Security researchers have discovered tens of millions of accounts from a third-party version of Telegram that were leaked online in another cloud misconfiguration.
Bob Diachenko and the Comparitech team found the exposed data on March 21. It had been posted to an Elasticsearch cluster, password-free, by a group called “Hunting system” in Farsi.
Although the cluster was deleted on March 25, a day after Diachenko informed the hosting provider, at least one user had apparently already posted it to a hacking forum.
That’s bad news, because the trove contained 42 million records from a third-party version of popular messaging app Telegram. They included user account IDs, phone numbers, names, and hashes and secret keys.
As Telegram has been banned in Iran since anti-government protests in 2018, the database could put users at risk of being singled out by the authorities as having something to hide.
Although the hashes and keys can’t be used to access accounts, third-party hackers could use the other information in financially motivated attacks, warned Comparitech.
“SIM swap attacks are one example. A SIM swap attack occurs when the attacker convinces a phone carrier to move a phone number to a new SIM card, allowing them to send and receive the victim’s SMS messages and phone calls. The attacker could then receive their one-time access verification codes, granting full access to app accounts and messages,” explained privacy advocate, Paul Bischoff.
“Affected users could also be at risk of targeted phishing or scams using the phone numbers in the database.”
This isn’t the first such privacy incident involving messaging users in the country. In 2016, hackers identified the user IDs, phone numbers and one-time verification codes of 15 million Telegram users after activation codes were likely intercepted by phone carriers.
Houseparty is offering $1m for evidence of a suspected smear campaign, after several reports emerged that multiple users had had other online accounts compromised via the video conferencing app.
The platform has become extremely popular over recent weeks as consumers flock online to socialize safely during a time of lockdowns and social distancing.
However, similar reports in UK tabloid media outlets on Monday pointed to social media “hysteria” over Houseparty users claiming that their use of the app had somehow led to other accounts being compromised.
These include PayPal, Spotify, Amazon, Netflix, Instagram and eBay.
“Anyone who’s using the #Houseparty app be super careful. My bank account was hacked today and it has been linked back to the app. Lots of other people are experiencing the same thing. I’d definitely recommend deleting it,” noted one user in a typical post on Twitter.
However, security experts have leaped to Houseparty’s defense, claiming there’s no evidence linking Houseparty to compromises of other accounts. If the stories are true, it’s more than likely that reused passwords are to blame.
Experts recommended users switch to two-factor authentication for log-ins across as many sites as they can, and to use a password manager.
As a result of the outcry, the video conferencing platform said it is now looking at whether these rumors were a coordinated attempt to defame the company.
“We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1m bounty for the first individual to provide proof of such a campaign,” it said on Twitter.
“All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn’t collect passwords for other sites.”
Users have also complained on social media that when they tried to delete the app it required them to re-enter their password, and then claimed it was incorrect.
Adverts and listings that capitalize on the COVID-19 outbreak are appearing on Instagram and Facebook despite being banned.
On March 6, Facebook and Instagram announced a temporary ban on ads and listings selling medical face masks on its marketplace. On March 19, Rob Leathern, head of trust and integrity for Facebook ads and business platform, extended the ban to include hand sanitizers, coronavirus testing kits, disinfecting wipes, and several other products.
Tenable's Satnam Narang has observed a growing number of adverts for COVID-19 essentials since the ban was issued.
"Despite the ban, advertisements continue to appear on Facebook and Instagram, some as recently as March 26," said Narang.
"I began observing an uptick in activity in my Instagram Feed on Friday, March 20. All of a sudden, every single sponsored post in my Instagram Feed had something to do with masks, whether it be N95 masks, surgical masks or face shields."
Advertisers have carefully moderated the language they use in their ads in a slippery attempt to get around the ban.
"Many of the advertisements don’t overtly reference COVID-19 or the novel coronavirus that causes it in their posts," said Narang. "They do, however, talk about protecting oneself from 'harmful particles' and how to 'stay protected at all times' while referencing N95 masks or harmful viruses and bacteria, implying a connection to COVID-19."
Narang observed carefully worded ads appearing in his Instagram feed and showing up in his Instagram stories. Some were native to Instagram, but others originated from Facebook advertisers, including duamaskcom and Plengoods.
Alongside Facebook pages and Instagram accounts created recently for the sole purpose of promoting COVID-19-related items like N95 masks, Narang observed opportunists compromising the accounts of existing pages in order to advertise their products.
"The Facebook Page for a Greek restaurant in Zimbabwe was compromised and used to push an advertisement for surgical masks to Instagram. The page does not appear to have been maintained since 2008," said Narang.
But the poor behavior of the few has not caused Narang to lose his faith in humanity.
He told Infosecurity Magazine: "It’s certainly disheartening to see opportunists trying to profit from this crisis, but I’ve definitely seen a lot of kindness that gives me hope: People within communities volunteering to pick up groceries for the elderly, high-risk individuals creating blueprints to 3D print masks and other personal protective equipment, folks brokering deals to secure N95 masks for frontline workers, and retired medical professionals coming out of retirement to help out on the front line."
Narang urged users of these platforms to "help by reporting these ads using the built-in reporting functionality on social media services."
An American court has ordered injunctions against two telecom carriers that facilitated hundreds of millions of fraudulent robocalls to consumers in the United States.
The scam calls predominantly targeted elderly and vulnerable people, successfully conning victims out of personal information, money, and property. Many of the robocalls were made by fraudsters overseas impersonating government agencies and conveying alarming messages.
Victims were tricked into thinking that their assets were being frozen, their personal information had been compromised, or their benefits were about to be stopped.
In some calls, fraudsters impersonated employees at legitimate businesses, including Microsoft.
The injunctions, which relate to two separate civil actions, are the first of their kind to be obtained by the United States Justice Department. Both orders were issued by the US District Court for the Eastern District of New York, and both civil actions are pending.
The first injunction bars husband and wife Nicholas and Natasha Palumbo and two entities from operating as intermediate voice-over-internet-protocol (VoIP) carriers.
The Palumbos, of Scottsdale, Arizona, own and operate Ecommerce National LLC and SIP Retail, which do business as TollFreeDeals.com and sipretail.com, respectively. The couple are currently being investigated for what the District Court described as “widespread patterns of telecommunications fraud, intended to deprive call recipients in the Eastern District of New York and elsewhere of money and property.”
The court noted that though the Palumbos had been warned more than 100 times of specific instances of fraudulent calls being transmitted through their network, they never severed their business relationship with any entity they learned was associated with fraudulent call traffic.
In the second matter, the court entered consent decrees that permanently bar New York resident John Kahen, aka Jon Kaen, and three entities—Global Voicecom Inc, Global Telecommunication Services Inc., and KAT Telecom Inc.—from operating as intermediate VoIP carriers conveying any telephone calls into the US telephone system.
“These massive robocall fraud schemes target telephones of residents across our country, many of whom are elderly or are otherwise potentially vulnerable to such schemes,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.
Carnegie Mellon University (CMU) has launched a cybersecurity-focused master's degree program.
The new program centers on building expertise in risk management, information security, and data privacy and aims to develop key skills in operations, strategy, and analysis.
To earn their master's degree, student teams will have to solve real security problems for a national capital area–based organization or government agency.
Instead of being created as a standalone course, the new program will exist as a security-focused track within CMU's established Master of Science in Information Technology (MSIT) program, taught at Heinz College of Information Systems and Public Policy in Washington, DC.
The MSIT: Information Security and Assurance (Cybersecurity-DC) program will be taught by leading security practitioners and researchers and experts from the CERT Division of CMU’s Software Engineering Institute (SEI).
Among the instructors already lined up for the program is retired Brigadier General Gregory J. Touhill, appointed by President Barack Obama as the first federal CISO of the United States government and currently serving as AppGate Federal Group's president.
"Cybersecurity-DC will create a robust pipeline of highly skilled mission-ready security professionals where it’s needed most—in the heart of the National Capital area region," said Touhill. "Federal agencies and private companies need creative leaders with the blend of skills we teach to better manage risk while defending their organizations and stakeholders against emerging threats."
The program will be delivered in a hybrid format that will see students complete the majority of coursework online. However, some in-person group sessions, seminars, and exams will take place at Heinz College’s DC campus.
"During these sessions, cohort members will have the opportunity to develop a tight-knit community and create lasting peer networks," said a spokesperson for CMU.
“We’re excited to offer this program, which is unique in the field,” said Andy Wasser, associate dean at Heinz College.
“Cybersecurity-DC brings together professionals to collaborate and form close bonds with their cohort. It effectively combines the convenience of online learning with our ethos of experiential learning and practical experience, which is crucial to success in the security context.”
The new program will commence in August 2020.
Security awareness training and simulated phishing provider KnowBe4 has announced that it has discovered a new type of phishing scam. The email warns recipients that they have come into contact with a friend, colleague or family member who has been infected with the coronavirus, and so are at risk of infection themselves.
The email, which is crafted to appear as though it has come from a legitimate hospital, instructs users to open a malicious attachment and proceed immediately to the hospital.
The attachment contains hidden malware, KnowBe4 explained, with a number of advanced functions that allow it to evade detection by security applications, worm its way deep into an infected system and serve as a platform for a variety of criminal activities.
“This is a new type of malware that we’re seeing, as it was reported for the first time just a few days ago,” said Eric Howes, principal lab researcher, KnowBe4. “For the bad guys, this is a target-rich environment that preys on end-users’ fears and heightened emotions during this pandemic. Employees need to be extra cautious when it comes to any emails related to COVID-19 and they need to be trained and educated to expect them, accurately identify them and handle them safely.”
The latest discovery is yet another example of how cyber-criminals are seeking to exploit people through phishing emails during the COVID-19 pandemic.
The British government has launched a new rapid response unit to coordinate the fight against online misinformation about COVID-19.
Reports suggest that the unit, operating from within the Cabinet Office and Number 10, will help to deal with “false and misleading narratives about coronavirus.” These will include everything from phishing scams to fake ‘experts’ issuing false medical advice.
Culture secretary, Oliver Dowden, has claimed that fake news could cost lives.
“We need people to follow expert medical advice and stay at home, protect the NHS and save lives,” he’s quoted by the BBC as saying. “It is vital that this message hits home and that misinformation and disinformation which undermines it is knocked down quickly.”
As part of these efforts, the government is relaunching a campaign on misinformation called “Don’t Feed the Beast.”
Most social media companies have said they will work with governments to try and halt the spread of rumors online.
Earlier this month, Twitter said it was broadening its definition of online harm to include content that contradicts guidance from public health and other trusted bodies. However, it also admitted that increasing its reliance on automated systems may result in more mistakes as they lack the context that human moderators can bring.
Also earlier in March, the UK’s National Cyber Security Centre (NCSC) said it was removing malicious and phishing websites linked to the pandemic, as businesses and consumers continue to be exposed to credential theft, identity fraud, ransomware and more.
The National Crime Agency also last week released information for individuals and businesses on how to stay safe from fraud and other scams.
It’s claimed the new government rapid response unit is dealing with around 70 incidents of misinformation each week.
A leading insurance provider appears to have been targeted by a notorious ransomware group, which is threatening to release information stolen from the company if it doesn’t pay up.
Chubb Insurance, which offers cyber-policies as well as other types of protection, has become the latest company singled out by the Maze group.
Once organizations have been infected with Maze ransomware, the group lists them on its dedicated ‘News’ site, which Infosecurity won't link to, where they are given notice that stolen records will be published unless the ransom is paid.
It’s a relatively new but increasingly popular tactic used by ransomware gangs to force payment even if the victim organization has working backups and could otherwise recover without paying.
The group claimed on its site that Chubb was “locked” at some point in March. It included the emails of the firm’s CEO, COO and vice-chairman as ‘evidence’ of its intent, although the insurer has claimed its systems remain untouched.
"We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider. We are working with law enforcement and a leading cybersecurity firm as part of our investigation,” it said in a statement.
“We have no evidence that the incident affected Chubb’s network. Our network remains fully operational and we continue to service all policyholder needs, including claims. Securing the data entrusted to Chubb is a top priority for us. We will provide further information as appropriate.”
That said, security researchers have discovered unpatched vulnerabilities at the firm which could theoretically have provided a route to ransomware infection.
Bad Packets Report claimed last week to have found five exposed Citrix NetScaler servers at the firm, after scanning for the CVE-2019-19781 vulnerability.
The flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway allows an unauthenticated attacker to achieve arbitrary code execution on the appliance. It has already been linked to multiple ransomware attacks, including one on a German car parts manufacturer.
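Bad Packets' scan method is not described above, and the page does not detail the bug. What a defender reviewing a perimeter appliance would want is a way to spot exploitation attempts against CVE-2019-19781 in web or proxy logs. The following is an added example, not Bad Packets', Citrix's or the insurer's code. It keys on the publicly documented shape of the attack, a path traversal from the unauthenticated /vpn/ tree into /vpns/ (the same pattern Citrix's interim responder-policy mitigation blocked), and runs over a few constructed Common Log Format lines, which are not real traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Public indicators for CVE-2019-19781 attempts against Citrix ADC / Gateway:
# a traversal from /vpn/ into /vpns/ (plain or URL-encoded), a read of
# /vpns/cfg/smb.conf (the usual "is it vulnerable" check), and a POST to a
# Perl script under /vpns/portal/scripts/ (the write step of the exploit).
TRAVERSAL = re.compile(r"/vpn/(?:\.\./|%2e%2e/|\.\.%2f|%2e%2e%2f)+vpns/", re.IGNORECASE)
SCRIPT_HIT = re.compile(r"/vpns/portal/scripts/[A-Za-z0-9_]+\.pl", re.IGNORECASE)
CFG_READ = re.compile(r"/vpns/cfg/smb\.conf", re.IGNORECASE)

# Common Log Format with an optional trailing referer / user-agent pair.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    reason: str

def classify(path: str, method: str) -> Optional[str]:
    """Return a reason string if the request matches a CVE-2019-19781 pattern, else None."""
    if TRAVERSAL.search(path):
        if CFG_READ.search(path):
            return "traversal to smb.conf (vulnerability check)"
        if SCRIPT_HIT.search(path) and method == "POST":
            return "traversal POST to portal script (exploitation attempt)"
        return "traversal into /vpns/"
    return None

def scan_log(lines: List[str]) -> List[Hit]:
    """Parse CLF lines and return the requests that look like CVE-2019-19781 activity."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than aborting the whole scan
        reason = classify(m["path"], m["method"])
        if reason:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), reason))
    return hits

# Constructed sample log lines (not real traffic): a benign VPN page load,
# a vulnerability check, an encoded traversal, an exploit POST, and junk.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Mar/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Mar/2020:10:01:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83',
    '198.51.100.7 - - [20/Mar/2020:10:01:12 +0000] "GET /vpn/%2e%2e/vpns/ HTTP/1.1" 403 0',
    '198.51.100.7 - - [20/Mar/2020:10:01:15 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.ip} {h.method} {h.path} -> {h.reason}")
```

A 403 on the traversal request means the appliance (or a mitigation in front of it) refused it; a 200 on smb.conf followed by a 200 POST to a portal script is the sequence that should trigger an incident, not a ticket. The status is kept in each Hit so the two cases can be told apart.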
Global online payment fraud losses are set to soar by more than 50% over the coming four years to exceed $25bn per year, according to a new report from Juniper Research.
The market analyst’s report, Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2020-2024, predicted a 52% growth in merchant losses to scams over the period.
The growing popularity of online shopping combined with the enhanced security of card-present transactions through the EMV initiative is helping to drive much more fraud into e-commerce, the analyst claimed.
This is despite the introduction of Strong Customer Authentication (SCA) checks in Europe, although this initiative has been delayed several times. The new rules, part of the EU’s PSD2 banking regulation, will now come into force by December 31 2020 in Europe and March 2021 in the UK.
They mandate that certain transactions be subject to two-factor authentication in order to help lock fraudsters out. However, there are concerns that SCA might also create extra user friction which puts consumers off.
Juniper Research urged merchants to work closely with security vendors to design and implement extra authentication checks in shopping apps that minimize friction.
It also argued that e-commerce providers must take a more educational role, providing information to customers on the need for improved cybersecurity and changes to checkout processes, as well as details on some of the most popular scams.
The analyst claimed this was particularly important in China, which it said will account for 42% of e-commerce fraud by 2024.
“The explosion of e-commerce means that fraudsters have evolved their tactics, and so merchants must also evolve,” argued report co-author, Nick Maynard.
“E-commerce merchants must educate their users in anti-fraud best practice, as the human element is consistently the most vulnerable to exploitation in the online payments ecosystem”.
American domain registration companies are taking steps to combat coronavirus-related fraud.
Budget hosting provider Namecheap Inc. has halted automated registration of website names that reference the COVID-19 health crisis. The Los Angeles–based company's action comes after a surge in fraudulent websites seeking to profit from the pandemic.
Online scams proliferating from the coronavirus outbreak have included fraudulent charity websites, sites selling fake vaccines and cures, and infection-tracking sites that deliver malware.
In an email to customers sent on March 26, Namecheap CEO Richard Kirkendall said the company was removing terms such as “coronavirus,” “COVID,” and “vaccine” from the company's domain availability search tool.
While legitimate domains can still be registered manually by company employees, Kirkendall said that Namecheap was working with authorities to "proactively prevent and take down any fraudulent or abusive domains or websites related to COVID19 or the Coronavirus."
GoDaddy, the largest US domain registrar, is also taking action against unscrupulous COVID-19 cyber-criminals. The Arizona firm said it has already taken down several fraudulent sites as part of its "human review process."
A GoDaddy spokesperson said: "We do not tolerate abuse on our platform and our Universal Terms of Service (UTOS) gives us broad discretion to act on complaints, and this includes COVID-19 abuse. To date, our teams have already investigated and removed COVID-19 fraud sites in response to reports, and our vigilance will continue long after the COVID-19 crisis comes to an end."
In neighboring Canada, Toronto firm Tucows Inc., which operates retail registration business Hover, is flagging all "covid" and "corona" domains for manual review. Company spokesperson Graeme Bunton said that Tucows was on the lookout in particular for any sites peddling fake COVID-19 cures or tests.
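The registrars above describe a keyword filter: strip "coronavirus", "COVID" and "vaccine" from the availability search, or route "covid" and "corona" registrations to a human. A literal substring match is easy to sidestep with hyphens, digits-for-letters or a single Cyrillic character, so the filter has to normalize first. The following is an added example, not Namecheap's, GoDaddy's or Tucows' code, and it generalizes the idea to a small normalization pass before matching; the watch terms come from the article, the homoglyph table is a deliberately short one rather than Unicode's full confusables list, and the TLD split is a crude "drop the last label" rather than a Public Suffix List lookup.

```python
import re
import unicodedata
from typing import List, Tuple

# Terms the registrars quoted above are blocking or flagging; extend as needed.
WATCH_TERMS = ["coronavirus", "covid", "corona", "vaccine"]

# Digit/symbol substitutions commonly used to slip a keyword past a literal match.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# A small, hand-picked homoglyph table (Cyrillic and Greek letters that render
# like Latin ones). Not exhaustive; a production filter would use a full
# confusables list.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u0443": "y",
    "\u03bf": "o", "\u03b1": "a",
})

def normalize_label(label: str) -> str:
    """Fold a domain label into a comparable form.

    NFKC, map known homoglyphs, drop anything still non-ASCII, lowercase,
    undo leetspeak, strip separators, and collapse repeated letters
    ("coviiid" -> "covid"). The same function is applied to the watch terms,
    so "vaccine" and "vacccine" both become "vacine" and compare equal.
    """
    s = unicodedata.normalize("NFKC", label)
    s = s.translate(HOMOGLYPHS)
    s = s.encode("ascii", "ignore").decode("ascii").lower()
    s = s.translate(LEET)
    s = re.sub(r"[-_.]", "", s)
    s = re.sub(r"(.)\1+", r"\1", s)
    return s

def flag_domain(domain: str) -> Tuple[bool, List[str]]:
    """Return (needs_review, matched_terms) for a full domain name.

    Only the registrable labels are checked; the last label (assumed TLD) is
    dropped so "vaccine.example" is judged on "vaccine", not on the suffix.
    """
    labels = domain.lower().rstrip(".").split(".")
    candidates = labels[:-1] if len(labels) > 1 else labels
    blob = normalize_label("".join(candidates))
    matched = [t for t in WATCH_TERMS if normalize_label(t) in blob]
    return (bool(matched), matched)

if __name__ == "__main__":
    # Constructed examples, not real registrations.
    for d in ["covid19-test-kits.com", "c0r0na-vaccine.shop", "c\u043evid.org",
              "coronado-beach.com", "example.org"]:
        print(d, flag_domain(d))
```

The last sample shows why Tucows routes matches to manual review rather than auto-rejecting them: "coronado" and "coronary" contain "corona" and will be flagged. The filter is a triage gate, not a verdict, and the cost of a false positive is a human looking at the order, which is what the registrars above have chosen to pay.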
Efforts by the companies to combat fraud come after New York Attorney General Letitia James wrote to the internet's largest domain registrars on March 20, asking for their help in tackling coronavirus-related fraud.
Letters were sent to GoDaddy, Dynadot, Name.com, Namecheap, Register.com, and Endurance International Group (owner of Bluehost.com, Domain.com, and HostGator.com).
On Saturday, the US Department of Justice filed its first court action against a website operator accused of committing fraud to profit from the global COVID-19 pandemic.
The United States government is planning to relocate a family cemetery in Maryland to make way for a new cyber-defense facility.
Last week, a Maryland District Court judge granted the federal government the right to possess a cemetery that is located on the grounds of Fort George G. Meade. The 418-square-foot site, enclosed by a chain-link fence, is currently the resting place of members of the Downs family.
In 1917, as World War I was raging, the Downs family saw their land transformed into a military base. Now it seems likely that the family's cemetery is to be taken over for the grave purpose of national defense.
Court filings indicate that two members of the Downs family are interred at the plot, both of whom enjoyed impressive longevity for their time. The first person to be buried there was Mary A. Downs, who lived from 1803 to 1875. The second individual to be laid to rest at the site was William Downs, who was born in 1790 and didn't shuffle off this mortal coil until 1883.
Should the Department of Defense's plan to obtain the cemetery succeed, the land will be used to build national security computing facilities. The DoD has said that it will move William and Mary's headstones to Bethel Cemetery, where their remains will be re-interred.
According to the Anne Arundel Genealogical Society, there is “a possibility that slaves owned by the Downs family were buried outside the fenced cemetery and a larger area was then cordoned off using orange construction fencing.” However, court filings state that an archaeological study of the area revealed no additional graves.
Downs family descendant Mike Myers has raised no objection to the department's plans to relocate his ancestors.
Annapolis resident Myers said: "My grandmother, she was into family history, so if she was alive it would have mattered to her. It really doesn’t matter to me one way or the other."
What is now Fort Meade was once the Downs family farm, built on land owned by the Downs family since before the Civil War. The farm became Camp Meade—a training base for US soldiers destined to fight overseas in World War I—in 1917.
Then in 1919, William T. Downs, along with dozens of local residents, sold his farm to the government so that Fort Meade could be built.
A global open call has been launched by the London Office for Rapid Cybersecurity Advancement (LORCA) for its fifth cohort of cyber-scaleups. The selection criteria will be focused on companies which aim to solve issues brought to the fore by the COVID-19 pandemic, such as tackling disinformation and improving the security of remote working.
LORCA, which began in June 2018 with UK government funding, has run its year-long accelerator program four times previously. These have been highly successful, with venture capital investment in LORCA companies standing at over £86m. Delivered by Plexal, the innovation centre at Here East in the Olympic Park, the program aims to develop the UK cybersecurity sector, enhancing overall internet safety.
For this new program, LORCA is particularly keen to invite applications from scaleups that are taking on the complex cyber-threats people are facing in an increasingly hyper-connected world, securing the digital safety of individual citizens. These types of challenges have been emphasised by the current COVID-19 pandemic.
Louise Cushnahan, head of innovation, Centre for Secure Information Technologies (CSIT), a LORCA delivery partner, commented: “At this time of COVID-19 related international emergency we are seeing the online spread of disinformation aggravate the public health crisis, rapid adoption of remote working putting pressure on information security and malicious actors seeking to take advantage of weak links in cybersecurity and overburdened IT teams.”
Those selected will receive business mentoring, connections to investors, support in accessing new markets and growing an international presence, as well as access to commercial and engineering expertise from LORCA’s delivery partners.
Saj Huq, program director, LORCA, said: “As well as meeting the needs of industry today, LORCA catalyzes innovation that caters to the cybersecurity challenges on the horizon that will intersect both society and business and require new models of collaboration to solve.”
In light of COVID-19, all course curriculum and some events in this program will be delivered virtually.
The deadline for applying is Monday May 4 2020.
America's Federal Bureau of Investigation has warned that children who are spending more time online as a result of early school closures face an increased risk of being exploited.
In a statement issued on March 23, the FBI wrote: "Due to school closings as a result of COVID-19, children will potentially have an increased online presence and/or be in a position that puts them at an inadvertent risk.
"Due to this newly developing environment, the FBI is seeking to warn parents, educators, caregivers, and children about the dangers of online sexual exploitation and signs of child abuse."
According to UNESCO monitoring, over 160 countries have implemented nationwide closures of educational institutions in response to the COVID-19 health crisis, impacting over 87% of the world’s student population.
In America, where almost all public-school buildings are now closed in the majority of states, the digital divide has deepened between those students who have the computers and internet access needed to carry on their education online and those who don't.
According to a 2019 report from the Federal Communications Commission, around 21 million people in the United States don't have access to broadband. In New York City alone, there are an estimated 300,000 students without access to electronics, according to the Department of Education's chancellor, Richard Carranza.
In some states, it's the schools rather than the students that lack the resources needed to educate virtually.
"The reality is that probably the majority of school districts, and there are more than 13,000 of them, don’t have the ability to provide continuous virtual online instruction," Dan Domenech, executive director of the American School Superintendents Association in Alexandria, Virginia, told Bloomberg.
"This experience may accelerate virtual learning in schools, but right now it is definitely inequitable for students without internet access or a computer at home, and inequitable for the special-education population."
With many facilities now closed to limit the spread of COVID-19, students who relied on accessing computers and the internet via their local library or community center or who relied on free public WiFi in cafes and restaurants are unable to access online learning resources.
The FBI has advised parents with children who can get online to discuss internet safety with their children and to review any games or apps before they are downloaded.
Virgin Media could be liable to pay up to £4.5bn in compensation following the company’s data breach, in which the details of 900,000 customers were freely available online for 10 months. The exposure has left the victims vulnerable to scams including phishing emails, account takeovers and identity theft, and compensation claims for the resulting financial loss and emotional distress are expected to be around £5000 per claimant.
Aman Johal, director at Your Lawyers, the legal firm supporting those affected in taking action, stated: “Virgin Media failed to take the steps required to keep customer data safe. It is vital for the company to understand the severity of this breach. When data is left exposed online it is open season for fraudsters to scam and attack vulnerable people. Your Lawyers has formally notified Virgin Media that we are taking action and our claimant base is growing daily. We urge anyone affected by the breach to make a claim as soon as possible.”
The breach was caused by an incorrectly configured database, and exposed sensitive customer information such as full names, email addresses, dates of birth and contact numbers since at least April 19 2019. Additionally, some customers had details of their contract exposed. This included requests to block or unblock pornographic or explicit websites, potentially enabling blackmail and extortion opportunities for fraudsters.
Johal added: “This is a serious breach of consumer rights and it’s time companies like Virgin Media abide by the law and implement stricter cybersecurity measures to protect its customers from future data breaches. There’s simply no excuse now given the volume of preceding breaches, and this was an avoidable event. Even though the breach occurred due to ‘human error,’ we must hold Virgin Media to account.”
It is believed that Virgin Media could be facing other financial costs as a result of its mistake, in the form of a large GDPR fine.
The British government is using popular conferencing platform Zoom to conduct Cabinet meetings, despite reported Ministry of Defence (MoD) warnings about the security implications.
The government appears to be heeding its own COVID-19 advice in forcing ministers to adhere to social distancing and work from home rules. However, a photo circulated by Boris Johnson showed the Prime Minister using Zoom to host a Cabinet meeting.
The same US-produced platform, which reportedly has a large China-based engineering team, was banned by MoD officials on security concerns, with staff at the department told to stop using it until further notice.
A government spokesperson told Sky News that, according to guidance from the National Cyber Security Centre (NCSC) “there is no security reason for Zoom not to be used for conversations below a certain classification.”
“Should we be letting a company we know so little about be entering our highest office of state? Should we be divulging so [much] personal data to this company with lax policies?” he tweeted. “The rush to online means we need to pay more attention and not less.”
Last July, researchers revealed a zero-day bug in the Mac Zoom client which could have allowed hackers to spy on users via their webcams. It took several months for Zoom to fix the bug, which was first reported to the firm in March.
“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” argued researcher Jonathan Leitschuh. “An organization of this profile and with such a large user base should have been more proactive in protecting its users from attack.”
This was followed by a further security snafu in October, when researchers revealed an API-targeted enumeration attack affecting the platform.
Apple iOS users in Hong Kong have been targeted by a large-scale spyware operation using news links posted in popular online forums to snare victims, according to Trend Micro.
In what the vendor is calling Operation Poisoned News, links in four different forums frequented by Hong Kong residents were found to use a hidden iframe to execute malicious code, exploiting flaws in iOS 12.1 and 12.2.
“The articles were posted by newly registered accounts on the forums in question, which leads us to believe that these posts were not made by users resharing links that they thought were legitimate,” said Trend Micro.
“The topics used as lures were either sex-related, clickbait-type headlines or news related to the COVID-19 disease.”
Alternatively, hackers copied a legitimate website and injected it with a malicious iframe.
The distribution of links to these malicious sites started on January 2, Trend Micro said.
The exploit chain includes a Safari bug which has no CVE, and a customized kernel exploit related to CVE-2019-8605. The final spyware payload, lightSpy, is designed to take full control of a victim’s device, exfiltrating GPS data, SMS messages, browsing history, contacts and content from messaging apps Telegram, QQ and WeChat.
A similar campaign was uncovered targeting Android devices in 2019, using spyware dubbed dmsSpy. It’s believed the two are linked.
“The design and functionality of the operation suggests that the campaign isn’t meant to target victims, but aims to compromise as many mobile devices as possible for device backdooring and surveillance,” said Trend Micro.
The vendor refused to be drawn on the potential source of the attack. However, given the current political climate and widespread criticism of the Chinese Communist Party’s handling of the COVID-19 pandemic, Beijing-backed spies would be a natural choice.
Security experts have intercepted a highly targeted attack in which a malicious USB device was mailed out to a US company.
Trustwave was alerted to the attempted attack on one of its customers’ partners, after they were sent an unsolicited letter in the post purporting to come from Best Buy.
A brief message thanked the company for being a loyal customer and enclosed a ‘$50 gift card’ alongside the USB, which the sender claimed contained a list of the items the gift balance could be spent on.
In fact, the device was a “BadUSB,” in other words, its firmware had been overwritten to automatically inject malicious commands once connected to a PC.
“The JScript code could be anything, but when we decoded it, it reveals a code that gathers system information from the infected host,” the vendor explained.
Information including username, hostname, domain name, computer model, running processes, Office and Adobe Acrobat installations and OS info are encoded and sent back to the C&C server.
“The main Jscript code [then] enters an infinite loop sleeping for two minutes in each loop iteration then getting a new command from the command and control,” said Trustwave.
It’s unclear what the end goal was for these attackers, but a USB attack of this kind, whilst used by pen testers, is rare to see used in anger, the vendor concluded.
“These types of USB devices are widely known and used by security professionals. The fact that they are also cheap and readily available to anyone meant that it was just a matter of time to see this technique used by criminals in the wild,” it explained.
“Since USB devices are ubiquitous, used and seen everywhere, some consider them innocuous and safe. Others can be very curious about the contents of an unknown USB device. If this story teaches us anything, it's that one should never trust such a device.”
Researchers found that in 2010, only 1.57% of Americans were using Virtual Private Networks (VPNs) compared to 6.26% in 2019.
From 2010 through 2017, the usage of VPNs remained fairly consistent, hovering at around 1.6%. However, the networks have become increasingly popular in the last couple of years. VPN usage in the US grew from 2.40% in 2017 to 3.77% in 2018 before surging to 6.25% in 2019.
Virtual Private Networks were initially created as a way for employees to work remotely. PC Matic researchers said that today VPNs are being used in a different way.
Researchers wrote: "VPNs were first developed to allow work-from-home employees to access company applications and files. However, over time individuals began using VPNs for personal use, to increase their security while using public networks. Since a VPN replaces a device’s IP address with one within the VPN service and also encrypts transmitted data, it adds an additional layer of security and privacy for online communications."
The use of personal VPNs has increased significantly. In 2010, only 0.13% of endpoints had a personal VPN installed, but by the end of the decade, personal VPN use had increased 3,477% to 4.65%.
Researchers linked the growth in VPN usage to an increased desire for privacy and security, especially while using public WiFi.
"Individuals need to ensure what they’re doing online is secure, specifically while they are using public WiFi connections like those found in airports, restaurants, coffee shops, and other public facilities. The use of a VPN while on public networks leaves the integrity of the data transmitted uncompromised by encrypting all transmitted data; meaning it cannot be read by others on the public network," wrote researchers.
Back in 2010, the most widely used commercial Virtual Private Network was CiscoVPN. In 2019, OpenVPN had the lion's share of the commercial VPN market, followed by Cisco, Sophos, Pure, and WatchGuard.
While Cyberghost was the biggest personal VPN provider in 2010, in 2019 that title went to NordVPN.
A company that provides secure cloud storage services has exposed over a quarter of a million private files uploaded by its customers.
Data Deposit Box left a database containing over 270,000 customer files on an unsecured Amazon S3 bucket. As a result of the breach, data including personally identifiable information (PII) belonging to Data Deposit Box customers was exposed.
The open bucket was discovered on Christmas Day, 2019, by a Vpnmentor research team led by cybersecurity analysts Noam Rotem and Ran Locar.
Inside the unsecured cloud storage device, researchers discovered a database packed with thousands of files dating from 2016 to December 25, 2019. Researchers were able to view private user data, including admin usernames and unencrypted passwords in plain text.
Researchers were also able to access IP addresses, email addresses, and GUIDs (globally unique identifiers for resources).
In a report on the breach published March 25, Vpnmentor researchers wrote: "In this case, we identified Data Deposit Box as the owner of the database. Before publishing this report, we reached out to the company to share our findings and provide guidance on how to resolve the issue."
Data Deposit Box was contacted regarding the breach on December 20, 2019. By January 6, the database on the open bucket had been secured.
Researchers warned that the breach could have dire consequences.
"The unencrypted usernames and passwords exposed in this breach may allow malicious parties to access Data Deposit Box’s customers’ accounts," wrote researchers.
"We didn’t log into any users’ accounts for ethical reasons, but we could’ve easily done so. The bad news is that if we’re able to do this, hackers could do it too."
Data Deposit Box is a public company based in Canada that claims to offer a "top rated secure cloud backup storage service for small businesses" that is "100% secure." The company's business model allows customers to continuously back up an unlimited number of devices to their accounts through the company’s app and web portal.
Data Deposit Box has over 350,000 users and 200 partners spread across 53 countries. On February 6, the company entered into an agreement to be acquired by HostPapa Inc.
New research has uncovered a vulnerability affecting all 4G and some 5G telecommunications networks.
A study of the security of Diameter networks completed by Positive Technologies found that weaknesses in the Diameter signaling protocol meant that 100% of 4G networks are susceptible to denial of service (DoS) attacks.
The Diameter signaling protocol is used to authenticate and authorize messages and information distribution in 4G networks. It is a crucial component in LTE, facilitating translation and communication between Internet protocol network elements.
Researchers found that every attempt they made to infiltrate 28 telecommunications operators across South America, Asia, Europe, and Africa with attacks between 2018 and 2019 was successful.
The findings aren't just bad news for 4G; the vulnerabilities in the protocol are a problem for any 5G networks built on top of the previous generation of networks, using the same LTE network core. Networks linked in this way could be susceptible to the same threats, such as tracking user location and obtaining sensitive information.
Researchers warned that users of 5G networks that are riddled with weaknesses inherited from their 4G predecessors could see their service downgraded to insecure 3G networks.
Dmitry Kurbatov, CTO at Positive Technologies, said: "A lot of the major mobile operators are already starting to roll out their 5G networks and so the industry needs to avoid repeating the mistakes of the past by having security front and centre of any network design. If left unchecked, their 5G networks will not be immune from the same vulnerabilities of previous generation networks."
Other vulnerabilities detected in the Diameter protocol allow external actors to track subscriber location and obtain a subscriber's sensitive information. This information could later be used to intercept voice calls, bypassing restrictions on mobile services.
"Gartner predicts 25 billion IoT devices to be connected by 2021. Therefore, a denial of service attack becomes so much bigger than simply a slow internet connection stopping you from posting a picture on Instagram," said Kurbatov.
"It can cripple cities which are beginning to use IoT devices in various ways from national infrastructure to industry."