The one thing no one expects on a job interview is North Korean hackers picking up on the other line. But that’s apparently exactly what happened to a hapless employee at Redbanc, the company that handles Chile’s ATM network.

The bizarre story was reported in trendTIC, a Chilean tech site. A Redbanc employee found a job opening on LinkedIn for a developer position. After setting up a Skype interview, the employee was then asked to install a program called ApplicationPDF.exe on their computer, trendTIC reports. The program was reportedly explained to be part of the recruitment process and generated a standard application form. But it was not an application form, it was malware.

Because the malware was then installed on a company computer, the hackers reportedly received important info about the employee’s work computer, including username, hardware and OS, and proxy settings. With all that info, the hackers would then be able to later deliver a second-stage payload to the infected computer.

As for the link to North Korea, an analysis by security firm Flashpoint indicates the malware utilized PowerRatankba, a malicious toolkit associated with Lazarus Group, a hacking organization with ties to Pyongyang. If you haven’t heard of these guys, you’ve definitely heard of the stuff they’ve been up to. Also known as Hidden Cobra, the Lazarus Group is linked with the Sony hack in 2014 and the WannaCry 2.0 virus, which infected 230,000 computers in 150 countries in 2017. They’re also known for targeting major banking and financial institutions and have reportedly absconded with $571 million in cryptocurrency since January 2017.

The hack reportedly took place at the end of December, but it was only made public after Chilean Senator Felipe Harboe took to Twitter last week to blast Redbanc for keeping the breach secret. Redbanc later acknowledged the breach occurred in a statement, but the company failed to mention any details.

That said, there were some serious security 101 no-no’s committed by the Redbanc employee that we can all learn from. Mainly, it doesn’t matter how much you hate your current gig, you should be suspicious if a prospective employer asks you to download any program that asks for personal information. Also, for multiple common-sense reasons, maybe don’t do job interviews on your dedicated work computer. And while it’s hard these days not to take work home, for security reasons, you should definitely be more discerning about the programs you download onto a work-issued device. Sounds simple enough, but then again, it happened to this poor fellow.

[ZDNet]

Source: North Korean Hackers Gain Access to Chilean ATMs Through Skype

The South Korea Ministry of National Defense says 10 of its internal PCs have been compromised by North Korea unknown hackers .

Korea’s Dong-A Ilbo reports that the targeted machines belonged to the ministry’s Defense Acquisition Program Administration, the office in charge of military procurement.

The report notes that the breached machines would have held information on purchases for things such as “next-generation fighter jets,” though the Administration noted that no confidential information was accessed by North Korea the yet-to-be identified infiltrators.

North Korea The mystery hackers got into the machines on October 4 of last year. Initially trying to break into 30 machines, the intruders only managed to compromise 10 of their targets.

After traversing the networks for more than three weeks the intrusion was spotted on October 26 by the National Intelligence Service, who noticed unusual activity on the procurement agency’s intellectual property servers.

An investigation eventually unearthed the breach, and concluded that North Korea the mystery hackers did get into a number of machines but didn’t steal anything that would be of use to North Korea a hostile government .

The incident was disclosed earlier this week in a report from a South Korean politician.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Dong-A Ilbo quotes Lthe politico as saying.

“Further investigation to find out if the source of attacks is North Korea or any other party.”

The report notes that the attack on the Defense Acquisition Program Administration appears to be part of a larger effort by North Korea an unknown group to infiltrate networks throughout the South Korean government in order to steal data.

The government says it is working on “extra countermeasures” to prevent future attacks by North Korea mystery foreign groups.

Source: South Korea says mystery hackers cracked advanced weapons servers • The Register

On December 28th, Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, analyzed the data stream of BinaryEdge search engine and identified an open and unprotected MongoDB instance:

The same IP also appeared in Shodan search results:

Upon closer inspection, an 854 GB sized MongoDB database was left unattended, with no password/login authentication needed to view and access the details of what appeared to be more than 200 million very detailed resumes of Chinese job seekers.

Each of the 202,730,434 records contained the details not only on the candidates’ skills and work experience but also on their personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.

 

See more details in the PDF factsheet

 

The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository (page is no longer available but it is still saved in Google cache)  which contained a web app source code with identical structural patterns as those used in the exposed resumes:

 

 

 

The tool named “data-import” (created 3 years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like bj.58.com and others.

 

 

It is unknown, whether it was an official application or illegal one used to collect all the applicants’ details, even those labeled as ‘private’.

Upon additional request, the security team of BJ.58.com did not confirm that the data originated from their source:

We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us.

It seems that the data is leaked from a third party who scrape data from many CV websites.

Shortly after my notification on Twitter, the database had been secured. It’s worth noting that MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline.

Source: No more privacy: 202 Million private resumes exposed – HackenProof Blog

A newly disclosed vulnerability in Skype for Android could be exploited by miscreants to bypass an Android phone’s passcode screen to view photos, contacts, and even launch browser windows.

Bug-hunter Florian Kunushevci today told The Register the security flaw, which has been reported to Microsoft, allows the person in possession of someone’s phone to receive a Skype call, answer it without unlocking the handset, and then view photos, look up contacts, send a message, and open the browser by tapping links in a sent message, all without ever unlocking the phone. This is handy for thieves, pranksters, prying partners, and so on. Here’s a video demonstrating the bypass…

Kunushevci, a 19-year-old bug researcher from Kosovo, said he was an everyday user of the Skype for Android app when he noticed that something appeared to be amiss with the way the VoIP app accessed files on the handset. Curious, he decided to put his white hat on, and take a closer look.

Source: Can’t unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass • The Register

Uploaded to Github on Thursday, a tool called Crashcast enables the almost instantaneous takeover all of Chromecast streaming devices left accessible online by mistake. This same misconfiguration issue was taken advantage of by the hacker duo Hacker Giraffe and j3ws3r earlier this week to broadcast a message in support of the YouTube star Felix Kjellberg, more widely known as PewDiePie, to thousands of Chromecast owners.

The prank was intended to draw attention, the hacker said, to the fact that thousands of Chromecast devices globally have been left exposed unnecessarily.

Hacker Giraffe, who not too long ago pulled a similar prank using internet-connected printers, said on Thursday that the backlash caused by the Chromecast high jinks led them to give up hacking. The fear of getting caught and prosecuted, the hacker wrote on Pastebin, was causing “all kinds of fears and panic attacks.”

“I just wanted to inform people of their vulnerable devices while supporting a YouTuber I liked. I never meant any harm, nor did I ever have any ill intentions,” they added.

But now a tool which accomplishes the same feat is accessible to virtually anyone, thanks to Amir Khashayar Mohammadi, a security and freelance researcher. Mohammadi tells Gizmodo, however, that the tool he’s released is merely a proof-of-concept uploaded to further research into the problem, and is not intended for people to use maliciously.

Luckily, the problem is a fairly benign one. The tool doesn’t allow for remote code execution, so forcing the device to play random YouTube videos is about all that can be accomplished. “You’re not necessarily hacking anything here,” says Mohammadi, who blogs and publishes papers on the website Spuz.me. “All you’re doing is issuing a cURL command which in this case tells the Chromecast to view a video.”

“There is no authentication or bypass, you’re actually doing what the Chromecast is intended to do, except the reason this works is because they’re all being exposed to the internet,” he continued, adding: “I mean honestly, why would anyone leave their Chromecast on the internet? It makes no sense. You’re literally asking for it.”

Source: Researcher Distributes Tool That Enables Mass-Hijacking of Google Chromecast Devices

A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.

The 96-page report (PDF) from the Committee of Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the company taken basic security precautions.

“Equifax, however, failed to implement an adequate security program to protect this sensitive data,” the report reads.

“As a result, Equifax allowed one of the largest data breaches in US history. Such a breach was entirely preventable.”

The report noted some of the previously-disclosed details of the hack, including the expired SSL certificate that had disabled its intrusion detection system for 19 months and the Apache Struts patch that went uninstalled for two months because of that bad cert.

The report states that Equifax’s IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software

Both issues were blamed for allowing an attacker to compromise the Equifax Automated Consumer Interview System and then spend weeks moving throughout the network to harvest personal records from other databases. It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong.

While those two specific issues were pinpointed as the source of the attack, the report finds that the intrusion was allowed to happen because the IT operation at Equifax had grown far too large far too fast, without a clear management structure or coherent policies across various departments.

Lousy IT security by design

“In 2005, former Equifax CEO Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, IT systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks,” the committee found.

“In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing ‘almost 1,200 times’ the amount of data held in the Library of Congress every day.”

What’s more, the report notes that Equifax had been aware of these shortcomings for years, with internal audits that found problems in their software patching process back in 2015, and in both 2016 and 2017 a report from MSCI Inc. rated Equifax network security as a “zero out of ten.”

A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s, was not properly walled off from other databases, a fault that allowed the attackers to access dozens of systems they would not have otherwise been able to get to.

“Although the ACIS application required access to only three databases within the Equifax environment to perform its business function, the ACIS application was not segmented off from other, unrelated databases,” the report noted.

“As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment.”

After the pwning of its servers was revealed Equifax blamed its woes on an IT staffer who hadn’t installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax’s failings than this one scapegoat.

To help prevent similar attacks from occurring, the report recommends a number of additional requirements for credit reporting agencies to tell people what information is being gathered, how it is stored, and who it is shared with. The report also suggests moving away from social security numbers as personal identifiers and recommends that companies in the finance and credit sectors be pushed to modernize their IT structure. ®

Source: Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory • The Register

On Monday, the question and answer site Quora announced that a third-party was able to gain access to virtually every data point the company keeps on 100 million users. Even if you don’t recall having a Quora account, you might want to make sure.

In a blog post, Quora CEO Adam D’Angelo explained that the company first noticed the data breach on Friday and has since enlisted independent security researchers to help investigate what happened and mitigate the damage. D’Angelo said that affected users should be receiving an email that explains the situation, but if you have a Quora account, it’s probably a good idea to go ahead and change your password—especially if you reuse passwords. In all, the attackers were able to compromise a lot of data. Quora says that information includes:

• Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
• Public content and actions, e.g. questions, answers, comments, upvotes
• Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Fortunately, Quora says it has not stored any identifying information associated with anonymous inquiries and replies.

For users, the biggest immediate concern should be that part about hackers accessing “data imported from linked networks.” Quora allows users to sign in with Facebook or Google and it’s possible that personal information from one of those networks also made it into the wrong hands. We’ve asked all three companies for more details on exactly what was compromised but we did not receive an immediate reply.

We also asked Quora what type of cryptographic hashing method it uses. The hackers should only be able to figure out the password through brute-force guessing and that takes longer depending on the complexity of the hash.

The good news is that there’s no financial information associated with Quora users, the bad news is that the website is more like a social network than it might seem. People ask personal questions that could help draw a personality profile and others give answers that could do the same. Earlier this year, when Facebook admitted that it had lost control of 87 million users data, the general public was reminded that data breaches aren’t just about identity theft. In that case, a firm working for the 2016 Trump presidential campaign obtained access to the data, raising concerns that it was used for targeted political messaging. The firm has disputed the number of users’ data it obtained and maintains that none of the data was directly employed during the 2016 election.

For now, check your inbox for any notifications and you can read an FAQ here.

[Quora]

Source: Hack of 100 Million Quora Users Could Be Worse Than it Sounds

A Twitter user using the pseudonym of @TheHackerGiraffe has hacked over 50,000 printers to print out flyers telling people to subscribe to PewDiePie’s YouTube channel.

The messages have been sent out yesterday, November 29, and have caused quite the stirr among the users who received them, as they ended up on a bunch of places, from high-end multi-functional printers at large companies to small handheld receipt printers at gas stations and restaurants.

The only condition was that the printer was connected to the Internet, used old firmware, and had “printing” ports left exposed online.

The message the printers received was a simple one. It urged people to subscribe to PewDiePie’s YouTube channel in order for PewDiePie –a famous YouTuber from Sweden, real name Felix Kjellberg– to keep the crown of most subscribed to YouTube channel.

If this sounds …odd… it’s because over the past month, an Indian record label called T-Series has caught up and surpassed PewDiePie, once considered untouchable in terms of YouTube followers.

The Swedish Youtube star made a comeback after his fans banded together in various social media campaigns, but T-Series is catching up with PewDiePie again.

Source: Twitter user hacks 50,000 printers to tell people to subscribe to PewDiePie | ZDNet

More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday.

The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don’t reveal precisely what happens to the connected devices once they’re exposed, Akamai said the ports—which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed—provide a strong hint of the attackers’ intentions.

The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play—often abbreviated as UPnP—to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets. In Wednesday’s blog post, the researchers wrote:

Source: Mass router hack exposes millions of devices to potent NSA exploit | Ars Technica

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary’s guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever.

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” said the firm in a statement issued this morning. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”

Around 327 million of those guest bookings included customers’ “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

For an unspecified number, encrypted card numbers and expiration dates were also included, though Marriott insisted there was AES-128 grade encryption on these details, saying: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

This could be read as a reference to salting and hashing though no further detail was supplied. We have contacted Marriott to double-check and will update this article if we hear back from them.

Source: Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years

Computer science boffins have demonstrated a side-channel attack technique that bypasses recently-introduced privacy defenses, and makes even the Tor browser subject to tracking. The result: it is possible for malicious JavaScript in one web browser tab to spy on other open tabs, and work out which websites you’re visiting.

This information can be used to target adverts at you based on your interests, or otherwise work out the kind of stuff you’re into and collect it in safe-keeping for future reference.

Researchers Anatoly Shusterman, Lachlan Kang, Yarden Haskal, Yosef Meltser, Prateek Mittal, Yossi Oren, Yuval Yarom – from Ben-Gurion University of the Negev in Israel, the University of Adelaide in Australia, and Princeton University in the US – have devised a processor cache-based website fingerprinting attack that uses JavaScript for gathering data to identify visited websites.

The technique is described in a paper recently distributed through ArXiv called “Robust Website Fingerprinting Through the Cache Occupancy Channel.”

“The attack we demonstrated compromises ‘human secrets’: by finding out which websites a user accesses, it can teach the attacker things like a user’s sexual orientation, religious beliefs, political opinions, health conditions, etc.,” said Yossi Oren (Ben-Gurion University) and Yuval Yarom (University of Adelaide) in an email to The Register this week.

It’s thus not as serious as a remote attack technique that allows the execution of arbitrary code or exposes kernel memory, but Oren and Yarom speculate that there may be ways their browser fingerprinting method could be adapted to compromise computing secrets like encryption keys or vulnerable installed software.

Source: Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you’re visiting • The Register

People’s connections in the US to Google – including its cloud, YouTube, and other websites – were suddenly rerouted through Russia and into China in a textbook Border Gateway Protocol (BGP) hijacking attack.

That means folks in Texas, California, Ohio, and so on, firing up their browsers and software and connecting to Google and its services were instead talking to systems in Russia and China, and not servers belonging to the Silicon Valley giant. Netizens outside of America may also have been affected.

The Chocolate Factory confirmed that for a period on Monday afternoon, from 1312 to 1435 Pacific Time, connections to Google Cloud, its APIs, and websites were being diverted through IP addresses belonging to overseas ISPs. Sites and apps built on Google Cloud, such as Spotify, Nest, and Snapchat, were also brought down by the interception.

Specifically, network connectivity to Google was instead routed through TransTelekom in Russia (mskn17ra-lo1.transtelecom.net), and into a China Telecom gateway (ChinaTelecom-gw.transtelecom.net) that black-holed the packets. Both nodes have since stopped resolving to IP addresses.

The black-hole effect meant Google and YouTube, and apps and sites that relied on Google Cloud, appeared to be offline to netizens. It is possible information not securely encrypted could have been intercepted by the aforementioned rogue nodes, however, our understanding is, due to the black-hole effect, it’s likely most if not all connections weren’t: TCP connections would fail to establish, and no information would be transferred. That’s the best case scenario, at least.

Source: OK Google, why was your web traffic hijacked and routed through China, Russia today? • The Register

UPDATE: Nigerian firm Main One Cable Co takes blame for routing Google traffic through China

This week, US Cyber Command (CYBERCOM), a part of the military tasked with hacking and cybersecurity focused missions, started publicly releasing unclassified samples of adversaries’ malware it has discovered.

CYBERCOM says the move is to improve information sharing among the cybersecurity community, but in some ways it could be seen as a signal to those who hack US systems: we may release your tools to the wider world.

“This is intended to be an enduring and ongoing information sharing effort, and it is not focused on any particular adversary,” Joseph R. Holstead, acting director of public affairs at CYBERCOM told Motherboard in an email.

On Friday, CYBERCOM uploaded multiple files to VirusTotal, a Google-owned search engine and repository for malware. Once uploaded, VirusTotal users can download the malware, see which anti-virus or cybersecurity products likely detect it, and see links to other pieces of malicious code.

One of the two samples CYBERCOM distributed on Friday is marked as coming from APT28, a Russian government-linked hacking group, by several different cybersecurity firms, according to VirusTotal. Those include Kaspersky Lab, Symantec, and Crowdstrike, among others. APT28 is also known as Sofacy and Fancy Bear.

Adam Meyers, vice president of intelligence at CrowdStrike said that the sample did appear new, but the company’s tools detected it as malicious upon first contact. Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Motherboard in an email that the sample “was known to Kaspersky Lab in late 2017,” and was used in attacks in Central Asia and Southeastern Europe at the time.

Source: The US Military Just Publicly Dumped Russian Government Malware Online – Motherboard

A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment.

[…]

Three hours after the public announcement of the security gap, Daemon Security CEO Michael Shirk replied with one line that overwrote shadow files on the system. Hickey did one better and fit the entire local privilege escalation exploit in one line.

Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro  Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

Source: Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems

Last April, Steven Schoen received an email from someone named Natalie Andrea who said she worked for a company called We Purchase Apps. She wanted to buy his Android app, Emoji Switcher. But right away, something seemed off.

“I did a little bit of digging because I was a little sketched out because I couldn’t really find even that the company existed,” Schoen told BuzzFeed News.

The We Purchase Apps website listed a location in New York, but the address appeared to be a residence. “And their phone number was British. It was just all over the place,” Schoen said.

It was all a bit weird, but nothing indicated he was about to see his app end up in the hands of an organization responsible for potentially hundreds of millions of dollars in ad fraud, and which has funneled money to a cabal of shell companies and people scattered across Israel, Serbia, Germany, Bulgaria, Malta, and elsewhere.

Schoen had a Skype call with Andrea and her colleague, who said his name was Zac Ezra, but whose full name is Tzachi Ezrati. They agreed on a price and to pay Schoen up front in bitcoin.

“I would say it was more than I had expected,” Schoen said of the price. That helped convince him to sell.

A similar scenario played out for five other app developers who told BuzzFeed News they sold their apps to We Purchase Apps or directly to Ezrati. (Ezrati told BuzzFeed News he was only hired to buy apps and had no idea what happened to them after they were acquired.)

“A significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application.”

The Google Play store pages for these apps were soon changed to list four different companies as their developers, with addresses in Bulgaria, Cyprus, and Russia, giving the appearance that the apps now had different owners.

But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans. (A full list of the apps, the websites, and their associated companies connected to the scheme can be found in this spreadsheet.)

One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News’ request.

This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems.

“This is not your run-of-the-mill fraud scheme,” said Asaf Greiner, the CEO of Protected Media. “We are impressed with the complex methods that were used to build this fraud scheme and what’s equally as impressive is the ability of criminals to remain under the radar.”

Another fraud detection firm, Pixalate, first exposed one element of the scheme in June. At the time, it estimated that the fraud being committed by a single mobile app could generate $75 million a year in stolen ad revenue. After publishing its findings, Pixalate received an email from an anonymous person connected to the scheme who said the amount that’s been stolen was closer to 10 times that amount. The person also said the operation was so effective because it works “with the biggest partners [in digital advertising] to ensure the ongoing flow of advertisers and money.”

In total, the apps identified by BuzzFeed News have been installed on Android phones more than 115 million times, according to data from analytics service AppBrain. Most are games, but others include a flashlight app, a selfie app, and a healthy eating app. One app connected to the scheme, EverythingMe, has been installed more than 20 million times.

Once acquired, the apps continue to be maintained in order to keep real users happy and create the appearance of a thriving audience that serves as a cover for the cloned fake traffic. The apps are also spread among multiple shell companies to distribute earnings and conceal the size of the operation.

Source: How A Massive Ad Fraud Scheme Exploited Android Phones To Steal Millions Of Dollars

A wave of reports about hijacked WhatsApp accounts in Israel has forced the government’s cyber-security agency to send out a nation-wide security alert on Tuesday, ZDNet has learned.

The alert, authored by the Israel National Cyber Security Authority, warns about a relatively new method of hijacking WhatsApp accounts using mobile providers’ voicemail systems.

This new hacking method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath.

The general idea is that users who have voicemail accounts for their phone numbers are at risk if they don’t change that account’s default password, which in most cases tends to be either 0000 or 1234.

The possibility of an account takeover happens when an attacker tries to add a legitimate user’s phone number to a new WhatsApp app installation on his own phone.

Following normal security procedures, the WhatsApp service would then send a one-time code via SMS to that phone number. This would typically alert a user to an ongoing attack, but Bar-Zik argues that a hacker could easily avoid this by carrying out the attack during nighttime or when he is sure the user is away from his phone.

After several failed attempts to validate the one-time code sent via SMS, the WhatsApp service would then prompt the user to perform a “voice verification,” during which the WhatsApp service would call the user’s phone and speak the one-time verification code out loud.

If the attacker has timed his/her attack at the proper time and the user can’t or won’t answer his phone, that message would eventually land in the victim’s voicemail account.

Source: Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking | ZDNet

On 13 April 2018, with support from the Netherlands General Intelligence and Security Service and UK counterparts, the Netherlands Defence Intelligence and Security Service (DISS) disrupted a cyber operation being carried out by a Russian military intelligence (GRU) team. The Russian operation had targeted the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

The 4 Russian intelligence officers at Schiphol Airport.

To conduct their operation, 4 Russian intelligence officers had set up specialised equipment in the vicinity of the OPCW offices and were preparing to hack into OPCW networks. As host country the Netherlands bears responsibility for ensuring the organisation’s security. In order to protect the security of the OPCW it therefore pre-empted the GRU operation and escorted the Russian intelligence officers out of the country. “The cyber operation targeting the OPCW is unacceptable. Our exposure of this Russian operation is intended as an unambiguous message that the Russian Federation must refrain from such actions,” said Defence Minister Ank Bijleveld in her response. “The OPCW is a respected international institution representing 193 nations around the globe and was established to rid the world of chemical weapons. The Netherlands is responsible for protecting international organisations within its borders, and that is what we have done.”

Equipment

The 4 Russian intelligence officers entered the Netherlands via Schiphol Airport, travelling on diplomatic passports. They subsequently hired a car which they positioned in the parking lot of the Marriot Hotel in The Hague, which is adjacent to the OPCW offices.

Equipment was set up in the boot of the car with which the officers intended to hack into wifi networks and which was installed for the purpose of infiltrating the OPCW’s network. The antenna for this equipment lay hidden under a jacket on the rear shelf and the equipment was operational when DISS interrupted the operation.

Source: Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW

Facebook’s stunning disclosure of a massive hack on Friday in which attackers gained access tokens to at least 50 million accounts—bypassing security measures and potentially giving them full control of both profiles and linked apps—has already stirred the threat of a $1.63 billion dollar fine in the European Union, according to the Wall Street Journal.

The bug, which exploited flaws in the site’s “View As” and video uploader feature to gain access to the accounts, forced Facebook to reset access tokens for 50 million users and reset those for 40 million others as a precaution. (That means if you were logged out of your devices, you were affected.) Facebook has not said whether the attackers attempted to extract data from the affected profiles, but vice president of product management Guy Rosen told reporters they had attempted to harvest private information from Facebook’s systems, according to the New York Times. Rosen also said Facebook was unable to determine the extent to which third-party apps could have been compromised.

Source: Facebook Could Face Up to $1.63 Billion Fine for Latest Hack Under the GDPR

The site itself was compromised on Tuesday

A rootkit is a piece of software that hides itself on computer systems, and uses its root or administrator-level privileges to steal and alter documents, spy on users, and cause other mischief and headaches. A UEFI rootkit lurks in the motherboard firmware, meaning it starts up before the operating system and antivirus suites run, allowing it to bury itself deep in an infected machine, undetected and with high-level access privileges.

According to infosec biz ESET, a firmware rootkit dubbed LoJax targeted Windows PCs used by government organizations in the Balkans as well as in central and eastern Europe. The chief suspects behind the software nasty are the infamous Fancy Bear (aka Sednit aka Sofacy aka APT28) hacking crew, elsewhere identified as a unit of Russian military intelligence.

That’s the same Fancy Bear that’s said to have hacked the US Democratic Party’s servers, French telly network TV5, and others.

The malware is based on an old version of a legit application by Absolute Software called LoJack for Laptops, which is typically installed on notebooks by manufacturers so that stolen devices can be found.

[…]

Once up and alive, LoJax contacts command-and-control servers that are disguised as normal websites and are known to be operated by Russian intelligence. It then downloads its orders to carry out.

[…]

This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

[…]

There are firmware settings that can thwart the flash installation simply by blocking write operations. If BIOS write-enable is off, BIOS lock-enable is on, and SMM BIOS write-protection is enabled, then the malware can’t write itself to the motherboard’s flash storage.

Alternatively, wiping the disk and firmware storage will get rid of this particular rootkit strain.

Modern systems should be able to resist malicious firmware overwrites, we’re told, although ESET said it found at least one case of LoJax in the PC’s SPI flash.

“While it is hard to modify a system’s UEFI image, few solutions exists to scan system’s UEFI modules and detect malicious ones,” wrote Team ESET. “Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”

Source: Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia) • The Register

Olle and his fellow cyber security consultant Pasi Saarinen recently discovered a new way to physically hack into PCs. According to their research, this method will work against nearly all modern computers. This includes laptops from some of the world’s biggest vendors like Dell, Lenovo, and even Apple.

And because these computers are everywhere, Olle and Pasi are sharing their research with companies like Microsoft, Apple and Intel, but also the public. The pair are presenting their research at the SEC-T conference in Sweden on September 13, and at Microsoft’s BlueHat v18 in the US on September 27.

[…]

Because cold boot attacks are nothing new, there have been developments to make them less effective. One safeguard created by the Trusted Computing Group (TCG) was to overwrite the contents of the RAM when the power was restored.

And that’s where Olle and Pasi’s research comes in. The two experts figured out a way to disable this overwrite feature by physically manipulating the computer’s hardware. Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can then be carried out by booting a special program off a USB stick.

Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk.

Source: The Chilling Reality of Cold Boot Attacks – F-Secure Blog

In this writeup, I’ll describe a new technique to crack WPA PSK (Pre-Shared Key) passwords.

In order to make use of this new attack you need the following tools:

• hcxdumptool v4.2.0 or higher
• hcxtools v4.2.0 or higher
• hashcat v4.2.0 or higher

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follow:

• No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
• No more waiting for a complete 4-way handshake between the regular user and the AP
• No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
• No more eventual invalid passwords sent by the regular user
• No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
• No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
• No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string

Source: New attack on WPA/WPA2 using PMKID

Snapchat doesn’t just make messages disappear after a period of time. It also does the same to GitHub repositories — especially when they contain the company’s proprietary source code.

So, what happened? Well, let’s start from the beginning. A GitHub with the handle i5xx, believed to be from the village of Tando Bago in Pakistan’s southeastern Sindh province, created a GitHub repository called Source-Snapchat.

At the time of writing, the repo has been removed by GitHub following a DMCA request from Snap Inc

[…]

Four days ago, GitHub published a DMCA takedown request from Snap Inc., although it’s likely the request was filed much earlier. GitHub, like many other tech giants including Google, publishes information on DMCA takedown requests from the perspective of transparency.

[…]

To the question “Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online,” the Snap Inc representative wrote:

“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.”

The most fascinating part of this saga is that the leak doesn’t appear to be malicious, but rather comes from a researcher who found something, but wasn’t able to communicate his findings to the company.

According to several posts on a Twitter account believed to belong to i5xx, the researcher tried to contact SnapChat, but was unsuccessful.

“The problem we tried to communicate with you but did not succeed In that we decided [sic] Deploy source code,” wrote i5xx.

The account also threatened to re-upload the source code. “I will post it again until you reply :),” he said.

For what it’s worth, it’s pretty easy for security researchers to get in touch with Snap Inc. The company has an active account on HackerOne, where it runs a bug bounty program, and is extremely responsive.

According to HackerOne’s official statistics, the site replies to initial reports in 12 hours, and has paid out over $220,000 in bounties.

Source: Hacker swipes Snapchat’s source code, publishes it on GitHub

At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he’d been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits.

Oleksandr Ieremenko, one of the hackers at the club that night, had worked with Turchynov before and decided he wanted in on the scam. With his friend Vadym Iermolovych, he hacked Business Wire, stole Turchynov’s inside access to the site, and pushed the main Moscovite ringleader, known by the screen name eggPLC, to bring them in on the scheme. The hostile takeover meant Turchynov was forced to split his business. Now, there were three hackers in on the game.

Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts. Through interviews with sources involved with both the scheme and the investigation, chat logs, and court documents, The Verge has traced the evolution of what law enforcement would later call one of the largest securities fraud cases in US history.

Source: How a hacker network turned stolen press releases into $100 million – The Verge

A service named “Timehop” that claims it is “reinventing reminiscing” – in part by linking posts from other social networks – probably wishes it could go back in time and reinvent its own security, because it has just confessed to losing data describing 21 million members and can’t guarantee that the perps didn’t slurp private info from users’ social media accounts.

“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data,” the company wrote. “We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken.”

Names and email addresses were lifted, as were “Keys that let Timehop read and show you your social media posts (but not private messages)”. Timehop has “deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our App.”

The breach also led to the loss of access tokens Timehop uses to access other social networks such as Twitter, Facebook and Instagram and the posts you’ve made there. Timehop swears blind that the tokens have been revoked and just won’t work any more.

But the company has also warned that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts” but has “no evidence that this actually happened.”

It can’t be as almost-comforting on the matter of purloined phone numbers, advising that for those who shared such data with the company “It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.” Oh thanks for that, Timehop. And thanks, also, for not using two-factor authentication, because that made the crack possible. “The breach occurred because an access credential to our cloud computing environment was compromised,” the company’s admitted. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

All of which leaves users in the same place as usual: with work to do, knowing that if their service providers had done their jobs properly they’d feel a lot safer.

Source: Nostalgic social network ‘Timehop’ loses data from 21 million users