Anonymous Hacking Group Targets Controversial Web Hoster Epik

 

US-based web host and domain registrar Epik has confirmed an “unauthorized intrusion” in its systems, a week after members of the hacktivist group ‘Anonymous’ claimed to have obtained and leaked gigabytes of data from the hosting company, including 15 million email addresses.

The firm initially denied reports of the breach, saying, “We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation.”

According to data breach monitoring service HaveIBeenPwned, the leaked data, 180 GB in total, includes not just information on Epik's own customers but also the details of millions of other people and organizations, which Epik scraped via 'Whois' queries from other domain name registrars.

The group claimed the attack was in retaliation for Epik’s habit of hosting questionable alt-right websites. “This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet. Time to find out who in your family secretly ran an Ivermectin horse porn fetish site, disinfo publishing outfit or yet another QAnon hellhole,” the group said. 

Anonymous did not reveal when the attack took place, but timestamps on the most recent files indicate that it likely occurred in late February.

Epik, which was founded in 2009 by current CEO Rob Monster, is known to serve a variety of far-right clients, including Parler, Texas GOP, Gab, and 8chan - all of which are said to have been turned down by mainstream IT providers due to objectionable content. 

Epik has started sending emails to impacted customers regarding an 'unauthorized intrusion', according to screenshots shared by cybersecurity expert Adam Sculthorpe and data scientist Emily Gorcenski. “As we work to confirm all related details, we are taking an approach toward maximum caution and urging customers to remain alert for any unusual activity they may observe regarding their information used for our services,” reads Epik's email notice.

Although the firm did not say in the message if customers' credit card details were exposed, it encouraged users to contact their credit card providers and “notify them of a potential data breach to discuss your options with them directly.”

pNetwork Suffered Loss In Bitcoins Worth $12 Million

 

Hackers allegedly exploited the protocol and seized $12.7 million in Bitcoin, making pNetwork the newest victim of a DeFi hack. Despite losing $12 million in bitcoin, the company says it will reward the hacker with a bug bounty of $1.5 million if the funds are returned.

On the 19th of September 2021, at 5:20 pm UTC, a hacker launched attacks against multiple pTokens bridges on the pNetwork system. Only the attack on the pBTC-on-BSC cross-chain bridge succeeded, with 277 BTC taken from the pBTC-on-BSC collateral. The suspicious activity was detected and the technical team intervened.

In the most recent security incident involving a decentralized finance system, the cross-chain project pNetwork stated on Sunday that it had indeed been hacked and had lost 277 pBTC, a form of wrapped bitcoin, worth more than $12 million.

In a series of tweets announcing the incident, pNetwork said, "We're sorry to inform the community that an attacker was able to leverage a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its collateral). The other bridges were not affected. All other funds in the pNetwork are safe." 

"The bridges will run with extra security measures in place for the first few days," pNetwork said in a follow-up post. "This means slower transactions processing in exchange for higher security." 

For transactions that run on smart contracts on the platform, pBTC tokens represent an equivalent value of bitcoin. pNetwork supports many blockchains, including Binance Smart Chain, Ethereum, EOS, Polygon, Telos, xDAI, and Ultra.

The company has since fixed the bug, proposed a remedy, and invited "everybody to review it." pNetwork confirmed that all other network bridges were not impacted and that the remaining funds are protected; the affected bridge will soon be back in service. The company also addressed a message to the "black hat hacker", offering a "clean" 1 million dollar bounty if all the money is returned.

Although pNetwork acknowledges that the chance of such an outcome is small, there is precedent. As previously reported, Poly Network similarly lost digital assets worth almost $600 million, but the attacker, whom the project dubbed "Mr. White Hat", eventually returned the funds and even declined the offered bounty.

The company stated that “We are adding additional security measures on the bridges as we reactivate them (more on this in the risk management section). Currently, we are also doing some extra checks on the transactions before they are broadcasted — this is not necessary, but something we are temporarily doing to be on the safe side and extra cautious.” 

It should be noted that the network's native cryptocurrency, PNT, has dropped by 20% within 24 hours and is presently below $1.

Russian Electronic Voting System Struck by 19 DDoS Attacks in One Day

 

Yandex, the Russian technology and search engine powerhouse, disclosed last week that it had been hit by one of the world's biggest DDoS attacks ever recorded. 

A distributed denial-of-service (DDoS) attack involves flooding a website or service with a large amount of internet traffic until it stops working and eventually goes down. Cybercriminals have been known to create botnets and launch DDoS attacks using hacked systems or vulnerable/exposed Internet of Things (IoT) devices. 

Russia's remote electronic voting system has now become the next victim, in what appears to be a continuation of targeted DDoS attacks.

According to reports, the 8th Russian State Duma (lower house) elections took place between September 17 and September 19. Voters had to head to the polls to cast their vote for the heads of nine Russian regions and 39 regional parliaments. 

According to Russian news agency Tass, remote electronic voting took place in six locations, including Sevastopol and the regions of Kursk, Murmansk, Nizhny Novgorod, Rostov, and Yaroslavl. 

Around 19 DDoS attempts were thwarted, according to Mikhail Oseevsky, president of Rostelecom. The head of the country's major digital service provider told reporters at the Central Election Commission's information centre that some of the DDoS assaults were very short, lasting only a few minutes, while the longest lasted 5 hours and 32 minutes.

“It (the DDoS attack) began early in the morning and ended in the middle of the day,” Oseevsky disclosed. 

Many of the country's digital resources, including the elections, state services websites, and the CEC's portal, were attacked, according to Oseevsky. 

He added that there had been several efforts to launch large-scale attacks on these resources, but that the department was well prepared to combat and minimise the threat.

The assaults arose from a number of different countries which include: 
  • India 
  • China 
  • Brazil 
  • Russia 
  • Germany 
  • Thailand 
  • Lithuania 
  • Bangladesh 
  • United States 
According to the elections commission, three targeted cyberattacks were documented from abroad, two of which targeted the centre's main website and the third was a DDoS attack.

FTC: Health App and Device Makers Should Comply With Health Breach Notification Rule

 

The Federal Trade Commission on 15th September authorized a policy statement reminding makers of health applications and linked devices that gather health-related data to follow a ten-year-old data breach notification rule. The regulation is part of the agency's push toward more robust technology enforcement under Chair Lina Khan, who hinted that more scrutiny of data-based ecosystems related to such apps and devices could be on the way. 

In written remarks, Chair Lina Khan stated, "The Commission will enforce this Rule with vigour." According to the FTC, the law applies to a range of vendors, as well as their third-party service providers, who are not covered by the HIPAA breach notification rule but are held liable when clients' sensitive health data is breached. 

After being charged with studying and establishing strategies to protect health information as part of the American Recovery and Reinvestment Act in 2009, the FTC created the Health Breach Notification Rule. 

The rule requires suppliers of personal health records and PHR-related companies to notify U.S. consumers and the FTC when unsecured identifiable health information is breached, or risk civil penalties, according to the FTC. "In practical terms, this means that entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information," the FTC says. 

Since the rule's inception, there has been a proliferation of apps for tracking anything from fertility and menstruation to mental health, as well as linked gadgets that collect health-related data, such as fitness trackers. 

The FTC's warning comes after the agency and fertility mobile app maker Flo Health reached an agreement in June over data-sharing privacy concerns. According to the FTC, the start-up company misled millions of women about how it shared their sensitive health data with third-party analytics firms like Facebook and Google, in violation of the FTC Act. 

According to privacy attorney Kirk Nahra of the law firm WilmerHale, the FTC's actions on the Health Breach Notification Rule "are an interesting endeavour to widen how that rule has been understood since it was implemented."

"It is focusing attention on a much larger group of health-related companies, and changing how the FTC has looked at that rule and how the industry has perceived it. I expect meaningful challenges to this 'clarification' if it is put into play," he notes. 

Failure to comply might result in "monetary penalties of up to $43,792 per violation per day," according to the new policy statement.

35 Years of Imprisonment for the Administrator of 200,000 DDoS Attacks


After a nine-day trial, a California jury found the administrator of two distributed denial of service (DDoS) operations guilty. Matthew Gatrel, 32, of Saint Charles, Illinois, operated two websites that let paying users launch over 200,000 DDoS attacks on private and public targets.

Court filings disclose that Gatrel had operated DDoS services since October 2014 through two sites, DownThem and AmpNode. Gatrel used DownThem to sell subscriptions to DDoS services (sometimes referred to as "booters" or "stressers"), while AmpNode supplied clients with pre-configured servers loaded with DDoS attack software and lists of vulnerable systems that could amplify the attacks.

Investigators found that the DownThem booter portal's databases held over 2,000 registered customers. According to the documents, those users launched more than 200,000 DDoS attacks. The targets included households, schools, universities, websites of municipal and local authorities, and financial organizations throughout the world.

“Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services” - the U.S. Department of Justice.

Customers could choose from several subscriptions, each offering different attack capabilities such as duration, intensity, or the ability to launch concurrent attacks.

If the victim is accessible, the service would deploy "reflected amplification attacks" from AmpNode attack servers, employing "hundreds or thousands of other servers connected to the Internet." 

Gatrel did not act alone. In 2018, Juan Martinez of Pasadena helped him operate the DownThem website.

Gatrel faces a statutory maximum of 35 years in federal prison at his sentencing, scheduled for January 27, 2022, for the three crimes of which he was found guilty:

  • one count of conspiracy to commit unauthorized impairment of a protected computer.
  • one count of conspiracy to commit wire fraud.
  • one count of unauthorized impairment of a protected computer.

Juan Martinez, unlike Gatrel, has already pleaded guilty; at his sentencing hearing on 2nd December he faces a statutory maximum term of 10 years in prison.

Pakistani Scammer Sentenced to 12 Years in $200 Million Phone-Fraud Scheme

 

AT&T, the world’s largest telecommunications firm, lost over $200 million after a Pakistani scammer and his partners coordinated a seven-year scheme that led to the fraudulent unlocking of nearly 2 million phones. 

Muhammad Fahd, 35, of Karachi, has been sentenced to 12 years in prison after he bribed several AT&T employees to do his bidding, including unlocking phones, giving him access to their credentials, and installing malware that gave him remote access to the mobile carrier’s servers, the Department of Justice (DOJ) said. 

How it all started

It all began in the summer of 2012 when Fahd recruited an AT&T employee via Facebook using the false name “Frank Zhang”. He bribed the employee and his co-workers with “significant sums of money” to remove the carrier’s protection that locked cellular phones to its network. 

In April 2013, the scammer was forced to recruit a malware developer to manufacture malicious tools after AT&T launched a new unlocking system that restricted corrupt employees from continuing unlocking phones on his behalf. 

“At Fahd’s request, the employees provided confidential information to Fahd about AT&T’s computer system and unlocking procedures to assist in this process. Fahd also had the employees install malware on AT&T’s computers that captured information about AT&T’s computer system and the network access credentials of other AT&T employees. Fahd provided the information to his malware developer, so the developer could tailor the malware to work on AT&T’s computers,” according to the sentencing documents. 

Fahd and his co-conspirators also used multiple shell companies to cover up their illegal activity, including Swift Unlocks Inc, Endless Trading FZE (aka Endless Trading FZC), Endless Connections Inc, and iDevelopment Co, according to the indictment. 

Millions Lost 

AT&T forensic analysis discovered that 1,900,033 cellular phones were unlocked unlawfully by the scammers behind this scheme, resulting in $201,497,430.94 of losses due to lost payments. 

The company also sued former employees after unearthing they were bribed into illegally unlocking phones and seeding malware and malicious tools on its network. “We’re seeking damages and injunctive relief from several people who engaged in a scheme a couple of years ago to illegally unlock wireless telephones used on our network,” AT&T said in a statement to a local media outlet.

“It’s important to note that this did not involve any improper access of customer information or any adverse effect on our customers.” Fahd was arrested in Hong Kong in 2018 and extradited to the US in 2019. He remained in custody until he was sentenced earlier this week to 12 years in prison, after pleading guilty to conspiracy to commit wire fraud in September 2020.

At the sentencing hearing, U.S. District Judge Robert S. Lasnik for the Western District of Washington noted that Fahd had executed a terrible cybercrime over a long period even after he was aware that law enforcement was investigating.

Payment API Flaws Exposed Millions of Users’ Data

 

Researchers discovered API security flaws impacting several apps, potentially exposing the personal and financial information of millions of consumers. 

According to CloudSEK, around 250 of the 13,000 apps published to its BeVigil "security search engine" for mobile applications utilize the Razorpay API to conduct financial transactions. 

Unfortunately, about 5% of these were found to have disclosed their payment integration key ID and key secret. This is not an issue with Razorpay, which caters to over eight million businesses, but with how app developers are misusing its APIs.

Many of the applications exposing API keys have over a million downloads, including those in health and fitness, eCommerce, travel and hospitality, healthcare, and pharma. The applications are based in India, where CloudSEK is also situated. Here is a list of the applications that are affected:
  • One of India’s leading steel trading companies
  • Online grocery app 
  • Nepalekart (Instant Recharge to Nepal): Now remediated 
  • Top education app in south India 
  • Gold merchant 
  • Health app 
The company explained, “When it comes to payment gateways, an API key is a combination of a key_id and a key_secret that are required to make any API request to the payment service provider. And as part of the integration process, developers accidentally embed the API key in their source code. While developers might be aware of exposing API keys in their mobile apps, they might not be aware of the true impact this has on their entire business ecosystem.” 

“CloudSEK has observed that a wide range of companies — both large and small — that cater to millions of users have mobile apps with API keys that are hardcoded in the app packages. These keys could be easily discovered by malicious hackers or competitors who could use them to compromise user data and networks.” 

The compromised data might include user information such as phone numbers and email addresses, transaction IDs and amounts, and order and refund details. 

Furthermore, since similar apps are typically linked with other programmes and wallets, CloudSEK cautioned that much more could be at risk. 

According to the organization, malicious actors may utilise the leaked API information to execute mass purchases and subsequently start refunds, sell stolen information on the dark web, and/or conduct social engineering operations such as follow-up phishing campaigns. 

All ten of the compromised APIs have now been disabled. Nonetheless, CloudSEK encouraged developers to consider the possible effect of such vulnerabilities early in the development process.  

This is because invalidating a payment integration key would stop an app from functioning, resulting in substantial user friction and financial loss.

CloudSEK concluded, “Given the complexities of regenerating API keys, payment providers should design APIs such that, even if the key has not been invalidated, there are options to minimize the permissions and access controls of a given key.” 

“App developers should be given a mechanism to limit what can be done using a key at a granular level, like AWS does. AWS has put in place identity and access management (IAM) policies that can be used to configure the permissions of every operation on an S3 bucket. This practice should be more widely adopted to minimize what threat actors can do with exposed API keys.”
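As an added illustration of the hardcoded-key problem CloudSEK describes (example code written for this page, not CloudSEK's or Razorpay's tooling), the following Python scanner flags key_id/key_secret pairs embedded in app source or a decompiled package. It assumes Razorpay key IDs carry an rzp_live_ or rzp_test_ prefix and that secrets sit in identifiers whose names contain "secret"; the sample source file and key values are constructed.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample of an Android source file with an embedded payment key pair.
# The values are made up; the rzp_test_ prefix follows the Razorpay key ID format
# (an assumption of this example, not something stated in the article).
SAMPLE_SOURCE = """\
package com.example.shop;

public class PaymentConfig {
    // TODO: move to backend before release
    static final String RAZORPAY_KEY_ID = "rzp_test_AbCdEf1234567890";
    static final String RAZORPAY_KEY_SECRET = "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c";
    static final String API_BASE = "https://api.example.invalid/v1/";
}
"""

# A quoted Razorpay-style key ID (assumed format: rzp_live_/rzp_test_ plus an alphanumeric tail).
KEY_ID_RE = re.compile(r'["\'](rzp_(?:live|test)_[A-Za-z0-9]{8,})["\']')
# A quoted string of 16+ characters assigned to an identifier containing "secret" (heuristic).
KEY_SECRET_RE = re.compile(r'(?i)\b\w*secret\w*\s*=\s*["\']([^"\']{16,})["\']')


@dataclass
class Finding:
    kind: str   # "key_id" or "key_secret"
    line: int   # 1-based line number in the scanned text
    value: str  # redacted literal, so reports do not re-leak the secret


def redact(value: str, keep: int = 8) -> str:
    """Keep only a short prefix so a finding can be matched to a key without exposing it."""
    return value[:keep] + "..." if len(value) > keep else value


def scan_source(text: str) -> list[Finding]:
    """Return every embedded key ID or key secret found in the given source text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append(Finding("key_id", lineno, redact(m.group(1))))
        for m in KEY_SECRET_RE.finditer(line):
            findings.append(Finding("key_secret", lineno, redact(m.group(1))))
    return findings


def assess(findings: list[Finding]) -> str:
    """Rate the exposure. The key ID alone is designed for client-side checkout, so it is
    low risk; an embedded secret lets anyone call the payment API as the merchant."""
    kinds = {f.kind for f in findings}
    if "key_secret" in kinds:
        return "critical"
    if "key_id" in kinds:
        return "low"
    return "none"


def scan_directory(root: str, extensions=(".java", ".kt", ".xml", ".json", ".properties")) -> dict[str, list[Finding]]:
    """Walk a source tree (or a decompiled app package) and collect findings per file."""
    results: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                if found:
                    results[path] = found
    return results


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} = {f.value}")
    print("exposure:", assess(scan_source(SAMPLE_SOURCE)))
```

Running the scanner over a build output before release is the cheap check; the fix itself is to keep the secret on the backend, as the article's quoted advice implies.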

$100 Million Pledged by Google to Groups that Manage Open-Source Projects

 

Google recently announced a $100 million donation to organizations that manage open-source security priorities and assist with vulnerability fixes, and it has now revealed eight of the projects it will fund. The Linux Foundation recently stated that it will directly support persons working on open-source project security. Google, Microsoft, the Open Source Security Foundation, and the Linux Foundation Public Health Foundation have all endorsed it. When problems are discovered, the Linux Foundation coordinates fixes. 

The foundation and its partners will use the Open Source Technology Improvement Fund's (OSTIF) security assessments to hunt for previously undiscovered problems. Two Linux kernel security audits are among these initiatives.

The Open Source Technology Improvement Fund is a non-profit corporation committed to improving the security of open-source software. OSTIF makes it simple for projects to dramatically improve security by enabling security audits and reviews. 

"Google's support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open-source ecosystem," said Kaylin Trychon, a security comms manager on the Google Open Source Security team.

OSTIF selected 25 essential projects for MAP, which were then prioritized to determine the eight that will get Google funding. Trychon explains that the eight chosen projects, which include libraries, frameworks, and applications, were chosen because enhancing their security will have the most influence on the open-source ecosystem. 

Along with five other Java-related projects, these eight projects include Git, a prominent version control software, Lodash, a JavaScript utility library, and Laravel, a PHP web application framework. Git, the "de facto" version control software established by Linux kernel founder Linus Torvalds and which forms the backbone of platforms like GitHub and GitLab, is perhaps the largest of the eight audit projects Google is sponsoring. 

Well-known systems and tools used by developers, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat's Ansible, and Google's Guava Java framework, are among the projects with funding pending support. 

Google made a $10 billion commitment to boosting zero-trust programmes, securing software supply chains, and enhancing open-source security following a meeting between US President Joe Biden and leading US tech corporations last month.

Numando: a Banking Trojan Targeting Brazil Abuses YouTube for Spreading

 

ESET researchers have continued their investigation of Latin American banking trojans, this time dissecting Numando, which primarily targets Brazil and only occasionally Mexico and Spain. Numando is comparable to the other malware families in its use of phony overlay windows, its backdoor capability, and its abuse of utilities such as YouTube to host its remote configuration. However, Numando does not show signs of continual evolution, as several other Latin American banking trojans do.

Numando has been operational since 2018, focusing almost entirely on Brazil, although specialists have reported rare attacks on consumers in Mexico and Spain. The malware, written in Delphi, shows bogus overlay windows to mislead victims into entering sensitive data, including banking credentials.

It spreads exclusively via spam and phishing campaigns. Such efforts aren't precisely sophisticated, and just a few hundred victims were found at the time of writing. As a consequence, it seems Numando is "considerably less successful" than others, such as Mekotio and Grandoreiro, across Latin America. 

The operators' lack of sophistication probably explains the low infection rate. Recent Numando campaigns consist of spam emails carrying a phishing message and a .ZIP attachment.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shut down the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.” 

The .ZIP attachment contains a decoy file and a genuine .CAB archive that bundles a legitimate software application, an injector, and the trojan. The malware is hidden within a large .BMP image file. The injector is side-loaded by the legitimate application, and the malware is decrypted using an XOR algorithm and a key.

Once installed on a targeted system, Numando displays counterfeit overlays whenever the victim visits a financial services site. Credentials the user enters are captured and forwarded to the malware's C2 server. To host its remote configuration, Numando abuses public services, particularly Pastebin and YouTube. It can also simulate mouse clicks and keystrokes, and shut down or restart the PC.

Links Detected Between MSHTML Zero-Day Attacks and Ransomware Operations

 

The exploitation of a recently fixed Windows zero-day vulnerability was attributed to known ransomware operators, according to Microsoft and threat intelligence firm RiskIQ.

The existence of the zero-day, called CVE-2021-40444, was revealed on September 7, when Microsoft released countermeasures and cautioned that the vulnerability had been exploited in targeted attacks using specially designed Office documents. 

The vulnerability, in Office's MSHTML browser engine, can be and has been abused for remote code execution. Microsoft delivered patches on September 14 as part of its Patch Tuesday updates.

Microsoft announced the acquisition of RiskIQ in July and posted separate blog posts detailing the attacks exploiting CVE-2021-40444. 

The first exploitation efforts were discovered in mid-August. But Microsoft observed a massive spike in exploitation attempts when the proof-of-concept (PoC) code and other details were made public after the initial announcement. 

As per the company, several threat actors, including ransomware-as-a-service affiliates, have used the public PoC code, but some of the exploitation attempts are part of testing rather than criminal operations. 

The company initially saw fewer than ten exploitation attempts, which leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft tracks the attackers as DEV-0413; the DEV prefix is assigned to emerging threat groups or unusual activity. To deliver the malware, they apparently used emails referencing contracts and legal agreements to get targets to open documents crafted to abuse the MSHTML vulnerability.

Surprisingly, the Cobalt Strike infrastructure utilised in the assaults has earlier been linked to cybercrime organisations known for targeting big corporations with ransomware like Conti and Ryuk. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).

RiskIQ stated in its blog post, “Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.” 

The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.” 

RiskIQ states that the cyberspies could have gained access to the ransomware infrastructure, or they may have been allowed by the ransomware operators to utilise their infrastructure. Only one group might be involved in espionage and cybercrime, or the two groups use the same bulletproof hosting provider. 

According to Microsoft, the initial malicious document in attacks abusing CVE-2021-40444 comes from the internet and should therefore carry the "mark of the web" label.

Microsoft Office should then open the document in Protected View unless the user explicitly enables editing, which limits the impact. However, if the attackers find a way to deliver the document without the mark of the web, they could use the vulnerability to execute the payload without requiring user input.
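As an added defender-side illustration of the mark-of-the-web check discussed above (example code written for this page, not Microsoft's), the following Python parses the Zone.Identifier stream that Windows attaches to downloaded files and reports whether Office would open the document in Protected View. The zone numbers are the standard Windows security zones; the sample stream content and URLs are constructed.

```python
from __future__ import annotations

import configparser
from dataclasses import dataclass
from typing import Optional

# Standard Windows URL security zones as written into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed Zone.Identifier content, in the form a browser writes it for a downloaded file.
# The URLs are placeholders, not indicators from the article.
SAMPLE_MOTW = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/quote.docx\r\n"
)


@dataclass
class ZoneInfo:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def triggers_protected_view(self) -> bool:
        # Office opens files from the Internet (3) and Restricted (4) zones in Protected View.
        return self.zone_id >= 3


def parse_zone_transfer(text: str) -> Optional[ZoneInfo]:
    """Parse Zone.Identifier stream content; return None if it is absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names such as ZoneId exactly as written
    try:
        parser.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer") or not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        zone_id = int(parser.get("ZoneTransfer", "ZoneId"))
    except ValueError:
        return None
    section = parser["ZoneTransfer"]
    return ZoneInfo(zone_id, ZONE_NAMES.get(zone_id, "Unknown"),
                    section.get("ReferrerUrl"), section.get("HostUrl"))


def read_zone_identifier(path: str) -> Optional[ZoneInfo]:
    """Read a file's Zone.Identifier alternate data stream (NTFS on Windows only).
    Returns None when the stream is missing, i.e. the file carries no mark of the web."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_transfer(fh.read())
    except OSError:
        return None


def classify(zone: Optional[ZoneInfo]) -> str:
    """Triage label for an Office document found in a user's download or mail folder."""
    if zone is None:
        return "no-motw"          # a downloaded document without MOTW deserves a closer look
    if zone.triggers_protected_view:
        return "protected-view"   # Office will sandbox it until the user enables editing
    return "trusted-zone"         # intranet/trusted origin: Protected View does not apply


if __name__ == "__main__":
    info = parse_zone_transfer(SAMPLE_MOTW)
    print(info, "->", classify(info))
```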

Lubbock County Denies Data Leak, Says Data Temporarily Attainable Under New Software System

 

Earlier this month, the personal court records for residents of Lubbock County, located in the US state of Texas, were exposed when the county transitioned to a new computer software system. The exposed data contained non-disclosure orders, criminal cases, and civil and family law records. 

According to the county’s official website, Lubbock County Defense Lawyers Association and county officials are not on the same page concerning how to define the incident.

In a news release from the County, Judge Curtis Parrish said: “On Tuesday, September 14, 2021, Lubbock County Information and Technology Department became aware that certain court records that were previously unavailable for review by the public had become viewable under Lubbock County’s new software system. Some of these records include non-disclosure orders, criminal cases, civil and family law records. This access portal has now been blocked temporarily until we can identify which court records maybe [sic] accessed by the parties, attorneys, and the general public.

This was not a data breach [sic], or an issue where the computer system was compromised. Lubbock County will continue to review policies concerning all court records, in our effort to make these documents accessible to the attorneys and the public.” 

However, an earlier release by the Lubbock County Defense Lawyers Association characterized the incident as a data breach. The association said it became aware of the situation on September 10. 

“This data includes information on individuals who have had criminal cases expunged or non-disclosure orders signed in their criminal case. This breach affected cases at all levels and in all courts in Lubbock County. Some individuals’ data have been removed from the public access system, while other individuals’ data are still available,” said Lubbock County Defense Lawyers Association in their news release. 

Attacks on local governments are a growing concern for law enforcement agencies and government officials. With shoestring budgets, local governments rarely have dedicated security experts, which leaves a huge hole in their security. In March 2021, a report from consumer tech information site Comparitech revealed that American government organizations had lost $18.88 billion to cyber-attacks.

Over the past three years, 246 ransomware attacks have struck U.S. government organizations. These attacks potentially affected over 173 million people and cost nearly $52.88 billion. According to the report, the motive of most of these attacks was to halt processes, interrupt services and cause disruption, not to steal data.

Secrets from Public Repositories Were Exposed Due to Travis CI Flaw

 

Travis CI, a continuous integration provider located in Berlin, has patched a severe issue that exposed signing keys, API keys, and access credentials, possibly putting thousands of companies at risk. Given the possible consequences, the firm has been criticized for not providing a more detailed description of the security vulnerability. Péter Szilágyi, the Ethereum cryptocurrency project's team head, tweeted, "Anyone could exfiltrate these [secrets] and gain lateral movement into 1000s of orgs."

The flaw, tracked as CVE-2021-41077, has been fixed by Travis CI, and companies have been advised to rotate their secrets as soon as possible. According to Szilágyi's tweet, the vulnerability was identified by Felix Lange and reported to Travis CI on September 7. Travis CI claims to have started fixing the vulnerability on September 3, suggesting that it detected the problem before being contacted, although the timeline is unclear.

"The desired behavior (if .travis.yml has been created locally by a customer, and added to git) is for a Travis service to perform builds in a way that prevents public access to customer-specific secret environment data such as signing keys, access credentials, and API tokens," the vulnerability description reads. "However, during the stated 8-day interval, secret data could be revealed to an unauthorized actor who forked a public repository and printed files during a build process." 

In other words, a fork of a public repository could submit a pull request and gain access to the private environment variables stored in the upstream repository. Under normal conditions, encrypted environment variables are not made available to pull requests from forks, precisely because of the risk of exposing them to unknown code, as Travis CI notes in its documentation. 
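The fork-versus-upstream distinction described above is something a project can also enforce on its own side of the build, as defense in depth for the case where the CI service gets it wrong. The following is an added example, not code from the article or from Travis CI: it reads the Travis CI build variables TRAVIS_PULL_REQUEST, TRAVIS_REPO_SLUG and TRAVIS_PULL_REQUEST_SLUG, strips the secret variables from the environment handed to later build steps when the build comes from a fork, and masks any secret value that still ends up in build output. SECRET_VARS and the environment dictionaries are constructed for the example. None of this replaces rotating the secrets once they may have been exposed.

```python
"""Refuse to hand secrets to a build that comes from a fork.

Added example (not Travis CI's code). Uses the Travis CI build environment
variables TRAVIS_PULL_REQUEST, TRAVIS_REPO_SLUG and TRAVIS_PULL_REQUEST_SLUG.
SECRET_VARS is a hypothetical list of the names a project keeps secrets under.
"""
import os
from typing import Dict, Iterable

SECRET_VARS = ("SIGNING_KEY", "API_TOKEN", "DEPLOY_PASSWORD")  # hypothetical names


def is_fork_pull_request(env: Dict[str, str]) -> bool:
    """True when the build was triggered by a pull request whose head
    repository differs from the upstream repository, i.e. it is a fork."""
    if env.get("TRAVIS_PULL_REQUEST", "false") == "false":
        return False  # a push build, not a pull request build
    head = env.get("TRAVIS_PULL_REQUEST_SLUG", "")
    upstream = env.get("TRAVIS_REPO_SLUG", "")
    return head != "" and head != upstream


def prepare_build_env(env: Dict[str, str],
                      secret_names: Iterable[str] = SECRET_VARS) -> Dict[str, str]:
    """Copy of env with the secret variables removed when the build comes
    from a fork, so later steps (and anything the forked code prints)
    cannot read them. Non-fork builds keep their secrets."""
    if not is_fork_pull_request(env):
        return dict(env)
    blocked = set(secret_names)
    return {k: v for k, v in env.items() if k not in blocked}


def redact(text: str, secret_values: Iterable[str]) -> str:
    """Mask secret values that made it into build output before it is logged."""
    for value in secret_values:
        if value:
            text = text.replace(value, "[REDACTED]")
    return text


if __name__ == "__main__":
    # constructed environment mimicking a pull request opened from a fork
    fork_env = {"PATH": os.environ.get("PATH", ""),
                "TRAVIS_PULL_REQUEST": "42",
                "TRAVIS_REPO_SLUG": "org/app",
                "TRAVIS_PULL_REQUEST_SLUG": "someone-else/app",
                "API_TOKEN": "tok-constructed-123"}
    safe_env = prepare_build_env(fork_env)
    print("fork build:", is_fork_pull_request(fork_env))
    print("API_TOKEN visible to build steps:", "API_TOKEN" in safe_env)
    print(redact("curl -H 'Authorization: tok-constructed-123'", [fork_env["API_TOKEN"]]))
```

Run this as the first step of the build script; the real value of the check is that it does not rely on the CI provider's own fork handling, which is exactly what failed during the eight-day window the advisory describes.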

According to Geoffrey Huntley, an Australian software and DevOps engineer, Travis CI's vulnerability poses a supply chain risk for software developers and any organization using software from Travis CI projects. "For a CI provider, leaking secrets is up there with leaking the source code as one of the worst things you never want to do," Huntley says. 

Szilágyi further chastised Travis CI for downplaying the event and failing to acknowledge its "gravity," and urged GitHub to ban the company for its weak security posture and vulnerability report methods. 

"After three days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th," Szilágyi tweeted. "No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen."

City of Yonkers Refuses to Pay Ransom After Attackers Demand $10 million

The City of Yonkers has refused to pay after ransomware attackers demanded $10 million to restore the various systems that serve the city's different departments.

Earlier this month, government employees at the City of Yonkers were unable to access their laptops or computers after the city suffered an intrusion by ransomware attackers. In the meantime, employees were told to restore as much data as possible manually from backups, which often means keeping pen-and-paper records that are later transferred into databases.

The ransomware outbreak 

Ransomware attacks against local governments are rising steadily. Last year, at least 2,354 governments, healthcare facilities and schools were targeted by ransomware attackers. Local governments are lucrative targets because they are less well equipped in terms of resources and capabilities. 

A 2020 survey of state chief information security officers found that 70 percent listed ransomware as a top concern, citing funding hurdles and a lack of confidence in localities’ ability to guard state information assets. And after a ransomware event occurs, only 45 percent of local law enforcement agencies felt that they “had access to the resources” to analyze digital evidence linked to the crime. This lets attackers operate with more confidence, as Third Way found that only 3 out of every 1,000 cybercrimes reported to the FBI result in an arrest. 

In 2019, the City of Baltimore was crippled for more than two weeks before the government’s systems were restored, a delay that cost the city more than $18 million. Although Baltimore followed the advice of cybersecurity experts and the FBI not to pay the ransom, many people questioned the city’s strategy, given the extent of the damage.

“If we paid the ransom, there is no guarantee [the attackers] can or will unlock our system. There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future,” Mayor Bernard C. Jack Young said while responding to the critics.

“Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action,” he added. 

No more ransom payments

When three more local governments were attacked within the space of a few months, it prompted a meeting of the United States Conference of Mayors. The meeting resulted in a unanimous decision to stop paying ransom demands.

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit. The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,” the mayors wrote.

In the case of the City of Yonkers, the city confirmed that the virus was quarantined on the network, no ransom was paid and the Department of Homeland Security was notified.

German Election Authority Confirms Probable Cyber Attack

Suspected hackers briefly disrupted the website of the authority managing Germany's September 26 federal election, a spokesperson for the agency told AFP on Wednesday. 

The news was originally reported by Business Insider, and it comes as German federal prosecutors investigate suspected cyber attacks on legislators during the election campaign for a new parliament and a successor to Chancellor Angela Merkel. 

In the context of the hacking report, the spokesperson stated, "At the end of August the website of the Federal Returning Officer only had limited accessibility for a few minutes due to a malfunction." 

"The problem was analysed and the technical concepts were further developed accordingly. The information for the public through the website of the Federal Returning Officer was and is ensured." 

According to Business Insider, the website that publishes the official election results was flooded with requests in a distributed denial of service attack, causing the servers to go down. 

As per the official sources, IT systems essential for the smooth running of the election were unaffected, presumably due to enhanced safeguards in place. 

Last week, the German government accused Russian intelligence of conducting "phishing" attacks against German lawmakers, prompting the federal prosecutor's office to open an investigation on suspicion of espionage. 

Berlin has blamed Russian hackers from the "Ghostwriter" group, which is said to specialize in spreading disinformation. German intelligence believes they were attempting to gain access to the private email accounts of federal and regional MPs, and that the attacks were carried out by Russia's military intelligence service, the GRU. 

The European Union and the United States have frequently accused Moscow of interfering in democratic elections, a charge that Moscow rejects. 

The Russian Foreign Ministry spokesman, Maria Zakharova, stated at a briefing on Thursday, "Despite our repeated appeals through diplomatic channels, our partners in Germany have not provided any evidence of Russia's involvement in these attacks". 

Germany’s Foreign Ministry spokesperson Andrea Sasse said on Wednesday, “The German government regards this unacceptable action as a threat to the security of the Federal Republic of Germany and to the democratic decision-making process, and as a serious burden on bilateral relations. The federal government strongly urges the Russian government to cease these unlawful cyber activities with immediate effect."

Hackers Impersonate Bank Customers and Make $500k in Fraudulent Credit Card Payments

Overseas hackers impersonated 75 bank customers and made $500,000 in fraudulent credit card payments by intercepting the one-time passwords (OTPs) that banks send via SMS text messages. In a joint statement released on Wednesday, the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS) and the Singapore Police Force described how the hackers diverted SMS OTPs from banks to foreign mobile network systems. 

The SMS diversion method, they said, “requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”. The fraudulent transactions took place between September and December last year. The bank customers said that they did not initiate the transactions and that they never received the SMS OTPs required to complete them. 

According to Mr. Wong, the deputy chairman of MAS, the authority would engage with financial institutions to fine-tune the existing framework on fraudulent payment transactions, which covers the responsibilities and liabilities of banks and customers in such cases. 

Between September last year and February, the police received 89 reports of fraudulent card transactions using SMS one-time passwords (OTPs), according to Mr. Wong. Ms. Yeo Wan Ling (Pasir-Ris Punggol GRC) had inquired if bank-related cyber frauds had increased in the previous six months.

"While these cases represent less than 0.1 percent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, it is nevertheless concerning," Mr. Wong said. 

Singapore's financial and telecommunications networks were not hacked, according to the authorities. Affected customers who had taken steps to safeguard their credentials would not be charged for any of the fraudulent transactions, as a gesture of goodwill from the banks, the authorities said. The names of the banks involved were not disclosed. 

In this incident, the cybercriminals first obtained the victims' credit card details and mobile phone numbers. They then broke into the networks of overseas telecoms and used them to alter the location information of the Singapore victims' mobile phones. 

By doing so, the hackers deceived Singapore telecom networks into believing that Singapore phone numbers were roaming overseas on the networks of other countries. The hackers subsequently made fraudulent online card payments using the victims' stolen credit card information.

As a result, when banks issued SMS OTPs to victims to authenticate transactions, the criminals were able to reroute these text messages to foreign mobile network systems. The fraudulent card payments were subsequently completed using the stolen OTPs. This corresponds to the victims' claims that they did not get the OTPs.

New Malware Variant Employs Windows Subsystem for Linux for Attacks

Security researchers have found a new malware variant that uses the Windows Subsystem for Linux (WSL) to infect systems covertly. The research shows that malicious actors are exploring new attack tactics and turning to WSL to avoid detection. 

Black Lotus Labs, the threat research arm of Lumen Technologies, reported on Thursday, September 16, that it had detected several malicious Python files compiled into the ELF (Executable and Linkable Format) binary format for Debian Linux. 

The first samples, built for the WSL environment, appeared at the beginning of May, and new ones surfaced every two to three weeks until August 22. They function as WSL loaders and are detected very poorly by public file-scanning services. The next stage injects into a running process using Windows API calls, a technique that is neither new nor advanced. 

Of the few instances discovered, only one had a publicly routable IP address, indicating that the attackers involved are still testing WSL as a way to install malware on Windows. The malicious files rely mostly on Python 3 to do their work and are bundled with PyInstaller as ELF binaries for Debian. 

“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality,” Black Lotus Labs said. 

Just over a month ago, only one VirusTotal antivirus engine flagged one of the malicious Linux files. Rescanning another sample showed that the service's engines still did not fully detect it. 

One of the variants, written entirely in Python 3, does not even use Windows APIs and appears to be the first attempt at a WSL loader. It works on both Windows and Linux using standard Python libraries. 

Microsoft released the Windows Subsystem for Linux in April 2016. When WSL came out of beta in September, researchers from Check Point disclosed a technique called Bashware, in which WSL could be misused to hide malicious code from security products. 

The researchers believe the code is still under development, even at its final stage, based on the inconsistencies found across the samples analysed. The limited public IP exposure suggests activity in Ecuador and France at the end of June and the beginning of July, restricted to a small number of targets. 

Black Lotus Labs further recommends that anyone who has WSL enabled make sure that logging is activated, so that such intrusions can be detected.
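The detection gap the researchers point to is that Windows endpoint agents rarely inspect ELF files at all, so a WSL loader that is a Debian ELF binary wrapping a PyInstaller bundle slips past them. A simple compensating check, alongside the WSL logging recommended above, is to look at files on a Windows host for exactly that combination. The following is an added example, not tooling from Black Lotus Labs: ELF_MAGIC is the standard four-byte ELF header, PYINSTALLER_MAGIC is the marker PyInstaller writes into the archive it appends to an executable, and the sample files are constructed inline rather than taken from the campaign.

```python
"""Flag ELF binaries that carry a PyInstaller archive.

Added example (not Black Lotus Labs' code). ELF_MAGIC is the standard ELF
identification; PYINSTALLER_MAGIC is the cookie PyInstaller stores in the
archive appended to the executable. build_sample() constructs harmless test
files that only imitate the file shape, not real malware.
"""
import struct

ELF_MAGIC = b"\x7fELF"
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
MACHINES = {3: "x86", 62: "x86-64", 183: "aarch64"}


def parse_elf_header(data: bytes):
    """Return the ELF class and target machine, or None if data is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_machine = struct.unpack(endian + "H", data[18:20])[0]
    return {"class": ei_class, "machine": MACHINES.get(e_machine, hex(e_machine))}


def classify(data: bytes) -> dict:
    """Combine the two indicators: an ELF file that embeds a PyInstaller
    archive is the shape of the WSL loaders described in the report."""
    header = parse_elf_header(data)
    packed = PYINSTALLER_MAGIC in data
    return {"elf": header is not None, "pyinstaller": packed, "header": header,
            "suspicious": header is not None and packed}


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return classify(f.read())


def build_sample(elf: bool = True, packed: bool = True) -> bytes:
    """Construct a minimal test file: a fake ELF64 x86-64 header (or a PE-style
    'MZ' header), a filler body, and optionally a PyInstaller cookie."""
    if elf:
        head = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # e_ident
        head += struct.pack("<HH", 2, 62)                      # e_type, e_machine
        head = head.ljust(64, b"\x00")
    else:
        head = b"MZ".ljust(64, b"\x00")
    body = b"\x00" * 128 + b"constructed filler, not a payload" + b"\x00" * 128
    trailer = PYINSTALLER_MAGIC + b"\x00" * 16 if packed else b""
    return head + body + trailer


if __name__ == "__main__":
    for name, sample in (("elf+pyinstaller", build_sample(True, True)),
                         ("plain elf", build_sample(True, False)),
                         ("pe+pyinstaller", build_sample(False, True))):
        print(name, "->", classify(sample))
```

A PE file with a PyInstaller cookie is just an ordinary packaged Windows Python application, so classify() deliberately does not flag it; the signal is the ELF-plus-PyInstaller pairing on a Windows host, which is worth correlating with the WSL logs the report recommends enabling.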

Hackers attack Russian organizations through a new Microsoft Office vulnerability

Information security specialists from Kaspersky Lab reported that hackers are trying to attack Russian companies through a new vulnerability in Microsoft Office products. At least one attack targeted government agencies. Using the vulnerability, attackers can not only spy on users of the infected system but also download malware such as ransomware onto it. Experts expect hackers to exploit the flaw actively, as users are slow to install updates.

According to Yevgeny Lopatin, head of the complex threat detection department at Kaspersky Lab, attackers are currently exploiting the vulnerability by sending a phishing email with a document attached. An employee only needs to open the document on their computer for the exploit to trigger, after which malware is downloaded and installed on the victim’s machine.

Rostelecom-Solar has registered one targeted attack on government bodies using this vulnerability, said Igor Zalevsky, head of the Solar JSOC CERT cyber incident investigation department.

The expert added that a number of government systems are still using Internet Explorer as the recommended browser.

This is actually a vulnerability in MSHTML, the rendering engine of the Internet Explorer browser. The component is responsible for displaying web page content (images, fonts and other files). Microsoft Office also uses MSHTML to display web content within documents.

The vulnerability in MSHTML allows an attacker to create modified documents with malicious scripts. After compromising the system through this vulnerability, an attacker can install a backdoor.

According to experts, a wave of attacks exploiting the MSHTML flaw is expected. The vulnerability can be used both in advanced targeted attacks and in ordinary phishing emails.
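Because Office only renders web content inside a document through MSHTML when the document tells it where that content lives, one defensive check is to inspect the relationships a Word document declares before anyone opens it. The example below is added here and is not code from Kaspersky Lab or Rostelecom-Solar; it is a general check for remote content, not a signature for the specific flaw. A .docx is a zip package, and every part that references something outside the package records it as a Relationship with TargetMode="External" in a .rels part. Plain hyperlinks are normal; an embedded object or other part fetched from a remote URL is not something a mail attachment needs. The sample documents are constructed by build_docx(), and payload.example.invalid is a placeholder host.

```python
"""List the relationships in a Word document that reach outside the file.

Added example; not Kaspersky's or Rostelecom-Solar's code, and a general
check rather than a signature for the specific bug. The minimal .docx
packages are constructed below; payload.example.invalid is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# plain hyperlinks are normal in any document; other remote targets are not
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def external_relationships(docx_bytes: bytes):
    """Return (part, Id, short Type, Target) for every external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel.get("Id"), short_type, rel.get("Target")))
    return findings


def suspicious_relationships(docx_bytes: bytes):
    """External relationships that are not ordinary hyperlinks."""
    return [f for f in external_relationships(docx_bytes)
            if f[2] not in BENIGN_EXTERNAL_TYPES]


# --- constructed minimal .docx packages for demonstration -------------------
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
 <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
 <Default Extension="xml" ContentType="application/xml"/>
 <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""
ROOT_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>"""
DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p/></w:body></w:document>')
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
 <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""
REMOTE_OBJECT_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://payload.example.invalid/page.html" TargetMode="External"/>
</Relationships>"""


def build_docx(document_rels: str) -> bytes:
    """Construct a minimal Word package with the given document relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("remote object", REMOTE_OBJECT_RELS)):
        print(label, "->", suspicious_relationships(build_docx(rels)))
```

The check is cheap enough to run on every inbound attachment at the mail gateway, and the output (which part, which relationship type, which URL) is what an analyst needs to decide whether a flagged document is a legitimate template pulling a remote image or something that deserves quarantine.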

Republican Governors Association Targeted in Microsoft Exchange Server Attacks

The Republican Governors Association was one of many U.S. organizations attacked in March when a nation-state group exploited vulnerabilities in Microsoft Exchange email servers, according to a breach notification letter filed with the Maine attorney general's office this week.  

The attack was a cause of concern for organizations worldwide; the personal information of nearly 500 people linked with the RGA may have been exposed, and according to the organization's attorney it includes social security numbers. 

The RGA was notified of the breach on March 10, eight days after Microsoft made the campaign public. At this time, it remains unclear who is responsible for the breach and what happened to the compromised data. 

Microsoft Exchange Server attack’s fallout: 

This incident is the latest fallout from the massive breach of Microsoft Exchange Server earlier this year. The breach was linked to hacker groups supported by the Chinese government. Once a public exploit for the vulnerabilities appeared, opportunistic criminals launched large-scale attacks. 

According to the RGA, on February 28 attackers broke into “a small portion of [its] email work environment". It went on to say that it only discovered the hacking campaign on March 10, eight days after Microsoft made a public announcement about it. 

The RGA's spokesman declined to elaborate on specifics of the breach, such as about the offenders and the damage. It further said it was “unable to determine what personal information, if any, was impacted as a result of the incident.”

The US skeptical of China's role in the Microsoft hack

After the cyberattack, the RGA stated that it upgraded its Microsoft software. In July, the US government blamed China for the Microsoft Exchange attack, and the United Kingdom and the European Union backed the United States' condemnation of China. 

The US Department of Justice also filed criminal charges against four Chinese nationals. 

According to security experts, tens of thousands of US state and local organizations were running vulnerable software at the height of the Exchange Server attack. Many, however, were able to protect themselves by installing the software update. 

The US National Security Council has met several times since the incident, urging companies to strengthen their cyber defenses. Businesses outside the United States were also affected by the attack, including in Europe, where the European Union's banking authority, the Norwegian parliament and two German government bodies were all attacked. 

According to Australia's cybersecurity agency, the attack also affected a considerable number of companies in Australia.

Precautionary Measures: 

The Republican Governors Association states that since the assault was identified in March, it has implemented the Microsoft updates for the vulnerable versions of its on-premises Exchange server. According to the letter, law enforcement and other organizations have also been alerted. 

Credit monitoring services are also being offered to the approximately 500 people affected by the attack. 

"Out of an abundance of caution, RGA is also offering you two years of complimentary credit monitoring and identity restoration services with Experian." 

"RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required."

Scammers Use 'IT Support-Themed Email' to Target Organizations

Cybersecurity researchers at the Cofense Phishing Defense Center (PDC) have uncovered a new phishing campaign that uses an 'information technology (IT) support-themed email' to lure users into updating their passwords. 

The email appears legitimate because it is common practice for organizations to send security updates to their employees on a weekly or monthly basis, and IT teams routinely send password-reset emails to strengthen employees’ email security. Targeting organizations with a phishing email of this kind is therefore a smart move by the attackers. 

Researchers first became suspicious of the email because the sending domain was only a few months old. The domain, “realfruitpowernepal[.]com”, was dressed up to look like the organization’s internal IT department, yet closer examination of the domain led to a free web design platform. The second red flag was that the email opened without phrases such as “Good Morning” or “Dear…”, suggesting a mass mailing.

When the user clicks the “Continue” button, a Mimecast link appears, with the (now redacted) user email address at the end of the URL. Users might not suspect anything because the scammers used the correct spelling and name; the link leads to a page posing as a Mimecast web security portal that offers two options: block the malicious link or ignore it. 

Choosing either option directs the user to the same phishing landing page, which reports that the session has expired. The scammers' aim was to make the phishing landing page look identical to the legitimate Mimecast site; however, the researchers found that the URL did not match the authentic Mimecast URL and the footer details were missing.

The scammers employed very effective social engineering. The phishing page is designed so that a user who enters genuine login credentials, or any random string, is still redirected to a page displaying a successful login message.
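The red flags the researchers list (a sending domain registered only months earlier, a display name posing as internal IT from an outside domain, no personal greeting, and a link whose text says Mimecast but whose URL host is not Mimecast's) can be turned into a simple triage score for password-reset emails. The following is an added example, not Cofense's code: the EmailSample records, their registration dates, the internal domain corp.example and the phishing host login.example.invalid are all constructed placeholders, and only the sending domain comes from the report above. In practice the registration date would come from a WHOIS or passive-DNS lookup, which is mocked here.

```python
"""Score a password-reset email against the red flags described above.

Added example (not Cofense's code). EmailSample records, registration dates,
corp.example and login.example.invalid are constructed placeholders.
BRAND_DOMAINS maps a brand named in link text to the domain that should serve it.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple
from urllib.parse import urlparse

GREETINGS = ("dear", "hi ", "hello", "good morning", "good afternoon")
BRAND_DOMAINS = {"mimecast": "mimecast.com"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a hostname."""
    return domain.replace("[.]", ".").lower()


@dataclass
class EmailSample:
    sender_domain: str
    display_name: str
    body: str
    links: List[Tuple[str, str]]   # (link text, URL) pairs
    domain_registered: date        # from WHOIS in real life; constructed here
    received: date


def host_matches(host: str, brand_domain: str) -> bool:
    return host == brand_domain or host.endswith("." + brand_domain)


def score(mail: EmailSample, trusted_domains: Set[str],
          min_domain_age_days: int = 180) -> Tuple[int, List[str]]:
    """Return the number of red flags and a readable reason for each."""
    reasons = []
    sender = refang(mail.sender_domain)
    # 1. poses as the internal IT department but is sent from an outside domain
    if sender not in trusted_domains and "it" in mail.display_name.lower().split():
        reasons.append(f"poses as IT but sent from external domain {sender}")
    # 2. sending domain registered only recently
    age = (mail.received - mail.domain_registered).days
    if age < min_domain_age_days:
        reasons.append(f"sending domain registered only {age} days before the email")
    # 3. no personal greeting, typical of a mass mailing
    lines = mail.body.strip().splitlines()
    first = lines[0].lower() if lines else ""
    if not first.startswith(GREETINGS):
        reasons.append("no personal greeting (bulk-mailing pattern)")
    # 4. link text names a brand but the URL host belongs to someone else
    for text, url in mail.links:
        host = (urlparse(url).hostname or "").lower()
        for brand, brand_domain in BRAND_DOMAINS.items():
            if brand in text.lower() and not host_matches(host, brand_domain):
                reasons.append(f"link text mentions {brand} but points to {host}")
    return len(reasons), reasons


# constructed sample modelled on the campaign described above
PHISH = EmailSample(
    sender_domain="realfruitpowernepal[.]com",
    display_name="IT Support",
    body="Your password expires today. Click Continue to keep your current password.",
    links=[("Continue to Mimecast portal",
            "https://login.example.invalid/mimecast/session?user=jdoe")],
    domain_registered=date(2021, 6, 1),
    received=date(2021, 9, 14),
)

# constructed legitimate reminder from the organisation's own IT team
LEGIT = EmailSample(
    sender_domain="corp.example",
    display_name="IT Support",
    body="Hi Jane,\nYour quarterly password rotation is due on Friday.",
    links=[("Mimecast portal", "https://www.mimecast.com/")],
    domain_registered=date(2010, 1, 1),
    received=date(2021, 9, 14),
)

if __name__ == "__main__":
    for label, mail in (("phish", PHISH), ("legit", LEGIT)):
        n, why = score(mail, {"corp.example"})
        print(f"{label}: {n} red flag(s)")
        for reason in why:
            print("  -", reason)
```

None of the four signals is conclusive on its own (a legitimate vendor may well use a young domain, and some internal mailings are unaddressed), which is why the function returns the reasons rather than a verdict: the score decides whether a message is held for review, and the reasons tell the reviewer where to look.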

How to safeguard against phishing emails?

• Installing security software is the first line of defense against phishing attacks. Antivirus programs, spam filters and firewall programs are quite effective against phishing attacks. 
• Monitor: use phishing simulation tools to evaluate employee knowledge of phishing attacks. 
• Organizations should make cybersecurity awareness campaigns, training, support, education and project management part of their corporate culture. 
• Businesses should deploy multi-factor authentication to prevent hackers from gaining access to their systems.

South Africa’s Department of Justice hit by a Ransomware Attack

South Africa's Justice Department was hit earlier this month by a major ransomware attack and has been struggling ever since to get back to normal. The attack took place on 6 September 2021, when ransomware compromised the department's entire information systems. 

It prevented internal staff and the public from accessing any technology services, including email and websites. According to a Bleeping Computer report, the department responded by immediately activating an emergency plan, with the aim of handling the situation and ensuring that not every activity in the country was interrupted. 

The Justice and Constitutional Development Department declared that child support payments are now suspended until systems return online. 

The report quoted Justice and Constitutional Development spokesperson Steve Mahlangu, who said, “[The attack] has led to all information systems being encrypted and unavailable to both internal employees as well as members of the public. As a result, all electronic services provided by the department are affected, including the issuing of letters of authority, bail services, e-mail, and the departmental website”.

Mahlangu noted that although it is not possible to anticipate the exact day when systems will be restored, the department will “ensure all child maintenance money is kept secure for payment to the rightful beneficiaries when the systems are back online.” 

He further stated that some departmental functions kept working despite the attack. Court sittings continued, for example, after switching to manual recording of hearings, and the manual procedures for issuing various legal documents were also carried out. 

The Department of Justice has also switched to a new email system, to which some employees have already moved. The department could not identify the cybercriminals behind the attack, and no ransom has been paid, even though recovery of the network is taking some time. 

Hackers and ransomware groups frequently steal data before encrypting an information system, which pressures victims into paying a large ransom for fear that the information will be leaked publicly. So far, however, the department's IT experts have found "no indication of data compromise".