[…]

The attack, dubbed TBONE, involves exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. An attacker can exploit these flaws to take full control of the infotainment system of a Tesla without any user interaction.

A hacker who exploits the vulnerabilities can perform any task that a regular user could from the infotainment system. That includes opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. However, the researchers explained, “This attack does not yield drive control of the car though.”

They showed how an attacker could use a drone to launch an attack via Wi-Fi to hack a parked car and open its doors from a distance of up to 100 meters (roughly 300 feet). They claimed the exploit worked against Tesla S, 3, X and Y models.

“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann said.

Tesla patched the vulnerabilities with an update pushed out in October 2020, and it has reportedly stopped using ConnMan. Intel was also informed since the company was the original developer of ConnMan, but the researchers said the chipmaker believed it was not its responsibility.

[…]

Source: Tesla Car Hacked Remotely From Drone via Zero-Click Exploit | SecurityWeek.Com

China is behind a newly discovered series of hacks against key targets in the U.S. government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday.

The hack works by breaking into Pulse Secure, a program that businesses often use to let workers remotely connect to their offices. The company announced Tuesday how users can check to see if they were affected but said the software update to prevent the risk to users won’t go out until May.

The campaign is the third distinct and severe cyberespionage operation against the U.S. made public in recent months, stressing an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies via SolarWinds, a Texas software company widely used by American businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all where scores of different hackers broke into organizations around the world through the Microsoft Exchange email program.

In all three campaigns, the hackers first used those programs to hack into victims’ computer networks, then created backdoors to spy on them for months, if not longer.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said in a warning Tuesday evening the latest hacking campaign is currently “affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations.”

[…]

Source: China behind another hack as U.S. cybersecurity issues mount

Passwordstate, the enterprise password manager offered by Australian software developer Click Studios, was hacked earlier this week, exposing the passwords of an undisclosed number of its clients for approximately 28 hours. The hack was carried out through an upgrade feature for the password manager and potentially harvested the passwords of those who carried out upgrades.

On Friday, Click Studios issued an incident management advisory about the hack. It explained that the initial vulnerability was related to its upgrade director—which points the in-place update to the appropriate version of the software on the company’s content distribution network—on its website. When customers performed in-place upgrades on Tuesday and Wednesday, they potentially downloaded a malicious file, titled “moserware.secretsplitter.dll,” from a download network not controlled by Click Studios.

Once the malicious file was loaded, it set off a process that extracted information about the computer system as well as data stored in Passwordstate, including URLs, usernames and passwords. The information was then posted to the hackers’ content distribution network.

According to the company, the vulnerability has been addressed and eliminated. Click Studios said that only customers who performed in-place updates between Tuesday, April 20 at 4:33 p.m. ET and Thursday, April 22 at 8:30 p.m. ET are believed to be affected. Customers who carried out manual upgrades of Passwordstate are not compromised.

[…]

Source: Passwordstate Hacked, Exposing Users’ Passwords for 28 Hours

I didn’t expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.

[…]

I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him

[…]

“Welcome to create an account if you want to mess with it, literally anyone can sign up,”

[…]

This also doesn’t rely on SS7 exploitation, where more sophisticated attackers tap into the telecom industry’s backbone to intercept messages on the fly. What Lucky225 did with Sakari is easier to pull off and requires less technical skill or knowledge. Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal. Except I never received the messages intended for me, but he did.

[…]

“I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info,” Lucky225 added, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers. (Cyber security company Okey Systems, where Lucky225 is Director of Information, has released a tool that companies and consumers can use to detect this attack and other types of phone number takeovers).

[…]

“Sakari is a business text messaging service that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns,” the company’s website reads.

For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A wide ecosystem of these companies exist, each advertising their own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too.

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

[…]

In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.

[…]

Source: A Hacker Got All My Texts for $16

[…]

A recent breach has prompted fears of another SolarWinds-style hack that could have ramifications for numerous large companies. Reuters reports that federal officials are investigating a hack at Codecov, a code testing firm with 29,000 customers that include Proctor & Gamble, the Washington Post and tech companies like Atlassian and GoDaddy. The intrusion appears to have lasted for months, putting clients at risk.

Codecov said that attackers exploited a flaw in a Docker image creation process to make “periodic, unauthorized” changes to the company’s Bash Uploader script starting on January 31st. The modifications gave the hackers power to export customer info and send it to an outside server. However, Codecov only learned of the incident on April 1st.

[…]

Source: US investigates code testing hack that could affect thousands of companies | Engadget

Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.

Source: Bash Uploader Security Update | Codecov

Australian security firm Azimuth has been identified as the experts who managed to crack a mass shooter’s iPhone that was at the center of an encryption standoff between the FBI and Apple.

Until this week it had largely been assumed that Israeli outfit Cellebrite was hired to forcibly unlock an encrypted iPhone 5C used by Syed Farook – who in 2015 shot and killed colleagues at a work event in San Bernardino, California, claiming inspiration from ISIS.

Efforts by law enforcement to unlock and pore over Farook’s phone were unsuccessful, leading to the FBI taking Apple to court to force it to crack its own software to reveal the device’s contents. The Feds got an order from a judge instructing Apple to effectively break its own security to give agents access to the locked and encrypted handset.

But Apple heavily and publicly resisted, leading to a legal showdown that resulted in increasing alarm in the technology industry. Before the courts were forced to resolve the issue of access to encrypted data, however, the FBI announced it had found a way into the phone and dropped the case.

It later emerged the Feds had paid $900,000 to get into the phone… which had nothing of value on it. That isn’t too surprising since it was Farook’s work phone, after all.

[…]

Source: Report: Aussie biz Azimuth cracked San Bernardino shooter’s iPhone, ending Apple-FBI privacy standoff • The Register

Webshop Allekabels has leaked private data and passwords of millions of Dutch people. It may be the largest password data breach in the Netherlands ever.

Allekabels’ stolen database, containing the private data of some 3.6 million people, was put up for sale on a hacker forum at the end of January for a sum of 15,000 euros. Audio and computer cables are available for purchase via Allekabels, as well as suspension brackets and antennas.

RTL Nieuws has viewed and verified the stolen data.

This totals some 2.6 million unique email addresses linked to names, home addresses, telephone numbers, dates of birth and encrypted passwords.

At least 109,000 IBAN numbers of Allekabels customers were also stolen and traded.

[…]

Source: Miljoenen wachtwoorden op straat door hack webshop Allekabels.nl – Emerce

Russia’s infamous APT 29, aka Cozy Bear, was behind the SolarWinds Orion attack, the US and UK governments said today as America slapped sanctions on Russian infosec companies as well as expelling diplomats from that country’s US embassy.

One of the sanctioned companies is Positive Technologies, familiar in the West for, among other things, in-depth research exposing vulnerabilities in Intel’s hardware security architecture.

Formal attribution of the SolarWind hacks, echoing tentative findings made by Kaspersky Lab, came in a US Treasury Department statement issued this afternoon.

The compromise saw Russian state intelligence operatives carefully compromise the build systems of SolarWinds’ network monitoring software Orion to distribute a backdoor into its 18,000 customers. Those customers included the UK and US governments, among many others

“The Russian Intelligence Services’ third arm, the SVR, is responsible for the 2020 exploit of the SolarWinds Orion platform and other information technology infrastructures. This intrusion compromised thousands of US government and private sector networks,” said the US Treasury.

The American attribution was echoed by the British government with Foreign Secretary Dominic Raab saying in a statement: “We see what Russia is doing to undermine our democracies. The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.”

The US Defence Department added: “Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse.”

The NCSC also said in a public statement that “the overall impact on the UK of the SVR’s exploitation of this software is low.” Government departments have refused to even talk about the impact of the Orion compromise despite it being in widespread use around Whitehall and further afield, lending credibility to the notion that UK.gov was more widely hit by the breach than it wants to admit.

[…]

Other sanctioned outfits included ERA Technopolis, aka Pasit; Neobit, an infosec firm which was also the alma mater for a Russian spy who sneaked into Microsoft back in 2010; the Russian state compsci research institution; and a Russian business called Advanced System Technology AO.

US persons are banned from doing business with any of the above.

Source: It was Russia wot did it: SolarWinds hack was done by Kremlin’s APT29 crew, say UK and US • The Register

The FBI deleted web shells installed by criminals on hundreds of Microsoft Exchange servers across the United States, it was revealed on Tuesday.

The Feds were given approval by the courts to carry out the deletions, which occurred without first warning the servers’ owners, following the discovery and exploitation of critical vulnerabilities in the enterprise software.

Shortly after Microsoft raised the alarm early last month over the security holes in Exchange and provided fixes for the vulnerabilities, miscreants swarmed to exploit the programming blunders and hijack unpatched installations. (Certain groups were even breaking in Exchange servers via the holes before their existence was public knowledge.)

The FBI found hundreds of such compromised deployments with backdoors installed by one cyber-gang in particular, leading to agents asking the courts to allow them to go in and delete the malicious code. The court approved the action and the document was unsealed this week, 30 days later.

“Although many infected system owners successfully removed the web shells from thousands of computers, others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the Justice Department noted in an announcement. “Today’s operation removed one early hacking group’s remaining web shells, which could have been used to maintain and escalate persistent, unauthorized access to US networks.”

The FBI deleted the shells by issuing a command through the web shell to the server “which was designed to cause the server to delete only the web shell (identified by its unique file path),” it said. Critically, however, the Feds did not touch the servers themselves and so they remain unpatched and open to infiltration.

[…]

Source: FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins • The Register

What I very much like about this is that they got a court order approving the behaviour before going out and doing it.

Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum.

To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.

What was leaked?

The leaked database contains a variety of user-related information from Clubhouse profiles, including:

• User ID
• Name
• Photo URL
• Username
• Twitter handle
• Instagram handle
• Number of followers
• Number of people followed by the user
• Account creation date
• Invited by user profile name

[…]

Source: Clubhouse Data Leak – 1.3M SQL Database Leaked Online | CyberNews

I am surprised they have this many users. Clubhouse has a massive PR department but isn’t really relevant…

It’s possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing there’s no solution for this issue.

This newly-discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can’t verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours.

Here’s where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp “verifies” this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account.

[…]

The attack is a proof-of-concept from a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, and was first reported by Forbes. The results are disturbing, but at the very least, this method can’t be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed.

[…]

Source: Your WhatsApp account can be suspended by anyone who has your phone number

We updated our personal data leak checker database with more than 780,000 email addresses associated with this leak. Use it to find out if your LinkedIn profile has been scraped by the threat actors.

Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn.

An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author.

The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.

To see if your email address has been exposed in this data leak or other security breaches, use our personal data leak checker with a library of 15+ billion breached records.

While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much-larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.

The author of the post claims that the data was scraped from LinkedIn. Our investigation team was able to confirm this by looking at the samples provided on the hacker forum. However, it’s unclear whether the threat actor is selling up-to-date LinkedIn profiles, or if the data has been taken or aggregated from a previous breach suffered by LinkedIn or other companies.

We asked LinkedIn if they could confirm that the leak was genuine, and whether they have alerted their users and clients, but we have received no reply from the company at the time of writing this report.

What was leaked?

Based on the samples we saw from the leaked files, they appear to contain a variety of mostly professional information from LinkedIn profiles, including:

• LinkedIn IDs
• Full names
• Email addresses
• Phone numbers
• Genders
• Links to LinkedIn profiles
• Links to other social media profiles
• Professional titles and other work-related data

[…]

Source: Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof | CyberNews

damnit, this happend in 2012 and 2016 too!

British clothes retailer Fatface has infuriated some customers by telling them “an unauthorised third party” gained access to systems holding their data earlier this year, and then asking them to keep news of the blunder to themselves.

Several people wrote into The Register to let us know about the personal data leak, with reader Terry saying: “You will notice the Fatface email is marked as confidential. This annoyed me.”

Chief exec Liz Evans wrote in an email titled “Strictly private and confidential – Notice of security incident” sent to users yesterday:

—–

Please do keep this email and the information included within it strictly private and confidential.

What happened?

On 17 January 2021, FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation… [and] determined that an unauthorised third party had gained access to certain systems operated by us during a limited period of time earlier the same month….

Some of your personal data may have been involved in the incident. This could include some or all of the below listed categories of information relating to you.

• First name and surname.
• Email address.
• Address details.
• Partial payment card information by way of the last 4 digits and expiry date.

Please rest assured that full payment card information was not compromised. We have been working with the relevant authorities and external security experts to ensure a comprehensive response to the incident. In addition, we have notified the Information Commissioner’s Office in the UK and other law enforcement authorities of this incident.

We have taken various additional steps to further strengthen the security of our systems. Please rest assured that our systems are secure, our website remains fully operational and FatFace is a safe place to shop, both in store (when we can reopen our shops) and online.

—-

Quite reasonably, customers quickly took to social media to ask where they could find “a public statement on your data breach,” why it had waited so long to inform customers, why the mail was marked “confidential” and whether it was genuine. All were directed to kindly “DM” the firm’s social media handler.

It also noted that it would be giving recipients “access to a complimentary Experian Identity Plus membership… purely out of an abundance of caution and not because we consider your data specifically to be at risk.”

It did not detail how many people had been affected. The firm has “200 stores across the UK and Ireland” – doing particularly well in seaside areas – and offers international shipping, although its website currently says this is unavailable.

[…]

Source: Clothes retailer Fatface: Someone’s broken in and accessed your personal data, including partial card payment details… Don’t tell anyone • The Register

I guess they don’t have to notify anyone now that the UK is out of the EU and doesn’t have to conform to GDPR rules…

Watch out, firearm lovers. The subtly-named guns.com, a place where Americans can go to pick out whatever stylish boomstick they like and have it shipped straight to their neck of the woods, seems to have a pretty awful data breach on its hands.

Back in January, a hacker temporarily disabled the company’s website, interfering with the site’s retail operations and forcing the weapons peddler to apologize to its confused customers for the whole debacle.

Guns.com has claimed that this attack was meant to prevent the “business from operating”—and that there is “no indication” of any attempt to steal data. However, this assessment may be wrong.

This week a large cache of files allegedly taken from the site appeared on the popular dark web site Raid Forums. In fact, an anonymous user offered Guns.com’s entire kit and caboodle—allegedly everything from troves of consumer and administrative data to the site’s stolen source code—free to all comers.

The data dump shows substantial gun buyer information, including user IDs, full names, email addresses, phone numbers, hashed passwords, and, most alarmingly, physical addresses—including city, state, and zip code information. The site data has been viewed by Gizmodo and it was originally reported on by Hackread.

The dump also seems to show access to information about many of the firearms providers that sell through the platform (the site acts as a location for sellers as much as for buyers), and Hackread reports that an excel file within the data tranche shows “sensitive login details of Guns.com including its administrator’s WordPress, MYSQL, and Cloud (Azure) credentials,” though it’s unclear if this is recent information. We also found back-end code for a Laravel-powered version of the site although it isn’t clear what platform the retailer is currently using.

[…]

Source: Guns.Com Got Hacked

Bluetooth Low Energy (BLE) is everywhere these days. If you fire up a scanner on your phone and walk around the neighborhood, we’d be willing to bet you’d pick up dozens if not hundreds of devices. By extension, from fitness bands to light bulbs, it’s equally likely that you’re going to want to talk to some of these BLE gadgets at some point. But how?

Well, watching this three part video series from [Stuart Patterson] would be a good start. He covers how to get a cheap nRF52480 BLE dongle configured for sniffing, pulling the packets out of the air with Wireshark, and perhaps most crucially, how to duplicate the commands coming from a device’s companion application on the ESP32.

The first video in the series is focused on getting a Windows box setup for BLE sniffing, so readers who aren’t currently living under Microsoft’s boot heel may want to skip ahead to the second installment. That’s where things really start heating up, as [Stuart] demonstrates how you can intercept commands being sent to the target device.

It’s worth noting that little attempt is made to actually decode what the commands mean. In this particular application, it’s enough to simply replay the commands using the ESP32’s BLE hardware, which is explained in the third video. Obviously this technique might not work on more advanced devices, but it should still give you a solid base to work from.

In the end, [Stuart] takes an LED lamp that could only be controlled with a smartphone application and turns it into something he can talk to on his own terms. Once the ESP32 can send commands to the lamp, it only takes a bit more code to spin up a web interface or REST API so you can control the device from your computer or other gadget on the network. While naturally the finer points will differ, this same overall workflow should allow you to get control of whatever BLE gizmo you’ve got your eye on.

 

Source: A Crash Course On Sniffing Bluetooth Low Energy | Hackaday

Several internet companies repelled DDOS attacks on Monday night. Among them are at least three Internet providers Freedom Internet, Tweak and Kabelnoord.

Web hosting company TransIP also faced a DDOS attack targeting so-called name servers on Monday.

While averting this attack and resolving its consequences, the company was hit by a second, more violent attack on the entire infrastructure.

It is not clear whether there is any link between the attacks.

Source: Nederlandse internetbedrijven getroffen door DDOS aanvallen – Emerce

The cracking of the expensive messaging app, called “Sky ECC,” was what allowed over 1,500 police officers across Belgium to be simultaneously deployed in at least 200 raids, many of which were centred around Antwerp and involved special forces.

Investigators succeeded in cracking Sky ECC at the end of last year, according to reporting by De Standaard, and as a result were able to sort through thousands of messages major criminals were sending each other over the course of a month.

Information gained from those conversations is what led to Tuesday’s historic operation, two years in the making.

[…]

Sky ECC became popular with drug criminals after its successor Encrochat was cracked in 2020 by French and Dutch investigators, who were able to intercept over 100 million messages sent via the app.

That led to over a hundred suspects being arrested in the Netherlands, uncovering a network of laboratories where crystal meth and other drugs were being produced and allowing police to seize 8,000 kilos of cocaine and almost €20 million.

A number of investigations are also still currently underway in Belgium based on the information from that cracking. While it led to panic among major criminal operations in the Netherlands, there wasn’t much of a reaction at the time in the Belgian underworld.

“Almost everyone in Antwerp switched from Encrochat to Sky two years ago,” a source told the Gazet van Antwerpen in July last year, adding that major Antwerp criminals in Dubai also used Sky ECC.

The company, which calls itself “the world’s most secure messaging app,” had previously said “hacking is impossible.” It defended its services, stating they “strongly believe that privacy is a fundamental human right.”

[…]

 

Source: Cracking of Sky CC app dealt major blow to organised crime

SITA, a data firm that works with some of the world’s largest airlines, announced Thursday that it had been the victim of a “highly sophisticated cyberattack,” the likes of which compromised information on hundreds of thousands of airline passengers all over the world.

The attack, which occurred in February, targeted data stored on SITA’s Passenger Service System servers, which are responsible for storing information related to transactions between carriers and customers. One of the things SITA does is act as a mechanism for data exchange between different airlines—helping to ensure that passenger “benefits can be used across different carriers” in a systematized fashion.

Understanding what specific data the hackers accessed is, at this point, a little tough—though it would appear that some of it was frequent flier information shared with SITA by members of the Star Alliance, the world’s largest global airline alliance.

An airline alliance is basically an industry consortium, and Star’s membership is comprised of some of the world’s most prominent airlines—including United Airlines, Lufthansa, Air Canada, and 23 others. Of those members, a number have already stepped forward to announce breaches in connection with the attack—and SITA itself would appear to have acknowledged that the affected parties are connected to alliance memberships.

[…]

So far, it would appear that the nature of the breach is more wide than deep. That is, a lot of people seem to have been affected, though in most cases the data that was being shared with SITA does not seem that extensive. In the case of Singapore Airlines, for instance, upwards of 500,000 people had their data compromised, though the data did not include things like member itineraries, passwords, or credit card information. The airline has stated:

Around 580,000 KrisFlyer and PPS members have been affected by the breach of the SITA PSS servers. The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer.

[…]

Source: Hackers Looted Passenger Data From Some of the Biggest Airlines

Last week, Microsoft announced that the on-premises version of its widely used email and calendaring product Exchange had several previously undisclosed security flaws. These flaws, the company said, were being used by foreign threat actors to hack into the networks of U.S. businesses and governments, primarily to steal large troves of email data. Since then, the big question on everybody’s mind has been: Just how bad is this?

The short answer is: It’s pretty bad

So far, hack descriptors such as “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of Exchange vulnerabilities, it is likely that tens of thousands of U.S.-based entities have had malicious backdoors implanted in their systems. Anonymous sources close to the Microsoft investigation have repeatedly told press outlets that somewhere around 30,000 American organizations have been compromised as a result of the security flaws (if correct, these numbers officially dwarf SolarWinds, which led to the compromise of about 18,000 entities domestically and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much larger. A source recently told Bloomberg that there are “at least 60,000 known victims globally.”

Even more problematically, some researchers have said that, since the public disclosure of the Exchange vulnerabilities, it would appear that attacks on the product have only accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an uptick in activity over the past week.

[…]

Microsoft Exchange Server comes in two formats, which has led to some confusion about what systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said to be unaffected by the security flaws. As previously stated, it is the on-premises products that are being exploited. Other Microsoft email products are not thought to be vulnerable. As CISA has said, “neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments.”

There are four vulnerabilities in on-premises Exchange Servers that are actively being exploited (see: here, here, here, and here). Three other security-associated vulnerabilities exist, but authorities say these have not seen active exploitation of these yet (see: here, here, and here.) Patches can be found at Microsoft’s website, though, as we’ll go over in more detail later, there have been some issues with proper deployment.

So far, Microsoft has primarily blamed a threat actor dubbed “HAFNIUM” for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group

[…]

security researchers say it is almost certain that other threat actors are also involved in the exploitation of the vulnerabilities. S

[…]

. “Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities,” said Red Canary researcher Katie Nickels on Saturday.

Who Is Getting Hit

Due to the widespread use of Exchange, many different types of entities are at-risk. Some large organizations—including the European Banking Authority—have already announced breaches.

[…]

As noted above, Microsoft has issued patches for the vulnerabilities—but these patches have had some problems. On Thursday, a Microsoft spokesperson noted that, in certain cases, the patches would appear to work but wouldn’t actually fix the vulnerability. A full break-down of that issue can be found on Microsoft’s website.

Organizations have been warned that they should not only be patching vulnerabilities but should also be investigating whether they have already been compromised. Microsoft has announced resources to help with that. It issued an update to its Safety Scanner (MSERT) tool which can help identify whether web shells have been deployed against Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.

[…]

 

Source: The “Crazy Huge Hack” of Microsoft, Explained

A hacker group claims to have broken into the networks of cloud-based surveillance startup Verkada, gaining unfiltered access to thousands and thousands of live security camera feeds in the process.

The hack first gained public attention Tuesday afternoon, when a Twitter user who goes by the name “Tillie” began leaking purported images of the hack onto the internet: “ever wondered what a @Tesla warehouse looks like?” the hacker quipped, dangling a picture of what appears to be an industrial facility.

Tillie, who goes by the full name Tillie Kottmann and uses they/them pronouns, is allegedly part of an international hacker collective responsible for having breached Verkada, according to a report from Bloomberg. Once inside, the hackers were able to use the firm’s security feeds to peer into the internal workings of droves of organizations, including medical facilities, psychiatric hospitals, jails, schools and police departments, and even large companies like Tesla, Equinox and Cloudflare. The scope of the hack appears massive.

Among other things, Kottmann implied Tuesday that they could have used their access to Verkada to hack into the laptop of Cloudflare CEO Matthew Prince:

The hacker group has very noticeably courted public attention, calling the intrusion campaign “Operation Panopticon” and claiming they want to “end surveillance capitalism” by bringing attention to the ways in which ubiquitous surveillance dominates people’s lives.

[…]

According to Bloomberg, “Arson Cats” gained entry to the company via a pretty massive security blunder: The hackers discovered a password and username for a Verkada administrative account publicly exposed to the internet. In a Twitter message, Tillie reiterated this to Gizmodo, claiming that once they had compromised the administrator account (called a “super administrator”), they were able to hook into any of the 150,000 video feeds in Verkada’s library.

“The access we had allowed us to impersonate any user of the system and access their view of the platform,” said the hacker, further explaining that the “superadmin rights are also what granted us access to the root shell at the click of a button.”

[…]

Source: Hackers Target Surveillance Firm, Exposing Live Camera Feeds

n the latest in a string of “hits” on Russian dark web forums, the prominent crime site Maza appears to have been hacked by someone earlier this week.

This is kind of big news since Maza (previously called “Mazafaka”) has long been a destination for all assortment of criminal activity, including malware distribution, money laundering, carding (i.e., the selling of stolen credit card information), and lots of other bad behavior. The forum is considered “elite” and hard to join, and in the past, it has been a cesspool for some of the world’s most prolific cybercriminals.

Whoever hacked Maza netted thousands of data points about the site’s users, including usernames, email addresses, and hashed passwords, a new report from intelligence firm Flashpoint shows. Two warning messages were then scrawled across the forum’s home page: “Your data has been leaked” and “This forum has been hacked.”

KrebsOnSecurity reports that the intruder subsequently dumped the stolen data on the dark web, spurring fears among criminals that their identities might be exposed (oh, the irony). The validity of the data has been verified by threat intelligence firm Intel 471.

This hack comes shortly after similar attacks on two other Russian cybercrime forums, Verified and Exploit, that occurred earlier this year. It’s been noted that the successive targeting of such high-level forums is somewhat unusual.

[…]

Source: Hacker Forum Maza Hacked

According to Sophos, the so-called search engine “deoptimization” method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google’s rankings.

[…]

In a blog post on Monday, the cybersecurity team said the technique, dubbed “Gootloader,” involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT) which also delivers a variety of other malware payloads.

The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers — 400, if not more — must be maintained at any given time for success.

[…]

Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which “subtle” modifications are made to “rewrite how the contents of the website are presented to certain visitors.”

“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” Sophos says.

If the attackers’ criteria aren’t met, the browser will display a seemingly-normal web page — that eventually dissolves into garbage text.

[…]

Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file.

The .js file executes, runs in memory, and obfuscated code is then decrypted to call other payloads.

According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.

“At several points, it’s possible for end-users to avoid the infection, if they recognize the signs,” the researchers say. “The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools.”

[…]

Source: Hackers exploit websites to give them excellent SEO before deploying malware | ZDNet

A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain.

The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018.

According to its website, the Spectre bug is a hardware design flaw in the architectures of Intel, AMD, and ARM processors that allows code running inside bad apps to break the isolation between different applications at the CPU level and then steal sensitive data from other apps running on the same system.

The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU.

Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security.

[…]

But today, Voisin said he discovered new Spectre exploits—one for Windows and one for Linux—different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.

Such behavior is clearly malicious; however, there is no evidence that the exploit was used in the wild, as it could have also been uploaded on VirusTotal by a penetration tester as well.

[…]

the most interesting part of Voisin’s discovery is in the last paragraph of his blog, where he hints that he may have discovered who may be behind this new Spectre exploit.

“Attribution is trivial and left as an exercise to the reader,” the French security researcher said in a mysterious ending.

But while Voisin did not want to name the exploit author, several people were not as shy. Security experts on both Twitter and news aggregation service HackerNews were quick to spot that the new Spectre exploit might be a module for CANVAS, a penetration testing tool developed by Immunity Inc.

[…]

Source: First Fully Weaponized Spectre Exploit Discovered Online | The Record by Recorded Future

When Twitter banned Donald Trump and a slew of other far-right users in January, many of them became digital refugees, migrating to sites like Parler and Gab to find a home that wouldn’t moderate their hate speech and disinformation. Days later, Parler was hacked, and then it was dropped by Amazon web hosting, knocking the site offline. Now Gab, which inherited some of Parler’s displaced users, has been badly hacked too. An enormous trove of its contents has been stolen—including what appears to be passwords and private communications.

On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls GabLeaks, a collection of more than 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says a hacktivist who self-identifies as “JaXpArO and My Little Anonymous Revival Project” siphoned that data out of Gab’s backend databases in an effort to expose the platform’s largely right-wing users. Those Gab patrons, whose numbers have swelled after Parler went offline, include large numbers of Qanon conspiracy theorists, white nationalists, and promoters of former president Donald Trump’s election-stealing conspiracies that resulted in the January 6 riot on Capitol Hill.

DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab’s public posts and profiles—with the exception of any photos or videos uploaded to the site—but also private group and private individual account posts and messages, as well as user passwords and group passwords. “It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content,” Best wrote in a text message interview with WIRED. “It’s another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6.”

DDoSecrets says it’s not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. WIRED viewed a sample of the data, and it does appear to contain Gab users’ individual and group profiles—their descriptions and privacy settings—public and private posts, and passwords. Gab CEO Andrew Torba acknowledged the breach in a brief statement Sunday.

Passwords for private groups are unencrypted, which Torba says the platform discloses to users when they create one. Individual user account passwords appear to be cryptographically hashed—a safeguard that may help prevent them from being compromised—but the level of security depends on the hashing scheme used and the strength of the underlying password.

[…]

According to DDoSecrets’ Best, the hacker says that they pulled out Gab’s data via a SQL injection vulnerability in the site—a common web bug in which a text field on a site doesn’t differentiate between a user’s input and commands in the site’s code, allowing a hacker to reach in and meddle with its backend SQL database.

[…]

Source: Far-Right Platform Gab Has Been Hacked—Including Private Data | WIRED

This is a comedy of bad security on the part of Gab.

Kia seems to be in quite a predicament. As we reported earlier today, the automaker’s online services appear to have been severed from the outside world, with customers unable to start their cars remotely via Kia’s apps or even log into the company’s financing website to pay their bills. All signs pointed to a potential cyberattack against Kia—ransomware most likely—and that’s exactly what a new report is claiming it is.A report by information security news site Bleeping Computer seems to solidify that theory, as the publication shared a screenshot of an alleged ransom note asking Kia for the hefty sum of $20,000,000 to decrypt its files.Screenshot: KiaThe infection is believed to be the work of a group called DoppelPaymer by Crowdstrike researchers in 2019. Such threat actors routinely hunt big game for large payouts, according to a security bulletin released by the FBI late last year. The note left behind mentions that the malware not only encrypted live data, but also the company’s backups, which more sophisticated attacks of this nature often do to prevent an easy restoration.To make matters worse, it also claims to have exfiltrated a large amount of data along with the hack which it says it will release within three weeks. It’s not clear what kind of data was exfiltrated by the attackers, however, the note claims that it was a “huge amount” of it, and the number of Kia’s online services that were affected does elude to the possibility of a broad net being cast into Kia’s network. In more simple terms, these alleged attackers stole a bunch of stuff out of Kia’s house and then locked the doors to some of the bedrooms inside. After reaching out to Kia multiple times, The Drive finally received an answer on the matter. A Kia spokesperson confirmed that Kia is “experiencing an extended systems outage,” though it does not mention the nature of the outage. It also downplays the ransomware attack allegations shared by Bleeping Computer.”Kia Motors America, Inc. is currently experiencing an extended systems outage,” a Kia spokesperson told The Drive via email. “Affected systems includetheKiaOwnersPortal, UVO Mobile Apps, and the Consumer Affairs Web portal. We apologize for any inconvenience to affected customers and are working to resolve the issue as quickly as possible with minimal interruption to our business.”The spokesperson added: “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”Having said that, the report on Bleeping Computer indicates detailed notes from these purported attackers. The attackers apparently used a Protonmail email address to communicate and display a web page on Tor, an encrypted peer-to-peer network that promotes anonymity, complete with an online chat function in case they need support to pay the ransom. At the time of this writing, the hackers were requesting 404.5412 Bitcoin, which equates to roughly $20.9 million. But the message also warns that as they take longer to pay, the fee goes up, ending in 600 Bitcoin ($31 million) should the automaker not pay up within nine days.Screenshots of the actual notes have been published by Bleeping Computer and can be viewed here. It’s also worth noting that DoppelPaymer is the same malware that was responsible for exfiltrating and encrypting data from Visser, a defense contractor and parts manufacturer for both Tesla and SpaceX, just last year.

Source: The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin