A dark web carding market named ‘BidenCash’ has released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud.

Carding is the trafficking and use of credit cards stolen through point-of-sale malware, magecart attacks on websites, or information-stealing malware.

BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move.

Now, the market’s operators decided to promote the site with a much more massive dump in the same fashion that the similar platform ‘All World Cards’ did in August 2021.

[…]

The freely circulating file contains a mix of “fresh” cards expiring between 2023 and 2026 from around the world, but most entries appear to be from the United States.

The dump of 1.2 million credit cards includes the following credit card and associated personal information:

• Card number
• Expiration date
• CVV number
• Holder’s name
• Bank name
• Card type, status, and class
• Holder’s address, state, and ZIP
• Email address
• SSN
• Phone number

Not all the above details are available for all 1.2 million records, but most entries seen by BleepingComputer contain over 70% of the data types.

The “special event” offer was first spotted Friday by Italian security researchers at D3Lab, who monitors carding sites on the dark web.

The analysts claim these cards mainly come from web skimmers, which are malicious scripts injected into checkout pages of hacked e-commerce sites that steal submitted credit card and customer information.

[…]

BleepingComputer has discussed the authenticity with analysts at D3Lab, who confirmed that the data is real with several Italian banks, so the leaked entries correspond to real cards and cardholders.

However, many of the entries were recycled from previous collections, like the one  ‘All World Cards’ gave away for free last year.

From the data D3Labs has examined so far, about 30% appear to be fresh, so if this applies roughly to the entire dump, at least 350,000 cards would still be valid.

Of the Italian cards, roughly 50% have already been blocked due to the issuing banks having detected fraudulent activity, which means that the actually usable entries in the leaked collection may be as low as 10%.

[…]

Source: Darkweb market BidenCash gives away 1.2 million credit cards for free – Bleeping Computer

Researchers at the Synopsys Cybersecurity Research Center (CyRC) have discovered an availability vulnerability in the IKEA TRÅDFRI smart lighting system. An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI bulb blink, and if they replay (i.e. resend) the same frame multiple times, the bulb performs a factory reset. This causes the bulb to lose configuration information about the Zigbee network and current brightness level. After this attack, all lights are on with full brightness, and a user cannot control the bulbs with either the IKEA Home Smart app or the TRÅDFRI remote control.

The malformed Zigbee frame is an unauthenticated broadcast message, which means all vulnerable devices within radio range are affected.

To recover from this attack, a user could add each bulb manually back to the network. However, an attacker could reproduce the attack at any time.

CVE-2022-39064 is related to another vulnerability, CVE-2022-39065, which also affects availability in the IKEA TRÅDFRI smart lighting system. Read our latest blog post to learn more.

Source: CyRC Vulnerability Advisory: CVE-2022-39064 IKEA TRÅDFRI smart lighting | Synopsys

Iran state TV was apparently hacked Saturday, with its usual broadcast footage of muttering geriatric clerics replaced by a masked face followed by a picture of Supreme Leader Ali Khamenei with a target over his head, the sound of a gunshot, and chants of “Women, Life, Freedom!”

BBC News identifies the pirate broadcaster as Adalat Ali”, or Ali’s Justice, from social media links in the footage, which also included photographs of women killed in recent protests across the country.

Saturday’s TV news bulletin was interrupted at about 18:00 local time with images which included Iran’s supreme leader with a target on his head, photos of Ms Amini and three other women killed in recent protests. One of the captions read “join us and rise up”, whilst another said “our youths’ blood is dripping off your paws”. The interruption lasted only a few seconds before being cut off.

BREAKING: Islamic Republic’s state-owned TV network hacked during a Khamenei address and the message: “The blood of our youth is dripping from your fingers.” Another message displayed: Rise up and Join Us.#مهسا_امینی#MahsaAmini pic.twitter.com/GliPMHUgJo

— Masih Alinejad (@AlinejadMasih) October 8, 2022

Source: Protestors hack Iran state TV live on air | Boing Boing

[…]

The alleged hacker – who threatened to sell the data unless a ransom was paid – took names, birth dates, phone numbers, addresses, and passport, healthcare and drivers’ license details from Optus, the country’s second-largest telecommunications company.

Of the 10 million people whose data was exposed, almost 3 million had crucial identity documents accessed.

Across the country, current and former customers have been rushing to change their official documents as the US Federal Bureau of Investigation joined Australia’s police, cybersecurity, and spy agencies to investigate the breach.

The Australian government is looking at overhauling privacy laws after it emerged that Optus – a subsidiary of global telecommunications firm Singtel – had kept private information for years, even after customers had cancelled their contracts.

It is also considering a European Union-style system of financial penalties for companies that fail to protect their customers.

An error-riddled message from someone claiming to be the culprit and calling themselves “Optusdata” demanded a relatively modest US$1m ransom for the data.

[…]

That demand was followed by a threat to release the records of 10,000 peopleper day until the money was paid. A batch of 10,000 files was later published online.

As Optus and the federal government dealt with the fallout, the alleged hacker had a change of mind and offered their “deepest apology”.

“Too many eyes,” they said. “We will not sale data to anyone. We cant if we even want to: personally deleted data.”

Optus chief Kelly Bayer Rosmarin initially claimed the company had fallen prey to a sophisticated attack and said the associated IP address was “out of Europe”. She said police were “all over” the apparent release of information and told ABC radio that the security breach was “not as being portrayed”.’

Experts have said Optus had an application programming interface (API) online that did not need authorisation or authentication to access customer data. “Any user could have requested any other user’s information,” Corey J Ball, senior manager of cyber security consulting for Moss Adams, said.

[…]

Optus ‘left the window open’

The cyber security minister, Clare O’Neill, has questioned why Optus had held on to that much personal information for so long.

She also scoffed at the idea the hack was sophisticated.

“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” she told the ABC. “We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”

[…]

Asked about Rosmarin’s comments that the attack was sophisticated, O’Neill said: “Well, it wasn’t.”

On Friday, prime minister Anthony Albanese said what had happened was “unacceptable”. He said Optus had agreed to pay for replacement passports for those affected.

“Australian companies should do everything they can to protect your data,” Albanese said.

“That’s why we’re also reviewing the Privacy Act – and we’re committed to making privacy laws stronger.”

[…]

Australia currently has a $2.2m limit on corporate penalties, and there are calls for harsher penalties to encourage companies to do everything they can to protect consumers.

In the EU, the General Data Protection Regulation means companies are liable for up to 4% of the company’s revenue. Optus’s revenue last financial year was more than $7bn.

[…]

Source: The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle | Optus | The Guardian

If the government has no legal incentive to tighten security and privacy, then companies won’t invest in it.

For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors—VMware software that runs on a physical computer to manage all the virtual machines it hosts—the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.

“The idea that you can compromise one machine and from there have the ability to control virtual machines en masse is huge,” says Mandiant consultant Alex Marvi. And even closely watching the processes of a target virtual machine, he says, an observer would in many cases see only “side effects” of the intrusion, given that the malware carrying out that spying had infected a part of the system entirely outside its operating system.

[…]

In a technical writeup, Mandiant describes how the hackers corrupted victims’ virtualization setups by installing a malicious version of VMware’s software installation bundle to replace the legitimate version. That allowed them to hide two different backdoors, which Mandiant calls VirtualPita and VirtualPie, in VMware’s hypervisor program known as ESXi. Those backdoors let the hackers surveil and run their own commands on virtual machines managed by the infected hypervisor. Mandiant notes that the hackers didn’t actually exploit any patchable vulnerability in VMware’s software, but instead used administrator-level access to the ESXi hypervisors to plant their spy tools. That admin access suggests that their virtualization hacking served as a persistence technique, allowing them to hide their espionage more effectively long-term after gaining initial access to the victims’ network through other means.

[…]

Source: Mystery Hackers Are ‘Hyperjacking’ Targets for Insidious Spying | WIRED

Following one of the biggest data breaches in Australian history, the government of Australia is planning to get stricter on requirements for disclosure of cyber attacks. From a report: On Monday, Prime Minister Anthony Albanese told Australian radio station 4BC that the government intended to overhaul privacy legislation so that any company suffering a data breach was required to share details with banks about customers who had potentially been affected in an effort to minimize fraud. Under current Australian privacy legislation, companies are prevented from sharing such details about their customers with third parties.

The policy announcement was made in the wake of a huge data breach last week, which affected Australia’s second-largest telecom company, Optus. Hackers managed to access a vast amount of potentially sensitive information on up to 9.8 million Optus customers — close to 40 percent of the Australian population. Leaked data included name, date of birth, address, contact information, and in some cases, driver’s license or passport ID numbers. Reporting from ABC News Australia suggested the breach may have resulted from an improperly secured API that Optus developed to comply with regulations around providing users multifactor authentication options.

Source: Australia To Overhaul Privacy Laws After Massive Data Breach – Slashdot

The listing allegedly includes 350 million Ask.FM user records, with the threat actor also offering 607 repositories plus their Gitlab, Jira, and Confluence databases. Ask.FM is a question and answer network launched in June 2010, with over 215 million registered users.

“I’m selling the users database of Ask.fm and ask.com. For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases.”

The posting also includes a list of repositories, sample git, and sample user data, as well as mentions of the fields in the database: user_id, username, mail, hash, salt, fbid, twitterid, vkid, fbuid, iguid. It appears that Ask.FM is using the weak hashing algorithm SHA1 for passwords, putting them at risk of being cracked and exposed to threat actors.

[…]

In response to DataBreaches, the user who posted the database – Data – explained that initial access was gained via a vulnerability in Safety Center. The server was first accessed in 2019, and the database was obtained on 2020-03-14.

Data also suggested that Ask.FM knew about the breach as early as back in 2020.

Source: Ask.FM database with 350m user records allegedly sold online | Cybernews

Fintech startup Revolut has confirmed it was hit by a highly targeted cyberattack that allowed hackers to access the personal details of tens of thousands of customers.

Revolut spokesperson Michael Bodansky told TechCrunch that an “unauthorized third party obtained access to the details of a small percentage (0.16%) of our customers for a short period of time.” Revolut discovered the malicious access late on September 11 and isolated the attack by the following morning.

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected,” Bodansky said. “Customers who have not received an email have not been impacted.”

Revolut, which has a banking license in Lithuania, wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure to the authorities in Lithuania, first spotted by Bleeping Computer, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.

Revolut also declined to say what types of data were accessed but told TechCrunch that no funds were accessed or stolen in the incident. In a message sent to affected customers posted to Reddit, the company said that “no card details, PINs or passwords were accessed.” However, the breach disclosure states that hackers likely accessed partial card payment data, along with customers’ names, addresses, email addresses and phone numbers.

The disclosure states that the threat actor used social engineering methods to gain access to the Revolut database, which typically involves persuading an employee to hand over sensitive information such as their password. This has become a popular tactic in recent attacks against a number of well-known companies, including Twilio, Mailchimp and Okta.

[…]

Source: Revolut confirms cyberattack exposed personal data of tens of thousands of users | TechCrunch

Take-Two is definitely not having a good time of it. Following the weekend’s colossal leak of GTA VI, its septimana horribilis continues with the fresh news that its 2K Games support services have been hacked, and customers are now being sent out phishing scams.

Posting to the official 2K Support Twitter account, 2K explained that its help desk platform had been hacked, and the invader made off with a whole bunch of customer emails. It says it “became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers.”

[…]

2K has taken its “support portal” offline while they try to figure out what the heck happened, which isn’t a great look, especially in the week of NBA 2K23‘s release. The statement says, “We will issue a notice when you can resume interacting with official 2K help desk emails,” which is…not a foolproof method. Firstly, it gives the impression that there might be a time when a previously unread phishing email would be safe to click on, and secondly, it hardly reaches people who’ve received the email, who aren’t fortunate enough to have noticed the tweet (or read the press coverage).

Meanwhile, those with open tickets are getting told, at the time of writing, that 2K doesn’t “have estimates on when you’ll receive a reply,” with the somewhat ironic suggestion that they, “stay tuned via email.”

Read More: NBA 2K23: The Kotaku Review

For those that think they may have already fallen for the phishing scam, 2K recommends that people reset all passwords, enable multi-factor authentication (but avoid text message-based verification!), clog up their PCs with anti-virus software, and “check your account settings to see if any forwarding rules have been added or changed on your personal email accounts.”

There’s further cause for concern when you notice that one customer recognized that a likely hack had occurred some ten hours before the statement was released, but was fobbed off by the official account. The original customer replied almost nine hours before the hack was confirmed, saying, “at this point its very clear that you guys got hacked on support things related.. make a statement already before the damage is too big.”

Many replies to the statement are from bereft customers, claiming to have lost their accounts, or seen money removed from their games. Many more are from people who clicked on the links in the emails, but now don’t know if they’ve caused any harm to their devices or account, and are not getting clear answers.

[…]

Source: GTA Publisher Take-Two’s Bad Week Gets Worse With Disaster Hack

Evgeny Gaevoy, the founder and chief executive of Wintermute, disclosed in a series of tweets that the firm’s decentralized finance operations had been hacked, but centralized finance and over the counter verticals aren’t affected.

He said that Wintermute — which counts Lightspeed Venture Partners, Pantera Capital and Fidelity’s Avon among its backers — remains solvent with “twice over that amount in equity left.” He assured lenders that if they wish to recall their loans, Wintermute will honor that.

“If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after,” he wrote.

“Out of 90 assets that has been hacked only two have been for notional over $1 million (and none more than $2.5M), so there shouldn’t be a major selloff of any sort. We will communicate with both affected teams asap.”

Wintermute provides liquidity on over 50 exchanges and trading platforms including Binance, Coinbase, FTX, Kraken as well as decentralized platforms Dydx and Uniswap. It’s also an active investor, having backed startups including Nomad, HashFlow and Ondo Finance.

Gaevoy or Wintermute did not disclose when the hack took place or the how the attackers were able to succeed, and whether it has alerted the law enforcement. TechCrunch has reached out to Wintermute for more details.

Wintermute is the latest in a growing list of crypto firms to have suffered a hack in recent months. Hackers stole over $190 million from cross-chain messaging protocol Nomad just last month. Axis Infinity’s Ronin Bridge lost over $600 million in a hack this April, and Harmony’s Horizon bridge was drained of $100 million in June. More than $1.3 billion were lost in DeFi hack last year, according to crypto auditing platform Certik.

Source: Crypto market maker Wintermute loses $160 million in DeFi hack | TechCrunch

[…]

In real life, high-quality combination locks are not vulnerable to such simple attacks, but cheap ones can often be bypassed with a minimum of effort. Some are so simple that this process can even be automated, as [Mew463] has shown by building a machine that can open a Master combination lock in less than a minute.

The operating principle is based on research by Samy Kamkar from a couple of years ago. For certain types of Master locks, the combination can be found by applying a small amount of pressure on the shackle and searching for locations on the dial where its movement becomes heavier. A simple algorithm can then be used to completely determine the first and third numbers, and find a list of just eight candidates for the second number.

[Mew463]’s machine automates this process by turning the dial with a stepper motor and pulling on the shackle using a servo and a rack-and-pinion system. A magnetic encoder is mounted on the stepper motor to determine when the motor stalls, while the servo has its internal position encoder brought out as a means of detecting how far the shackle has moved. All of this is controlled by an Arduino Nano mounted on a custom PCB together with a TMC2208 stepper driver.

The machine does its job smoothly and quickly, as you can see in the (silent) video embedded below. All design files are available on the project’s GitHub page, so if you’ve got a drawer full of these locks without combinations, here’s your chance to make them sort-of-useful again. After all, these locks’ vulnerabilities have a long history, and we’ve even seen automated crackers before.

 

Source: Robot Opens Master Combination Locks In Less Than A Minute | Hackaday

In a security alert updated on Monday, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that cybercriminals are actively exploiting five vulnerabilities in the Zimbra Collaboration Suite (ZCS) to break into both government and private-sector networks. The agencies have provided fresh detection signatures to help admins identify intruders abusing these flaws.

[…]

The five CVE-listed bugs being exploited include CVE-2022-27924, which Zimbra patched in May and received a 7.5 out of 10 CVSS score. This high-severity bug can be used by an unauthenticated user to ultimately steal email account credentials in cleartext form with no user interaction.

SonarSource security researchers discovered the flaw in March, and published a detailed technical analysis that explained how an attacker could inject arbitrary memcache commands into a targeted instance, causing an overwrite of arbitrary cached entries, allowing them to steal account credentials.

In June, the security biz publicly released proof-of-concept (POC) exploits for this vulnerability. “Due to the POC and ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks,” the Feds warned.

Another high-severity vulnerability, CVE-2022-27925, which also received a 7.4 CVSS rating, could allow an authenticated user with admin privileges to upload arbitrary files, thus leading to directory traversal. When combined with CVE-2022-37042, CVE-2022-27925 could be exploited without valid administrative credentials, according to researchers from Volexity, which reported more than 1,000 Zimbra email servers had been compromised in attacks chaining the two vulnerabilities.

Further big problems found

CVE-2022-37042 is a critical remote authentication bypass vulnerability that received a 9.8 CVSS rating. Zimbra issued fixes for both of these bugs in late July.

CVE-2022-30333 is a 7.5 rated high-severity flaw in RARLAB UnRAR, used by Zimbra, before 6.12 on Linux and Unix-flavored systems that allows miscreants to write to files during an extract operation.

“In the case of Zimbra, successful exploitation gives an attacker access to every single email sent and received on a compromised email server. They can silently backdoor login functionalities and steal the credentials of an organization’s users,” according to SonarSource, which discovered the bug. “With this access, it is likely that they can escalate their access to even more sensitive, internal services of an organization.”

To fix this issue, Zimbra made configuration changes to use the 7zip program instead of UnRAR.

We’re told that a miscreant is selling an exploit kit for CVE-2022-30333, and there’s also a Metasploit module that creates a RAR file, which then can be emailed to a Zimbra server to exploit this flaw.

The fifth known Zimbra vulnerability under active exploit, CVE-2022-24682, is a medium severity cross-site scripting bug that allows crooks to steal session cookie files. Volexity discovered this one, too, and Zimbra patched it in February.

[…]

Source: US government really hopes you’ve patched your Zimbra server • The Register

[…]

A pair of preprint papers from Mordechai Guri, head of R&D at Ben-Gurion University’s Cyber Security Research Labs, detail new methods for transmitting data ultrasonically to smartphone gyroscopes and sending Morse code signals via LEDs on network interface cards (NICs).

Dubbed Gairoscope and EtherLED respectively, the two exploits are the latest in a long line of research from Guri, who has previously developed air gap exfiltration methods, including stealing data by reading the radio frequency of networking cables, using RAM buses to transmit data electromagnetically, and doing the same with power supplies.

[…]

The problem with phone gyroscopes is that, unlike microphones that are generally visibly activated, Gyroscopes can be “used by many types of applications to ease the graphical interfaces, and users may approve their access without suspicion,” Guri wrote in the paper.

Additionally, Guri cites a lack of visual indicator in iOS and Android that the gyroscope is being used and the fact that smartphone gyroscopes can be accessed from a browser using JavaScript, meaning – in theory – that no actual malware need be installed on the device to execute the attack.

Using his method, Guri was able to achieve speeds of up to eight bits per second at a max distance of eight meters, which the paper claims is faster than other established covert acoustic methods. Guri demonstrated the attack in a video showing an Android app detecting and decoding a message typed on a computer monitor within a few seconds of it being typed.

NICing data from LEDs

The second attack Guri reported on was EtherLED, which uses the familiar green-and-amber lights on network interface cards to transmit data in Morse code. As opposed to similar attacks that rely on exploiting lights on keyboards, hard drives and the brightness of monitors, Guri said Ethernet LEDs are “a threat that has not been studied before, theoretically or technically.”

In this case, the lights being used is the novel element. As with other optical exfiltration techniques, EtherLED requires a visual line of sight, and as such is limited by the placement of existing hackable cameras that can spot the infected NIC and whether the lights face an outside window where someone could place a drone or other camera capable of picking up the blinks and decoding them.

Additionally, mitigations like covering NIC lights with black tape still apply.

[…]

It’s easy to dismiss attacks against air-gapped systems as rare instances targeted against specific types of targets. While uncommon, attacks against such systems can be devastating.

[…]

Guri cites Stuxnet, a joint operation between the US and Israel to destroy Iranian nuclear enrichment systems, as a successful air gap infiltration. In addition, “several attacks on air-gapped facilities such as the power utilities and nuclear power plants have been publicized in recent years,” Guri wrote.

[…]

Source: Smartphone gyroscopes threaten air-gapped systems • The Register

Binance Chief Communications Officer Patrick Hillmann wrote in a blog post last week that internet scammers had been using deepfake technology to copy his image during video meetings. He started to catch on to this trend when he received messages from the leadership of various crypto projects thanking him for meetings he never attended.

Hillmann shared one screenshot of messages sent over LinkedIn with one supposed project leader telling the Binance exec somebody had impersonated his hologram. The communications officer wrote that a team of hackers had used old interviews found online to create a deepfake of him. Hillmann added that “Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough to fool several highly intelligent crypto community members.”

[…]

Source: Hackers Use Deepfakes of Binance Exec to Scam Crypto Projects

Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organizations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cybersecurity firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” researchers wrote in their blog Thursday. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

[…]

the hackers first went after companies that were users of Okta, the identity and access management firm that provides single sign-on services to platforms all across the web. Using the toolkit, the threat actor sent SMS phishing messages to victims that were styled to look just like the ID authentication pages provided by Okta. Thinking that they were engaging in a normal security procedure, victims would enter their information—including username, password, and multi-factor authentication code.

After they entered this information, the data was then secretly funneled to a Telegram account controlled by the cybercriminals. From there, the threat actor could use the Okta credentials to log into the organizations that the victims worked for. The network access was subsequently abused to steal company data and engage in more sophisticated supply chain attacks that targeted the broader corporate ecosystems that the firms were a part of.

[…]

Source: Oktatapus Hack Stole 10,000 Logins From 130 Different Orgs

Electronics giant Samsung has confirmed a data breach affecting customers’ personal information.

In a brief notice, Samsung said it discovered the security incident in late-July and that an “unauthorized third party acquired information from some of Samsung’s U.S. systems.” The company said it determined customer data was compromised on August 4.

Samsung said Social Security numbers and credit card numbers were not affected, but some customer information — name, contact and demographic information, date of birth, and product registration information — was taken.

“The information affected for each relevant customer may vary. We are notifying customers to make them aware of this matter,” said the statement.

Samsung spokesperson Chris Langlois told TechCrunch by email via crisis communications firm Edelman that demographic data relates to customer information used for marketing and advertising, but didn’t specify what types of data this includes. Langlois added that registration data, provided by customers in order to access support and warranty information, includes product purchase date, model, and device ID.

Langlois declined to say how many customers were affected or why it took Samsung more than a month to notify customers about the breach, which was announced just hours ahead of a U.S. holiday weekend marking Labor Day.

[…]

This is the second time Samsung has confirmed a data breach this year. In March, the company admitted that the Lapsus$ hacking group — the same group that infiltrated Nvidia, Microsoft and T-Mobile — obtained and leaked almost 200 gigabytes of confidential data, including source code for various technologies and algorithms for biometric unlock operations.

Source: Samsung says customer data stolen in July data breach | TechCrunch

The security breach at Twilio earlier this month affected at least one high-value customer, Signal, and led to the exposure of the phone number and SMS registration codes for 1,900 users of the encrypted messaging service, it confirmed.

However, Signal – considered one of the better secured of all the encrypted messaging apps – claims the attacker would not have been able to access the message history, contact lists, profile information, or other personal data associated with these user accounts. The non-profit organization said in a security note on its site that it has identified and is notifying the 1,900 users directly, and prompting them to re-register Signal on their devices.

The company had already come under fire for its practice of SMS verification in the past, something which has rebounded in the wake of the disclosure.

According to Signal, Twilio provides SMS verification services for its platform. Twilio provides messaging, call center and two-factor authentication services, among others, to about 256,000 customers altogether – although it said in an earlier incident report about the breach that only 125 of its customers had data “accessed by malicious actors for a limited period of time.”

The news that Signal was one of the 125 has raised questions about the identity of other Twilio customers, especially as the encrypted comms platform is known for its transparency. Others may be less forthcoming.

According to Signal’s security note, when Twilio was hit by a phishing attack earlier this month, this may potentially have led to the phone numbers of 1,900 Signal users being revealed as registered to a Signal account. The encryption app platform added that the users’ SMS verification codes were also exposed.

It appears that during the window of time that the attacker had access to Twilio’s customer support systems, it would have been possible for them to attempt to re-register the phone numbers they had accessed, transferring the Signal account to another device under their own control, using the SMS verification code. It also stresses that the attacker no longer has this access, and that the attack had been shut down by Twilio.

Intriguingly, Signal states that the attacker explicitly searched for three phone numbers among the 1,900 accessed, and the organization has since received a report from one of those three users that their account was indeed re-registered and hijacked.

[…]

Source: Twilio attacker ‘explicitly’ looked for 3 Signal numbers

Services offering Video-Ident allow users to prove their identity to them by transmitting video showing themselves and an identity document for verification by an operator or by software. Once identified, individuals can proceed to sign up for cell phone contracts, create electronic signatures which are legally binding throughout the EU (QES), apply for credit and open bank accounts – or access their German personal health record (ePA).

A specially devised choreography designed to reveal circumstancial evidence such as visible security holograms or facial expressions is supposed to answer two critical questions in every Video-Ident session: Is the identity document genuine? Is the person in front of the camera genuine? Video-Ident service providers claim that their solutions reliably detect fraud attempts.

Open source software and a little watercolour

Martin Tschirsich, a security researcher with the CCC, demonstrates the failure to keep that promise in his report published today (all links refer to sources in German). In 2019 Tschirsich had already demonstrated how unauthorized individuals could acquire German medical insurance cards as well as special doctors’ and clinics’ electronic ID cards.

[…]

Links and further information

• Chaos Computer Club: Attack on Video-Ident
• gematik press release, 9. August 2022
• 35C3-Vortrag: Circumventing video identification using augmented reality
• As early as 2019, glaring security vulnerabilities were discovered in Telematik, which could be used to forge e.g. doctor’s IDs at will.
• CCC-Meldung von 2013: Trügerische Sicherheit: Der elektronische Personalausweis
• BfDI: 29. Tätigkeitsbericht für den Datenschutz und die Informationsfreiheit 2020, 7.11 Videoidentverfahren: Aktuelle Grundsatzentscheidung des BfDI mit Ausstrahlwirkung für viele Bereiche

Source: CCC | Chaos Computer Club hacks Video-Ident

According to cyber security firm Volexity, the threat research team has found the North Korean ‘SharpTongue’ group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn’t need your Gmail login credentials at all.

Instead, it “directly inspects and exfiltrates data” from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware’s internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google GOOG +1.9% Chrome, Microsoft MSFT +1.5% Edge, and a South Korean client called Whale.

CISA says Kimsuky hackers ‘most likely tasked by North Korean regime’

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is “most likely tasked by the North Korean regime with a global intelligence gathering mission.”

While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U. S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U. S. and Europe. The common denominator between them is that the victims often ” work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea.”

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn’t attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it.

The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be.

[…]

Source: New Gmail Attack Bypasses Passwords And 2FA To Read All Email

Hackers had access to dashboards used to remotely manage and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy, a cybersecurity startup told TechCrunch.

Wiseasy is a brand you might not have heard of, but it’s a popular Android-based payment terminal maker used in restaurants, hotels, retail outlets and schools across the Asia-Pacific region. Through its Wisecloud cloud service, Wiseeasy can remotely manage, configure and update customer terminals over the internet.

But Wiseasy employee passwords used for accessing Wiseasy’s cloud dashboards — including an “admin” account — were found on a dark web marketplace actively used by cybercriminals, according to the startup.

Youssef Mohamed, chief technology officer at pen-testing and dark web monitoring startup Buguard, told TechCrunch that the passwords were stolen by malware on the employee’s computers. Mohamed said two cloud dashboards were exposed, but neither were protected with basic security features, like two-factor authentication, and allowed hackers to access nearly 140,000 Wiseasy payment terminals around the world.

[…]

Buguard said it first contacted Wiseasy about the compromised dashboards in early July, but efforts to disclose the compromise were met with meetings with executives that were later canceled without warning, and according to Mohamed, the company declined to say if or when the cloud dashboards would be secured.

Screenshots of the dashboards seen by TechCrunch show an “admin” user with remote access to Wiseasy payment terminals, including the ability to lock the device and remotely install and remove apps. The dashboard also allowed anyone to view names, phone numbers, email addresses and access permissions for Wiseasy dashboard users, including the ability to add new users.

Another dashboard view also shows the Wi-Fi name and plaintext password of the network that payment terminals are connected to.

Mohamed said anyone with access to the dashboards could control Wiseasy payment terminals and make configuration changes.

[…]

Source: Hackers stole passwords for accessing 140,000 payment terminals | TechCrunch

For a little over 12 hours on 26-27 July, a network operated by Russia’s Rostelecom started announcing routes for part of Apple’s network. The effect was that Internet users in parts of the Internet trying to connect to Apple’s services may have been redirected to the Rostelecom network. Apple Engineering appears to have been successful in reducing the impact, and eventually Rostelecom stopped sending the false route announcements. This event demonstrated, though, how Apple could further protect its networks by using Route Origin Authorizations (ROAs).

We are not aware of any information yet from Apple that indicates what, if any, Apple services were affected. We also have not seen any information from Rostelecom about whether this was a configuration mistake or a deliberate action.

Let’s dig into what we know so far about what happened, and how Route Origin Authorization (ROA) can help prevent these kinds of events.

Around 21:25 UTC On 26 July 2022, Rostelecom’s AS12389 network started announcing 17.70.96.0/19. This prefix is part of Apple’s 17.0.0.0/8 block; usually, Apple only announces the larger 17.0.0.0/9 block and not this shorter prefix length.

When the routes a network is announcing are not covered by valid Route Origin Authorization (ROA), the only option during a route hijack is to announce more specific routes. This is exactly what Apple Engineering did today; upon learning about the hijack, it started announcing 17.70.96.0/21 to direct traffic toward AS714.

It is not clear what AS12389 was doing, as it announced the same prefix at the same time with AS prepend as well.

In the absence of any credible data to filter out any possible hijack attempts, the route announced by AS12389 was propagated across the globe. The incident was picked up by BGPstream.com (Cisco Works) and GRIP Internet Intel (GA Tech).

Our route collectors in Sydney and Singapore also picked up these routes originated from AS12389:

BGP4MP_ET|07/26/22 21:25:10.065207|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3257 1273 12389 12389 12389 12389|IGP 

BGP4MP_ET|07/26/22 21:25:11.211901|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 7474 7473 12389|IGP 

BGP4MP_ET|07/26/22 21:25:12.022767|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 17819 4826 12389|IGP 

BGP4MP_ET|07/26/22 21:29:06.885842|A|169.254.169.254|64515|17.70.96.0/19|64515 65534 20473 3491 1273 12389|IGP

Apple must have received the alert too. Whatever mitigation techniques they tried didn’t stop the Rostelecom announcement and so Apple announced the more specific route. As per the BGP path selection process, the longest-matching route is preferred first. Prefix length supersedes all other route attributes. Apple started announcing 17.70.96.0/21 to direct traffic toward AS714.

[…]

Source: For 12 Hours, Was Part of Apple Engineering’s Network Hijacked by Russia’s Rostelecom? – MANRS

Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.

Exotic, yes. Rare, no.

On Monday, researchers from Kaspersky profiled CosmicStrand, the security firm’s name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. The find is among only a handful of such UEFI threats known to have been used in the wild. Until recently, researchers assumed that the technical demands required to develop UEFI malware of this caliber put it out of reach of most threat actors. Now, with Kaspersky attributing CosmicStrand to an unknown Chinese-speaking hacking group with possible ties to cryptominer malware, this type of malware may not be so rare after all.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described,” Kaspersky researchers wrote. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”

 

While researchers from fellow security firm Qihoo360 reported on an earlier variant of the rootkit in 2017, Kaspersky and most other Western-based security firms didn’t take notice. Kaspersky’s newer research describes in detail how the rootkit—found in firmware images of some Gigabyte or Asus motherboards—is able to hijack the boot process of infected machines. The technical underpinnings attest to the sophistication of the malware.

[…]

Source: Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica

The United States’ federal court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.”

That quote comes from congressional representative Jerrold Lewis Nadler, who uttered them on Thursday in his introductory remarks to a House Committee on the Judiciary hearing conducting oversight of the Department of Justice National Security Division (NSD).

Nadler segued into the mention of the breach after mentioning the NSD’s efforts to defend America against external actors that seek to attack its system of government. He commenced his remarks on the attack at the 4:40 mark in the video below:

The rep’s remarks appear to refer to the January 2021 disclosure by James C. Duff, who at the time served as secretary of the Judicial Conference of the United States, of “an apparent compromise” of confidentiality in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF).

That incident may have exploited vulnerabilities in CM/ECF and “greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings.”

Such documents are filed by the US government in cases that touch on national security, and therefore represent valuable intelligence.

The star witness at the hearing, assistant attorney general for National Security Matthew Olsen, said the Department of Justice continues to investigate the matter, adding the attack has not impacted his unit’s work.

But Olsen was unable – or unwilling – to describe the incident in detail.

However, a report in Politico quoted an unnamed aide as saying “the sweeping impact it may have had on the operation of the Department of Justice is staggering.”

For now, the extent of that impact, and its cause, are not known.

The nature of the vulnerability and the methods used to exploit it are also unknown, but Nadler suggested it is not related to the SolarWinds attack that the Judiciary has already acknowledged.

Olsen said he would update the Committee with further information once that’s possible. Representatives in the hearing indicated they await those details with considerable interest.

Source: US court system suffered ‘incredibly significant attack’ • The Register