On Wednesday, security firm FireEye released a report on a disinformation-focused group it’s calling Ghostwriter. The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they’ve posted fake content on everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter has deployed a bolder tactic: hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content.

That hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more. “They’re spreading these stories that NATO is a danger, that they resent the locals, that they’re infected, that they’re car thieves,” says John Hultquist, director of intelligence at FireEye. “And they’re pushing these stories out with a variety of means, the most interesting of which is hacking local media websites and planting them. These fictional stories are suddenly bona fide by the sites that they’re on, and then they go in and spread the link to the story.”

[…]

the company’s analysts have found that the news site compromises and the online accounts used to spread links to those fabricated stories, as well as the more traditional creation of fake news on social media, blogs, and websites with an anti-US and anti-NATO bent, all tie back to a distinct set of personas, indicating one unified disinformation effort. FireEye’s Hultquist points out that the campaign doesn’t seem financially motivated, indicating a political or state backer, and notes that the focus on driving a wedge between NATO and citizens of Eastern Europe hints at possible Russian involvement.

Nor would it be the first time that Russian hackers planted fake news stories; in 2017, US intelligence agencies concluded that Russian hackers breached Qatar’s state news agency and planted a fake news story designed to embarrass the country’s leader and cause a rift with the US, though US intelligence never confirmed the Kremlin’s involvement.

“We can’t concretely tie it to Russia at this time, but it’s certainly in line with their interests,” Hultquist says of the Ghostwriter campaign. “It wouldn’t be a surprise to me if this is where the evidence leads us.”

Source: Hackers Broke Into Real News Sites to Plant Fake Stories | WIRED

On Tuesday, the US Department of Justice charged two Chinese nationals with allegedly hacking hundreds of organizations and individuals in America and elsewhere to steal confidential corporate secrets on behalf of Beijing for more than a decade.

The pilfered files are said to be worth hundreds of millions of dollars, and in some cases, it is claimed, the pair tried to extort money out of their victims: pay up, or the trade secrets leak.

The targeted organizations are said to include a British AI and cancer research biz, an Australian defense contractor, a South Korean shipbuilder and engineering giant, German software makers, American pharmaceutical, software, and defense corporations, and the US Dept of Energy’s Hanford site.

Assistant Attorney General John Demers and other US officials held a press conference on Tuesday to unseal the 11-count indictment [PDF], returned by a grand jury on July 7, against Li Xiaoyu, 34, and Dong Jiazhi, 33.

“The campaign targeted intellectual property and confidential business information held by the private sector, including COVID-19-related treatment, testing, and vaccines,” said Demers in prepared remarks.

“The hackers also targeted the online accounts of non-governmental organizations and individual dissidents, clergy, and democratic and human rights activists in the United States, China, Hong Kong, and abroad.”

According to the indictment, Li and Dong, former classmates at an electrical engineering college in Chengdu, China, have been hacking into high tech manufacturing, civil, industrial, and medical engineering firms, software companies of all sorts, solar companies, and pharmaceuticals, among others, since 2009.

The US claims that the two accused worked both for themselves and with the backing of the Chinese government’s Ministry of State Security. This assistance included being supplied with zero-day vulnerabilities exploits to facilitate their intrusion.

But often their hacking sprees, it’s alleged, involved the exploitation of publicly known vulnerabilities. The accused hackers are said to have used a program called China Chopper to install web shells to execute commands on victims’ networks and exfiltrate documents. The duo also uploaded password-stealing malware, it is claimed.

The pilfered data, it’s claimed, was often packed up on the RAR archive files that were concealed through the use of innocuous file names and common file extensions like .jpg. The hackers are said to have frequently used the recycle bin on Windows machines to store and move files because administrators are less likely to look there.

Adding insult to injury

“The defendants stole hundreds of millions of dollars’ worth of trade secrets, intellectual property, and other valuable business information,” the indictment says.

“At least once, they returned to a victim from which they had stolen valuable source code to attempt an extortion – threatening to publish on the internet, and thereby destroy the value of, the victim’s intellectual property unless a ransom was paid.”

The indictment also accuses the pair of providing Chinese authorities with the passwords of email accounts belonging to Chinese dissidents and to academics in the US and other countries.

Recently, Li and Dong are said to have been researching vulnerabilities in the networks of biotech firms involved in COVID-19 vaccine research. It’s claimed they have gone after organizations and individuals in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom.

“China’s anti-competitive behavior and flagrant disregard for their promises not to engage in cyber-enabled intellectual property theft is not just a domestic issue; it is a global issue,” said Demers.

The defendants have each been charged with one count of conspiracy to commit computer fraud, theft of trade secrets, wire fraud, and unauthorized access of a computer, and with seven counts of aggravated identity theft.

China has no extradition treaty with the US, and relations between two countries are not particularly cordial at the moment, which makes it highly unlikely either of the two defendants will ever appear in a US courtroom unless they get really stupid crossing borders. That seems unlikely now.

Source: Bad: US govt says Chinese duo hacked, stole blueprints from just about everyone. Also bad: They extorted cash • The Register

Twitter has admitted that the naughty folk who hijacked verified accounts last week read a portion of hacked users’ direct messages.

Among the 36 Twitter users whose direct messages (DMs), email addresses and phone numbers were definitely accessed by account hijackers last week was one Dutch politician, the microblogging platform said overnight.

“We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed,” Twitter said in an updated post.

The hack happened after an individual or persons unknown gained access to Twitter’s administrative tools, allegedly after bribing a company insider.

As we reported last week, a number of Twitter accounts belonging to high-profile individuals were compromised. Those accounts all have blue ticks, indicating that they really do belong to whomever’s name and mugshot they bear.

Source: Twitter hack latest: Up to 36 compromised accounts had their private messages read – including a Dutch politician’s • The Register

In a study published by Xuanwu Labs (which is owned by Chinese tech giant Tencent), researchers detailed the BadPower hack which works by manipulating the firmware inside fast charge power adapters.

Normally, when a phone is connected to a power brick with support for fast charging, the phone and the power adapter communicate with each other to determine the proper amount of electricity that can be sent to the phone without damaging the device—the more juice the power adapter can send, the faster it can charge the phone.

However, by hacking the fast charging firmware built into a power adapter, Xuanwu Labs demonstrated that bad actors could potentially manipulate the power brick into sending more electricity than a phone can handle, thereby overheating the phone, melting internal components, or as Xuanwu Labs discovered, setting the device on fire.

After confirming the results of the research, Xuanwu labs decided to test BadPower by loading it onto 35 different power bricks (out of 234 available models currently on sale) and discovered that 18 of those chargers (made by eight different vendors) were susceptible to the attack.

To make matters worse, if BadPower is used to hack a power brick, there would be no external signs or easy ways of detecting that the device had been tampered with. Fortunately, for now, it will require the bad actor to have physical access to the power adapter. The researchers at Xuanwu claimed hacking a power adapter was as simple as connecting it to a portable, custom-designed rig that can upload malicious code to the power brick in a just a few seconds. And in some cases, the researchers were able to upload BadPower just by connecting a power adapter to an infected phone or laptop.

Source: BadPower Attack Can Trick Power Bricks into Starting a Fire

Russian hackers at the state’s FSB spy agency have been caught breaking into Western institutions working on potential vaccines for the COVID-19 coronavirus in hope of stealing said research. That’s according to the British National Cyber Security Centre and America’s NSA today.

The Kremlin-backed APT29 crew, also known by a variety of other names such as Cozy Bear, Iron Hemlock, or The Dukes, depending on which threat intel company you’re talking to that week, is believed by most reputable analysts to be a wholly owned subsidiary of the FSB, modern-day successor to the infamous Soviet KGB.

NCSC ops director Paul Chichester said in a statement: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic.”

Foreign Secretary Dominic Raab added: “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.”

NCSC and its international chums say they are 95 per cent confident that the attacks they investigated came from Russia. By abusing publicly known vulnerabilities, including those in Citrix and popular VPN products, the Russians were able to gain access to targeted networks. Once inside they deploy a custom malware named WellMess or WellMail, it’s claimed.

“WellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS and DNS communications methods,” said NCSC in its advisory [PDF complete with IOCs and detection rules].

WellMail uses SMTP port 25 to communicate, runs commands or scripts, and uploads its findings to a hard-coded command and control server using TLS encryption. Both pieces of malware are written in Go, the open source language devised by Google. The report neatly summarizes the situation:

Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.

Intriguingly, NCSC – along with the US CISA and Canada’s Communications Security Establishment – also said APT29 was deploying a custom malware it named SoreFang against products from Chinese enterprise networking biz Sangfor. However, it cautioned that Sangfor was already a target for other malicious folk before APT29 got wind of it and so not all attacks against Sangfor kit were necessarily proof of state-level espionage.

Today’s attribution follows on from warnings back in May that nameless-but-nefarious bods were targeting those same coronavirus research institutions. In light of today’s news, it could be argued that that public shot across the FSB’s bows didn’t do much to stop the digital attacks.

“This also demonstrates that Iron Hemlock (aka APT29, Cozy Bear) is a very capable threat actor that conducts low visibility operations over an extended period, since at least 2018 in this case, while attracting minimal publicity,” Rafe Pilling, a researcher at infosec biz Secureworks, told The Register.

“Every time we see this group emerge in public they are using novel malware and tradecraft. A strong focus on operational security prompts constant change, a stark contrast to some of their comrades in other parts of government and the military.”

He added that it’s not just Russia doing the hacking, although Vladimir Putin’s nation is at the forefront of today’s report: “The NCSC report emphasises that the global interest in COVID-19 is driving an intelligence collection agenda for Russia, as well as nations like Iran, that has previously been identified targeting COVID-19 related research,” he opined.

“The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research.”

Meanwhile, Mandiant Threat Intelligence’s John Hultquist said in a statement that APT29 tended to stay below the radar and steal data, making today’s attribution all the more eye-catching for espionage watchers.

“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,” he explained. “Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”

Back in 2015 Fireeye observed APT29 deploying a Twitter-dependent malware strain it called Hammertoss, while last year Eset spotted the same hackers quietly targeting EU nations’ foreign offices and embassies. It seems the state-backed threat is never all that far away

Source: FYI Russia is totally hacking the West’s labs in search of COVID-19 vaccine files, say UK, US, Canada cyber-spies • The Register

The Central Intelligence Agency has conducted a series of covert cyber operations against Iran and other targets since winning a secret victory in 2018 when President Trump signed what amounts to a sweeping authorization for such activities, according to former U.S. officials with direct knowledge of the matter.

The secret authorization, known as a presidential finding, gives the spy agency more freedom in both the kinds of operations it conducts and who it targets, undoing many restrictions that had been in place under prior administrations. The finding allows the CIA to more easily authorize its own covert cyber operations, rather than requiring the agency to get approval from the White House.

Unlike previous presidential findings that have focused on a specific foreign policy objective or outcome — such as preventing Iran from becoming a nuclear power — this directive, driven by the National Security Council and crafted by the CIA, focuses more broadly on a capability: covert action in cyberspace.

The “very aggressive” finding “gave the agency very specific authorities to really take the fight offensively to a handful of adversarial countries,” said a former U.S. government official. These countries include Russia, China, Iran and North Korea — which are mentioned directly in the document — but the finding potentially applies to others as well, according to another former official. “The White House wanted a vehicle to strike back,” said the second former official. “And this was the way to do it.”

The CIA’s new powers are not about hacking to collect intelligence. Instead, they open the way for the agency to launch offensive cyber operations with the aim of producing disruption — like cutting off electricity or compromising an intelligence operation by dumping documents online — as well as destruction, similar to the U.S.-Israeli 2009 Stuxnet attack, which destroyed centrifuges that Iran used to enrich uranium gas for its nuclear program.

The finding has made it easier for the CIA to damage adversaries’ critical infrastructure, such as petrochemical plants, and to engage in the kind of hack-and-dump operations that Russian hackers and WikiLeaks popularized, in which tranches of stolen documents or data are leaked to journalists or posted on the internet. It has also freed the agency to conduct disruptive operations against organizations that were largely off limits previously, such as banks and other financial institutions.

Another key change with the finding is it lessened the evidentiary requirements that limited the CIA’s ability to conduct covert cyber operations against entities like media organizations, charities, religious institutions or businesses believed to be working on behalf of adversaries’ foreign intelligence services, as well as individuals affiliated with these organizations, according to former officials.

“Before, you would need years of signals and dozens of pages of intelligence to show that this thing is a de facto arm of the government,” a former official told Yahoo News. Now, “as long as you can show that it vaguely looks like the charity is working on behalf of that government, then you’re good.”

The CIA has wasted no time in exercising the new freedoms won under Trump. Since the finding was signed two years ago, the agency has carried out at least a dozen operations that were on its wish list, according to this former official. “This has been a combination of destructive things — stuff is on fire and exploding — and also public dissemination of data: leaking or things that look like leaking.”

Some CIA officials greeted the new finding as a needed reform that allows the agency to act more nimbly. “People were doing backflips in the hallways [when it was signed],” said another former U.S. official.

But critics, including some former U.S. officials, see a potentially dangerous attenuation of intelligence oversight, which could have unintended consequences and even put people’s lives at risk, according to former officials.

The involvement of U.S. intelligence agencies in hack-and-dump activities also raises uncomfortable comparisons for some former officials. “Our government is basically turning into f****ing WikiLeaks, [using] secure communications on the dark web with dissidents, hacking and dumping,” said one such former official.

The CIA declined to comment or respond to an extensive list of questions from Yahoo News. The National Security Council did not respond to multiple written requests for comment.

[…]

Source: Secret Trump order gives CIA more powers to launch cyberattacks

Twitter has offered its initial analysis of the Wednesday mass hijacking of prominent twits’ accounts – and suggested it all kicked off after its staff fell for social engineering.

Judging from leaked screenshots of Twitter’s internal systems circulating online and seen by El Reg, it appears one or more miscreants were able to gain direct or indirect access to an administration panel used by Twitter employees to configure accounts, by tricking or coercing the social network’s staff.

From there, the crooks were, at least in some cases, seemingly able to change the registered email addresses of celebrities, corporations, crypto-coin exchanges, publications, and politicians’ accounts – think Apple, Uber, Bill Gates, Elon Musk, Joe Biden, and so on – to an inbox they controlled, requested password resets, and logged in to tweet Bitcoin scams to millions of followers. The miscreants may have been able to disable multi-factor authentication from the inside, too.

According to Vice, hackers boasted they had a paid mole inside Twitter who did all the dirty work for them. The social network’s spokespeople said it was still investigating exactly how it all went down.

Twitter’s support account spelled out its side of the story so far this evening:

We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.

— Twitter Support (@TwitterSupport) July 16, 2020

We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.

— Twitter Support (@TwitterSupport) July 16, 2020

We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.

— Twitter Support (@TwitterSupport) July 16, 2020

Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.

— Twitter Support (@TwitterSupport) July 16, 2020

The Twitter accounts of both The Register and your humble hack’s brother Anthony Sharwood are verified by the avian network. Both were unable to tweet once Twitter discovered the incident and both received no direct communication from Twitter about the status of our accounts nor any details of whether the incident posed a risk to personal data.

But not all functionality was removed. Sharwood the younger said he was able to send direct messages during the incident. “I sent a guy a DM to apologise that I couldn’t respond to a tweet,” he said.

Indeed, The Register‘s own verified account couldn’t tweet, but could send direct messages as well as retweet and like other tweets.

[…]

The hijackers used their ill-gotten access to post tweets in which celebrities promised to double users’ Bitcoin balances as an act of philanthropy – and more than $100,000 in cryptocurrency was transferred by hopefuls with no sign of any payback. That’s probably a better result than putting incendiary remarks in the mouth of a world leader with millions of followers, though. Or more-than-usually incendiary in the case of a certain US President

Source: Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree • The Register

The Russian hacker accused of raiding LinkedIn, Dropbox and Formspring, and obtaining data on 213 million user accounts, has been found guilty.

On Friday, Yevgeniy Nikulin was convicted [PDF] by a San Francisco jury of committing computer intrusion, data theft, and other charges [PDF] relating to the databases he broke into and siphoned off in 2012.

The jury reckoned Nikulin probably swiped the LinkedIn account details, all 117 million of them, for commercial gain, though they didn’t think greed played a role in his theft of 28 million account records from Formspring and 68 million from Dropbox. The Linkedin info was put up for sale, and leaked online along with the Dropbox data and at least a portion of the Formspring haul. The data contained usernames, email addresses, and hashed passwords.

The prosecution outlined how Nikulin had stolen the login credentials of employees at a bunch of US tech firms, and then used them to access back-end systems before downloading vast amounts of personal data that he later sold. Much of the case rested on persuading the jury that various pseudonyms used by the hacker were, in fact, Nikulin.

Despite the unanimous jury decision, it was far from certain Nikulin would be found guilty, with district judge William Alsup repeatedly criticizing the prosecution’s case, at one point calling it “gobbledygook,” and the next day “mumbo jumbo,” as prosecutors tried to connect Nikulin to a wider hacking conspiracy.

Nikulin’s defense team argued the only solid evidence connecting him to the hacker was a document provided by the Russian government whose reliability it questioned, arguing that Nikulin had been set up by the Russians, who were feeding misinformation. Nikulin himself may have been hacked, his lawyer argued.

The FBI in response said that it had tracked Nikulin down to his Moscow apartment by following the hacker’s IP addresses and then confirmed it was him by observing his communications with others. As one example, an FBI agent testified that the hacker, using the alias “dex.007”, had told another hacker that he was going to buy himself a $25,000 watch for his 25th birthday. Nikulin turned 25 the day afterwards, said the agent.

Flash the cash… then dash

It was Nikulin’s ostentatious taste that finally led to his downfall. He was a wanted man, and Interpol, at the request of the US, had issued a Red Notice for his arrest. He attracted the attention of the Czech police when he visited Prague in 2016 with his girlfriend, driving around in a flashy car and spending liberally. The cops nabbed him in a restaurant.

Despite having been arrested four years ago, the trial has been dogged by delays; first by Russian authorities who tried to prevent him being extradited to America, and then following a lengthy dispute over whether he was mentally fit to stand trial.

When the trial finally began, it was almost immediately put on hold due to the coronavirus outbreak and was nearly abandoned after jury members made it plain they were uncomfortable spending the whole day in a confined space.

Source: Guilty: Russian miscreant who hacked LinkedIn, Dropbox, Formspring, stole 200-million-plus account records • The Register

Hackers infiltrated Collabera, siphoned off at least some employees’ personal information, and infected the US-based IT consultancy giant’s systems with ransomware.

We understand this swiped data included workers’ names, addresses, contact and social security numbers, dates of birth, employment benefits, and passport and immigration visa details. Basically, everything needed for identity theft. The recruitment’n’staffing biz, which employs more than 16,000 people globally and banks hundreds of millions of dollars a year in sales, does not believe the lifted records have been used for fraud.

Collabera could not be reached for comment, though El Reg has seen a copy of the internal memo sent to staff disclosing the details of the leak. File-scrambling malware was detected on the IT consultants’ network on June 8, and within a couple of days, it emerged at least some data had been stolen, according to the business.

Source: Collabera hacked: IT staffing’n’services giant hit by ransomware, employee personal data stolen • The Register

Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.

The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.

A partial screenshot of the BlueLeaks data cache.

In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

Fusion centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners.

KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.

“Additionally, the data dump contains emails and associated attachments,” the alert reads. “Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”

[…]

---

22
Jun 20

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.

The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.

A partial screenshot of the BlueLeaks data cache.

In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

Fusion centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners.

KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.

“Additionally, the data dump contains emails and associated attachments,” the alert reads. “Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”

The NFCA said it appears the data published by BlueLeaks was taken after a security breach at Netsential, a Houston-based web development firm.

“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise,” the NFCA wrote. “Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”

Source: ‘BlueLeaks’ Exposes Files from Hundreds of Police Departments — Krebs on Security

Social media research group Graphika published today a 120-page report [PDF] unmasking a new Russian information operation of which very little has been known so far.

Codenamed Secondary Infektion, the group is different from the Internet Research Agency (IRA), the Sankt Petersburg company (troll farm) that has interfered in the US 2016 presidential election.

Graphika says this new and separate group has been operating since 2014 and has been relying on fake news articles, fake leaks, and forged documents to generate political scandals in countries across Europe and North America.

The research team says it  first learned of the group from reports published by Reddit and Facebook last year, along with previous research done by the Atlantic Council’s Digital Forensic Research Lab.

Graphika says that based on previous research, they’ve now tracked down more than 2,500 pieces of content the Secondary group Infektion has posted online since early 2014.

According to Graphika’s analysis, most of the group’s content has followed nine primary themes:

• Ukraine as a failed state or unreliable partner
• The United States and NATO as aggressive and interfering in other countries
• Europe as weak and divided
• Critics of the Russian government as morally corrupt, alcoholic, or otherwise mentally unstable
• Muslims as aggressive invaders
• The Russian government as the victim of Western hypocrisy or plots
• Western elections as rigged and candidates who criticized the Kremlin as unelectable
• Turkey as an aggressive and destabilizing state
• World sporting bodies and competitions as unfair, unprofessional, and Russophobic

Graphika says that most of this content has been aimed at attacking classic Russian political rivals like Ukraine, the US, Poland, and Germany, but also other countries where Russian influence came under attack, at one point or another.

Graphika said the group didn’t publish only in English, but also adapted to each target and published content in its local language. In total, researchers found content posted in seven languages.

Unlike the IRA, which was primarily focused on creating division at the level of regular citizens, Secondary Infektion’s primary role appears to been to influence decisions at the highest level of foreign governments.

This was done by attempting to influence political decisions by creating fake narratives, pitting Western countries against each other, and by embarrassing anti-Russian politicians using fake articles and forged documents.

“The ‘leaks’ typically exposed some dramatic geopolitical scandal, such as a prominent Kremlin critic’s corrupt dealings or secret American plans to overthrow pro-Kremlin governments around the world,” the Graphika team said today.

The group had operations going during the US presidential elections in 2016, the French elections in 2017, and in Sweden in 2018, but election interferene was never the group’s primary target.

Graphika said the group “aimed to exacerbate divisions between countries, trying to set Poles against Germans, Germans against Americans, Americans against Britons, and absolutely everyone against Ukrainians.”

Secondary Infektion liked blogs more than social media

Furthermore, another way in which Secondary Infektion differed from the more well-known IRA was that while the IRA was mostly active on social media networks, the Secodanry Infektion gang had a broader reach, with a lot of its content being published on blogs and news  sites.

Graphika said it found content published on more than 300 platforms, from social media giants such as Facebook, Twitter, YouTube, and Reddit to blogging platforms like WordPress and Medium, but also niche discussion forums in Pakistan and Australia.

Graphika researchers also said Secondary Infektion was more advanced than the IRA. Unlike the sloppy IRA operators who were easily traced back to an exact building in Sankt Petersburg, Russia, the mystery about Secondary Infektion’s real identity remains unsolved.

“[Secondary Infektion’s] identity is the single most pressing question to emerge from this study,” the Graphika team wrote in its report today.

Researchers said the group managed to keep its identity secret because they paid very close attention to operational security (OpSec). Graphika says Secondary Infektion agents employed single-use burner accounts for almost everything they posted online, abandoning each account in less than an hour after promoting their content.

This approach has made it more difficult for the group to build a dedicated audience but has allowed it to orchestrate high-impact operations for years, without giving away their infrastructure, modus operandi, and goals.

With its identity still a secret, the group is expected to continue operating and sowing conflict between Russia’s rivals.

Source: Super secretive Russian disinfo operation discovered dating back to 2014 | ZDNet

Threat intel researchers have uncovered a phishing and malware campaign that targeted “a large European aerospace company” and which was run by the same North Koreans behind the hack of Sony Pictures.

While there are quite a few European aerospace firms, Slovakian infosec biz ESET was more concerned with the phishing ‘n’ malware campaign it detected on behalf of its unnamed client.

Branded “Operation Interception” by ESET, the researchers claimed the “highly targeted cyberattacks” were being spread by North Korean baddies Lazarus Group, who were behind the 2014 hack of Sony’s American entertainment business.

The threat group’s latest detected campaign involved targeting aerospace folk via LinkedIn, said the infoseccers. ESET researcher Jean-Ian Boutin explained: “In our case they were impersonating Collins Aerospace and General Dynamics (GD), two organisations in the same vertical as the targeted European organisations,”. He said the Norks were targeting people who worked in “sales, marketing, tech, general admin” roles.

Collins and GD are two of the bigger names in North American aerospace; among other things, Collins makes avionic instruments and software while GD has fingers in pies ranging from the F-16 fighter jet through Gulfstream corporate aircraft, US Navy submarines and armoured vehicles. As bait dangled before honest people hoping to take a major step forwards in an aerospace career, these two companies were tempting lures.

“The [job] offer seemed too good to be true,” said Boutin as he explained the Lazarus ruse to The Reg. “Maybe [the recipient’s] career could take off in a big way?”

Once into a target’s network the criminals would try to brute-force any Active Directory admin accounts they could find, as well as exfiltrate data by bundling it into a RAR archive and trying to upload it to a Dropbox account.

After the victim had been suitably reeled in, Lazarus would try to induce them to download a password-protected RAR archive “containing a LNK file.” Once clicked, that LNK file appeared to the victim to download a PDF containing job information. In the background, however, it also downloaded a malicious EXE that created a bunch of folders and set a Windows scheduled task to run a remote script every so often.

ESET illustration showing the Lazarus Group attack progression

The attackers were most insistent that the victim only respond to their job offer on a Windows machine running Internet Explorer. Once in, they resorted to PowerShell – taking advantage of the fact that “the logging of executed PowerShell commands is disabled by default,” although evidence was found that the Lazarus crew went through the connected domain to enumerate all Active Directory accounts before trying to brute-force their way into admin accounts.

To avoid Windows security features blocking their malware, Lazarus also signed their code using a certificate first issued to 16:20 Software LLC, an American firm said by ESET to have been incorporated in May 2010.

Among other clues linking the malware’s components back to North Korea, Boutin said his team had seen build timestamps “added by the compiler showing when the executable was compiled” which neatly cross-referenced with normal office hours for East Asia. Corroborating that were some “host fingerprinting” techniques which uncovered various digital fragments “similar to backdoors the Lazarus Group is known to use,” as Boutin put it.

What made the lure so sneaky was the fact it was targeting potential jobseekers looking to leave their current employer, a fact that Boutin speculated may have made some victims less likely to report it to their current employer’s cybersecurity teams.

Lazarus Group was last seen in public after it was caught sniffing around macOS with a trojan targeting users of Apple’s desktop operating system. ®

Source: From the crew behind the Sony Pictures hack comes Operation Interception: An aerospace cyber-attack thriller

The list of sophisticated eavesdropping techniques has grown steadily over years: wiretaps, hacked phones, bugs in the wall—even bouncing lasers off of a building’s glass to pick up conversations inside. Now add another tool for audio spies: Any light bulb in a room that might be visible from a window.

Researchers from Israeli’s Ben-Gurion University of the Negev and the Weizmann Institute of Science today revealed a new technique for long-distance eavesdropping they call “lamphone.” They say it allows anyone with a laptop and less than a thousand dollars of equipment—just a telescope and a $400 electro-optical sensor—to listen in on any sounds in a room that’s hundreds of feet away in real-time, simply by observing the minuscule vibrations those sounds create on the glass surface of a light bulb inside. By measuring the tiny changes in light output from the bulb that those vibrations cause, the researchers show that a spy can pick up sound clearly enough to discern the contents of conversations or even recognize a piece of music.

“Any sound in the room can be recovered from the room with no requirement to hack anything and no device in the room,” says Ben Nassi, a security researcher at Ben-Gurion who developed the technique with fellow researchers Yaron Pirutin and Boris Zadov, and who plans to present their findings at the Black Hat security conference in August. “You just need line of sight to a hanging bulb, and this is it.”

In their experiments, the researchers placed a series of telescopes around 80 feet away from a target office’s light bulb, and put each telescope’s eyepiece in front of a Thorlabs PDA100A2 electro-optical sensor. They then used an analog-to-digital converter to convert the electrical signals from that sensor to digital information. While they played music and speech recordings in the faraway room, they fed the information picked up by their set-up to a laptop, which analyzed the readings.

The researchers found that the tiny vibrations of the light bulb in response to sound—movements that they measured at as little as a few hundred microns—registered as a measurable changes in the light their sensor picked up through each telescope. After processing the signal through software to filter out noise, they were able to reconstruct recordings of the sounds inside the room with remarkable fidelity: They showed, for instance, that they could reproduce an audible snippet of a speech from President Donald Trump well enough for it to be transcribed by Google’s Cloud Speech API. They also generated a recording of the Beatles’ “Let It Be” clear enough that the name-that-tune app Shazam could instantly recognize it.

The technique nonetheless has some limitations. In their tests, the researchers used a hanging bulb, and it’s not clear if a bulb mounted in a fixed lamp or a ceiling fixture would vibrate enough to derive the same sort of audio signal. The voice and music recordings they used in their demonstrations were also louder than the average human conversation, with speakers turned to their maximum volume. But the team points out that they also used a relatively cheap electro-optical sensor and analog-to-digital converter, and could have upgraded to a more expensive one to pick up quieter conversations. LED bulbs also offer a signal-to-noise ratio that’s about 6.3 times that of an incandescent bulb and 70 times a fluorescent one.

Source: Spies Can Eavesdrop by Watching a Light Bulb’s Vibrations  | WIRED

New Delhi-based BellTroX InfoTech Services targeted government officials in Europe, gambling tycoons in the Bahamas, and well-known investors in the United States including private equity giant KKR and short seller Muddy Waters, according to three former employees, outside researchers, and a trail of online evidence.

Aspects of BellTroX’s hacking spree aimed at American targets are currently under investigation by U.S. law enforcement, five people familiar with the matter told Reuters. The U.S. Department of Justice declined to comment.

Reuters does not know the identity of BellTroX’s clients. In a telephone interview, the company’s owner, Sumit Gupta, declined to disclose who had hired him and denied any wrongdoing.

Muddy Waters founder Carson Block said he was “disappointed, but not surprised, to learn that we were likely targeted for hacking by a client of BellTroX.” KKR declined to comment.

Researchers at internet watchdog group Citizen Lab, who spent more than two years mapping out the infrastructure used by the hackers, released a report here on Tuesday saying they had “high confidence” that BellTroX employees were behind the espionage campaign.

“This is one of the largest spy-for-hire operations ever exposed,” said Citizen Lab researcher John Scott-Railton.

Although they receive a fraction of the attention devoted to state-sponsored espionage groups or headline-grabbing heists, “cyber mercenary” services are widely used, he said. “Our investigation found that no sector is immune.”

A cache of data reviewed by Reuters provides insight into the operation, detailing tens of thousands of malicious messages designed to trick victims into giving up their passwords that were sent by BellTroX between 2013 and 2020. The data was supplied on condition of anonymity by online service providers used by the hackers after Reuters alerted the firms to unusual patterns of activity on their platforms.

The data is effectively a digital hit list showing who was targeted and when. Reuters validated the data by checking it against emails received by the targets.

On the list: judges in South Africa, politicians in Mexico, lawyers in France and environmental groups in the United States. These dozens of people, among the thousands targeted by BellTroX, did not respond to messages or declined comment.

Reuters was not able to establish how many of the hacking attempts were successful.

BellTroX’s Gupta was charged in a 2015 hacking case in which two U.S. private investigators admitted to paying him to hack the accounts of marketing executives. Gupta was declared a fugitive in 2017, although the U.S. Justice Department declined to comment on the current status of the case or whether an extradition request had been issued.

Speaking by phone from his home in New Delhi, Gupta denied hacking and said he had never been contacted by law enforcement. He said he had only ever helped private investigators download messages from email inboxes after they provided him with login details.

Source: Exclusive: Obscure Indian cyber firm spied on politicians, investors worldwide – Reuters

Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline.

As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet about the hack until mid-May, though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack.

Today emails from the company began arriving with customers. One seen by The Register read:

Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020. Your passport and credit card details were not accessed, however information including where you were travelling from and to, your departure date, booking reference number, the booking date and the value of the booking were accessed.

We are very sorry this has happened.

It also warned victims to be on their guard against phishing attacks by miscreants using the stolen records, especially if any “unsolicited communications” arrived appearing to be from Easyjet or its package holidays arm.

Perhaps to avoid spam filters triggered by too many links, the message mentioned, but did not link to, a blog post from the Information Commissioner’s Office titled, “Stay one step ahead of the scammers,” as well as one from the National Cyber Security Centre, published last year, headed: “Phishing attacks: dealing with suspicious emails and messages.”

There was no mention in the message to customers of compensation being paid as a result of the hack. Neither, when El Reg asked earlier this week, did Easyjet address the question of compo or credit monitoring services.

Source: It wasn’t just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims • The Register

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It’s about a data breach with almost 90GB of personal information in it across tens of millions of records – including mine. Here’s what I know:

Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total, the first 30 of which look like this:

The global unique identifier beginning with “db8151dd” features heavily on these first lines hence the name I’ve given the breach. I’ve had to give it this name because frankly, I’ve absolutely no idea where it came from, nor does anyone else I’ve worked on with this.

It’s mostly scrapable data from public sources, albeit with some key differences. Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn’t a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I’ve interacted with in the past as though the data source understood the association. I found that highly unusual as it wasn’t someone I’d expect to see a strong association with and I couldn’t see any other similar folks. But it’s the next class of data in there which makes this particularly interesting and I’m just going to quote a few snippets here:

Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007.

Met at the 6th National Pro Bono Conference in Ottawa in September 2016

Met on 15-17 October 2001 in Vancouver for the Luscar/Obed/Coal Valley arbitration.

It feels like a CRM. These are records of engagement the likes you’d capture in order to later call back to who had been met where and what they’d done. It wasn’t just simple day to day business interaction stuff either, there was also this:

But then there’s also a bunch of legal summaries, for example “CASE CLOSING SUMMARY ON USA V. [redacted]” and “10/3/11 detention hrg in court 20 min plus travel split with [redacted]”— Troy Hunt (@troyhunt) February 23, 2020

But nowhere – absolutely nowhere – was there any indication of where the data had originated from. The closest I could get to that at all was the occurrence of the following comments which appeared over and over again:

This contact information was synchronized from Exchange. If you want to change the contact information, please open OWA and make your changes there.

Exported from Microsoft Outlook (Do not delete)

Contact Created By Evercontact

Evercontact did actually reach out and we discussed the breach privately but it got us no closer to a source. I communicated with multiple infosec journalists (one of whose own personal data was also in the breach) and still, we got no closer. Over the last 3 months I kept coming back to this incident time and time again, looking at the data with fresh eyes and each time, coming up empty. And just before you ask, no, cloud providers won’t disclose which customer owns an asset but they will reach out to those with unsecured assets.

Today is the end of the road for this breach investigation and I’ve just loaded all 22,802,117 email addresses into Have I Been Pwned.  Why load it at all? Because every single time I ask about whether I should add data from an unattributable source, the answer is an overwhelming “yes”:

If I have a MASSIVE spam list full of personal data being sold to spammers, should I load it into @haveibeenpwned?— Troy Hunt (@troyhunt) November 15, 2016

So, mark me down for another data breach of my own personal info. There’s nothing you nor I can do about it beyond being more conscious than ever about just how far our personal information spreads without our consent and indeed, without our knowledge. And, perhaps most alarmingly, this is far from the last time I’ll be writing a blog post like this.

Edit 1: No, I don’t load complete and individual records into HIBP, only email addresses. As such, only the presence of an address is searchable, the data associated with the address is not stored nor retrievable.

Edit 2: No, I can’t manually trawl through 100M+ records and extract yours out.

Edit 3: Thanks to some community sleuthing, the origin of this breach has now been identified as the Covve contacts app. Their public disclosure is in that link and they’ve also been in contact with regulators and had a couple of phone calls with myself.

Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions.

Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumored to have also happened at a high-performance computing center located in Spain.

The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported “security exploitation on the ARCHER login nodes,” shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.

The bwHPC, the organization that coordinates research projects across supercomputers in the state of Baden-Württemberg, Germany, also announced on Monday that five of its high-performance computing clusters had to be shut down due to similar “security incidents.” This included:

• The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
• The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
• The bwForCluster JUSTUS chemistry and quantum science supercomputer at the Ulm University
• The bwForCluster BinAC bioinformatics supercomputer at the Tübingen University

Reports continued on Wednesday when security researcher Felix von Leitner claimed in a blog post that a supercomputer housed in Barcelona, Spain, was also impacted by a security issue and had been shut down as a result.

More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it was disconnected a computing cluster from the internet following a security breach.

The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.” And so has the Technical University in Dresden, which announced they had to shut down their Taurus supercomputer as well.

New incidents also came to light today, on Saturday. German scientist Robert Helling published an analysis on the malware that infected a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany.

The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also shut down external access to its supercomputer infrastructure following a “cyber-incident” and “until having restored a safe environment.”

Attackers gained  access via compromise SSH logins

None of the organizations above published any details about the intrusions. However, earlier today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers across Europe, has released malware samples and network compromise indicators from some of these incidents.

The malware samples were reviewed earlier today by Cado Security, a US-based cyber-security firm. The company said the attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials.

The credentials appear to have been stolen from university members given access to the supercomputers to run computing jobs. The hijacked SSH logins belonged to universities in Canada, China, and Poland.

Chris Doman, Co-Founder of Cado Security, told ZDNet today that while there is no official evidence to confirm that all the intrusions have been carried out by the same group, evidence like similar malware file names and network indicators suggests this might be the same threat actor.

According to Doman’s analysis, once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.

[…]

Source: Supercomputers hacked across Europe to mine cryptocurrency | ZDNet

Hackers are threatening to release 756GB of A-list celebs’ contracts, recording deals, and other personal info allegedly stolen from a New York law firm.

The miscreants have seemingly got their hands on confidential agreements, private correspondence, contact details, and other information belonging to superstars, including Madonna, Christina Aguilera, Sir Elton John, Run DMC, Bruce Springsteen, Barbra Streisand, and Lady Gaga, and their representatives.

The data was swiped by the REvil, aka Sodinokibi, malware-slinging gang best known for taking down Travelex, infosec biz Emsisoft’s Brett Callow told The Register.

A Tor-hidden website belonging to REvil, which lists dozens of organizations compromised by the crew, includes screenshots of folders, a non-disclosure agreement, Madonna’s 2019-2020 tour arrangements, and Aguilera’s music rights as proof of its cyber-heist.

The gang claims to have hacked entertainment law firm Grubman Shire Meiselas & Sacks, based in the Big Apple, and siphoned its documents.

The law firm could not be reached for comment. We assume they were otherwise occupied. Their website right now just shows its logo whereas as recently as May 8, it listed its clients and staff.

“The documents purportedly include information about multiple music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s ‘Last Week Tonight With John Oliver,’ and Run DMC. Facebook also is on the hackers’ hit list,” reported showbiz industry mag Variety, which was also tipped off by Emsisoft.

The law firm also represents big name personalities in TV, film, and sport, and media and online giants, from Kate Upton and Robert De Niro to Sony, Spotify, Vice, and EMI. It is assumed the swiped data was partially leaked to encourage the lawyers to cough up a ransom demand – or the rest of the information would spill onto the dark web. ®

Updated to add

Grubman Shire Meiselas & Sacks have said they were hacked, and in a statement said: “We can confirm that we’ve been victimised by a cyber-attack. We have notified our clients and our staff. We have hired the world’s experts who specialise in this area, and we are working around the clock to address these matters.”

Source: Papa don’t breach: Contracts, personal info on Madonna, Lady Gaga, Elton John, others swiped in celeb law firm ‘hack’ • The Register

Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.

Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

We have found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection.

We have developed a free and open-source tool, Spycheck, to determine if your system is vulnerable. If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system.

[…]

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign. Users are therefore strongly encouraged to determine whether they are affected using Spycheck, a free and open-source tool we have developed that verifies whether their systems are vulnerable to Thunderspy. If it is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.

[…]

The Thunderspy vulnerabilities have been discovered and reported by Björn Ruytenberg. Please cite this work as:

Björn Ruytenberg. Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020. https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf

Source: Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

a hacker group created a fake icons hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.

The operation is what security researchers refer to these days as a web skimming, e-skimming, or a Magecart attack.

Hackers breach websites and then hide malicious code on its pages, code that records and steals payment card details as they’re entered in checkout forms.

[…]

Hackers created a fake icons hosting portal

In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.

The security firm says it discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon — the logo image shown in browser tabs.

The new favicon was a legitimate image file hosted on MyIcons.net, with no malicious code hidden inside it. However, while the change looked innocent, Malwarebytes said that web skimming code was still loaded on hacked sites, and there was clearly something strange with the new favicon.

[…]

The trick, according to Malwarebytes, was that the MyIcons.net website served a legitimate favicon file for all a website’s pages, except on pages that contained checkout forms.

On these pages, the MyIcons.net website would secretly switch the favicon with a malicious JavaScript file that created a fake checkout form and stole user card details.

Malwarebytes said that site owners investigating the incident and accessing the MyIcons.net website would find a fully-working icon hosting portal, and would be misled to believe it’s a legitimate site.

However, the security firm says MyIcons.net was actually a clone of the legitimate IconArchive.com portal, and that its primary role was to be a decoy.

Furthermore, the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.

Source: Hackers hide web skimmer behind a website’s favicon | ZDNet

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned.

The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

ZDNet has obtained copies of both data sets. We received the entire 44 million records released online today, but we also received a sample of 55 million user records that were part of the 115 million data dump. Based on the data sets, we can conclude that the two are the same.

According to our analysis of the leaked files, the data contained both personally-identifiable and telephony-related information. This includes the likes of:

• Customer full names
• Home addresses (city, region, street name)
• National identification (CNIC) numbers
• Mobile phone numbers
• Landline numbers
• Dates of subscription

The data included details for both Pakistani home users and local companies alike.

Details for companies matched public records and public phone numbers listed on companies’ websites. In addition, ZDNet also verified the validity of the leaked data with multiple Pakistani users.

Source: Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache | ZDNet

Christopher Bouzy, the founder of bot tracking platform Bot Sentinel, conducted a Twitter analysis for Business Insider and found bots and trolls are using hashtags like #ReOpenNC, #ReopenAmericaNow, #StopTheMadness, #ENDTHESHUTDOWN, and #OperationGridlock to spread disinformation. According to Bouzy, the bots and trolls are spreading conspiracy theories about Democrats wanting to hurt the economy to make Trump look bad, Democrats trying to take away people’s civil liberties, and Democrats trying to prevent people from voting. The accounts are also using false data to underplay the threat of the coronavirus.

[…]

“Inauthentic accounts are amplifying disinformation and inaccurate statistics and sharing false information as a reason to reopen the country,” Bouzy says. “Many of these accounts are also spreading bizarre conspiracy theories about Democrats using COVID-19 as a way to take away American freedoms and prevent Americans from voting.”

[…]

“Inauthentic accounts are downplaying the seriousness of COVID-19, and they sharing inaccurate information about the mortality rate of the virus. The problem is significant because many of these inauthentic accounts are retweeted by other larger accounts, which increases their reach and visibility.”

According to the New York Times, Chinese operatives spread claims on social media in mid-March that the Trump administration was going to lock down the entire country and enforce this lockdown with soldiers on the streets. The White House’s National Security Council later tweeted that these claims were false. That was just some of the disinformation that’s been spread on social media by inauthentic sources.

[…]

Brooke Binkowski, managing editor of the fact-checking website Truth or Fiction and former managing editor of Snopes, tells Business Insider that the media has been struggling with its coverage of the protests, which she says are “completely inauthentic and coordinated.”

“Journalists are largely missing that fact in their bids to find ‘other sides to the story,'” Binkowski says.

[…]

She believes that the disinformation is being spread by trolls and bots but also by “useful idiots.”

“Empowering violent extremists is a very old method for collapsing unstable states,” Binkowski says. “This is the end result of weaponized disinformation — it’s doing its job. It would have been the virus or it would have been something like a fire, or a hurricane, or an earthquake. But disinformation purveyors are nothing if not opportunistic.”

Source: Trolls, bots flooding social media with anti-quarantine disinformation – Business Insider

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say, PhantomLance’s hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app, and the victim will trust it because it’s Google Play.”

Kaspersky says it has tied the PhantomLance campaign to the hacker group OceanLotus, also known as APT32, widely believed to be working on behalf of the Vietnamese government. That suggests the PhantomLance campaign likely mixed spying on Vietnam’s Southeast Asian neighbors with domestic surveillance of Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus to previous operations that targeted Vietnamese dissidents and bloggers. FireEye also recently spotted the group targeting China’s Ministry of Emergency Management as well as the government of the Chinese province of Wuhan, apparently searching for information related to Covid-19.

The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps was fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks. In total, Firsh says, Kaspersky’s antivirus software detected the malicious apps attempting to infect around 300 of its customers phones.

In most instances, those earlier apps hid their intent better than the two that had lingered in Google Play. They were designed to be “clean” at the time of installation and only later add all their malicious features in an update. “We think this is the main strategy for these guys,” says Firsh. In some cases, those malicious payloads also appeared to exploit “root” privileges that allowed them to override Android’s permission system, which requires apps to ask for a user’s consent before accessing data like contacts and text messages. Kaspersky says it wasn’t able to find the actual code that the apps would use to hack Android’s operating system and gain those privileges.

Source: How Spies Snuck Malware Into the Google Play Store—Again and Again | WIRED

In a filing released on Thursday in federal court in Oakland, California, lawyers representing the social media giant alleged that NSO Group had used a network of remote servers in California to hack into phones and devices that were used by attorneys, journalists, human rights activists, government officials and others.

NSO Group has argued that Facebook’s case against it should be thrown out on the grounds that the court has no jurisdiction over its operations. In a 13 May legal document, lawyers representing NSO Group said that the company had no offices or employees in California and “do no business of any kind there.”

NSO has also argued that it has no role in operating the spyware and is limited to “providing advice and technical support to assist customers in setting up” the technology.

John Scott-Railton, a senior researcher at the Citizen Lab at the University Of Toronto’s Munk School, said evidence presented by Facebook on Thursday indicated NSO Group was in a position to “look over its customer’s shoulders” and monitor who its government clients were targeting.

“This is a gut punch to years of NSO’s claims that it can’t see what its customers are doing,” said Scott-Railton. He said it also shows that the Israeli company “probably knows a lot more about what its customers do than it would like to admit.”

NSO’s spyware, known as Pegasus, can gather information about a mobile phone’s location, access its camera, microphone and internal hard drive, and covertly record emails, phone calls and text messages. Researchers have accused the company of supplying its technology to countries that have used it to spy on dissidents, journalists and other critics.

A representative for NSO Group said its products are “used to stop terrorism, curb violent crime, and save lives.”

“NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States,” the representative said, adding that a response to Facebook’s legal filing was forthcoming.

In its filing, Facebook alleged that NSO had rented a Los Angeles-based server from a U.S. company, QuadraNet, that it used to launch 720 hacks on people’s smartphones or other devices. It’s unclear whether NSO Group’s software was used to target people within the U.S.. The company has previously stated that its technology “cannot be used on U.S. phone numbers.”

Facebook accused NSO Group of reverse-engineering WhatsApp, using an unauthorized program to access WhatsApp’s servers and deploying its spyware against approximately 1,400 targets. NSO Group was then able to “covertly transmit malicious code through WhatsApp servers and inject” spyware onto people’s devices without their knowledge, according to the Facebook’s legal filings.

“Defendants had no authority to access WhatsApp’s servers with an imposter program, manipulate network settings, and commandeer the servers to attack WhatsApp users,” Facebook alleged in the Thursday filing. “That invasion of WhatsApp’s servers and users’ devices constitutes unlawful computer hacking” under the Computer Fraud and Abuse Act.

Source: Facebook Accuses NSO Group of Using U.S. Servers for Spying – Bloomberg