According to Sophos, the so-called search engine “deoptimization” method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google’s rankings.

[…]

In a blog post on Monday, the cybersecurity team said the technique, dubbed “Gootloader,” involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT) which also delivers a variety of other malware payloads.

The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers — 400, if not more — must be maintained at any given time for success.

[…]

Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which “subtle” modifications are made to “rewrite how the contents of the website are presented to certain visitors.”

“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” Sophos says.

If the attackers’ criteria aren’t met, the browser will display a seemingly-normal web page — that eventually dissolves into garbage text.

[…]

Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file.

The .js file executes, runs in memory, and obfuscated code is then decrypted to call other payloads.

According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.

“At several points, it’s possible for end-users to avoid the infection, if they recognize the signs,” the researchers say. “The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools.”

[…]

Source: Hackers exploit websites to give them excellent SEO before deploying malware | ZDNet

A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain.

The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018.

According to its website, the Spectre bug is a hardware design flaw in the architectures of Intel, AMD, and ARM processors that allows code running inside bad apps to break the isolation between different applications at the CPU level and then steal sensitive data from other apps running on the same system.

The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU.

Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security.

[…]

But today, Voisin said he discovered new Spectre exploits—one for Windows and one for Linux—different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.

Such behavior is clearly malicious; however, there is no evidence that the exploit was used in the wild, as it could have also been uploaded on VirusTotal by a penetration tester as well.

[…]

the most interesting part of Voisin’s discovery is in the last paragraph of his blog, where he hints that he may have discovered who may be behind this new Spectre exploit.

“Attribution is trivial and left as an exercise to the reader,” the French security researcher said in a mysterious ending.

But while Voisin did not want to name the exploit author, several people were not as shy. Security experts on both Twitter and news aggregation service HackerNews were quick to spot that the new Spectre exploit might be a module for CANVAS, a penetration testing tool developed by Immunity Inc.

[…]

Source: First Fully Weaponized Spectre Exploit Discovered Online | The Record by Recorded Future

When Twitter banned Donald Trump and a slew of other far-right users in January, many of them became digital refugees, migrating to sites like Parler and Gab to find a home that wouldn’t moderate their hate speech and disinformation. Days later, Parler was hacked, and then it was dropped by Amazon web hosting, knocking the site offline. Now Gab, which inherited some of Parler’s displaced users, has been badly hacked too. An enormous trove of its contents has been stolen—including what appears to be passwords and private communications.

On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls GabLeaks, a collection of more than 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says a hacktivist who self-identifies as “JaXpArO and My Little Anonymous Revival Project” siphoned that data out of Gab’s backend databases in an effort to expose the platform’s largely right-wing users. Those Gab patrons, whose numbers have swelled after Parler went offline, include large numbers of Qanon conspiracy theorists, white nationalists, and promoters of former president Donald Trump’s election-stealing conspiracies that resulted in the January 6 riot on Capitol Hill.

DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab’s public posts and profiles—with the exception of any photos or videos uploaded to the site—but also private group and private individual account posts and messages, as well as user passwords and group passwords. “It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content,” Best wrote in a text message interview with WIRED. “It’s another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6.”

DDoSecrets says it’s not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. WIRED viewed a sample of the data, and it does appear to contain Gab users’ individual and group profiles—their descriptions and privacy settings—public and private posts, and passwords. Gab CEO Andrew Torba acknowledged the breach in a brief statement Sunday.

Passwords for private groups are unencrypted, which Torba says the platform discloses to users when they create one. Individual user account passwords appear to be cryptographically hashed—a safeguard that may help prevent them from being compromised—but the level of security depends on the hashing scheme used and the strength of the underlying password.

[…]

According to DDoSecrets’ Best, the hacker says that they pulled out Gab’s data via a SQL injection vulnerability in the site—a common web bug in which a text field on a site doesn’t differentiate between a user’s input and commands in the site’s code, allowing a hacker to reach in and meddle with its backend SQL database.

[…]

Source: Far-Right Platform Gab Has Been Hacked—Including Private Data | WIRED

This is a comedy of bad security on the part of Gab.

Kia seems to be in quite a predicament. As we reported earlier today, the automaker’s online services appear to have been severed from the outside world, with customers unable to start their cars remotely via Kia’s apps or even log into the company’s financing website to pay their bills. All signs pointed to a potential cyberattack against Kia—ransomware most likely—and that’s exactly what a new report is claiming it is.A report by information security news site Bleeping Computer seems to solidify that theory, as the publication shared a screenshot of an alleged ransom note asking Kia for the hefty sum of $20,000,000 to decrypt its files.Screenshot: KiaThe infection is believed to be the work of a group called DoppelPaymer by Crowdstrike researchers in 2019. Such threat actors routinely hunt big game for large payouts, according to a security bulletin released by the FBI late last year. The note left behind mentions that the malware not only encrypted live data, but also the company’s backups, which more sophisticated attacks of this nature often do to prevent an easy restoration.To make matters worse, it also claims to have exfiltrated a large amount of data along with the hack which it says it will release within three weeks. It’s not clear what kind of data was exfiltrated by the attackers, however, the note claims that it was a “huge amount” of it, and the number of Kia’s online services that were affected does elude to the possibility of a broad net being cast into Kia’s network. In more simple terms, these alleged attackers stole a bunch of stuff out of Kia’s house and then locked the doors to some of the bedrooms inside. After reaching out to Kia multiple times, The Drive finally received an answer on the matter. A Kia spokesperson confirmed that Kia is “experiencing an extended systems outage,” though it does not mention the nature of the outage. It also downplays the ransomware attack allegations shared by Bleeping Computer.”Kia Motors America, Inc. is currently experiencing an extended systems outage,” a Kia spokesperson told The Drive via email. “Affected systems includetheKiaOwnersPortal, UVO Mobile Apps, and the Consumer Affairs Web portal. We apologize for any inconvenience to affected customers and are working to resolve the issue as quickly as possible with minimal interruption to our business.”The spokesperson added: “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”Having said that, the report on Bleeping Computer indicates detailed notes from these purported attackers. The attackers apparently used a Protonmail email address to communicate and display a web page on Tor, an encrypted peer-to-peer network that promotes anonymity, complete with an online chat function in case they need support to pay the ransom. At the time of this writing, the hackers were requesting 404.5412 Bitcoin, which equates to roughly $20.9 million. But the message also warns that as they take longer to pay, the fee goes up, ending in 600 Bitcoin ($31 million) should the automaker not pay up within nine days.Screenshots of the actual notes have been published by Bleeping Computer and can be viewed here. It’s also worth noting that DoppelPaymer is the same malware that was responsible for exfiltrating and encrypting data from Visser, a defense contractor and parts manufacturer for both Tesla and SpaceX, just last year.

Source: The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin

In 2010, the U.S. Department of Defense found thousands of its computer servers sending military network data to China—the result of code hidden in chips that handled the machines’ startup process.

In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site.

And in 2015, the Federal Bureau of Investigation warned multiple companies that Chinese operatives had concealed an extra chip loaded with backdoor code in one manufacturer’s servers.

Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait; U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities.

[…]

Around early 2010, a Pentagon security team noticed unusual behavior in Supermicro servers in its unclassified networks.

Implant in the Startup Process

The machines turned out to be loaded with unauthorized instructions directing each one to secretly copy data about itself and its network and send that information to China, according to six former senior officials who described a confidential probe of the incident. The Pentagon found the implant in thousands of servers, one official said; another described it as “ubiquitous.”

Investigators attributed the rogue code to China’s intelligence agencies, the officials said. A former senior Pentagon official said there was “no ambiguity” in that attribution.

[…]

As military experts investigated the Pentagon breach, they determined that the malicious instructions guiding the Pentagon’s servers were hidden in the machines’ basic input-output system, or BIOS, part of any computer that tells it what to do at startup.

Two people with direct knowledge said the manipulation combined two pieces of code: The first was embedded in instructions that manage the order of the startup and can’t be easily erased or updated. That code fetched additional instructions that were tucked into the BIOS chip’s unused memory, where they were unlikely to be found even by security-conscious customers. When the server was turned on, the implant would load into the machine’s main memory, where it kept sending out data periodically.

Manufacturers like Supermicro typically license most of their BIOS code from third parties. But government experts determined that part of the implant resided in code customized by workers associated with Supermicro, according to six former U.S. officials briefed on the findings.

[…]

By 2014, investigators across the U.S. government were looking for any additional forms of manipulation—anything they might have missed, as one former Pentagon official put it. Within months, working with information provided by American intelligence agencies, the FBI found another type of altered equipment: malicious chips added to Supermicro motherboards.

Warnings Delivered

Government experts regarded the use of these devices as a significant advance in China’s hardware-hacking capabilities, according to seven former American officials who were briefed about them between 2014 and 2017. The chips injected only small amounts of code into the machines, opening a door for attackers, the officials said.

Small batches of motherboards with the added chips were detected over time, and many Supermicro products didn’t include them, two of the officials said.

[…]

“The agents said it was not a one-off case; they said this was impacting thousands of servers,” Kumar said of his own discussion with FBI agents.

It remains unclear how many companies were affected by the added-chip attack. Bloomberg’s 2018 story cited one official who put the number at almost 30, but no customer has acknowledged finding malicious chips on Supermicro motherboards.

Several executives who received warnings said the information contained too few details about how to find any rogue chips. Two former senior officials said technical details were kept classified.

[…]

“This wasn’t a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device,” Quinn said, recalling details provided by Air Force officials. The chip “was blended into the trace on a multilayered board,” he said.

“The attackers knew how that board was designed so it would pass” quality assurance tests, Quinn said.

[…]

Corporate investigators uncovered yet another way that Chinese hackers were exploiting Supermicro products. In 2014, executives at Intel traced a security breach in their network to a seemingly routine firmware update downloaded from Supermicro’s website.

[…]

A contact in the U.S. intelligence community alerted the company to the breach, according to a person familiar with the matter. The tip helped Intel investigators determine that the attackers were from a state-sponsored group known as APT 17.

APT 17 specializes in complex supply-chain attacks, and it often hits multiple targets to reach its intended victims, according to cybersecurity firms including Symantec and FireEye. In 2012, the group hacked the cybersecurity firm Bit9 in order to get to defense contractors protected by Bit9’s products.

Intel’s investigators found that a Supermicro server began communicating with APT 17 shortly after receiving a firmware patch from an update website that Supermicro had set up for customers. The firmware itself hadn’t been tampered with; the malware arrived as part of a ZIP file downloaded directly from the site, according to accounts of Intel’s presentation.

[…]

Breaches involving Supermicro’s update site continued after the Intel episode, according to two consultants who participated in corporate investigations and asked not to be named.

In incidents at two non-U.S. companies, one in 2015 and the other in 2018, attackers infected a single Supermicro server through the update site, according to a person who consulted on both cases. The companies were involved in the steel industry, according to the person, who declined to identify them, citing non-disclosure agreements. The chief suspect in the intrusions was China, the person said.

In 2018, a major U.S. contract manufacturer found malicious code in a BIOS update from the Supermicro site, according to a consultant who participated in that probe. The consultant declined to share the manufacturer’s name. Bloomberg reviewed portions of a report on the investigation.

It’s unclear whether the three companies informed Supermicro about their issues with the update site, and Supermicro didn’t respond to questions about them.

[…]

Source: Supermicro Hack: How China Exploited a U.S. Tech Supplier Over Years

The phone numbers (and corresponding site IDs) of some 500 million Facebook users now appear to be for sale on a dark web cybercrime forum.

The criminal or group of criminals responsible have constructed a Telegram bot to act as a search function for the data. Potential buyers can now use the bot to sift through the data to find phone numbers that correspond to user IDs—or vice versa—with the full information being unlocked after paying for query “credits.” Those credits start at $20 for a single search and get cheaper if bought in bulk.

The activity was discovered by Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, who posted about the scheme on his Twitter account, and reported by Joseph Cox, at Motherboard.

An insecure Facebook server containing account information on millions of users appears to be the source of the data for sale here—though that vulnerability was discovered by researchers in 2019 and Facebook has since fixed it. Gal has claimed that the vulnerability was exploited to create “a database containing the information 533m users across all countries.” (For reasons unknown, the bot itself only claims to sell information for users in 19 countries.)

Source: A Telegram Bot Is Selling Stolen Facebook User Info for $20 a Pop

Yay centralised databases

A London ad agency that counts Atlantic Records, Suzuki, and Penguin Random House among its clients has had its files dumped online by a ransomware gang, The Register can reveal.

The7stars, based in London’s West End, filed [PDF] revenues of £379.36m up from £326m, gross billing of £426m and net profit of £2.1m for the year ended 31 March 2020.

In the same accounts filed with UK register Companies House, it boasted of its position as the “largest independently owned media agency in the UK by a significant factor”, making it a juicy target for the Clop ransomware extortionists.

The attack appears to have happened after 15 December, when The7stars’ annual return was prepared for filing with Companies House. While the document talks in length about its healthy financial performance, it mentions nothing about cyber risks or attacks.

Screenshots published on the Clop gang’s Tor website show scans of passports, invoices, what appears to be a photo from a staff party and, ironically, a “data protection agreement.”

Publication of stolen files on a ransomware crew’s website is typically an indicator that a ransom demand has been rebuffed, though more aggressive tactics seen in the last year include pre-emptive leaking of stolen data as an apparent incentive for marks to pay up quickly.

The agency’s client list includes Led Zeppelin’s former label Atlantic Records, Japanese motorbike maker Suzuki, and British train operating companies including Great Western Railway, among others. It is very unlikely that those companies will have been directly affected, though it appears Clop wants to give the impression that it has stolen commercially sensitive documents relating to The7stars’ clients.

[…]

Source: Clop ransomware gang clips sensitive files from Atlantic Records’ London ad agency The7stars, dumps them online • The Register

Millions of users of the dating site MeetMindful got some unpleasant news on Sunday. ZDNet reported that the hacker group ShinyHunters, the same group who leaked millions of user records for the company that listed the “Camp Auschwitz” shirts, has dumped what appears to be data from the dating site’s user database. The leak purportedly contains the sensitive information of more than 2.28 million of the site’s registered users.

[…]

According to ZDNet, the 1.2 gigabyte file was shared as a free download “on a publicly accessible hacking forum known for its trade in hacked databases.” It included troves of sensitive and identifiable user information, including real names, email addresses, city, state, and ZIP code details, birth dates, IP addresses, Facebook user IDs, and Facebook authentication tokens, among others. Messages, however, were not exposed.

[…]

According to its Crunchbase profile, MeetMindful is a dating site platform for “people who are into health, well-being, and mindfulness.” It was founded in 2013, is based in Denver, Colorado, and is still active.

Here’s where it starts to get a little strange, though. The site’s listed social media channels have been inactive for months, which is interesting considering that major dating apps have been growing during the pandemic. I mean, don’t they want to encourage their users to date (safely)? From the outside, the service seems like dead zone. Who knows though, it could be all the rage inside the site itself.

[…]

Source: Report: Hackers Leak Data of 2.28 Million MeetMindful Users

A shipment of laptops supplied to British schoolkids by the Department for Education to help them learn under lockdown came preloaded with malware, The Register can reveal.

The affected laptops, supplied to schools under the government’s Get Help With Technology (GHWT) scheme, which started last year, came bundled with the Gamarue malware – an old remote access worm from the 2010s.

The Register understands that a batch of 23,000 computers, the GeoBook 1E running Windows 10, made by Shenzhen-headquartered Tactus Group, contained the units that were loaded with malware. A spokesperson for the manufacturer was not available for comment.

These devices have shipped over the past three to four weeks, though it is unclear how many of them are infected. It is believed the devices were imaged as they left the factory.

One source at a school told The Register that the machines in question seemed to have been manufactured in late 2019 and appeared to have been loaded with their DfE-specified software last year.

[…]

People familiar with the GHWT rollout told The Register that not all the machines in the batch phoned home, however.

The GeoBook 1Es are intended for use by schoolchildren isolating at home during the pandemic as well as in schools themselves.

The Reg understands that 77,000 GEO units have shipped so far under GHWT, with several thousand left to ship.

[…]

Sources told us reseller XMA sourced the kit but was not asked to configure it. It was among three resellers supplying the GHWT contract. Computacenter initially bagged an £87m contract to supply GHWT last year and was joined by IT resellers SCC UK and XMA later that year. XMA inked a 12-month contract worth £5.7m covering 26,449 devices, in October 2020. The £2.1m SCC deal, also inked that month, covers another 10,000 devices.

[…]

“When first run, W32/Gamarue-BJ connects to a C2 site to download updates and further instructions,” said Sophos.

The malware, well known to antivirus vendors since its inception in 2011, was also distributed in the mid-2010s by the Andromeda botnet. That was KO’d by an international coalition in 2017.

[…]

Source: Laptops given to British schoolkids came preloaded with malware and talked to Russia when booted • The Register

NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to passenger data from the airline industry.

In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020. Our threat intelligence analysts noticed clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests.

In open source this actor is referred to as Chimera by CyCraft.

NCC Group and Fox-IT have seen this actor remain undetected, their dwell time, for up to three years. As such, if you were a victim, they might still be active in your network looking for your most recent crown jewels.

We contained and eradicated the threat from our client’s networks during incident response whilst our Managed Detection and Response (MDR) clients automatically received detection logic.

With this publication, NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set.

[…]

Source: Abusing cloud services to fly under the radar – Fox-IT International blog

An in depth analysis follows.

This is the kind of information that the Chinese government uses to find and kill foreign intelligence agents.

Hackers are exploiting a strange bug that lets a simple text string ‘corrupt’ your Windows 10 or Windows XP computer’s hard drive if you extract a ZIP file, open a specific folder, or even click on a Windows shortcut. The hacker adds the text string to a folder’s location, and the moment you open it, bam—hard drive issues.

Or so you might assume when you see a “restart to repair hard drive errors” warning appear in Windows 10. Odds are good that your data is actually fine, but you’ll still have to run chkdsk to be sure.

The bug was first discovered and disclosed by security researcher Jonas L, then Will Doorman of the CERT Coordination Center confirmed those findings. According to Doorman, the flaw is one of many similar issues in Windows 10 that have gone unaddressed for years. Worse, there are more ways to execute the attack beyond just opening a folder.

According to tests by Bleeping Computer, it appears the text string is effective even if a shortcut icon simply points to a location with the corrupting text. You don’t have to click on or open the file, either; just having it visible on your desktop is enough to execute the attack. The text string also works in ZIP files, HTML files, and URLs.

Microsoft is investigating the issue, but there’s no telling if or when a fix could show up. As a company spokesperson told The Verge:

“We are aware of this issue and will provide an update in a future release. The use of this technique relies on social engineering and as always we encourage our customers to practice good computing habits online, including exercising caution when opening unknown files, or accepting file transfers.”

In the meantime, don’t click on suspicious links or open unknown files. That said, this is an unusual bug that can be exploited in numerous ways, and it’s possible the text string could pop up in unexpected places.

Source: Beware This Text String That Can Crash Windows and ‘Corrupt’ Your Drive

n an update and white paper [PDF] released on Tuesday, FireEye warned that the hackers – which intelligence services and computer security outfits have concluded were state-sponsored Russians – had specifically targeted two groups of people: those with access to high-level information, and sysadmins.

But the targeting of those accounts will be difficult to detect, FireEye warned, because of the way they did it: forging the digital certificates and tokens used for authentication to look around networks without drawing much or any attention.

[…]

the paper gives a detailed rundown for how to search logs and what to look for to see if an account has been compromised, complete with step-by-step instructions for how to cut access and provide additional protection in future.

“When a credential that has been added to an application is used to login to Microsoft 365, it is recorded differently than an interactive user sign-in,” the paper notes. “In the Azure Portal these logins can be viewed by navigating to Sign-Ins under the Azure Active Directory blade and then clicking the service principal Sign-ins tab… Note that currently these sign-ins are not recorded in the Unified Audit Log.”

As for mitigation measures, FireEye suggests broadly: a review of all sysadmin accounts in particular to see if there are any “that have been configured or added to a specific service principal” and remove them, and then search for suspicious application credentials and remove them too.

Search and destroy

The biz has also released a free tool on GitHub it’s calling the Azure AD Investigator that will warn organizations if there are signs their networks were compromised via SolarWinds’ backdoored Orion software: there were an estimated 18,000 organizations potentially infected, SolarWinds warned last month; many of them government departments and Fortune 500 companies.

[…]

The report outlined the four “primary techniques” used by the hackers:

1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users. This bypassed various authentication requirements.
2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This essentially created a backdoor on the network.
3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator. This is the targeting of sysadmins.
4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.

[…]

 

Source: FireEye publishes details of SolarWinds hacking techniques, gives out free tool to detect signs of intrusion • The Register

While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

[…]

As the US Cybersecurity and Infrastructure Security Agency (CISA) stated, the adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials.

In 2019, a security researcher exposed a flaw with Azure Active Directory where one could escalate privileges by assigning credentials to applications. In September 2019, he found that the vulnerability still existed and essentially lead to backdoor access to principals’ credentials into Microsoft Graph and Azure AD Graph.

Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant. A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials. In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.

For many organizations, securing Azure tenants may be a challenging task, especially when dealing with third-party applications or resellers. CrowdStrike has released a tool to help companies identify and mitigate risks in Azure Active Directory.

Source: Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments – Malwarebytes Labs | Malwarebytes Labs

Networking vendor Ubiquiti has written to its customers to advise them of a possible leak of their personal information.

“We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider,” the email opens, before adding: “We have no indication that there has been unauthorized activity with respect to any user’s account.”

But the mail, seen by The Reg and sent out within the past few hours, also says Ubiquiti “cannot be certain that user data has not been exposed,” and admits that if the unauthorized actors did get in, they’ll have been able to access users’ “name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted).”

Customers who stored their physical address and phone number in their account were advised that data may also have been accessed.

“As a precaution, we encourage you to change your password,” the mail states, adding that two-factor authentication is a very fine idea that customers should enable ASAP on their online accounts if it’s not already employed. A warning about password re-use across multiple sites is also offered.

[…]

Source: Ubiquiti iniquity: Wi-Fi box slinger warns hackers may have peeked at customers’ personal information • The Register

Maybe now these guys will start taking security seriously. The last I looked you could get to the admin password just by telnetting into the boxes password free.

Our laser-based injection attack Light Commands shows how microphones can respond to light as if it was sound. By simply modulating the amplitude of laser light, we can inject fully inaudible and invisible commands into microphones of smart speakers, phones, and tablets, across large distances and through glass windows.

In this talk, we will show:

1. How Light Commands works by exploiting a physical vulnerability of MEMS microphones,
2. How it’s possible to remotely inject and execute unauthorized commands on Alexa, Portal, Google, and Siri voice assistants
3. How the ecosystem of devices connected to these voice assistants, such as smart-locks, home switches, and even cars, fail under common security vulnerabilities (e.g. PIN bruteforcing) that make the attack more dangerous

Source: Light Commands: Hacking Voice Assistants with Lasers – Black Hat Europe 2020 | Briefings Schedule

Late last year, it was discovered that yet another set of IoT devices were being turned against their owners by malicious people. It would be a stretch to call these losers “hackers,” considering all they did was utilize credentials harvested from multiple security breaches to take control of poorly secured cameras made by Ring.

Password reuse is common and these trolls made the most of it. Streaming their exploits to paying users, the perpetrators shouted racist abuse at homeowners, talked to/taunted their children, and interrupted their sleep by blaring loud noises through the cameras’ mics.

This string of events landed Ring in court. Ring claims this isn’t the company’s fault since the credentials weren’t obtained from Ring itself. But Ring’s lax security standards allowed users to bypass two-factor authentication and, until recently, didn’t warn users of unrecognized login attempts or lock their accounts after a certain number of login failures.

There’s another insidious twist to this new form of online/offline abuse. And it’s caught the attention of the feds. The FBI says these cameras are now being combined with swatting to inflict additional misery on camera owners.

Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks. To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.

They then call emergency services to report a crime at the victims’ residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.

Combining two things people hate into one dangerous blend is someone’s idea of a good time. Two recent incidents involving hacked devices and swatting fortunately ended without anyone being killed by law enforcement.

One Florida woman was called by a “hacker” and told to go outside and see if the local SWAT team was there. She was met by police shortly afterwards who told her they’d received a call she’d been murdered by her husband. No raid happened but officers were showered with insults and obscenities by “hackers” via the compromised Ring doorbell/camera for failing to provide the entertainment the online assholes were seeking.

A similar incident happened in Virginia, with the “hacker” taunting both the family and officers as they investigated a fake suicide call.

Through the family’s four Ring cameras, a hacker screamed, “Help me!” as officers checked inside the home to make sure everyone was safe.

Back outside, the officers realized the intermittent screaming was coming from the home’s Ring cameras.

A man started talking to the officers through the cameras, saying he hacked the homeowner’s accounts and faked the 911 call.

[…]

Officer: “What is it that you need from us?”

Hacker: “Oh nothing, we were just [messing] around, after this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff].”

Chesapeake Police officers covered up the cameras and asked who was screaming. The hacker told officers it was him yelling for help, claiming he livestreamed the Ring cameras when officers arrived and charged people five dollars each to watch online.

So, that’s where we’re at, hellscape-wise. A nation full of devices that can be taken over by anyone with the right credentials and turned into entertainment for sociopaths. Of course, being better about locking down IoT devices won’t stop these same sociopaths from weaponizing local law enforcement agencies. Choosing a strong, unique password isn’t going to keep assholes from swatting people. It’s only going to deprive them of their ability to witness the potentially deadly results of their actions.

Source: FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That’s The Hell We Now Live In | Techdirt

The hackers who carried out a sophisticated cyberattack on US government agencies and on private companies were able to access Microsoft’s source code, the company said Thursday.

A Microsoft investigation turned up “unusual activity with a small number of internal accounts” and also revealed that “one account had been used to view source code in a number of source code repositories,” the company said in a blog post. Microsoft said that the account didn’t have the ability to modify code and that no company services or customer data was put at risk.

[…]

Source: Microsoft says SolarWinds hackers viewed source code – CNET

T-Mobile has announced a data breach exposing customers’ proprietary network information (CPNI), including phone numbers and call records.

Starting yesterday, T-Mobile began texting customers that a “security incident” exposed their account’s information.

According to T-Mobile, its security team recently discovered “malicious, unauthorized access” to their systems. After bringing in a cybersecurity firm to perform an investigation, T-Mobile found that threat actors gained access to the telecommunications information generated by customers, known as CPNI.

The information exposed in this breach includes phone numbers, call records, and the number of lines on an account.

“Customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC) rules was accessed. The CPNI accessed may have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service,” T-Mobile stated in a data breach notification.

T-Mobile states that the data breach did not expose account holders’ names, physical addresses, email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

In a statement to BleepingComputer, T-Mobile stated that this breach affected a “small number of customers (less than 0.2%).”  T-Mobile has approximately 100 million customers, which equates to around 200,000 people affected by this breach.

[…]

Source: T-Mobile data breach exposed phone numbers, call records

Ticketmaster and its parent company, Live Nation, have agreed to pay out $10 million dollars to a competitor after admitting to hiring a former employee to hack into the rival company’s computer network.

According to a statement issued by the Justice Department on Wednesday, the five criminal counts facing Ticketmaster stemmed from a plot to infiltrate the computer system of ticket-seller rival CrowdSurge in a self-described attempt to “cut [the company] off at the knees.”

“Ticketmaster employees repeatedly — and illegally — accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” acting US attorney Seth DuCharme said in the statement. “Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers.”

The hacking plot was first reported in 2017, shortly after CrowdSurge filed an antitrust lawsuit against Live Nation. At some point prior to that filing, Live Nation had apparently recruited an employee named Stephen Mead, whom the company had poached from CrowdSurge in 2013, to turn on his former employer, offering data analytics and insider secrets to top executives in an attempt to hobble the competitor.

Mead’s knowledge of his former employer’s passwords was so extensive that it enabled him to log in to the company’s backend during a 2014 Live Nation summit, where he reportedly offered executives a “product review” of CrowdSurge’s operations and led a demonstration of the smaller company’s internal systems.

In a statement to The Verge, a Ticketmaster spokesperson said that the company was satisfied with the terms of the settlement, and stressed that both Mead and Zeeshan Zaidi — Ticketmaster’s former general manager of artist services — had both been terminated as a result of an investigation into the wrongdoing.

Source: Ticketmaster To Pay $10 million After Illegally Hacking Rival’s System

A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit.

The attack, discovered by security firm ESET and detailed in a report named “Operation SignSight,” targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents.

Any Vietnamese citizen, private company, and even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate.

The VGCA doesn’t only issue these digital certificates but also provides ready-made and user-friendly “client apps” that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.

But ESET says that sometime this year, hackers broke into the agency’s website, located at ca.gov.vn, and inserted malware inside two of the VGCA client apps offered for download on the site.

The two files were 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client apps for Windows users.

ESET says that between July 23 and August 5, this year, the two files contained a backdoor trojan named PhantomNet, also known as Smanager.

The malware wasn’t very complex but was merely a wireframe for more potent plugins, researchers said.

Known plugins included the functionality to retrieve proxy settings in order to bypass corporate firewalls and the ability to download and run other (malicious) apps.

The security firm believes the backdoor was used for reconnaissance prior to a more complex attack against selected targets.

[…]

PantomNet victims also discovered in the Philippines

ESET said that it also found victims infected with the PhantomNet backdoor in the Philippines but was unable to say how these users got infected. Another delivery mechanism is suspected.

The Slovak security firm didn’t formally attribute the attack to any particular group, but previous reports linked the PhatomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activities.

The VGCA incident marks the fifth major supply chain attack this year after the likes of:

• SolarWinds – Russian hackers compromised the update mechanism of the SolarWinds Orion app and infected the internal networks of thousands of companies across the glove with the Sunburst malware.
• Able Desktop – Chinese hackers have compromised the update mechanism of a chat app used by hundreds of Mongolian government agencies.
• GoldenSpy – A Chinese bank had been forcing foreign companies activating in China to install a backdoored tax software toolkit.
• Wizvera VeraPort – North Korean hackers compromised the Wizvera VeraPort system to deliver malware to South Korean users.

Source: Vietnam targeted in complex supply chain attack | ZDNet

Dozens of people who say they were subjected to death threats, racial slurs, and blackmail after their in-home Ring smart cameras were hacked are suing the company over “horrific” invasions of privacy.

A new class action lawsuit, which combines a number of cases filed in recent years, alleges that lax security measures at Ring, which is owned by Amazon, allowed hackers to take over their devices. Ring provides home security in the form of smart cameras that are often installed on doorbells or inside people’s homes.

The suit against Ring builds on previous cases, joining together complaints filed by more than 30 people in 15 families who say their devices were hacked and used to harass them. In response to these attacks, Ring “blamed the victims, and offered inadequate responses and spurious explanations”, the suit alleges. The plaintiffs also claim the company has also failed to adequately update its security measures in the aftermath of such hacks.

[…]

The suit outlines examples of hackers taking over Ring cameras, screaming obscenities, demanding ransoms, and threatening murder and sexual assault.

One Ring user says he was asked through his camera as he watched TV one night, “What are you watching?” Another alleges his children were addressed by an unknown hacker through the device, who commented on their basketball play and encouraged them to approach the camera.

In one case, an older woman at an assisted living facility was allegedly told “tonight you die” and sexually harassed through the camera. Due to the distress caused by the hack she ultimately had to move back in with her family, feeling unsafe in the facility where she once lived.

[…]

Repeatedly, Ring blamed victims for not using sufficiently strong passwords, the suit claims. It says Ring should have required users to establish complicated passwords when setting up the devices and implement two-factor authentication, which adds a second layer of security using a second form of identification, such as a phone number.

However, as the lawsuit alleges, Ring was hacked in 2019 – meaning the stolen credentials from that breach may have been used to get into users’ cameras. That means the hacks that Ring has allegedly blamed on customers may have been caused by Ring itself. A spokesperson said the company did not comment on ongoing litigation.

The lawsuit also cites research from the Electronic Frontier Foundation and others that Ring violates user privacy by using a number of third-party trackers on its app.

The suit said that, at present, Ring “has not sufficiently improved its security practices or responded adequately to the ongoing threats its products pose to its customers”. Security and privacy experts have also criticized Ring’s response.

[…]

In addition to hacking concerns, Ring has faced increasing criticism for its growing surveillance partnership with police forces. Ring has now created law enforcement partnerships, which allow users to send footage and photos to police, in more than 1,300 cities.

“Ring’s surveillance-based business model is fundamentally incompatible with civil rights and democracy,” Greer said. “These devices, and the thinking behind them, should be melted down and never spoken of again.”

Source: Dozens sue Amazon’s Ring after camera hack leads to threats and racial slurs | Amazon | The Guardian

Earlier this month, the book industry website Publishers Marketplace announced that Little, Brown would be publishing “Re-Entry,” a novel by James Hannaham about a transgender woman paroled from a men’s prison. The book would be edited by Ben George.

Two days later, Mr. Hannaham got an email from Mr. George, asking him to send the latest draft of his manuscript. The email came to an address on Mr. Hannaham’s website that he rarely uses, so he opened up his usual account, attached the document, typed in Mr. George’s email address and a little note, and hit send.

“Then Ben called me,” Mr. Hannaham said, “to say, ‘That wasn’t me.’”

Mr. Hannaham was just one of countless targets in a mysterious international phishing scam that has been tricking writers, editors, agents and anyone in their orbit into sharing unpublished book manuscripts. It isn’t clear who the thief or thieves are, or even how they might profit from the scheme. High-profile authors like Margaret Atwood and Ian McEwan have been targeted, along with celebrities like Ethan Hawke. But short story collections and works by little-known debut writers have been attacked as well, even though they would have no obvious value on the black market.

In fact, the manuscripts do not appear to wind up on the black market at all, or anywhere on the dark web, and no ransoms have been demanded. When copies of the manuscripts get out, they just seem to vanish. So why is this happening?

[…]

Whoever the thief is, he or she knows how publishing works, and has mapped out the connections between authors and the constellation of agents, publishers and editors who would have access to their material. This person understands the path a manuscript takes from submission to publication, and is at ease with insider lingo like “ms” instead of manuscript.

Emails are tailored so they appear to be sent by a particular agent writing to one of her authors, or an editor contacting a scout, with tiny changes made to the domain names — like penguinrandornhouse.com instead of penguinrandomhouse.com, an “rn” in place of an “m” — that are masked, and so only visible when the target hits reply.

“They know who our clients are, they know how we interact with our clients, where sub-agents fit in and where primary agents fit in,” said Catherine Eccles, owner of a literary scouting agency in London. “They’re very, very good.”

This phishing exercise began at least three years ago, and has targeted authors, agents and publishers in places like Sweden, Taiwan, Israel and Italy. This year, the volume of these emails exploded in the United States, reaching even higher levels in the fall around the time of the Frankfurt Book Fair, which, like most everything else this year, was held online.

[…]

Often, these phishing emails make use of public information, like book deals announced online, including on social media. Ms. Sweeney’s second book, however, hadn’t yet been announced anywhere, but the phisher knew about it in detail, down to Ms. Sweeney’s deadline and the names of the novel’s main characters.

[…]

Ms. Sweeney’s first book was a best seller, so she, like well-known authors Jo Nesbo and Michael J. Fox, may be an obvious choice. But the scammer has also requested experimental novels, short story collections and recently sold books by first-time authors. Meanwhile, Bob Woodward’s book “Rage,” which came out in September, was never targeted, Mr. Woodward said.

“If this were just targeting the John Grishams and the J.K. Rowlings, you could come up with a different theory,” said Dan Strone, chief executive of the literary agency Trident Media Group. “But when you’re talking about the value of a debut author, there is literally no immediate value in putting it on the internet, because nobody has heard of this person.”

One of the leading theories in the publishing world, which is rife with speculation over the thefts, is that they are the work of someone in the literary scouting community. Scouts arrange for the sale of book rights to international publishers as well as to film and television producers, and what their clients pay for is early access to information — so an unedited manuscript, for example, would have value to them.

“The pattern it resembles is what I do,” said Kelly Farber, a literary scout, “which is I get everything.”

Cybercriminals regularly trade pirated movies and books on the dark web, alongside stolen passwords and Social Security numbers. Yet a broad search of dark web channels, like the Pirate Warez website, an underground forum for pirated goods, didn’t yield anything meaningful when searching for “manuscripts,” “unpublished” or “upcoming book,” or the titles of several purloined manuscripts.

[…]

Apparently nobody has posted them online out of spite or tried to entice eager fans to turn over their credit card information in exchange for an early glimpse. There have been no ransom demands of the authors by extortionists threatening to dump the authors’ years of work online if they don’t pay up. In this absence, and with no clear monetization strategy to the thief’s or thieves’ efforts, cybersecurity experts have been left scratching their heads.

[…]

“The trouble they went to — fabricating conversations with trusted people and sort of acting as if they are filling in the target on those conversations to grant themselves credibility — definitely demonstrates very specific targeting, and probably more effort than we see in most phishing emails,” said Roman Sannikov, a threat analyst at Recorded Future whom The Times asked to review the emails.

[…]

Source: Why on Earth Is Someone Stealing Unpublished Book Manuscripts? – The New York Times

Journalists appear to have fallen prone to a particularly sophisticated digital espionage campaign. According to the Guardian, Citizen Lab has discovered that operators using NSO Group software, nicknamed Kismet, hacked the iPhones of 37 journalists (most from Al Jazeera) using an iMessage vulnerability that had been present for roughly a year. The zero-click attacks left no trace and would have allowed access to passwords, microphone audio and even snapping photos.

The exact motivations aren’t clear, but there were four operators that appear to have origins in Saudi Arabia and the United Arab Emirates and, in at least two cases, acted on the government’s behalf. One victim, Al Araby’s Rania Dridi, believed she might have been a target due to her discussions of women’s rights and her link to an outspoken critic of Saudi Arabia and the UAE. One target reportedly received spyware links like those used to snoop on UAE activist Ahmed Mansoor in 2016.

The exploit doesn’t appear to work in iOS 14.

Source: iPhone security flaw let spies hack dozens of Al Jazeera journalists | Engadget

A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company’s products earlier this year, according to a security research blog by Microsoft.

“The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the blog said.

Security experts told Reuters this second effort is known as “SUPERNOVA.” It is a piece of malware that imitates SolarWinds’ Orion product but it is not “digitally signed” like the other attack, suggesting this second group of hackers did not share access to the network management company’s internal systems.

It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file’s compile times.

The new finding shows how more than one sophisticated hacking group viewed SolarWinds, an Austin, Texas-based company that was not a household name until this month, as an important gateway to penetrate other targets.

Source: Second hacking team was targeting SolarWinds at time of big breach | Reuters

Microsoft Blog: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call.

“We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have,” he said. “We manage everyone’s network gear.”

Now that dominance has become a liability – an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers.

On Monday, SolarWinds confirmed that Orion – its flagship network management software – had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce.

[…]

Cybersecurity experts are still struggling to understand the scope of the damage.

The malicious updates – sent between March and June, when America was hunkering down to weather the first wave of coronavirus infections – was “perfect timing for a perfect storm,” said Kim Peretti, who co-chairs Atlanta-based law firm Alston & Bird’s cybersecurity preparedness and response team.

Assessing the damage would be difficult, she said.

“We may not know the true impact for many months, if not more – if not ever,” she said.

The impact on SolarWinds was more immediate. U.S. officials ordered anyone running Orion to immediately disconnect it. The company’s stock has tumbled more than 23% from $23.50 on Friday – before Reuters broke the news of the breach – to $18.06 on Tuesday.

[…]

One of those offering claimed access over the Exploit forum in 2017 was known as “fxmsp” and is wanted by the FBI “for involvement in several high-profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company’s clients, which include U.S. law enforcement agencies.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”

[…]

Source: Hackers used SolarWinds’ dominance against it in sprawling spy campaign | Reuters