Teen in Canada Arrested Over $36.5 Million Crypto Theft

Bloomberg reports on a theft involving a Canadian teen stealing US$36.5 million in cryptocurrency from a victim in the U.S.

Police said the victim was targeted through a cell phone scam known as SIM swapping, in which a scammer hijacks a wireless customer’s phone number to intercept two-factor authentication requests and gain access to the victim’s accounts.

The arrest was the result of a joint investigation with the Federal Bureau of Investigation and the U.S. Secret Service Electronic Crimes Task Force, the Hamilton Police Service said in a statement. The investigation was launched last year in March.

If you haven’t already done so, it’s a good idea to lock your SIM card with a PIN.

US Issues Joint Advisory Warning Companies of Iranian Ransomware

In a joint advisory issued on Wednesday, the U.S. is warning that Iranian state-backed hackers are targeting infrastructure companies with ransomware.

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors.

GitHub Fixes NPM Bugs That Leaked Private Package Names

GitHub has fixed several flaws with npm packages that leaked private names and let attackers publish new versions of a package they didn’t have rights to.

GitHub identified the data leak on October 26th, and by the 29th all records containing private package names had been deleted from npm’s replication database. However, GitHub warns that the replicate.npmjs.com service is consumed by third parties who may still retain a copy or “may have replicated the data elsewhere.”

New 'BotenaGo' Targets Routers and Smart Home Devices in Devastating Attack

AT&T Alien Labs discovered malware it dubs BotenaGo. It affects millions of routers and Internet of Things devices found in smart homes. The “devastating” part comes from the fact that it uses over 30 separate exploits against insecure devices.

The BotenaGo malware starts by initializing global infection counters that will be printed to the screen, informing the hacker about total successful infections. It then looks for the ‘dlrs’ folder in which to load shell script files. A loaded script will be concatenated as ‘echo -ne %s >> ‘. If the ‘dlrs’ folder is missing, the malware will stop and exit at this point. For the last and most important preparation, the malware calls the function ‘scannerInitExploits’, which initiates the malware attack surface by mapping all offensive functions with the relevant string that represents the targeted system.

Researchers Uncover Serious Flaws Within DRAM Chips

ETH Zurich reports that researchers from the Vrije Universiteit Amsterdam and Qualcomm Technologies found flaws within DRAM chips. The article I’m linking to is more of an announcement; ETH Zurich tells me the full results will be presented at IEEE in 2022.

It means that by repeatedly activating – or “hammering” – a memory row (the “aggressor”), an attacker can induce bit errors in a neighbouring row, also called the “victim” row. That bit error can then, in principle, be exploited to gain access to restricted areas inside the computer system – without relying on any software vulnerability.

FBI Says Data Was Not Compromised After Hackers Took Over Email Server

Hackers took over an FBI server over the weekend, sending thousands of fake cyberattack warnings. The agency says no personal information or data was affected.

The agency said it has fixed the software vulnerability that allowed the attack.

The fake emails originated from an FBI-operated server, which was dedicated to pushing notifications to the Law Enforcement Enterprise Portal (LEEP), which the FBI uses to communicate with state and local agencies. The compromised server was not part of the FBI’s corporate email service, the FBI added.

Newly Discovered 'OSX.CDDS' Implant Targets Visitors to Hong Kong Websites

Google’s Threat Analysis Group discovered a new macOS implant that security researcher Patrick Wardle dubbed OSX.CDDS. It targets “visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.”

Notable features for this backdoor include: victim device fingerprinting, screen capture, file download/upload, executing terminal commands, audio recording, keylogging.

How Thieves are Stealing Apple ID Credentials for Stolen iPhones

A report from India Today shares the story of how thieves tricked an Apple user into giving up his credentials in order to unlock the iPhone they had stolen.

Vedant narrated his ordeal on Twitter and urged users to be aware of the types of attacks that can be used to extract sensitive information from users. He revealed that the first thing he did after losing his phone was log in to the Find My app with his Apple ID using his MacBook and try to get the phone’s exact location through the Find My app.

Classic phishing attack.

A Drone Tried to Attack a Pennsylvania Power Station in 2020

Wired published a fascinating story of an unknown person who used a drone to attempt to short-circuit a power substation last year.

The operator of the Pennsylvania drone appears to have attempted a less brute-force approach. But efforts to hide the operator’s identity may have contributed to their failure to connect with the intended target. By removing the camera, the joint bulletin says, they had to rely on line-of-sight navigation, rather than being able to take a drone’s eye view.

Phlebotomy Training Specialists Exposes Student Data in Breach

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach from Phlebotomy Training Specialists.

Unfortunately, the company was storing the complete records of 10,000s of students nationwide on a single, open cloud account. In this case, Phlebotomy Training Specialists was using an Amazon Web Services (AWS) S3 bucket to store data it collected from students, staff members, and people applying to its courses. S3 buckets are an increasingly popular enterprise cloud storage solution. However, users must set up their security protocols manually to protect the data stored therein.
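As an added illustration of the manual hardening the paragraph refers to (example code written for this digest, not from vpnMentor or the company): a check that flags bucket policy statements granting access to the anonymous principal, and reports whether the bucket’s Public Access Block setting neutralises them. The bucket name, account ID and role name are constructed placeholders.

```python
import json

# Constructed sample (not the company's real configuration): a bucket policy
# that lets anyone on the internet read every object in the bucket.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-student-records/*",
    }],
})

# Constructed sample: the same bucket limited to one application role.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-student-records/*",
    }],
})

def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) into a list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out

def public_statements(policy_json):
    """Sids of Allow statements open to the anonymous principal (Conditions ignored, so treat as 'review')."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be given as an object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and "*" in _principals(s.get("Principal", {}))]

def bucket_is_exposed(policy_json, public_access_block):
    """True when a public statement exists and the PublicAccessBlockConfiguration
    (as returned by S3's get_public_access_block) does not set RestrictPublicBuckets."""
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return bool(public_statements(policy_json)) and not restricted
```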

Beware of Fake Job Ads That Can Steal Your Identity

Fake job ads are on the rise, a report said on Tuesday. Scammers use people’s Social Security Numbers to sign up for unemployment benefits.

That means scammers may need help from their victims — and sometimes they go to elaborate lengths to mislead them. Some fraudsters recreate companies’ hiring websites. One fake job application site uses Spirit Airlines’ photos, text, font and color code. The phony site asks applicants to upload a copy of both sides of their driver’s license at the outset of the process and sends them an email seeking more information from a web address that resembles Spirit’s, with an extra “i” (spiiritairline.com).

'Shrootless' macOS Bug Could Bypass System Integrity Protection

Microsoft reported a macOS vulnerability it calls Shrootless. It could let an attacker bypass SIP and perform arbitrary operations on the device. It has been patched by Apple with the most recent Mac updates this week.

We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.

Kandji Announces 'Passport' for Secure Mac Authentication

Kandji has announced the release of Passport, an authentication product that creates a seamless, one-password sign-in experience for users.

Kandji Passport validates the credentials a user provides during Mac login against an organization’s cloud-based identity provider (IdP), so users need to remember just one password for both their Mac computers and the organization’s single sign-on (SSO) provider. Passport provides a native Mac login experience while streamlining device configuration, management, and security tasks for IT admins.

(Update) Medical AI Company 'Deep6' Leaks 68 GB Trove of Patient Records

Security researcher Jeremiah Fowler, together with the WebsitePlanet research team, found an unprotected database belonging to Deep6. The records appear to contain data on individuals based in the United States.

Update: Deep6 reached out and said the news is misleading, saying “In August, a security researcher accessed a test environment that contained dummy data from MIT’s Medical Information Mart of Intensive Care (MIMIC) system, an industry standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems.”

Meanwhile, according to WebsitePlanet, Mr. Fowler said, “I sent 3 follow up emails on Aug 11, Aug 12, Aug 23. No one has ever replied since the first message on Aug 10th. I validated that the doctor’s names were real individuals by searching obscure names (see screenshot). This is highly unusual in my experience to use real individuals’ data in a ‘dummy environment’ under any circumstances. Because no one replied, we added our disclaimer that we are highlighting that no patient data appeared in plain text, the records were “medical related”, and we never implied any wrongdoing or risk.”

Dental Data Breach Affects 125,000 Patients in 10 States

North American Dental Management suffered a data breach between March 31 and April 1, 2021. It happened as the result of phishing. This group provides administrative and technical support services for Professional Dental Alliance (PDA) offices.

PDA said that it had not found any evidence of any actual misuse of personal information and that its investigation of the matter indicates that the attack was limited to email credential harvesting.

The threat actor did not access PDA’s patient electronic dental record or dental images; however, the Alliance found that some sensitive personal information may have been present in the compromised email accounts.

The breach was reported to the DHS’s Office for Civil Rights, impacting 125,760 patients in Connecticut, Florida, Georgia, Illinois, Indiana, Massachusetts, Michigan, New York, Texas and Tennessee.

Polygon Blockchain Fixes Double Spend Bug Reported From Bug Bounty

Security researcher Gerhard Wagner found a double-spend bug in Polygon’s Plasma bridge. The company awarded Mr. Wagner a record US$2 million for reporting this critical vulnerability.

In total, it is possible to create 14×16 = 224 different encodings for the same raw path. A malicious user can leverage the issue to create alternative exits for the same burn transaction and perform double spends on the Polygon network.