This posting is here to collect cyber security news in April 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges
Says customer data wasn’t touched, doesn’t say much about being rooted
https://www.theregister.com/AMP/2021/04/01/ubiquiti_data_breach/?__twitter_impression=true
Wi-Fi kit-slinger Ubiquiti has suggested the attacker that accessed some of its cloud-hosted systems in January 2021 may have made off with source code and employee logins, not the customer data it initially warned could be in peril.
News that Ubiquiti’s cloud servers had been breached emerged on January 11, 2021, when the company emailed customers the text found in this support forum post. That missive stated: “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.”
An update on Wednesday this week stated an investigation by outside experts “identified no evidence that customer information was accessed, or even targeted,” however.
Ubiquiti has not said when the external experts decided customer data was untouched. Which leaves the company in the interesting position of perhaps knowing its core IP has leaked, and not disclosing that, while also knowing that customer data is safe and not disclosing that, either.
The update on Wednesday was published two days after Krebs On Security reported that it has seen a letter from a whistleblower to the European Data Protection Supervisor that alleges Ubiquiti has not told the whole truth about the incident.
Krebs said the letter described the attack on Ubiquiti as “catastrophically worse than reported.”
Backdoors were apparently stashed in the servers, too, and, as Ubiquiti acknowledged this week, a ransom was demanded to keep quiet about the break-in.
If Ubiquiti staff credentials were obtained, as even Ubiquiti itself now suggests, the attackers could have comfortably gained “access to customers’ devices deployed in corporations and homes around the world,” as the whistleblower’s letter put it.
Tomi Engdahl says:
Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’
Updated: The source alleges the January security incident was severely downplayed.
https://www.zdnet.com/article/whistleblower-claims-ubiquiti-networks-data-breach-was-catastrophic/?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm
Tomi Engdahl says:
Hacked companies had backup plans. But they didn’t print them out before the attack.
New NCSC chief says businesses need to take cybersecurity more seriously.
https://www.zdnet.com/article/hacked-companies-had-backup-plans-but-didnt-print-them-out-why-cybersecurity-still-isnt-being-taken-seriously/
Tomi Engdahl says:
https://thehackernews.com/2021/04/hackers-using-windows-os-feature-to.html
Tomi Engdahl says:
https://prosoundhq.com/how-many-watts-does-an-amp-need-for-gigging/
Tomi Engdahl says:
Let’s see what comes out of this.
533 million Facebook users’ phone numbers and personal data have been leaked online
https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4?r=US&IR=T
The personal data of over 500 million Facebook users has been posted online in a low-level hacking forum.
The data includes phone numbers, full names, location, email address, and biographical information.
Security researchers warn that the data could be used by hackers to impersonate people and commit fraud.
A user in a low level hacking forum has published the phone numbers and personal data of hundreds of millions of Facebook users for free online.
The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.
Now, the entire dataset has been posted on the hacking forum for free, making it widely available to anyone with rudimentary data skills.
It’s not the first time that a huge number of Facebook users’ phone numbers have been found exposed online. A vulnerability that was uncovered in 2019 allowed millions of people’s phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.
Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.
Tomi Engdahl says:
https://www.facebook.com/637758527/posts/10158243549453528/
If this is true, 533 million Facebook accounts have been leaked onto the internet for free. In addition to the name, the data includes e.g. the phone number (if you have given one to FB) and your basic details, e.g. your relationship status, your location and your previous location. Really great, especially if the aim is to compile the world’s largest “phone book” or to commit identity theft. Did you remember to enter your real date of birth in your Facebook details, so that the crooks have that piece of information about you as well?
In Finland, 1381569 users appear to have fallen victim.
https://mobile.twitter.com/UnderTheBreach/status/1378314424239460352
Tomi Engdahl says:
https://www.engadget.com/facebook-533-million-user-personal-data-leak-180156777.html
Tomi Engdahl says:
Facebook data on 533 million users posted online
Data posted on a cybercrime forum includes phone numbers, Facebook IDs, birth dates, gender and location.
https://www.zdnet.com/article/facebook-data-on-533-million-users-posted-online/
Tomi Engdahl says:
Your Facebook data has most likely been leaked, but you can still sleep soundly: 7 questions and answers about the data leak
Beware of scam calls in the near future.
https://yle.fi/uutiset/3-11870066?origin=rss
Tomi Engdahl says:
https://www.iltalehti.fi/tietoturva/a/9833f042-72e7-4e24-b47c-3e8b67a4aa33
https://www.zdnet.com/article/facebook-data-on-533-million-users-posted-online/
Tomi Engdahl says:
About 50 percent of Finnish Facebook users
Facebook data stolen in 2019 has been published – data on 1.4 million Finns included
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/facebookin-vuonna-2019-varastettuja-tietoja-julkaistu-mukana-14-miljoonan-suomalaisen
Tomi Engdahl says:
https://www.engadget.com/facebook-533-million-user-personal-data-leak-180156777.html
https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4
Tomi Engdahl says:
https://www.theguardian.com/technology/2021/apr/05/facebook-data-leak-2021-breach-check-australia-users?CMP=fb_a-technology_b-gdntech
Tomi Engdahl says:
AMD admits that Zen 3 CPUs are vulnerable to a new Spectre-style attack
Again?
https://www.techspot.com/news/89173-amd-admits-zen-3-cpus-vulnerable-new-spectre.html
AMD has confirmed that a microarchitecture optimization inside Zen 3 CPUs can be exploited in a similar fashion to the Spectre vulnerabilities that plagued Intel CPUs a few generations ago. Disabling the optimization is possible, but will carry a performance penalty that AMD doesn’t believe is worth it for all but the most critical deployments of the processors.
Update (April 5): Even though AMD was confident enough in not recommending a majority of their customers to disable Predictive Store Forwarding (PSF) for security reasons, Phoronix ran dozens of tests during the weekend using a Ryzen 7 5800X specifically benchmarking for the Zen 3 PSF vulnerability. They conclude that “the geometric mean of all those results was less than a half percent performance loss when disabling this new Zen 3 feature,” or in other words, the performance impact is negligible.
Tomi Engdahl says:
Imagine your data center backup generator kicks in during power outage … and catches fire. Well, it happened
WebNX facility falls offline in blaze, takes customers down with it
https://www.theregister.com/AMP/2021/04/06/webnx_data_fire/?__twitter_impression=true
A power outage kicked off a fire in web hosting biz WebNX’s Ogden data center in Utah on Sunday, knocking the facility offline temporarily and leaving several servers in need of a rebuild.
Kevin Brown, Fire Marshal for the US city’s Fire Department told The Register in a phone interview that firefighters responded to a call on Sunday evening. The fire, he said, “originated in a generator in the building and spread to several servers.”
Tomi Engdahl says:
“One of the tips I can give you when it comes to cyber security is that you should be careful to ensure that contact details you publish actually belong to you,”
Their ‘next job could be in cyber’: UK Cyber Security Council launches itself by pointing world+dog to domain it doesn’t own
Shouting cyber cyber cyber, mega mega fail thing
https://www.theregister.com/2021/04/06/uk_cybersecurity_council_domain_fail_launch/
The UK Cyber Security Council announced itself to the public realm last week by touting a domain it doesn’t own. Helpfully, internet jokesters then bought up variations on the official address.
All very worthy and important. When British infosec folk noticed that the official press release mentioned an email address for ukcybersecurity[.]org[.]uk, however, everything started unravelling.
Why? Because the UK Cyber Security Council didn’t own ukcybersecurity[.]org[.]uk. Nobody did – until Adrian Kennard bought it and pointed it at his personal blog, where he dispensed some gentle advice to the new org.
“One of the tips I can give you when it comes to cyber security is that you should be careful to ensure that contact details you publish actually belong to you,” wrote Kennard, who runs a UK ISP, adding: “It took a while to stop laughing at the irony first, but now, yes, the UK Cyber Security Council are welcome to ukcybersecurity.org.uk. They can email me at [email protected] for more information (be nice).”
So far nobody’s asked for the domain, Kennard told The Register – though there were a couple of attempts to register GPG keys for the address which he said weren’t by him. This could have been serious had an actual fraudster got hold of the domain: they would then be able to present themselves as an authenticated representative of UKCSC.
In its marketing fluff UKCSC declared it will deliver “thought leadership, career tools and education resources to the cyber security sector and those seeking a career in the industry, alongside helping influence government, industry and academia with the aim of developing and promoting UK cyber security excellence globally and growing the skills base.”
Tomi Engdahl says:
European Commission, other EU orgs recently hit by cyber-attack
https://www.bleepingcomputer.com/news/security/european-commission-other-eu-orgs-recently-hit-by-cyber-attack/
The European Commission and several other European Union organizations were hit by a cyberattack in March, according to a European Commission spokesperson. No “major information breach” was detected so far, although forensic analysis of the intrusion attempts is still in the initial phase, and no conclusive information is available.
Tomi Engdahl says:
Malicious Cyber Activity Targeting Critical SAP Applications
https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications
SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks. On April 6 2021, security researchers from Onapsis, in coordination with SAP, released an alert detailing observed threat actor activity and techniques that could lead to full control of unsecured SAP applications.
Tomi Engdahl says:
Have I Been Pwned adds search for leaked Facebook phone numbers
https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-search-for-leaked-facebook-phone-numbers/
Facebook users can now use the Have I Been Pwned data breach notification site to check if their phone number was exposed in the social site’s recent data leak. For example, if you wanted to check if your phone number was part of the Facebook data leak, you would need to use a search in the format ’19175555555.’ If you are in the UK, you would need to include your country code as well, so a searchable phone number format would be ‘+442071838750.’ Hunt states that the + symbol is optional and will be stripped when searching, as shown below.
Tomi Engdahl says:
Facebook data leak now under EU data regulator investigation
https://www.bleepingcomputer.com/news/security/facebook-data-leak-now-under-eu-data-regulator-investigation/
Ireland’s Data Protection Commission (DPC) is investigating a massive data leak concerning a database containing personal information belonging to more than 530 million Facebook users. “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”
Tomi Engdahl says:
Teemu built a website for the Finnish victims of the Facebook leak, which the authorities do not recommend using; tens of thousands of visitors
https://www.is.fi/digitoday/tietoturva/art-2000007903051.html
An anonymous online service has been set up for those affected by the major Facebook leak that came to light at Easter, where you can check whether your own phone number, and possibly other Facebook data, has ended up online. “In the opinion of the National Cyber Security Centre, using it is not sensible.” “I do not recommend, on the spur of the moment, downloading the data leaked in the breach and making it available on the internet.”
Tomi Engdahl says:
Facebook’s response to the data leak is astonishing: does the company think a date of birth expires?
https://www.tivi.fi/uutiset/tv/67e36cd6-8c95-45ae-92e7-d5e6473ee083
Facebook seems incomprehensibly indifferent, even though the personal data of over 500 million users is circulating online. Facebook has been asked for comment on the gigantic data leak. Mark Zuckerberg’s representative commented to The Register only that the data is from 2019, and that the leak was reported and the vulnerability fixed back then.
Tomi Engdahl says:
Check you own the website before you send out the press release
https://grahamcluley.com/check-you-own-the-website-before-you-send-out-the-press-release/
The end of last month saw the official launch of the UK Cyber Security Council, a government-backed consortium with a mandate to boost career opportunities and professional standards in the cybersecurity sector, attract more talent, and increase diversity in the industry. To the casual reader that looks fine. And maybe some journalists will have emailed [email protected] or even tried to visit the UK Cyber Security Council’s website at ukcybersecurity.org.uk. Not only did the email address not work but actually no-one had registered the ukcybersecurity.org.uk domain at all.
Tomi Engdahl says:
Microsoft Defender for Endpoint now supports Windows 10 Arm devices
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-endpoint-now-supports-windows-10-arm-devices/
Microsoft today announced that Microsoft Defender for Endpoint, the enterprise version of its Defender antivirus, now comes with support for Windows 10 on Arm devices. Defender for Endpoint’s functionality and capabilities are identical on Windows 10 on Arm devices, providing everything from the onboarding experience to device inventory, response actions, advanced hunting, alerts, and more.
Tomi Engdahl says:
Facebook Says Hackers ‘Scraped’ Data of 533 Million Users in 2019 Leak
https://www.securityweek.com/facebook-says-hackers-scraped-data-533-million-users-2019-leak
Facebook said Tuesday that hackers “scraped” personal data of some half-billion users back in 2019 by taking advantage of a feature designed to help people easily find friends using contact lists.
A trove of information about more than 530 million Facebook users was shared over the weekend at a hacker forum, prompting the leading social network to explain what happened and call on people to be vigilant about privacy settings.
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Facebook product management director Mike Clark said in a post.
“This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.”
https://about.fb.com/news/2021/04/facts-on-news-reports-about-facebook-data/
Tomi Engdahl says:
APT Group Using Voice Changing Software in Spear-Phishing Campaign
https://www.securityweek.com/apt-group-using-voice-changing-software-spear-phishing-campaign
A sub-group of the ‘Molerats’ threat-actor has been using voice-changing software to successfully trick targets into installing malware, according to a warning from Cado Security.
The Molerats hacking group, also tagged as Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, and Moonlight, has been active since at least 2012, mainly targeting entities in the Middle East, but also launching attacks against targets in Europe and the United States.
Cado Security says that APT-C-23, believed to be part of Molerats, typically uses social engineering to trick victims into installing malware, and was previously observed impersonating women in attacks that leveraged social media sites to target soldiers in the Israel Defence Forces.
Tomi Engdahl says:
Threat Actors Quick to Target (Patched) SAP Vulnerabilities
https://www.securityweek.com/threat-actors-quick-target-patched-sap-vulnerabilities
Tomi Engdahl says:
Senators Press for More on SolarWinds Hack After AP Report
https://www.securityweek.com/senators-press-more-solarwinds-hack-after-ap-report
Key lawmakers said Tuesday they’re concerned they’ve been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what’s known as the SolarWinds hack.
In letters to top officials, Sens. Gary Peters and Rob Portman said recent reporting by The Associated Press “raised the troubling possibility that some federal agencies did not fully report” the extent of the breach to Congress.
“Time and again this committee has discussed the challenges of defending against sophisticated, well-resourced, and patient cyber adversaries. Nevertheless, the fact remains that despite significant investments in cyber defenses, the federal government did not initially detect this cyberattack,” the senators wrote. Peters, a Democrat from Michigan, chairs the Senate Homeland Security and Governmental Affairs Committee. Portman, of Ohio, is the top Republican.
Tomi Engdahl says:
Lily Hay Newman / Wired:
Facebook says the leaked 533M records are a different data set that attackers created by abusing a flaw in a Facebook contacts import feature, not by hacking — The company’s explanations have been confusing and inconsistent, but there are finally some answers.
What Really Caused Facebook’s 500M-User Data Leak?
The company’s explanations have been confusing and inconsistent, but there are finally some answers.
https://www.wired.com/story/facebook-data-leak-500-million-users-phone-numbers/
Since Saturday, a massive trove of Facebook data has circulated publicly, splashing information from roughly 533 million Facebook users across the internet. The data includes things like profile names, Facebook ID numbers, email addresses, and phone numbers. It’s all the kind of information that may already have been leaked or scraped from some other source, but it’s yet another resource that links all that data together—and ties it to each victim—presenting tidy profiles to scammers, phishers, and spammers on a silver platter.
Facebook’s initial response was simply that the data was previously reported on in 2019 and that the company patched the underlying vulnerability in August of that year. Old news. But a closer look at where, exactly, this data comes from produces a much murkier picture. In fact, the data, which first appeared on the criminal dark web in 2019, came from a breach that Facebook did not disclose in any significant detail at the time and only fully acknowledged Tuesday evening in a blog post attributed to product management director Mike Clark.
One source of the confusion was that Facebook has had any number of breaches and exposures from which this data could have originated. Was it the 540 million records—including Facebook IDs, comments, likes, and reaction data—exposed by a third party and disclosed by the security firm UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, names, and Facebook IDs, scraped from the social network by bad actors before a 2018 Facebook policy change, that were exposed publicly and reported by TechCrunch in September 2019? Did it have something to do with the Cambridge Analytica third-party data sharing scandal of 2018? Or was this somehow related to the massive 2018 Facebook data breach that compromised access tokens and virtually all personal data from about 30 million users?
In fact, the answer appears to be none of the above. As Facebook eventually explained in background comments to WIRED and in its Tuesday blog, the recently public trove of 533 million records is an entirely different data set that attackers created by abusing a flaw in a Facebook address book contacts import feature. Facebook says it patched the vulnerability in August 2019, but it’s unclear how many times the bug was exploited before then. The information from more than 500 million Facebook users in more than 106 countries contains Facebook IDs, phone numbers, and other information about early Facebook users like Mark Zuckerberg and US secretary of Transportation Pete Buttigieg, as well as the European Union commissioner for data protection, Didier Reynders.
You can check whether your phone number or email address were exposed in the leak by checking the breach tracking site HaveIBeenPwned. For the service, founder Troy Hunt reconciled and ingested two different versions of the data set that have been floating around.
“When there’s a vacuum of information from the organization that’s implicated, everyone speculates, and there’s confusion,” Hunt says.
“At what point did Facebook say, ‘We had a bug in our system, and we added a fix, and therefore users might be affected’?” says former Federal Trade Commission chief technologist Ashkan Soltani. “I don’t remember ever seeing Facebook say that. And they’re kind of stuck now, because they apparently didn’t do any disclosure or notification.”
The Irish Data Protection Commission said in a statement on Tuesday that it “received no proactive communication from Facebook” regarding the breach.
“Previous data sets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website, which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone look-up functionality,” according to the timeline the commission put together. “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR. The newly published data set seems to comprise the original 2018 (pre GDPR) data set and combined with additional records, which may be from a later period.”
Facebook says it did not notify users about the 2019 contact importer exploitation precisely because there are so many troves of semipublic user data—taken from Facebook itself and other companies—out in the world.
Additionally, attackers needed to supply phone numbers and manipulate the feature to spit out the corresponding name and other data associated with it for the exploit to work, which Facebook argues means that it did not expose the phone numbers itself.
Phone numbers used to be public in phone books and often still are, but as they’ve evolved to be ubiquitous identifiers, linking you to different parts of your digital life, they’ve taken on new significance and potential value to attackers. They even play a role in sensitive authentication, by being the path through which you might receive two-factor authentication codes over SMS or a phone call in which you provide information to confirm your identity. The idea that phone numbers are now critical to your digital security is not at all new.
“It’s a fallacy to think that a breach isn’t serious just because it doesn’t have passwords in it or other maximally sensitive data,” says Zack Allen, director of threat intelligence at the security firm ZeroFox. “It’s also a fallacy to say that a situation isn’t that bad just because it’s old data. And furthermore, phone numbers scare the crap out of me as a form of authentication, which unfortunately is how they’re often used these days.”
Tomi Engdahl says:
BuzzFeed News:
Report: employees at 1,803 public agencies in the US used Clearview AI for ~340K facial recognition searches without informing the public or their departments — A controversial facial recognition tool designed for policing has been quietly deployed across the country with little to no public oversight.
https://www.buzzfeednews.com/article/ryanmac/clearview-ai-local-police-facial-recognition?scrolla=5eb6d68b7fedc32c19ef33b4
Tomi Engdahl says:
Bloomberg:
EU says a number of institutions, including the European Commission, were hit by a significant cyberattack last week, although no data breach has been detected
European Institutions Were Targeted in a Cyber-Attack Last Week
https://www.bloomberg.com/news/articles/2021-04-06/european-institutions-were-targeted-in-a-cyber-attack-last-week
A range of European Union institutions including the European Commission were hit by a significant cyber-attack last week.
A spokesperson for the commission said that a number of EU bodies “experienced an IT security incident in their IT infrastructure.” The spokesperson said forensic analysis of the incident is still in its initial phase and that it’s too early to provide any conclusive information about the nature of the attack.
“We are working closely with CERT-EU, the Computer Emergency Response Team for all EU institutions, bodies and agencies and the vendor of the affected IT solution,” the spokesperson said. “Thus far, no major information breach was detected.”
The attack was serious enough for senior officials at the commission to be alerted, according to a person familiar with the matter. The same person said the incident was bigger than the usual attacks that regularly hit the EU. Another EU official said that staff had recently been warned about potential phishing attempts.
Tomi Engdahl says:
[1270] Same Garbage, Different Name… A Common Problem
https://www.youtube.com/watch?v=405iFLvPsH8
LPL playing 3D Whack-A-Mole on disposable company names… and their locks.
The fact that a mallet hit pops the shackle makes me think you might be able to just yank those cheap locks off things with moderate strength.
Tomi Engdahl says:
Elizabeth Culliford / Reuters:
Facebook says it did not notify users about the 2019 data leak affecting 533M accounts at the time and doesn’t plan to do so now — (Reuters) – Facebook Inc did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently …
Facebook does not plan to notify half-billion users affected by data leak
https://www.reuters.com/article/us-facebook-data-leak-idUSKBN2BU2ZY
Facebook Inc did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database, and does not currently have plans to do so, a company spokesman said on Wednesday.
Business Insider reported last week that phone numbers and other details from user profiles were available in a public database. Facebook said in a blog post on Tuesday that “malicious actors” had obtained the data prior to September 2019 by “scraping” profiles using a vulnerability in the platform’s tool for synching contacts.
The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified. He said it also took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users. Facebook has said it plugged the hole after identifying the problem at the time.
Tomi Engdahl says:
Politico:
Data of EU privacy chief Didier Reynders, Luxembourg PM Xavier Bettel, and dozens of EU officials found among Facebook’s leaked data set of 533M records
EU privacy chief victim of Facebook data leak
https://www.politico.eu/article/eu-leaders-facebook-data-leak-cybersecurity-didier-reynders/
Didier Reynders, Luxembourg PM Xavier Bettel among European leaders whose data was leaked online.
EU Justice Commissioner Didier Reynders, Luxembourg Prime Minister Xavier Bettel and dozens of EU officials have all been caught up in a Facebook data leak that was released onto a public forum and is circulating widely.
Their data was part of the 533 million records including phone numbers, Facebook IDs, full names and birthdates that was discovered on Saturday and is circulating on online forums for free.
A dataset of Belgian and Luxembourgish victims seen by POLITICO also contained phone numbers of dozens of EU officials, including European Commission cabinet members, EU diplomats and staff. POLITICO verified the authenticity of several officials’ details — including reaching Reynders and Bettel directly on their phones — on Tuesday.
When contacted by POLITICO, Bettel said he was aware that his details had appeared online.
Germany’s chief federal privacy regulator Ulrich Kelber also suggested on Twitter he received scam messages as a consequence of the leak.
Tomi Engdahl says:
Senators Press for More on SolarWinds Hack After AP Report
https://www.securityweek.com/senators-press-more-solarwinds-hack-after-ap-report
Key lawmakers said Tuesday they’re concerned they’ve been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what’s known as the SolarWinds hack.
In letters to top officials, Sens. Gary Peters and Rob Portman said recent reporting by The Associated Press “raised the troubling possibility that some federal agencies did not fully report” the extent of the breach to Congress.
The Biden administration has tried to keep a tight lid on the scope of the SolarWinds attack as it weighs retaliatory measures against Russia. But an inquiry by the AP found new details about the breach at DHS and other agencies, including the Energy Department, where hackers accessed top officials’ schedules.
The AP interviewed more than a dozen current and former U.S. government officials, who spoke on the condition of anonymity because of the confidential nature of the ongoing investigation into the hack.
Tomi Engdahl says:
Google Patches Critical Code Execution Vulnerability in Android
https://www.securityweek.com/google-patches-critical-code-execution-vulnerability-android
The April 2021 Android security bulletin published this week by Google describes more than 30 vulnerabilities in the mobile operating system, including a remote code execution flaw in the System component.
Tracked as CVE-2021-0430 and affecting Android 10 and 11, the code execution vulnerability is deemed critical severity. The bug was patched as part of the 2021-04-01 security patch level.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains in its advisory.
https://source.android.com/security/bulletin/2021-04-01
Tomi Engdahl says:
Microsoft’s Windows 10, Exchange, and Teams hacked at Pwn2Own
https://www.bleepingcomputer.com/news/security/microsofts-windows-10-exchange-and-teams-hacked-at-pwn2own/
During the first day of Pwn2Own 2021, contestants won $440,000 after successfully exploiting previously unknown vulnerabilities to hack Microsoft’s Windows 10 OS, the Exchange mail server, and the Teams communication platform. The first to fall was Microsoft Exchange in the Server category after the Devcore team achieved remote code execution on an Exchange server by chaining together an authentication bypass and a local privilege escalation.
Tomi Engdahl says:
New wormable Android malware poses as Netflix to hijack WhatsApp sessions
https://www.zdnet.com/article/new-android-malware-poses-as-netflix-to-hijack-whatsapp-sessions/
A new variant of Android malware has been discovered in an app on Google Play that entices users by promising free Netflix subscriptions. On Wednesday, Check Point Research (CPR) said the “wormable” mobile malware was discovered in the Google Play Store, the official repository for Android apps. The malicious software, dubbed “FlixOnline,” disguises itself as a legitimate Netflix application and appears to focus on targeting the WhatsApp messaging application.
Tomi Engdahl says:
Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers
https://www.vice.com/en/article/88awzp/facebook-says-its-your-fault-that-hackers-got-half-a-billion-user-phone-numbers
A database containing the stolen phone numbers of more than half a billion Facebook users is being freely traded online. A blog post titled “The Facts on News Reports About Facebook Data,” published Tuesday evening, is designed to silence the growing criticism the company is facing for failing to protect the phone numbers and other personal information of 533 million users after a database containing that information was shared for free in low-level hacking forums over the weekend, as first reported by Business Insider.
Tomi Engdahl says:
Update on PHP source code compromise: User database leak suspected
https://www.theregister.com/2021/04/07/update_on_php_source_code/
PHP maintainer Nikita Popov has posted an update concerning how the source code was compromised and malicious code inserted, blaming a user database leak rather than a problem with the server itself. The PHP code repository was compromised late last month with the insertion of code that, if left in place, would have enabled a backdoor into any web server running it. The code was initially committed in the name of Rasmus Lerdorf, creator of PHP, and after it was removed, recommitted under Popov’s name.
Tomi Engdahl says:
Someone is trying to hijack your bank credentials, beware of this contact: a man lost 300,000 euros
https://www.iltalehti.fi/tietoturva/a/7fd7bac6-feed-49dc-8bfa-8ea50657e801
The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom warns of a phishing campaign targeting online banking credentials. Criminals are sending Finns both text messages and e-mails disguised as coming from banks. Iltalehti reported in January how police are investigating a case in which a Finnish man was defrauded of almost 300,000 euros in Nordea’s name. The man had received an e-mail from “Nordea” asking him to sign a confidential document. In reality, the man entered his banking details into a phishing site.
Tomi Engdahl says:
Critical Auth Bypass Bug Found in VMware Data Center Security Product
https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html
A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems. Tracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1.
Tomi Engdahl says:
REvil ransomware now changes password to auto-login in Safe Mode
https://www.bleepingcomputer.com/news/security/revil-ransomware-now-changes-password-to-auto-login-in-safe-mode/
A recent change to the REvil ransomware allows the threat actors to automate file encryption via Safe Mode after changing Windows passwords.
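The combination described above (a changed password, an auto-logon, a forced Safe Mode boot) is visible in endpoint telemetry before any file is encrypted. The detection below is an added example, not code from the article or from any vendor; it assumes the auto-logon is staged through the Winlogon registry values AutoAdminLogon, DefaultUserName and DefaultPassword and that Safe Mode is forced with `bcdedit ... safeboot`, which the article does not spell out. The event records are constructed, so it runs offline against a ransomware-like sequence and a benign kiosk-style auto-logon that must not alert.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed tradecraft (see lead-in): bcdedit forcing a Safe Mode boot and
# `net user <name> <password>` resetting a local account password.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
NET_USER_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+(\S+)", re.IGNORECASE)


@dataclass
class Event:
    ts: str      # ISO-8601 timestamp
    kind: str    # "registry" for a value write, "process" for a command line
    detail: str  # registry: r"KEY\ValueName=data"; process: the command line


def parse_registry_event(detail: str):
    """Split r"KEY\ValueName=data" into (key, value name, data)."""
    path, _, data = detail.partition("=")
    key, _, name = path.rpartition("\\")
    return key, name, data


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_safe_mode_autologon(events: List[Event],
                               window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag a `bcdedit ... safeboot` execution preceded, within `window`, by
    Winlogon auto-logon being enabled AND a password being staged (either a
    DefaultPassword write or a `net user <name> <pw>` reset)."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev.kind != "process" or not SAFEBOOT_RE.search(ev.detail):
            continue
        t_end = _ts(ev.ts)
        indicators, user = [], None
        for prior in ordered[:i]:
            if t_end - _ts(prior.ts) > window:
                continue
            if prior.kind == "registry":
                key, name, data = parse_registry_event(prior.detail)
                if key.lower() != WINLOGON_KEY.lower():
                    continue
                lname = name.lower()
                if lname == "autoadminlogon" and data.strip() == "1":
                    indicators.append("AutoAdminLogon=1")
                elif lname == "defaultpassword":
                    indicators.append("DefaultPassword written")
                elif lname == "defaultusername":
                    user = data
            else:
                m = NET_USER_RE.search(prior.detail)
                if m and not m.group(2).startswith("/"):   # skip "net user x /add"
                    indicators.append(f"password changed for {m.group(1)}")
        has_autologon = "AutoAdminLogon=1" in indicators
        has_password = any(s.startswith(("DefaultPassword", "password changed"))
                           for s in indicators)
        if has_autologon and has_password:
            alerts.append({"time": ev.ts, "user": user, "command": ev.detail,
                           "indicators": indicators + ["safeboot"]})
    return alerts


# Constructed sample telemetry (not real logs). The first six events mimic the
# ransomware sequence; the last two are an admin enabling auto-logon for a
# kiosk without any Safe Mode boot, which must not alert.
SAMPLE_EVENTS = [
    Event("2021-04-07T10:00:01", "process", "net user Administrator Hunter2-constructed"),
    Event("2021-04-07T10:00:02", "registry", WINLOGON_KEY + r"\AutoAdminLogon=1"),
    Event("2021-04-07T10:00:02", "registry", WINLOGON_KEY + r"\DefaultUserName=Administrator"),
    Event("2021-04-07T10:00:03", "registry", WINLOGON_KEY + r"\DefaultPassword=Hunter2-constructed"),
    Event("2021-04-07T10:00:04", "process", "bcdedit /set {current} safeboot network"),
    Event("2021-04-07T10:00:05", "process", "shutdown /r /f /t 0"),
    Event("2021-04-07T15:30:00", "registry", WINLOGON_KEY + r"\AutoAdminLogon=1"),
    Event("2021-04-07T15:30:01", "registry", WINLOGON_KEY + r"\DefaultUserName=kiosk"),
]

if __name__ == "__main__":
    for alert in detect_safe_mode_autologon(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the conjunction rather than on any single artifact: auto-logon alone is common on kiosks and build machines, and `bcdedit` alone is run by administrators, but a password reset plus auto-logon plus a forced Safe Mode boot inside a few minutes has no ordinary explanation.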
Tomi Engdahl says:
Another supply-chain attack? Android maker Gigaset injects malware into victims’ phones via poisoned update
https://www.theregister.com/2021/04/07/gigaset_supply_chain_malware_android_phones/
Android smartphones from Gigaset have been infected by malware direct from the manufacturer in what appears to be a supply-chain attack. The Trojan, once downloaded and installed on a victim’s device via a poisoned software update from the vendor, is capable of opening browser windows, fetching more malicious apps, and sending people text messages to further spread the malware, say researchers and users.
Tomi Engdahl says:
Tech support scammers lure victims with fake antivirus billing emails
https://www.bleepingcomputer.com/news/security/tech-support-scammers-lure-victims-with-fake-antivirus-billing-emails/
The emails pretend to be billing notices from Norton Lifelock, Microsoft, and McAfee that state the recipient will be charged between $350 and $399 for a three-year subscription unless they call to cancel the subscription. The threat actors constantly change the email subjects, but they all pretend to be a billing subscription from a well-known security company. When users call the included phone numbers, the scammers will install various remote access software that threat actors will use to install malware on the computer.
Tomi Engdahl says:
Windows 10 hacked again at Pwn2Own, Chrome and Zoom also fall
https://www.bleepingcomputer.com/news/security/windows-10-hacked-again-at-pwn2own-chrome-and-zoom-also-fall/
Contestants hacked Microsoft’s Windows 10 OS twice during the second day of the Pwn2Own 2021 competition, together with the Google Chrome web browser and the Zoom video communication platform.
Tomi Engdahl says:
$200,000 Awarded for Zero-Click Zoom Exploit at Pwn2Own
https://www.securityweek.com/200000-awarded-zero-click-zoom-exploit-pwn2own
Tomi Engdahl says:
https://www.securityweek.com/cisco-patches-critical-flaw-sd-wan-vmanage
Tomi Engdahl says:
https://www.securityweek.com/php-developers-share-update-recent-breach
The developers of the PHP scripting language have shared an update on the recently disclosed breach in which attackers planted malicious code.
The malicious code, discovered in late March, was found in the php-src repository hosted on the git.php.net server and it was apparently designed to allow an attacker to remotely execute arbitrary PHP code. PHP developers said the backdoor was discovered before it was pushed out to users via an update.
Initially, users were told that evidence pointed to a compromise of the git.php.net server rather than a Git account hijacking.
However, in an update shared this week, Nikita Popov, an important PHP contributor, said they no longer believe the git.php.net server was compromised.
Further investigation revealed that git.php.net had allowed developers to push changes — in addition to SSH via Gitolite infrastructure and public key cryptography — using HTTPS and password-based authentication. The attacker apparently leveraged this HTTPS channel to push the malicious PHP commits.
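The weak link described above is the gap between who authenticated to push and whose name appears on the commit: a password-authenticated HTTPS push could land commits authored as Rasmus Lerdorf. A server-side check that closes that gap, written here as an added example (not PHP’s own hook, and not part of its infrastructure), is a pre-receive-style policy that refuses a push unless every new commit’s author belongs to the authenticated pusher and carries a good signature. It assumes a hypothetical ALLOWED_AUTHORS mapping maintained by the server, takes the pusher from the GL_USER variable that Gitolite exports to hooks, and uses constructed commit records and e-mail addresses for the offline demo.

```python
import os
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical server-side policy: which author e-mails each authenticated
# pusher may commit as. Constructed entries, not PHP's real committer list.
ALLOWED_AUTHORS: Dict[str, Set[str]] = {
    "nikita": {"nikita@example.org"},
    "rasmus": {"rasmus@example.org"},
}

# git log format: hash, author name, author e-mail, signature status, subject,
# separated by ASCII unit separator so subjects containing spaces parse cleanly.
# %G? yields G (good), U (good but key untrusted), B (bad), N (none), ...
LOG_FORMAT = "%H%x1f%an%x1f%ae%x1f%G?%x1f%s"


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    subject: str


def parse_git_log(text: str) -> List[Commit]:
    """Parse lines produced by `git log --format=LOG_FORMAT`."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\x1f", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def find_violations(commits: List[Commit], pusher: str,
                    allowed: Dict[str, Set[str]] = ALLOWED_AUTHORS,
                    require_signature: bool = True) -> List[Tuple[Commit, List[str]]]:
    """Return (commit, reasons) for every commit the pusher may not introduce:
    an author e-mail not mapped to the pusher, or (optionally) a commit whose
    signature is not verified. G and U are accepted so that a server-side
    keyring without trust assignments still works."""
    permitted = {e.lower() for e in allowed.get(pusher, set())}
    violations = []
    for c in commits:
        reasons = []
        if c.author_email.lower() not in permitted:
            reasons.append(f"author {c.author_email} not permitted for pusher {pusher}")
        if require_signature and c.sig_status not in ("G", "U"):
            reasons.append(f"signature status {c.sig_status!r}, need G or U")
        if reasons:
            violations.append((c, reasons))
    return violations


def commits_in_push(old: str, new: str, repo: str = ".") -> List[Commit]:
    """List the commits a pre-receive update introduces (runs git; not used
    by the offline demo). An all-zero old SHA means a newly created ref."""
    rev_range = new if set(old) == {"0"} else f"{old}..{new}"
    out = subprocess.run(["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return parse_git_log(out)


# Constructed sample: one signed commit by the pusher, two unsigned commits
# carrying someone else's author identity. SHAs and e-mails are made up.
SAMPLE_LOG = "\n".join([
    "1111111\x1fNikita Popov\x1fnikita@example.org\x1fG\x1fFix build on 32-bit",
    "2222222\x1fRasmus Lerdorf\x1frasmus@example.org\x1fN\x1fFix typo",
    "3333333\x1fRasmus Lerdorf\x1frasmus@example.org\x1fN\x1fRevert unrelated change",
])

if __name__ == "__main__":
    pusher = os.environ.get("GL_USER", "nikita")   # Gitolite exports GL_USER to hooks
    if sys.stdin.isatty():
        commits = parse_git_log(SAMPLE_LOG)        # offline demo
    else:
        commits = []
        for line in sys.stdin:                     # pre-receive input: "<old> <new> <ref>"
            old, new, _ref = line.split()
            commits.extend(commits_in_push(old, new))
    bad = find_violations(commits, pusher)
    for c, reasons in bad:
        print(f"REJECT {c.sha} ({c.author_email}): " + "; ".join(reasons))
    sys.exit(1 if bad else 0)
```

Run as `GL_USER=nikita python3 check_push.py` with no stdin to see the demo reject the two impersonated commits. The author check is what stops a leaked password from being turned into someone else’s commit; the signature check is what still holds if the account-to-author mapping is itself wrong, since a stolen password does not come with the victim’s signing key.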