling records and text messages” directly from carriers. Earlier research on the group suggests it has also been known to target managed service providers as an entry point into specific industries—such as finance and consulting.[…]

Source: Cybercrime Group Has Been Hacked Telecoms All Over the World

LANtenna attack reveals Ethernet cable traffic contents from a distance

An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.

Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.

“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.

His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable’s radiations could then be picked up by the SDR (in Guri’s case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.

Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed were secure or otherwise air-gapped from the outside world.

He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.

“We could transmit both text and binary, and also achieve faster bit-rates,” acknowledged Guri when El Reg asked about the obvious limitations described in his paper [PDF]. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.”

[…]

Source: LANtenna attack reveals Ethernet cable traffic contents • The Register

Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly

A woman allegedly hacked into the systems of a flight training school in Florida to delete and tamper with information related to the school’s airplanes. In some cases, planes that previously had maintenance issues had been “cleared” to fly, according to a police report. The hack, according to the school’s CEO, could have put pilots in danger.

Lauren Lide, a 26-year-old who used to work for the Melbourne Flight Training school, resigned from her position of Flight Operations Manager at the end of November of 2019, after the company fired her father. Months later, she allegedly hacked into the systems of her former company, deleting and changing records, in an apparent attempt to get back at her former employer, according to court records obtained by Motherboard.

[…]

Source: Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly

Microsoft said it mitigated a 2.4 Tbps DDoS attack, the largest ever

Microsoft said its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack this year, at the end of August, representing the largest DDoS attack recorded to date.

Amir Dahan, Senior Program Manager for Azure Networking, said the attack was carried out using a botnet of approximately 70,000 bots primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the United States.

Dahan identified the target of the attack only as “an Azure customer in Europe.”

The Microsoft exec said the record-breaking DDoS attack came in three short waves, in the span of ten minutes, with the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

Dahan said Microsoft successfully mitigated the attack without Azure going down.

Prior to Microsoft’s disclosure today, the previous DDoS record was held by a 2.3 Tbps attack that Amazon’s AWS division mitigated in February 2020.

Dahan said the largest DDoS attack that hit Azure prior to the August attack was a 1 Tbps attack the company saw in Q3 2020, while this year, Azure didn’t see a DDoS attack over 625 Mbps all year.

Record for largest volumetric DDoS attack broken days later too

Just days after Microsoft mitigated this attack, a botnet called Meris broke another DDoS record — the record for the largest volumetric DDoS attack.

According to Qrator Labs, the operators of the Meris botnet launched a DDoS attack of 21.8 million requests per second (RPS) in early September. Sources told The Record last month that the attack targeted a Russian bank that was hosting its e-banking portal on Yandex Cloud servers.

Security firm Rostelecom-Solar sinkholed around a quarter of the Meris botnet later that month.

It is unclear if the Meris botnet was behind the attack detected and mitigated by Microsoft in August. An Azure spokesperson did not return a request for comment.

Source: Microsoft said it mitigated a 2.4 Tbps DDoS attack, the largest ever

Neiman Marcus Breach Exposes Data Of 4.6 Million Users

Another day, another massive privacy breach nobody will do much about. This time it’s Neiman Marcus, which issued a statement indicating that the personal data of roughly 4.6 million U.S. consumers was exposed thanks to a previously undisclosed data breach that occurred last year. According to the company, the data exposed included login information, credit card payment information, virtual gift card numbers, names, addresses, and the security questions attached to Neiman Marcus accounts. The company is, as they always are in the wake of such breaches, very, very sorry:

“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, Chief Executive Officer. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

As is par for the course for this kind of stuff, the actual breach is likely much worse than what’s first being reported here. And by the time the full scope of the breach becomes clear, the press will have largely lost interest. The company set up a website for those impacted to get more information. In this case, impacted consumers didn’t even get free credit reporting, the standard mea culpa hand out after these kinds of events (which is worthless since consumers have received free credit reporting for countless hacks and leaks over the last five to ten years).

[…]

Source: Neiman Marcus Breach Exposes Data Of 4.6 Million Users | Techdirt

The entirety of Twitch has reportedly been leaked – change your password!

An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

VGC can verify that the files mentioned on 4chan are publicly available to download as described by the anonymous hacker.

One anonymous company source told VGC that the leaked data is legitimate, including the source code for the Amazon-owned streaming platform.

Internally, Twitch is aware of the breach, the source said, and it’s believed that the data was obtained as recently as Monday. We’ve requested comment from Twitch and will update this story when it replies.

[UPDATE: Twitch has confirmed the leak is authentic: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”]

The leaked Twitch data reportedly includes:

  • The entirety of Twitch’s source code with commit history “going back to its early beginnings”
  • Creator payout reports from 2019
  • Mobile, desktop and console Twitch clients
  • Proprietary SDKs and internal AWS services used by Twitch
  • “Every other property that Twitch owns” including IGDB and CurseForge
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
  • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

Some Twitter users have started making their way through the 125GB of information that has leaked, with one claiming that the torrent also includes encrypted passwords, and recommending that users enable two-factor authentication to be safe.

If you have a Twitch account, it’s recommended that you also turn on two-factor authentication, which ensures that even if your password is compromised, you still need your phone to prove your identity using either SMS or an authenticator app.

To turn on two-factor authentication:

  • Log on to Twitch, click your avatar and choose Settings
  • Go to Security and Privacy, then scroll down to the Security setting
  • Choose Edit Two-Factor Authentication to see if it’s already activated. If not, follow the instructions to turn it on (you’ll need your phone)

Source: The entirety of Twitch has reportedly been leaked | VGC

Company That Routes Billions of Text Messages Quietly Says It Was Hacked – for years (you know, the messages we now use for 2FA)

A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.

The company, Syniverse, revealed in a filing dated September 27 with the U.S. Security and Exchange Commission that an unknown “individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers.”

A former Syniverse employee who worked on the EDT systems told Motherboard that those systems have information on all types of call records.

[…]

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”

The company wrote that it discovered the breach in May 2021, but that the hack began in May of 2016.

[…]

“The world’s largest companies and nearly all mobile carriers rely on Syniverse’s global network to seamlessly bridge mobile ecosystems and securely transmit data, enabling billions of transactions, conversations and connections [daily],” Syniverse wrote in a recent press release.

“Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse’s main systems is a global privacy disaster,” Karsten Nohl, a security researcher who has studied global cellphone networks for a decade, told Motherboard in an email. “Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”

[…]

Syniverse disclosed the breach in an August SEC filing as the company was gearing up to go public at a valuation of $2.85 billion via a merger with M3-Brigade Acquisition II Corp., a special purpose acquisition company (SPAC).

[…]

Source: Company That Routes Billions of Text Messages Quietly Says It Was Hacked

Hackers Rob Thousands Coinbase Customers through SMS MFA Flaw – discloses today, happened around the IPO

Coinbase, a major U.S.-based bitcoin and cryptocurrency exchange, disclosed today that a hacker was able to bypass the company’s SMS multi-factor authentication mechanism and steal funds from 6,000 users, Bleeping Computer reported.

The breach of Coinbase customers’ accounts happened between March and May 20, 2021, in a hacking campaign that combined phishing scams and a vulnerability exploit on the company’s security measures.

The U.S.-based exchange, which has approximately 68 million users from more than 100 countries, reportedly said that in order to conduct the attack, the hackers needed to know the user’s email address, password, and phone number, as well as have access to their email accounts. It is not clear how the hackers gained access to that information.

“In this incident, for customers who use SMS texts for two-factor authentication, the third party took advantage of a flaw in Coinbase’s SMS Account Recovery process in order to receive an SMS two-factor authentication token and gain access to your account,” Coinbase told customers in electronic notifications.

Beyond stealing funds, the hackers also exposed customers’ personal information, “including their full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balances,” per the report.

[…]

Source: Hackers Rob Thousands Coinbase Customers SMS MFA Flaw – Bitcoin Magazine: Bitcoin News, Articles, Charts, and Guides

The IPO happened in April. There is no way Coinbase didn’t know about this then! Maybe this is related to the heavy selling from company executives?

New GriftHorse malware has infected more than 10 million Android phones

Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis.

Discovered by mobile security firm Zimperium, the new GriftHorse malware has been distributed via benign-looking apps uploaded on the official Google Play Store and on third-party Android app stores.

Malware subscribes users to premium SMS services

If users install any of these malicious apps, GriftHorse starts peppering users with popups and notifications that offer various prizes and special offers.

Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over €30 ($35) per month, money that is later redirected into the GriftHorse operators’ pockets.

[…]

The two Zimperium researchers said that besides numbers, the GriftHorse coders also invested in their malware’s code quality, using a wide spectrum of websites, malicious apps, and developer personas to infect users and avoid detection for as long as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained.

“In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims,”

[Image: GriftHorse apps spread across Play Store categories. Image: Zimperium]

GriftHorse is making millions in monthly profits

Based on what they’ve seen until now, the researchers estimated that the GriftHorse gang is currently making between €1.2 million and €3.5 million per month from their scheme ($1.5 million to $4 million per month).

[…]

Source: New GriftHorse malware has infected more than 10 million Android phones – The Record by Recorded Future

110,000 Affected by Epik Breach – Including Those Who Trusted Epik to Hide Their Identity as hate mongerers

Epik’s massive data breach is already affecting lives. Today the Washington Post describes a real estate agent in Pompano Beach who urged buyers on Facebook to move to “the most beautiful State.” His name and personal details “were found on invoices suggesting he had once paid for websites with names such as racisminc.com, whitesencyclopedia.com, christiansagainstisrael.com and theholocaustisfake.com”. The real estate brokerage where he worked then dropped him as an agent. The brokerage’s owner told the Post they didn’t “want to be involved with anyone with thoughts or motives like that.”

“Some users appear to have relied on Epik to lead a double life,” the Post reports, “with several revelations so far involving people with innocuous day jobs who were purportedly purveyors of hate online.” (Alternate URL here.) Epik, based outside Seattle, said in a data-breach notice filed with Maine’s attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed…. Heidi Beirich, a veteran researcher of hate and extremism, said she is used to spending weeks or months doing “the detective work” trying to decipher who is behind a single extremist domain. The Epik data set, she said, “is like somebody has just handed you all the detective work — the names, the people behind the accounts…”

Many website owners who trusted Epik to keep their identities hidden were exposed, but some who took additional precautions, such as paying in bitcoin and using fake names, remain anonymous….

Aubrey “Kirtaner” Cottle, a security researcher and co-founder of Anonymous, declined to share information about the hack’s origins but said it was fueled by hackers’ frustrations over Epik serving as a refuge for far-right extremists. “Everyone is tired of hate,” Cottle said. “There hasn’t been enough pushback, and these far-right players, they play dirty. Nothing is out of bounds for them. And now … the tide is turning, and there’s a swell moving back in their direction.”

Earlier in the week, the Post reported: Since the hack, Epik’s security protocols have been the target of ridicule among researchers, who’ve marveled at the site’s apparent failure to take basic security precautions, such as routine encryption that could have protected data about its customers from becoming public… The hack even exposed the personal records from Anonymize, a privacy service Epik offered to customers wanting to conceal their identity.

Source: 110,000 Affected by Epik Breach – Including Those Who Trusted Epik to Hide Their Identity – Slashdot

Hackers leak LinkedIn 700 million June data scrape

A collection containing data about more than 700 million users, believed to have been scraped from LinkedIn, was leaked online this week after hackers previously tried to sell it earlier this year in June.

The collection, obtained by The Record from a source, is currently being shared in private Telegram channels in the form of a torrent file containing approximately 187 GB of archived data.

[Image: the LinkedIn scrape torrent listing. Image: The Record]

The Record analyzed files from this collection and found the data to be authentic, with data points such as:

  • LinkedIn profile names
  • LinkedIn ID
  • LinkedIn profile URL
  • Location information (town, city, country)
  • Email addresses

[Image: sample data points from the LinkedIn scrape. Image: The Record]

While the vast majority of the data points contained in the leak are already public information and pose no threat to LinkedIn users, the leak also contains email addresses that are not normally viewable to the public on the official LinkedIn site.

[…]

Source: Hackers leak LinkedIn 700 million data scrape – The Record by Recorded Future

FBI Had REvil’s Kaseya Ransomware Decryption Key for Weeks

The Kaseya ransomware attack, which occurred in July and affected as many as 1,500 companies worldwide, was a big, destructive mess—one of the largest and most unwieldy of its kind in recent memory. But new information shows the FBI could have lightened the blow victims suffered but chose not to.

A new report from the Washington Post shows that, shortly after the attack, the FBI came into possession of a decryption key that could unlock victims’ data—thus allowing them to get their businesses back up and running. However, instead of sharing it with them or Kaseya, the IT firm targeted by the attack, the bureau kept it a secret for approximately three weeks.

The feds reportedly did this because they were planning an operation to “disrupt” the hacker gang behind the attack—the Russia-based ransomware provider REvil—and didn’t want to tip their hand. However, before the FBI could put its plan into action, the gang mysteriously disappeared. The bureau finally shared the decryption key with Kaseya on July 21—about a week after the gang had vanished.

[…]

Source: FBI Had REvil’s Kaseya Ransomware Decryption Key for Weeks: Report

Alaska discloses ‘sophisticated’ nation-state cyberattack on health service

A nation-state cyber-espionage group has gained access to the IT network of the Alaska Department of Health and Social Service (DHSS), the agency said last week.

The attack, which is still being investigated, was discovered on May 2, earlier this year, by a security firm, which notified the agency.

While the DHSS made the incident public on May 18 and published two updates in June and August, the agency did not reveal any details about the intrusion until last week, when it officially dispelled the rumor that this was a ransomware attack.

Instead, the agency described the intruders as a “nation-state sponsored attacker” and “a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities.”

Attackers entered DHSS network via a vulnerable website

Citing an investigation conducted together with security firm Mandiant, DHSS officials said the attackers gained access to the department’s internal network through a vulnerability in one of its websites and “spread from there.”

Officials said they believe they have expelled the attacker from their network; however, an investigation is still under way into what the attackers might have accessed.

In a press release last week [PDF], the agency said it plans to notify all individuals who provided their personal information to the state agency.

“The breach involves an unknown number of individuals but potentially involves any data stored on the department’s information technology infrastructure at the time of the cyberattack,” officials said.

Data stored on the DHSS network, and which could have been collected by the nation-state group, includes the likes of:

  • Full names
  • Dates of birth
  • Social Security numbers
  • Addresses
  • Telephone numbers
  • Driver’s license numbers
  • Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
  • Health information
  • Financial information
  • Historical information concerning individuals’ interaction with DHSS

Notification emails will be sent to all affected individuals between September 27 and October 1, 2021, the DHSS said.

The agency has also published a FAQ page [PDF] with additional details about the nation-state attack.

“Regrettably, cyberattacks by nation-state-sponsored actors and transnational cybercriminals are becoming more common and are an inherent risk of conducting any type of business online,” said DHSS Technology Officer Scott McCutcheon.

All systems breached by the intruders remain offline. This includes systems used to perform background checks and systems used to request birth, death, and marriage certificates, all of which are now processed and reviewed manually, in person or by phone.

Source: Alaska discloses ‘sophisticated’ nation-state cyberattack on health service – The Record by Recorded Future

Hackers leak passwords for 500,000 Fortinet VPN accounts

A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer.

While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid.

[…]

The list of Fortinet credentials was leaked for free by a threat actor known as ‘Orange,’ who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation.

[…]

Both posts lead to a file hosted on a Tor storage server used by the Groove gang to host stolen files leaked to pressure ransomware victims to pay.

BleepingComputer’s analysis of this file shows that it contains VPN credentials for 498,908 users over 12,856 devices.

While we did not test if any of the leaked credentials were valid, BleepingComputer can confirm that all of the IP addresses we checked are Fortinet VPN servers.

Further analysis conducted by Advanced Intel shows that the IP addresses are for devices worldwide, with 2,959 devices located in the USA.

[…]

Kremez told BleepingComputer that the Fortinet CVE-2018-13379 vulnerability was exploited to gather these credentials.

A source in the cybersecurity industry told BleepingComputer that they were able to legally verify that at least some of the leaked credentials were valid.

It is unclear why the threat actor released the credentials rather than using them for themselves, but it is believed to have been done to promote the RAMP hacking forum and the Groove ransomware-as-a-service operation.

[…]

Source: Hackers leak passwords for 500,000 Fortinet VPN accounts

FTC bans spyware maker SpyFone, and orders it to notify hacked victims

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

[…]

Source: FTC bans spyware maker SpyFone, and orders it to notify hacked victims | TechCrunch

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials.

[…]

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.

According to Bill, the fraudsters aren’t downloading all of their victims’ emails: That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.
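The two behaviours described in this story, mass credential testing and scripted post-login searches for gift-card and loyalty terms, both leave a distinctive footprint in a mail provider's authentication and mailbox-activity logs. The following is an added example, not code from Krebs on Security or from "Bill"; the log format, the field names, the sample lines and the watchlist of search terms are all constructed for illustration.

```python
"""Constructed example: spotting mass credential testing and automated
inbox sweeps in provider-side logs.  The log format, field names and
sample lines below are assumptions made for this example, not a real
provider's format."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data): one login attempt or one mailbox
# search per line.  203.0.113.7 plays the credential-testing bot.
SAMPLE_LOG = """\
2021-08-30T02:14:05Z ip=203.0.113.7 user=alice@example.net event=login result=fail
2021-08-30T02:14:06Z ip=203.0.113.7 user=bob@example.net event=login result=fail
2021-08-30T02:14:06Z ip=203.0.113.7 user=carol@example.net event=login result=ok
2021-08-30T02:14:09Z ip=203.0.113.7 user=carol@example.net event=search q="amazon gift card"
2021-08-30T02:14:10Z ip=203.0.113.7 user=dave@example.net event=login result=fail
2021-08-30T02:14:11Z ip=203.0.113.7 user=erin@example.net event=login result=fail
2021-08-30T02:14:12Z ip=203.0.113.7 user=frank@example.net event=login result=fail
2021-08-30T02:14:13Z ip=203.0.113.7 user=grace@example.net event=login result=ok
2021-08-30T02:14:15Z ip=203.0.113.7 user=grace@example.net event=search q="marriott rewards"
2021-08-30T02:14:16Z ip=203.0.113.7 user=heidi@example.net event=login result=fail
2021-08-30T09:01:00Z ip=198.51.100.4 user=ivan@example.net event=login result=ok
2021-08-30T09:30:12Z ip=198.51.100.4 user=ivan@example.net event=search q="flight confirmation"
2021-08-30T09:31:00Z ip=198.51.100.4 user=ivan@example.net event=login result=fail
2021-08-30T09:31:20Z ip=198.51.100.4 user=ivan@example.net event=login result=ok
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)'
    r'(?: result=(?P<result>\S+))?(?: q="(?P<q>[^"]*)")?$'
)

# Assumed watchlist of terms the gang hunts for; extend per environment.
WATCHLIST = ("gift card", "e-gift", "rewards", "loyalty", "voucher")


def parse_log(text):
    """Turn log lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures.

    Returns {ip: {"attempts", "successes", "distinct_users"}} for every IP
    that exceeds min_users and stays at or below max_success_rate."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for ev in events:
        if ev["event"] != "login":
            continue
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "ok":
            s["successes"] += 1
    flagged = {}
    for ip, s in stats.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"], "successes": s["successes"],
                           "distinct_users": len(s["users"])}
    return flagged


def find_inbox_sweeps(events, window_s=30):
    """Return (user, ip, query) triples where a successful login is followed
    within window_s seconds by a search for a watchlisted term: the scripted
    'log in, then hunt for gift cards' pattern the article describes."""
    last_ok = {}  # user -> (timestamp, ip) of the most recent successful login
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login" and ev["result"] == "ok":
            last_ok[ev["user"]] = (ev["ts"], ev["ip"])
        elif ev["event"] == "search" and ev["user"] in last_ok:
            ts, ip = last_ok[ev["user"]]
            q = (ev["q"] or "").lower()
            if (ev["ts"] - ts).total_seconds() <= window_s and any(t in q for t in WATCHLIST):
                hits.append((ev["user"], ip, ev["q"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in find_credential_stuffing(evs).items():
        print(f"credential stuffing from {ip}: {s}")
    for user, ip, q in find_inbox_sweeps(evs):
        print(f"inbox sweep: {user} via {ip} searched {q!r}")
```

The per-IP check is the weaker of the two here: the story notes the gang routes its traffic through a network of hacked machines, so a single source may only ever touch a handful of accounts. The per-account check (a fresh login immediately followed by a watchlisted search) does not depend on the source address at all, which is why the two are kept separate.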

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

[…]

Bill’s data also shows that this gang is so aggressively going after gift card data that it will routinely seek new gift card benefits on behalf of victims, when that option is available. For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking.

Bill said these crooks have figured out a way to tap into those benefits as well.

“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”

[…]

several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.

“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said. “I don’t know why they’re getting popped so heavily.”

[…]

Source: Gift Card Gang Extracts Cash From 100k Inboxes Daily – Krebs on Security

T-Mobile hacker explains how he breached carrier’s security

John Binns, a 21-year-old American who now lives in Turkey, told the Wall Street Journal that he was behind the T-Mobile security breach that affected more than 50 million people earlier this month.

The intrigue: Binns said he broke through the T-Mobile defenses after discovering an unprotected router exposed on the internet, after scanning the carrier’s internet addresses for weak spots using a publicly available tool.

  • “I was panicking because I had access to something big,” he wrote in Telegram messages to the Journal. “Their security is awful.”
  • “Generating noise was one goal,” Binns said. He declined to say whether he sold any of the information he stole, or whether he was paid for the hack.

The big picture: It was the third major data leak the network has disclosed in the last two years, per WSJ. T-Mobile is the second-largest U.S. mobile carrier, housing the data of around 90 million cellphones.

Background: Some of the information exposed in the breach included names, dates of birth, social security numbers and personal ID information. The breach is being investigated by Seattle’s FBI office, according to the Journal.

Source: T-Mobile hacker explains how he breached carrier’s security – Axios

Mirai-style IoT botnet is now scanning for router-pwning critical vuln in Realtek kit

The remote code execution flaw, CVE-2021-35395, was seen in Mirai malware binaries by threat intel firm Radware, which “found that new malware binaries were published on both loaders leveraged in the campaign.”

Warning that the vuln had been included in Dark.IoT’s botnet “less than a week” after it was publicly disclosed, Radware said: “This vulnerability was recently disclosed by IoT Inspectors Research Lab on August 16th and impacts IoT devices manufactured by 65 vendors relying on the Realtek chipsets and SDK.”

The critical vuln, rated 9.8 on the CVSS scale, consists of multiple routes to cause buffer overflows (PDF from Realtek with details) in the web management interface provided by Realtek in its Jungle SDK for its router chipset. CVE-2021-35395 is a denial-of-service vuln; crafted inputs from an attacker can be used to crash the HTTP server running the management interface, and thus the router.

[…]

Rather than having the capability to develop its own exploits, Dark.IoT sits around waiting for white hats to publish proof-of-concepts for newly discovered vulns, and Smith said they incorporate those into their botnet within “days.”

[…]

While Realtek has patched the vulns in the SDK, vendors using its white-label tech now have to distribute patches for their branded devices and then users have to install them – all while Dark.IoT and other Mirai-based criminals are looking for exploitable devices.

[…]

Source: Mirai-style IoT botnet is now scanning for router-pwning critical vuln in Realtek kit • The Register

Belarus Hackers Seek to Overthrow Government, release huge trove of sensitive data

[…]

The Belarusian Cyber Partisans, as the hackers call themselves, have in recent weeks released portions of a huge data trove they say includes some of the country’s most secret police and government databases. The information contains lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centers and secret recordings of phone calls from a government wiretapping system, according to interviews with the hackers and documents reviewed by Bloomberg News.

Image caption: A screenshot of footage the hackers obtained from inside Belarusian detention centers where protesters were held and allegedly beaten. Source: Belarusian Cyber Partisans

Among the pilfered documents are personal details about Lukashenko’s inner circle and intelligence officers. In addition, there are mortality statistics indicating that thousands more people in Belarus died from Covid-19 than the government has publicly acknowledged, the documents suggest.

In an interview and on social media, the hackers said they also sabotaged more than 240 surveillance cameras in Belarus and are preparing to shut down government computers with malicious software named X-App.

[…]

the data exposed by the Cyber Partisans showed “that officials knew they were targeting innocent people and used extra force with no reason.” As a result, he said, “more people are starting to not believe in propaganda” from state media outlets, which suppressed images of police violence during anti-government demonstrations last year.

[…]

The hackers have teamed up with a group named BYPOL, created by former Belarusian police officers, who defected following the disputed election of Lukashenko last year. Mass demonstrations followed the election, and some police officers were accused of torturing and beating hundreds of citizens in a brutal crackdown.

[…]

The wiretapped phone recordings obtained by the hackers revealed that Belarus’s interior ministry was spying on a wide range of people, including police officers—both senior and rank-and-file—as well as officials working with the prosecutor general, according to Azarau. The recordings also offer audio evidence of police commanders ordering violence against protesters, he said.

[…]

Earlier this year, an affiliate of the group obtained physical access to a Belarus government facility and broke into the computer network while inside, the spokesman said. That laid the groundwork for the group to later gain further access, compromising some of the ministry’s most sensitive databases, he said. The stolen material includes the archive of secretly recorded phone conversations, which amounts to between 1 million and 2 million minutes of audio, according to the spokesman.

[…]

The hackers joined together in September 2020, after the disputed election. Their initial actions were small and symbolic, according to screenshots viewed by Bloomberg News. They hacked state news websites and inserted videos showing scenes of police brutality. They compromised a police “most wanted” list, adding the names of Lukashenko and his former interior minister, Yury Karayeu, to the list. And they defaced government websites with the red and white national flags favored by protesters over the official Belarusian red and green flag.

Those initial breaches attracted other hackers to the Cyber Partisans’ cause, and as it has grown, the group has become bolder with the scope of its intrusions. The spokesman said its aims are to protect the sovereignty and independence of Belarus and ultimately to remove Lukashenko from power.

[…]

Names and addresses of government officials and alleged informants obtained by the hackers have been shared with Belarusian websites, including Blackmap.org, that seek to “name and shame” people cooperating with the regime and its efforts to suppress peaceful protests, according to Viačorka and the websites themselves.

[…]

Source: Belarus Hackers Seek to Overthrow Local Government – Bloomberg

You Can Gain Admin Privileges to Any Windows Machine by Plugging in a Razer Mouse

[…]

When you plug in one of these Razer peripherals, Windows will automatically download Razer Synapse, the software that controls certain settings for your mouse or keyboard. Said Razer software has SYSTEM privileges, since it launches from a Windows process with SYSTEM privileges.

But that’s not where the vulnerability comes into play. Once you install the software, Windows’ setup wizard asks which folder you’d like to save it to. When you choose a new location for the folder, you’ll see a “Choose a Folder” prompt. Press Shift and right-click on that, and you can choose “Open PowerShell window here,” which will open a new PowerShell window.

Because this PowerShell window was launched from a process with SYSTEM privileges, the PowerShell window itself now has SYSTEM privileges. In effect, you’ve turned yourself into an admin on the machine, able to perform any command you can think of in the PowerShell window.
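What makes this pattern detectable is that an interactive shell ends up running as SYSTEM inside a logged-on user's desktop session, with a parent that is not a service-control process. The following is an added example, not code from the article or from Razer; the field names mirror Sysmon Event ID 1 (Image, ParentImage, User, IntegrityLevel, TerminalSessionId), but the records, the installer name and the allow-list of expected parents are constructed for illustration.

```python
"""Constructed example: hunting for interactive shells that inherit SYSTEM
from an installer, the privilege-escalation pattern described above.
Field names follow Sysmon Event ID 1; every record below is made up."""

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Parents from which a SYSTEM shell is routinely expected (service control,
# scheduled tasks, WinRM).  Assumed allow-list; tune it to the environment.
EXPECTED_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe", "wsmprovhost.exe"}

# Constructed records.  TerminalSessionId 0 is the non-interactive services
# session; 1 and above are logged-on desktops.  "PeripheralSetup.exe" is a
# hypothetical installer name standing in for any vendor setup program.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": SYSTEM_USER, "IntegrityLevel": "System", "TerminalSessionId": 0},
    # Scheduled-task PowerShell in session 0: expected, must not be flagged.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": SYSTEM_USER, "IntegrityLevel": "System", "TerminalSessionId": 0},
    # SYSTEM PowerShell spawned by an installer on the user's desktop: flag.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\PeripheralSetup.exe",
     "User": SYSTEM_USER, "IntegrityLevel": "System", "TerminalSessionId": 1},
    # Ordinary user shell from Explorer: expected, must not be flagged.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": "LAB\\alice", "IntegrityLevel": "Medium", "TerminalSessionId": 1},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_system_shell(ev):
    """True for a shell running as SYSTEM in an interactive session whose
    parent is not one of the processes expected to launch SYSTEM shells."""
    return (basename(ev["Image"]) in SHELLS
            and ev["User"] == SYSTEM_USER
            and ev["TerminalSessionId"] != 0
            and basename(ev["ParentImage"]) not in EXPECTED_PARENTS)


def find_system_shells(events):
    """Return the process-creation records that match the heuristic."""
    return [ev for ev in events if is_suspicious_system_shell(ev)]


if __name__ == "__main__":
    for ev in find_system_shells(SAMPLE_EVENTS):
        print(f"SYSTEM shell {basename(ev['Image'])} spawned by "
              f"{basename(ev['ParentImage'])} in session {ev['TerminalSessionId']}")
```

The session check is what separates this from routine SYSTEM automation: scheduled tasks and services spawn their shells in session 0, whereas the installer dialog described above hands the user a shell on their own desktop. Feeding real Sysmon events through the same predicate only requires mapping the event's fields onto the dictionary keys used here.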

This vulnerability was first brought to light on Twitter by user jonhat, who tried contacting Razer about it first, to no avail. Razer did eventually follow up, confirming a patch is in the works. Until that patch is available, however, the company is inadvertently selling tools that make it easy to hack millions of computers.

[…]

Source: You Can Gain Admin Privileges to Any Windows Machine by Plugging in a Razer Mouse

Exclusive: Hacker Selling Private Data Allegedly from 70 Million AT&T Customers

A well-known threat actor with a long list of previous breaches is selling private data that was allegedly collected from 70 million AT&T customers. We analyzed the data and found it to include social security numbers, date of birth, and other private information. The hacker is asking $1 million for the entire database (direct sell) and has provided RestorePrivacy with exclusive information for this report.

Update: AT&T has initially denied the breach in a statement to RestorePrivacy. The hacker has responded by saying, “they will keep denying until I leak everything.”

Hot on the heels of a massive data breach with T Mobile earlier this week, AT&T now appears to be in the spotlight. A well-known threat actor in the underground hacking scene is claiming to have private data from 70 million AT&T customers. The threat actor goes by the name of ShinyHunters and was also behind other previous exploits that affected Microsoft, Tokopedia, Pixlr, Mashable, Minted, and more.

The hacker posted the leak on an underground hacking forum earlier today, along with a sample of the data that we analyzed. The original post is below:

Image caption: This is the original post offering the data for sale on a hacking forum.

We examined the data for this report and also reached out to the hacker who posted it for sale.

70 million AT&T customers could be at risk

In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits, as we’ll examine more below.

While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid. Here is the data that is available in this leak:

  • Name
  • Phone number
  • Physical address
  • Email address
  • Social security number
  • Date of birth

Below is a screenshot from the sample of data available:

Image caption: A selection of AT&T user data that is for sale.

In addition to the data above, the hacker has also accessed encrypted data from customers that includes social security numbers and dates of birth. Here is a sample that we examined:

[Screenshot of the encrypted sample, not reproduced here.]

The data is currently being offered for $1 million USD for a direct sell (or flash sell) and $200,000 for access that is given to others. Assuming it is legit, this would be a very valuable breach as other threat actors can likely purchase and use the information for exploiting AT&T customers for financial gain.

Source: Exclusive: Hacker Selling Private Data Allegedly from 70 Million AT&T Customers | RestorePrivacy