Cyber security news April 2021

This posting is here to collect cyber security news in April 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

260 Comments

  1. Tomi Engdahl says:

    Joseph Cox / VICE:
    Facebook says a vulnerability that lets attackers find a Facebook profile given an email address is still active after being “erroneously closed out”

    Tool Links Email Addresses to Facebook Accounts in Bulk
    https://www.vice.com/en/article/bvz8pz/tool-finds-facebook-email-addresses

    A video shared with researchers and Motherboard shows a tool linking email addresses to Facebook accounts.

    Reply
  2. Tomi Engdahl says:

    Abner Li / 9to5Google:
    Google says it will audit WebView and implement a WebView “Safe Mode” after a bug impacting WebView and Chrome caused many Android apps to crash last month

    Google explains why WebView crashed Android apps last month and upcoming mitigations
    https://9to5google.com/2021/04/20/android-webview-crash-fix/

    Following Android users worldwide experiencing repeated app crashes last month, Google today released an explanation behind what went wrong and how future WebView problems will be remedied.

    This incident report was generated by the Workspace team given that Gmail and other productivity applications were impacted. Google pins the problem on a “bug within Chrome & WebView’s experiment & configuration technology.” This caused “instability” in Android apps that use WebView to render web content that in turn repeatedly crashed them.

    To make sure this kind of problem does not occur again, Google will “audit WebView and its related dependencies for production readiness,” while improving “experiment testability and roll-out process.”

    Reply
  3. Tomi Engdahl says:

    Pulse Secure Zero-Day Flaw Actively Exploited in Attacks
    https://www.securityweek.com/pulse-secure-zero-day-flaw-actively-exploited-attacks

    Multiple threat actors are actively engaged in the targeting of four vulnerabilities in Pulse Secure VPN appliances, including a zero-day identified this month that won’t be patched until next month.

    The oldest of the targeted security flaws, CVE-2019-11510 (CVSS score of 10), was patched in 2019, yet attacks continue to this date, as many organizations have not applied the available fixes.

    Two other bugs, namely CVE-2020-8243 and CVE-2020-8260 (both with a CVSS score of 7.2), were patched last year, but their situation is no different: although fixes have been available for more than six months, patching remains very slow.

    Tracked as CVE-2021-22893 and discovered in April 2021, the fourth vulnerability won’t receive a patch until early May, but Pulse Secure says that it has already provided mitigations to a very limited number of customers affected.

    Reply
  4. Tomi Engdahl says:

    Firefox 88 Combats Cross-Site Tracking to Improve User Privacy
    https://www.securityweek.com/firefox-88-combats-cross-site-tracking-improve-user-privacy

    Mozilla this week released Firefox 88 in the stable channel with patches for a dozen vulnerabilities and with improved user privacy, obtained through isolating the window.name property to the website that created it.

    For over two decades, the window.name property has been available for websites to store whatever data they choose to, but such data has often been allowed to leak between sites, essentially allowing for the tracking of users across the pages they visit.

    The data that websites stored in window.name, Mozilla explains, has been exempt from the same-origin policy that prevented information sharing between websites. Thus, sites were able to share data about users via the window.name property.

    “Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites. Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website,” Mozilla says.

    To put a stop to this behavior, Firefox will no longer allow websites to access the window.name set by other sites by clearing the property when users navigate to new websites. Whenever the user navigates back to a website, Firefox will restore the property to its previous value for that site.

    Reply
  5. Tomi Engdahl says:

    Google Chrome Hit in Another Mysterious Zero-Day Attack
    https://www.securityweek.com/google-chrome-hit-another-mysterious-zero-day-attack

    Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks.

    This is the fourth in-the-wild Chrome zero-day discovered so far in 2021, and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts.

    The newest Chrome update — 90.0.4430.85 — is available for Windows, Mac and Linux users and is being rolled out via the browser’s automatic update mechanism.

    According to a Google Chrome advisory, the update patches seven security vulnerabilities, but the company only provided one-line documentation and CVE IDs for five bugs.

    The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a “type confusion” in the V8 Chrome rendering engine. Google credited Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability.

    “Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” the company said.

    Reply
  6. Tomi Engdahl says:

    Pulse Connect Secure Security Update
    https://blog.pulsesecure.net/pulse-connect-secure-security-update/
    The Pulse Secure team recently discovered that a limited number of customers have experienced evidence of exploit behavior on their Pulse Connect Secure (PCS) appliances. We are sharing information about the investigation and our actions through several communications channels in the best interests of our customers and the greater security community.
    Also: https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
    Also: https://www.reuters.com/technology/china-linked-hackers-used-pulse-secure-flaw-target-us-defense-industry-2021-04-20/
    Also: https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-zero-day-used-to-hack-defense-firms-govt-orgs/
    Also: https://therecord.media/chinese-hackers-use-new-pulse-secure-vpn-zero-day-to-breach-us-defense-contractors/
    Also: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755
    Also: https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_12/2021

    Reply
  7. Tomi Engdahl says:

    Remote code execution vulnerabilities uncovered in smart air fryer
    https://www.zdnet.com/article/remote-code-execution-vulnerabilities-uncovered-in-smart-air-fryer
    In another example of how connectivity can impact our home security, researchers have disclosed two remote code execution (RCE) vulnerabilities in a smart air fryer.

    The team tested the Cosori Smart 5.8-Quart Air Fryer CS158-AF (v.1.1.0) and discovered CVE-2020-28592 and CVE-2020-28593. The first vulnerability is caused by an unauthenticated backdoor and the second, a heap-based overflow issue — both of which could be exploited via crafted traffic packets, although local access may be required for easier exploitation.

    The vulnerabilities have now been disclosed without any fix. According to Talos researchers, Cosori did not “respond appropriately” within the typical 90-day vulnerability disclosure period, so perhaps the vendor will consider issuing a patch now that the issues are public.

    Reply
  8. Tomi Engdahl says:

    Internal Facebook email reveals intent to frame data scraping as ‘normalized’, broad industry issue
    https://www.zdnet.com/article/facebook-internal-email-reveals-intent-to-frame-data-scraping-as-broad-industry-issue-and-normalized
    An internal email accidentally leaked by Facebook to a journalist has revealed the firm’s intentions to frame a recent data scraping incident as “normalized” and a “broad industry issue.”

    Reply
  9. Tomi Engdahl says:

    Over 750,000 Users Downloaded New Billing Fraud Apps From Google Play Store
    https://thehackernews.com/2021/04/over-750000-users-download-new-billing.html
    Researchers have uncovered a new set of fraudulent Android apps in the Google Play store that were found to hijack SMS message notifications for carrying out billing fraud. The apps in question primarily targeted users in Southwest Asia and the Arabian Peninsula, attracting a total of 700,000 downloads before they were discovered and removed from the platform.
    Also: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clever-billing-fraud-applications-on-google-play-etinu/
    Also: https://www.trendmicro.com/en_us/research/21/c/no-laughing-matter-joker-latest-ploy.html

    Reply
  10. Tomi Engdahl says:

    The Incredible Rise of North Korea’s Hacking Army
    https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army
    The country’s cyber forces have raked in billions of dollars for the
    regime by pulling off schemes ranging from A.T.M. heists to
    cryptocurrency thefts. Can they be stopped?

    IntelBrief: QAnon A U.S. National Security Threat Amplified by
    Foreign-Based Actors
    https://thesoufancenter.org/intelbrief-2021-april-20/
    In testimony last week to the United States Senate Intelligence
    Committee, FBI Director Christopher Wray highlighted the continuing
    national security threat posed by adherents of the QAnon conspiracy
    theory.

    Reply
  11. Tomi Engdahl says:

    U.S. Helping Ukraine Foil Russian Cyberattacks as Hacking Spikes: Sources
    https://www.usnews.com/news/world-report/articles/2021-04-20/us-helping-ukraine-foil-russian-cyberattacks-as-hacking-spikes-sources

    U.S. News has learned that Ukraine, working with U.S. partners, has foiled at least 350 Russian cyberattacks in recent weeks while Moscow’s forces mass on the border.

    Reply
  12. Tomi Engdahl says:

    Dustin Volz / Wall Street Journal:
    Internal memo: DOJ has formed a taskforce to combat the proliferation of ransomware attacks, targeting the entire ecosystem with prosecutions and more

    Ransomware Targeted by New Justice Department Task Force
    https://www.wsj.com/articles/ransomware-targeted-by-new-justice-department-task-force-11619014158?mod=djemalertNEWS

    After ‘worst year ever’ for the cyberattacks, department seeks to disrupt digital ecosystem that supports them

    Reply
  13. Tomi Engdahl says:

    “By including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated reports” :D

    Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective
    https://signal.org/blog/cellebrite-vulnerabilities/

    Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

    Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

    They produce two primary pieces of software (both for Windows): UFED and Physical Analyzer.

    UFED creates a backup of your device onto the Windows machine running UFED (it is essentially a frontend to adb backup on Android and iTunes backup on iPhone, with some additional parsing). Once a backup has been created, Physical Analyzer then parses the files from the backup in order to display the data in browsable form.

    When Cellebrite announced that they added Signal support to their software, all it really meant was that they had added support to Physical Analyzer for the file formats used by Signal.

    Anyone familiar with software security will immediately recognize that the primary task of Cellebrite’s software is to parse “untrusted” data from a wide variety of formats as used by many different apps. That is to say, the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.

    For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

    Reply
  14. Tomi Engdahl says:

    Well now. We also know Russia is deeply a problem here. I hope Russia and China are taking on each other much worse.

    China behind another hack as U.S. cybersecurity issues mount
    https://www.nbcnews.com/tech/security/china-another-hack-us-cybersecurity-issues-mount-rcna744?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm

    Cybersecurity company Mandiant said Pulse Secure, a program that businesses often use to let workers remotely connect to their offices, had been compromised.

    China is behind a newly discovered series of hacks against key targets in the U.S. government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday.

    The hack works by breaking into Pulse Secure, a program that businesses often use to let workers remotely connect to their offices.

    The campaign is the third distinct and severe cyberespionage operation against the U.S. made public in recent months, stressing an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies via SolarWinds, a Texas software company widely used by American businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all where scores of different hackers broke into organizations around the world through the Microsoft Exchange email program.

    Reply
  15. Tomi Engdahl says:

    Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective
    https://signal.org/blog/cellebrite-vulnerabilities/

    Reply
  16. Tomi Engdahl says:

    Linux bans University of Minnesota for committing malicious code
    https://www.bleepingcomputer.com/news/security/linux-bans-university-of-minnesota-for-committing-malicious-code/

    In a rare, groundbreaking decision, Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project.

    The move comes after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux codebase, as a part of their research activities.

    Additionally, the Linux kernel project maintainers have decided to revert any and all code commits that were ever submitted from @umn.edu email addresses.

    Malicious commits mass-reverted, UMN researchers banned
    Today, a major Linux kernel developer, Greg Kroah-Hartman has banned the University of Minnesota (UMN) from contributing to the open-source Linux kernel project.

    As seen by BleepingComputer, there are hundreds of commits touting themselves to be “patches” that have been reverted as a part of this process.

    UMN Researchers call the accusations “slander”
    Soon enough, researcher Aditya Pakki from UMN pushed back asking Kroah-Hartman to refrain “from making wild accusations that are bordering on slander.”

    “If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here,” said Kroah-Hartman.

    “Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems,” he continued.

    UMN researchers have compiled a detailed FAQ document in which they state that the goal of their research was to improve the security of the patching process in open-source software by demonstrating the practicality of bug-introducing patches.

    The researchers also stated that any patch suggestions were made via email exchanges and never made it into any code branch, or the Linux kernel.

    According to the document, the University’s IRB determined that this was not human research or ethically harmful, and as such cleared the research activities.

    The researchers did, however, offer their sincere apologies to Linux maintainers for the time wasted on reviewing “hypocrite” patches.

    Reply
  17. Tomi Engdahl says:

    In epic hack, Signal developer turns the tables on forensics firm Cellebrite
    Widely used forensic software can be exploited to infect investigators’ computers.
    https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/

    For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into confiscated mobile phones, mostly by exploiting vulnerabilities that went overlooked by device manufacturers. Now, Moxie Marlinspike—creator of the Signal messaging app—has turned the tables on Cellebrite.

    On Wednesday, Marlinspike published a post that reported vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze devices. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded into any app installed on the device.

    Virtually no limits
    “There are virtually no limits on the code that can be executed,” Marlinspike wrote.

    Reply
  18. Tomi Engdahl says:

    Signal CEO gives mobile-hacking firm a taste of being hacked
    https://www.bleepingcomputer.com/news/security/signal-ceo-gives-mobile-hacking-firm-a-taste-of-being-hacked/

    Software developed by data extraction company Cellebrite contains vulnerabilities that allow arbitrary code execution on the device, claims Moxie Marlinspike, the creator of the encrypted messaging app Signal.

    Cellebrite products are commonly used by police and governments to unlock iOS and Android phones and extract data on them. Last December, the company announced that its Physical Analyzer also gave access to data from Signal.

    The researcher provides proof of successful exploitation of UFED, Cellebrite’s product for collecting evidence from sources ranging from mobile devices and apps to public-domain social media services.

    While the announcement is far from the protocol of responsible disclosure, Marlinspike says that he will provide Cellebrite the specifics of the vulnerabilities if the company does the same for all the security issues they exploit for physical extraction services “now and in the future.”

    In seemingly “completely unrelated” news, Marlinspike says that future versions of Signal will add to the app storage files that are “aesthetically pleasing.”

    These files add nothing to Signal’s functionality and will not interact with the app, “but they look nice, and aesthetics are important in software.” If these are formatted in a special way, Cellebrite’s customers will likely have a hard time demonstrating the integrity of the scan reports from devices where Signal is installed.

    Reply
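    The integrity problem described in the Signal post quoted above (comments 13 and 18: reports that can be altered with no detectable checksum failures) is what a keyed manifest is meant to catch. The following is an added example written for this page, not code from Signal, Cellebrite or any of the linked articles. It assumes extraction output is a set of files on the analysis workstation and that the HMAC key is kept off that machine (on a token or a separate signing host), so code that runs during a scan can rewrite files and even recompute plain hashes, but cannot produce a valid new manifest. The file names and contents are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample extraction output; real reports are the analyzer's exported files.
SAMPLE_REPORT = {
    "device.txt": b"model: demo-phone\nserial: 0000000000\n",
    "messages.txt": b"2021-04-20 10:00 alice -> bob: lunch?\n",
}

def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the same manifest always MACs the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_manifest(files: dict, key: bytes, signed_at: str) -> dict:
    """Hash every output file, then MAC the manifest with a key kept off the analysis host."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = {"signed_at": signed_at, "files": entries}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

def verify_manifest(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the files match what was signed."""
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # Stop here: per-file hashes inside an unauthenticated manifest prove nothing.
        return ["manifest MAC mismatch: manifest edited or wrong key"]
    problems = []
    signed = manifest["body"]["files"]
    for name in sorted(signed):
        if name not in files:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(files[name]).hexdigest() != signed[name]:
            problems.append(f"{name}: content changed")
    for name in sorted(files):
        if name not in signed:
            problems.append(f"{name}: not in signed manifest")
    return problems

def tamper_demo(key: bytes) -> dict:
    """Three cases: untouched report; one file edited; one file edited plus its stored
    hash recomputed, which is exactly what an unkeyed checksum would let an attacker do."""
    manifest = sign_manifest(SAMPLE_REPORT, key, "2021-04-21T12:00:00Z")
    clean = verify_manifest(SAMPLE_REPORT, manifest, key)

    edited = dict(SAMPLE_REPORT)
    edited["messages.txt"] = b"2021-04-20 10:00 alice -> bob: meet at the usual place\n"
    changed = verify_manifest(edited, manifest, key)

    forged = json.loads(json.dumps(manifest))  # deep copy of the manifest
    forged["body"]["files"]["messages.txt"] = hashlib.sha256(edited["messages.txt"]).hexdigest()
    forged_result = verify_manifest(edited, forged, key)

    return {"clean": clean, "changed": changed, "forged": forged_result}

if __name__ == "__main__":
    for case, result in tamper_demo(b"demo-key-not-on-the-analysis-host").items():
        print(f"{case}: {result or 'OK'}")
```

    The third case is the one that matters: with a plain checksum the attacker who already runs code on the analysis machine simply recomputes it, and the report verifies. With the MAC keyed off-box, the recomputed hash is caught as a manifest mismatch. This does not stop the exploitation the post describes; it only makes the resulting tampering detectable at review time.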
  19. Tomi Engdahl says:

    The Government suspects there are certain routers that have been compromised, but they didn’t mention the router name/model… anybody have an idea?

    Or was this just someone who didn’t patch an old Cisco?

    Analysis Report (AR21-112A)
    CISA Identifies SUPERNOVA Malware During Incident Response
    https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

    Reply
  20. Tomi Engdahl says:

    Logins for 1.3 million Windows RDP servers collected from hacker market
    https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/

    The login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.

    With this massive leak of compromised remote access credentials, researchers, for the first time, get a glimpse into a bustling cybercrime economy and can use the data to tie up loose ends on previous cyberattacks.

    Network admins will also benefit from a new service launched by cybersecurity firm Advanced Intel called RDPwned that allows organizations to check whether their RDP credentials have been sold in the marketplace.

    The use of Windows Remote Desktop Services to breach networks is so pervasive that the FBI has stated that RDP is responsible for 70-80% of all network breaches leading to ransomware attacks.

    While all ransomware groups utilize RDP to some extent, one ransomware group known as Dharma is known to predominantly use remote desktop to gain a foothold in corporate networks.

    UAS, the largest marketplace for RDP credentials
    UAS, or ‘Ultimate Anonymity Services,’ is a marketplace that sells Windows Remote Desktop login credentials, stolen Social Security Numbers, and access to SOCKS proxy servers.

    “The market functions partially like eBay – a number of Suppliers work with the market. They have a separate place to log in and upload the RDPs they hacked. The system will then verify them, collect information about each one (os, admin access? internet speed, cpu, memory etc etc), which is added to the listing.”

    Reply
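    A network admin’s version of the check the RDPwned service offers, as an added example for this page (not Advanced Intel’s code, and not UAS data): match a leaked credential list against the address ranges you own and report the hits without putting the plaintext passwords into the ticket. The dump format “host:port;username;password” and every sample line below are constructed for illustration; a real dump will need its own parser.

```python
import hashlib
import ipaddress

# Constructed sample in the assumed dump format "host:port;username;password".
SAMPLE_DUMP = """\
198.51.100.23:3389;Administrator;Welcome1
203.0.113.77:3389;backup;backup2019
198.51.100.200:33890;svc_sql;P@ssw0rd
192.0.2.5:3389;admin;admin
this line is not in the expected format
"""

# Constructed: the public ranges the organisation owns (documentation prefixes).
OUR_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.64/27")]

def parse_dump(text: str):
    """Yield (ip, port, user, password) from well-formed lines; skip anything malformed."""
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) != 3 or ":" not in fields[0]:
            continue
        host, _, port = fields[0].rpartition(":")
        try:
            yield ipaddress.ip_address(host), int(port), fields[1], fields[2]
        except ValueError:
            continue  # not an IP address or not a port number

def exposed_hosts(dump_text: str, our_ranges) -> list:
    """Return one record per dump entry that falls inside our ranges. The password is
    reported only as a truncated SHA-256 so the result can be pasted into a ticket
    without spreading the plaintext any further."""
    hits = []
    for ip, port, user, password in parse_dump(dump_text):
        if any(ip in net for net in our_ranges):
            hits.append({
                "host": f"{ip}:{port}",
                "user": user,
                "password_sha256_prefix": hashlib.sha256(password.encode()).hexdigest()[:12],
                "nonstandard_port": port != 3389,  # moved off 3389 but still sold
            })
    return hits

if __name__ == "__main__":
    for hit in exposed_hosts(SAMPLE_DUMP, OUR_RANGES):
        print(hit)
```

    Every hit is a host whose credentials were at some point for sale, whether or not the password still works, so the follow-up is a password reset plus a review of that host for persistence, not just a check of whether the login still succeeds. The third sample entry shows why matching on the IP rather than on port 3389 matters: moving RDP to a non-default port did not keep it out of the dump.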
  21. Tomi Engdahl says:

    China behind another hack as U.S. cybersecurity issues mount
    Cybersecurity company Mandiant said Pulse Secure, a program that businesses often use to let workers remotely connect to their offices, had been compromised.
    https://www.nbcnews.com/tech/security/china-another-hack-us-cybersecurity-issues-mount-rcna744

    Reply
  22. Tomi Engdahl says:

    New bank scam passes as the real thing: can you tell this page from the genuine one? https://www.is.fi/digitoday/tietoturva/art-2000007935417.html

    Reply
  23. Tomi Engdahl says:

    Argentina Loses Country’s Google Domain After Random Citizen Buys it for $5
    https://www.newsweek.com/argentina-loses-countrys-google-domain-after-random-citizen-buys-it-5-1585842

    This serves as a reminder to always put your Google domain on auto-renew.

    On Wednesday night, an Argentinian purchased ownership of the country’s Google domain for a mere 540 Argentine pesos which, according to today’s exchange rate, equates to $5.81 USD.

    The domain apparently became available after its previous ownership expired the same day. This caused a temporary closedown of the search engine google.com.ar.

    Yesterday at 10:45 p.m., Nicolas Kuroña, the alleged culprit, tweeted, “I want to clarify that I entered http://nic.ar I saw the name of http://google.com.ar available and I legally bought it accordingly!”

    Such activity is termed “Cybersquatting,” as reported by MercoPress, which refers to the act of holding, registering, buying or selling a domain in order to profit off of the rightful owner’s name recognition. The expiration dates of domains are publicly available and can easily be obtained through registration sites like nic.ar.

    It is possible that Google Argentina simply forgot to renew the domain google.com.ar and, during the short lapse, Kuroña saw the chance and took it.

    “It is all legal!!,” Kuroña tweeted.

    Minutes after this activity, MercoPress confirmed that Google Argentina successfully recovered its domain and soon restored service to users across the country.

    “Whether it was a glitch or truly expired seems to be up for debate here.”

    Either way Google users in Argentina complained about the website being down for almost three hours and assumed a crash in the server, according to MercoPress. But Kuroña’s tweet helped to clear things up later on.

    Reply
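    The lesson in the article above is operational: expiry dates are public, so a lapse is found by others quickly. An added example for this page (not from the article or from any registrar) of the check that should have fired beforehand: read the expiry out of WHOIS text for each monitored domain and flag anything inside a warning window, treating an unreadable expiry as a finding rather than silently skipping it. Fetching the WHOIS text is out of scope here; the sample responses and the field name “Registry Expiry Date” are constructed to match the common gTLD WHOIS layout, and ccTLD registries such as nic.ar use their own formats.

```python
import re
from datetime import datetime

# Constructed sample WHOIS responses for three hypothetical domains.
SAMPLE_WHOIS = {
    "example.com": "Domain Name: EXAMPLE.COM\nRegistry Expiry Date: 2021-05-02T04:00:00Z\n",
    "example.net": "Domain Name: EXAMPLE.NET\nRegistry Expiry Date: 2022-01-15T00:00:00Z\n",
    "example.org": "Domain Name: EXAMPLE.ORG\nStatus: ok\n",  # registry gave no expiry field
}

# Field names seen in gTLD WHOIS output; ccTLD registries differ and need their own pattern.
EXPIRY_RE = re.compile(
    r"^(?:Registry Expiry Date|Registrar Registration Expiration Date|Expiry Date|Expiration Date):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE)

def _parse_iso(ts: str) -> datetime:
    # WHOIS uses a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_expiry(whois_text: str):
    """Return the expiry as an aware datetime, or None if no recognised field is present."""
    m = EXPIRY_RE.search(whois_text)
    return _parse_iso(m.group(1)) if m else None

def expiring_domains(whois_by_domain: dict, now_iso: str, warn_days: int = 30) -> dict:
    """Map each domain needing attention to its days left; None means the expiry could
    not be read, which is reported rather than skipped so a parser gap cannot hide a lapse."""
    now = _parse_iso(now_iso)
    findings = {}
    for domain, text in whois_by_domain.items():
        expiry = parse_expiry(text)
        if expiry is None:
            findings[domain] = None
            continue
        days_left = (expiry - now).days
        if days_left <= warn_days:
            findings[domain] = days_left
    return findings

if __name__ == "__main__":
    for domain, days in expiring_domains(SAMPLE_WHOIS, "2021-04-21T00:00:00Z").items():
        print(domain, "expiry unreadable" if days is None else f"{days} days left")
```

    Run from a scheduler with the current time, this turns the public expiry date into an early warning instead of a surprise; auto-renew at the registrar remains the primary control, and this is the independent check that auto-renew actually happened.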
  24. Tomi Engdahl says:

    CISA Identifies SUPERNOVA Malware During Incident Response https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials.

    Reply
  25. Tomi Engdahl says:

    SolarWinds hack analysis reveals 56% boost in command server footprint https://www.zdnet.com/article/solarwinds-hack-analysis-reveals-56-boost-in-command-server-footprint/
    A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed.

    Researchers Find Additional Infrastructure Used By SolarWinds Hackers https://thehackernews.com/2021/04/researchers-find-additional.html
    The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure. So much so that Microsoft went on to call the threat actor behind the campaign “skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection.”
    Also: https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/

    Reply
  26. Tomi Engdahl says:

    Remote access trojan exploits Telegram communications to steal data from victims and update itself to perform additional malicious activities https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/
    In this blog, we’ll explore why criminals are increasingly using Telegram for malware control, using the example of a new malware variant called ‘ToxicEye’ that we have recently observed in the wild.
    Also: https://threatpost.com/telegram-toxiceye-malware/165543/

    Reply
  27. Tomi Engdahl says:

    Ransomware gang wants to short the stock price of their victims https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/
    The operators of the Darkside ransomware are expanding their extortion tactics with a new technique aimed at companies that are listed on NASDAQ or other stock markets.

    Reply
  28. Tomi Engdahl says:

    Nightmare week for security vendors: Now a Trend Micro bug is being exploited in the wild https://therecord.media/nightmare-week-for-security-vendors-now-a-trend-micro-bug-is-being-exploited-in-the-wild/
    US-Japanese cybersecurity firm Trend Micro disclosed on Wednesday that a threat actor began using a bug in its antivirus products to gain admin rights on Windows systems as part of its attacks.

    Reply
  29. Tomi Engdahl says:

    Bugs Allowed Hackers to Dox John Deere Tractor Owners
    A security researcher found two bugs that allowed him to find customers who had purchased John Deere tractors or equipment.
    https://www.vice.com/en/article/4avy8j/bugs-allowed-hackers-to-dox-all-john-deere-owners

    A pair of bugs in John Deere’s apps and website could have allowed hackers to find and download the personal data of all owners of the company’s farming vehicles and equipment, according to a security researcher who found the vulnerabilities.

    There is no evidence that hackers exploited these flaws. The researcher, who goes by Sick Codes, reported them to John Deere on April 12 and 13 and the company fixed one of the bugs just three days later. The company fixed the second bug on Wednesday, according to the researcher.

    John Deere security flaw exposed address of every customer & more!
    https://www.youtube.com/watch?v=hqablgjQ02g

    Comments:
    John Deere: independent repairshop might be harmful for your privacy & security
    Also John Deere: oopsie

    It would be such a shame if Louis had collected the data of all of those farmers and contacted them for Rights to Repair
    I assume you meant epic.
    It would be hilarious, and unfortunately while John Deere is not going to get in trouble for this, Louis would if he tried.

    Reply
  30. Tomi Engdahl says:

    Coding experts tell Salon Mike Lindell’s botched social site was doomed to fail
    https://www.salon.com/2021/04/23/coding-experts-tell-salon-mike-lindells-botched-social-site-was-doomed-to-fail/

    One “grandmaster” in the content software Drupal describes Lindell’s social platform as “not even student work”

    MyPillow CEO Mike Lindell’s social media site FRANK is facing ridicule from the community of “grandmasters” around the content management software Drupal, who say Lindell’s site was destined to fail from the start because his developers failed to take “elementary” coding steps to limit attacks from outside forces. Since its supposed “VIP launch” last Thursday night, Lindell’s platform has experienced numerous crashes, and at this writing on Thursday evening the site remains down. 

    Drupal’s site explains that its software is “used to make many of the websites and applications you use every day. Drupal has great standard features, like easy content authoring, reliable performance, and excellent security.” Drupal is open source, meaning that anyone can download it or modify it as they please — but it helps if they know what they’re doing. 

    Reply
  31. Tomi Engdahl says:

    WEF Warns of Cyber Attack Leading to Systemic Collapse of the Global Financial System
    https://www.thelastamericanvagabond.com/wef-warns-cyber-attack-leading-to-systemic-collapse-global-financial-system/

    A report published last year by the WEF-Carnegie Cyber Policy Initiative calls for the merging of Wall Street banks, their regulators and intelligence agencies as necessary to confront an allegedly imminent cyber attack that will collapse the existing financial system.

    In November 2020, the World Economic Forum (WEF) and Carnegie Endowment for International Peace co-produced a report that warned that the global financial system was increasingly vulnerable to cyber attacks. Advisors to the group that produced the report included representatives from the Federal Reserve, the Bank of England, the International Monetary Fund, Wall Street giants like JP Morgan Chase and Silicon Valley behemoths like Amazon.

    The ominous report was published just months after the World Economic Forum had conducted a simulation of that very event – a cyber attack that brings the global financial system to its knees – in partnership with Russia’s largest bank, which is due to jumpstart that country’s economic “digital transformation” with the launch of its own central bank-backed digital currency.

    More recently, last Tuesday, the largest information sharing organization of the financial industry, whose known members include Bank of America, Wells Fargo and CitiGroup, has again warned that nation-state hackers and cybercriminals were poised to work together to attack the global financial system in the short term. The CEO of this organization, known as the Financial Services Information Sharing and Analysis Center (FS-ISAC), had previously advised the WEF-Carnegie report that had warned much the same.

    Such coordinated simulations and warnings from those who dominate the current, ailing financial system are obvious cause for concern, particularly given that the World Economic Forum is well-known for its Event 201 simulation about a global coronavirus pandemic that took place just months prior to the COVID-19 crisis.

    The COVID-19 crisis has since been cited as the main justification for accelerating the “digital transformation” of the financial and other sectors that the Forum and its partners have promoted for years. Their latest prediction of a doomsday event, a cyber attack that stops the current financial system in its tracks and instigates its systemic collapse, would offer the final yet necessary step for the Forum’s desired outcome of this widespread shift to digital currency and increased global governance of the international economy.

    The WEF-Carnegie Cyber Policy Initiative
    The Carnegie Endowment for International Peace is one of the most influential foreign policy think tanks in the United States, with close and persistent ties to the US State Department, former Presidents, corporate America and American oligarch clans like the Pritzkers of Hyatt hotels. Current trustees of the endowment include executives from Bank of America and CitiGroup as well as other influential financial institutions.

    “Malicious actors are taking advantage of this digital transformation and pose a growing threat to the global financial system, financial stability, and confidence in the integrity of the financial system. Malign actors are using cyber capabilities to steal from, disrupt, or otherwise threaten financial institutions, investors and the public. These actors include not only increasingly daring criminals, but also states and state-sponsored attackers.”

    Following this warning of “malign actors”, the report notes that “increasingly concerned, key voices are sounding the alarm.” It notes that Christine Lagarde of the European Central Bank and formerly of the IMF warned in February 2020 that “a cyber attack could trigger a serious financial crisis.” A year prior, at the WEF’s annual meeting, the head of Japan’s central bank predicted that “cybersecurity could become the financial system’s most serious risk in the near future.” It also notes that in 2019, Jamie Dimon of JP Morgan Chase similarly labeled cyber attacks as possibly “the biggest threat to the US financial system.”

    A separate June 2020 report from the WEF-Carnegie initiative was published specifically on deepfakes and the financial system, noting that such attacks would likely transpire during a larger financial crisis to “amplify” damaging narratives or “simulate grassroots consumer backlash against a targeted brand.” It adds that “companies, financial institutions and government regulators facing public relations crises are especially vulnerable to deepfakes and synthetic media.”

    Deepfakes and Synthetic Media in the Financial System: Assessing Threat Scenarios
    https://carnegieendowment.org/2020/07/08/deepfakes-and-synthetic-media-in-financial-system-assessing-threat-scenarios-pub-82237

    Bad actors could use deepfakes—synthetic video or audio—to commit a range of financial crimes. Here are ten feasible scenarios and what the financial sector should do to protect itself.

    Reply
  32. Tomi Engdahl says:

    In epic hack, Signal developer turns the tables on forensics firm Cellebrite
    Widely used forensic software can be exploited to infect investigators’ computers.
    https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/

    Reply
  33. Tomi Engdahl says:

    The FBI removed hacker backdoors from vulnerable Microsoft Exchange servers. Not everyone likes the idea
    A court order allowed the FBI to enter networks of businesses to remove web shells used by cyber attackers exploiting Exchange vulnerabilities. But what does this mean for the future of cybersecurity?

    https://www.zdnet.com/article/the-fbi-removed-hacker-backdoors-from-vulnerable-microsoft-exchange-servers-not-everyone-likes-the-idea/

    Reply
  34. Tomi Engdahl says:

    Dutch MPs in video conference with deep fake imitation of Navalny’s Chief of Staff
    https://nltimes.nl/2021/04/24/dutch-mps-video-conference-deep-fake-imitation-navalnys-chief-staff

    Dutch parliamentarians, like their British and Baltic colleagues, had a conversation via Zoom with a deep fake imitation of the chief of staff of the Russian opposition leader Alexei Navalny on Wednesday.

    National newspaper de Volkskrant reports that this was confirmed by the registry of the House of Representatives on Friday evening.

    It concerns the parliamentary standing committee on foreign affairs, which thought it was talking to Leonid Volkov, Navalny’s chief of staff, who has been operating from Vilnius since last year due to increased repression in Russia. But it was a moving image created by artificial intelligence.

    European incidents
    Rihards Kols, chair of the Latvian Parliament’s Foreign Affairs Committee, had also had a short video conversation with Volkov in March. Topics discussed included the annexation of Crimea and Russian political prisoners. Volkov thanked Latvia for, among other things, its support and its strong position with regard to European sanctions.

    It was only weeks later that the politician realized that he had been the victim of deception. This realization came when he heard from Ukrainian colleagues about a video meeting with a fake Volkov. Politicians from Estonia, Lithuania, and the United Kingdom have also been approached in this way.

    Tech expert Duursma explained: “We are in a world of video conferencing. Politics too. You can no longer assume that the person in a meeting is also the person he pretends to be.

    Reply
  35. Tomi Engdahl says:

    Everything you need to know about the Microsoft Exchange Server hack
    Updated: Vulnerabilities are being exploited by Hafnium. Other cyberattackers are following suit.
    https://www.zdnet.com/article/everything-you-need-to-know-about-microsoft-exchange-server-hack/

    Reply
  36. Tomi Engdahl says:

    SMASH
    https://www.vusec.net/projects/smash/

    SMASH is a new JavaScript-based attack that gives the attacker an arbitrary read and write primitive in the browser. It does not rely on software vulnerabilities or bugs, but instead takes advantage of the much harder to mitigate Rowhammer bug in hardware to initiate the exploit chain.

    However, exploiting the Rowhammer bug to trigger bit flips is not an easy task. Modern memory modules come equipped with a dedicated in-memory defense against Rowhammer, called Target Row Refresh (TRR). Although previous work has shown that TRR is vulnerable to more advanced access patterns than ordinary double-sided Rowhammer, constructing such patterns from inside high-level JavaScript is difficult.

    Reply
  37. Tomi Engdahl says:

    The database was leaked on a prominent hacker forum and comprises 263 GB worth of personal records

    Hacker dumps sensitive household records of 250M Americans
    https://www.hackread.com/hacker-dumps-household-records-of-americans/

    Based on the ongoing diplomatic row between Russia and the United States over the SolarWinds hack, the leaked records are a treasure trove for malicious parties seeking data on American citizens.

    Not for the first time
    This, however, is not the first time that a trove of sensitive household data of US citizens and residents has been leaked online. In June 2017, a marketing firm employed by the Republican National Committee accidentally exposed data belonging to 200 million US citizens.

    In December 2017, a California-based data analytics firm exposed household data in which personal and sensitive details of 123 million Americans were leaked due to a misconfigured AWS bucket.

    Reply
  38. Tomi Engdahl says:

    Joe Biden to issue an Order requiring software vendors to report any data breaches: US Federal Privacy Law. #cybersecurity #privacy #databreach #biden

    Between a rock and a hard place: U.S. federal privacy law
    https://www.scmagazine.com/perspectives/between-a-rock-and-a-hard-place-u-s-federal-privacy-law/

    Three years ago, the European Union (EU) overhauled its 1995 data protection directive with the enforcement of the General Data Protection Regulation (GDPR). Perhaps somewhat unintentionally, GDPR created a novel privacy philosophy and culture.

    The EU’s high privacy standard possibly inspired the California Privacy Right Act (CPRA) and many other national laws around the globe, including recent updates of the Personal Data Protection Act (PDPA) in Singapore and the upcoming modernization of privacy laws in Canada and Switzerland. Gradually more countries perceive GDPR as a north star for individual privacy rights, data protection and breach notification rules. The U.S. does not currently have a comprehensive privacy and data protection law at the federal level, however, it’s once again a hot topic in the Congress today.

    Following the ongoing SolarWinds investigation, President Biden’s administration is about to release a new Executive Order (EO) to impose mandatory breach notification duty upon software vendors – but only to their clients from the U.S. federal government, leaving a huge gap for everybody else.

    A consistent privacy law significantly reduces costs of compliance, enhances data portability, favors cross-border business expansion, and offers a predictable privacy protection framework to individuals. Strong privacy also indirectly enhances data security: The less data an organization processes because of imposed privacy restrictions, the less data can get compromised later in a data breach. Furthermore, a robust data inventory program allows for more efficient analysis and higher ROI from corporate data, minimizes storage of excessive data, and reduces operational costs.

    However, the body of privacy law remains a continuously evolving matter. For example, composed of 99 articles with 173 recitals, GDPR has been continuously shaped by European Data Protection Board (EDPB) guidelines and judicial decisions.

    Mandatory data breach notification to victimized individuals was one of the key novelties introduced by GDPR in 2018. It’s now progressively followed by other jurisdictions, including Brazil, Mexico and Japan. As of today, all 50 U.S. states have similar, but diverging data breach notification laws, often complemented by a sector-specific privacy legislation that covers the health, genetic or biometric data of state residents.

    After passing CCPA, California became the first state to enact a comprehensive privacy law, which will be further enhanced and expanded in 2023 with California Privacy Rights Act (CPRA). California also pioneered in many contiguous legislative areas, such as IoT security. According to the International Association of Privacy Professionals (IAPP), most U.S. states are developing privacy laws inspired by CCPA/CPRA or GDPR. New York addressed PII protection and safeguarding concerns with the SHIELD Act enacted in March 2020. At the federal level, different laws, such as HIPAA, FCRA and GLBA, selectively cover privacy and data protection in specific industries. This convoluted patchwork of overlapping regulations makes compliance incredibly complex, expensive and keeps data protection officers (DPOs) awake at night.

    In a nutshell, the future federal privacy law should carefully balance individual privacy rights and economic interests of American enterprises, while considering the international landscape of emerging privacy regulations indoctrinated by GDPR. To minimize further conflicts with the EU legislation and its foreign siblings, the federal law should be consonant with the doctrinal privacy values of GDPR. To reduce the economic burden of divergent multistate compliance within the country, the federal law should also create a monolith national legislation, precluding states from passing supplementary regulations, otherwise, one day too much compliance will probably just kill compliance.

    Reply
  39. Tomi Engdahl says:

    Hackers threaten to release DC police data in apparent ransomware attack
    It’s the latest police department to be targeted
    https://www.theverge.com/2021/4/27/22405339/washington-dc-police-hack-data-department-ransomeware-babuk

    Washington, DC’s police department has confirmed its servers have been breached after hackers began leaking its data online, The New York Times reports. In a statement, the department confirmed it was aware of “unauthorized access on our server” and said it was working with the FBI to investigate the incident. The hacked data appears to include details on arrests and persons of interest.

    The attack is believed to be the work of Babuk, a group known for its ransomware attacks. BleepingComputer reports that the gang has already released screenshots of the 250GB of data it’s allegedly stolen. One of the files is claimed to relate to arrests made following the January Capitol riots. The group warns it will start leaking information about police informants to criminal gangs if the police department doesn’t contact it within three days.

    DC POLICE CONFIRMED “UNAUTHORIZED ACCESS ON OUR SERVER”
    Washington’s police force, which is called the Metropolitan Police Department, is the third police department to be targeted in the last two months, according to the NYT, following attacks by separate groups against departments in Presque Isle, Maine and Azusa, California. The old software and systems used by many police forces are believed to make them more vulnerable to such attacks.

    The targeting of police departments is believed to be part of a wider trend of attacks targeting government bodies. Twenty-six agencies are believed to have been hit by ransomware in this year alone, with 16 of them seeing their data released online, according to Emsisoft ransomware analyst Brett Callow, Sky News notes.

    Reply
  40. Tomi Engdahl says:

    Lawyer Asks For New Trial After Cellebrite Vulnerability Discovery
    The moves comes after the founder of Signal discussed the security issues in their own blog post.
    https://www.vice.com/en/article/5dbpyq/lawyer-new-trial-cellebrite-signal-vulnerability

    A defense attorney has asked a judge to grant their client a new trial after Moxie Marlinspike, the founder of popular encrypted messaging app Signal, found security issues with mobile phone forensics hardware made by Cellebrite. The case heavily used evidence collected by a Cellebrite device, according to the motion for a new trial obtained by Motherboard.

    The news signifies continued fallout from Marlinspike’s disclosure, although it is unclear how successful of a legal strategy discussing the vulnerability will be.

    “The Cellebrite evidence was heavily relied upon by the State in its argument, and was crucial to its case,” the motion reads.

    “Since the trial, severe defects have been uncovered in the Cellebrite devices,” it adds, pointing to the findings from Signal.

    According to Marlinspike, who published his findings in a blog post, issues he uncovered in Cellebrite devices allow an attacker to include malicious files in their phone that would then exploit a connected Cellebrite device and alter what kind of data the device could access. Potentially, this could bring up discussions around whether data collected by a Cellebrite device is forensically sound and suitable for a prosecution or not.

    “In essence, internal security on Cellebrite devices is so poor that any device that is examined may in turn corrupt the Cellebrite devices and affect all past and future reports,” the motion reads.

    The motion concludes saying that a new trial should be ordered so the defense can examine the report generated by the Cellebrite device and examine the hardware itself.

    Signal CEO Hacks Cellebrite iPhone Hacking Device Used By Cops
    https://www.vice.com/en/article/k78q5y/signal-ceo-hacks-cellebrite-iphone-hacking-device-used-by-cops

    One of the biggest encrypted chat apps in the world just showed how a device used to decrypt messages can be hacked and tampered with.

    Reply
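    The Cellebrite items above (comments 32 and 40) describe a forensic tool whose parser can be subverted by a file the examined phone itself supplies, so that the report no longer reflects what is on the device. The following Python is an added illustration of that bug class, written for this page; it is not Cellebrite’s code, not the issue Marlinspike published, and the record format, record types, `MAX_PAYLOAD` bound and `report` helper are all constructed for the demo. It puts a parser that trusts a device-written length field beside one that checks every length against the bytes actually present and refuses to emit a plausible-looking but incomplete record list.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed record layout for this illustration (not any real forensic
# tool's format): 4-byte little-endian payload length, 1-byte record type,
# then the payload. Type 1 = contact, type 2 = message (assumed values).
HEADER = struct.Struct("<IB")
MAX_PAYLOAD = 1 << 20  # assumed sanity bound; a real tool knows its own limits
CONTACT, MESSAGE = 1, 2


@dataclass
class Record:
    kind: int
    payload: bytes


def encode(kind: int, payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build one record. `claimed_len` lets us forge a lying length field,
    which is exactly what a hostile device can write into its own storage."""
    length = len(payload) if claimed_len is None else claimed_len
    return HEADER.pack(length, kind) + payload


def parse_trusting(buf: bytes) -> List[Record]:
    """Parser that believes the length field written by the examined device.
    An overlong length makes the slice swallow whatever follows and then
    moves the cursor past the end, so later records silently vanish."""
    out, off = [], 0
    while len(buf) - off >= HEADER.size:
        length, kind = HEADER.unpack_from(buf, off)
        off += HEADER.size
        out.append(Record(kind, buf[off:off + length]))
        off += length
    return out


def parse_strict(buf: bytes) -> List[Record]:
    """Same format, but each length is checked against the bytes that are
    actually present. Any inconsistency raises instead of producing a
    shortened list that looks complete."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated header at offset %d" % off)
        length, kind = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if length > MAX_PAYLOAD or length > len(buf) - off:
            raise ValueError("record at offset %d claims %d bytes, only %d remain"
                             % (off - HEADER.size, length, len(buf) - off))
        out.append(Record(kind, buf[off:off + length]))
        off += length
    return out


def report(buf: bytes) -> dict:
    """What an examiner should get: either the records, or an explicit
    'rejected' status that can go into the evidence log. Never a quietly
    shortened record list."""
    try:
        recs = parse_strict(buf)
    except ValueError as exc:
        return {"status": "rejected", "reason": str(exc), "records": []}
    return {"status": "ok", "records": recs}


# Constructed sample extractions (not data from any real device).
HONEST = encode(CONTACT, b"Alice") + encode(MESSAGE, b"meet at 9")
# Same data, but the device owner planted a record whose header claims 40
# bytes while only 4 are present; the real message record sits inside the
# planted record's "payload" as far as the trusting parser is concerned.
HOSTILE = (encode(CONTACT, b"Alice")
           + encode(0x10, b"junk", claimed_len=40)
           + encode(MESSAGE, b"meet at 9"))

if __name__ == "__main__":
    print([r.kind for r in parse_trusting(HONEST)])   # [1, 2]
    print([r.kind for r in parse_trusting(HOSTILE)])  # [1, 16], the message is gone
    print(report(HOSTILE)["status"])                  # rejected
```

The trusting parser returns two records for the hostile buffer and none of them is the message, which is the "alter what kind of data the device could access" effect from the motion in a small form: the examined device, not the examiner, decided what the report contains. The strict parser fails closed, and the rejection reason is something a defence expert can ask for; in a real tool the parser would additionally run sandboxed, since the same untrusted length field in native code is a memory-safety bug rather than a missing record.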
  41. Tomi Engdahl says:

    Dan Kaminsky (1979 – 23 April 2021) RIP Brother
    His obituary shall be a wiki
    His family simply says he died from complications from diabetes.

    https://en.wikipedia.org/wiki/Dan_Kaminsky

    Reply
  42. Tomi Engdahl says:

    Today, Emotet malware destroyed itself!

    Emotet Malware Destroys Itself From All Infected Computers
    https://thehackernews.com/2021/04/emotet-malware-destroys-itself-today.html

    Emotet, the notorious email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks, was automatically wiped from infected computers en masse following a European law enforcement operation.

    The development comes three months after a coordinated disruption of Emotet as part of “Operation Ladybird” to seize control of servers used to run and maintain the malware network. The orchestrated effort saw at least 700 servers associated with the botnet’s infrastructure neutered from the inside, thus preventing further exploitation.

    Law enforcement authorities from the Netherlands, Germany, the U.S., U.K., France, Lithuania, Canada, and Ukraine were involved in the international action.

    Reply
  43. Tomi Engdahl says:

    DigitalOcean says customer billing data accessed in data breach
    https://techcrunch.com/2021/04/28/digitalocean-customer-billing-data-breach/

    The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

    The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,”

    Reply
  44. Tomi Engdahl says:

    Ransomware crooks threaten to ID informants if cops don’t pay up
    The FBI is investigating claim hackers obtained 250GB of police department data.
    https://arstechnica.com/information-technology/2021/04/ransomware-attack-on-dc-police-threatens-safety-of-cops-and-informants/

    Reply
  45. Tomi Engdahl says:

    New stealthy Linux malware used to backdoor systems for years
    https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/

    A recently discovered Linux malware with backdoor capabilities has flown under the radar for years, allowing attackers to harvest and exfiltrate sensitive information from compromised devices.

    The backdoor, dubbed RotaJakiro by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), remains undetected by VirusTotal’s anti-malware engines, although a sample was first uploaded in 2018.

    RotaJakiro is designed to operate as stealthily as possible, encrypting its communication channels using ZLIB compression and AES, XOR, ROTATE encryption.

    “At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2,” 360 Netlab said.

    Linux backdoor used to exfil stolen data
    Attackers can use RotaJakiro to exfiltrate system info and sensitive data, manage plugins and files, and execute various plugins on compromised 64-bit Linux devices.

    Since 2018 when the first RotaJakiro sample landed on VirusTotal, 360 Netlab found four different samples uploaded between May 2018 and January 2021, all of them with an impressive total of zero detections.

    Command-and-control servers historically used by the malware have domains registered six years ago, in December 2015, all of them

    Reply
