Bluetooth Low Energy (BLE) is everywhere these days. If you fire up a scanner on your phone and walk around the neighborhood, we’d be willing to bet you’d pick up dozens if not hundreds of devices. By extension, from fitness bands to light bulbs, it’s equally likely that you’re going to want to talk to some of these BLE gadgets at some point. But how?

Well, watching this three part video series from [Stuart Patterson] would be a good start. He covers how to get a cheap nRF52480 BLE dongle configured for sniffing, pulling the packets out of the air with Wireshark, and perhaps most crucially, how to duplicate the commands coming from a device’s companion application on the ESP32.

The first video in the series is focused on getting a Windows box setup for BLE sniffing, so readers who aren’t currently living under Microsoft’s boot heel may want to skip ahead to the second installment. That’s where things really start heating up, as [Stuart] demonstrates how you can intercept commands being sent to the target device.

It’s worth noting that little attempt is made to actually decode what the commands mean. In this particular application, it’s enough to simply replay the commands using the ESP32’s BLE hardware, which is explained in the third video. Obviously this technique might not work on more advanced devices, but it should still give you a solid base to work from.

In the end, [Stuart] takes an LED lamp that could only be controlled with a smartphone application and turns it into something he can talk to on his own terms. Once the ESP32 can send commands to the lamp, it only takes a bit more code to spin up a web interface or REST API so you can control the device from your computer or other gadget on the network. While naturally the finer points will differ, this same overall workflow should allow you to get control of whatever BLE gizmo you’ve got your eye on.

 

Source: A Crash Course On Sniffing Bluetooth Low Energy | Hackaday

Several internet companies repelled DDOS attacks on Monday night. Among them are at least three Internet providers Freedom Internet, Tweak and Kabelnoord.

Web hosting company TransIP also faced a DDOS attack targeting so-called name servers on Monday.

While averting this attack and resolving its consequences, the company was hit by a second, more violent attack on the entire infrastructure.

It is not clear whether there is any link between the attacks.

Source: Nederlandse internetbedrijven getroffen door DDOS aanvallen – Emerce

The cracking of the expensive messaging app, called “Sky ECC,” was what allowed over 1,500 police officers across Belgium to be simultaneously deployed in at least 200 raids, many of which were centred around Antwerp and involved special forces.

Investigators succeeded in cracking Sky ECC at the end of last year, according to reporting by De Standaard, and as a result were able to sort through thousands of messages major criminals were sending each other over the course of a month.

Information gained from those conversations is what led to Tuesday’s historic operation, two years in the making.

[…]

Sky ECC became popular with drug criminals after its successor Encrochat was cracked in 2020 by French and Dutch investigators, who were able to intercept over 100 million messages sent via the app.

That led to over a hundred suspects being arrested in the Netherlands, uncovering a network of laboratories where crystal meth and other drugs were being produced and allowing police to seize 8,000 kilos of cocaine and almost €20 million.

A number of investigations are also still currently underway in Belgium based on the information from that cracking. While it led to panic among major criminal operations in the Netherlands, there wasn’t much of a reaction at the time in the Belgian underworld.

“Almost everyone in Antwerp switched from Encrochat to Sky two years ago,” a source told the Gazet van Antwerpen in July last year, adding that major Antwerp criminals in Dubai also used Sky ECC.

The company, which calls itself “the world’s most secure messaging app,” had previously said “hacking is impossible.” It defended its services, stating they “strongly believe that privacy is a fundamental human right.”

[…]

 

Source: Cracking of Sky CC app dealt major blow to organised crime

SITA, a data firm that works with some of the world’s largest airlines, announced Thursday that it had been the victim of a “highly sophisticated cyberattack,” the likes of which compromised information on hundreds of thousands of airline passengers all over the world.

The attack, which occurred in February, targeted data stored on SITA’s Passenger Service System servers, which are responsible for storing information related to transactions between carriers and customers. One of the things SITA does is act as a mechanism for data exchange between different airlines—helping to ensure that passenger “benefits can be used across different carriers” in a systematized fashion.

Understanding what specific data the hackers accessed is, at this point, a little tough—though it would appear that some of it was frequent flier information shared with SITA by members of the Star Alliance, the world’s largest global airline alliance.

An airline alliance is basically an industry consortium, and Star’s membership is comprised of some of the world’s most prominent airlines—including United Airlines, Lufthansa, Air Canada, and 23 others. Of those members, a number have already stepped forward to announce breaches in connection with the attack—and SITA itself would appear to have acknowledged that the affected parties are connected to alliance memberships.

[…]

So far, it would appear that the nature of the breach is more wide than deep. That is, a lot of people seem to have been affected, though in most cases the data that was being shared with SITA does not seem that extensive. In the case of Singapore Airlines, for instance, upwards of 500,000 people had their data compromised, though the data did not include things like member itineraries, passwords, or credit card information. The airline has stated:

Around 580,000 KrisFlyer and PPS members have been affected by the breach of the SITA PSS servers. The information involved is limited to the membership number and tier status and, in some cases, membership name, as this is the full extent of the frequent flyer data that Singapore Airlines shares with other Star Alliance member airlines for this data transfer.

[…]

Source: Hackers Looted Passenger Data From Some of the Biggest Airlines

Last week, Microsoft announced that the on-premises version of its widely used email and calendaring product Exchange had several previously undisclosed security flaws. These flaws, the company said, were being used by foreign threat actors to hack into the networks of U.S. businesses and governments, primarily to steal large troves of email data. Since then, the big question on everybody’s mind has been: Just how bad is this?

The short answer is: It’s pretty bad

So far, hack descriptors such as “crazy huge,” “astronomical,” and “unusually aggressive” seem to be right on the money. As a result of Exchange vulnerabilities, it is likely that tens of thousands of U.S.-based entities have had malicious backdoors implanted in their systems. Anonymous sources close to the Microsoft investigation have repeatedly told press outlets that somewhere around 30,000 American organizations have been compromised as a result of the security flaws (if correct, these numbers officially dwarf SolarWinds, which led to the compromise of about 18,000 entities domestically and nine federal agencies, according to the White House). The number of compromised entities worldwide could be much larger. A source recently told Bloomberg that there are “at least 60,000 known victims globally.”

Even more problematically, some researchers have said that, since the public disclosure of the Exchange vulnerabilities, it would appear that attacks on the product have only accelerated. Anton Ivanov, a threat research specialist at Kaspersky, said in an email that his team has seen an uptick in activity over the past week.

[…]

Microsoft Exchange Server comes in two formats, which has led to some confusion about what systems are at risk: there is an on-premises product and a software-as-a-service cloud product. The cloud product, Exchange Online, is said to be unaffected by the security flaws. As previously stated, it is the on-premises products that are being exploited. Other Microsoft email products are not thought to be vulnerable. As CISA has said, “neither the vulnerabilities nor the identified exploit activity is currently known to affect Microsoft 365 or Azure Cloud deployments.”

There are four vulnerabilities in on-premises Exchange Servers that are actively being exploited (see: here, here, here, and here). Three other security-associated vulnerabilities exist, but authorities say these have not seen active exploitation of these yet (see: here, here, and here.) Patches can be found at Microsoft’s website, though, as we’ll go over in more detail later, there have been some issues with proper deployment.

So far, Microsoft has primarily blamed a threat actor dubbed “HAFNIUM” for the intrusions into Exchange. HAFNIUM is said to be a state-sponsored group

[…]

security researchers say it is almost certain that other threat actors are also involved in the exploitation of the vulnerabilities. S

[…]

. “Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities,” said Red Canary researcher Katie Nickels on Saturday.

Who Is Getting Hit

Due to the widespread use of Exchange, many different types of entities are at-risk. Some large organizations—including the European Banking Authority—have already announced breaches.

[…]

As noted above, Microsoft has issued patches for the vulnerabilities—but these patches have had some problems. On Thursday, a Microsoft spokesperson noted that, in certain cases, the patches would appear to work but wouldn’t actually fix the vulnerability. A full break-down of that issue can be found on Microsoft’s website.

Organizations have been warned that they should not only be patching vulnerabilities but should also be investigating whether they have already been compromised. Microsoft has announced resources to help with that. It issued an update to its Safety Scanner (MSERT) tool which can help identify whether web shells have been deployed against Exchange servers. MSERT is an anti-malware tool that searches for, identifies, and removes malware on a system.

[…]

 

Source: The “Crazy Huge Hack” of Microsoft, Explained

A hacker group claims to have broken into the networks of cloud-based surveillance startup Verkada, gaining unfiltered access to thousands and thousands of live security camera feeds in the process.

The hack first gained public attention Tuesday afternoon, when a Twitter user who goes by the name “Tillie” began leaking purported images of the hack onto the internet: “ever wondered what a @Tesla warehouse looks like?” the hacker quipped, dangling a picture of what appears to be an industrial facility.

Tillie, who goes by the full name Tillie Kottmann and uses they/them pronouns, is allegedly part of an international hacker collective responsible for having breached Verkada, according to a report from Bloomberg. Once inside, the hackers were able to use the firm’s security feeds to peer into the internal workings of droves of organizations, including medical facilities, psychiatric hospitals, jails, schools and police departments, and even large companies like Tesla, Equinox and Cloudflare. The scope of the hack appears massive.

Among other things, Kottmann implied Tuesday that they could have used their access to Verkada to hack into the laptop of Cloudflare CEO Matthew Prince:

The hacker group has very noticeably courted public attention, calling the intrusion campaign “Operation Panopticon” and claiming they want to “end surveillance capitalism” by bringing attention to the ways in which ubiquitous surveillance dominates people’s lives.

[…]

According to Bloomberg, “Arson Cats” gained entry to the company via a pretty massive security blunder: The hackers discovered a password and username for a Verkada administrative account publicly exposed to the internet. In a Twitter message, Tillie reiterated this to Gizmodo, claiming that once they had compromised the administrator account (called a “super administrator”), they were able to hook into any of the 150,000 video feeds in Verkada’s library.

“The access we had allowed us to impersonate any user of the system and access their view of the platform,” said the hacker, further explaining that the “superadmin rights are also what granted us access to the root shell at the click of a button.”

[…]

Source: Hackers Target Surveillance Firm, Exposing Live Camera Feeds

n the latest in a string of “hits” on Russian dark web forums, the prominent crime site Maza appears to have been hacked by someone earlier this week.

This is kind of big news since Maza (previously called “Mazafaka”) has long been a destination for all assortment of criminal activity, including malware distribution, money laundering, carding (i.e., the selling of stolen credit card information), and lots of other bad behavior. The forum is considered “elite” and hard to join, and in the past, it has been a cesspool for some of the world’s most prolific cybercriminals.

Whoever hacked Maza netted thousands of data points about the site’s users, including usernames, email addresses, and hashed passwords, a new report from intelligence firm Flashpoint shows. Two warning messages were then scrawled across the forum’s home page: “Your data has been leaked” and “This forum has been hacked.”

KrebsOnSecurity reports that the intruder subsequently dumped the stolen data on the dark web, spurring fears among criminals that their identities might be exposed (oh, the irony). The validity of the data has been verified by threat intelligence firm Intel 471.

This hack comes shortly after similar attacks on two other Russian cybercrime forums, Verified and Exploit, that occurred earlier this year. It’s been noted that the successive targeting of such high-level forums is somewhat unusual.

[…]

Source: Hacker Forum Maza Hacked

According to Sophos, the so-called search engine “deoptimization” method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google’s rankings.

[…]

In a blog post on Monday, the cybersecurity team said the technique, dubbed “Gootloader,” involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT) which also delivers a variety of other malware payloads.

The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers — 400, if not more — must be maintained at any given time for success.

[…]

Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which “subtle” modifications are made to “rewrite how the contents of the website are presented to certain visitors.”

“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” Sophos says.

If the attackers’ criteria aren’t met, the browser will display a seemingly-normal web page — that eventually dissolves into garbage text.

[…]

Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file.

The .js file executes, runs in memory, and obfuscated code is then decrypted to call other payloads.

According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.

“At several points, it’s possible for end-users to avoid the infection, if they recognize the signs,” the researchers say. “The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools.”

[…]

Source: Hackers exploit websites to give them excellent SEO before deploying malware | ZDNet

A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain.

The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018.

According to its website, the Spectre bug is a hardware design flaw in the architectures of Intel, AMD, and ARM processors that allows code running inside bad apps to break the isolation between different applications at the CPU level and then steal sensitive data from other apps running on the same system.

The vulnerability, which won a Pwnie Award in 2018 for one of the best security bug discoveries of the year, was considered a milestone moment in the evolution and history of the modern CPU.

Its discovery, along with the Meltdown bug, effectively forced CPU vendors to rethink their approach to designing processors, making it clear that they cannot focus on performance alone, to the detriment of data security.

[…]

But today, Voisin said he discovered new Spectre exploits—one for Windows and one for Linux—different from the ones before. In particular, Voisin said he found a Linux Spectre exploit capable of dumping the contents of /etc/shadow, a Linux file that stores details on OS user accounts.

Such behavior is clearly malicious; however, there is no evidence that the exploit was used in the wild, as it could have also been uploaded on VirusTotal by a penetration tester as well.

[…]

the most interesting part of Voisin’s discovery is in the last paragraph of his blog, where he hints that he may have discovered who may be behind this new Spectre exploit.

“Attribution is trivial and left as an exercise to the reader,” the French security researcher said in a mysterious ending.

But while Voisin did not want to name the exploit author, several people were not as shy. Security experts on both Twitter and news aggregation service HackerNews were quick to spot that the new Spectre exploit might be a module for CANVAS, a penetration testing tool developed by Immunity Inc.

[…]

Source: First Fully Weaponized Spectre Exploit Discovered Online | The Record by Recorded Future

When Twitter banned Donald Trump and a slew of other far-right users in January, many of them became digital refugees, migrating to sites like Parler and Gab to find a home that wouldn’t moderate their hate speech and disinformation. Days later, Parler was hacked, and then it was dropped by Amazon web hosting, knocking the site offline. Now Gab, which inherited some of Parler’s displaced users, has been badly hacked too. An enormous trove of its contents has been stolen—including what appears to be passwords and private communications.

On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls GabLeaks, a collection of more than 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says a hacktivist who self-identifies as “JaXpArO and My Little Anonymous Revival Project” siphoned that data out of Gab’s backend databases in an effort to expose the platform’s largely right-wing users. Those Gab patrons, whose numbers have swelled after Parler went offline, include large numbers of Qanon conspiracy theorists, white nationalists, and promoters of former president Donald Trump’s election-stealing conspiracies that resulted in the January 6 riot on Capitol Hill.

DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab’s public posts and profiles—with the exception of any photos or videos uploaded to the site—but also private group and private individual account posts and messages, as well as user passwords and group passwords. “It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content,” Best wrote in a text message interview with WIRED. “It’s another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6.”

DDoSecrets says it’s not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. WIRED viewed a sample of the data, and it does appear to contain Gab users’ individual and group profiles—their descriptions and privacy settings—public and private posts, and passwords. Gab CEO Andrew Torba acknowledged the breach in a brief statement Sunday.

Passwords for private groups are unencrypted, which Torba says the platform discloses to users when they create one. Individual user account passwords appear to be cryptographically hashed—a safeguard that may help prevent them from being compromised—but the level of security depends on the hashing scheme used and the strength of the underlying password.

[…]

According to DDoSecrets’ Best, the hacker says that they pulled out Gab’s data via a SQL injection vulnerability in the site—a common web bug in which a text field on a site doesn’t differentiate between a user’s input and commands in the site’s code, allowing a hacker to reach in and meddle with its backend SQL database.

[…]

Source: Far-Right Platform Gab Has Been Hacked—Including Private Data | WIRED

This is a comedy of bad security on the part of Gab.

Kia seems to be in quite a predicament. As we reported earlier today, the automaker’s online services appear to have been severed from the outside world, with customers unable to start their cars remotely via Kia’s apps or even log into the company’s financing website to pay their bills. All signs pointed to a potential cyberattack against Kia—ransomware most likely—and that’s exactly what a new report is claiming it is.A report by information security news site Bleeping Computer seems to solidify that theory, as the publication shared a screenshot of an alleged ransom note asking Kia for the hefty sum of $20,000,000 to decrypt its files.Screenshot: KiaThe infection is believed to be the work of a group called DoppelPaymer by Crowdstrike researchers in 2019. Such threat actors routinely hunt big game for large payouts, according to a security bulletin released by the FBI late last year. The note left behind mentions that the malware not only encrypted live data, but also the company’s backups, which more sophisticated attacks of this nature often do to prevent an easy restoration.To make matters worse, it also claims to have exfiltrated a large amount of data along with the hack which it says it will release within three weeks. It’s not clear what kind of data was exfiltrated by the attackers, however, the note claims that it was a “huge amount” of it, and the number of Kia’s online services that were affected does elude to the possibility of a broad net being cast into Kia’s network. In more simple terms, these alleged attackers stole a bunch of stuff out of Kia’s house and then locked the doors to some of the bedrooms inside. After reaching out to Kia multiple times, The Drive finally received an answer on the matter. A Kia spokesperson confirmed that Kia is “experiencing an extended systems outage,” though it does not mention the nature of the outage. It also downplays the ransomware attack allegations shared by Bleeping Computer.”Kia Motors America, Inc. is currently experiencing an extended systems outage,” a Kia spokesperson told The Drive via email. “Affected systems includetheKiaOwnersPortal, UVO Mobile Apps, and the Consumer Affairs Web portal. We apologize for any inconvenience to affected customers and are working to resolve the issue as quickly as possible with minimal interruption to our business.”The spokesperson added: “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”Having said that, the report on Bleeping Computer indicates detailed notes from these purported attackers. The attackers apparently used a Protonmail email address to communicate and display a web page on Tor, an encrypted peer-to-peer network that promotes anonymity, complete with an online chat function in case they need support to pay the ransom. At the time of this writing, the hackers were requesting 404.5412 Bitcoin, which equates to roughly $20.9 million. But the message also warns that as they take longer to pay, the fee goes up, ending in 600 Bitcoin ($31 million) should the automaker not pay up within nine days.Screenshots of the actual notes have been published by Bleeping Computer and can be viewed here. It’s also worth noting that DoppelPaymer is the same malware that was responsible for exfiltrating and encrypting data from Visser, a defense contractor and parts manufacturer for both Tesla and SpaceX, just last year.

Source: The Apparent Hackers Behind Kia’s Ransomware Attack Are Demanding Millions in Bitcoin

In 2010, the U.S. Department of Defense found thousands of its computer servers sending military network data to China—the result of code hidden in chips that handled the machines’ startup process.

In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site.

And in 2015, the Federal Bureau of Investigation warned multiple companies that Chinese operatives had concealed an extra chip loaded with backdoor code in one manufacturer’s servers.

Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait; U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities.

[…]

Around early 2010, a Pentagon security team noticed unusual behavior in Supermicro servers in its unclassified networks.

Implant in the Startup Process

The machines turned out to be loaded with unauthorized instructions directing each one to secretly copy data about itself and its network and send that information to China, according to six former senior officials who described a confidential probe of the incident. The Pentagon found the implant in thousands of servers, one official said; another described it as “ubiquitous.”

Investigators attributed the rogue code to China’s intelligence agencies, the officials said. A former senior Pentagon official said there was “no ambiguity” in that attribution.

[…]

As military experts investigated the Pentagon breach, they determined that the malicious instructions guiding the Pentagon’s servers were hidden in the machines’ basic input-output system, or BIOS, part of any computer that tells it what to do at startup.

Two people with direct knowledge said the manipulation combined two pieces of code: The first was embedded in instructions that manage the order of the startup and can’t be easily erased or updated. That code fetched additional instructions that were tucked into the BIOS chip’s unused memory, where they were unlikely to be found even by security-conscious customers. When the server was turned on, the implant would load into the machine’s main memory, where it kept sending out data periodically.

Manufacturers like Supermicro typically license most of their BIOS code from third parties. But government experts determined that part of the implant resided in code customized by workers associated with Supermicro, according to six former U.S. officials briefed on the findings.

[…]

By 2014, investigators across the U.S. government were looking for any additional forms of manipulation—anything they might have missed, as one former Pentagon official put it. Within months, working with information provided by American intelligence agencies, the FBI found another type of altered equipment: malicious chips added to Supermicro motherboards.

Warnings Delivered

Government experts regarded the use of these devices as a significant advance in China’s hardware-hacking capabilities, according to seven former American officials who were briefed about them between 2014 and 2017. The chips injected only small amounts of code into the machines, opening a door for attackers, the officials said.

Small batches of motherboards with the added chips were detected over time, and many Supermicro products didn’t include them, two of the officials said.

[…]

“The agents said it was not a one-off case; they said this was impacting thousands of servers,” Kumar said of his own discussion with FBI agents.

It remains unclear how many companies were affected by the added-chip attack. Bloomberg’s 2018 story cited one official who put the number at almost 30, but no customer has acknowledged finding malicious chips on Supermicro motherboards.

Several executives who received warnings said the information contained too few details about how to find any rogue chips. Two former senior officials said technical details were kept classified.

[…]

“This wasn’t a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device,” Quinn said, recalling details provided by Air Force officials. The chip “was blended into the trace on a multilayered board,” he said.

“The attackers knew how that board was designed so it would pass” quality assurance tests, Quinn said.

[…]

Corporate investigators uncovered yet another way that Chinese hackers were exploiting Supermicro products. In 2014, executives at Intel traced a security breach in their network to a seemingly routine firmware update downloaded from Supermicro’s website.

[…]

A contact in the U.S. intelligence community alerted the company to the breach, according to a person familiar with the matter. The tip helped Intel investigators determine that the attackers were from a state-sponsored group known as APT 17.

APT 17 specializes in complex supply-chain attacks, and it often hits multiple targets to reach its intended victims, according to cybersecurity firms including Symantec and FireEye. In 2012, the group hacked the cybersecurity firm Bit9 in order to get to defense contractors protected by Bit9’s products.

Intel’s investigators found that a Supermicro server began communicating with APT 17 shortly after receiving a firmware patch from an update website that Supermicro had set up for customers. The firmware itself hadn’t been tampered with; the malware arrived as part of a ZIP file downloaded directly from the site, according to accounts of Intel’s presentation.

[…]

Breaches involving Supermicro’s update site continued after the Intel episode, according to two consultants who participated in corporate investigations and asked not to be named.

In incidents at two non-U.S. companies, one in 2015 and the other in 2018, attackers infected a single Supermicro server through the update site, according to a person who consulted on both cases. The companies were involved in the steel industry, according to the person, who declined to identify them, citing non-disclosure agreements. The chief suspect in the intrusions was China, the person said.

In 2018, a major U.S. contract manufacturer found malicious code in a BIOS update from the Supermicro site, according to a consultant who participated in that probe. The consultant declined to share the manufacturer’s name. Bloomberg reviewed portions of a report on the investigation.

It’s unclear whether the three companies informed Supermicro about their issues with the update site, and Supermicro didn’t respond to questions about them.

[…]

Source: Supermicro Hack: How China Exploited a U.S. Tech Supplier Over Years

The phone numbers (and corresponding site IDs) of some 500 million Facebook users now appear to be for sale on a dark web cybercrime forum.

The criminal or group of criminals responsible have constructed a Telegram bot to act as a search function for the data. Potential buyers can now use the bot to sift through the data to find phone numbers that correspond to user IDs—or vice versa—with the full information being unlocked after paying for query “credits.” Those credits start at $20 for a single search and get cheaper if bought in bulk.

The activity was discovered by Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, who posted about the scheme on his Twitter account, and reported by Joseph Cox, at Motherboard.

An insecure Facebook server containing account information on millions of users appears to be the source of the data for sale here—though that vulnerability was discovered by researchers in 2019 and Facebook has since fixed it. Gal has claimed that the vulnerability was exploited to create “a database containing the information 533m users across all countries.” (For reasons unknown, the bot itself only claims to sell information for users in 19 countries.)

Source: A Telegram Bot Is Selling Stolen Facebook User Info for $20 a Pop

Yay centralised databases

A London ad agency that counts Atlantic Records, Suzuki, and Penguin Random House among its clients has had its files dumped online by a ransomware gang, The Register can reveal.

The7stars, based in London’s West End, filed [PDF] revenues of £379.36m up from £326m, gross billing of £426m and net profit of £2.1m for the year ended 31 March 2020.

In the same accounts filed with UK register Companies House, it boasted of its position as the “largest independently owned media agency in the UK by a significant factor”, making it a juicy target for the Clop ransomware extortionists.

The attack appears to have happened after 15 December, when The7stars’ annual return was prepared for filing with Companies House. While the document talks in length about its healthy financial performance, it mentions nothing about cyber risks or attacks.

Screenshots published on the Clop gang’s Tor website show scans of passports, invoices, what appears to be a photo from a staff party and, ironically, a “data protection agreement.”

Publication of stolen files on a ransomware crew’s website is typically an indicator that a ransom demand has been rebuffed, though more aggressive tactics seen in the last year include pre-emptive leaking of stolen data as an apparent incentive for marks to pay up quickly.

The agency’s client list includes Led Zeppelin’s former label Atlantic Records, Japanese motorbike maker Suzuki, and British train operating companies including Great Western Railway, among others. It is very unlikely that those companies will have been directly affected, though it appears Clop wants to give the impression that it has stolen commercially sensitive documents relating to The7stars’ clients.

[…]

Source: Clop ransomware gang clips sensitive files from Atlantic Records’ London ad agency The7stars, dumps them online • The Register

Millions of users of the dating site MeetMindful got some unpleasant news on Sunday. ZDNet reported that the hacker group ShinyHunters, the same group who leaked millions of user records for the company that listed the “Camp Auschwitz” shirts, has dumped what appears to be data from the dating site’s user database. The leak purportedly contains the sensitive information of more than 2.28 million of the site’s registered users.

[…]

According to ZDNet, the 1.2 gigabyte file was shared as a free download “on a publicly accessible hacking forum known for its trade in hacked databases.” It included troves of sensitive and identifiable user information, including real names, email addresses, city, state, and ZIP code details, birth dates, IP addresses, Facebook user IDs, and Facebook authentication tokens, among others. Messages, however, were not exposed.

[…]

According to its Crunchbase profile, MeetMindful is a dating site platform for “people who are into health, well-being, and mindfulness.” It was founded in 2013, is based in Denver, Colorado, and is still active.

Here’s where it starts to get a little strange, though. The site’s listed social media channels have been inactive for months, which is interesting considering that major dating apps have been growing during the pandemic. I mean, don’t they want to encourage their users to date (safely)? From the outside, the service seems like dead zone. Who knows though, it could be all the rage inside the site itself.

[…]

Source: Report: Hackers Leak Data of 2.28 Million MeetMindful Users

A shipment of laptops supplied to British schoolkids by the Department for Education to help them learn under lockdown came preloaded with malware, The Register can reveal.

The affected laptops, supplied to schools under the government’s Get Help With Technology (GHWT) scheme, which started last year, came bundled with the Gamarue malware – an old remote access worm from the 2010s.

The Register understands that a batch of 23,000 computers, the GeoBook 1E running Windows 10, made by Shenzhen-headquartered Tactus Group, contained the units that were loaded with malware. A spokesperson for the manufacturer was not available for comment.

These devices have shipped over the past three to four weeks, though it is unclear how many of them are infected. It is believed the devices were imaged as they left the factory.

One source at a school told The Register that the machines in question seemed to have been manufactured in late 2019 and appeared to have been loaded with their DfE-specified software last year.

[…]

People familiar with the GHWT rollout told The Register that not all the machines in the batch phoned home, however.

The GeoBook 1Es are intended for use by schoolchildren isolating at home during the pandemic as well as in schools themselves.

The Reg understands that 77,000 GEO units have shipped so far under GHWT, with several thousand left to ship.

[…]

Sources told us reseller XMA sourced the kit but was not asked to configure it. It was among three resellers supplying the GHWT contract. Computacenter initially bagged an £87m contract to supply GHWT last year and was joined by IT resellers SCC UK and XMA later that year. XMA inked a 12-month contract worth £5.7m covering 26,449 devices, in October 2020. The £2.1m SCC deal, also inked that month, covers another 10,000 devices.

[…]

“When first run, W32/Gamarue-BJ connects to a C2 site to download updates and further instructions,” said Sophos.

The malware, well known to antivirus vendors since its inception in 2011, was also distributed in the mid-2010s by the Andromeda botnet. That was KO’d by an international coalition in 2017.

[…]

Source: Laptops given to British schoolkids came preloaded with malware and talked to Russia when booted • The Register

NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to passenger data from the airline industry.

In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observed this threat actor during various incident response engagements performed between October 2019 until April 2020. Our threat intelligence analysts noticed clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests.

In open source this actor is referred to as Chimera by CyCraft.

NCC Group and Fox-IT have seen this actor remain undetected, their dwell time, for up to three years. As such, if you were a victim, they might still be active in your network looking for your most recent crown jewels.

We contained and eradicated the threat from our client’s networks during incident response whilst our Managed Detection and Response (MDR) clients automatically received detection logic.

With this publication, NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set.

[…]

Source: Abusing cloud services to fly under the radar – Fox-IT International blog

An in depth analysis follows.

This is the kind of information that the Chinese government uses to find and kill foreign intelligence agents.

Hackers are exploiting a strange bug that lets a simple text string ‘corrupt’ your Windows 10 or Windows XP computer’s hard drive if you extract a ZIP file, open a specific folder, or even click on a Windows shortcut. The hacker adds the text string to a folder’s location, and the moment you open it, bam—hard drive issues.

Or so you might assume when you see a “restart to repair hard drive errors” warning appear in Windows 10. Odds are good that your data is actually fine, but you’ll still have to run chkdsk to be sure.

The bug was first discovered and disclosed by security researcher Jonas L, then Will Doorman of the CERT Coordination Center confirmed those findings. According to Doorman, the flaw is one of many similar issues in Windows 10 that have gone unaddressed for years. Worse, there are more ways to execute the attack beyond just opening a folder.

According to tests by Bleeping Computer, it appears the text string is effective even if a shortcut icon simply points to a location with the corrupting text. You don’t have to click on or open the file, either; just having it visible on your desktop is enough to execute the attack. The text string also works in ZIP files, HTML files, and URLs.

Microsoft is investigating the issue, but there’s no telling if or when a fix could show up. As a company spokesperson told The Verge:

“We are aware of this issue and will provide an update in a future release. The use of this technique relies on social engineering and as always we encourage our customers to practice good computing habits online, including exercising caution when opening unknown files, or accepting file transfers.”

In the meantime, don’t click on suspicious links or open unknown files. That said, this is an unusual bug that can be exploited in numerous ways, and it’s possible the text string could pop up in unexpected places.

Source: Beware This Text String That Can Crash Windows and ‘Corrupt’ Your Drive

n an update and white paper [PDF] released on Tuesday, FireEye warned that the hackers – which intelligence services and computer security outfits have concluded were state-sponsored Russians – had specifically targeted two groups of people: those with access to high-level information, and sysadmins.

But the targeting of those accounts will be difficult to detect, FireEye warned, because of the way they did it: forging the digital certificates and tokens used for authentication to look around networks without drawing much or any attention.

[…]

the paper gives a detailed rundown for how to search logs and what to look for to see if an account has been compromised, complete with step-by-step instructions for how to cut access and provide additional protection in future.

“When a credential that has been added to an application is used to login to Microsoft 365, it is recorded differently than an interactive user sign-in,” the paper notes. “In the Azure Portal these logins can be viewed by navigating to Sign-Ins under the Azure Active Directory blade and then clicking the service principal Sign-ins tab… Note that currently these sign-ins are not recorded in the Unified Audit Log.”

As for mitigation measures, FireEye suggests broadly: a review of all sysadmin accounts in particular to see if there are any “that have been configured or added to a specific service principal” and remove them, and then search for suspicious application credentials and remove them too.

Search and destroy

The biz has also released a free tool on GitHub it’s calling the Azure AD Investigator that will warn organizations if there are signs their networks were compromised via SolarWinds’ backdoored Orion software: there were an estimated 18,000 organizations potentially infected, SolarWinds warned last month; many of them government departments and Fortune 500 companies.

[…]

The report outlined the four “primary techniques” used by the hackers:

1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users. This bypassed various authentication requirements.
2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This essentially created a backdoor on the network.
3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator. This is the targeting of sysadmins.
4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.

[…]

 

Source: FireEye publishes details of SolarWinds hacking techniques, gives out free tool to detect signs of intrusion • The Register

While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments. After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

[…]

As the US Cybersecurity and Infrastructure Security Agency (CISA) stated, the adversary did not only rely on the SolarWinds supply-chain attack but indeed used additional means to compromise high-value targets by exploiting administrative or service credentials.

In 2019, a security researcher exposed a flaw with Azure Active Directory where one could escalate privileges by assigning credentials to applications. In September 2019, he found that the vulnerability still existed and essentially lead to backdoor access to principals’ credentials into Microsoft Graph and Azure AD Graph.

Third-party applications can be abused if an attacker with sufficient administrative privilege gains access to a tenant. A newly released CISA report reveals how threat actors may have obtained initial access by password guessing or password spraying in addition to exploiting administrative or service credentials. In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph.

For many organizations, securing Azure tenants may be a challenging task, especially when dealing with third-party applications or resellers. CrowdStrike has released a tool to help companies identify and mitigate risks in Azure Active Directory.

Source: Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments – Malwarebytes Labs | Malwarebytes Labs

Networking vendor Ubiquiti has written to its customers to advise them of a possible leak of their personal information.

“We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider,” the email opens, before adding: “We have no indication that there has been unauthorized activity with respect to any user’s account.”

But the mail, seen by The Reg and sent out within the past few hours, also says Ubiquiti “cannot be certain that user data has not been exposed,” and admits that if the unauthorized actors did get in, they’ll have been able to access users’ “name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted).”

Customers who stored their physical address and phone number in their account were advised that data may also have been accessed.

“As a precaution, we encourage you to change your password,” the mail states, adding that two-factor authentication is a very fine idea that customers should enable ASAP on their online accounts if it’s not already employed. A warning about password re-use across multiple sites is also offered.

[…]

Source: Ubiquiti iniquity: Wi-Fi box slinger warns hackers may have peeked at customers’ personal information • The Register

Maybe now these guys will start taking security seriously. The last I looked you could get to the admin password just by telnetting into the boxes password free.

Our laser-based injection attack Light Commands shows how microphones can respond to light as if it was sound. By simply modulating the amplitude of laser light, we can inject fully inaudible and invisible commands into microphones of smart speakers, phones, and tablets, across large distances and through glass windows.

In this talk, we will show:

1. How Light Commands works by exploiting a physical vulnerability of MEMS microphones,
2. How it’s possible to remotely inject and execute unauthorized commands on Alexa, Portal, Google, and Siri voice assistants
3. How the ecosystem of devices connected to these voice assistants, such as smart-locks, home switches, and even cars, fail under common security vulnerabilities (e.g. PIN bruteforcing) that make the attack more dangerous

Source: Light Commands: Hacking Voice Assistants with Lasers – Black Hat Europe 2020 | Briefings Schedule

Late last year, it was discovered that yet another set of IoT devices were being turned against their owners by malicious people. It would be a stretch to call these losers “hackers,” considering all they did was utilize credentials harvested from multiple security breaches to take control of poorly secured cameras made by Ring.

Password reuse is common and these trolls made the most of it. Streaming their exploits to paying users, the perpetrators shouted racist abuse at homeowners, talked to/taunted their children, and interrupted their sleep by blaring loud noises through the cameras’ mics.

This string of events landed Ring in court. Ring claims this isn’t the company’s fault since the credentials weren’t obtained from Ring itself. But Ring’s lax security standards allowed users to bypass two-factor authentication and, until recently, didn’t warn users of unrecognized login attempts or lock their accounts after a certain number of login failures.

There’s another insidious twist to this new form of online/offline abuse. And it’s caught the attention of the feds. The FBI says these cameras are now being combined with swatting to inflict additional misery on camera owners.

Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks. To gain access to the smart devices, offenders are likely taking advantage of customers who re-use their email passwords for their smart device. The offenders use stolen email passwords to log into the smart device and hijack features, including the live-stream camera and device speakers.

They then call emergency services to report a crime at the victims’ residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.

Combining two things people hate into one dangerous blend is someone’s idea of a good time. Two recent incidents involving hacked devices and swatting fortunately ended without anyone being killed by law enforcement.

One Florida woman was called by a “hacker” and told to go outside and see if the local SWAT team was there. She was met by police shortly afterwards who told her they’d received a call she’d been murdered by her husband. No raid happened but officers were showered with insults and obscenities by “hackers” via the compromised Ring doorbell/camera for failing to provide the entertainment the online assholes were seeking.

A similar incident happened in Virginia, with the “hacker” taunting both the family and officers as they investigated a fake suicide call.

Through the family’s four Ring cameras, a hacker screamed, “Help me!” as officers checked inside the home to make sure everyone was safe.

Back outside, the officers realized the intermittent screaming was coming from the home’s Ring cameras.

A man started talking to the officers through the cameras, saying he hacked the homeowner’s accounts and faked the 911 call.

[…]

Officer: “What is it that you need from us?”

Hacker: “Oh nothing, we were just [messing] around, after this we’ll log out, tell him to change his Yahoo password, his Ring password, and stop using the same passwords for the same [stuff].”

Chesapeake Police officers covered up the cameras and asked who was screaming. The hacker told officers it was him yelling for help, claiming he livestreamed the Ring cameras when officers arrived and charged people five dollars each to watch online.

So, that’s where we’re at, hellscape-wise. A nation full of devices that can be taken over by anyone with the right credentials and turned into entertainment for sociopaths. Of course, being better about locking down IoT devices won’t stop these same sociopaths from weaponizing local law enforcement agencies. Choosing a strong, unique password isn’t going to keep assholes from swatting people. It’s only going to deprive them of their ability to witness the potentially deadly results of their actions.

Source: FBI Warns Assholes Are Now Combining Compromised IoT Devices With Swatting Because That’s The Hell We Now Live In | Techdirt

The hackers who carried out a sophisticated cyberattack on US government agencies and on private companies were able to access Microsoft’s source code, the company said Thursday.

A Microsoft investigation turned up “unusual activity with a small number of internal accounts” and also revealed that “one account had been used to view source code in a number of source code repositories,” the company said in a blog post. Microsoft said that the account didn’t have the ability to modify code and that no company services or customer data was put at risk.

[…]

Source: Microsoft says SolarWinds hackers viewed source code – CNET

T-Mobile has announced a data breach exposing customers’ proprietary network information (CPNI), including phone numbers and call records.

Starting yesterday, T-Mobile began texting customers that a “security incident” exposed their account’s information.

According to T-Mobile, its security team recently discovered “malicious, unauthorized access” to their systems. After bringing in a cybersecurity firm to perform an investigation, T-Mobile found that threat actors gained access to the telecommunications information generated by customers, known as CPNI.

The information exposed in this breach includes phone numbers, call records, and the number of lines on an account.

“Customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC) rules was accessed. The CPNI accessed may have included phone number, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service,” T-Mobile stated in a data breach notification.

T-Mobile states that the data breach did not expose account holders’ names, physical addresses, email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

In a statement to BleepingComputer, T-Mobile stated that this breach affected a “small number of customers (less than 0.2%).”  T-Mobile has approximately 100 million customers, which equates to around 200,000 people affected by this breach.

[…]

Source: T-Mobile data breach exposed phone numbers, call records