Video-Ident hacked by CCC

Services offering Video-Ident allow users to prove their identity to them by transmitting video showing themselves and an identity document for verification by an operator or by software. Once identified, individuals can proceed to sign up for cell phone contracts, create electronic signatures which are legally binding throughout the EU (QES), apply for credit and open bank accounts – or access their German personal health record (ePA).

A specially devised choreography designed to reveal circumstantial evidence such as visible security holograms or facial expressions is supposed to answer two critical questions in every Video-Ident session: Is the identity document genuine? Is the person in front of the camera genuine? Video-Ident service providers claim that their solutions reliably detect fraud attempts.

Open source software and a little watercolour

Martin Tschirsich, a security researcher with the CCC, demonstrates the failure to keep that promise in his report published today (all links refer to sources in German). In 2019 Tschirsich had already demonstrated how unauthorized individuals could acquire German medical insurance cards as well as special doctors’ and clinics’ electronic ID cards.

[…]

Links and further information

Source: CCC | Chaos Computer Club hacks Video-Ident

Cryptocurrency firm Nomad offers 10% bounty to hackers who stole $190 million

Hackers recently stole $190 million from cryptocurrency cross-chain token platform Nomad, and now the company says it will pay a bounty to the thieves if they return those assets.

Nomad says it will pay the hackers an amount that is worth up to 10% of the stolen funds and call off its lawyers after the money is returned to an official “recovery wallet.” It will also consider the cyberthieves to be ethical — or “white hat” — hackers.

The initial theft happened earlier this week when Nomad’s routing systems were being upgraded, which allowed attackers to spoof messages and copy and paste transactions. Nomad’s bridge was zapped quickly in what one researcher called a “frenzied free-for-all.”

The exploit is the seventh major incident to target a bridge in 2022, and it is the eighth largest cryptocurrency theft of all time, according to blockchain analysis firm Elliptic. Added together, over a dozen unique hacks have occurred in 2022, with more than $2 billion stolen from cross-chain bridges like Nomad.

Nomad’s willingness to work with the intruders

Elliptic said there were 40 hackers involved in the Nomad incident, and the company appears to want to make the return of its money as much of a win-win as possible.

For anyone to qualify for the bounty, the only caveats Nomad has are that the hackers have to return at least 90% of the total funds they hacked, use Ethereum as the currency, use Anchorage Digital (a nationally regulated custodian bank), and do it in a “timely” fashion. The company didn’t give a specific number of days or weeks as a deadline, but it said it will continue to work with its online community, blockchain analysis firms, and law enforcement to guarantee that all funds are returned.

[…]

Source: Cryptocurrency firm Nomad offers 10% bounty to hackers who stole $190 million

New Gmail Attack Bypasses Passwords And 2FA To Read All Email in browser extension

According to cyber security firm Volexity, the threat research team has found the North Korean ‘SharpTongue’ group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn’t need your Gmail login credentials at all.

Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. This quickly evolving threat, which Volexity says is already on version 3.0 according to the malware’s internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

CISA says Kimsuky hackers ‘most likely tasked by North Korean regime’

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is “most likely tasked by the North Korean regime with a global intelligence gathering mission.”

While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often “work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.”

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn’t attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it.

The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be.

[…]

Source: New Gmail Attack Bypasses Passwords And 2FA To Read All Email

Hackers stole passwords for accessing 140,000 Wiseasy payment terminals

Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch.

Wiseasy is a brand you might not have heard of, but it’s a popular Android-based payment terminal maker used in restaurants, hotels, retail outlets and schools across the Asia-Pacific region. Through its Wisecloud cloud service, Wiseasy can remotely manage, configure and update customer terminals over the internet.

But Wiseasy employee passwords used for accessing Wiseasy’s cloud dashboards — including an “admin” account — were found on a dark web marketplace actively used by cybercriminals, according to the startup.

Youssef Mohamed, chief technology officer at pen-testing and dark web monitoring startup Buguard, told TechCrunch that the passwords were stolen by malware on the employees’ computers. Mohamed said two cloud dashboards were exposed, but neither was protected with basic security features, like two-factor authentication, and allowed hackers to access nearly 140,000 Wiseasy payment terminals around the world.

[…]

Buguard said it first contacted Wiseasy about the compromised dashboards in early July, but efforts to disclose the compromise were met with meetings with executives that were later canceled without warning, and according to Mohamed, the company declined to say if or when the cloud dashboards would be secured.

Screenshots of the dashboards seen by TechCrunch show an “admin” user with remote access to Wiseasy payment terminals, including the ability to lock the device and remotely install and remove apps. The dashboard also allowed anyone to view names, phone numbers, email addresses and access permissions for Wiseasy dashboard users, including the ability to add new users.

Another dashboard view also shows the Wi-Fi name and plaintext password of the network that payment terminals are connected to.

Mohamed said anyone with access to the dashboards could control Wiseasy payment terminals and make configuration changes.

[…]

Source: Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

For 12 Hours, Was Part of Apple Engineering’s Network Hijacked by Russia’s Rostelecom?

For a little over 12 hours on 26-27 July, a network operated by Russia’s Rostelecom started announcing routes for part of Apple’s network. The effect was that Internet users in parts of the Internet trying to connect to Apple’s services may have been redirected to the Rostelecom network. Apple Engineering appears to have been successful in reducing the impact, and eventually Rostelecom stopped sending the false route announcements. This event demonstrated, though, how Apple could further protect its networks by using Route Origin Authorizations (ROAs).

We are not aware of any information yet from Apple that indicates what, if any, Apple services were affected. We also have not seen any information from Rostelecom about whether this was a configuration mistake or a deliberate action.

Let’s dig into what we know so far about what happened, and how Route Origin Authorization (ROA) can help prevent these kinds of events.

Around 21:25 UTC on 26 July 2022, Rostelecom’s AS12389 network started announcing 17.70.96.0/19. This prefix is part of Apple’s 17.0.0.0/8 block; usually, Apple only announces the larger 17.0.0.0/9 block and not this shorter prefix length.

When the routes a network is announcing are not covered by valid Route Origin Authorization (ROA), the only option during a route hijack is to announce more specific routes. This is exactly what Apple Engineering did today; upon learning about the hijack, it started announcing 17.70.96.0/21 to direct traffic toward AS714.

[Figure: RIPE RIS data, captured via pybgpkit tool]

It is not clear what AS12389 was doing, as it announced the same prefix at the same time with AS prepend as well.

[Figure: RIPE RIS data, captured via pybgpkit tool]

In the absence of any credible data to filter out any possible hijack attempts, the route announced by AS12389 was propagated across the globe. The incident was picked up by BGPstream.com (Cisco Works) and GRIP Internet Intel (GA Tech).

BGP Stream Possible BGP Hijack Details: https://bgpstream.crosswork.cisco.com/event/293915
GRIP Prefix Event Details: https://grip.inetintel.cc.gatech.edu/events/submoas/submoas-1658870700-714=12389/17.70.96.0-19_17.0.0.0-9

Our route collectors in Sydney and Singapore also picked up these routes originated from AS12389:

BGP4MP_ET|07/26/22 21:25:10.065207|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3257 1273 12389 12389 12389 12389|IGP 

BGP4MP_ET|07/26/22 21:25:11.211901|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 7474 7473 12389|IGP 

BGP4MP_ET|07/26/22 21:25:12.022767|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 4826 12389|IGP 

BGP4MP_ET|07/26/22 21:29:06.885842|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3491 1273 12389|IGP

Apple must have received the alert too. Whatever mitigation techniques they tried didn’t stop the Rostelecom announcement and so Apple announced the more specific route. As per the BGP path selection process, the longest-matching route is preferred first. Prefix length supersedes all other route attributes. Apple started announcing 17.70.96.0/21 to direct traffic toward AS714.
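The two mechanisms the article leans on, longest-prefix match as the mitigation and Route Origin Authorization as the prevention, are easy to check on the collector lines quoted above. The following is an added example (not from the MANRS article or any collector tooling): it parses the four BGP4MP_ET lines as printed, adds a fifth, constructed line that stands in for Apple’s more-specific 17.70.96.0/21 from AS714, runs RFC 6811 route origin validation against a hypothetical ROA (AS714 authorised for 17.0.0.0/8 with maxLength 9, mirroring the article’s note that Apple normally announces only the /9), and shows which origin wins for a given destination address. The ROA, the fifth line and the timestamps on it are assumptions for illustration only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the four route-collector lines quoted above
# (17.70.96.0/19 originated by AS12389) plus one hypothetical fifth line that
# models Apple's more-specific 17.70.96.0/21 from AS714 as the article describes.
# The fifth line is an assumption for this example, not real collector output.
BGP_LINES = [
    "BGP4MP_ET|07/26/22 21:25:10.065207|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3257 1273 12389 12389 12389 12389|IGP",
    "BGP4MP_ET|07/26/22 21:25:11.211901|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 7474 7473 12389|IGP",
    "BGP4MP_ET|07/26/22 21:25:12.022767|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 4826 12389|IGP",
    "BGP4MP_ET|07/26/22 21:29:06.885842|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3491 1273 12389|IGP",
    "BGP4MP_ET|07/26/22 22:00:00.000000|A|169.254.169.254|64515|17.70.96.0/21|64515 65534 20473 714|IGP",
]


def make_roa(prefix, max_length, origin_as):
    """A ROA as (prefix, maxLength, origin AS); no RPKI object parsing is done here."""
    return (ipaddress.ip_network(prefix), max_length, origin_as)


# Hypothetical ROA for the example: AS714 authorised for 17.0.0.0/8 down to /9,
# mirroring the article's note that Apple normally announces only 17.0.0.0/9.
ROAS = [make_roa("17.0.0.0/8", 9, 714)]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple
    origin_as: int


def parse_bgp4mp(line):
    """Parse one pipe-separated BGP4MP_ET collector line into a Route."""
    fields = line.split("|")
    prefix = ipaddress.ip_network(fields[5])
    as_path = tuple(int(asn) for asn in fields[6].split())
    # The origin is the last AS on the path; prepending repeats it but does not change it.
    return Route(prefix, as_path, as_path[-1])


def rov_state(route, roas):
    """RFC 6811 route origin validation: Valid, Invalid or NotFound."""
    covered = False
    for roa_prefix, max_length, origin_as in roas:
        if route.prefix.subnet_of(roa_prefix):
            covered = True
            if origin_as == route.origin_as and route.prefix.prefixlen <= max_length:
                return "Valid"
    return "Invalid" if covered else "NotFound"


def rov_report(lines, roas):
    """Map each (prefix, origin AS) seen in the collector lines to its ROV state."""
    return {(str(r.prefix), r.origin_as): rov_state(r, roas)
            for r in map(parse_bgp4mp, lines)}


def best_route(dest_ip, routes):
    """BGP longest-prefix match: prefix length beats every other attribute."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if ip in r.prefix]
    return max(matching, key=lambda r: r.prefix.prefixlen, default=None)


if __name__ == "__main__":
    routes = [parse_bgp4mp(line) for line in BGP_LINES]
    for key, state in rov_report(BGP_LINES, ROAS).items():
        print(key, state)
    for dest in ("17.70.97.1", "17.70.110.1"):
        print(dest, "->", best_route(dest, routes).origin_as)
```

Two things the run makes visible. First, under the hypothetical ROA the AS12389 /19 validates as Invalid, which is exactly the signal a ROV-enforcing network needs to drop it; but Apple’s own /21 counter-announcement would also be Invalid, because the /8 ROA only authorises down to /9, so a ROA set has to anticipate the more-specifics you may need to announce during an incident (adding a ROA for the /21 turns it Valid). Second, the /21 only wins longest-prefix match for the addresses it covers; a destination such as 17.70.110.1 sits in the /19 but outside the /21, so it is still routed to the hijacking origin.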

[…]

Source: For 12 Hours, Was Part of Apple Engineering’s Network Hijacked by Russia’s Rostelecom? – MANRS

Discovery of UEFI rootkit exposes an ugly truth: The attacks are invisible to us

Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.

Exotic, yes. Rare, no.

On Monday, researchers from Kaspersky profiled CosmicStrand, the security firm’s name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. The find is among only a handful of such UEFI threats known to have been used in the wild. Until recently, researchers assumed that the technical demands required to develop UEFI malware of this caliber put it out of reach of most threat actors. Now, with Kaspersky attributing CosmicStrand to an unknown Chinese-speaking hacking group with possible ties to cryptominer malware, this type of malware may not be so rare after all.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described,” Kaspersky researchers wrote. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”


While researchers from fellow security firm Qihoo360 reported on an earlier variant of the rootkit in 2017, Kaspersky and most other Western-based security firms didn’t take notice. Kaspersky’s newer research describes in detail how the rootkit—found in firmware images of some Gigabyte or Asus motherboards—is able to hijack the boot process of infected machines. The technical underpinnings attest to the sophistication of the malware.

[…]

Source: Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica

US court system suffered ‘incredibly significant attack’ – no details known yet

The United States’ federal court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.”

That quote comes from congressional representative Jerrold Lewis Nadler, who uttered them on Thursday in his introductory remarks to a House Committee on the Judiciary hearing conducting oversight of the Department of Justice National Security Division (NSD).

Nadler segued into the mention of the breach after mentioning the NSD’s efforts to defend America against external actors that seek to attack its system of government. He commenced his remarks on the attack at the 4:40 mark in the video below:

The rep’s remarks appear to refer to the January 2021 disclosure by James C. Duff, who at the time served as secretary of the Judicial Conference of the United States, of “an apparent compromise” of confidentiality in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF).

That incident may have exploited vulnerabilities in CM/ECF and “greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings.”

Such documents are filed by the US government in cases that touch on national security, and therefore represent valuable intelligence.

The star witness at the hearing, assistant attorney general for National Security Matthew Olsen, said the Department of Justice continues to investigate the matter, adding the attack has not impacted his unit’s work.

But Olsen was unable – or unwilling – to describe the incident in detail.

However, a report in Politico quoted an unnamed aide as saying “the sweeping impact it may have had on the operation of the Department of Justice is staggering.”

For now, the extent of that impact, and its cause, are not known.

The nature of the vulnerability and the methods used to exploit it are also unknown, but Nadler suggested it is not related to the SolarWinds attack that the Judiciary has already acknowledged.

Olsen said he would update the Committee with further information once that’s possible. Representatives in the hearing indicated they await those details with considerable interest.

Source: US court system suffered ‘incredibly significant attack’ • The Register

How I Hacked My Car – completely pwn a 2021 Hyundai Ioniq head unit – a story in 3 parts

The Car

Last summer I bought a 2021 Hyundai Ioniq SEL. It is a nice fuel-efficient hybrid with a decent amount of features like wireless Android Auto/Apple CarPlay, wireless phone charging, heated seats, & a sunroof. One thing I particularly liked about this vehicle was the In-Vehicle Infotainment (IVI) system. As I mentioned before it had wireless Android Auto which seemed to be uncommon in this price range, and it had pretty nice, smooth animations in its menus which told me the CPU/GPU in it wasn’t completely underpowered, or at least the software it was running wasn’t super bloated.

Source: howIHackedMyCar :: Programming With Style

All three parts are very much worth reading.

Hacker Liberates Hyundai Head Unit, Writes Custom Apps | Hackaday

[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ioniq D-Audio 2V dash.

In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.

This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head units hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.

Source: Hacker Liberates Hyundai Head Unit, Writes Custom Apps | Hackaday

Apple AirTags Hacked And Cloned With Voltage Glitching

[…]

researchers have shown that it’s possible to clone these devices, as reported by Hackster.io.

The research paper explains the cloning process, which requires physical access to the hardware. To achieve the hack, the Nordic nRF52832 inside the AirTag must be voltage glitched to enable its debug port. The researchers were able to achieve this with relatively simple tools, using a Pi Pico fitted with a few additional components.

With the debug interface enabled, it’s simple to extract the microcontroller’s firmware. It’s then possible to clone this firmware onto another tag. The team also experimented with other hacks, like having the AirTag regularly rotate its ID to avoid triggering anti-stalking warnings built into Apple’s tracing system.

As the researchers explain, it’s clear that AirTags can’t really be secure as long as they’re based on a microcontroller that is vulnerable to such attacks. It’s not the first AirTag cloning we’ve seen either. They’re an interesting device with some serious privacy and safety implications, so it pays to stay abreast of developments in this area.

[…]

Source: Apple AirTags Hacked And Cloned With Voltage Glitching | Hackaday

Supremes ‘doxxed’ after overturning Roe v Wade

The US Supreme Court justices who overturned Roe v. Wade last month may have been doxxed – had their personal information including physical and IP addresses, and credit card info revealed – according to threat intel firm Cybersixgill.

As expected, the fallout from the controversial ruling, which reversed the court’s 1973 decision that federally protected access to abortion, has been immense, creating deep ripples across the cybersphere where data privacy concerns abound.

[…]

In a twist on using personal data for questionable purposes, it appears some hacktivists are taking matters into their own hands and seemingly leaked private information about five conservative Supremes: Justices Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh and Amy Coney Barrett, according to research published today by Cybersixgill’s security research lead Dov Lerner.

Although Chief Justice John Roberts voted with the majority, the doxxers didn’t expose his personal data.

Lerner, who told The Register he found the doxes on “various dark web forums,” said the “most notable” dox happened on June 30, and alleges to include physical addresses, IP addresses, and credit card information, including CVV (which the doxers called “little funny 3 numbers on the back”) and expiration date.

[…]

Source: Supremes ‘doxxed’ after overturning Roe v Wade • The Register

Maybe this is an expression of the right to bear arms.

A Bored Chinese Housewife Spent Years Falsifying Russian History on Wikipedia

Posing as a scholar, a Chinese woman spent years writing alternative accounts of medieval Russian history on Chinese Wikipedia, conjuring imaginary states, battles, and aristocrats in one of the largest hoaxes on the open-source platform.

The scam was exposed last month by Chinese novelist Yifan, who was researching for a book when he came upon an article on the Kashin silver mine.

Discovered by Russian peasants in 1344, the Wikipedia entry goes, the mine engaged more than 40,000 slaves and freedmen, providing a remarkable source of wealth for the Russian principality of Tver in the 14th and 15th centuries as well as subsequent regimes. The geological composition of the soil, the structure of the mine, and even the refining process were fleshed out in detail in the entry.

Yifan thought he’d found interesting material for a novel. Little did he know he’d stumbled upon an entire fictitious world constructed by a user known as Zhemao. It was one of 206 articles she has written on Chinese Wikipedia since 2019, weaving facts into fiction in an elaborate scheme that went uncaught for years and tested the limits of crowdsourced platforms’ ability to verify information and fend off bad actors.

[…]

Yifan was tipped off when he ran the silver mine story by Russian speakers and fact-checked Zhemao’s references, only to find that the pages or versions of the books she cited did not exist. People he consulted also called out her lengthy entries on ancient conflicts between Slavic states, which could not be found in Russian historical records. “They were so rich in details they put English and Russian Wikipedia to shame,” Yifan wrote on Zhihu, a Chinese site similar to Quora, where he shared his discovery last month and caused a stir.

The scale of the scam came to light after a group of volunteer editors and other Wikipedians, such as Yip, combed through her past contributions to nearly 300 articles.

One of her longest articles was almost the length of “The Great Gatsby.” With the formal, authoritative tone of an encyclopedia, it detailed three Tartar uprisings in the 17th century that left a lasting impact on Russia, complete with a map she made. In another entry, she shared rare images of ancient coins, which she claimed to have obtained from a Russian archaeological team.

[…]

Source: A Bored Chinese Housewife Spent Years Falsifying Russian History on Wikipedia

Brilliant – and she’s not the only one!

Joshua Schulte: Former CIA hacker convicted of Vault 7 data leak

[…]

Joshua Schulte was convicted of sending the CIA’s “Vault 7” cyber-warfare tools to the whistle-blowing platform. He had denied the allegations.

The 2017 leak of some 8,761 documents revealed how intelligence officers hacked smartphones overseas and turned them into listening devices.

Prosecutors said the leak was one of the most “brazen” in US history.

Damian Williams, the US attorney for the Southern District of New York, said Mr Schulte’s actions had “a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm”.

Mr Schulte, who represented himself at the trial in Manhattan federal court, now faces decades in prison. He also faces a separate trial on charges of possessing images and videos of child abuse, to which he has pleaded not guilty.

After joining the CIA in 2010, Mr Schulte soon achieved the organisation’s highest security clearance. He went on to work at the agency’s headquarters in Langley, Virginia, designing a suite of programmes used to hack computers, iPhones and Android phones and even smart TVs.

Prosecutors alleged in 2016 that he transmitted the stolen information to Wikileaks and then lied to FBI agents about his role in the leak.

They added that he was seemingly motivated by anger over a workplace dispute in which his employer ignored his complaints. The software engineer had been struggling to meet deadlines and Assistant US Attorney Michael Lockard said one of his projects was so far behind schedule that he had earned the nickname “Drifting Deadline”.

The prosecutors said he wanted to punish those he perceived to have wronged him and said in “carrying out that revenge, he caused enormous damage to this country’s national security”.

But Mr Schulte said the government had no evidence that he was motivated by revenge and called the argument “pure fantasy”. In his closing argument, he claimed that “hundreds of people had access” to the leaked files and that “hundreds of people could have stolen it”.

“The government’s case is riddled with reasonable doubt,” he added.

[…]

Source: Joshua Schulte: Former CIA hacker convicted of ‘brazen’ data leak – BBC News

Rolling pwn hack opens Honda cars by listening to keyfob 100 feet away

Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner’s key fob. Dubbed “Rolling Pwn,” the attack allows any individual to “eavesdrop” on a remote key fob from nearly 100 feet away and reuse the codes later to unlock or start a vehicle in the future without the owner’s knowledge.

Despite Honda’s dispute that the technology in its key fobs “would not allow the vulnerability,” The Drive has independently confirmed the validity of the attack with its own demonstration.

Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle.

The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a “window.” When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks.

This attack works by eavesdropping on a paired keyfob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.
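The window and invalidation behaviour described in the last three paragraphs, and the resynchronisation weakness that undoes it, can be modelled in a few dozen lines. The following is an added example and not Honda’s protocol, The Drive’s code or the researchers’ tooling: rolling codes are modelled as an authenticated counter (counter plus HMAC tag under a constructed per-fob key), the vehicle accepts only codes strictly ahead of the last one it took within a window of 16, and an out-of-window code is parked until a second, consecutive code arrives, the usual way a fob that was pressed out of range catches up. The only difference between the two receivers is whether that resynchronisation may move the stored counter backwards. All keys, counters and window sizes are assumptions for illustration.

```python
import hmac
import hashlib

# Constructed per-fob secret for the model; a real fob/vehicle pair shares one
# programmed at manufacture. Nothing here models Honda's actual radio protocol.
FOB_KEY = b"constructed-demo-fob-key"
WINDOW = 16  # how far ahead of the last accepted counter the vehicle will look


def code_for(counter):
    """Rolling code = authenticated counter, rendered as '<counter>:<HMAC tag>'."""
    tag = hmac.new(FOB_KEY, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]
    return f"{counter}:{tag}"


def verify_code(code):
    """Return the counter if the tag is genuine, otherwise None."""
    counter_text, _, tag = code.partition(":")
    if not counter_text.isdigit():
        return None
    counter = int(counter_text)
    expected = code_for(counter).partition(":")[2]
    return counter if hmac.compare_digest(expected, tag) else None


class Fob:
    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return code_for(self.counter)


class Vehicle:
    """Window-based receiver.

    allow_backward_resync=True models the weakness described above: a pair of
    consecutive genuine codes is accepted as a resynchronisation even when it
    moves the stored counter backwards, so older captured codes become valid
    again. The hardened receiver (False) only ever moves its counter forward.
    """

    def __init__(self, allow_backward_resync=False):
        self.last = 0        # highest counter accepted so far
        self.pending = None  # first code of a possible resync pair
        self.allow_backward_resync = allow_backward_resync

    def receive(self, code):
        counter = verify_code(code)
        if counter is None:
            return False
        # Normal case: strictly ahead of the last accepted code and inside the window.
        if self.last < counter <= self.last + WINDOW:
            self.last, self.pending = counter, None
            return True
        # Out of window: require a second, consecutive code before resynchronising.
        if self.pending is not None and counter == self.pending + 1:
            if counter > self.last or self.allow_backward_resync:
                self.last, self.pending = counter, None
                return True
        self.pending = counter
        return False


def replay_scenario(allow_backward_resync):
    """Return (single_replay_ok, pair_replay_ok, older_code_ok, final_counter)."""
    fob, car = Fob(), Vehicle(allow_backward_resync)
    captured = [fob.press() for _ in range(5)]   # counters 1..5, as if recorded off-air
    for code in captured:
        car.receive(code)                         # owner uses them legitimately -> last = 5
    for _ in range(10):
        car.receive(fob.press())                  # further normal use -> last = 15
    single = car.receive(captured[0])             # plain replay of counter 1
    car.receive(captured[1])                      # counter 2: first half of a pair
    pair = car.receive(captured[2])               # counter 3: consecutive -> resync?
    older = car.receive(captured[3])              # counter 4: only valid if the counter rolled back
    return single, pair, older, car.last


def forward_resync_scenario():
    """A fob pressed many times out of range still catches up on the hardened receiver."""
    fob, car = Fob(), Vehicle()
    for _ in range(5):
        car.receive(fob.press())       # last = 5
    for _ in range(40):
        fob.press()                    # presses out of range; fob counter is now 45
    first = car.receive(fob.press())   # 46: outside the window, parked as pending
    second = car.receive(fob.press())  # 47: consecutive and forward -> accepted
    return first, second, car.last


if __name__ == "__main__":
    print("backward resync allowed:", replay_scenario(True))
    print("forward-only receiver:  ", replay_scenario(False))
    print("legitimate catch-up:    ", forward_resync_scenario())
```

The single-code replay is rejected by both receivers, which is the protection the article credits rolling codes with. The difference appears on the consecutive pair: the receiver that lets a resync move backwards drops its counter to 3 and then accepts counter 4, an old captured code, while the forward-only receiver keeps its counter at 15 and rejects all of them, yet still accepts a legitimate out-of-range fob once two consecutive forward codes arrive. Monotonic counters are the design property to look for when evaluating a keyless-entry implementation.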

A similar vulnerability was discovered late last year and added to the Common Vulnerabilities and Exposures database (CVE-2021-46145), and again this year for other Honda-branded vehicles (CVE-2022-27254). However, Honda has yet to address the issue publicly, or with any of the security researchers who have reported it. In fact, when the security researchers responsible for the latest vulnerability reached out to Honda to disclose the bug, they said they were instead told to call customer service rather than submit a bug report through an official channel.

[…]

Source: I Tried the Honda Key Fob Hack on My Own Car. It Totally Worked

Marriott Hotels confirms yet another data breach

Hotel group Marriott International has confirmed another data breach, with hackers claiming to have stolen 20 gigabytes of sensitive data, including guests’ credit card information.

The incident, first reported by Databreaches.net, is said to have happened in June when an unnamed hacking group claimed they used social engineering to trick an employee at a Marriott hotel in Maryland into giving them access to their computer.

[…]

Marriott said the hotel chain identified, and was investigating, the incident before the threat actor contacted the company in an extortion attempt, which Marriott said it did not pay.

The group claiming responsibility for the attack say the stolen data includes guests’ credit card information and confidential information about both guests and employees. Samples of the data provided to Databreaches.net purport to show reservation logs for airline crew members from January 2022 and names and other details of guests, as well as credit card information used to make bookings.

However, Marriott told TechCrunch that its investigation determined that the data accessed “primarily contained non-sensitive internal business files regarding the operation of the property.”

The company said that it is preparing to notify 300-400 individuals regarding the incident, and has already notified relevant law enforcement agencies.

This isn’t the first time Marriott has suffered a significant data breach. Hackers breached the hotel chain in 2014 to access almost 340 million guest records worldwide — an incident that went undetected until September 2018 and led to a £14.4 million ($24 million) fine from the U.K.’s Information Commissioner’s Office. In January 2020, Marriott was hacked again in a separate incident that affected around 5.2 million guests.

[…]

Source: Hotel giant Marriott confirms yet another data breach | TechCrunch

Hacker claims to have stolen data of 1bn Chinese from Shanghai police

A hacker has claimed to have procured a trove of personal information from the Shanghai police on one billion Chinese citizens, which tech experts say, if true, would be one of the biggest data breaches in history.

The anonymous internet user, identified as “ChinaDan,” posted on hacker forum Breach Forums last week offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000.

“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen,” the post said.

“Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”

Source: Hacker claims to have stolen data of 1bn Chinese from police – Nikkei Asia

Yay big centralised databases

How mercenary hackers sway litigation battles – based on a trove of Indian hackers’ emails

[…]

At least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts, Reuters found.

The Reuters report is based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It also draws on a unique database of more than 80,000 emails sent by Indian hackers to 13,000 targets over a seven-year period. The database is effectively the hackers’ hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020.

The data comes from two providers of email services the spies used to execute their espionage campaigns. The providers gave the news agency access to the material after it inquired about the hackers’ use of their services; they offered the sensitive data on condition of anonymity.

Reuters then vetted the authenticity of the email data with six sets of experts. Scylla Intel, a boutique cyber investigations firm, analyzed the emails, as did researchers from British defense contractor BAE, U.S. cybersecurity firm Mandiant, and technology companies LinkedIn, Microsoft and Google.

Each firm independently confirmed the database showed Indian hacking-for-hire activity by comparing it against data they had previously gathered about the hackers’ techniques. Three of the teams, at Mandiant, Google and LinkedIn, provided a closer analysis, finding the spying was linked to three Indian companies – one that Gupta founded, one that used to employ him and one he collaborated with.

“We assess with high confidence that this data set represents a good picture of the ongoing operations of Indian hack-for-hire firms,” said Shane Huntley, head of Google’s cyber threat analysis team.

Reuters reached out to every person in the database – sending requests for comment to each email address – and spoke to more than 250 individuals. Most of the respondents said the attempted hacks revealed in the email database occurred either ahead of anticipated lawsuits or as litigation was under way.

The targets’ lawyers were often hit, too. The Indian hackers tried to break into the inboxes of some 1,000 attorneys at 108 different law firms, Reuters found.

[…]

Source: How mercenary hackers sway litigation battles

It’s an elaborate article with many examples. Well worth the read.

OpenSea (NFT marketplace) 3rd party vendor leaked all customers’ email addresses – perfect suckers for phishing campaign list

An employee of OpenSea’s email delivery vendor Customer.io “misused” their access to download and share OpenSea users’ and newsletter subscribers’ email addresses “with an unauthorized external party,” Head of Security Cory Hardman warned on Wednesday.

“If you have shared your email with OpenSea in the past, you should assume you were impacted,” Hardman continued.

To be clear: that is a whole lot of email addresses.

OpenSea is basically a virtual super-mall where people buy and sell non-fungible tokens — essentially an electronic receipt on a blockchain for some type of digital asset, like art, music or collectibles. In other words: nothing, which many, including Bill Gates, consider a very foolish purchase indeed.

OpenSea claims to be the largest NFT marketplace, and it boasts a transaction volume of over $20 billion and more than 600,000 users, all of whom presumably provided their email addresses at one point.

Plus, there’s likely more that simply subscribed to the online bazaar’s email list.

[…]

Source: OpenSea says rogue insider leaked customers’ email addresses • The Register

A wide range of routers are under attack by new, unusually sophisticated malware

[…] researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

[…]

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai Internet of Things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

[…]

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker’s infrastructure.

[Graphic omitted: it illustrated the steps involved.]

[Image omitted: the threat actors disguised the landing page of a control server; the screenshot is credited to Black Lotus Labs.]

The researchers wrote:

Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.

The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018.

[…]

Source: A wide range of routers are under attack by new, unusually sophisticated malware | Ars Technica

Attacking ML systems by changing the order of the training data

Machine learning is vulnerable to a wide variety of attacks. It is now well understood that by changing the underlying data distribution, an adversary can poison the model trained with it or introduce backdoors. In this paper we present a novel class of training-time attacks that require no changes to the underlying dataset or model architecture, but instead only change the order in which data are supplied to the model. In particular, we find that the attacker can either prevent the model from learning, or poison it to learn behaviours specified by the attacker. Furthermore, we find that even a single adversarially-ordered epoch can be enough to slow down model learning, or even to reset all of the learning progress. Indeed, the attacks presented here are not specific to the model or dataset, but rather target the stochastic nature of modern learning procedures. We extensively evaluate our attacks on computer vision and natural language benchmarks to find that the adversary can disrupt model training and even introduce backdoors.

Source: [2104.09667] Manipulating SGD with Data Ordering Attacks

Samsung accused of cheating on hardware benchmarks – again

[…]

The South Korean titan was said to have unfairly goosed Galaxy Note 3 phone benchmarks in 2013, and faced with similar allegations about the Galaxy S4 in 2018 settled that matter for $13.4 million.

This time Samsung has allegedly fudged the results for its televisions, specifically the S95B QD-OLED and QN95B Neo OLED LCD TVs.

These accusations were raised this month by YouTube channel HDTVTest on the S95B, and by reviews site FlatpanelsHD on the QN95B. The claims boil down to Samsung allegedly using an algorithm to detect when benchmarking software was running on the set and adjusting the color and artificially boosting luminance by up to 80 percent during the test to make the equipment look better in reviews.

According to the FlatpanelsHD report, those levels of brightness can’t be sustained during normal use without damaging the TV’s backlight panel.

An algorithm to detect and hoodwink benchmarking software is just what Samsung was accused of employing in those earlier examples.

[…]

Source: Samsung accused of cheating on hardware benchmarks – again • The Register

Planting Undetectable Backdoors in Machine Learning Models

We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate “backdoor key”, the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees.
First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is “clean” or contains a backdoor.
Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an “adversarially robust” classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represents a significant theoretical roadblock to certifying adversarial robustness.

Source: [2204.06974] Planting Undetectable Backdoors in Machine Learning Models

Find you: an airtag which Apple can’t find in unwanted tracking

[…]

In one exemplary stalking case, a fashion and fitness model discovered an AirTag in her coat pocket after having received a tracking warning notification from her iPhone. Other times, AirTags were placed in expensive cars or motorbikes to track them from parking spots to their owner’s home, where they were then stolen.

On February 10, Apple addressed this by publishing a news statement titled “An update on AirTag and unwanted tracking” in which they describe the way they are currently trying to prevent AirTags and the Find My network from being misused and what they have planned for the future.

[…]

Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing security and anti-stalking features into the Find My protocol and ecosystem instead of in the AirTag itself, which can run modified firmware or not be an AirTag at all (Apple devices currently have no way to distinguish genuine AirTags from clones via Bluetooth).

The source code used for the experiment can be found here.

Edit: I have been made aware of a research paper titled “Who Tracks the Trackers?” (from November 2021) that also discusses this idea and includes more experiments. Make sure to check it out as well if you’re interested in the topic!

[…]

What Is Pegasus Spyware? Why is it important? Infographic

If you’ve been following the latest news on government surveillance scandals around the world, the name Pegasus may have popped up in your feed. It’s a complex story, so we’ve put together an infographic explainer that covers all the basics.

How does Pegasus work? Check. Which world leaders were targeted? Check. Astonishing subscription costs? Check. Gasp. Check. Our infographic should help you understand why NSO’s Pegasus software is in the news so much.

Check it out below, or download it in full here.

Source: What Is Pegasus? All About the Infamous Software (Infographic) – CyberGhost Privacy Hub

GM Discloses Data Breach of Cars’ Locations, Mileage, Service

General Motors suffered a hack that exposed a significant amount of sensitive personal information on car owners—names, addresses, phone numbers, locations, car mileage, and maintenance history.

The Detroit-based automaker revealed details of the incident in a breach disclosure filed with the California Attorney General’s Office on May 16. The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29. Further investigation revealed that the company had been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards.

[…]

In addition to the reward points theft, the incident also exposed a significant amount of user information. GM’s breach notification lays out a full list of the information that may have been compromised by the hackers:

  • first and last name
  • personal email address
  • home address
  • username
  • phone number
  • last known and saved favorite location
  • OnStar package (if applicable)
  • family members’ avatars and photos
  • profile picture
  • search and destination information
  • reward card activity
  • fraudulently redeemed reward points

[…]

Source: GM Discloses Data Breach of Cars’ Locations, Mileage, Service