Russian software disguised as American finds its way into U.S. Army, CDC apps

Thousands of smartphone applications in Apple (AAPL.O) and Google’s (GOOGL.O) online stores contain computer code developed by a technology company, Pushwoosh, that presents itself as based in the United States, but is actually Russian, Reuters has found.

[…]

The U.S. Army said it had removed an app containing Pushwoosh code in March because of the same concerns. That app was used by soldiers at one of the country’s main combat training bases.

[…]

According to company documents publicly filed in Russia and reviewed by Reuters, Pushwoosh is headquartered in the Siberian town of Novosibirsk, where it is registered as a software company that also carries out data processing. It employs around 40 people and reported revenue of 143,270,000 rubles ($2.4 mln) last year. Pushwoosh is registered with the Russian government to pay taxes in Russia.

On social media and in U.S. regulatory filings, however, it presents itself as a U.S. company, based at various times in California, Maryland and Washington, D.C., Reuters found.

Pushwoosh provides code and data processing support for software developers, enabling them to profile the online activity of smartphone app users and send tailor-made push notifications from Pushwoosh servers.

On its website, Pushwoosh says it does not collect sensitive information, and Reuters found no evidence Pushwoosh mishandled user data. Russian authorities, however, have compelled local companies to hand over user data to domestic security agencies.

Pushwoosh’s founder, Max Konev, told Reuters in a September email that the company had not tried to mask its Russian origins. “I am proud to be Russian and I would never hide this.”

He said the company “has no connection with the Russian government of any kind” and stores its data in the United States and Germany.

Cybersecurity experts said storing data overseas would not prevent Russian intelligence agencies from compelling a Russian firm to cede access to that data, however.

[…]

Pushwoosh code was installed in the apps of a wide array of international companies, influential non-profits and government agencies from global consumer goods company Unilever Plc (ULVR.L) and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain’s Labour Party.

[…]

Pushwoosh code has been embedded into almost 8,000 apps in the Google and Apple app stores, according to Appfigures, an app intelligence website. Pushwoosh’s website says it has more than 2.3 billion devices listed in its database.

“Pushwoosh collects user data including precise geolocation, on sensitive and governmental apps, which could allow for invasive tracking at scale,” said Jerome Dangu, co-founder of Confiant, a firm that tracks misuse of data collected in online advertising supply chains.

[…]

Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law.

Instead, Pushwoosh listed an address in Union City, California as its principal place of business from 2014 to 2016. That address does not exist, according to Union City officials.

Pushwoosh used LinkedIn accounts purportedly belonging to two Washington, D.C.-based executives named Mary Brown and Noah O’Shea to solicit sales. But neither Brown nor O’Shea are real people, Reuters found.

[…]

Source: Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps | Reuters

Medibank: Hackers release abortion data after stealing Australian medical records

Hackers who stole customer data from Australia’s largest health insurer Medibank have released a file of pregnancy terminations.

It follows Medibank’s refusal to pay a ransom for the data, supported by the Australian government.

Medibank urged the public to not seek out the files, which contain the names of policy holders rather than patients.

CEO David Koczkaro warned that the data release could stop people from seeking medical attention.

Terminations can occur for a range of reasons including non-viable pregnancy, miscarriages and complications.

“These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care,” he said.

The data of 9.7 million Medibank customers was stolen last month – the latest in a string of major data breaches in Australian companies in recent months.

The hackers this week published their first tranche of information after Medibank refused to pay a $10m (£8.7m; A$15.6m) ransom – about $1 for every customer.

Some Australians say they have been targeted by scammers after their medical details were posted online.

Former tennis champion Todd Woodbridge – who is recovering from a heart attack – said he had been pestered by calls from scammers who had known which hospital he had been in.

[…]

The files included people’s health claims data – including medical procedure history – as well as names, addresses, birthdates and government ID numbers.

[…]

Source: Medibank: Hackers release abortion data after stealing Australian medical records – BBC News

Doxxing abortion patients – that’s pretty damn low. Go take out big evil businesses.

Suspected Kremlin hack on Liz Truss’s mobile sparks security clampdown

Spy chiefs have ordered ministers to stop using their personal phones to conduct government business following a suspected Kremlin hack on Liz Truss’s mobile.

A Whitehall source said all ministers involved in national security would be expected to attend fresh training with the security services this week ‘to ensure everyone is aware how this material should be handled’.

Ministers will be warned they should never use their personal mobile phones to conduct Government business as they are likely to be the target of hostile states such as Russia, China, North Korea and Iran.

Pauline Neville-Jones, former chairman of Britain’s joint intelligence committee, yesterday said she was ‘not at all tolerant of the notion that it’s OK for ministers to use private mobile phones’.

The warnings follow astonishing revelations in yesterday’s Mail on Sunday that Miss Truss’s personal mobile was spied on by hackers thought to be working for Moscow while she was foreign secretary.

Spy chiefs have ordered ministers to stop using their personal phones to conduct government business following a suspected Kremlin hack on Liz Truss’s mobile

The hack was discovered during the Tory leadership contest in the summer, but a news blackout was ordered by Boris Johnson and Cabinet Secretary Simon Case. Even MPs and officials with top level security clearance were kept in the dark.

Miss Truss is said to have been so worried about the potential damage to her leadership bid that she ‘had trouble sleeping’ until the news was suppressed.

Messages dating back up to a year are thought to have been downloaded, including highly sensitive discussions with fellow foreign ministers about issues such as arms shipments to Ukraine.

Hacked messages are said to have included private criticisms of Mr Johnson by Miss Truss and Kwasi Kwarteng, potentially opening them up to blackmail attempts at a time when they were both senior ministers in his government.

Parliamentary sources yesterday said the shocking incident was now likely to be investigated by the Intelligence and Security Committee, which oversees the work of the security services.

[…]

Source: Suspected Kremlin hack on Liz Truss’s mobile sparks security clampdown  | Daily Mail Online

Australia’s Medibank says data of 4 mln customers accessed by hacker

Medibank Private Ltd (MPL.AX), Australia’s biggest health insurer, said on Wednesday a cyber hack had compromised data of all of its nearly 4 million customers, as it warned of a A$25 million to A$35 million ($16 million to $22.3 million) hit to first-half earnings.

It said on Wednesday that all personal data and significant amounts of health claims data of all its customers were compromised in the breach reported this month, a day after it warned the number of customers affected would grow.

Shares in the company fell more than 14%, its biggest one-day slide since listing in 2014.

Medibank, which covers one-sixth of Australians, said the estimated cost did not include further potential remediation or regulatory expenses.

“Our investigation has now established that this criminal has accessed all our private health insurance customers’ personal data and significant amounts of their health claims data,” chief executive David Koczkar said in a statement. “I apologise unreservedly to our customers. This is a terrible crime – this is a crime designed to cause maximum harm to the most vulnerable members of our community.”

The company reiterated that its IT systems had not been encrypted by ransomware to date and that it would continue to monitor for any further suspicious activity.

“Everywhere we have identified a breach, it is now closed,” John Goodall, Medibank’s top technology executive, told an analyst call on Wednesday.

[…]

Source: Australia’s Medibank says data of 4 mln customers accessed by hacker | Reuters

Crooks use POS malware to steal 167,000 credit card numbers from shops with open VNC + RDP ports

Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals.

The backend command-and-control (C2) server that operates the MajikPOS and Treasure Hunter malware remains active, according to Group-IB’s Nikolay Shelekhov and Said Khamchiev, and “the number of victims keeps growing,” they said this week.

[…]

The MajikPOS and Treasure Hunter malware infect Windows POS terminals and scan the devices to exploit the moments when card data is read and stored in plain text in memory. Treasure Hunter in particular performs this so-called RAM scraping: it pores over the memory of processes running on the register for magnetic-stripe data freshly swiped from a shopper’s bank card during payment. MajikPOS also scans infected PCs for card data. This info is then beamed back to the malware operators’ C2 server.

MajikPOS and Treasure Hunter

Of the two POS malware strains used in this campaign, MajikPOS is the newest, first seen targeting POS devices in 2017. The malware operators likely started with Treasure Hunter, and then paired it with the newer MajikPOS due to the latter’s more advanced features.

This includes “a more visually appealing control panel, an encrypted communication channel with C2, [and] more structured logs,” compared to Treasure Hunter, according to Group-IB. “MajikPOS database tables contain information about the infected device’s geolocation, operation system name, and hardware identification number.”

[…]

Treasure Hunter first appeared in 2014 before the source code was leaked on a Russian-speaking forum. Its primary use is RAM scraping, and is likely installed the same way as MajikPOS.

Today both MajikPOS and Treasure Hunter can be bought and sold on nefarious marketplaces.

In a months-long investigation, Group-IB analyzed about 77,400 card dumps from the MajikPOS panel and another 90,000 from the Treasure Hunter panel, the researchers wrote. Almost all — 97 percent or 75,455 — of the cards compromised by MajikPOS were issued by US banks with the remaining 3 percent distributed around the world.

The Treasure Hunter panel told a similar story with 96 percent (86,411) issued in the US.

[…]

Source: Crooks use POS malware to steal 167,000 credit card numbers • The Register

Shein Owner Fined $1.9 Million For Failing To Notify 39 Million Users of Data Breach – Slashdot

Zoetop, the firm that owns Shein and its sister brand Romwe, has been fined (PDF) $1.9 million by New York for failing to properly disclose a data breach from 2018.

TechCrunch reports: A cybersecurity attack that originated in 2018 resulted in the theft of 39 million Shein account credentials, including those of more than 375,000 New York residents, according to the AG’s announcement. An investigation by the AG’s office found that Zoetop only contacted “a fraction” of the 39 million compromised accounts, and for the vast majority of the users impacted, the firm failed to even alert them that their login credentials had been stolen. The AG’s office also concluded that Zoetop’s public statements about the data breach were misleading. In one instance, the firm falsely stated that only 6.42 million consumers had been impacted and that it was in the process of informing all the impacted users.

https://m.slashdot.org/story/405939

Darkweb market BidenCash gives away 1.2 million credit cards for free

A dark web carding market named ‘BidenCash’ has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud.

Carding is the trafficking and use of credit cards stolen through point-of-sale malware, Magecart attacks on websites, or information-stealing malware.

BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move.

Now, the market’s operators decided to promote the site with a much more massive dump in the same fashion that the similar platform ‘All World Cards’ did in August 2021.

[…]

The freely circulating file contains a mix of “fresh” cards expiring between 2023 and 2026 from around the world, but most entries appear to be from the United States.

Heatmap reflecting the global exposure, and focus in the U.S. (Cyble)

The dump of 1.2 million credit cards includes the following credit card and associated personal information:

  • Card number
  • Expiration date
  • CVV number
  • Holder’s name
  • Bank name
  • Card type, status, and class
  • Holder’s address, state, and ZIP
  • Email address
  • SSN
  • Phone number

Not all the above details are available for all 1.2 million records, but most entries seen by BleepingComputer contain over 70% of the data types.

The “special event” offer was first spotted Friday by Italian security researchers at D3Lab, which monitors carding sites on the dark web.

The analysts claim these cards mainly come from web skimmers, which are malicious scripts injected into checkout pages of hacked e-commerce sites that steal submitted credit card and customer information.

[…]

BleepingComputer has discussed the authenticity with analysts at D3Lab, who confirmed that the data is real with several Italian banks, so the leaked entries correspond to real cards and cardholders.

However, many of the entries were recycled from previous collections, like the one ‘All World Cards’ gave away for free last year.

From the data D3Lab has examined so far, about 30% appear to be fresh, so if this applies roughly to the entire dump, at least 350,000 cards would still be valid.

Of the Italian cards, roughly 50% have already been blocked due to the issuing banks having detected fraudulent activity, which means that the actually usable entries in the leaked collection may be as low as 10%.

[…]

Source: Darkweb market BidenCash gives away 1.2 million credit cards for free – Bleeping Computer

IKEA TRÅDFRI smart lighting hacked to blink and reset

Researchers at the Synopsys Cybersecurity Research Center (CyRC) have discovered an availability vulnerability in the IKEA TRÅDFRI smart lighting system. An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI bulb blink, and if they replay (i.e. resend) the same frame multiple times, the bulb performs a factory reset. This causes the bulb to lose configuration information about the Zigbee network and current brightness level. After this attack, all lights are on with full brightness, and a user cannot control the bulbs with either the IKEA Home Smart app or the TRÅDFRI remote control.

The malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected.

To recover from this attack, a user could add each bulb manually back to the network. However, an attacker could reproduce the attack at any time.

CVE-2022-39064 is related to another vulnerability, CVE-2022-39065, which also affects availability in the IKEA TRÅDFRI smart lighting system. Read our latest blog post to learn more.

Source: CyRC Vulnerability Advisory: CVE-2022-39064 IKEA TRÅDFRI smart lighting | Synopsys

Protestors hack Iran state TV live on air

Iran state TV was apparently hacked Saturday, with its usual broadcast footage of muttering geriatric clerics replaced by a masked face followed by a picture of Supreme Leader Ali Khamenei with a target over his head, the sound of a gunshot, and chants of “Women, Life, Freedom!”

BBC News identifies the pirate broadcaster as “Adalat Ali”, or Ali’s Justice, from social media links in the footage, which also included photographs of women killed in recent protests across the country.

Saturday’s TV news bulletin was interrupted at about 18:00 local time with images which included Iran’s supreme leader with a target on his head, photos of Ms Amini and three other women killed in recent protests. One of the captions read “join us and rise up”, whilst another said “our youths’ blood is dripping off your paws”. The interruption lasted only a few seconds before being cut off.

Source: Protestors hack Iran state TV live on air | Boing Boing

Australian Optus telco data debacle gets worse and worse – non-existent security and no govt regulation

[…]

The alleged hacker – who threatened to sell the data unless a ransom was paid – took names, birth dates, phone numbers, addresses, and passport, healthcare and drivers’ license details from Optus, the country’s second-largest telecommunications company.

Of the 10 million people whose data was exposed, almost 3 million had crucial identity documents accessed.

Across the country, current and former customers have been rushing to change their official documents as the US Federal Bureau of Investigation joined Australia’s police, cybersecurity, and spy agencies to investigate the breach.

The Australian government is looking at overhauling privacy laws after it emerged that Optus – a subsidiary of global telecommunications firm Singtel – had kept private information for years, even after customers had cancelled their contracts.

It is also considering a European Union-style system of financial penalties for companies that fail to protect their customers.

An error-riddled message from someone claiming to be the culprit and calling themselves “Optusdata” demanded a relatively modest US$1m ransom for the data.

[…]

That demand was followed by a threat to release the records of 10,000 people per day until the money was paid. A batch of 10,000 files was later published online.

As Optus and the federal government dealt with the fallout, the alleged hacker had a change of mind and offered their “deepest apology”.

“Too many eyes,” they said. “We will not sale data to anyone. We cant if we even want to: personally deleted data.”

Optus chief Kelly Bayer Rosmarin initially claimed the company had fallen prey to a sophisticated attack and said the associated IP address was “out of Europe”. She said police were “all over” the apparent release of information and told ABC radio that the security breach was “not as being portrayed”.

Experts have said Optus had an application programming interface (API) online that did not need authorisation or authentication to access customer data. “Any user could have requested any other user’s information,” Corey J Ball, senior manager of cyber security consulting for Moss Adams, said.

[…]

Optus ‘left the window open’

The cyber security minister, Clare O’Neill, has questioned why Optus had held on to that much personal information for so long.

She also scoffed at the idea the hack was sophisticated.

“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” she told the ABC. “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”

[…]

Asked about Rosmarin’s comments that the attack was sophisticated, O’Neill said: “Well, it wasn’t.”

On Friday, prime minister Anthony Albanese said what had happened was “unacceptable”. He said Optus had agreed to pay for replacement passports for those affected.

“Australian companies should do everything they can to protect your data,” Albanese said.

“That’s why we’re also reviewing the Privacy Act – and we’re committed to making privacy laws stronger.”

[…]

Australia currently has a $2.2m limit on corporate penalties, and there are calls for harsher penalties to encourage companies to do everything they can to protect consumers.

In the EU, the General Data Protection Regulation means companies are liable for up to 4% of the company’s revenue. Optus’s revenue last financial year was more than $7bn.

[…]

Source: The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle | Optus | The Guardian

If the government has no legal incentive to tighten security and privacy, then companies won’t invest in it.

Hackers Are Hypervisor Hijacking in the wild now

For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

“The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge,” says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system.

[…]

In a technical writeup, Mandiant describes how the hackers corrupted victims’ virtualization setups by installing a malicious version of VMware’s software installation bundle to replace the legitimate version. That allowed them to hide two different backdoors, which Mandiant calls VirtualPita and VirtualPie, in VMware’s hypervisor program known as ESXi. Those backdoors let the hackers surveil and run their own commands on virtual machines managed by the infected hypervisor. Mandiant notes that the hackers didn’t actually exploit any patchable vulnerability in VMware’s software, but instead used administrator-level access to the ESXi hypervisors to plant their spy tools. That admin access suggests that their virtualization hacking served as a persistence technique, allowing them to hide their espionage more effectively long-term after gaining initial access to the victims’ network through other means.

[…]

Source: Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying | WIRED

Australia To Overhaul Privacy Laws After Optus data breach exposes 40% of AU population

Following one of the biggest data breaches in Australian history, the government of Australia is planning to get stricter on requirements for disclosure of cyber attacks. From a report: On Monday, Prime Minister Anthony Albanese told Australian radio station 4BC that the government intended to overhaul privacy legislation so that any company suffering a data breach was required to share details with banks about customers who had potentially been affected in an effort to minimize fraud. Under current Australian privacy legislation, companies are prevented from sharing such details about their customers with third parties.

The policy announcement was made in the wake of a huge data breach last week, which affected Australia’s second-largest telecom company, Optus. Hackers managed to access a vast amount of potentially sensitive information on up to 9.8 million Optus customers — close to 40 percent of the Australian population. Leaked data included name, date of birth, address, contact information, and in some cases, driver’s license or passport ID numbers. Reporting from ABC News Australia suggested the breach may have resulted from an improperly secured API that Optus developed to comply with regulations around providing users multifactor authentication options.

Source: Australia To Overhaul Privacy Laws After Massive Data Breach – Slashdot

Ask.FM database with 350m user records allegedly sold online

The listing allegedly includes 350 million Ask.FM user records, with the threat actor also offering 607 repositories plus their Gitlab, Jira, and Confluence databases. Ask.FM is a question and answer network launched in June 2010, with over 215 million registered users.

“I’m selling the users database of Ask.fm and ask.com. For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases.”

The posting also includes a list of repositories, sample git, and sample user data, as well as mentions of the fields in the database: user_id, username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid. It appears that Ask.FM is using the weak hashing algorithm SHA1 for passwords, putting them at risk of being cracked and exposed to threat actors.
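The risk in storing a fast digest such as SHA-1, even with a per-user salt, is that each guess costs one cheap hash operation. As an added example, not Ask.FM’s code and not based on any knowledge of its implementation beyond the field names above, the block below assumes a legacy row of the shape username/hash/salt hashed as SHA-1 over salt+password, and shows the usual remediation: verify logins against the old scheme, but rehash the password with salted PBKDF2-HMAC-SHA256 on the first successful login so the weak digest is replaced without forcing a reset.

```python
import hashlib
import hmac
import os
from typing import Dict

# Work factor for PBKDF2-HMAC-SHA256; each guess now costs this many HMACs
# instead of one SHA-1.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: a single fast SHA-1 over salt + password."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted PBKDF2-HMAC-SHA256 stored as a self-describing string,
    so the verifier can read the parameters back from the record."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def make_legacy_record(username: str, password: str) -> Dict[str, str]:
    """Constructed legacy row mirroring the hash/salt fields named in the listing."""
    salt = os.urandom(8).hex()
    return {"username": username, "salt": salt,
            "hash": legacy_sha1_hash(password, salt)}


def is_legacy(record: Dict[str, str]) -> bool:
    return not record["hash"].startswith("pbkdf2_sha256$")


def verify_and_upgrade(record: Dict[str, str], password: str) -> bool:
    """Check a login against whichever scheme the row uses; on a correct
    password for a legacy row, rewrite it with the strong scheme in place.
    The caller persists `record` afterwards. Returns True only on success."""
    stored = record["hash"]
    if not is_legacy(record):
        _, iters, salt_hex, dk_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iters))
        # compare_digest avoids leaking where the digests first differ
        return hmac.compare_digest(candidate.hex(), dk_hex)
    candidate = legacy_sha1_hash(password, record["salt"])
    if not hmac.compare_digest(candidate, stored):
        return False
    # Correct password on a legacy row: migrate now, with a fresh salt, so
    # the SHA-1 digest is never stored again.
    record["hash"] = strong_hash(password, os.urandom(16))
    record["salt"] = ""  # the salt now lives inside the PBKDF2 string
    return True
```

Rows that never log in again keep their SHA-1 digest, so a migration of this kind is normally paired with a forced reset for accounts still legacy after a deadline.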

[…]

In response to DataBreaches, the user who posted the database – Data – explained that initial access was gained via a vulnerability in Safety Center. The server was first accessed in 2019, and the database was obtained on 2020-03-14.

Data also suggested that Ask.FM knew about the breach as early as back in 2020.

Source: Ask.FM database with 350m user records allegedly sold online | Cybernews

Revolut banking confirms cyberattack exposed personal data of tens of thousands of users

Fintech startup Revolut has confirmed it was hit by a highly targeted cyberattack that allowed hackers to access the personal details of tens of thousands of customers.

Revolut spokesperson Michael Bodansky told TechCrunch that an “unauthorized third party obtained access to the details of a small percentage (0.16%) of our customers for a short period of time.” Revolut discovered the malicious access late on September 11 and isolated the attack by the following morning.

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected,” Bodansky said. “Customers who have not received an email have not been impacted.”

Revolut, which has a banking license in Lithuania, wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure to the authorities in Lithuania, first spotted by Bleeping Computer, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.

Revolut also declined to say what types of data were accessed but told TechCrunch that no funds were accessed or stolen in the incident. In a message sent to affected customers posted to Reddit, the company said that “no card details, PINs or passwords were accessed.” However, the breach disclosure states that hackers likely accessed partial card payment data, along with customers’ names, addresses, email addresses and phone numbers.

The disclosure states that the threat actor used social engineering methods to gain access to the Revolut database, which typically involves persuading an employee to hand over sensitive information such as their password. This has become a popular tactic in recent attacks against a number of well-known companies, including Twilio, Mailchimp and Okta.

[…]

Source: Revolut confirms cyberattack exposed personal data of tens of thousands of users | TechCrunch

GTA Publisher Take-Two’s Bad Week Gets Worse With Disaster Hack

Take-Two is definitely not having a good time of it. Following the weekend’s colossal leak of GTA VI, its septimana horribilis continues with the fresh news that its 2K Games support services have been hacked, and customers are now being sent out phishing scams.

Posting to the official 2K Support Twitter account, 2K explained that its help desk platform had been hacked, and the invader made off with a whole bunch of customer emails. It says it “became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers.”

[…]

2K has taken its “support portal” offline while they try to figure out what the heck happened, which isn’t a great look, especially in the week of NBA 2K23‘s release. The statement says, “We will issue a notice when you can resume interacting with official 2K help desk emails,” which is…not a foolproof method. Firstly, it gives the impression that there might be a time when a previously unread phishing email would be safe to click on, and secondly, it hardly reaches people who’ve received the email, who aren’t fortunate enough to have noticed the tweet (or read the press coverage).

Meanwhile, those with open tickets are getting told, at the time of writing, that 2K doesn’t “have estimates on when you’ll receive a reply,” with the somewhat ironic suggestion that they, “stay tuned via email.”

For those that think they may have already fallen for the phishing scam, 2K recommends that people reset all passwords, enable multi-factor authentication (but avoid text message-based verification!), clog up their PCs with anti-virus software, and “check your account settings to see if any forwarding rules have been added or changed on your personal email accounts.”

There’s further cause for concern when you notice that one customer recognized that a likely hack had occurred some ten hours before the statement was released, but was fobbed off by the official account. The original customer replied almost nine hours before the hack was confirmed, saying, “at this point its very clear that you guys got hacked on support things related.. make a statement already before the damage is too big.”

Many replies to the statement are from bereft customers, claiming to have lost their accounts, or seen money removed from their games. Many more are from people who clicked on the links in the emails, but now don’t know if they’ve caused any harm to their devices or account, and are not getting clear answers.

[…]

Source: GTA Publisher Take-Two’s Bad Week Gets Worse With Disaster Hack

Crypto market maker Wintermute loses $160 million in DeFi hack

Evgeny Gaevoy, the founder and chief executive of Wintermute, disclosed in a series of tweets that the firm’s decentralized finance operations had been hacked, but that its centralized finance and over-the-counter verticals weren’t affected.

He said that Wintermute — which counts Lightspeed Venture Partners, Pantera Capital and Fidelity’s Avon among its backers — remains solvent with “twice over that amount in equity left.” He assured lenders that if they wish to recall their loans, Wintermute will honor that.

“If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after,” he wrote.

“Out of 90 assets that has been hacked only two have been for notional over $1 million (and none more than $2.5M), so there shouldn’t be a major selloff of any sort. We will communicate with both affected teams asap.”

Wintermute provides liquidity on over 50 exchanges and trading platforms including Binance, Coinbase, FTX, Kraken as well as decentralized platforms Dydx and Uniswap. It’s also an active investor, having backed startups including Nomad, HashFlow and Ondo Finance.

Neither Gaevoy nor Wintermute disclosed when the hack took place, how the attackers were able to succeed, or whether law enforcement has been alerted. TechCrunch has reached out to Wintermute for more details.

Wintermute is the latest in a growing list of crypto firms to have suffered a hack in recent months. Hackers stole over $190 million from cross-chain messaging protocol Nomad just last month. Axie Infinity’s Ronin Bridge lost over $600 million in a hack this April, and Harmony’s Horizon bridge was drained of $100 million in June. More than $1.3 billion was lost in DeFi hacks last year, according to crypto auditing platform Certik.

Source: Crypto market maker Wintermute loses $160 million in DeFi hack | TechCrunch

Robot Opens Master Combination Locks In Less Than A Minute

[…]

In real life, high-quality combination locks are not vulnerable to such simple attacks, but cheap ones can often be bypassed with a minimum of effort. Some are so simple that this process can even be automated, as [Mew463] has shown by building a machine that can open a Master combination lock in less than a minute.

The operating principle is based on research by Samy Kamkar from a couple of years ago. For certain types of Master locks, the combination can be found by applying a small amount of pressure on the shackle and searching for locations on the dial where its movement becomes heavier. A simple algorithm can then be used to completely determine the first and third numbers, and find a list of just eight candidates for the second number.

[Mew463]’s machine automates this process by turning the dial with a stepper motor and pulling on the shackle using a servo and a rack-and-pinion system. A magnetic encoder is mounted on the stepper motor to determine when the motor stalls, while the servo has its internal position encoder brought out as a means of detecting how far the shackle has moved. All of this is controlled by an Arduino Nano mounted on a custom PCB together with a TMC2208 stepper driver.

The machine does its job smoothly and quickly, as you can see in the (silent) video embedded below. All design files are available on the project’s GitHub page, so if you’ve got a drawer full of these locks without combinations, here’s your chance to make them sort-of-useful again. After all, these locks’ vulnerabilities have a long history, and we’ve even seen automated crackers before.

 

Source: Robot Opens Master Combination Locks In Less Than A Minute | Hackaday

Have you patched your Zimbra server – actively exploited hacks

In a security alert updated on Monday, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that cybercriminals are actively exploiting five vulnerabilities in the Zimbra Collaboration Suite (ZCS) to break into both government and private-sector networks. The agencies have provided fresh detection signatures to help admins identify intruders abusing these flaws.

[…]

The five CVE-listed bugs being exploited include CVE-2022-27924, which Zimbra patched in May and which received a 7.5 out of 10 CVSS score. This high-severity bug can be used by an unauthenticated user to ultimately steal email account credentials in cleartext form with no user interaction.

SonarSource security researchers discovered the flaw in March, and published a detailed technical analysis that explained how an attacker could inject arbitrary memcache commands into a targeted instance, causing an overwrite of arbitrary cached entries, allowing them to steal account credentials.
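The root cause described above is a line-oriented protocol fed unvalidated input. The following added example (not Zimbra’s or SonarSource’s code; the key prefix and sample account name are constructed) models the unsafe pattern beside a builder that enforces memcached’s own key rules, which is the check that stops a CRLF from starting a second command:

```python
"""
Memcached's text protocol is line-oriented: every command ends with \r\n and a
key may not contain whitespace or control characters and is at most 250 bytes.
A service that splices untrusted input into a command line without enforcing
those rules lets an embedded CRLF terminate the intended command and begin
another. The functions below contrast the unsafe and the hardened builder.
"""
import re

MAX_KEY_LEN = 250
# Every byte outside printable ASCII (0x21-0x7E) is illegal in a memcached key.
_ILLEGAL = re.compile(rb"[^\x21-\x7e]")


def build_get_unsafe(prefix: str, user_id: str) -> bytes:
    """Naive builder: concatenates untrusted input straight into the protocol line."""
    return f"get {prefix}:{user_id}\r\n".encode("utf-8")


def validate_key(key: bytes) -> None:
    """Enforce memcached's key rules; raise ValueError on any violation."""
    if not key:
        raise ValueError("empty key")
    if len(key) > MAX_KEY_LEN:
        raise ValueError(f"key longer than {MAX_KEY_LEN} bytes")
    m = _ILLEGAL.search(key)
    if m:
        raise ValueError(f"illegal byte 0x{m.group(0)[0]:02x} at offset {m.start()}")


def build_get_safe(prefix: str, user_id: str) -> bytes:
    """Hardened builder: validate the composed key before it reaches the wire."""
    key = f"{prefix}:{user_id}".encode("utf-8")
    validate_key(key)
    return b"get " + key + b"\r\n"


def count_commands(wire: bytes) -> int:
    """Number of protocol lines actually contained in a payload."""
    return len([line for line in wire.split(b"\r\n") if line])


# Constructed sample: an account name that smuggles a second command behind CRLF.
SMUGGLED = "alice@example.test\r\nset route:alice@example.test 0 0 4\r\ndata"

if __name__ == "__main__":
    wire = build_get_unsafe("route", SMUGGLED)
    print("unsafe builder emitted", count_commands(wire), "commands")  # 3
    try:
        build_get_safe("route", SMUGGLED)
    except ValueError as err:
        print("safe builder rejected input:", err)
```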

In June, the security biz publicly released proof-of-concept (POC) exploits for this vulnerability. “Due to the POC and ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks,” the Feds warned.

Another high-severity vulnerability, CVE-2022-27925, which also received a 7.4 CVSS rating, could allow an authenticated user with admin privileges to upload arbitrary files, thus leading to directory traversal. When combined with CVE-2022-37042, CVE-2022-27925 could be exploited without valid administrative credentials, according to researchers from Volexity, which reported more than 1,000 Zimbra email servers had been compromised in attacks chaining the two vulnerabilities.

Further big problems found

CVE-2022-37042 is a critical remote authentication bypass vulnerability that received a 9.8 CVSS rating. Zimbra issued fixes for both of these bugs in late July.

CVE-2022-30333 is a 7.5-rated high-severity flaw in RARLAB UnRAR versions before 6.12 on Linux and Unix-flavored systems. UnRAR is used by Zimbra, and the bug allows miscreants to write to files during an extract operation.

“In the case of Zimbra, successful exploitation gives an attacker access to every single email sent and received on a compromised email server. They can silently backdoor login functionalities and steal the credentials of an organization’s users,” according to SonarSource, which discovered the bug. “With this access, it is likely that they can escalate their access to even more sensitive, internal services of an organization.”

To fix this issue, Zimbra made configuration changes to use the 7zip program instead of UnRAR.

We’re told that a miscreant is selling an exploit kit for CVE-2022-30333, and there’s also a Metasploit module that creates a RAR file, which then can be emailed to a Zimbra server to exploit this flaw.

The fifth known Zimbra vulnerability under active exploit, CVE-2022-24682, is a medium severity cross-site scripting bug that allows crooks to steal session cookie files. Volexity discovered this one, too, and Zimbra patched it in February.

[…]

Source: US government really hopes you’ve patched your Zimbra server • The Register

Smartphone gyroscopes and LED threaten air-gapped systems

[…]

A pair of preprint papers from Mordechai Guri, head of R&D at Ben-Gurion University’s Cyber Security Research Labs, detail new methods for transmitting data ultrasonically to smartphone gyroscopes and sending Morse code signals via LEDs on network interface cards (NICs).

Dubbed Gairoscope and EtherLED respectively, the two exploits are the latest in a long line of research from Guri, who has previously developed air gap exfiltration methods, including stealing data by reading the radio frequency of networking cables, using RAM buses to transmit data electromagnetically, and doing the same with power supplies.

[…]

The problem with phone gyroscopes is that, unlike microphones, whose activation is generally visible, gyroscopes can be “used by many types of applications to ease the graphical interfaces, and users may approve their access without suspicion,” Guri wrote in the paper.

Additionally, Guri cites the lack of a visual indicator in iOS and Android that the gyroscope is being used, and the fact that smartphone gyroscopes can be accessed from a browser using JavaScript, meaning – in theory – that no actual malware need be installed on the device to execute the attack.

Using his method, Guri was able to achieve speeds of up to eight bits per second at a max distance of eight meters, which the paper claims is faster than other established covert acoustic methods. Guri demonstrated the attack in a video showing an Android app detecting and decoding a message typed on a computer monitor within a few seconds of it being typed.

NICing data from LEDs

The second attack Guri reported on was EtherLED, which uses the familiar green-and-amber lights on network interface cards to transmit data in Morse code. As opposed to similar attacks that rely on exploiting lights on keyboards, hard drives and the brightness of monitors, Guri said Ethernet LEDs are “a threat that has not been studied before, theoretically or technically.”

In this case, the lights being used are the novel element. As with other optical exfiltration techniques, EtherLED requires a visual line of sight, and as such is limited by the placement of existing hackable cameras that can spot the infected NIC, and by whether the lights face an outside window where someone could place a drone or other camera capable of picking up the blinks and decoding them.

Additionally, mitigations like covering NIC lights with black tape still apply.

[…]

It’s easy to dismiss attacks against air-gapped systems as rare events aimed at specific types of targets. While uncommon, attacks against such systems can be devastating.

[…]

Guri cites Stuxnet, a joint operation between the US and Israel to destroy Iranian nuclear enrichment systems, as a successful air gap infiltration. In addition, “several attacks on air-gapped facilities such as the power utilities and nuclear power plants have been publicized in recent years,” Guri wrote.

[…]

Source: Smartphone gyroscopes threaten air-gapped systems • The Register

Hackers Use Deepfakes of Binance Exec to Scam Crypto Projects

Binance Chief Communications Officer Patrick Hillmann wrote in a blog post last week that internet scammers had been using deepfake technology to copy his image during video meetings. He started to catch on to this trend when he received messages from the leadership of various crypto projects thanking him for meetings he never attended.

Hillmann shared one screenshot of messages sent over LinkedIn with one supposed project leader telling the Binance exec somebody had impersonated his hologram. The communications officer wrote that a team of hackers had used old interviews found online to create a deepfake of him. Hillmann added that “Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members.”

[…]

Source: Hackers Use Deepfakes of Binance Exec to Scam Crypto Projects

Oktatapus Hack Stole 10,000 Logins From 130 Different Orgs

Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organizations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cybersecurity firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” researchers wrote in their blog Thursday. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

[…]

The hackers first went after companies that were users of Okta, the identity and access management firm that provides single sign-on services to platforms all across the web. Using the toolkit, the threat actor sent SMS phishing messages to victims that were styled to look just like the ID authentication pages provided by Okta. Thinking that they were engaging in a normal security procedure, victims would enter their information—including username, password, and multi-factor authentication code.

After they entered this information, the data was then secretly funneled to a Telegram account controlled by the cybercriminals. From there, the threat actor could use the Okta credentials to log into the organizations that the victims worked for. The network access was subsequently abused to steal company data and engage in more sophisticated supply chain attacks that targeted the broader corporate ecosystems that the firms were a part of.
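The flow above works because a one-time code carries no record of where it was typed, so a look-alike page can relay it in real time. The added example below (not Okta’s, Group-IB’s or the campaign’s code; the origins and shared seed are constructed) contrasts that with a WebAuthn-style verifier that checks the origin recorded in clientDataJSON; the assertion signature check is left out to keep the focus on the origin field.

```python
"""
Why a relayed OTP passes while a relayed WebAuthn assertion does not.
The TOTP side follows RFC 6238; the WebAuthn side performs the relying-party
checks on clientDataJSON (type, challenge, origin) from the spec.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ORIGIN = "https://sso.example-corp.test"          # constructed legitimate origin
PHISH_ORIGIN = "https://sso.example-corp-okta.test"  # constructed look-alike origin


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code says nothing about where it was entered."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_otp(secret: bytes, submitted: str, t: int) -> bool:
    """Server side of an OTP login: the submission's origin is invisible here."""
    return hmac.compare_digest(totp(secret, t), submitted)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(challenge: bytes, origin: str) -> str:
    """clientDataJSON as the browser builds it: it fills in the origin it displayed."""
    body = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(body).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> bool:
    """Relying-party checks: ceremony type, the challenge we issued, and our origin."""
    cd = json.loads(b64url_decode(client_data_b64))
    return (cd.get("type") == "webauthn.get"
            and hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge))
            and cd.get("origin") == RP_ORIGIN)


def phishing_relay_demo() -> dict:
    """Victim acts on a look-alike page whose operator relays everything to the real RP."""
    secret = b"constructed-shared-seed"
    now = int(time.time())
    challenge = secrets.token_bytes(32)  # issued by the real RP, relayed to the victim
    relayed_code = totp(secret, now)     # victim typed this into the fake page
    # In practice the browser would refuse to use a credential scoped to RP_ORIGIN on
    # PHISH_ORIGIN at all; even if it did not, the origin field betrays the relay.
    phished_assertion = make_client_data(challenge, PHISH_ORIGIN)
    genuine_assertion = make_client_data(challenge, RP_ORIGIN)
    return {
        "otp_relay_accepted": verify_otp(secret, relayed_code, now),
        "webauthn_relay_accepted": verify_client_data(phished_assertion, challenge),
        "genuine_webauthn_accepted": verify_client_data(genuine_assertion, challenge),
    }
```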

[…]

Source: Oktatapus Hack Stole 10,000 Logins From 130 Different Orgs

Samsung says customer data stolen in July data breach – again

Electronics giant Samsung has confirmed a data breach affecting customers’ personal information.

In a brief notice, Samsung said it discovered the security incident in late July and that an “unauthorized third party acquired information from some of Samsung’s U.S. systems.” The company said it determined customer data was compromised on August 4.

Samsung said Social Security numbers and credit card numbers were not affected, but some customer information — name, contact and demographic information, date of birth, and product registration information — was taken.

“The information affected for each relevant customer may vary. We are notifying customers to make them aware of this matter,” said the statement.

Samsung spokesperson Chris Langlois told TechCrunch by email via crisis communications firm Edelman that demographic data relates to customer information used for marketing and advertising, but didn’t specify what types of data this includes. Langlois added that registration data, provided by customers in order to access support and warranty information, includes product purchase date, model, and device ID.

Langlois declined to say how many customers were affected or why it took Samsung more than a month to notify customers about the breach, which was announced just hours ahead of a U.S. holiday weekend marking Labor Day.

[…]

This is the second time Samsung has confirmed a data breach this year. In March, the company admitted that the Lapsus$ hacking group — the same group that infiltrated Nvidia, Microsoft and T-Mobile — obtained and leaked almost 200 gigabytes of confidential data, including source code for various technologies and algorithms for biometric unlock operations.

Source: Samsung says customer data stolen in July data breach | TechCrunch

Twilio SMS service attacker ‘explicitly’ looked for 3 Signal numbers

The security breach at Twilio earlier this month affected at least one high-value customer, Signal, and led to the exposure of the phone number and SMS registration codes for 1,900 users of the encrypted messaging service, it confirmed.

However, Signal – considered one of the better secured of all the encrypted messaging apps – claims the attacker would not have been able to access the message history, contact lists, profile information, or other personal data associated with these user accounts. The non-profit organization said in a security note on its site that it has identified and is notifying the 1,900 users directly, and prompting them to re-register Signal on their devices.

The company had already come under fire for its practice of SMS verification in the past, something which has rebounded in the wake of the disclosure.

According to Signal, Twilio provides SMS verification services for its platform. Twilio provides messaging, call center and two-factor authentication services, among others, to about 256,000 customers altogether – although it said in an earlier incident report about the breach that only 125 of its customers had data “accessed by malicious actors for a limited period of time.”

The news that Signal was one of the 125 has raised questions about the identity of other Twilio customers, especially as the encrypted comms platform is known for its transparency. Others may be less forthcoming.

According to Signal’s security note, when Twilio was hit by a phishing attack earlier this month, this may have led to the phone numbers of 1,900 Signal users being revealed as registered to a Signal account. The encryption app platform added that the users’ SMS verification codes were also exposed.

It appears that during the window of time that the attacker had access to Twilio’s customer support systems, it would have been possible for them to attempt to re-register the phone numbers they had accessed, transferring the Signal account to another device under their own control, using the SMS verification code. Signal also stresses that the attacker no longer has this access, and that the attack had been shut down by Twilio.

Intriguingly, Signal states that the attacker explicitly searched for three phone numbers among the 1,900 accessed, and the organization has since received a report from one of those three users that their account was indeed re-registered and hijacked.

[…]

Source: Twilio attacker ‘explicitly’ looked for 3 Signal numbers

Video-Ident hacked by CCC

Services offering Video-Ident allow users to prove their identity to them by transmitting video showing themselves and an identity document for verification by an operator or by software. Once identified, individuals can proceed to sign up for cell phone contracts, create electronic signatures which are legally binding throughout the EU (QES), apply for credit and open bank accounts – or access their German personal health record (ePA).

A specially devised choreography designed to reveal circumstantial evidence such as visible security holograms or facial expressions is supposed to answer two critical questions in every Video-Ident session: Is the identity document genuine? Is the person in front of the camera genuine? Video-Ident service providers claim that their solutions reliably detect fraud attempts.

Open source software and a little watercolour

Martin Tschirsich, a security researcher with the CCC, demonstrates the failure to keep that promise in his report published today (all links refer to sources in German). In 2019 Tschirsich had already demonstrated how unauthorized individuals could acquire German medical insurance cards as well as special doctors’ and clinics’ electronic ID cards.

[…]


Source: CCC | Chaos Computer Club hacks Video-Ident

Cryptocurrency firm Nomad offers 10% bounty to hackers who stole $190 million

Hackers recently stole $190 million from cryptocurrency cross-chain token platform Nomad, and now the company says it will pay a bounty to the thieves if they return those assets.

Nomad says it will pay the hackers an amount that is worth up to 10% of the stolen funds and call off its lawyers after the money is returned to an official “recovery wallet.” It will also consider the cyberthieves to be ethical — or “white hat” — hackers.

The initial theft happened earlier this week when Nomad’s routing systems were being upgraded, which allowed attackers to spoof messages and copy and paste transactions. Nomad’s bridge was zapped quickly in what one researcher called a “frenzied free-for-all.”

The exploit is the seventh major incident to target a bridge in 2022, and it is the eighth largest cryptocurrency theft of all time, according to blockchain analysis firm Elliptic. Added together, over a dozen unique hacks have occurred in 2022, with more than $2 billion stolen from cross-chain bridges like Nomad.

Nomad’s willingness to work with the intruders

Elliptic said there were 40 hackers involved in the Nomad incident, and the company appears to want to make the return of its money as much of a win-win as possible.

For anyone to qualify for the bounty, the only conditions Nomad sets are that the hackers return at least 90% of the total funds they took, use Ethereum as the currency, use Anchorage Digital (a nationally regulated custodian bank), and do it in a “timely” fashion. The company didn’t give a specific number of days or weeks as a deadline, but it said it will continue to work with its online community, blockchain analysis firms, and law enforcement to guarantee that all funds are returned.

[…]

Source: Cryptocurrency firm Nomad offers 10% bounty to hackers who stole $190 million