Security researchers report they uncovered a design flaw that let them hijack a Tesla using a Flipper Zero, a controversial $169 hacking tool. Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as swiping a Tesla owner’s login information, opening the Tesla app, and driving away. The victim would have no idea they lost their $40,000 vehicle. Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.

The issue isn’t “hacking” in the sense of breaking into software, it’s a social engineering attack that fools a user into handing over their information. Using a Flipper, the researchers set up a WiFi network called “Tesla Guest,” the name Tesla uses for its guest networks at service centers. Mysk then created a website that looks like Tesla’s login page.

The process is simple. In this scenario, hackers could broadcast the network near a charging station, where a bored driver might be looking for entertainment. The victim connects to the WiFi network and enters their username and password on the fake Tesla website. The hacker then uses the credentials to log in to the real Tesla app, which triggers a two-factor authentication code. The victim enters that code into the fake website, and the thief gains access to their account. Once you’re logged into the Tesla app, you can set up a “phone key” which lets you unlock and control the car over Bluetooth with a smartphone. From there, the car is yours.

You can see Mysk’s demonstration of the attack in the video below.

Cybersecurity: Can a Tesla stop phishing and social engineering attacks?

According to Mysk, Tesla doesn’t notify users when new keys are created, so the victim wouldn’t know they’ve been compromised. Mysk said the bad guys wouldn’t need to steal the car right away, either, because the app shows you the physical location of the vehicle. The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car’s location using the app, and then waltz up at an opportune moment and drive away.

“This means with a leaked email and password, an owner could lose their Tesla vehicle.

[…]

Source: Want to Steal a Tesla? Try Using a Flipper Zero

An interesting new attack on biometric security has been outlined by a group of researchers from China and the US. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound [PDF] proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). The attack leverages the sound characteristics of a user’s finger swiping on a touchscreen to extract fingerprint pattern features. Following tests, the researchers assert that they can successfully attack “up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%.” This is claimed to be the first work that leverages swiping sounds to infer fingerprint information.

[…]

the PrintListener paper says that “finger-swiping friction sounds can be captured by attackers online with a high possibility.” The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name – PrintListener.

[…]

Source: Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks | Tom’s Hardware

Nearly half the citizens of France have had their data exposed in a massive security breach at two third-party healthcare payment servicers, the French data privacy watchdog disclosed last week.

Payments outfits Viamedis and Almerys both experienced breaches of their systems in late January, the National Commission on Informatics and Liberty (CNIL) revealed, leading to the theft of data belonging to more than 33 million customers. Affected data on customers and their families includes dates of birth, marital status, social security numbers and insurance information. No banking info, medical data or contact information was compromised, the CNIL added.

[…]

Viamedis was reportedly compromised through a phishing attack that targeted healthcare professionals, and used credentials stolen from such professionals to gain access to its systems. Almerys didn’t disclose how its compromise occurred, but it’s possible the ingress was similar in nature – it admitted the attacker gained access through a portal used by healthcare providers.

[…]

Source: 33m French citizens data stolen in healthcare billing breach

An underground website called OnlyFake is claiming to use “neural networks” to generate realistic looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds.

In our own tests, OnlyFake created a highly convincing California driver’s license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is laying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes.

[…]

 

Source: Inside the Underground Site Where ‘Neural Networks’ Churn Out Fake IDs

Dutch authorities are lifting the curtain on an attempted cyberattack last year at its Ministry of Defense (MoD), blaming Chinese state-sponsored attackers for the espionage-focused intrusion.

Specialists from the Netherlands’ Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) were called in to investigate an intrusion at an MOD network last year, uncovering a previously unseen malware they’re calling Coathanger.

The name, authorities said, was conjured up based on the “peculiar phrase” displayed by the malware when encrypting the configuration on disk: “She took his coat and hung it up.”

A deep dive into Coathanger’s code revealed the remote access trojan (RAT) was purpose-built for Fortinet’s FortiGate next-generation firewalls (NGFWs) and the initial access to the MoD’s network was gained through exploiting CVE-2022-42475.

According to the MIVD and AIVD, the RAT operates outside of traditional detection measures and acts as a second-stage malware, mainly to establish persistent access for attackers, surviving reboots and firmware upgrades.

Even fully patched FortiGate devices could still have Coathanger installed if they were compromised before upgrading.

In the cybersecurity advisory published today, authorities said the malware was highly stealthy and difficult to detect using default FortiGate CLI commands, since Coathanger hooks most system calls that could identify it as malicious.

They also made clear that Coathanger is definitely different from BOLDMOVE, another RAT targeting FortiGate appliances.

“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said defense minister Kajsa Ollongren in an automatically translated statement. “In this way, we increase international resilience against this type of cyber espionage.”

The advisory also noted that Dutch authorities had previously spotted Coathanger present on other victims’ networks too, prior to the incident at the MOD.

As for attribution, MIVD and AIVD said they can pin Coathanger to Chinese state-sponsored attackers with “high confidence.”

“MIVD and AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies,” the advisory reads.

The attackers responsible for the attack were known for conducting “wide and opportunistic” scans for exposed FortiGate appliances vulnerable to CVE-2022-42475 and then exploiting it using an obfuscated connection.

After gaining an initial foothold inside the network, which was used by the MOD’s research and development division, the attackers performed reconnaissance and stole a list of user accounts from the Active Directory server.

Not much else was said about the attacker’s activity, other than the fact that the overall impact of the intrusion was limited thanks to the MOD’s network segmentation.

For those worried about whether Chinese cyberspies are lurking in their firewall, the Joint Signal Cyber Unit of the Netherlands (JCSU-NL) published a full list of indicators of compromise (IOCs) and various detection methods on its GitHub page.

The collection of materials includes YARA rules, a JA3 hash, CLI commands, file checksums, and more. The authorities said each detection method should be seen as independent and used together since some focus on general IOCs and others were developed to spot Coathanger activity specifically.

If there is evidence of compromise, it’s possible other hosts that are reachable by the FortiGate device are also compromised. There is also an increased likelihood that attackers may perform hands-on-keyboard attacks.

Affected users should isolate their device immediately, collect and review logs, and consider calling in third-party digital forensics specialists, the advisory reads. Victims should also inform their country’s cybersecurity authority: NCSC, CISA, etc.

The only way to remove Coathanger from an infected device is to completely reformat the device, before reinstalling and reconfiguring it.

Whiffs of China’s involvement in CVE-2022-42475 exploits have long been suspected, but for the first time they’re confirmed today.

First disclosed in December 2022, a month later Fortinet said it was aware that the vulnerability was tied to the breach of a government or government-related organization that had been infected with custom-made malware.

At the time, no fingers were officially pointed other than the fact that this custom malware was compiled on a machine in the UTC+8 timezone, so realistically it was most likely going to be either China or Russia.

China was also accused of being behind exploits of separate Fortinet bug in March, again using bespoke malware for the purposes of cyber espionage. ®

Source: Netherlands reveals Chinese spies attacked its defense dept • The Register

Web security company Cloudflare on Thursday revealed that a threat actor used stolen credentials to gain access to some of its internal systems.

The incident was discovered on November 23, nine days after the threat actor, believed to be state-sponsored, used credentials compromised in the October 2023 Okta hack to access Cloudflare’s internal wiki and bug database.

The stolen login information, an access token and three service account credentials, were not rotated following the Okta incident, allowing the attackers to probe and perform reconnaissance of Cloudflare systems starting November 14, the security firm explains.

According to Cloudflare, the attackers managed to access an AWS environment, as well as Atlassian Jira and Confluence, but network segmentation prevented them from accessing its Okta instance and the Cloudflare dashboard.

With access to the Atlassian suite, the threat actor started looking for information on the Cloudflare network, searching the wiki for “things like remote access, secret, client-secret, openconnect, cloudflared, and token”. In total, 36 Jira tickets and 202 wiki pages were accessed.

On November 16, the attackers created an Atlassian account to gain persistent access to the environment, and on November 20 returned to verify that they still had access.

On November 22, the threat actor installed the Sliver Adversary Emulation Framework, gaining persistent access to the Atlassian server, which was then used to move laterally. They attempted to access a non-production console server at a São Paulo, Brazil, data center that is not yet operational.

The attackers viewed 120 code repositories and downloaded 76 of them to the Atlassian server, but did not exfiltrate them.

“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes. A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves,” Cloudflare notes.

The attackers used a Smartsheet service account to access Cloudflare’s Atlassian suite, and the account was terminated on November 23, within 35 minutes after the unauthorized access was identified. The user account created by the attacker was found and deactivated 48 minutes later.

Cloudflare says it also put in place firewall rules to block the attackers’ known IP addresses and that the Sliver Adversary Emulation Framework was removed on November 24.

[…]

The goal of the attack, Cloudflare says, was to obtain information on the company’s infrastructure, likely to gain a deeper foothold. CrowdStrike performed a separate investigation into the incident, but discovered no evidence of additional compromise.

“We are confident that between our investigation and CrowdStrike’s, we fully understand the threat actor’s actions and that they were limited to the systems on which we saw their activity,” Cloudflare notes.

Source: Cloudflare Hacked by Suspected State-Sponsored Threat Actor  – SecurityWeek

[…] The ESP32 Marauder is a suite of WiFi/Bluetooth offensive and defensive tools created for the ESP32 and was originally inspired by Spacehuhn’s esp8266_deauther project. The tool itself serves as a portable device used to test and analyze WiFi and Bluetooth devices.

[…]

Do It Yourself

If you would like to create your own ESP32 Marauder, check out Getting Started.

Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service.

The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware.

Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites.

[…]

This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services.

This service allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data.

The service shut down in July 2023 out of concerns it was being used for Doxxing and SIM-swapping attacks. However, the operator enabled the service again in September.

Illicit.services use data from various sources, but one of its largest sources of data came from the Naz.API dataset, which was shared privately among a small number of people.

Each line in the Naz.API data consists of a login URL, its login name, and an associated password stolen from a person’s device

[…]

“Here’s the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum,” explained a blog post by Hunt.

“Whilst this post dates back almost 4 months, it hadn’t come across my radar until now and inevitably, also hadn’t been sent to the aforementioned tech company.”

“They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list.”

According to Hunt, the Naz.API dataset consists of 319 files totaling 104GB and containing 70,840,771 unique email addresses.

However, while there are close to 71 million unique emails, for each email address, there are likely many other records for the different sites’ credentials were stolen from.

Hunt says the Naz.API data is likely old, as it contained one of his and other HIBP subscribers’ passwords that were used in the past. Hunt says his password was used in 2011, meaning that some of the data is over 13 years old.

To check if your credentials are in the Naz.API dataset, you can perform a search at Have I Been Pwned. If your email is found to be associated with Naz.API, the site will warn you, indicating that your computer was infected with information-stealing malware at one point.

[…]

Source: Have I Been Pwned adds 71 million emails from Naz.API stolen account list

VF Corporation, parent company of clothes and footwear brands including Vans and North Face, says 35.5 million customers were impacted in some way when criminals broke into their systems in December.

The announcement was made in a Thursday 8-K/A filing with the Securities and Exchange Commission (SEC), and we’re only left to speculate about what kind of information the attackers may have scrambled away with.

The parent company of fashion labels, which also include Supreme, Timberland, and Dickies did, however, confirm the type of data that couldn’t have been accessed.

VF Corp said that customers’ social security numbers (SSNs), bank account information, and payment card information remain uncompromised as these are not stored in its IT systems.

There’s also no evidence to suggest that consumer passwords were accessed, it confirmed, although it did caveat this with “the investigation remains ongoing”.

If you want to really look between the lines of the document’s wording, you’ll see that VF Corp explicitly said SSNs, financial information, and passwords – all excluded from potential compromise – were all explicitly defined as being consumer-related specifically.

The same goes for the number of individuals affected – 35.5 million “individual consumers” had their personal information stolen.

[…]

When the attack was first disclosed, the clothes seller said its ability to fulfill orders was affected, but online and retail stores were still up and running as normal.

This week’s filing said the company’s ability to replenish retail stores’ inventory was affected and combined with the fulfillment issues. This led to customer order cancellations and reduced demand across some of its brands’ e-commerce sites.

“Since the filing of the original report, while VF is still experiencing minor residual impacts from the cyber incident, VF has resumed retail store inventory replenishment and product order fulfillment, and is caught up on fulfilling orders that were delayed as a result of the cyber incident,” the filing reads.

“Since the filing of the original report, VF has substantially restored the IT systems and data that were impacted by the cyber incident, but continues to work through minor operational impacts.”

The attack on VF Corp is suspected to have involved ransomware. The filings mention parts of its IT systems being encrypted, and the AlphV/BlackCat gang claimed the attack days after its disclosure, but the company has not confirmed this to be the case.

[…]

Source: Thieves steal 35.5M customers’ data from Vans sneakers maker • The Register

The real question here is why on earth these guys were holding so many customers information? And in a centralised system?

After intruders broke into Seattle’s Fred Hutchinson Cancer Center’s IT network in November and stole medical records – everything from Social Security numbers to diagnoses and lab results – miscreants threatened to turn on the patients themselves directly.

The idea being, it seems, that those patients and the media coverage from any swatting will put pressure on the US hospital to pay up and end the extortion. Other crews do similar when attacking IT service provider: they don’t just extort the suppliers, they also threaten or further extort customers of those providers.

[…]

The cancer center, which operates more than 10 clinics in Washington’s Puget Sound region, declined to answer additional comments about the threats.

Another health network in Oklahoma — Integris Health, which operates a network of 15 hospitals and 43 clinics — last month notified patients about a similar “cyber event” in which criminals may have accessed personal data. Shortly after, some of these patients reported receiving emails from miscreants threatening to sell their information on the dark web.

[…]

Sam Rubin, VP of Unit 42 Consulting at Palo Alto Networks, told The Register his team hadn’t seen any swatting attempts by extortion crews in 2023, though the shift in tactics seems likely.

“But I’m not surprised at all,” he added, about the reports of Seattle cancer patients potentially receiving these types of threats.

“If you look over the past couple of years, we’ve seen this continuing evolution of escalating extortion tactics,” Rubin said. “If you go back in time, it was just encryption.”

Over the past year, Unit 42 has seen cybercriminals send threatening texts to the spouse of a CEO whose organization was being extorted, Rubin added, again piling on the pressure for payment. The consulting and incident response unit has also witnessed miscreants sending flowers to a victim company’s executive team, and issuing ransom demands via printers connected to the affected firm’s network.

“We had another one where the victim organization decided not to pay, but then the ransomware actors went on to harass customers of that organization,”

[…]

Meanwhile, ransomware attacks against critical infrastructure including hospitals become more frequent. Emsisoft reported 46 infections against US hospitals networks last year alone, up from 25 in 2022. In total, at least 141 hospitals were infected, and at least 32 of the 46 networks had data — including protected health information — stolen.

It’s bad enough that these attacks have diverted ambulances and postponed critical care for patients, and now the criminals are inflicting even more pain on people. Last year this included leaking breast cancer patients’ nudes. Swatting seems to be the next, albeit abhorrent, step.

Source: Swatting: The new normal in ransomware extortion tactics • The Register