<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/150/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Cybercrime Group Asking Insiders for Help in Planting Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/cybercrime-group-asking-insiders-for-help-in-planting-ransomware-r1916/</link><description><![CDATA[<p>
	A Nigerian threat actor has been observed attempting to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on their companies' networks as part of an insider threat scheme.
</p>

<p>
	 
</p>

<p>
	"The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom," Abnormal Security said in a report published Thursday. "The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested—an Outlook email account and a Telegram username."
</p>

<p>
	 
</p>

<p>
	Black Kingdom, also known as DemonWare and DEMON, attracted attention earlier this March when threat actors were found exploiting ProxyLogon flaws impacting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain.
</p>

<p>
	 
</p>

<p>
	Abnormal Security, which detected and blocked the phishing emails on August 12, responded to the solicitation attempt by creating a fictitious persona and reaching out to the actor on Telegram messenger, only to have the individual inadvertently spill the attack's modus operandi, which included two links to an executable ransomware payload that the "employee" could download from WeTransfer or Mega.nz.
</p>

<p>
	 
</p>

<p>
	"The actor also instructed us to dispose of the .EXE file and delete it from the recycle bin. Based on the actor's responses, it seems clear that he 1) expects an employee to have physical access to a server, and 2) he's not very familiar with digital forensics or incident response investigations," said Crane Hassold, director of threat intelligence at Abnormal Security.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEjLKkdUwtJjOff2sahD5t4VDtmUGfi99SMM" class="ipsImage" data-ratio="64.72" height="461" width="720" src="https://blogger.googleusercontent.com/img/a/AVvXsEjLKkdUwtJjOff2sahD5t4VDtmUGfi99SMM4_FzFXNFbPFZpGTIVgx_zecy-tYrbBEkHO5rekiOMs-2OFkU-1L4K5pxNHa-sGjUFvG7_76Fv_N8Ev2LGN_jiU8GYRX6CN8CctTUEKXiVoeVprl7Jwr3OuCrjtLbtrDP4anKptGf0KX6moEDujgI_JZ-" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The actor was also flexible about the ransom demand, and the plan is believed to have been concocted by the chief executive of a Lagos-based social networking startup called Sociogram, with the goal of using the siphoned funds to "build my own company." In one of the conversations, which took place over the course of five days, the individual even took to calling himself "the next Mark Zuckerberg."
</p>

<p>
	 
</p>

<p>
	Also of particular note is the method of using LinkedIn to collect corporate email addresses of senior-level executives, once again highlighting how business email compromise (BEC) attacks originating from Nigeria continue to evolve and expose businesses to sophisticated attacks like ransomware.
</p>

<p>
	 
</p>

<p>
	"There's always been a blurry line between cyberattacks and social engineering, and this is an example of how the two are intertwined. As people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals," Tim Erlin, vice president of product management and strategy at Tripwire, said.
</p>

<p>
	 
</p>

<p>
	"The idea of a disgruntled insider as a cybersecurity threat isn't new. As long as organizations require employees, there will always be some insider risk. The promise of getting a share of the ransom might seem attractive, but there's almost zero guarantee that this kind of complicity will actually be rewarded, and it's highly likely that someone taking this attacker up on their offer would get caught," Erlin added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/cybercrime-group-asking-insiders-for.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1916</guid><pubDate>Fri, 20 Aug 2021 11:47:26 +0000</pubDate></item><item><title><![CDATA[AT&T breach? ShinyHunters selling AT&T database with 70 million SSN]]></title><link>https://nsaneforums.com/news/security-privacy-news/att-breach-shinyhunters-selling-att-database-with-70-million-ssn-r1913/</link><description><![CDATA[<p>
	<strong>The alleged AT&amp;T database is being sold for a starting price of $200,000.</strong>
</p>

<p>
	 
</p>

<p>
	ShinyHunters, the notorious hacker, is claiming to have access to an AT&amp;T database containing personal and sensitive records of more than 70 million customers.
</p>

<p>
	 
</p>

<p>
	For your information, AT&amp;T Inc. is the largest provider of mobile telephone services in the U.S. and also the world’s largest telecommunications company.
</p>

<p>
	 
</p>

<p>
	In a post published on the infamous hacker forum and marketplace Raid Forums, ShinyHunters is offering the database for a starting price of $200,000.
</p>

<p>
	 
</p>

<p>
	Hackread.com has seen the sample records shared by ShinyHunters on the forum and a quick review of it reveals that these records include the following customers’ details:
</p>

<p>
	 
</p>

<ul>
	<li>
		Full names
	</li>
	<li>
		Addresses
	</li>
	<li>
		Zipcodes
	</li>
	<li>
		Date of birth
	</li>
	<li>
		Email addresses
	</li>
	<li>
		Social security numbers (SSN)
	</li>
</ul>

<p>
	 
</p>

<p>
	Although AT&amp;T is yet to comment on the breach, if the data is legitimate it will be a disaster for the company and its customers.
</p>

<p>
	 
</p>

<p>
	The database could be bought by government-backed hacking groups, spy agencies, ransomware gangs, or scammers, leaving customers sitting ducks exposed to online and physical threats; the possibilities are endless for threat actors.
</p>

<p>
	 
</p>

<p>
	It is worth noting that as of 2019, AT&amp;T had a subscriber base of approximately 77 million post-paid and 18 million prepaid customers in the United States.
</p>

<p>
	 
</p>

<p>
	The news came just days after a hacker was seen selling T-Mobile customers’ records on the same forum. That breach has since been confirmed by T-Mobile; however, so far we have failed to establish any connection between the T-Mobile breach and AT&amp;T’s alleged breach.
</p>

<p>
	Hackread.com has contacted AT&amp;T; expect an update. Stay tuned!
</p>

<p>
	 
</p>

<p>
	<strong>Update:</strong>
</p>

<p>
	In a statement to Hackread.com, AT&amp;T has denied being breached.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em><span style="font-size:18px;">“Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems,” AT&amp;T maintains.</span></em>
</p>

<p>
	 
</p>

<p>
	<strong>ShinyHunters – Previous data breaches</strong>
</p>

<p>
	ShinyHunters has been behind some of the biggest data breaches since 2020. Some of the group's targeted companies include the following:
</p>

<ul>
	<li>
		<strong>Mashable</strong> – 5.22GB worth of data
	</li>
	<li>
		<strong>123RF</strong> – 8.3M accounts leaked
	</li>
	<li>
		<strong>WedMeGood</strong> – 41.5 GB worth of data
	</li>
	<li>
		<strong>Big Basket</strong> – 20 million accounts leaked
	</li>
	<li>
		<strong>WattPad</strong> – 271 million accounts leaked
	</li>
	<li>
		<strong>Dunzo</strong> – 11GB worth of data leaked
	</li>
	<li>
		<strong>Dave.com</strong> – 7 million accounts leaked
	</li>
	<li>
		<strong>Bhinneka</strong> – 1 million+ accounts leaked
	</li>
	<li>
		<strong>Minted</strong> – 5 million accounts leaked
	</li>
	<li>
		<strong>ProctorU</strong> – 444,267 accounts leaked
	</li>
	<li>
		<strong>Tokopedia</strong> – 91 million accounts leaked
	</li>
	<li>
		<strong>Couchsurfing</strong> – 17 million accounts leaked
	</li>
	<li>
		<strong>Animal Jam</strong> – Tens of millions of users’ data, especially children’s
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong><a href="https://www.hackread.com/att-breach-shinyhunters-database-selling-70-million-ssn/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1913</guid><pubDate>Fri, 20 Aug 2021 11:21:18 +0000</pubDate></item><item><title>Hacker Receives Job Offer Following $610M Crypto Heist</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-receives-job-offer-following-610m-crypto-heist-r1912/</link><description><![CDATA[<p>
	<em><strong>According to the attacker of the PolyNetwork DeFi platform, the hack was a white hat operation to save the project</strong></em>
</p>

<p>
	 
</p>

<p>
	<strong>After the largest heist in the history of decentralized financial systems, PolyNetwork decided to use an original approach by offering the attacker a job and allowing him to keep a small portion of the loot, according to NDTV. </strong>
</p>

<p>
	 
</p>

<p>
	PolyNetwork, a platform that allows users to move tokens between multiple blockchains, was recently dispossessed of $610 million. The hacker stated that the assault was carried out to prevent the project from being shut down. Consequently, he committed to repaying the stolen funds and has already returned approximately half of the total amount due.
</p>

<p>
	 
</p>

<p>
	After the attack, PolyNetwork raved about the hacker, whom the company referred to as Mr. White Hat, a term that refers to ethical hackers who identify vulnerabilities in computer networks and inform companies or organizations how to fix them. The identity of the hacker or the hacking organization has not been revealed at this time.
</p>

<p>
	 
</p>

<p>
	<strong>The DeFi platform wishes to reclaim its clients' digital assets </strong>
</p>

<p>
	PolyNetwork said in a statement that “To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with PolyNetwork, we cordially invite Mr. White Hat to be the Chief Security Adviser of PolyNetwork,” emphasizing that they do not want the cybercriminal to be held legally liable as they trust he will return the stolen digital assets as soon as possible.
</p>

<p>
	 
</p>

<p>
	The company is still attempting to recover all customer funds. After returning half of the network's assets, the hacker moved the remaining funds (about $235 million) to a shared account safeguarded by two distinct keys. One of the keys was handed to PolyNetwork, while the hacker retained the other. To confirm that the money is still there, PolyNetwork demanded the threat actor hand over his key. Although the hacker has been offered a job and can keep $500,000 in cash, he is still required to comply.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://news.softpedia.com/news/hacker-has-job-offer-following-the-610m-crypto-heist-533817.shtml" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1912</guid><pubDate>Fri, 20 Aug 2021 11:12:38 +0000</pubDate></item><item><title>Wanted: Disgruntled Employees to Deploy Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/wanted-disgruntled-employees-to-deploy-ransomware-r1901/</link><description><![CDATA[<div>
	<p>
		Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56671">
		<img alt="madalin.png" class="ipsImage" data-ratio="39.97" height="263" width="658" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/madalin.png">
		<p id="caption-attachment-56671">
			Image: Abnormal Security.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Crane Hassold, director of threat intelligence at Abnormal Security, <a href="https://abnormalsecurity.com/blog/nigerian-ransomware-soliciting-employees-demonware/" rel="external nofollow" target="_blank">described</a> what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.
	</p>

	<p>
		 
	</p>

	<p>
		This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold’s correspondent was forced to change up his initial approach in planning to deploy the <a href="https://arstechnica.com/gadgets/2021/03/ransomware-operators-are-piling-on-already-hacked-exchange-servers/" rel="external nofollow" target="_blank">DemonWare ransomware strain</a>, which is freely available on GitHub.
	</p>

	<p>
		 
	</p>

	<p>
		“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.
	</p>

	<p>
		 
	</p>

	<p>
		Abnormal Security documented how it tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56674">
		<img alt="sociogram.png" class="ipsImage" data-ratio="60.06" height="379" width="631" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/sociogram.png">
		<p id="caption-attachment-56674">
			Image: Abnormal Security.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Reached via LinkedIn, Sociogram founder <a href="https://www.linkedin.com/in/oluwameda/" rel="external nofollow" target="_blank">Oluwaseun Medayedupin</a> asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.
	</p>

	<p>
		 
	</p>

	<p>
		“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”
	</p>

	<p>
		 
	</p>

	<p>
		This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware. While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called <a href="https://krebsonsecurity.com/tag/business-email-compromise/" rel="external nofollow" target="_blank">Business Email Compromise (BEC) or CEO Scams</a>, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.
	</p>

	<p>
		 
	</p>

	<p>
		According to <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf" rel="external nofollow" target="_blank">the latest figures</a> (PDF) released by the <a href="https://www.ic3.gov" rel="external nofollow" target="_blank">FBI Internet Crime Complaint Center</a> (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56673">
		<img alt="fbi2020crimesbyloss.png" class="ipsImage" data-ratio="66.86" height="466" width="697" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/fbi2020crimesbyloss.png">
		<p id="caption-attachment-56673">
			Image: FBI
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		“Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Hassold wrote. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”
	</p>

	<p>
		 
	</p>

	<p>
		“While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.
	</p>

	<h2>
		DON’T QUIT YOUR DAY JOB
	</h2>

	<p>
		Cybercriminals trolling for disgruntled employees is hardly a new development. Big companies have long been worried about the very real threat of disgruntled employees creating identities on darknet sites and then offering to trash their employer’s network for a fee (for more on that, see my 2016 story, <a href="https://krebsonsecurity.com/2016/06/rise-of-darknet-stokes-fear-of-the-insider/" rel="external nofollow" target="_blank">Rise of the Darknet Stokes Fear of the Insider</a>).
	</p>

	<p>
		 
	</p>

	<p>
		Indeed, perhaps this enterprising Nigerian scammer is just keeping up with current trends. Several <a href="https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/" rel="external nofollow" target="_blank">established ransomware affiliate gangs that have recently rebranded under new banners</a> seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks.
	</p>

	<p>
		 
	</p>

	<p>
		For example, the Lockbit 2.0 ransomware-as-a-service gang actually <a href="https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/" rel="external nofollow" target="_blank">includes a solicitation for insiders</a> in the desktop wallpaper left behind on systems encrypted with the malware.
	</p>

	<p>
		 
	</p>

	<p>
		“Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company,” LockBit’s unusual ad reads. “You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak.”
	</p>

	<p>
		 
	</p>

	<div id="attachment_56675">
		<img alt="lockbit20.png" class="ipsImage" data-ratio="62.22" height="427" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/lockbit20.png">
		<p id="caption-attachment-56675">
			Image: Sophos.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Likewise, the newly formed BlackMatter ransomware gang kicked off its presence on the cybercrime forums with the unassuming thread, “Buying/monetizing your access to corporate networks.” The rest of the post reads:
	</p>

	<blockquote>
		<p>
			We are looking for access to corporate networks in the following countries:
		</p>

		<p>
			<br>
			– the USA<br>
			– Canada<br>
			– Australia<br>
			– the UK
		</p>

		<p>
			 
		</p>

		<p>
			All lines of business except for:<br>
			– Healthcare<br>
			– Government entities.
		</p>

		<p>
			 
		</p>

		<p>
			Requirements:<br>
			– Revenue according to ZoomInfo: over 100 million.<br>
			– Number of hosts: 500 to 15,000.<br>
			– We do not accept networks that anybody else has already tried to work on.
		</p>

		<p>
			 
		</p>

		<p>
			Two options of cooperation:<br>
			– We buy networks: 3 to 100k.<br>
			– We monetize them (subject to negotiation on a case-by-case basis).
		</p>

		<p>
			 
		</p>

		<p>
			How we work:<br>
			You select an option of cooperation. -&gt; You provide access to the network. -&gt; We check it. -&gt; We take it or not (depending on whether it meets the requirements).
		</p>
	</blockquote>
</div>

<footer>
	<p>
		This entry was posted on Thursday 19th of August 2021 12:27 PM
	</p>
</footer>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/08/wanted-disgruntled-employees-to-deploy-ransomware/" rel="external nofollow">Wanted: Disgruntled Employees to Deploy Ransomware</a>
</p>
]]></description><guid isPermaLink="false">1901</guid><pubDate>Thu, 19 Aug 2021 23:08:13 +0000</pubDate></item><item><title>T-Mobile Official Data Breach Statement</title><link>https://nsaneforums.com/news/security-privacy-news/t-mobile-official-data-breach-statement-r1896/</link><description><![CDATA[<h3>
	Customers trust us with their private information and we safeguard it with the utmost concern. A recent cybersecurity incident put some of that data in harm’s way, and we apologize for that. We take this very seriously, and we strive for transparency in the status of our investigation and what we’re doing to help protect you.
</h3>

<h2>
	What happened:
</h2>

<p>
	On August 17, 2021, T-Mobile learned that a bad actor illegally accessed personal data. Our investigation is ongoing, but we have verified that a subset of T-Mobile data had been accessed by unauthorized individuals and the data stolen from our systems did include some personal information. The latest details about the affected data are available <a href="https://www.t-mobile.com/news" rel="external nofollow" target="_blank">here</a>.
</p>

<h2>
	Information involved:
</h2>

<p>
	Our investigation is ongoing and this information may be updated. The exact personal information accessed varies by individual. We have determined that the types of impacted information include: names, drivers’ licenses, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs (which have already been reset to protect you), addresses and phone number(s). We have no indication that personal financial or payment information, credit or debit card information, account numbers, or account passwords were accessed.
</p>

<h2>
	What we're doing:
</h2>

<p>
	We’re relentlessly focused on taking care of our customers—that has not changed. We’ve been working around the clock to address this event and continue protecting you, which includes taking immediate steps to protect all individuals who may be at risk.
</p>

<h2>
	What you can do:
</h2>

<p>
	As we move quickly to protect you, we also want to equip you to protect yourself. It’s recommended that you take proactive steps regularly to protect your data and identity, and now’s a great time to do that. To be clear, we have no information that indicates any passwords, postpaid PIN numbers, or financial or payment information have been compromised. Still, the following steps are always smart practices to help keep your account more secure. We encourage you to complete these actions as soon as possible:
</p>

<ol>
	<li>
		<p>
			Protect your identity with McAfee
		</p>

		<p>
			Sign up for McAfee® ID Theft Protection Service FREE for two years provided by T-Mobile. <a href="https://www.t-mobile.com/brand/data-breach-2021/next-steps?icid=MGPO_TMO_U_21DTASECRT_AH73WUMF4XHQD39VY26095" rel="external nofollow">Claim Now</a>.
		</p>
	</li>
	<li>
		<p>
			Activate Scam Shield™
		</p>

		<p>
			Tap into our network’s advanced scam-blocking protection and use anti-scam features such as Scam ID, Scam Block, and Caller ID—FREE to all T-Mobile customers. <a href="https://www.t-mobile.com/apps/scam-shield-app?icid=MGPO_TMO_U_21DTASECRT_EB93H7YD1OP0VUJT26099" rel="external nofollow">Get more details</a>
		</p>
	</li>
	<li>
		<p>
			Further protect your T-Mobile account
		</p>

		<p>
			Use our free Account Takeover Protection service to help protect against an unauthorized user fraudulently porting out and stealing your phone number (postpaid only). <a href="https://www.t-mobile.com/support/plans-features/port-protection?icid=MGPO_TMO_U_21DTASECRT_SWWXNAW7W4G28URV26098" rel="external nofollow">See how</a>
		</p>
	</li>
	<li>
		<p>
			Additional resources
		</p>

		<p>
			Check out more ways to protect yourself. <a href="http://www.t-mobile.com/support/account/additional-steps-to-protect-yourself?icid=MGPO_MTW_U_21DTASECRT_SVFBJIM81C0IT0Q26102" rel="external nofollow">See how</a>
		</p>
	</li>
</ol>

<p>
	<strong><a href="https://www.t-mobile.com/brand/data-breach-2021" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1896</guid><pubDate>Thu, 19 Aug 2021 20:51:00 +0000</pubDate></item><item><title>Wanted: Disgruntled Employees to Deploy Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/wanted-disgruntled-employees-to-deploy-ransomware-r1895/</link><description><![CDATA[<p>
	Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer’s network in exchange for a percentage of any ransom amount paid by the victim company.
</p>

<p>
	 
</p>

<p>
	<strong>Crane Hassold</strong>, director of threat intelligence at <strong>Abnormal Security</strong>, described what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer’s network.
</p>

<p>
	 
</p>

<p>
	This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold’s correspondent was forced to change up his initial approach in planning to deploy the DemonWare ransomware strain, which is freely available on <strong>GitHub</strong>.
</p>

<p>
	 
</p>

<p>
	“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.
</p>

<p>
	 
</p>

<p>
	Abnormal Security documented how it tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he is building called <strong>Sociogram</strong>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="sociogram.png" class="ipsImage" data-ratio="60.06" height="379" width="631" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/sociogram.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware. While multi-million dollar ransomware payments are hogging the headlines, by far the biggest financial losses tied to cybercrime each year stem from so-called Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers.
</p>

<p>
	 
</p>

<p>
	According to the latest figures (PDF) released by the FBI Internet Crime Complaint Center (IC3), the reported losses from BEC scams continue to dwarf other cybercrime loss categories, increasing to $1.86 billion in 2020.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="fbi2020crimesbyloss.png" class="ipsImage" data-ratio="66.86" height="466" width="697" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/fbi2020crimesbyloss.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	“Knowing the actor is Nigerian really brings the entire story full circle and provides some notable context to the tactics used in the initial email we identified,” Hassold wrote. “For decades, West African scammers, primarily located in Nigeria, have perfected the use of social engineering in cybercrime activity.”
</p>

<p>
	 
</p>

<p>
	“While the most common cyber attack we see from Nigerian actors (and most damaging attack globally) is business email compromise (BEC), it makes sense that a Nigerian actor would fall back on using similar social engineering techniques, even when attempting to successfully deploy a more technically sophisticated attack like ransomware,” Hassold concluded.
</p>

<p>
	 
</p>

<p>
	<strong>DON’T QUIT YOUR DAY JOB</strong>
</p>

<p>
	<br />
	Cybercriminals trolling for disgruntled employees is hardly a new development. Big companies have long been worried about the very real threat of disgruntled employees creating identities on darknet sites and then offering to trash their employer’s network for a fee (for more on that, see my 2016 story, Rise of the Darknet Stokes Fear of the Insider).
</p>

<p>
	 
</p>

<p>
	Indeed, perhaps this enterprising Nigerian scammer is just keeping up with current trends. Several established ransomware affiliate gangs that have recently rebranded under new banners seem to have done away with the affiliate model in favor of just buying illicit access to corporate networks.
</p>

<p>
	 
</p>

<p>
	For example, the Lockbit 2.0 ransomware-as-a-service gang actually includes a solicitation for insiders in the desktop wallpaper left behind on systems encrypted with the malware.
</p>

<p>
	 
</p>

<p>
	“Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company,” LockBit’s unusual ad reads. “You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak.”
</p>

<p>
	 
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="lockbit20.png" class="ipsImage" data-ratio="62.22" height="427" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/lockbit20.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	Likewise, the newly formed<strong> BlackMatter</strong> ransomware gang kicked off its presence on the cybercrime forums with the unassuming thread, “Buying/monetizing your access to corporate networks.” The rest of the post reads:
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	We are looking for access to corporate networks in the following countries:
</p>

<p>
	<br />
	– the USA<br />
	– Canada<br />
	– Australia<br />
	– the UK
</p>

<p>
	 
</p>

<p>
	All lines of business except for:
</p>

<p>
	<br />
	– Healthcare<br />
	– Government entities.
</p>

<p>
	 
</p>

<p>
	Requirements:
</p>

<p>
	<br />
	– Revenue according to ZoomInfo: over 100 million.<br />
	– Number of hosts: 500 to 15,000.<br />
	– We do not accept networks that anybody else has already tried to work on.
</p>

<p>
	 
</p>

<p>
	Two options of cooperation:
</p>

<p>
	<br />
	– We buy networks: 3 to 100k.<br />
	– We monetize them (subject to negotiation on a case-by-case basis).
</p>

<p>
	 
</p>

<p>
	How we work:
</p>

<p>
	<br />
	You select an option of cooperation. -&gt; You provide access to the network. -&gt; We check it. -&gt; We take it or not (depending on whether it meets the requirements).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://krebsonsecurity.com/2021/08/wanted-disgruntled-employees-to-deploy-ransomware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1895</guid><pubDate>Thu, 19 Aug 2021 17:39:38 +0000</pubDate></item><item><title>Most employee monitoring tools are needlessly invasive, study finds</title><link>https://nsaneforums.com/news/security-privacy-news/most-employee-monitoring-tools-are-needlessly-invasive-study-finds-r1894/</link><description><![CDATA[<p>
	If an employer installs time- or attendance-tracking software on your computer, that software can probably spy on you in lots of other ways as well.
</p>

<p>
	 
</p>

<p>
	A new study by the resume-help site StandOut CV compared the data collection features in 32 of the most popular employee monitoring tools. The group found that 75% of these tools can record employees’ screens and monitor which apps or websites they’re using, while 59% can monitor keyboard and mouse movements. Nearly half of those tools can run in a stealth mode, allowing employers to deploy the software on company-owned computers without workers’ knowledge.
</p>

<p>
	 
</p>

<p>
	The companies behind this software—including Hubstaff, Time Doctor, Teramind, and Interguard—say their businesses have boomed during the pandemic. StandOut CV’s study quantifies just how invasive this software has become across the board as vendors compete to offer the most comprehensive monitoring features.
</p>

<p>
	 
</p>

<p>
	Even more insidious forms of employee monitoring are less widespread but still available in several of the most popular software programs. StandOut CV found that 22% of those programs can access a device’s camera to take pictures of their workers, 19% support GPS tracking, and 9% can listen in on employees through their computers’ microphones.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Employee-monitoring-index-996x1536-1.jpg" class="ipsImage" data-ratio="90.76" height="540" width="350" src="https://images.fastcompany.net/image/upload/w_596,c_limit,q_auto:best,f_auto/wp-cms/uploads/2021/08/Employee-monitoring-index-996x1536-1.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Whether those tactics do more good than harm is up for debate. Research has shown that monitoring can work well if employers are transparent about why they’re doing it, and if employees feel it will improve their work. Conversely, invasive monitoring can lead to tension and burnout, and it can erode workers’ motivations to put in extra effort for a company. Monitoring software can also create privacy issues if employers slurp up personal data, and it can be a form of discrimination if managers use it to target specific workers.
</p>

<p>
	 
</p>

<p>
	It also might just be the wrong way to keep tabs on employees in a fully remote environment. Instead of just tracking the time and effort that goes in, companies might be better off looking at the work that comes out.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.fastcompany.com/90666970/employee-surveillance-monitoring-tools-study" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1894</guid><pubDate>Thu, 19 Aug 2021 17:22:10 +0000</pubDate></item><item><title>Cunning WordPress malware disguises itself as regular code</title><link>https://nsaneforums.com/news/security-privacy-news/cunning-wordpress-malware-disguises-itself-as-regular-code-r1893/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Could be a rising trend, suggests security researcher</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity experts have identified a novel approach to disguising WordPress security threats that involves generating malware on the fly with legitimate-looking code.
</p>

<p>
	 
</p>

<p>
	In a blog post, Ned Andonov, a WordPress security expert at Wordfence, shares details about a simple but effective obfuscation technique, which due to its unique characteristics doesn’t carry any of the usual detectable patterns.
</p>

<p>
	 
</p>

<p>
	“The code abstraction looked almost perfect, each class method was well commented, the business logic looked reasonable, and the code was following the latest code quality standards,” writes Andonov.
</p>

<p>
	 
</p>

<p>
	In fact, Andonov admits that the malware-generating code was so well-written that it would take a seasoned security analyst to notice anything suspicious about it.
</p>

<p>
	 
</p>

<p>
	<strong>Malware in code</strong>
</p>

<p>
	<br />
	Breaking down the code, Andonov says that while many of the methods look legitimate, the first thing that struck him as odd was the $indicies variable.
</p>

<p>
	 
</p>

<p>
	“This function is actually using a standard for loop to generate commonly used suspicious functions while evading detection and is the most obviously obfuscated portion of the code,” writes Andonov.
</p>

<p>
	 
</p>

<p>
	And that’s not all. The code also extracts compressed malware from inside a PNG image. 
</p>
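<p>
	As an added example, not code from the Wordfence write-up or from the malware itself, here is a small Python checker for the two tricks the article describes: function names assembled from integer indices into an alphabet string inside a for loop, and a compressed payload carried inside a PNG. The PHP fragment is constructed, the class and variable names are assumptions, and the PNG check assumes the payload was appended after the IEND chunk, which the article does not specify; a payload stored in a private chunk would need each chunk inspected instead.
</p>

```python
import re
import struct
import zlib

# Constructed sample of the pattern described in the article: a tidy-looking
# class that assembles function names from integer indices into an alphabet
# string inside a for loop. Names are assumptions, not Wordfence's sample.
SAMPLE_PHP = r'''<?php
class Cache_Helper {
    private $alphabet = "abcdefghijklmnopqrstuvwxyz_0123456789";
    private $indicies = [[1,0,18,4,33,31,26,3,4,2,14,3,4], [4,21,0,11]];

    /** Resolve the helper names used by the cache layer. */
    private function names() {
        $out = [];
        foreach ($this->indicies as $idx) {
            $name = "";
            for ($i = 0; $i < count($idx); $i++) {
                $name .= $this->alphabet[$idx[$i]];
            }
            $out[] = $name;
        }
        return $out;
    }
}
'''

DANGEROUS = {"eval", "assert", "system", "exec", "passthru", "shell_exec",
             "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
             "create_function", "file_get_contents", "file_put_contents"}

ALPHABET_RE = re.compile(r'\$\w+\s*=\s*"([^"]{20,})"\s*;')       # long string literal
INDEX_LIST_RE = re.compile(r'\[((?:\s*\d+\s*,)*\s*\d+\s*)\]')   # [1, 0, 18, ...]
INDEX_LOOP_RE = re.compile(r'\.=\s*\$[\w>-]+\[\$\w+\[\$\w+\]\]')  # .= $x[$idx[$i]]
IDENT_RE = re.compile(r'[A-Za-z_]\w*')


def resolve_index_strings(src):
    """Decode every integer list against every long string literal in the
    file and keep the results that look like identifiers."""
    alphabets = [m.group(1) for m in ALPHABET_RE.finditer(src)]
    names = []
    for m in INDEX_LIST_RE.finditer(src):
        idx = [int(x) for x in m.group(1).split(",")]
        for alpha in alphabets:
            if max(idx) < len(alpha):
                name = "".join(alpha[i] for i in idx)
                if IDENT_RE.fullmatch(name):
                    names.append(name)
    return names


def scan_php(src):
    """Report the index-loop construct and any decoded names that are
    functions an analyst would expect to see spelled out."""
    decoded = resolve_index_strings(src)
    return {"index_loop": bool(INDEX_LOOP_RE.search(src)),
            "decoded": decoded,
            "dangerous": sorted(set(decoded) & DANGEROUS)}


PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed stand-in for the compressed payload; a real one would be the
# remote-command handler the article mentions.
PAYLOAD = b"<?php /* constructed stand-in for an appended payload */ ?>"


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png():
    """A valid 1x1 greyscale PNG, built inline so the check runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_tainted_png():
    """The same PNG with a zlib-compressed payload appended after IEND (assumed placement)."""
    return build_sample_png() + zlib.compress(PAYLOAD)


def png_trailing_data(data):
    """Walk the chunk list and return whatever follows IEND; a clean file has none."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")


def inspect_png(data):
    """Flag trailing bytes and try to inflate them."""
    trailing = png_trailing_data(data)
    report = {"trailing_bytes": len(trailing), "inflated": None}
    if trailing:
        try:
            report["inflated"] = zlib.decompress(trailing)
        except zlib.error:
            pass
    return report


if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
    print(inspect_png(build_sample_png()), inspect_png(build_tainted_png()))
```

<p>
	The point of resolving the indices rather than grepping for <code>eval</code> is that the class passes a skim: every method is commented and the loop is ordinary, but the identifiers it produces (eval, base64_decode in the constructed sample) are the ones a pattern scanner would have caught had they been written out.
</p>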

<p>
	 
</p>

<p>
	Andonov opines that the malware is professionally written and contains “a collection of remote commands including code execution, updates, and files access.”
</p>

<p>
	 
</p>

<p>
	Analyzing the psychological underpinnings of the technique used by the attacker, he refers to the work of Nobel laureate psychologist Daniel Kahneman to conclude that a routine glance at the code would not trip the sensors of an inexperienced analyst, who would have no reason to suspect that the code deserves a closer look. 
</p>

<p>
	 
</p>

<p>
	“Analysts would also do well to keep their System 2 mind engaged, as Kahneman would put it, when analyzing suspected malware,” concludes Andonov.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/cunning-wordpress-malware-disguises-itself-as-regular-code" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1893</guid><pubDate>Thu, 19 Aug 2021 17:18:54 +0000</pubDate></item><item><title>Understanding the rising threat of ransomware attacks</title><link>https://nsaneforums.com/news/security-privacy-news/understanding-the-rising-threat-of-ransomware-attacks-r1889/</link><description><![CDATA[<p>
	A rude awakening came to thousands of Americans in early May. Many motorists who had never seen the effects of a devastating ransomware attack found themselves scrambling to find a flowing gas pump, and waiting in massive lines when they did.
</p>

<p>
	 
</p>

<p>
	This came after a suspected Russian-linked criminal group breached the computer network of Colonial Pipeline, operator of the East Coast's largest fuel pipeline, shutting down its operations and threatening to leak stolen sensitive data if a $4.4 million ransom was not paid. Within days, pumps up and down the East Coast were taped off with "Out of Gas" signs.
</p>

<p>
	 
</p>

<p>
	It took an attack of this capacity, affecting lives so directly, for the average person to notice what can happen when data and software are held for ransom. The Colonial Pipeline attack was one of thousands each year, many of which go unnoticed despite the fact that millions of dollars are cumulatively spent in ransoms.
</p>

<p>
	 
</p>

<p>
	Between 2019 and 2020, ransomware attacks rose 158% in North America alone, and the collective cost of attacks reported to the FBI went up 200%, from $8.9 million to $29.1 million.
</p>

<p>
	 
</p>

<p>
	According to Don Brown, senior associate dean for research at the University of Virginia's School of Engineering, Quantitative Foundation Distinguished Professor in Data Science and W.S. Calcott Professor in the Department of Systems and Information Engineering, criminal acts of this nature are not going away anytime soon, especially if companies continue to pay ransoms.
</p>

<p>
	 
</p>

<p>
	As the looming threat plagues organizations—from national security agencies and Fortune 500 companies to schools and small businesses—UVA Today asked Brown to explain the nature, commonality, protections and future of ransomware attacks.
</p>

<p>
	 
</p>

<p>
	<strong>Q. What are ransomware attacks? What do they do?</strong>
</p>

<p>
	 
</p>

<p>
	A. Ransomware attacks penetrate data management software and then encrypt access to the data using a key known only to the criminals. The original owners of the data can then no longer access it. Once the data is hijacked, the criminals then demand money to decrypt access to the data.
</p>

<p>
	 
</p>

<p>
	<strong>Q. Almost half of the East Coast's fuel supply was halted due to the Colonial Pipeline attack. How are perpetrators able to do this?</strong>
</p>

<p>
	 
</p>

<p>
	A. Ransomware attacks enter through a variety of methods, but the most common are through exploitation of simple passwords (e.g., "password"), through phishing attacks (i.e., posing as a legitimate site in order to obtain a password or log-in credentials), and through software (e.g., M.S. Windows) with known bugs that has not been updated.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<strong>Q. What other massive attacks has the United States seen?</strong>
</p>

<p>
	 
</p>

<p>
	A. The U.S. has seen a lot of attacks. There is the well-known attack on the Democratic National Committee in 2016, although that was a data breach, not ransomware. The same groups (they appear to be Russian) that attacked the Colonial Pipeline appear to have attacked many businesses worldwide over the last month through the exploitation of a security bug in the Kaseya software. Also, China is widely suspected of breaching the United States Office of Personnel Management in 2014 to obtain as many as 32 million records of government personnel and their families with security clearances.
</p>

<p>
	 
</p>

<p>
	Unfortunately, there are more than these.
</p>

<p>
	 
</p>

<p>
	<strong>Q. How often do smaller ransomware attacks go unnoticed by the public? Where do these take place?</strong>
</p>

<p>
	 
</p>

<p>
	A. Since not everyone reports attacks, we don't know the full scope. But recent attacks exploiting the Kaseya bug have likely affected thousands of businesses worldwide. These attacks are against supply chain companies, but they have also targeted manufacturers, hospitals and health care providers, and even schools, since they know these organizations often have weak security and are critically dependent on their data.
</p>

<p>
	 
</p>

<p>
	<strong>Q. What are governments, organizations and companies doing to protect themselves? What are they not doing, or what should they be doing?</strong>
</p>

<p>
	 
</p>

<p>
	A. The Biden administration is currently in discussions with [Russian leader Vladimir] Putin, as you can see in the news.
</p>

<p>
	 
</p>

<p>
	The U.S. needs to decide on an overall policy regarding cyberattacks. Are these nation-state attacks? For instance, the attack on the Colonial Pipeline by criminals in Russia was not necessarily by the Russian government, but Russia has done nothing to stop these attacks on other countries, particularly Western countries. Also, the U.S. has condoned payment for exploits in commonly used software such as Windows and iOS. This creates a worldwide market for potential exploitation.
</p>

<p>
	 
</p>

<p>
	<strong>Q. Why should individuals be concerned about ransomware attacks? Can individuals do anything to protect themselves?</strong>
</p>

<p>
	 
</p>

<p>
	A. Clearly these attacks affect all of us, as we saw with lines at gas stations following the Colonial Pipeline attack. Attacks on hospitals and schools may be local and not as visible or highly publicized, but could also have severe and rippling consequences.
</p>

<p>
	The main thing individuals can do is to use strong passwords, be very cautious about opening email attachments or responding to emails that want personal information and keep software up to date.
</p>

<p>
	 
</p>

<p>
	<strong>Q. What does the future of ransomware attacks look like?</strong>
</p>

<p>
	 
</p>

<p>
	A. Unless governments agree to cooperate and go after the criminals, we're probably only going to see more ransomware attacks. Sadly, it could get much worse before it gets better.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-08-threat-ransomware.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1889</guid><pubDate>Thu, 19 Aug 2021 14:36:43 +0000</pubDate></item><item><title>Apple&#x2019;s Double Agent</title><link>https://nsaneforums.com/news/security-privacy-news/apple%E2%80%99s-double-agent-r1888/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>He spent years inside the iPhone leaks and jailbreak community. He was also spying for Apple.</strong></span>
</p>

<p>
	 
</p>

<p>
	For more than a year, an active member of a community that traded in illicitly obtained internal Apple documents and devices was also acting as an informant for the company. 
</p>

<p>
	 
</p>

<p>
	On Twitter and in Discord channels for the loosely defined Apple "internal" community that trades leaked information and stolen prototypes, he advertised leaked apps, manuals, and stolen devices for sale. But unbeknownst to other members in the community, he shared with Apple personal information of people who sold stolen iPhone prototypes from China, Apple employees who leaked information online, journalists who had relationships with leakers and sellers, and anything that he thought the company would find interesting and worth investigating.
</p>

<p>
	 
</p>

<p>
	Andrey Shumeyko, also known as YRH04E and JVHResearch online, decided to share his story because he felt that Apple took advantage of him and should have compensated him for providing the company this information. 
</p>

<p>
	 
</p>

<p>
	"Me coming forward is mostly me finally realizing that that relationship never took into consideration my side and me as a person," Shumeyko told Motherboard. Shumeyko shared several pieces of evidence to back up his claims, including texts and an email thread between him and an Apple email address for the company's Global Security team. Motherboard checked that the emails are legitimate by analyzing their headers, which show Shumeyko received a reply from servers owned by Apple, according to online records.
</p>
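<p>
	The header check Motherboard describes, as an added example that is not part of the article and runs on constructed headers with invented hosts, addresses and IDs: the only Received line worth trusting is the one your own mail server wrote, because every line beneath it arrived inside the message and could have been typed by the sender. The check therefore reads the reverse DNS and the authentication verdict recorded by that hop, not the sender-chosen HELO name.
</p>

```python
import re
from email import message_from_string

# Constructed sample of a reply as the recipient's mailbox would store it.
# Hosts, addresses and queue IDs are invented. The top Received line is the
# one the recipient's own MTA wrote; everything below it arrived inside the
# message and could have been written by anyone.
SAMPLE_REPLY = """\
Received: from mail-relay.sender.example (mail-relay.sender.example [198.51.100.25])
\tby mx.recipient.example (Postfix) with ESMTPS id 4AB12C
\tfor <researcher@recipient.example>; Fri, 15 May 2020 10:00:00 +0000
Received: from app-01.internal.sender.example (localhost [127.0.0.1])
\tby mail-relay.sender.example with ESMTP id 9XY78Z;
\tFri, 15 May 2020 09:59:58 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example
From: Security <security@sender.example>
To: researcher@recipient.example
Subject: Re: information

Thanks, we will be in touch.
"""

# "from HELO (reverse-dns [ip]) by host": the HELO name is chosen by the
# sender; the parenthesised part was looked up by the receiving server.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")


def relay_chain(raw):
    """One dict per Received header, most recent hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))
        if not m:
            continue
        info = m.group(2).split()
        rdns = info[0] if info and not info[0].startswith("[") else None
        hops.append({"helo": m.group(1), "rdns": rdns, "by": m.group(3).rstrip(";")})
    return hops


def auth_results(raw):
    """spf/dkim/dmarc verdicts and the DKIM signing domain, as recorded by our MTA."""
    msg = message_from_string(raw)
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = " ".join(hdr.split())
        out.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))
        m = re.search(r"header\.d=([\w.-]+)", hdr)
        if m:
            out["dkim_domain"] = m.group(1)
    return out


def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def verify_origin(raw, our_mx, expected_domain):
    """Trust only the hop written by our own MTA: the reverse DNS it recorded
    must fall under expected_domain and DKIM must pass for that same domain."""
    hops = relay_chain(raw)
    trusted = next((h for h in hops if h["by"] == our_mx), None)
    if trusted is None:
        return {"ok": False, "reason": "no Received line written by our MTA"}
    auth = auth_results(raw)
    rdns_ok = in_domain(trusted["rdns"], expected_domain)
    dkim_ok = auth.get("dkim") == "pass" and auth.get("dkim_domain") == expected_domain
    return {"ok": rdns_ok and dkim_ok,
            "relay": trusted["rdns"],
            "dkim": auth.get("dkim"),
            "unverified_hops": len(hops) - hops.index(trusted) - 1}


if __name__ == "__main__":
    print(verify_origin(SAMPLE_REPLY, "mx.recipient.example", "sender.example"))
```

<p>
	The <code>unverified_hops</code> count is the caveat: the inner Received line naming an internal host says nothing by itself, since a sender can prepend any number of such lines. What ties the reply to the claimed organisation is the relay name your own server resolved plus a DKIM pass for that domain.
</p>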

<p>
	 
</p>

<p>
	Shumeyko said he established a relationship with Apple's anti-leak team—officially called Global Security—after he alerted them of a potential phishing campaign against some Apple Store employees in 2017. Then, in mid-2020, he tried to help Apple investigate one of its worst leaks in recent memory, and became a "mole," as he put it. 
</p>

<p>
	 
</p>

<p>
	Last year, months before the official release of Apple's mobile operating system iOS 14, iPhone hackers got their hands on a leaked early version.
</p>

<p>
	 
</p>

<p>
	At the time, people in the iPhone hacking community told Motherboard that the leaked iOS build came from a stolen prototype of an iPhone 11 that was purchased from gray-market vendors in China. Sensitive Apple software and hardware occasionally leaks out of China, and there is a thriving gray market of stolen iPhone prototypes that are marketed to security researchers and hackers interested in finding vulnerabilities and developing exploits for Apple's devices. 
</p>

<p>
	 
</p>

<p>
	Apple is obviously not happy about any of this. But over the years, apart from the time it famously went after a Gizmodo journalist who found a prototype of an iPhone 4 in a San Francisco bar, the company has largely kept its response to leaks under wraps. In mid-June, Apple lawyers in China sent letters to a Chinese citizen who advertised and sold stolen devices, demanding they stop their activities and reveal their sources inside the company, as Motherboard reported last month.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:18px;"><em><strong>“People trust me, and find me pretty likable, and so I’m capable of using that to my advantage”</strong></em></span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	The secretive Global Security reportedly employs former U.S. intelligence and FBI agents and is tasked with cracking down on leaks and leakers, but very little is known about the way it operates. 
</p>

<p>
	 
</p>

<p>
	One of the ways the team tracks leaks and leakers is by cultivating relationships with people in the jailbreaking and internal community, such as Shumeyko. It's not the first time something like this has happened. As Motherboard reported in 2017, an Apple employee had infiltrated the early jailbreaking scene, acting as a double agent. 
</p>

<p>
	 
</p>

<p>
	Shumeyko has never worked for Apple, but he assumed a similar role last year when he decided to give Apple information about the iOS 14 leak. He had obtained a copy of the leaked iOS 14 build himself, and said he also learned how the leak went down and wanted to share the information with Apple.
</p>

<p>
	 
</p>

<p>
	On May 15 of last year, Shumeyko reached out to Apple Global Security via email, according to an email chain he shared. He offered information about the person who allegedly purchased the iPhone 11 that contained the iOS 14 development build, the security researchers who got a leaked copy of the operating system, and a handful of people who apparently live in China and sell iPhone prototypes and other devices that appear to leak out of factories in Shenzhen. 
</p>

<p>
	 
</p>

<p>
	"I think I found the mole who helped him orchestrate the thing," Shumeyko wrote to Apple, referring to the iOS 14 leak and the person who allegedly purchased the stolen prototype. "I've identified which one of the 3 Chinese hardware suppliers sent him the phone. I’ve received a package from that same guy in the past (still have the DHL tracking number), and I have his phone number. Would any of the above be of any aid?"
</p>

<p>
	 
</p>

<p>
	At the end of the email chain, an Apple employee asked if Shumeyko was free for a chat.
</p>

<p>
	 
</p>

<p>
	"What’s the number you use for Signal/Telegram? We will assign a member of the team to reach out," the employee wrote. 
</p>

<p>
	Shumeyko said he was willing to help as a way to redeem himself for being part of that community, and to get some money out of it, according to him and his online chats with an Apple Global Security employee.
</p>

<p>
	 
</p>

<p>
	"People trust me, and find me pretty likable, and so I’m capable of using that to my advantage," Shumeyko told the Apple employee during their monthslong online chats. "I regret my involvement in all that stuff and I’ll do whatever you need me to redeem my past actions." 
</p>

<p>
	 
</p>

<p>
	"I know I’ve been naughty, but my actions so far landed the right connections which I can use to help further the company. Getting into this whole thing was a mistake on my side," Shumeyko told the Apple Global Security employee. 
</p>

<p>
	 
</p>

<p>
	What he shared was interesting enough to prompt Apple employees to keep the communications channel with Shumeyko open for almost a year. 
</p>

<p>
	 
</p>

<p>
	Two people who are part of the Apple jailbreaking and internal community confirmed that Shumeyko was dabbling in it by advertising leaked data on Twitter.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:18px;"><em><strong>“He is widely trusted to be an original source of that information.”</strong></em></span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	"He’s tweeted a lot with internal materials from Apple," one of the people in the Apple jailbreaking and internal community told Motherboard in an online chat. "I think he is widely trusted to be an original source of that information."
</p>

<p>
	 
</p>

<p>
	Another person, who also asked to remain anonymous as he, too, is involved in the jailbreaking and internal communities and fears retaliation from Apple, told Motherboard that Shumeyko "was most definitely involved in that community and he most definitely had some level of access to things he shouldn’t have." 
</p>

<p>
	 
</p>

<p>
	According to the person involved in the jailbreaking community, "the 'Apple Internal Community' is just a bunch of kids on Twitter who find, buy, sell, and trade firmware or other such things without realizing the repercussions such things carry." But other than kids, there are also serious sellers, mostly based in China, who sell prototype iPhones for thousands of dollars, as a Motherboard investigation showed in 2019. 
</p>

<p>
	 
</p>

<p>
	And Apple has been trying to crack down on them recently by sending them legal letters, which revealed that the company knows their names and home addresses, despite the fact that they only use nicknames online. 
</p>

<p>
	 
</p>

<p>
	Last year, Shumeyko sent Apple investigators a PDF titled "The List," essentially a dossier where he shared personal details such as phone numbers, WeChat IDs, and alleged locations of three people who advertised and sold devices on Twitter, as well as a U.S. citizen who collects iPhone prototypes. One of the people listed in the PDF is the one who received the legal letter from Apple, Motherboard has learned.  
</p>

<p>
	 
</p>

<p>
	Apple declined to comment for this article. 
</p>

<p>
	 
</p>

<p>
	None of the people Shumeyko mentioned to Apple, and whom Motherboard spoke to, had any idea that Shumeyko had become a mole for the company. 
</p>

<p>
	 
</p>

<p>
	When he was acting as a mole, Shumeyko wanted to keep his relationship with Apple a secret, "fearing I might damage that fragile thing we had going on," he said, referring to the company. But at this point, now that he’s coming out, Shumeyko doesn't care what anyone will think of him.
</p>

<p>
	 
</p>

<p>
	"Them knowing what I am doesn’t really change my life for better or worse. And, well, I just wanted to be heard for once, and the story I tell to be truthful," Shumeyko said.  
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="1629293240569-img6917.jpeg?resize=800:*" class="ipsImage" data-ratio="74.03" height="479" width="720" src="https://video-images.vice.com/_uncategorized/1629293240569-img6917.jpeg?resize=800:*" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>THREE IPHONE PROTOTYPES. (IMAGE: GIULIO ZOMPETTI/MOTHERBOARD)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Months after he first reached out, Shumeyko explained more about why he wanted to help Apple.
</p>

<p>
	 
</p>

<p>
	"I was inspired by the rumor that the raid on the journalist’s house during the iPhone 4 Gizmodo incident was conducted by Apple’s own ‘police’ team," Shumeyko told a Global Security employee. "So I assumed prosecuting [an iPhone prototype collector who also traded leaked information and hardware] and the Chinese would be easy then, and that I’ll get to walk away with a reward generous enough to jumpstart my life entirely."
</p>

<p>
	 
</p>

<p>
	Shumeyko said he expected Apple to "do something" with the information he provided, but it's unclear what the company achieved with Shumeyko's information. Despite asking many times for details about how the company was acting on his information, the Apple employee he was corresponding with never gave him any answers. Shumeyko also repeatedly asked if it would be possible for him to be paid for his information, citing financial problems he needed to take care of. In this case, too, the Apple employee was noncommittal, according to the conversation's transcript. 
</p>

<p>
	 
</p>

<p>
	"I know I'm very much a part of the problem that I'm trying to report, and I really hate to be the Karen of this story, but still, I'm determined to fully follow through with this and I'm sorry for being a huge inconvenience," Shumeyko told the Apple Global Security employee, according to the chats viewed by Motherboard. "I know you probably can't answer all of my previous questions, so could you kindly get someone who can talk to me over email or this app? Again: 1) How helpful were the materials provided? 2) Should I try to obtain more information? 3) Do I get any protection at all as a whistleblower?" 
</p>

<p>
	 
</p>

<p>
	Still, his constant flow of tips on people in the jailbreaking and internals community, as well as tips on Apple employees who were active online and were leaking information, were well received by the Apple Global Security employee.
</p>

<p>
	 
</p>

<p>
	"We appreciate the information you provide. Please feel encouraged to keep sharing what you have," the nameless Apple Global Security employee said. The chats between Shumeyko and the employee spanned almost a year, and the Apple employee consistently thanked Shumeyko for the information and asked for more information about specific materials and people. 
</p>

<p>
	 
</p>

<p>
	In the summer of 2020, Shumeyko told his Apple Global Security contact that he’d been in touch with an Apple employee in Germany who worked on Apple Maps. Shumeyko alleged that the employee was offering to sell access to an internal Apple account used by employees to log in to their corporate emails and intranet. Shumeyko said he always kept contact with the employee, who eventually told him that he’d gotten fired. 
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:18px;"><em><strong>“Do the right things to protect Apple. Keep it that way, you will be proud of yourself, so will we.”</strong></em></span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	Shumeyko said he was hoping that by helping Apple, the company would help him in return. But that, he said, never happened. And he's now questioning whether he should have helped in the first place.
</p>

<p>
	 
</p>

<p>
	"Now it feels like I ruined someone for no good reason, really," Shumeyko told me, referring to the Apple employee in Germany.
</p>

<p>
	 
</p>

<p>
	Weeks later, out of frustration, Shumeyko said he leaked the information he gathered from the employee to the Apple-focused blog 9to5Mac, which wrote an article based on the leaked data. Shumeyko almost immediately regretted it, telling his Apple contact, "I know that looks bad. And I apologize for that."
</p>

<p>
	 
</p>

<p>
	"Going forward if you plan to publish anything, please consult us (if you want to do the right things for yourself)," Apple Global Security's employee told Shumeyko. 
</p>

<p>
	 
</p>

<p>
	"Please understand that our goal is to protect Apple. All our actions are guided by the premise of what is best for the company, our employees, and our customers (of which you are one). Therefore your help—and insights—in understanding possible threats to us are very important," the Apple employee continued. "My personal advice is that you continue to do the right things so that you can build a positive image for yourself. Do the right things to protect Apple. Keep it that way, you will be proud of yourself, so will we."
</p>

<p>
	 
</p>

<p>
	During his conversations with the Apple Global Security employee, Shumeyko shared the contact information and social media profiles of three alleged sellers of stolen devices in China, a person who collects these type of devices and who was allegedly involved in the iOS 14 leak, and the personal details and names of connections of someone who allegedly used to be an Apple intern and then became part of the jailbreaking community. 
</p>

<p>
	 
</p>

<p>
	A year after Shumeyko started talking to Global Security, his relationship with Apple is basically nonexistent. Shumeyko said he last heard from Global Security on July 15. 
</p>

<p>
	 
</p>

<p>
	Shumeyko told Motherboard that he is still struggling financially. He is also still on Twitter trying to sell Apple data in an attempt to finally cash out on years of being involved in Apple leaks.  
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong><a href="https://www.vice.com/en/article/3aqyz8/apples-double-agent" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">1888</guid><pubDate>Thu, 19 Aug 2021 13:21:23 +0000</pubDate></item><item><title>Researchers Find New Evidence Linking Diavol Ransomware to TrickBot Gang</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-find-new-evidence-linking-diavol-ransomware-to-trickbot-gang-r1887/</link><description><![CDATA[<p>
	Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the infamous TrickBot syndicate.
</p>

<p>
	 
</p>

<p>
	The latest findings from IBM X-Force show that the ransomware sample shares similarities to other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two.
</p>

<p>
	 
</p>

<p>
	In early July, Fortinet revealed specifics of an unsuccessful ransomware attack involving Diavol payload targeting one of its customers, highlighting the payload's source code overlaps with that of Conti and its technique of reusing some language from Egregor ransomware in its ransom note.
</p>

<p>
	 
</p>

<p>
	"As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm," Fortinet researchers previously said. "Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they [are] significantly slower than symmetric algorithms."
</p>

<p>
	 
</p>

<p>
	Now an assessment of an earlier sample of Diavol — compiled on March 5, 2020, and submitted to VirusTotal on January 27, 2021 — has revealed insights into the malware's development process, with the source code capable of terminating arbitrary processes and prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker.
</p>

<p>
	 
</p>

<p>
	What's more, the initial execution of the ransomware leads to it collecting system information, which is used to generate a unique identifier that's nearly identical to the Bot ID generated by TrickBot malware, except for the addition of the Windows username field.
</p>

<p>
	Diavol's links to TrickBot also boil down to the fact that HTTP headers used for command-and-control (C2) communication are set to prefer Russian language content, which matches the language used by the operators.
</p>

<p>
	 
</p>

<p>
	A point of similarity between the two ransomware samples concerns the registration process, where the victim machine uses the identifier created in the previous step to register itself with a remote server. "This registration to the botnet is nearly identical in both samples analyzed," IBM Security's Charlotte Hammond and Chris Caridi said. "The primary difference is the registration URL changing from https://[server_address]/bots/register to https://[server_address]/BnpOnspQwtjCA/register."
</p>

<p>
	 
</p>

<p>
	But unlike the fully functional variant, the development sample not only has its file enumeration and encryption functions left unfinished, it also directly encrypts files with the extension ".lock64" as they are encountered, instead of relying on asynchronous procedure calls. A second deviation detected by IBM is that the original file is not deleted post encryption, thus obviating the need for a decryption key.
</p>

<p>
	 
</p>

<p>
	Another clue tying the malware to the Russian threat actors is the code for checking the language on the infected system to filter out victims in Russia or the Commonwealth of Independent States (CIS) region, a known tactic adopted by the TrickBot group.
</p>

<p>
	 
</p>

<p>
	"Collaboration between cybercrime groups, affiliate programs and code reuse are all parts of a growing ransomware economy," the researchers said. "The Diavol code is relatively new in the cybercrime area, and less infamous than Ryuk or Conti, but it likely shares ties to the same operators and blackhat coders behind the scenes."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1887</guid><pubDate>Thu, 19 Aug 2021 12:19:17 +0000</pubDate></item><item><title>T-Mobile: Breach Exposed SSN/DOB of 40M+ People</title><link>https://nsaneforums.com/news/security-privacy-news/t-mobile-breach-exposed-ssndob-of-40m-people-r1874/</link><description><![CDATA[<p>
	T-Mobile is warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. The acknowledgment came less than 48 hours after millions of the stolen T-Mobile customer records went up for sale in the cybercrime underground.
</p>

<div>
	<p>
		 
	</p>

	<p>
		In a statement Tuesday evening, T-Mobile said a “highly sophisticated” attack against its network led to the breach of data on millions of customers.
	</p>

	<p>
		 
	</p>

	<p>
		“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile,” the company wrote in <a href="https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation" rel="external nofollow" target="_blank">a blog post</a>. “Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”
	</p>

	<p>
		 
	</p>

	<p>
		Nevertheless, T-Mobile is urging all T-Mobile postpaid customers to proactively change their account PINs by going online into their T-Mobile account or calling customer care at 611. “This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised,” the advisory reads.
	</p>

	<p>
		 
	</p>

	<p>
		It is not clear how many people total may be impacted by this breach. T-Mobile hasn’t yet responded to requests for clarification regarding how many of the 7.8 million current customers may also have been affected by the credit application breach.
	</p>

	<p>
		 
	</p>

	<p>
		The intrusion first came to light on Twitter when the account <a href="https://twitter.com/und0xxed" rel="external nofollow" target="_blank">@und0xxed</a> started tweeting the details, and someone on a cybercrime forum <a href="https://krebsonsecurity.com/2021/08/t-mobile-investigating-claims-of-massive-data-breach/" rel="external nofollow" target="_blank">began selling what they claimed were more than 100 million freshly hacked records from T-Mobile</a>. The hackers claimed one of those databases held the name, date of birth, SSN, driver’s license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.
	</p>

	<p>
		 
	</p>

	<p>
		T-Mobile said it was also able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.
	</p>

	<p>
		 
	</p>

	<p>
		“We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed,” T-Mobile said. “We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.”
	</p>

	<p>
		 
	</p>

	<p>
		T-Mobile said it would pay for two years of identity theft protection services for any affected customers, and that it was offering “an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.” Why it wouldn’t make that extra protection standard for all accounts all the time is not entirely clear.
	</p>

	<p>
		 
	</p>

	<p>
		This stolen data is being actively sold, but <a href="https://krebsonsecurity.com/2021/07/the-life-cycle-of-a-breached-database/" rel="external nofollow" target="_blank">if the past is any teacher much of it will wind up posted online soon</a>. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.
	</p>

	<p>
		 
	</p>

	<p>
		T-Mobile customers should expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even messages that include the recipient’s compromised account details to make the communications look more legitimate.
	</p>

	<p>
		 
	</p>

	<p>
		Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then <a href="https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/" rel="external nofollow" target="_blank">a security freeze</a> is your best option.
	</p>

	<p>
		 
	</p>

	<p>
		If you’re a current T-Mobile customer, by all means change your account PIN as instructed. But regardless of which mobile provider you patronize, consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.
	</p>

	<p>
		 
	</p>

	<p>
		Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has <a href="https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/" rel="external nofollow" target="_blank">turned mobile phone numbers into de facto identity documents</a>. Which means losing control over your phone number thanks to an <a href="https://krebsonsecurity.com/category/sim-swapping/" rel="external nofollow" target="_blank">unauthorized SIM swap or mobile number port-out</a>, divorce, job termination or financial crisis can be devastating.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/08/t-mobile-breach-exposed-ssn-dob-of-40m-people/" rel="external nofollow">T-Mobile: Breach Exposed SSN/DOB of 40M+ People</a>
</p>
]]></description><guid isPermaLink="false">1874</guid><pubDate>Wed, 18 Aug 2021 23:31:00 +0000</pubDate></item><item><title>Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF</title><link>https://nsaneforums.com/news/security-privacy-news/unpatched-remote-hacking-flaw-disclosed-in-fortinets-fortiweb-waf-r1866/</link><description><![CDATA[<p>
	Details have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.
</p>

<p>
	 
</p>

<p>
	"An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page," cybersecurity firm Rapid7 said in an advisory published Tuesday. "This vulnerability appears to be related to CVE-2021-22123, which was addressed in FG-IR-20-120."
</p>

<p>
	 
</p>

<p>
	Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with FortiWeb version 6.4.1.
</p>

<p>
	 
</p>

<p>
	The command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.
</p>

<p>
	 
</p>

<p>
	"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges," Rapid7's Tod Beardsley said. "They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ."
</p>

<p>
	 
</p>

<p>
	Rapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as CVE-2020-29015. In the interim, users are advised to block access to the FortiWeb device's management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.
</p>

<p>
	 
</p>

<p>
	Although there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.
</p>

<p>
	 
</p>

<p>
	Earlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.
</p>

<p>
	 
</p>

<p>
	In the same month, Russian cybersecurity company Kaspersky revealed that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries to deploy the Cring ransomware.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1866</guid><pubDate>Wed, 18 Aug 2021 14:16:35 +0000</pubDate></item><item><title>NK Hackers Deploy Browser Exploits on South Korean Sites to Spread Malware</title><link>https://nsaneforums.com/news/security-privacy-news/nk-hackers-deploy-browser-exploits-on-south-korean-sites-to-spread-malware-r1865/</link><description><![CDATA[<p>
	A North Korean threat actor has been discovered taking advantage of two exploits in Internet Explorer to infect victims with a custom implant as part of a strategic web compromise (SWC) targeting a South Korean online newspaper.
</p>

<p>
	 
</p>

<p>
	Cybersecurity firm Volexity attributed the attacks to a threat actor it tracks as InkySquid, and more widely known by the monikers ScarCruft and APT37. Daily NK, the publication in question, is said to have hosted the malicious code from at least late March 2021 until early June 2021.
</p>

<p>
	 
</p>

<p>
	The "clever disguise of exploit code amongst legitimate code" and the use of custom malware enables the attackers to avoid detection, Volexity researchers said.
</p>

<p>
	 
</p>

<p>
	The attacks involved tampering with the jQuery JavaScript libraries hosted on the website to serve additional obfuscated JavaScript code from a remote URL, using it to leverage exploits for two Internet Explorer flaws that were patched by Microsoft in August 2020 and March 2021. Successful exploitation resulted in the deployment of a Cobalt Strike stager and a novel backdoor called BLUELIGHT.
</p>

<p>
	 
</p>

<ul>
	<li>
		CVE-2020-1380 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability
	</li>
	<li>
		CVE-2021-26411 (CVSS score: 8.8) - Internet Explorer Memory Corruption Vulnerability
	</li>
</ul>

<p>
	 
</p>

<p>
	It's worth noting that both the flaws have been actively exploited in the wild, with the latter put to use by North Korean hackers to compromise security researchers working on vulnerability research and development in a campaign that came to light earlier this January.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="exploit.jpg" class="ipsImage" data-ratio="36.53" height="260" width="720" src="https://thehackernews.com/images/-E1lELfCsvpg/YRzEM-DMMLI/AAAAAAAADj4/gtN3LyfaO0MLnrYMwpl1LkoMvGFkm1TXACLcBGAsYHQ/s0/exploit.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In a separate set of attacks disclosed last month, an unidentified threat actor was found exploiting the same flaw to deliver a fully-featured VBA-based remote access trojan (RAT) on compromised Windows systems.
</p>

<p>
	 
</p>

<p>
	BLUELIGHT is used as a secondary payload following the successful delivery of Cobalt Strike, functioning as a full-featured remote access tool that provides complete access to a compromised system.
</p>

<p>
	 
</p>

<p>
	In addition to gathering system metadata and information about installed antivirus products, the malware is capable of executing shellcode, harvesting cookies and passwords from Internet Explorer, Microsoft Edge, and Google Chrome browsers, collecting files and downloading arbitrary executables, the results of which are exfiltrated to a remote server.
</p>

<p>
	 
</p>

<p>
	"While SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers," the researchers noted. "The use of recently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/nk-hackers-deploy-browser-exploit-on.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1865</guid><pubDate>Wed, 18 Aug 2021 14:14:26 +0000</pubDate></item><item><title>New Version of the &#x2018;Neurevt&#x2019; Trojan Comes Bundled With Info-Stealers</title><link>https://nsaneforums.com/news/security-privacy-news/new-version-of-the-%E2%80%98neurevt%E2%80%99-trojan-comes-bundled-with-info-stealers-r1861/</link><description><![CDATA[<ul>
	<li>
		<span style="font-size:16px;"><strong>‘Neurevt’ returns in the wild through a campaign that targets Mexican bank accounts and credentials.</strong></span>
	</li>
	<li>
		<span style="font-size:16px;"><strong>The trojan now comes bundled with info-stealers and backdoors, launching privilege escalation attacks.</strong></span>
	</li>
	<li>
		<span style="font-size:16px;"><strong>From stealing clipboard data to monitoring keystrokes and capturing screenshots, ‘Neurevt’ can now</strong></span>
	</li>
</ul>

<p>
	 
</p>

<p>
	Researchers at Cisco Talos have spotted an ongoing campaign that started in June 2021, deploying a new version of the ‘Neurevt’ trojan (aka BetaBot) and targeting mainly financial institutions in Mexico. The main thing that is new in the recent version is that ‘Neurevt’ now comes bundled with backdoors and information stealers, so it can operate as a potent piece of malware on its own. BetaBot was first spotted all the way back in 2013, then got a big update with multi-stage packing in 2018, and from 2020 and onward, it started incorporating other malware too.
</p>

<p>
	 
</p>

<p>
	Those who should be worried about the latest ‘Neurevt’ campaign are Mexicans who access their online banking accounts from their computers. The infection starts with an obfuscated PowerShell command which fetches the trojan executable. This, in turn, creates folders during runtime and drops additional scripts, malware files, and backdoors in them.
</p>

<p>
	 
</p>

<p>
	From there, a process of privilege elevation takes place, hook procedures are installed, and the input from the mouse and keyboard is monitored. Finally, anything that happens on the screen can be captured, and all info that goes into the clipboard can be accessed and exfiltrated to the C2.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="process-1024x663.jpg" class="ipsImage" data-ratio="75.10" height="466" width="720" src="https://cdn.technadu.com/wp-content/uploads/2021/08/process-1024x663.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Neurevt performs some preliminary checks to evade analysis, such as checking whether a debugger is running or whether it was launched in a virtualized environment. Moreover, to evade detection, it uses the HTTP classes of the System.Web namespace for its HTTP communication rather than calling the underlying APIs directly, which is riskier. Finally, firewalls are disabled, internet proxy settings are modified accordingly, and a new registry key is added to the infected system to establish persistence.
</p>

<p>
	 
</p>

<p>
	Cisco Talos found several domains that are used in the ongoing campaign as the receiving ends of the exfiltrated data, like, for example, “russk18[.]icu” and “moscow13[.]at”. While these have a clear linkage to Russia, no definitive attribution was given in the technical report.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="domain-1024x799.png" class="ipsImage" data-ratio="75.10" height="540" width="693" src="https://cdn.technadu.com/wp-content/uploads/2021/08/domain-1024x799.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The best way to avoid dealing with a nasty ‘Neurevt’ infection would be to refrain from downloading files from obscure sources. Also, since it all starts with PowerShell execution, setting stricter policies and blocking suspicious IP addresses would be a solid step to safety. Most anti-virus engines today can catch this particular threat despite its efforts to evade detection, so keeping an up-to-date AV tool around wouldn’t be a bad idea.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.technadu.com/new-version-neurevt-trojan-bundled-info-stealers/295408/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1861</guid><pubDate>Wed, 18 Aug 2021 13:52:41 +0000</pubDate></item><item><title>Iranian Hackers Target Several Israeli Organizations With Supply-Chain Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/iranian-hackers-target-several-israeli-organizations-with-supply-chain-attacks-r1860/</link><description><![CDATA[<p>
	IT and communication companies in Israel were at the center of a supply chain attack campaign spearheaded by an Iranian threat actor that involved impersonating the firms and their HR personnel to target victims with fake job offers in an attempt to penetrate their computers and gain access to the company's clients.
</p>

<p>
	 
</p>

<p>
	The attacks, which occurred in two waves in May and July 2021, have been linked to a hacker group called Siamesekitten (aka Lyceum or Hexane) that has primarily singled out oil, gas, and telecom providers in the Middle East and in Africa at least since 2018, researchers from ClearSky said in a report published Tuesday.
</p>

<p>
	 
</p>

<p>
	Infections undertaken by the adversary commenced with identifying potential victims, who were then enticed with "alluring" job offers at well-known companies like ChipPc and Software AG by attackers posing as human resources department employees of the impersonated firms. The victims were led to a phishing website containing weaponized files that unload a backdoor known as Milan, which establishes connections with a remote server and downloads a second-stage remote access trojan named DanBot.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEjfSOwz6oYKuKdlvbRFflsZ2r0UgyAuNkLi" class="ipsImage" data-ratio="59.31" height="423" width="720" src="https://blogger.googleusercontent.com/img/a/AVvXsEjfSOwz6oYKuKdlvbRFflsZ2r0UgyAuNkLiMH4AKJtVm66GYGKQ2_2b-FT7GOo5mvVE-lrloHVWlNlZaGlKuvHtFDeA6bIoiXpKSyV67GPDtG9MafC3JlR4l2KRIpKu8i26y3a0cYRp-PoGK2cDSv-7_83AT6mtx8pKYL2ljEIRzOno9Aphjv1ixVuD" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	ClearSky theorized that the attacks' focus on IT and communication companies suggests they are intended to facilitate supply chain attacks on their clients.
</p>

<p>
	 
</p>

<p>
	Besides employing lure documents as an initial attack vector, the group's infrastructure included setting up fraudulent websites to mimic the company being impersonated as well as creating fake profiles on LinkedIn. The lure files, for their part, take the form of a macro-embedded Excel spreadsheet that details the supposed job offers and a portable executable (PE) file that includes a 'catalog' of products used by the impersonated organization.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware.jpg" class="ipsImage" data-ratio="63.06" height="450" width="720" src="https://thehackernews.com/images/-ojf_Vd4Bh4Q/YRzesHCcq1I/AAAAAAAADkQ/gx1yYA0L7UAE3ZZXnGb-H0GVgCKLaf9SQCLcBGAsYHQ/s0/malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Regardless of the file downloaded by the victim, the attack chain culminates in the installation of the C++-based Milan backdoor. The July 2021 attacks against Israeli companies are also notable for the fact that the threat actor replaced Milan with a new implant called Shark that's written in .NET.
</p>

<p>
	 
</p>

<p>
	"This campaign is similar to the North Korean 'job seekers' campaign, employing what has become a widely used attack vector in recent years - impersonation," the Israeli cybersecurity company said. "The group's main goal is to conduct espionage and utilize the infected network to gain access to their clients' networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/iranian-hackers-target-several-israeli.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1860</guid><pubDate>Wed, 18 Aug 2021 13:47:51 +0000</pubDate></item><item><title>LockBit 2.0 Ransomware Proliferates Globally</title><link>https://nsaneforums.com/news/security-privacy-news/lockbit-20-ransomware-proliferates-globally-r1859/</link><description><![CDATA[<p>
	Fresh attacks target companies’ employees, promising millions of dollars in exchange for valid account credentials for initial access.
</p>

<p>
	The LockBit ransomware-as-a-service (RaaS) gang has ramped up its targeted attacks, researchers said, with attempts against organizations in Chile, Italy, Taiwan and the U.K. using version 2.0 of its malware.
</p>

<p>
	 
</p>

<p>
	Attacks in July and August have employed LockBit 2.0, according to a Trend Micro analysis released on Monday, featuring a souped-up encryption method.
</p>

<p>
	 
</p>

<p>
	“In contrast to LockBit’s attacks and features in 2019, this version includes automatic encryption of devices across Windows domains by abusing Active Directory (AD) group policies, prompting the group behind it to claim that it’s one of the fastest ransomware variants in the market today,” according to the report. “LockBit 2.0 prides itself on having one of the fastest and most efficient encryption methods in today’s ransomware threat landscape. Our analysis shows that while it uses a multithreaded approach in encryption, it also only partially encrypts the files, as only 4 KB of data are encrypted per file.”
</p>

<p>
	 
</p>

<p>
	The attacks also feature an effort to recruit insider threats from within targeted companies, Trend Micro noted. The last step of the malware’s infection routine is to change the wallpaper on victim machines to what’s effectively an advertisement, with information on how organization insiders can be part of the “affiliate recruitment,” with guaranteed payouts of millions of dollars and anonymity in exchange for credentials and access, according to the report.
</p>

<p>
	 
</p>

<p>
	The fresh spate of attacks is employing the tactic “seemingly to remove middlemen (of other threat actor groups) and to enable faster attacks by providing valid credentials and access to corporate networks,” according to the researchers.
</p>

<p>
	LockBit, it should be noted, recently made headlines as the culprit behind the Accenture cyberattack.
</p>

<p>
	 
</p>

<p>
	<strong>LockBit 2.0 Infection Routine</strong>
</p>

<p>
	For initial access to a targeted corporate network, the LockBit gang recruits affiliates and helpers as mentioned, who perform the actual intrusion on targets, usually via valid remote desktop protocol (RDP) account credentials. To help the cause, LockBit’s creators provide their partners with a handy StealBit trojan variant, which is a tool for establishing access and automatically exfiltrating data.
</p>

<p>
	 
</p>

<p>
	The report pointed out that once in a system, LockBit 2.0 uses a panoply of tools to case the joint, as it were. A network scanner takes stock of the network structure and identifies target domain controllers. It also uses multiple batch files for various purposes, including terminating security tools, enabling RDP connections, clearing Windows Event logs, and making sure that crucial processes, such as Microsoft Exchange, MySQL and QuickBooks, are unavailable. It also stops Microsoft Exchange and disables other related services.
</p>

<p>
	 
</p>

<p>
	But that’s not all: “LockBit 2.0 also abuses legitimate tools such as Process Hacker and PC Hunter to terminate processes and services in the victim system.”
</p>

<p>
	 
</p>

<p>
	After this first stage, it’s time for lateral movement.
</p>

<p>
	 
</p>

<p>
	“Once in the domain controller, the ransomware creates new group policies and sends them to every device on the network,” Trend Micro researchers explained. “These policies disable Windows Defender, and distribute and execute the ransomware binary to each Windows machine.”
</p>

<p>
	 
</p>

<p>
	This main ransomware module goes on to append the “.lockbit” suffix to every encrypted file. Then, it drops a ransom note into every encrypted directory threatening double extortion; i.e., the note warns victims that their files are encrypted and may be published publicly if they don’t pay up.
</p>

<p>
	 
</p>

<p>
	The final step for LockBit 2.0 is changing the victims’ desktop wallpapers into the aforementioned recruitment ad, which also includes instructions on how victims can pay the ransom.
</p>

<p>
	 
</p>

<p>
	<strong>LockBit’s Continued Evolution</strong>
</p>

<p>
	Trend Micro has been tracking LockBit over time, and noted that its operators initially worked with the Maze ransomware group, which shut down last October.
</p>

<p>
	 
</p>

<p>
	Maze was a pioneer in the double-extortion tactic, first emerging in November 2019. It went on to make waves with big strikes such as the one against Cognizant. In summer 2020, it formed a cybercrime “cartel” – joining forces with various ransomware strains (including Egregor) and sharing code, ideas and resources.
</p>

<p>
	 
</p>

<p>
	“After Maze’s shutdown, the LockBit group went on with its own leak site, which led to the development of LockBit,” researchers explained. “The previous version showed characteristics of ready-made ransomware using the double extortion techniques of encrypting files, stealing data and leaking the stolen data when the ransom was not paid.”
</p>

<p>
	 
</p>

<p>
	Now, LockBit 2.0 shows influences from Ryuk and Egregor, perhaps due to shared code DNA. Two notable examples flagged by Trend Micro are:
</p>

<p>
	 
</p>

<ul>
	<li>
		A Wake-on-LAN feature inspired by Ryuk ransomware: it broadcasts the Magic Packet (six 0xFF bytes followed by the target’s MAC address repeated 16 times) to wake offline devices.
	</li>
</ul>
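<p>
	As an added example (not code from Trend Micro, Ryuk or LockBit), the following Python script shows the Magic Packet layout from both sides: it builds one the way a Wake-on-LAN sender does, and it recognises one in captured UDP payloads, which is the check a network sensor would run to spot a single workstation waking every machine on the segment. The packet layout is the standard Wake-on-LAN format; the captured payloads at the bottom are constructed.
</p>

```python
"""Wake-on-LAN Magic Packet: how one is built and how to recognise one on the wire.

Added example, not code from the Trend Micro report or from LockBit/Ryuk.
The packet layout (six 0xFF bytes followed by the target MAC address repeated
16 times, normally broadcast over UDP to port 7 or 9) is the standard
Wake-on-LAN format; the captured payloads at the bottom are constructed here.
"""
import re
import socket

SYNC_STREAM = b"\xff" * 6
MAC_REPEATS = 16
MAGIC_LEN = len(SYNC_STREAM) + 6 * MAC_REPEATS   # 102 bytes


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabbccddeeff'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """The 102-byte payload a WoL sender broadcasts to wake `mac`."""
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS


def magic_packet_target(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if `payload` is a well-formed
    Magic Packet, otherwise None. Trailing bytes (e.g. a SecureOn password) are
    ignored, as NICs ignore them."""
    if len(payload) < MAGIC_LEN or not payload.startswith(SYNC_STREAM):
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def wol_targets(udp_payloads) -> set:
    """Detection helper: from UDP payloads captured on the LAN (e.g. broadcast
    traffic to ports 7 and 9) return the set of MACs some host is trying to wake.
    One workstation emitting a burst of these for every known MAC is the
    'wake everything, then encrypt' behaviour described above."""
    targets = set()
    for payload in udp_payloads:
        mac = magic_packet_target(payload)
        if mac is not None:
            targets.add(mac)
    return targets


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> None:
    """Legitimate administrative use: wake a single host on the local segment."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(build_magic_packet(mac), (broadcast, port))


if __name__ == "__main__":
    # Constructed capture: two genuine wake packets, one look-alike, one unrelated datagram.
    captured = [
        build_magic_packet("00:11:22:33:44:55"),
        build_magic_packet("66-77-88-99-AA-BB"),
        SYNC_STREAM + bytes(range(96)),   # right prefix, body is not a repeated MAC
        b"hello",
    ]
    print(sorted(wol_targets(captured)))   # ['00:11:22:33:44:55', '66:77:88:99:aa:bb']
```

<p>
	Wake-on-LAN is a legitimate administration tool, so the signal to alert on is not the packet itself but its source and volume: a domain controller or a user workstation emitting dozens of these within seconds, rather than a management server waking one host at a time.
</p>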

<p>
	 
</p>

<ul>
	<li>
		Print bombing of the ransom note onto the victim’s network printers, similar to the technique Egregor used to attract the victim’s attention. It uses the Winspool APIs to enumerate connected printers and print a document on each of them.
	</li>
</ul>

<p>
	 
</p>

<p>
	“We…assume that this group will continue to make a scene for a long time, especially since it’s currently recruiting affiliates and insiders, making it more capable of infecting many companies and industries,” Trend Micro researchers concluded. “It would also be wise to assume and prepare for upgrades and further developments in LockBit 2.0, especially now that many companies are aware of its capabilities and how it works.”
</p>

<p>
	 
</p>

<p>
	<strong>How to Protect Organizations from Ransomware</strong>
</p>

<p>
	<br />
	The Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) recommend the following best practices for preventing LockBit 2.0 and other malware infections:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Best-Practices.png" class="ipsImage" data-ratio="75.10" height="540" width="706" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/17123237/Best-Practices.png" />
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1859</guid><pubDate>Wed, 18 Aug 2021 13:42:18 +0000</pubDate></item><item><title>Dallas cops lost 8TB of criminal case data during bungled migration, says the DA... four months later</title><link>https://nsaneforums.com/news/security-privacy-news/dallas-cops-lost-8tb-of-criminal-case-data-during-bungled-migration-says-the-da-four-months-later-r1838/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Murder trial affected last week</strong></span>
</p>

<p>
	 
</p>

<p>
	A bungled data migration of a network drive caused the deletion of 22 terabytes of information from a US police force's systems – including case files in a murder trial, according to local reports.
</p>

<p>
	 
</p>

<p>
	Dallas Police Department confessed to the information blunder last week, revealing in a statement that a data migration exercise carried out at the end of the 2020-21 financial year deleted vast amounts of data from a network drive.
</p>

<p>
	 
</p>

<p>
	"On August 6, 2021, the Dallas Police Department (DPD) and City of Dallas Information and Technology Services Department (ITS) informed the administration of this Office that in April 2021, the City discovered that multiple terabytes of DPD data had been deleted during a data migration of a DPD network drive," said a statement [PDF] from the Dallas County prosecutor's office.
</p>

<p>
	 
</p>

<p>
	The migration, which took place between 31 March and 5 April, actually destroyed 22TB of data. 14TB were recovered, presumably from backups, but "approximately 8 Terabytes remain missing and are believed to be unrecoverable." Affected criminal case files include those created before 28 July 2020, though prosecutors said the precise number "is currently unknown."
</p>

<p>
	 
</p>

<p>
	<strong>It added:</strong>
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong>Effective today, all prosecutors have been instructed to verify with the filing detective that all evidence/files were shared with our office via TechShare before disposing of the case..... Should there be any missing files in a case, the prosecutor will make a written disclosure based upon the information communicated by DPD.</strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	CBS Dallas Fort Worth, a local TV station, reported that murder suspect Jonathan Pitts was due to stand trial on Thursday but has instead been released on bail because his files were deleted in the blunder. The detail was apparently revealed by the prosecutor in a motion filed last week, just a day before the trial had been due to begin. Case files typically contain documents, images, videos, logs of evidence, and more. Evidence (going either way) in Pitts' case may yet be recovered, so the trial is not necessarily off for good. Pitts had pleaded not guilty in the case.
</p>

<p>
	 
</p>

<p>
	District Attorney John Creuzot claimed that while police were immediately aware of what happened, it took them four months to come clean with his prosecutor's office. Meanwhile the local mayor, Eric Johnson, said he was "blindsided" by the data loss.
</p>

<p>
	Such blunders aren't unique to Dallas. Earlier this year Britain's Home Office managed to lose 400,000 criminal evidence records from a Fujitsu-provided mainframe backup appliance. Meanwhile, in France, cloud operator OVH suffered an equally catastrophic data loss after a fire in March gutted one of its data centres in Strasbourg. ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2021/08/16/dallas_data_migration_8tb_deletion/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1838</guid><pubDate>Tue, 17 Aug 2021 15:55:03 +0000</pubDate></item><item><title>Stop using Zoom, Hamburg&#x2019;s DPA warns state government</title><link>https://nsaneforums.com/news/security-privacy-news/stop-using-zoom-hamburg%E2%80%99s-dpa-warns-state-government-r1837/</link><description><![CDATA[<p>
	Hamburg’s state government has been formally warned against using Zoom over data protection concerns.
</p>

<p>
	 
</p>

<p>
	The German state’s data protection agency (DPA) took the step of issuing a public warning yesterday, writing in a press release that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR) since user data is transferred to the US for processing.
</p>

<p>
	 
</p>

<p>
	The DPA’s concern follows a landmark ruling (Schrems II) by Europe’s top court last summer which invalidated a flagship data transfer arrangement between the EU and the US (Privacy Shield), finding US surveillance law to be incompatible with EU privacy rights.
</p>

<p>
	 
</p>

<p>
	The fallout from Schrems II has been slow to manifest — beyond an instant blanket of legal uncertainty. However a number of European DPAs are now investigating the use of US-based digital services because of the data transfer issue, and in some instances publicly warning against the use of mainstream US tools like Facebook and Zoom because user data cannot be adequately safeguarded when it’s taken over the pond.
</p>

<p>
	 
</p>

<p>
	German agencies are among the most proactive in this respect. But the EU’s data protection supervisor is also investigating the bloc’s use of cloud services from US giants Amazon and Microsoft over the same data transfer concern.
</p>

<p>
	 
</p>

<p>
	At the same time, negotiations between the European Commission and the Biden administration to seek a replacement data transfer deal remain ongoing. However EU lawmakers have repeatedly warned against any quick fix — saying reform of US surveillance law is likely required before there can be a revived Privacy Shield. And as the legal limbo continues a growing number of public bodies in Europe are facing pressure to ditch US-based services in favor of compliant local alternatives.
</p>

<p>
	 
</p>

<p>
	In the Hamburg case, the DPA says it took the step of issuing the Senate Chancellory with a public warning after the body did not provide an adequate response to concerns raised earlier.
</p>

<p>
	 
</p>

<p>
	The agency asserts that use of Zoom by the public body does not comply with the GDPR’s requirement for a valid legal basis for processing personal data, writing: “The documents submitted by the Senate Chancellery on the use of Zoom show that [GDPR] standards are not being adhered to.”
</p>

<p>
	 
</p>

<p>
	The DPA initiated a formal procedure earlier, via a hearing on June 17, 2021, but says the Senate Chancellory failed to stop using the videoconferencing tool. Nor did it provide any additional documents or arguments to demonstrate compliant usage. Hence the DPA took the step of a formal warning under Article 58(2)(a) of the GDPR.
</p>

<p>
	 
</p>

<p>
	In a statement, Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information, dubbed it “incomprehensible” that the regional body was continuing to flout EU law in order to use Zoom — pointing out that a local alternative, provided by the German company Dataport (which supplies software to a number of state, regional and local government bodies) is readily available.
</p>

<p>
	 
</p>

<p>
	In the statement [translated with Google Translate], Kühn said: “Public bodies are particularly bound to comply with the law. It is therefore more than regrettable that such a formal step had to be taken. At the [Senate Chancellery of the Free and Hanseatic City of Hamburg], all employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission. As the central service provider, Dataport also provides additional video conference systems in its own data centers. These are used successfully in other regions such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system.”
</p>

<p>
	 
</p>

<p>
	We’ve reached out to the Hamburg DPA and Senate Chancellory with questions.
</p>

<p>
	 
</p>

<p>
	Update: A spokesman for the Hamburg DPA told us: “Currently, there are no plans for further formal steps. We expect the addressed administration to assess our legal reasoning and draw the necessary consequences. Of course, we are always open to further talks, looking for possible ways forward. That is what a formal warning is for in the first place: to make a controller aware of problems he will eventually run into if he stays course.”
</p>

<p>
	 
</p>

<p>
	Zoom has also been contacted for comment.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2021/08/17/stop-using-zoom-hamburgs-dpa-warns-state-government/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1837</guid><pubDate>Tue, 17 Aug 2021 15:50:10 +0000</pubDate></item><item><title>Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-ads-target-cryptocurrency-users-with-cinobi-banking-trojan-r1836/</link><description><![CDATA[<p>
	A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts.
</p>

<p>
	 
</p>

<p>
	The application masquerades as an animated porn game, a reward points application or a video streaming application, Trend Micro researchers Jaromir Horejsi and Joseph C Chen said in an analysis published last week. They attribute the operation to a threat actor tracked as Water Kappa, which was previously found targeting Japanese online banking users with the Cinobi trojan by exploiting vulnerabilities in the Internet Explorer browser.
</p>

<p>
	 
</p>

<p>
	The switch in tactics is an indicator that the adversary is singling out users of web browsers other than Internet Explorer, the researchers added.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="banking-malware.jpg" class="ipsImage" data-ratio="61.53" height="438" width="720" src="https://thehackernews.com/images/-Ws1Gagd3Vgw/YRueXgsyfCI/AAAAAAAADjc/R7W607oqSIkntmOFjTlK21D3cpAJAfbzACLcBGAsYHQ/s0/banking-malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Water Kappa's latest infection routine begins with malvertisements for Japanese animated porn games, reward points apps or video streaming services, whose landing pages urge the victim to download the application. The download is a ZIP archive containing files from an older (2018) version of the legitimate "Logitech Capture" application, alongside modified files that decrypt and run shellcode, which in turn executes the Cinobi banking trojan.
</p>

<p>
	 
</p>

<p>
	The malvertisement portals are geofenced to block non-Japanese IP addresses. The trojan itself is designed to steal usernames and passwords for 11 Japanese financial institutions, three of which are involved in cryptocurrency trading: when a user visits one of the targeted websites, Cinobi's form-grabbing module activates to capture the credentials entered on the login screen.
</p>

<p>
	 
</p>

<p>
	"The new malvertising campaign shows that Water Kappa is still active and continuously evolving their tools and techniques for greater financial gain — this one also aims to steal cryptocurrency," the researchers said. "In order to minimise the chances of being infected, users need to be wary of suspicious advertisements on shady websites, and as much as possible, download applications only from trusted sources."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/malicious-ads-target-cryptocurrency.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1836</guid><pubDate>Tue, 17 Aug 2021 15:43:51 +0000</pubDate></item><item><title>Microsoft Edge &#x2018;Super Duper Secure Mode&#x2019; now has a Settings toggle</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-%E2%80%98super-duper-secure-mode%E2%80%99-now-has-a-settings-toggle-r1832/</link><description><![CDATA[<p>
	We reported a week ago that <a href="https://mspoweruser.com/microsoft-is-testing-a-super-duper-secure-mode-for-the-edge-browser/" rel="external nofollow">Microsoft was testing a Super Duper Secure Mode for its Edge browser</a>, which disables the Just-In-Time (JIT) JavaScript compiler in Edge; the Microsoft Browser Vulnerability Research team considers the JIT responsible for a large share of browser vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Now that feature has a Settings toggle in the Edge Canary browser.
</p>

<p>
	 
</p>

<p>
	The toggle is available under Settings &gt; Privacy, search, and services.
</p>

<p>
	 
</p>

<p>
	The toggle is not available by default however – you still need to enable the mysterious Saya flag.
</p>

<p>
	 
</p>

<p>
	<img alt="saya-1200x340.png" class="ipsImage" data-ratio="47.08" height="204" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/08/saya-1200x340.png">
</p>

<p>
	 
</p>

<p>
	Super Duper Secure Mode disables the JIT and enables additional security mitigations: Control-flow Enforcement Technology (CET) in the Edge renderer process today, with Arbitrary Code Guard (ACG), WebAssembly support and other new mitigations planned for the future.
</p>

<p>
	 
</p>

<p>
	Microsoft hopes Super Duper Secure Mode will be “something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers”.
</p>

<p>
	 
</p>

<p>
	Microsoft also hopes to bring the feature to Edge on Android and macOS.
</p>

<p>
	 
</p>

<p>
	via <a href="https://www.reddit.com/r/MicrosoftEdge/comments/p5m6wq/super_duper_secure_mode_can_now_be_enabled_or/?context=3" rel="external nofollow" target="_blank">Leo Varela</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/microsoft-edge-super-duper-secure-mode-now-has-a-settings-toggle/" rel="external nofollow">Microsoft Edge ‘Super Duper Secure Mode’ now has a Settings toggle</a>
</p>
]]></description><guid isPermaLink="false">1832</guid><pubDate>Tue, 17 Aug 2021 01:46:46 +0000</pubDate></item><item><title>T-Mobile Investigating Claims of Massive Data Breach</title><link>https://nsaneforums.com/news/security-privacy-news/t-mobile-investigating-claims-of-massive-data-breach-r1826/</link><description><![CDATA[<div>
	<p>
		Communications giant T-Mobile said today it is investigating the extent of a breach that hackers claim has exposed sensitive personal data on 100 million T-Mobile USA customers, in many cases including the name, Social Security number, address, date of birth, phone number, security PINs and details that uniquely identify each customer’s mobile device.
	</p>

	<p>
		 
	</p>

	<p>
		On Sunday, Vice.com <a href="https://www.vice.com/en/article/akg8wg/tmobile-investigating-customer-data-breach-100-million" rel="external nofollow" target="_blank">broke the news</a> that someone was selling data on 100 million people, and that the data came from T-Mobile. In <a href="https://www.t-mobile.com/news/network/cybersecurity-incident-update-august-2021" rel="external nofollow" target="_blank">a statement</a> published on its website today, the company confirmed it had suffered an intrusion involving “some T-Mobile data,” but said it was too soon in its investigation to know what was stolen and how many customers might be affected.
	</p>

	<p>
		 
	</p>

	<div id="attachment_56617">
		<img alt="tmob-768x737.png" class="ipsImage" data-ratio="75.10" height="540" width="563" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/tmob-768x737.png">
		<p id="caption-attachment-56617">
			A sales thread tied to the allegedly stolen T-Mobile customer data.
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved,” T-Mobile wrote.
	</p>

	<p>
		 
	</p>

	<p>
		“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the statement continued.
	</p>

	<p>
		“This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”
	</p>

	<p>
		 
	</p>

	<p>
		The intrusion came to light on Twitter when the account <a href="https://twitter.com/und0xxed" rel="external nofollow" target="_blank">@und0xxed</a> started tweeting the details. Reached via direct message, Und0xxed said they were not involved in stealing the databases but was instead in charge of finding buyers for the stolen T-Mobile customer data.
	</p>

	<p>
		 
	</p>

	<p>
		Und0xxed said the hackers found an opening in T-Mobile’s wireless data network that allowed access to two of T-Mobile’s customer data centers. From there, the intruders were able to dump a number of customer databases totaling more than 100 gigabytes.
	</p>

	<p>
		 
	</p>

	<p>
		They claim one of those databases holds the name, date of birth, SSN, drivers license information, plaintext security PIN, address and phone number of 36 million T-Mobile customers in the United States — all going back to the mid-1990s.
	</p>

	<p>
		 
	</p>

	<p>
		The hacker(s) claim the purloined data also includes <a href="https://www.guidingtech.com/imei-vs-imsi-number/" rel="external nofollow" target="_blank">IMSI and IMEI data</a> for 36 million customers. These are unique numbers embedded in customer mobile devices that identify the device and the SIM card that ties that customer’s device to a telephone number.
	</p>

	<p>
		 
	</p>

	<p>
		“If you want to verify that I have access to the data/the data is real, just give me a T-Mobile number and I’ll run a lookup for you and return the IMEI and IMSI of the phone currently attached to the number and any other details,” @und0xxed said. “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”
	</p>

	<p>
		 
	</p>

	<p>
		Other databases allegedly accessed by the intruders included one for prepaid accounts, which had far fewer details about customers.
	</p>

	<p>
		 
	</p>

	<p>
		“Prepaid customers usually are just phone number and IMEI and IMSI,” Und0xxed said. “Also, the collection of databases includes historical entries, and many phone numbers have 10 or 20 IMEIs attached to them over the years, and the service dates are provided. There’s also a database that includes credit card numbers with six digits of the cards obfuscated.”
	</p>

	<p>
		 
	</p>

	<p>
		T-Mobile declined to comment beyond what the company said in its blog post today.
	</p>

	<p>
		 
	</p>

	<p>
		In 2015, a computer breach at big three credit bureau Experian <a href="https://krebsonsecurity.com/2015/10/experian-breach-affects-15-million-consumers/" rel="external nofollow" target="_blank">exposed the Social Security numbers and other data on 15 million people who applied for financing from T-Mobile</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Like other mobile providers, T-Mobile is locked in a constant battle with scammers who target its own employees in <a href="https://krebsonsecurity.com/?s=sim+swapping" rel="external nofollow" target="_blank">SIM swapping attacks</a> and other techniques to wrest control over employee accounts that can provide backdoor access to customer data. In at least <a href="https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/" rel="external nofollow" target="_blank">one case</a>, retail store employees were complicit in the account takeovers.
	</p>

	<h2>
		WHO HACKED T-MOBILE?
	</h2>

	<p>
		The Twitter profile for the account @Und0xxed includes a shout out to <a href="https://twitter.com/intelsecrets" rel="external nofollow" target="_blank">@IntelSecrets</a>, the Twitter account of a fairly elusive hacker who also has gone by the handles IRDev and V0rtex. Asked if @IntelSecrets was involved in the T-Mobile intrusion, @und0xxed confirmed that it was.
	</p>

	<p>
		 
	</p>

	<p>
		The IntelSecrets nicknames correspond to an individual who has claimed responsibility for modifying the source code for the<a href="https://krebsonsecurity.com/?s=mirai" rel="external nofollow" target="_blank"> Mirai “Internet of Things” botnet</a> to create a variant known as “Satori,” and supplying it to others who used it for criminal gain and were later caught and prosecuted, among them Kenny “NexusZeta” Schuchmann, who <a href="https://krebsonsecurity.com/2019/09/satori-iot-botnet-operator-pleads-guilty/" rel="external nofollow" target="_blank">pleaded guilty in 2019</a> to operating the Satori botnet. Two other young men <a href="https://krebsonsecurity.com/2020/06/new-charges-sentencing-in-satori-iot-botnet-conspiracy/" rel="external nofollow" target="_blank">have been charged in connection with Satori</a>, but not IntelSecrets.
	</p>

	<p>
		 
	</p>

	<p>
		How do we know all this about IntelSecrets/IRDev/V0rtex? That identity has acknowledged as much in a series of bizarre lawsuits filed by a person who claims their real name is John Erin Binns. The same Binns identity operates the website intelsecrets[.]su. 
	</p>

	<p>
		 
	</p>

	<p>
		On that site, Binns claims he fled to Germany and Turkey to evade prosecution in the Satori case, only to be kidnapped in Turkey and subjected to various forms of psychological and physical torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely told their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a claim he says led to his alleged capture and torture by the Turks.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="binnsvcia.png" class="ipsImage" data-ratio="57.50" height="324" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/08/binnsvcia.png">
	</p>

	<p>
		 
	</p>

	<p>
		Since then, Binns has filed a flood of lawsuits naming various federal agencies — including the <a href="https://www.courtlistener.com/docket/18719615/13/1/binns-v-federal-bureau-of-investigation/#text" rel="external nofollow" target="_blank">FBI</a>, the <a href="https://www.courtlistener.com/docket/17348542/binns-v-central-intelligence-agency/" rel="external nofollow" target="_blank">CIA</a>, and the <a href="https://www.socom.mil/FOIA/FOIA%20Logs/FOIA%20Log%20FY%202020.pdf" rel="external nofollow" target="_blank">U.S. Special Operations Command</a> (PDF), demanding that the government turn over information collected about him and seeking restitution for his alleged kidnapping at the hands of the CIA.
	</p>

	<p>
		 
	</p>

	<p>
		Speaking to the researcher Alon Gal (<a href="https://twitter.com/UnderTheBreach/status/1426923538099970050" rel="external nofollow" target="_blank">@underthebreach</a>), the hackers responsible for the T-Mobile intrusion said they did it to “retaliate against the US for the kidnapping and torture of John Erin Binns in Germany by the CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure.”
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/08/t-mobile-investigating-claims-of-massive-data-breach/" rel="external nofollow">T-Mobile Investigating Claims of Massive Data Breach</a>
</p>
]]></description><guid isPermaLink="false">1826</guid><pubDate>Tue, 17 Aug 2021 01:23:00 +0000</pubDate></item><item><title>Android 12 new privacy feature lets you grant approximate location access to apps</title><link>https://nsaneforums.com/news/security-privacy-news/android-12-new-privacy-feature-lets-you-grant-approximate-location-access-to-apps-r1825/</link><description><![CDATA[<p>
	Android 12 introduces an approximate location option, a significant change for both users and developers. In the past, granting an app location access meant giving it your precise location, and adjusting an individual app’s location permission meant diving deep into your phone settings.
</p>

<p>
	 
</p>

<p>
	Until now, an app granted location permission received your precise location, which is usually accurate to within a couple of meters. Approximate location coarsens this to a couple of hundred meters.
</p>

<p>
	 
</p>

<p>
	This ability to choose whether to set your app’s permission to precise or approximate location is another significant step towards improved privacy. Certain apps do not need to know your exact location, for example, shopping and even weather apps. These apps can still work effectively from an approximated location. However, there will still be certain apps such as Google Maps and Geocaching apps that will require a precise location to work effectively.
</p>

<p>
	 
</p>

<p>
	<img alt="Android-12-new-privacy-2.webp" class="ipsImage" data-ratio="75.10" height="435" width="720" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/08/Android-12-new-privacy-2.webp">
</p>

<p>
	 
</p>

<p>
	If you are running Android 12 and download a new app, you can easily set location permission. When running the app for the first time, you will be asked to grant location access. Now you will be able to choose ‘Approximate’ from this menu. If the app requires an exact location, you will receive a prompt notifying you and asking to change to ‘Precise’ location.
</p>

<p>
	 
</p>

<p>
	For apps that are already installed and were granted location access earlier, you can switch them to approximate location after the fact: open your phone’s Settings, tap ‘Location’, choose the app whose permission you want to change, and toggle ‘Use precise location’ off. The app will then receive approximate location instead.
</p>

<h2>
	Closing words
</h2>

<p>
	Privacy is becoming an increasing concern to smartphone users. This new feature in Android 12 lets you use the location features of apps without revealing exactly where you are to advertisers and other third-party companies. As an Android user, I appreciate this new approximate location feature and the added privacy that it provides.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/08/16/android-12-new-privacy-feature-lets-you-grant-approximate-location-access-to-apps/" rel="external nofollow">Android 12 new privacy feature lets you grant approximate location access to apps</a>
</p>
]]></description><guid isPermaLink="false">1825</guid><pubDate>Tue, 17 Aug 2021 01:13:45 +0000</pubDate></item><item><title>Attackers Can Weaponize Firewalls and Middleboxes for Amplified DDoS Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/attackers-can-weaponize-firewalls-and-middleboxes-for-amplified-ddos-attacks-r1818/</link><description><![CDATA[<p>
	Weaknesses in the TCP implementations of middleboxes and censorship infrastructure could be weaponized to stage reflected denial-of-service (DoS) amplification attacks, with amplification factors surpassing many of the known UDP-based vectors.
</p>

<p>
	 
</p>

<p>
	Detailed by a group of academics from the University of Maryland and the University of Colorado Boulder at the USENIX Security Symposium, the volumetric attacks take advantage of TCP non-compliance in in-network middleboxes (firewalls, intrusion prevention systems and deep packet inspection (DPI) boxes) to amplify network traffic, with hundreds of thousands of IP addresses offering amplification factors exceeding those of DNS, NTP and Memcached.
</p>

<p>
	 
</p>

<p>
	Reflected amplification attacks are a type of DoS attack in which an adversary exploits the connectionless nature of the UDP protocol: it sends requests with a spoofed source address to misconfigured open servers, which deliver their responses to the spoofed address, overwhelming the target server or network with a flood of packets and rendering it and its surrounding infrastructure inaccessible. The attack works when the response from the abused service is larger than the request, so that thousands of small requests translate into a much larger volume of traffic directed at the target.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacker.gif" class="ipsImage" data-ratio="56.81" height="405" width="720" src="https://thehackernews.com/images/-52nUbEGz3gY/YRqAkTovODI/AAAAAAAADjA/4SuQSt_KXkUSd3Da167hvlPFSuOnFuVRACLcBGAsYHQ/s0/hacker.gif" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	DoS amplification has traditionally been UDP-based because TCP’s three-way handshake (SYN, SYN+ACK, ACK) must complete before any data is exchanged, and an attacker who spoofs the source address never receives the SYN+ACK needed to complete it. The researchers found, however, that a large number of network middleboxes do not conform to the TCP standard and can "respond to spoofed censored requests with large block pages, even if there is no valid TCP connection or handshake," turning the devices into attractive reflectors for DoS amplification attacks.
</p>

<p>
	 
</p>

<p>
	"Middleboxes are often not TCP-compliant by design: many middleboxes attempt [to] handle asymmetric routing, where the middlebox can only see one direction of packets in a connection (e.g., client to server)," the researchers said. "But this feature opens them to attack: if middleboxes inject content based only on one side of the connection, an attacker can spoof one side of a TCP three-way handshake, and convince the middlebox there is a valid connection."
</p>
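<p>
	The mechanism in that quote, as an added toy model in Python (not code from the paper or from any middlebox vendor): a simulated middlebox that injects a block page when it sees a request for a censored host, in two variants, one that waits to see the server’s SYN+ACK before injecting and one that injects on the client’s traffic alone. The attacker sends only the client side of the exchange with the victim’s address forged as the source and never sees the replies; the script then computes the amplification factor each variant yields. The block list, block page, addresses and packet sizes are constructed for the model.
</p>

```python
"""Toy model of why a TCP-non-compliant middlebox becomes a DoS reflector.

Added example; not code from the USENIX paper or from any vendor. The
middlebox logic, the censored hostname and the block page are constructed
here to show the mechanism described above: an attacker spoofs the victim's
address, sends only the client side of a "connection" (SYN, then a PSH+ACK
carrying a GET for a censored host) and never sees the replies. A box that
injects on the basis of that one-sided traffic answers the victim with a
block page many times larger than what the attacker sent.
"""
from dataclasses import dataclass, field

CENSORED_HOSTS = {"blocked.example"}            # constructed block list
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body>" + b"Access to this site is blocked. " * 40
              + b"</body></html>")             # constructed block page


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset
    payload: bytes = b""

    def size(self) -> int:
        return 40 + len(self.payload)           # 20-byte IP + 20-byte TCP header, no options


def _http_host(payload: bytes):
    """Extract the Host header from a plaintext HTTP request, or None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None


@dataclass
class Middlebox:
    """strict=True: inject only into flows whose SYN+ACK it has seen, i.e. it
    needs both directions of the handshake (simplified: the final ACK is not
    tracked). strict=False: the asymmetric-routing design from the quote,
    where one PSH+ACK with a censored Host header is enough."""
    strict: bool
    established: set = field(default_factory=set)

    def observe(self, pkt: Packet) -> list:
        """Return the packets the middlebox injects toward pkt.src for this packet."""
        if pkt.flags == {"SYN", "ACK"}:
            self.established.add((pkt.dst, pkt.src))   # client->server flow is now known
            return []
        if "PSH" in pkt.flags and pkt.payload:
            if _http_host(pkt.payload) not in CENSORED_HOSTS:
                return []
            if self.strict and (pkt.src, pkt.dst) not in self.established:
                return []
            return [Packet(pkt.dst, pkt.src, frozenset({"PSH", "ACK"}), BLOCK_PAGE)]
        return []


def spoofed_sequence(victim: str, server: str, host: str) -> list:
    """Attacker traffic: the client half of a handshake plus the request, source forged."""
    get = f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    return [Packet(victim, server, frozenset({"SYN"})),
            Packet(victim, server, frozenset({"PSH", "ACK"}), get)]


def amplification_factor(box: Middlebox, sent: list) -> float:
    """Bytes the box injects toward the spoofed source / bytes the attacker sent."""
    injected = sum(r.size() for p in sent for r in box.observe(p))
    return injected / sum(p.size() for p in sent)


if __name__ == "__main__":
    seq = spoofed_sequence("10.0.0.5", "203.0.113.7", "blocked.example")
    print(f"compliant box:     {amplification_factor(Middlebox(strict=True), seq):.1f}x")
    print(f"non-compliant box: {amplification_factor(Middlebox(strict=False), seq):.1f}x")
```

<p>
	The strict variant yields nothing because the SYN+ACK it waits for goes to the victim, never to the attacker, and so never passes the box from the attacker’s side. The non-strict variant returns the full block page for two small packets, which is the amplification the paper measured at scale; the absolute factor in the model only depends on how large the constructed block page is relative to the two forged packets.
</p>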

<p>
	 
</p>

<p>
	What's more, a series of experiments found that these amplified responses come predominantly from middleboxes, including nation-state censorship devices and corporate firewalls, highlighting the role played by such infrastructure in enabling governments to suppress access to the information within their borders, and worse, allow adversaries to weaponize the networking devices to attack anyone.
</p>

<p>
	 
</p>

<p>
	"Nation-state censorship infrastructure is located at high-speed ISPs, and is capable of sending and injecting data at incredibly high bandwidths," the researchers said. "This allows an attacker to amplify larger amounts of traffic without worry of amplifier saturation. Second, the enormous pool of source IP addresses that can be used to trigger amplification attacks makes it difficult for victims to simply block a handful of reflectors. Nation-state censors effectively turn every routable IP addresses (sic) within their country into a potential amplifier."
</p>

<p>
	 
</p>

<p>
	"Middleboxes introduce an unexpected, as-yet untapped threat that attackers could leverage to launch powerful DoS attacks," the researchers added. "Protecting the Internet from these threats will require concerted effort from many middlebox manufacturers and operators."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/attackers-can-weaponize-firewalls-and.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">1818</guid><pubDate>Mon, 16 Aug 2021 20:45:03 +0000</pubDate></item><item><title>Spotlight on Security: Malware authors take advantage of the rush to try Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/spotlight-on-security-malware-authors-take-advantage-of-the-rush-to-try-windows-11-r1817/</link><description><![CDATA[<p>
	Since the next version of Microsoft’s desktop operating system, Windows 11, was announced in June, tech enthusiasts the world over have been keen to try out the new platform. As usual, cybercriminals have jumped on the opportunity to spread malware. Telangana Today reports how malware authors have distributed fake installer programs that include a variety of unwanted and malicious programs along with the new Windows.
</p>

<p>
	<br />
	<strong>Why are people using the fake installers? </strong>
</p>

<p>
	 
</p>

<p>
	Microsoft’s official channels allow users to try out Windows 11 in perfect safety, via their Insider programme. By signing up for this, you can upgrade an existing Windows 10 system to a preview version of the next OS. However, Windows 11 comes with new hardware requirements, which mean that for many users, the option to upgrade will not be available. This gives malware authors the opportunity to trick disappointed tech fans into using their own doctored installers, which include some nasty surprises. 
</p>

<p>
	 
</p>

<p>
	<strong>How can you spot the fakes? </strong>
</p>

<p>
	 
</p>

<p>
	Kaspersky’s blog describes the technical details of the threats. By understanding the difference between Microsoft’s genuine installation process and the malicious fakes, alert users can keep their computers safe. Rather than using the Windows Update service, or a complete Windows installation DVD image (ISO file), the cybercriminals use a different method of installation.  
</p>

<p>
	 
</p>

<p>
	The installer file they provide is much smaller than any genuine Microsoft Windows setup program (2 GB rather than 5 GB). This is already a clue in itself. When run, such an installer will initially resemble a genuine Microsoft setup wizard, but then gives further evidence that it is not one. Due to its small size, it cannot complete the installation itself, but has to download an additional setup program. Furthermore, the secondary installer will itself encourage the user to install additional software, claiming that this is e.g. a download manager. All this is completely unlike a genuine Windows installer. 
</p>

<p>
	 
</p>

<p>
	Kaspersky note that there is a range of different fake Windows 11 installers out there, each installing its own unwanted software. This may be relatively harmless adware, but could equally well be highly malicious password-stealing software, or indeed any type of malware.  
</p>

<p>
	 
</p>

<p>
	<strong>How can I test Windows 11 safely? </strong>
</p>

<p>
	 
</p>

<p>
	Very sensibly, Kaspersky advise users to utilise only Microsoft’s official upgrade process if they want to try out Windows 11. For Windows enthusiasts whose PCs do not meet the minimum hardware requirements, we can recommend a totally safe means of trying out a genuine Windows 11 preview version. Whilst Microsoft strictly enforces the current Windows 11 hardware limitations on physical PCs, they have relaxed them for installations on a virtual machine. This means that by using virtualisation, you can try out the new OS safely.
</p>

<p>
	 
</p>

<p>
	Kaspersky also advise users not to use preview builds – even completely safe, genuine Microsoft builds – on the main computer you use every day. Microsoft themselves do the same thing. This is because the very nature of preview builds means that they are not as reliable as the finished product. By using a virtual machine, you can try out Windows 11 safely, and without the risk of destabilising the computer you use every day. There are good, free virtualisation programs available. You will need to start off by installing Windows 10 in a virtual machine, registering for the Windows Insider program, and then selecting the release channel that suits you best for Windows 11 builds.
</p>

<p>
	 
</p>

<p>
	This might take longer than using a fake Windows 11 installer, but will guarantee you a safe and reliable way to try out a genuine build of the new operating system. 
</p>

<p>
	 
</p>

<p>
	<strong>What else should I do to keep my PC secure? </strong>
</p>

<p>
	 
</p>

<p>
	As well as showing users how to avoid fake Windows 11 installers, Kaspersky’s blog further recommends always running a reliable antivirus program on your computer and never disabling it. AV-Comparatives agree completely with this advice. Our test reports can help you to find an effective and reliable antivirus solution that will help keep your computer safe. These can be downloaded free and without registration. By the way, genuine preview builds of Windows 11 come with Microsoft Windows Defender Antivirus built in. 
</p>

<p>
	 
</p>

<p>
	AV-Comparatives is an independent testing lab based in Innsbruck, Austria, and has been publicly testing computer security software since 2004. It is ISO 9001:2015 certified for the scope “Independent Tests of Anti-Virus Software”. It also holds the EICAR certification as a “Trusted IT-Security Testing Lab”.
</p>

<p>
	 
</p>

<p>
	Sources:<br />
	<a href="https://telanganatoday.com/beware-you-could-be-downloading-a-windows-11-malware" rel="external nofollow">https://telanganatoday.com/beware-you-could-be-downloading-a-windows-11-malware</a>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.av-comparatives.org/malware-in-the-media-malware-authors-take-advantage-of-the-rush-to-try-windows-11/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1817</guid><pubDate>Mon, 16 Aug 2021 20:38:55 +0000</pubDate></item></channel></rss>
