Russian malware will often not install on computers with a Russian virtual keyboard installed

KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian.

[…]

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.

In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.

[…]

DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that mostly have favorable relations with the Kremlin. The full exclusion list in DarkSide (published by Cybereason) is below:

Image: Cybereason.

Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install.
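As an added example (not code from the Krebs article or from any of the sources quoted on this page), the following PowerShell script audits the current user's Windows input-language list for the Russian and Ukrainian tags named above and can optionally add a Russian keyboard layout; the `-AddRussianLayout` switch name and the decision to add only a keyboard layout rather than a display language are this example's own assumptions.

```powershell
# Added example, not from the Krebs article: audit the current user's Windows
# input languages for the Russian ('ru') and Ukrainian ('uk') tags the article
# names, and optionally append a Russian keyboard layout.
# Assumes Windows 8 or later with the built-in International module
# (Get-WinUserLanguageList / Set-WinUserLanguageList).
param(
    [switch]$AddRussianLayout   # switch name chosen for this example
)

# Language tags the article names as commonly excluded by these malware families.
$watchTags = @('ru', 'uk')

$langs = Get-WinUserLanguageList
$present = $langs | Where-Object {
    # Compare only the primary language subtag, so 'ru-RU' and 'uk-UA' both match.
    $tag = $_.LanguageTag.Split('-')[0].ToLower()
    $watchTags -contains $tag
}

if ($present) {
    Write-Host "Input languages already present: $($present.LanguageTag -join ', ')"
} else {
    Write-Host "No Russian or Ukrainian input language is configured for this user."
    if ($AddRussianLayout) {
        # Appending a language adds its keyboard layout for this user only. The
        # Windows display language is controlled separately (Set-WinUILanguageOverride),
        # which this script does not touch, so menus and dialogs stay as they are.
        $langs.Add('ru-RU')
        Set-WinUserLanguageList -LanguageList $langs -Force
        Write-Host "Added the ru-RU keyboard layout; sign out and back in for it to apply."
    }
}
```

The script only reports on or changes the signed-in user's language list, which is the setting the article discusses; as the article itself stresses, this is a nuisance for one class of malware and not a substitute for defense in depth.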

[…]

Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.

[…]

Cybercriminals are notoriously responsive to defenses which cut into their profitability, so why wouldn’t the bad guys just change things up and start ignoring the language check? Well, they certainly can and maybe even will do that (a recent version of DarkSide analyzed by Mandiant did not perform the system language check).

But doing so increases the risk to their personal safety and fortunes by some non-trivial amount

[…]

Source: Try This One Weird Trick Russian Hackers Hate – Krebs on Security

Colonial Pipeline hackers Darkside received $90 million in bitcoin

DarkSide, the hacker group behind the recent Colonial Pipeline ransomware attack, received a total of $90 million in bitcoin ransom payments before shutting down last week, according to new research.

Colonial Pipeline was hit with a devastating cyberattack earlier this month that forced the company to shut down approximately 5,500 miles of pipeline in the United States, crippling gas delivery systems in Southeastern states. The FBI blamed the attack on DarkSide, a cybercriminal gang believed to be based in Eastern Europe, and Colonial reportedly paid a $5 million ransom to the group.

[…]

In a blog post Tuesday, Elliptic said DarkSide and its affiliates bagged at least $90 million in bitcoin ransom payments over the past nine months from 47 victims. The average payment from organizations was likely $1.9 million, Elliptic said.

[…]

Of the $90 million total haul, $15.5 million went to DarkSide’s developer while $74.7 million went to its affiliates, according to Elliptic. The majority of the funds are being sent to crypto exchanges, where they can be converted into fiat money, Elliptic said.

[…]

Source: Colonial Pipeline hackers Darkside received $90 million in bitcoin: Report

Darkside ransomware gang says it lost control of its servers & money a day after Biden threat

A day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline cyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of the funds it made from ransom payments.

“A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers,” said Darksupp, the operator of the Darkside ransomware, in a post spotted by Recorded Future threat intelligence analyst Dmitry Smilyanets.

“Now these servers are unavailable via SSH, and the hosting panels are blocked,” said the Darkside operator while also complaining that the web hosting provider refused to cooperate.

In addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang’s payment server, which was hosting ransom payments made by victims.

The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.

Takedown?

This sudden development comes after US authorities announced their intention to go after the gang.

[…]

Or exit scam?

But Smilyanets warns that the group’s announcement could also be a ruse, as no announcement has yet been made by US officials.

The group could be taking advantage of President Biden’s statements as cover to shut down its infrastructure and run away with its affiliates’ money without paying their cuts—a tactic known as an “exit scam” on the cybercriminal underground.

[…]

The news that Darkside lost control of its servers and that a major cybercrime forum was banning ransomware ads, all happening within a span of hours of each other, also had an effect on REvil, arguably considered today’s biggest ransomware operation.

In a post quoting Darkside’s (now-deleted) statement, REvil spokesperson Unknown made an announcement of their own and said they also plan to stop advertising their Ransomware-as-a-Service platform and “go private”—a term used by cybercrime gangs to describe their intention to work with a small group of known and trusted collaborators only.

Additionally, the REvil group also said that it plans to stop attacking sensitive social sectors like healthcare, educational institutes, and the government networks of any country, which it believes could draw unwanted attention to its operation, such as the attention Darkside is getting right now.

In the case of any of such attacks carried out by any of its collaborators, REvil said they plan to provide a free decryption key to victims and stop working with the misbehaving affiliate.

Image: REvil’s post on the Exploit forum (Recorded Future).

Furthermore, hours after REvil’s announcement, the operators of the Avaddon ransomware also announced similar updates to their program, with the same clause barring ransomware groups from attacking government entities, healthcare orgs, and educational institutes.

While we may never know who or what is driving these changes among ransomware gangs, it is pretty clear that the Colonial Pipeline attack and its aftermath appear to have broken the camel’s back, and US authorities have started applying some sort of pressure on these groups.

Source: Darkside ransomware gang says it lost control of its servers & money a day after Biden threat | The Record by Recorded Future

US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day

One of the USA’s largest oil pipelines has been shut by ransomware, leading the nation’s Federal Motor Carrier Safety Administration to issue a regional emergency declaration permitting the transport of fuel by road.

The Colonial Pipeline says it carries 100 million gallons a day of refined fuels between Houston, Texas, and New York Harbor, or 45 percent of all fuel needed on the USA’s East Coast. The pipeline carries fuel for cars and trucks, jet fuel, and heating oil.

It’s been offline since May 7, according to a company statement, due to what the outfit described as “… a cybersecurity attack [that] involves ransomware.”

It added: “In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”

[…]

In a statement on May 10 fingering the culprits of the attack, the FBI said “the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation.”

Meanwhile, on its Tor-hidden website, the Darkside crew seems to regret the attention it has drawn from Uncle Sam. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” it wrote.

Source: US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day • The Register

Tesla Cars Hacked Remotely From Drone via Zero-Click Exploit

[…]

The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. An attacker can exploit these flaws to take full control of the infotainment system of a Tesla without any user interaction.

A hacker who exploits the vulnerabilities can perform any task that a regular user could from the infotainment system. That includes opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. However, the researchers explained, “This attack does not yield drive control of the car though.”

They showed how an attacker could use a drone to launch an attack via Wi-Fi to hack a parked car and open its doors from a distance of up to 100 meters (roughly 300 feet). They claimed the exploit worked against Tesla S, 3, X and Y models.

“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann said.

Tesla patched the vulnerabilities with an update pushed out in October 2020, and it has reportedly stopped using ConnMan. Intel was also informed since the company was the original developer of ConnMan, but the researchers said the chipmaker believed it was not its responsibility.

[…]

Source: Tesla Car Hacked Remotely From Drone via Zero-Click Exploit | SecurityWeek.Com

China behind another hack as U.S. cybersecurity issues mount

China is behind a newly discovered series of hacks against key targets in the U.S. government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday.

The hack works by breaking into Pulse Secure, a program that businesses often use to let workers remotely connect to their offices. The company announced Tuesday how users can check to see if they were affected but said the software update to prevent the risk to users won’t go out until May.

The campaign is the third distinct and severe cyberespionage operation against the U.S. made public in recent months, stressing an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies via SolarWinds, a Texas software company widely used by American businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all where scores of different hackers broke into organizations around the world through the Microsoft Exchange email program.

In all three campaigns, the hackers first used those programs to hack into victims’ computer networks, then created backdoors to spy on them for months, if not longer.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said in a warning Tuesday evening the latest hacking campaign is currently “affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations.”

[…]

Source: China behind another hack as U.S. cybersecurity issues mount

Passwordstate password manager Hacked, Exposing Users’ Passwords for 28 Hours with automatic update

Passwordstate, the enterprise password manager offered by Australian software developer Click Studios, was hacked earlier this week, exposing the passwords of an undisclosed number of its clients for approximately 28 hours. The hack was carried out through an upgrade feature for the password manager and potentially harvested the passwords of those who carried out upgrades.

On Friday, Click Studios issued an incident management advisory about the hack. It explained that the initial vulnerability was related to its upgrade director—which points the in-place update to the appropriate version of the software on the company’s content distribution network—on its website. When customers performed in-place upgrades on Tuesday and Wednesday, they potentially downloaded a malicious file, titled “moserware.secretsplitter.dll,” from a download network not controlled by Click Studios.

Once the malicious file was loaded, it set off a process that extracted information about the computer system as well as data stored in Passwordstate, including URLs, usernames and passwords. The information was then posted to the hackers’ content distribution network.

According to the company, the vulnerability has been addressed and eliminated. Click Studios said that only customers who performed in-place updates between Tuesday, April 20 at 4:33 p.m. ET and Thursday, April 22 at 8:30 p.m. ET are believed to be affected. Customers who carried out manual upgrades of Passwordstate are not compromised.

[…]

Source: Passwordstate Hacked, Exposing Users’ Passwords for 28 Hours

A Hacker Got All My Texts for $16 – SMS forwarding is a real problem for 2FA

I didn’t expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.

[…]

I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him.

[…]

“Welcome to create an account if you want to mess with it, literally anyone can sign up,”

[…]

This also doesn’t rely on SS7 exploitation, where more sophisticated attackers tap into the telecom industry’s backbone to intercept messages on the fly. What Lucky225 did with Sakari is easier to pull off and requires less technical skill or knowledge. Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal. Except I never received the messages intended for me, but he did.

[…]

“I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info,” Lucky225 added, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers. (Cyber security company Okey Systems, where Lucky225 is Director of Information, has released a tool that companies and consumers can use to detect this attack and other types of phone number takeovers).

[…]

“Sakari is a business text messaging service that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns,” the company’s website reads.

For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A wide ecosystem of these companies exists, each advertising its own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too.

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

[…]

In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.

[…]

Source: A Hacker Got All My Texts for $16

US investigates code testing hack that could affect thousands of companies

[…]

A recent breach has prompted fears of another SolarWinds-style hack that could have ramifications for numerous large companies. Reuters reports that federal officials are investigating a hack at Codecov, a code testing firm with 29,000 customers that include Procter & Gamble, the Washington Post and tech companies like Atlassian and GoDaddy. The intrusion appears to have lasted for months, putting clients at risk.

Codecov said that attackers exploited a flaw in a Docker image creation process to make “periodic, unauthorized” changes to the company’s Bash Uploader script starting on January 31st. The modifications gave the hackers power to export customer info and send it to an outside server. However, Codecov only learned of the incident on April 1st.

[…]

Source: US investigates code testing hack that could affect thousands of companies | Engadget

Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.

Source: Bash Uploader Security Update | Codecov

Aussie biz Azimuth cracked San Bernardino shooter’s iPhone, ending Apple-FBI privacy standoff in 2015

Australian security firm Azimuth has been identified as the experts who managed to crack a mass shooter’s iPhone that was at the center of an encryption standoff between the FBI and Apple.

Until this week it had largely been assumed that Israeli outfit Cellebrite was hired to forcibly unlock an encrypted iPhone 5C used by Syed Farook – who in 2015 shot and killed colleagues at a work event in San Bernardino, California, claiming inspiration from ISIS.

Efforts by law enforcement to unlock and pore over Farook’s phone were unsuccessful, leading to the FBI taking Apple to court to force it to crack its own software to reveal the device’s contents. The Feds got an order from a judge instructing Apple to effectively break its own security to give agents access to the locked and encrypted handset.

But Apple heavily and publicly resisted, leading to a legal showdown that resulted in increasing alarm in the technology industry. Before the courts were forced to resolve the issue of access to encrypted data, however, the FBI announced it had found a way into the phone and dropped the case.

It later emerged the Feds had paid $900,000 to get into the phone… which had nothing of value on it. That isn’t too surprising since it was Farook’s work phone, after all.

[…]

Source: Report: Aussie biz Azimuth cracked San Bernardino shooter’s iPhone, ending Apple-FBI privacy standoff • The Register

Millions of passwords leaked by hacked webshop Allekabels.nl

Webshop Allekabels has leaked private data and passwords of millions of Dutch people. It may be the largest password data breach in the Netherlands ever.

Allekabels’ stolen database, containing the private data of some 3.6 million people, was put up for sale on a hacker forum at the end of January for a sum of 15,000 euros. Audio and computer cables are available for purchase via Allekabels, as well as suspension brackets and antennas.

RTL Nieuws has viewed and verified the stolen data.

This totals some 2.6 million unique email addresses linked to names, home addresses, telephone numbers, dates of birth and encrypted passwords.

At least 109,000 IBAN numbers of Allekabels customers were also stolen and traded.

[…]

Source: Millions of passwords leaked by hacked webshop Allekabels.nl – Emerce

SolarWinds hack was done by Kremlin’s APT29 crew, say UK and US

Russia’s infamous APT 29, aka Cozy Bear, was behind the SolarWinds Orion attack, the US and UK governments said today as America slapped sanctions on Russian infosec companies as well as expelling diplomats from that country’s US embassy.

One of the sanctioned companies is Positive Technologies, familiar in the West for, among other things, in-depth research exposing vulnerabilities in Intel’s hardware security architecture.

Formal attribution of the SolarWinds hacks, echoing tentative findings made by Kaspersky Lab, came in a US Treasury Department statement issued this afternoon.

The compromise saw Russian state intelligence operatives carefully compromise the build systems of SolarWinds’ network monitoring software Orion to distribute a backdoor into its 18,000 customers. Those customers included the UK and US governments, among many others.

“The Russian Intelligence Services’ third arm, the SVR, is responsible for the 2020 exploit of the SolarWinds Orion platform and other information technology infrastructures. This intrusion compromised thousands of US government and private sector networks,” said the US Treasury.

The American attribution was echoed by the British government with Foreign Secretary Dominic Raab saying in a statement: “We see what Russia is doing to undermine our democracies. The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.”

The US Defence Department added: “Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse.”

The NCSC also said in a public statement that “the overall impact on the UK of the SVR’s exploitation of this software is low.” Government departments have refused to even talk about the impact of the Orion compromise despite it being in widespread use around Whitehall and further afield, lending credibility to the notion that UK.gov was more widely hit by the breach than it wants to admit.

[…]

Other sanctioned outfits included ERA Technopolis, aka Pasit; Neobit, an infosec firm which was also the alma mater for a Russian spy who sneaked into Microsoft back in 2010; the Russian state compsci research institution; and a Russian business called Advanced System Technology AO.

US persons are banned from doing business with any of the above.

Source: It was Russia wot did it: SolarWinds hack was done by Kremlin’s APT29 crew, say UK and US • The Register

FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins

The FBI deleted web shells installed by criminals on hundreds of Microsoft Exchange servers across the United States, it was revealed on Tuesday.

The Feds were given approval by the courts to carry out the deletions, which occurred without first warning the servers’ owners, following the discovery and exploitation of critical vulnerabilities in the enterprise software.

Shortly after Microsoft raised the alarm early last month over the security holes in Exchange and provided fixes for the vulnerabilities, miscreants swarmed to exploit the programming blunders and hijack unpatched installations. (Certain groups were even breaking into Exchange servers via the holes before their existence was public knowledge.)

The FBI found hundreds of such compromised deployments with backdoors installed by one cyber-gang in particular, leading to agents asking the courts to allow them to go in and delete the malicious code. The court approved the action and the document was unsealed this week, 30 days later.

“Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the Justice Department noted in an announcement. “Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to US networks.”

The FBI deleted the shells by issuing a command through the web shell to the server “which was designed to cause the server to delete only the web shell (identified by its unique file path),” it said. Critically, however, the Feds did not touch the servers themselves and so they remain unpatched and open to infiltration.

[…]

Source: FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins • The Register

What I very much like about this is that they got a court order approving the behaviour before going out and doing it.

Clubhouse Data Leak – 1.3M SQL Database Leaked Online. Wait, they had 1.3M users? Doubt it

Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum.


What was leaked?

The leaked database contains a variety of user-related information from Clubhouse profiles, including:

  • User ID
  • Name
  • Photo URL
  • Username
  • Twitter handle
  • Instagram handle
  • Number of followers
  • Number of people followed by the user
  • Account creation date
  • Invited by user profile name

[…]

Source: Clubhouse Data Leak – 1.3M SQL Database Leaked Online | CyberNews

I am surprised they have this many users. Clubhouse has a massive PR department but isn’t really relevant…

Your WhatsApp account can be suspended by anyone who has your phone number

It’s possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing there’s no solution for this issue.

This newly discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it because, of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.

Here’s where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.

[…]

The attack is a proof-of-concept from a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, and was first reported by Forbes. The results are disturbing, but at the very least, this method can’t be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed.

[…]

Source: Your WhatsApp account can be suspended by anyone who has your phone number

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof

We updated our personal data leak checker database with more than 780,000 email addresses associated with this leak. Use it to find out if your LinkedIn profile has been scraped by the threat actors.

Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn.

An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author.

The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.


While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much-larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.

The author of the post claims that the data was scraped from LinkedIn. Our investigation team was able to confirm this by looking at the samples provided on the hacker forum. However, it’s unclear whether the threat actor is selling up-to-date LinkedIn profiles, or if the data has been taken or aggregated from a previous breach suffered by LinkedIn or other companies.

We asked LinkedIn if they could confirm that the leak was genuine, and whether they have alerted their users and clients, but we have received no reply from the company at the time of writing this report.

What was leaked?

Based on the samples we saw from the leaked files, they appear to contain a variety of mostly professional information from LinkedIn profiles, including:

  • LinkedIn IDs
  • Full names
  • Email addresses
  • Phone numbers
  • Genders
  • Links to LinkedIn profiles
  • Links to other social media profiles
  • Professional titles and other work-related data

[…]

Source: Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof | CyberNews

Damn it, this happened in 2012 and 2016 too!

Clothes retailer Fatface: Someone’s broken in and accessed your personal data, including partial card payment details… Don’t tell anyone

British clothes retailer Fatface has infuriated some customers by telling them “an unauthorised third party” gained access to systems holding their data earlier this year, and then asking them to keep news of the blunder to themselves.

Several people wrote into The Register to let us know about the personal data leak, with reader Terry saying: “You will notice the Fatface email is marked as confidential. This annoyed me.”

Chief exec Liz Evans wrote in an email titled “Strictly private and confidential – Notice of security incident” sent to users yesterday:

-----

Please do keep this email and the information included within it strictly private and confidential.

What happened?

On 17 January 2021, FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation… [and] determined that an unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month….

Some of your personal data may have been involved in the incident. This could include some or all of the below listed categories of information relating to you.

  • First name and surname.
  • Email address.
  • Address details.
  • Partial payment card information by way of the last 4 digits and expiry date.

Please rest assured that full payment card information was not compromised. We have been working with the relevant authorities and external security experts to ensure a comprehensive response to the incident. In addition, we have notified the Information Commissioner’s Office in the UK and other law enforcement authorities of this incident.

We have taken various additional steps to further strengthen the security of our systems. Please rest assured that our systems are secure, our website remains fully operational and FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.

—-

Quite reasonably, customers quickly took to social media to ask where they could find “a public statement on your data breach,” why it had waited so long to inform customers, why the mail was marked “confidential” and whether it was genuine. All were directed to kindly “DM” the firm’s social media handler.

It also noted that it would be giving recipients “access to a complimentary Experian Identity Plus membership… purely out of an abundance of caution and not because we consider your data specifically to be at risk.”

It did not detail how many people had been affected. The firm has “200 stores across the UK and Ireland” – doing particularly well in seaside areas – and offers international shipping, although its website currently says this is unavailable.

[…]

Source: Clothes retailer Fatface: Someone’s broken in and accessed your personal data, including partial card payment details… Don’t tell anyone • The Register

I guess they don’t have to notify anyone now that the UK is out of the EU and doesn’t have to conform to GDPR rules…

Guns.Com Got Hacked – personal data available on forum

Watch out, firearm lovers. The subtly-named guns.com, a place where Americans can go to pick out whatever stylish boomstick they like and have it shipped straight to their neck of the woods, seems to have a pretty awful data breach on its hands.

Back in January, a hacker temporarily disabled the company’s website, interfering with the site’s retail operations and forcing the weapons peddler to apologize to its confused customers for the whole debacle.

Guns.com has claimed that this attack was meant to prevent the “business from operating”—and that there is “no indication” of any attempt to steal data. However, this assessment may be wrong.

This week a large cache of files allegedly taken from the site appeared on the popular dark web site Raid Forums. In fact, an anonymous user offered Guns.com’s entire kit and caboodle—allegedly everything from troves of consumer and administrative data to the site’s stolen source code—free to all comers.

The data dump shows substantial gun buyer information, including user IDs, full names, email addresses, phone numbers, hashed passwords, and, most alarmingly, physical addresses—including city, state, and zip code information. The site data has been viewed by Gizmodo and it was originally reported on by Hackread.

The dump also seems to show access to information about many of the firearms providers that sell through the platform (the site acts as a location for sellers as much as for buyers), and Hackread reports that an Excel file within the data tranche shows “sensitive login details of Guns.com including its administrator’s WordPress, MYSQL, and Cloud (Azure) credentials,” though it’s unclear if this is recent information. We also found back-end code for a Laravel-powered version of the site although it isn’t clear what platform the retailer is currently using.

[…]

Source: Guns.Com Got Hacked

A Crash Course On Sniffing & Inserting commands into Bluetooth Low Energy

Bluetooth Low Energy (BLE) is everywhere these days. If you fire up a scanner on your phone and walk around the neighborhood, we’d be willing to bet you’d pick up dozens if not hundreds of devices. By extension, from fitness bands to light bulbs, it’s equally likely that you’re going to want to talk to some of these BLE gadgets at some point. But how?

Well, watching this three part video series from [Stuart Patterson] would be a good start. He covers how to get a cheap nRF52840 BLE dongle configured for sniffing, pulling the packets out of the air with Wireshark, and perhaps most crucially, how to duplicate the commands coming from a device’s companion application on the ESP32.

Testing out the sniffed commands.

The first video in the series is focused on getting a Windows box setup for BLE sniffing, so readers who aren’t currently living under Microsoft’s boot heel may want to skip ahead to the second installment. That’s where things really start heating up, as [Stuart] demonstrates how you can intercept commands being sent to the target device.

It’s worth noting that little attempt is made to actually decode what the commands mean. In this particular application, it’s enough to simply replay the commands using the ESP32’s BLE hardware, which is explained in the third video. Obviously this technique might not work on more advanced devices, but it should still give you a solid base to work from.

In the end, [Stuart] takes an LED lamp that could only be controlled with a smartphone application and turns it into something he can talk to on his own terms. Once the ESP32 can send commands to the lamp, it only takes a bit more code to spin up a web interface or REST API so you can control the device from your computer or other gadget on the network. While naturally the finer points will differ, this same overall workflow should allow you to get control of whatever BLE gizmo you’ve got your eye on.


Source: A Crash Course On Sniffing Bluetooth Low Energy | Hackaday
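As an added example (not code from [Stuart Patterson]’s series or from Hackaday), the script below does in Python what the second and third videos do by hand: it walks a sequence of sniffed L2CAP frames, pulls out the ATT Write Request/Command PDUs the companion app sent (handle plus value), and re-encodes them into the exact bytes a replaying device has to emit. The sample frames are constructed for the example, the lamp’s handle 0x000e and its 7-byte “set colour” payload are invented, and it assumes you have already exported the L2CAP payload of each packet from Wireshark; the nRF52840 radio side and the ESP32 radio side are out of scope.

```python
"""Pull ATT writes out of sniffed BLE L2CAP frames and re-encode them for replay.

Added example, not code from the Hackaday series. Assumes you have already
exported the L2CAP payload of each sniffed packet (Wireshark: Bluetooth L2CAP
Protocol layer) as raw bytes; link-layer framing and the radio are out of scope.
"""
import struct

L2CAP_CID_ATT = 0x0004  # fixed channel carrying ATT on LE links
ATT_WRITE_REQ = 0x12    # Write Request: peer must answer with Write Response (0x13)
ATT_WRITE_RSP = 0x13
ATT_WRITE_CMD = 0x52    # Write Command: fire-and-forget, typical for "set colour" traffic


def parse_l2cap(frame: bytes):
    """Split an L2CAP basic frame into (cid, payload); rejects truncated captures."""
    if len(frame) < 4:
        raise ValueError("L2CAP header needs 4 bytes")
    length, cid = struct.unpack_from("<HH", frame, 0)
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError(f"L2CAP says {length} payload bytes, got {len(payload)}")
    return cid, payload


def parse_att_write(pdu: bytes):
    """Return ('req'|'cmd', handle, value) for a Write Request/Command, else None."""
    if not pdu or pdu[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
        return None
    if len(pdu) < 3:
        raise ValueError("ATT write PDU is missing its 2-byte handle")
    (handle,) = struct.unpack_from("<H", pdu, 1)
    kind = "req" if pdu[0] == ATT_WRITE_REQ else "cmd"
    return kind, handle, bytes(pdu[3:])


def extract_writes(frames):
    """Walk frames in capture order and collect every write the app sent the device."""
    writes = []
    for frame in frames:
        cid, payload = parse_l2cap(frame)
        if cid != L2CAP_CID_ATT:
            continue  # signalling/SMP channels carry nothing we want to replay
        hit = parse_att_write(payload)
        if hit is not None:
            writes.append(hit)
    return writes


def encode_write(handle: int, value: bytes, with_response: bool = False) -> bytes:
    """Build the L2CAP frame a replaying device must emit to repeat one write."""
    if not 0 <= handle <= 0xFFFF:
        raise ValueError("ATT handle must fit in 16 bits")
    opcode = ATT_WRITE_REQ if with_response else ATT_WRITE_CMD
    pdu = struct.pack("<BH", opcode, handle) + bytes(value)
    return struct.pack("<HH", len(pdu), L2CAP_CID_ATT) + pdu


# Constructed sample capture (hypothetical lamp; handles and payload are invented):
SAMPLE_FRAMES = [
    bytes.fromhex("0700 0400 08 0100 ffff 0328"),       # Read By Type Request (discovery), ignored
    bytes.fromhex("0a00 0400 52 0e00 56ff000000f0aa"),  # Write Command, handle 0x000e: "set colour"
    bytes.fromhex("0500 0400 12 1000 0100"),            # Write Request, handle 0x0010: enable notifications
    bytes.fromhex("0100 0400 13"),                      # Write Response from the lamp, ignored
    bytes.fromhex("0200 0500 1200"),                    # LE signalling channel (CID 5), ignored
]


if __name__ == "__main__":
    for kind, handle, value in extract_writes(SAMPLE_FRAMES):
        print(f"{kind} handle=0x{handle:04x} value={value.hex()}")
        # Round-trip check: the re-encoded frame is byte-identical to what was sniffed.
        assert encode_write(handle, value, with_response=(kind == "req")) in SAMPLE_FRAMES
```

The (handle, value) pairs this produces are exactly what the ESP32 sketch needs: after connecting and discovering the service, write the value to the characteristic with that handle (or its UUID) with or without response, matching the opcode the app used. If the device changes behaviour after a reboot, compare a fresh capture against the stored pairs before assuming the protocol is stateless.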

Dutch ISPs and Webhoster TransIP hit by DDOS

Several internet companies repelled DDOS attacks on Monday night. Among them are at least three internet providers: Freedom Internet, Tweak and Kabelnoord.

Web hosting company TransIP also faced a DDOS attack targeting so-called name servers on Monday.

While averting this attack and resolving its consequences, the company was hit by a second, more violent attack on the entire infrastructure.

It is not clear whether there is any link between the attacks.

Source: Nederlandse internetbedrijven getroffen door DDOS aanvallen – Emerce

Cracking of Sky ECC app dealt major blow to organised crime

The cracking of the expensive messaging app, called “Sky ECC,” was what allowed over 1,500 police officers across Belgium to be simultaneously deployed in at least 200 raids, many of which were centred around Antwerp and involved special forces.

Investigators succeeded in cracking Sky ECC at the end of last year, according to reporting by De Standaard, and as a result were able to sort through thousands of messages major criminals were sending each other over the course of a month.

Information gained from those conversations is what led to Tuesday’s historic operation, two years in the making.

[…]

Sky ECC became popular with drug criminals after its successor Encrochat was cracked in 2020 by French and Dutch investigators, who were able to intercept over 100 million messages sent via the app.

That led to over a hundred suspects being arrested in the Netherlands, uncovering a network of laboratories where crystal meth and other drugs were being produced and allowing police to seize 8,000 kilos of cocaine and almost €20 million.

A number of investigations are also still currently underway in Belgium based on the information from that cracking. While it led to panic among major criminal operations in the Netherlands, there wasn’t much of a reaction at the time in the Belgian underworld.

“Almost everyone in Antwerp switched from Encrochat to Sky two years ago,” a source told the Gazet van Antwerpen in July last year, adding that major Antwerp criminals in Dubai also used Sky ECC.

The company, which calls itself “the world’s most secure messaging app,” had previously said “hacking is impossible.” It defended its services, stating they “strongly believe that privacy is a fundamental human right.”

[…]


Source: Cracking of Sky ECC app dealt major blow to organised crime

Hackers Looted Passenger Data From Some of the Biggest Airlines through Supplier SITA

SITA, a data firm that works with some of the world’s largest airlines, announced Thursday that it had been the victim of a “highly sophisticated cyberattack,” the likes of which compromised information on hundreds of thousands of airline passengers all over the world.

The attack, which occurred in February, targeted data stored on SITA’s Passenger Service System servers, which are responsible for storing information related to transactions between carriers and customers. One of the things SITA does is act as a mechanism for data exchange between different airlines—helping to ensure that passenger “benefits can be used across different carriers” in a systematized fashion.

Understanding what specific data the hackers accessed is, at this point, a little tough—though it would appear that some of it was frequent flier information shared with SITA by members of the Star Alliance, the world’s largest global airline alliance.

An airline alliance is basically an industry consortium, and Star’s membership is comprised of some of the world’s most prominent airlines—including United Airlines, Lufthansa, Air Canada, and 23 others. Of those members, a number have already stepped forward to announce breaches in connection with the attack—and SITA itself would appear to have acknowledged that the affected parties are connected to alliance memberships.

[…]

So far, it would appear that the nature of the breach is more wide than deep. That is, a lot of people seem to have been affected, though in most cases the data that was being shared with SITA does not seem that extensive. In the case of Singapore Airlines, for instance, upwards of 500,000 people had their data compromised, though the data did not include things like member itineraries, passwords, or credit card information. The airline has stated:

Around 580,000 KrisFlyer and PPS members have been affected by the breach of the SITA PSS servers. The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer.

[…]

Source: Hackers Looted Passenger Data From Some of the Biggest Airlines

The “Crazy Huge Hack” of Microsoft, Explained – it dwarfs SolarWinds

Last week, Microsoft announced that the on-premises version of its widely used email and calendaring product Exchange had several previously undisclosed security flaws. These flaws, the company said, were being used by foreign threat actors to hack into the networks of U.S. businesses and governments, primarily to steal large troves of email data. Since then, the big question on everybody’s mind has been: Just how bad is this?

The short answer is: It’s pretty bad

So far, hack descriptors such as “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of Exchange vulnerabilities, it is likely that tens of thousands of U.S.-based entities have had malicious backdoors implanted in their systems. Anonymous sources close to the Microsoft investigation have repeatedly told press outlets that somewhere around 30,000 American organizations have been compromised as a result of the security flaws (if correct, these numbers officially dwarf SolarWinds, which led to the compromise of about 18,000 entities domestically and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much larger. A source recently told Bloomberg that there are “at least 60,000 known victims globally.”

Even more problematically, some researchers have said that, since the public disclosure of the Exchange vulnerabilities, it would appear that attacks on the product have only accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an uptick in activity over the past week.

[…]

Microsoft Exchange Server comes in two formats, which has led to some confusion about what systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said to be unaffected by the security flaws. As previously stated, it is the on-premises products that are being exploited. Other Microsoft email products are not thought to be vulnerable. As CISA has said, “neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments.”

There are four vulnerabilities in on-premises Exchange Servers that are actively being exploited (see: here, here, here, and here). Three other security-associated vulnerabilities exist, but authorities say these have not seen active exploitation yet (see: here, here, and here.) Patches can be found at Microsoft’s website, though, as we’ll go over in more detail later, there have been some issues with proper deployment.

So far, Microsoft has primarily blamed a threat actor dubbed “HAFNIUM” for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group

[…]

security researchers say it is almost certain that other threat actors are also involved in the exploitation of the vulnerabilities.

[…]

“Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities,” said Red Canary researcher Katie Nickels on Saturday.

Who Is Getting Hit

Due to the widespread use of Exchange, many different types of entities are at risk. Some large organizations—including the European Banking Authority—have already announced breaches.

[…]

As noted above, Microsoft has issued patches for the vulnerabilities—but these patches have had some problems. On Thursday, a Microsoft spokesperson noted that, in certain cases, the patches would appear to work but wouldn’t actually fix the vulnerability. A full break-down of that issue can be found on Microsoft’s website.

Organizations have been warned that they should not only be patching vulnerabilities but should also be investigating whether they have already been compromised. Microsoft has announced resources to help with that. It issued an update to its Safety Scanner (MSERT) tool which can help identify whether web shells have been deployed against Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.

[…]


Source: The “Crazy Huge Hack” of Microsoft, Explained
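As an added illustration of the “check whether you were already compromised” step (this is not Microsoft’s MSERT and not code from the article), the script below walks a web root, hashes every file IIS would execute server-side, skips files whose SHA-256 is on a known-good allowlist, and flags the rest when they contain code-execution idioms typical of minimal ASP.NET web shells. The four heuristics, the directory layout, the file names and the sample contents are all constructed for the example; a real triage compares against the hashes of a clean install of the same Exchange build and against Microsoft’s published indicators, not against these patterns.

```python
"""Heuristic web shell sweep of an ASP.NET web root (added example, not MSERT)."""
import hashlib
import re
import tempfile
import time
from pathlib import Path

# File types IIS executes server-side. Assumption: these are the ones worth hashing.
EXECUTABLE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax"}

# Illustrative code-execution idioms (assumption; not a published signature set).
WEBSHELL_PATTERNS = [
    ("eval-of-request", re.compile(rb"\beval\s*\(\s*Request\b", re.I)),   # JScript one-liners
    ("process-start",   re.compile(rb"\bProcess\.Start\s*\(", re.I)),     # spawning a process
    ("shell-binary",    re.compile(rb"\b(cmd|powershell)\.exe\b", re.I)), # naming a shell
    ("assembly-load",   re.compile(rb"\bAssembly\.Load\s*\(", re.I)),     # in-memory .NET loading
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, allowlist=frozenset(), modified_since=None):
    """Return findings for executable files under root that look like web shells.

    allowlist      : SHA-256 hex digests of known-good files (skipped even if they match)
    modified_since : epoch seconds; older files are skipped (None = look at everything)
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        st = path.stat()
        if modified_since is not None and st.st_mtime < modified_since:
            continue
        digest = sha256_of(path)
        if digest in allowlist:
            continue
        data = path.read_bytes()
        hits = [name for name, rx in WEBSHELL_PATTERNS if rx.search(data)]
        if hits:
            findings.append({"path": str(path), "sha256": digest,
                             "mtime": st.st_mtime, "hits": hits})
    return findings


def build_sample_tree(root) -> None:
    """Write three constructed files: a benign page, a legitimate admin tool, a shell."""
    root = Path(root)
    (root / "owa" / "auth").mkdir(parents=True, exist_ok=True)
    (root / "ecp").mkdir(parents=True, exist_ok=True)
    # Benign login page: server controls but no code execution.
    (root / "owa" / "auth" / "logon.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body><form runat="server">\n'
        '<asp:Label runat="server" Text="Sign in" /></form></body></html>\n')
    # Legitimate-but-scary page that an admin deployed on purpose; goes on the allowlist.
    (root / "ecp" / "admin_tool.aspx").write_text(
        '<%@ Page Language="C#" %>\n<script runat="server">\n'
        'void Page_Load(object s, EventArgs e) {\n'
        '    System.Diagnostics.Process.Start("cmd.exe", "/c iisreset");\n}\n</script>\n')
    # Constructed minimal shell: evaluates whatever the request carries.
    (root / "owa" / "auth" / "help.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>')


def run_demo(use_allowlist: bool = True):
    """Build the sample tree in a temp dir, scan it, return [(file name, hits)]."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        allow = frozenset()
        if use_allowlist:
            allow = frozenset({sha256_of(Path(tmp) / "ecp" / "admin_tool.aspx")})
        findings = scan_tree(tmp, allowlist=allow, modified_since=time.time() - 86400)
        return [(Path(f["path"]).name, f["hits"]) for f in findings]


if __name__ == "__main__":
    for name, hits in run_demo():
        print(f"SUSPECT {name}: {', '.join(hits)}")
```

Two design points carry over to a real sweep: filter by file hash rather than by file name, because a shell dropped under a name that looks like a stock Exchange page is the common case, and keep the modification-time filter loose, since an intruder can reset timestamps. A hit is a lead for a forensic image and log review, not proof on its own.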

Hackers Target Surveillance Firm, Exposing Thousands of Live Camera Feeds at Tesla, Cloudflare, Hospitals, Jails, Police, etc etc etc in anti-surveillance ideology

A hacker group claims to have broken into the networks of cloud-based surveillance startup Verkada, gaining unfiltered access to thousands and thousands of live security camera feeds in the process.

The hack first gained public attention Tuesday afternoon, when a Twitter user who goes by the name “Tillie” began leaking purported images of the hack onto the internet: “ever wondered what a @Tesla warehouse looks like?” the hacker quipped, dangling a picture of what appears to be an industrial facility.

Tillie, who goes by the full name Tillie Kottmann and uses they/them pronouns, is allegedly part of an international hacker collective responsible for having breached Verkada, according to a report from Bloomberg. Once inside, the hackers were able to use the firm’s security feeds to peer into the internal workings of droves of organizations, including medical facilities, psychiatric hospitals, jails, schools and police departments, and even large companies like Tesla, Equinox and Cloudflare. The scope of the hack appears massive.

Among other things, Kottmann implied Tuesday that they could have used their access to Verkada to hack into the laptop of Cloudflare CEO Matthew Prince:

The hacker group has very noticeably courted public attention, calling the intrusion campaign “Operation Panopticon” and claiming they want to “end surveillance capitalism” by bringing attention to the ways in which ubiquitous surveillance dominates people’s lives.

[…]

According to Bloomberg, “Arson Cats” gained entry to the company via a pretty massive security blunder: The hackers discovered a password and username for a Verkada administrative account publicly exposed to the internet. In a Twitter message, Tillie reiterated this to Gizmodo, claiming that once they had compromised the administrator account (called a “super administrator”), they were able to hook into any of the 150,000 video feeds in Verkada’s library.

“The access we had allowed us to impersonate any user of the system and access their view of the platform,” said the hacker, further explaining that the “superadmin rights are also what granted us access to the root shell at the click of a button.”

[…]

Source: Hackers Target Surveillance Firm, Exposing Live Camera Feeds

Russian Cracker / Cybercrime Forums Hacked

In the latest in a string of “hits” on Russian dark web forums, the prominent crime site Maza appears to have been hacked by someone earlier this week.

This is kind of big news since Maza (previously called “Mazafaka”) has long been a destination for all assortment of criminal activity, including malware distribution, money laundering, carding (i.e., the selling of stolen credit card information), and lots of other bad behavior. The forum is considered “elite” and hard to join, and in the past, it has been a cesspool for some of the world’s most prolific cybercriminals.

Whoever hacked Maza netted thousands of data points about the site’s users, including usernames, email addresses, and hashed passwords, a new report from intelligence firm Flashpoint shows. Two warning messages were then scrawled across the forum’s home page: “Your data has been leaked” and “This forum has been hacked.”

KrebsOnSecurity reports that the intruder subsequently dumped the stolen data on the dark web, spurring fears among criminals that their identities might be exposed (oh, the irony). The validity of the data has been verified by threat intelligence firm Intel 471.

This hack comes shortly after similar attacks on two other Russian cybercrime forums, Verified and Exploit, that occurred earlier this year. It’s been noted that the successive targeting of such high-level forums is somewhat unusual.

[…]

Source: Hacker Forum Maza Hacked