5 hours ago

Dangerous Remote Code Execution Vulnerability in F5’s Popular BIG-IP Networking Product Is Very Likely to Be Exploited, Cyber Command Says Don’t Delay Patching Over the Weekend

One of the world’s largest providers of enterprise networking gear, F5, published a security advisory this week warning customers to patch a dangerous security flaw in the company’s BIG-IP product that is very likely to be exploited. BIG-IP is a highly popular networking product in use by government networks, ISPs, cloud providers, and enterprise customers around the globe. Tracked as CVE-2020-5902, the BIG-IP bug is a remote code execution vulnerability that was found and privately reported to F5 by Mikhail Klyuchnikov, a security researcher at Positive Technologies. The flaw sits in the Traffic Management User Interface (TMUI), the BIG-IP configuration utility, so management interfaces reachable from the internet are the immediate risk. U.S. Cyber Command warned in a tweet not to delay implementing the patches for the bug over the holiday weekend. (ZDNet)
6 hours ago

Groups Backed by Google and Facebook Criticize Apple’s Plan to Require Apps to Seek Additional Permission Before Tracking Users Across the Web

Sixteen marketing associations, some of which are backed by Facebook and Alphabet’s Google, criticized Apple’s plans to require apps in its upcoming iOS 14 to seek additional permission from users before tracking them across other apps and websites. Apple announced last week that its forthcoming operating system for iPhones and iPads will require apps to show a pop-up screen before they enable a form of tracking commonly needed to display personalized ads. (Reuters)
6 hours ago

Like TikTok, LinkedIn Was Spotted Reading the Clipboard, Including the Shared Clipboard, on the Upcoming iOS 14 Beta

A bug in LinkedIn’s iOS app, observed on the new iOS 14 beta, allowed the app to read the clipboard content after every user keypress, even reaching through the shared clipboard feature that lets iOS apps read content copied on a user’s Mac, a user discovered. For the new iOS 14 coming in the fall, Apple has added a privacy feature that shows a quick popup letting users know when an app has read content from their clipboard. Using the new mechanism, users discovered last week that TikTok was likewise reading content from their clipboards. LinkedIn said the spotted behavior was a bug and not an intended feature and plans to issue a fix. (ZDNet)
19 hours ago

Iran Said It Will Retaliate Against Any Country That Carries Out Cyberattacks Following Fire at Natanz Uranium Enrichment Plant

Iran said it would retaliate against any country that carries out cyberattacks on its nuclear sites after a fire broke out at its Natanz plant, which some Iranian officials said may have been caused by cyber sabotage. That site, much of which is underground, is one of several Iranian facilities monitored by inspectors of the International Atomic Energy Agency (IAEA), the U.N. nuclear watchdog. It was also the target of the world’s first physically destructive cyberattack, Stuxnet, widely attributed to Israel and the United States. One official said the attack had targeted a centrifuge assembly building, referring to the delicate cylindrical machines that enrich uranium, and said Iran’s enemies had carried out similar acts in the past. (Reuters)
1 day ago

Senate Committee Passes Revamped Version of EARN IT Act, Attempts to Defuse Criticism of Anti-Encryption Effect, Still Seeks to Pare Back Section 230

The Senate Judiciary Committee passed a revamped version of the EARN IT Act, a measure ostensibly aimed at removing liability protections for online businesses that host child sexual abuse material, but that in effect would jeopardize the protections for end-to-end encryption across the web. However, the panel also approved an amendment by Chair Lindsey Graham (R-SC) that could defuse attempts to portray the bill as an attack on encryption. The committee also unanimously approved an amendment by Sen. Patrick Leahy (D-VT) intended to “exclude encryption” as something that could lead to “increased liability” for companies. Yet the bill still encourages state lawmakers to look for loopholes to undermine end-to-end encryption, such as demanding that messages be scanned on a local device before they get encrypted and sent along to their recipient, according to the EFF. The bill also seeks to pare back the strong industry legal liability protections known as Section 230 of the Communications Decency Act of 1996. (Politico)
2 days ago

Authorities Bust Organized Crime Members Across Europe Following a Sweeping Operation by Europol, Eurojust That Penetrated and Monitored Encrypted Chat Network EncroChat

Law enforcement authorities across Europe and the UK busted organized crime members as a result of a joint investigation by Europol and Eurojust to dismantle EncroChat, an encrypted phone network widely used by criminal networks. French authorities penetrated the EncroChat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and quietly read the users’ communications for months. The interception of EncroChat messages came to an end on June 13, 2020, when the company realized that a public authority had penetrated the platform. On realizing it had been subject to a sophisticated breach, an associate of EncroChat sent an email to users saying, “Due to the level of sophistication of [an] attack and the malware code, we can no longer guarantee the security of your device.” EncroChat claims it had legitimate users as well as those busted by authorities. French authorities said they hope “users claiming to be of good faith and wishing to have their personal data deleted from the legal proceedings can send their request to the investigation department.” EncroChat had 60,000 users worldwide and 10,000 in the UK. At least 700 people were arrested in the UK, where police seized £54m in cash and tonnes of drugs in what authorities called the UK’s “biggest and most significant” operation ever against organized crime. (Motherboard)
2 days ago

A Hacker Has Left Ransom Notes on Nearly 23,000 MongoDB Databases Accessible Online, Almost Half of the Total

A hacker has uploaded ransom notes to 22,900 MongoDB databases left exposed online without a password, a number that accounts for roughly 47% of all MongoDB databases accessible online, Victor Gevers, a security researcher with the GDI Foundation, has confirmed. The hacker is using an automated script to scan for misconfigured MongoDB databases, wipe their content, and leave a ransom note behind asking for a 0.015 bitcoin (~$140) payment. The hacker threatens to leak the victims’ stolen data within two days if no payment is made and to report the data leak to the victim’s local General Data Protection Regulation (GDPR) enforcement authority. The common root cause is an instance bound to a public interface with access control left disabled, so anyone who can reach port 27017 can list, read, and drop every database. (ZDNet)
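The attacker’s scanner works because an unauthenticated client can simply ask an exposed instance for its database list. The script below is an added example, not code from the article or from the GDI Foundation, for checking whether one of your own MongoDB listeners answers `listDatabases` without credentials. It speaks the wire protocol directly (OP_MSG with a hand-rolled BSON encoder/decoder, opcode 2013, error code 13 for Unauthorized) so it runs with only the standard library; those protocol details come from the MongoDB wire specification, not from the article, and the host, port, and sample replies are constructed for illustration.

```python
"""Probe a MongoDB listener for unauthenticated access using a raw OP_MSG exchange.
Added example (not from the article); only run it against hosts you are authorized to test."""
import socket
import struct
from typing import Any, Dict, Tuple

OP_MSG = 2013  # wire opcode for OP_MSG (MongoDB 3.6+)


def bson_encode(doc: Dict[str, Any]) -> bytes:
    """Minimal BSON encoder covering the types a command document needs."""
    body = b""
    for key, value in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(value, bool):                     # bool before int: bool subclasses int
            body += b"\x08" + k + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            if -2**31 <= value < 2**31:
                body += b"\x10" + k + struct.pack("<i", value)
            else:
                body += b"\x12" + k + struct.pack("<q", value)
        elif isinstance(value, float):
            body += b"\x01" + k + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + k + bson_encode(value)
        elif isinstance(value, list):
            body += b"\x04" + k + bson_encode({str(i): v for i, v in enumerate(value)})
        elif value is None:
            body += b"\x0a" + k
        else:
            raise TypeError(f"unsupported BSON value: {type(value).__name__}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_decode(data: bytes, offset: int = 0) -> Tuple[Dict[str, Any], int]:
    """Decode one BSON document at offset; returns (doc, offset just past it)."""
    total = struct.unpack_from("<i", data, offset)[0]
    end = offset + total
    pos = offset + 4
    doc: Dict[str, Any] = {}
    while pos < end - 1:                                # last byte is the 0x00 terminator
        etype = data[pos]
        pos += 1
        key_end = data.index(b"\x00", pos)
        key = data[pos:key_end].decode()
        pos = key_end + 1
        if etype == 0x01:                               # double
            doc[key] = struct.unpack_from("<d", data, pos)[0]; pos += 8
        elif etype == 0x02:                             # UTF-8 string
            n = struct.unpack_from("<i", data, pos)[0]
            doc[key] = data[pos + 4:pos + 4 + n - 1].decode(); pos += 4 + n
        elif etype in (0x03, 0x04):                     # embedded document / array
            sub, pos = bson_decode(data, pos)
            doc[key] = list(sub.values()) if etype == 0x04 else sub
        elif etype == 0x05:                             # binary (e.g. $clusterTime signature)
            n = struct.unpack_from("<i", data, pos)[0]
            doc[key] = data[pos + 5:pos + 5 + n]; pos += 5 + n
        elif etype == 0x07:                             # ObjectId
            doc[key] = data[pos:pos + 12].hex(); pos += 12
        elif etype == 0x08:                             # bool
            doc[key] = data[pos] == 1; pos += 1
        elif etype in (0x09, 0x11, 0x12):               # datetime, timestamp, int64
            doc[key] = struct.unpack_from("<q", data, pos)[0]; pos += 8
        elif etype == 0x0A:                             # null
            doc[key] = None
        elif etype == 0x10:                             # int32
            doc[key] = struct.unpack_from("<i", data, pos)[0]; pos += 4
        else:
            raise ValueError(f"unhandled BSON type 0x{etype:02x} for key {key!r}")
    return doc, end


def build_op_msg(command: Dict[str, Any], request_id: int = 1) -> bytes:
    """Header (length, requestID, responseTo, opcode) + flagBits 0 + kind-0 body section."""
    body = struct.pack("<i", 0) + b"\x00" + bson_encode(command)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_MSG) + body


def parse_op_msg(msg: bytes) -> Dict[str, Any]:
    length, _req, _resp_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_MSG or length != len(msg) or msg[20] != 0:
        raise ValueError("not a complete OP_MSG reply with a kind-0 body section")
    return bson_decode(msg, 21)[0]


def classify(reply: Dict[str, Any]) -> str:
    """Turn the server's listDatabases reply into a verdict."""
    if reply.get("ok") == 1 and "databases" in reply:
        names = [d.get("name", "?") for d in reply["databases"]]
        return f"EXPOSED: unauthenticated listDatabases returned {len(names)} database(s): {', '.join(names)}"
    if reply.get("code") == 13 or reply.get("codeName") == "Unauthorized":
        return "auth required (listDatabases rejected with code 13)"
    return f"unexpected reply: {reply.get('errmsg', reply)}"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


def probe(host: str, port: int = 27017, timeout: float = 5.0) -> str:
    """Send listDatabases with no credentials and classify what comes back."""
    request = build_op_msg({"listDatabases": 1, "nameOnly": True, "$db": "admin"})
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, 4)
        total = struct.unpack("<i", header)[0]
        reply = header + _recv_exact(sock, total - 4)
    return classify(parse_op_msg(reply))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))  # hypothetical target
```

If the verdict is EXPOSED, the fix is the same one the ransom victims skipped: set `security.authorization: enabled` in mongod.conf, create an admin user, and bind the listener to a private interface or firewall port 27017 so only application hosts can reach it.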
2 days ago

Advocacy Groups From Around the Globe Urge Regulators to Dig Deeper Into Google-Fitbit Deal Given Concerns of Google’s Growing Clout

Twenty advocacy groups from the United States, Europe, Latin America and other regions signed a statement urging regulators to be wary of Google’s $2.1 billion bid for fitness tracker company Fitbit because of privacy and competition concerns. The groups, which include Public Citizen, Access Now from Europe and the Brazilian Institute of Consumer Defense, said that Google’s clout in the digital world would expand as a result of the deal and give Google access to such intimate information about users as how many steps they take daily, the quality of their sleep and their heart rates. Google said it believes the combination of Google’s and Fitbit’s hardware efforts will increase competition in the wearable technology sector. (Reuters)
2 days ago

Facebook Says It Exposed User Data to Thousands of Developers In Violation of Updated Policy

Facebook admitted that it shared user data with thousands of developers even after access to the data should have expired. The social network said it fixed the issue, but the mistake allowed an estimated 5,000 developers to continue receiving user data for longer than expected. Facebook said it recently discovered that apps continued to receive data from the social network even if a user had not been active on the developer’s app for 90 days, contrary to a policy it adopted in 2018. (CNET)
2 days ago

Evil Corp Crew Hacked Dozens of U.S. Newspaper Websites As Part of WastedLocker Ransomware Campaign

The Evil Corp malware crew hacked into dozens of US newspaper websites owned by the same company to infect employees of over 30 major US private firms, using fake software update alerts displayed by the malicious JavaScript-based SocGholish framework, Symantec said in an update to its report on the WastedLocker ransomware attacks unleashed by the group. The company that owns the compromised news sites was alerted, and the malicious code was removed. (Bleeping Computer)
3 days ago

California’s Consumer Privacy Law Goes Into Effect Today Despite Industry Calls for Delay Due to Coronavirus

The California Consumer Privacy Act (CCPA), considered the toughest law for digital privacy in the U.S., will finally be enforced starting today despite industry calls for the state to hold off because of the novel coronavirus pandemic, Attorney General Xavier Becerra announced. The Act went into effect on January 1 after facing stiff headwinds from industry and lawmakers and gave companies six months before enforcement began. Becerra’s office is now able to start sending businesses warnings that they might be in violation of the law and give them 30 days to fix the issues before facing possible fines or lawsuits. (Washington Post)
3 days ago

Mobile Malware Operators FakeSpy Have Been Impersonating Postal Services in Attacks in the U.S., China and Europe

Operators of the mobile data-stealing malware known as FakeSpy have been impersonating various postal services in attacks on users in the U.S., China, and Europe in the last several weeks, expanding beyond their initial footprint of South Korea and Japan, researchers at Cybereason report. The attackers have masqueraded as the U.S. Postal Service, along with couriers from Germany to Britain to Taiwan. Cybereason believes that the FakeSpy operators are based in China. (Cyberscoop)
3 days ago

Chinese Hacking Campaign Against China’s Uighur Minority Began in 2013, Eight Types of Malware Used to Hack Phones via Keyboards and Apps

A Chinese hacking campaign against the country’s largely Muslim Uighur population, designed to pull data from Uighurs’ phones, began in earnest in 2013, according to researchers at Lookout Security. Lookout found links between eight types of malicious software, some previously known, others not, that show how groups connected to China’s government hacked into Android phones used by Uighurs on a scale far more massive than had been realized. The hackers hid their tools in special keyboards used by the minority group, some of which could remotely turn on a phone’s microphone, record calls, or export photos, phone locations, and conversations on chat apps. Others were embedded in apps that hosted Uighur-language news, Uighur-targeted beauty tips, religious texts like the Quran, and details of the latest arrests of Muslim clerics. (New York Times)
3 days ago

Technology Consultant Sues AT&T Claiming Staff Allowed Criminals to Steal $1.9 Million in SIM Swapping Scam

AT&T has been sued for a second time over allegations that its staff gave thieves control of a specific individual’s cellphone number to steal a large amount of cryptocurrency in a SIM swap scam. Technology consultant Seth Shapiro has filed a $1.9 million claim against the mobile phone giant for allowing its staff to port his phone number to the hackers’ SIM. Shapiro said he noticed in May that his phone was no longer connected to AT&T’s network and later learned that criminal hackers had gained control over his number. He purchased a new phone, reportedly at AT&T’s request, and then learned the hijackers had taken over that account too via SIM swapping and stolen $1.9 million in cryptocurrency from his accounts. A criminal investigation led to charges against two AT&T employees who, it is alleged, assisted in shifting Shapiro’s number to the crooks. (The Register)
3 days ago

Microsoft Issues Two Out-of-Band Patches to Fix Windows Bugs That Can Be Exploited With Specially Crafted Image

Microsoft issued two out-of-band security updates to patch two vulnerabilities in the Microsoft Windows Codecs Library. Tracked as CVE-2020-1425 and CVE-2020-1457, the two bugs only impact Windows 10 and Windows Server 2019. Microsoft said the two security flaws can be exploited with the help of a specially crafted image file: when such an image is opened inside an app that uses the built-in Windows Codecs Library to handle multimedia content, an attacker could run malicious code on the Windows computer and potentially take over the device. Because the affected component is delivered as a Store app, the fixes arrive through the Microsoft Store’s automatic updates rather than through Windows Update, so administrators who block Store updates need to confirm the patched version is installed. (ZDNet)