4 days ago

Magistrate Judge Rules That Capital One Must Turn Over Mandiant’s Forensic Report Related to 2019 Breach

U.S. Magistrate Judge John Anderson in the U.S. District Court for the Eastern District of Virginia ruled that Capital One must allow plaintiffs to review Mandiant’s forensic report related to the bank’s 2019 data breach, despite the bank’s protests that it is a protected legal document. Anderson said the report, prepared by Mandiant, was the result of a business agreement, and called the legal doctrine argument “unpersuasive.” The report is expected to detail “engagement activities, results, and recommendations for remediation” stemming from the breach announced in July 2019. (Cyberscoop)
4 days ago

Japanese Telecom and Tech Giant NTT Says Hackers Gained Access to Its Internal Network and Stole Data on 621 Customers

Japanese telecommunications and technology giant Nippon Telegraph & Telephone (NTT) disclosed a security breach in which hackers gained access to its internal network and stole information on 621 customers from its communications subsidiary, NTT Communications. The hack, which originated from an NTT base in Singapore, took place on May 7. NTT says it became aware of the intrusion on May 11. The hackers breached several layers of its IT infrastructure and reached an internal Active Directory (AD) server, from which they stole data and uploaded it to a remote server. NTT says it took down the hacked systems as soon as it learned of the incident and is now upgrading its infrastructure. (ZDNet)
4 days ago

Bug Bounty Platform Company Synack Raises $52 Million in Series D Round, Valuation Now $500 Million

Crowdsourced penetration testing platform company Synack has raised $52 million in a Series D funding round led by C5 Capital USA and including B Capital Group, GGV Capital, GV (previously Google Ventures), Hewlett Packard Enterprise Co., Icon Ventures, Intel Capital, Kleiner Perkins, Microsoft Corp.’s M12 and Singtel Innov8. The latest funding round puts Synack’s valuation at around $500 million. Synack was founded in 2013 by former National Security Agency security experts and bills itself as a “Hacker-Powered Intelligence Platform.” (Fortune)
4 days ago

Hackers Used Vulnerability in Cisco SaltStack Software Package to Compromise Servers, Patches Issued

Cisco has revealed a breach in which hackers used a vulnerability in the SaltStack software package, which Cisco bundles with some products, to gain access to six servers: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info, and vsm-us-2.virl.info. The servers provide the backend infrastructure for VIRL-PE (Virtual Internet Routing Lab Personal Edition), a Cisco service that lets users model and create virtual network architectures to test network setups before deploying equipment in production. Cisco patched and remediated all hacked VIRL-PE servers on May 7, when it deployed updates for the SaltStack software. However, Cisco says that two of its commercial products, Cisco VIRL-PE and Cisco Modeling Labs Corporate Edition (CML), also bundle the SaltStack software package as part of their firmware, and Cisco has released patches for these products as well. (ZDNet)
4 days ago

ACLU Sues Facial Recognition Company Clearview AI for Violating Illinois Law Forbidding Use of Face Scans Without Consent

The American Civil Liberties Union (ACLU) sued the facial recognition start-up Clearview AI, which claims to have helped hundreds of law enforcement agencies use online photos to solve crimes, accusing the company of “unlawful, privacy-destroying surveillance activities.” The suit claims that Clearview is violating a stringent Illinois law that forbids companies from using a resident’s fingerprints or face scans without consent. Each violation of the law could cost the company $5,000. The suit follows a report in the New York Times that the company had amassed a database of more than three billion photos across the internet, including from Facebook, YouTube, Twitter, and Venmo. (New York Times)
5 days ago

Check Point Unmasks Hacktivist VandaTheGod and Notifies Law Enforcement

A hacktivist who goes by the name of VandaTheGod has been unmasked as a Brazilian individual from the city of Uberlândia by researchers at Check Point. VandaTheGod has a long history of going after government websites, universities, and healthcare providers and claimed to have breached the database of New Zealand’s Tū Ora Compass Health, offering medical details of one million patients for sale on Twitter last October. Allegedly part of the “Brazilian Cyber Army” (BCA), the individual has also vandalized dozens of websites to spread anti-government messages, in addition to displaying BCA’s logo in screenshots of compromised accounts and websites. Although Check Point tracked VandaTheGod down via the WHOIS information for the domain “VandaTheGod.com,” their big break came when screenshots from Twitter matched a Facebook profile. Check Point said it notified law enforcement of its findings for further action. (Hacker News)
5 days ago

NSA Warns That Russian State-Backed Hacker Group Sandworm Has Been Exploiting Known Flaw in Exim Mail Transfer Agent

Using its newly created blog and its even newer Twitter account devoted to cybersecurity, the NSA issued an advisory that the Russian hacker group known as Sandworm, a unit of the GRU military intelligence agency, has been actively exploiting a known vulnerability in Exim, a commonly used mail transfer agent that runs on email servers around the world. Exim is an alternative to more prominent players like Exchange and Sendmail. NSA says that Sandworm has been exploiting vulnerable Exim mail servers since at least August 2019, using the hacked servers as an initial infection point on target systems and likely pivoting to other parts of the victim’s network. The vulnerability used by Sandworm allows an attacker who merely sends a malicious email to the server to immediately gain the ability to run code on that server remotely. In its intrusions, the NSA warns. The spy agency recommends that administrators patch their Exim software immediately, comb their traffic logs for signs of exploitation, and segment their networks to make it harder for intruders to expand their initial compromise of a mail server. (Wired)
5 days ago

Germany Is Seeking EU Sanctions Against Russian Man Who Allegedly Hacked the German Parliament While Reportedly Working for Russian Intelligence

Germany’s Foreign Ministry said it called in Russian ambassador Sergei Nechayev to inform him that it is seeking EU sanctions against a Russian man, Dmitriy Badin, and possibly others, over his alleged role in the hacking of the German parliament at a time when evidence shows he was working for Russian intelligence. Senior German diplomat Miguel Berger “strongly condemned the attack on Germany’s parliament in the name of the German government” while meeting with Nechayev, the ministry said. Russia calls the German accusations “baseless.” (Associated Press)
5 days ago

Israel’s Cybersecurity Chief Says Attempted Attack on Water Supply Could Have Had Disastrous Outcome, Calls It a ‘Changing Point’ in Modern Cyber-Warfare

Israel’s national cybersecurity chief Yigal Unna acknowledged that the country had thwarted a major cyberattack last month against its water systems, an assault widely attributed to arch-enemy Iran, calling it a “synchronized and organized attack” aimed at disrupting key national infrastructure. Unna said the attempted hacking of Israel’s water systems marked the first time in modern history that “we can see something like this aiming to cause damage to real life and not to IT or data.” He said that had Israel’s National Cyber Directorate not detected the attack in time, chlorine or other chemicals could have been mixed into the water source in the wrong proportions, with a “harmful and disastrous” outcome. Unna called the foiled attack on the water supply a changing point in the history of modern cyber-warfare and warned ominously that “cyber winter is coming.” (Associated Press)
5 days ago

Windows 10 2004 Starts Rolling Out to Users With a Host of Security Improvements in Windows Sandbox, WiFi Communications, and More

The Windows 10 May 2020 update, also known as Windows 10 2004, is starting to roll out to users, complete with new features on the security front. Among the improvements are new features that make it easier to automate Windows Sandbox in enterprise testing environments. Windows 10 v2004 now supports the latest versions of the WiFi wireless communications standard and of WPA, the protocol used to authenticate WiFi connections, which include protection against a series of attacks such as Dragonblood and KRACK. Other enhancements include an improved System Guard Secure that checks for secure firmware loading, new security baselines that ensure basic security features are enabled, and much more. (ZDNet)
5 days ago

Microsoft Warns of Human-Operated Ransomware Campaigns Called PonyFinal

PonyFinal, a Java-based ransomware deployed in human-operated ransomware campaigns, is a serious threat that customers are facing right now, Microsoft warned. The attackers, whom Microsoft characterizes as advanced, have been seen gaining access in PonyFinal campaigns through brute-force attacks against a target’s systems management server. They deploy a VBScript to run a PowerShell reverse shell to perform data dumps, along with a remote manipulator system to bypass event logging. Attackers have also exploited unpatched flaws or targeted vulnerable Internet-facing services. Sometimes the attackers deploy the Java Runtime Environment (JRE), which the Java-based ransomware needs to run and which the attackers also use to remain stealthy. (Dark Reading)
5 days ago

Valak Malware Has Been Tweaked Around Thirty Times Over Past Six Months to Give It Greater Flexibility to Attack Microsoft Exchange Servers

The malware called Valak has been used in hacking attempts against multiple economic sectors in the U.S. and Germany over the last six months and has been targeting Microsoft Exchange servers, researchers at Cybereason report. The Valak code has been tweaked around 30 times over the past six months to give it the flexibility to engage in multistage attacks. The most important addition to the newer versions of Valak is a component called “PluginHost,” which handles communication with the C2 server and downloads additional plugins under the name “ManagedPlugin.” Among the plugins observed are “Systeminfo” and “Exchgrabber,” both of which appear to target enterprises specifically. (Cyberscoop)
5 days ago

Arizona Sues Google for Allegedly Violating Users’ Privacy by Not Turning Off Location Data Tracking Even When Users Disable It

Arizona Attorney General Mark Brnovich sued Google, alleging the tech giant violated its users’ privacy by collecting their location information even if they had turned off such digital tracking. The lawsuit alleges that the Android maker set up its mobile software in a way that enriched its advertising empire and deceived device owners about the protections actually afforded to their data, running afoul of Arizona consumer-protection laws that prohibit companies from misrepresenting their business practices. The Internet giant defended its privacy practices in a statement, stressing that the state and its “contingency fee lawyers filing this lawsuit appear to have mischaracterized our services.” The state alleged in its complaint that Google’s Android devices still recorded and kept location records for certain apps, including mapping and weather, as well as searches, even for users who disabled location tracking. Users instead had to turn off a second, hard-to-find setting if they wanted to prevent the location data from being recorded, according to Arizona’s lawsuit, which criticized Google’s maze of menus as deceptive. (Washington Post)
5 days ago

Indian Hack-for-Hire Firms Sought to Exploit Coronavirus Crisis With High-End Phishing Campaigns Targeting Business Leaders

Many India-based “hack-for-hire” firms that have been creating Gmail accounts spoofing the WHO were largely responsible for one of the most common trends among nation-state and high-end cybercrime operators in Q1 2020, according to the inaugural quarterly report of the Google Threat Analysis Group (TAG). The spoofed accounts sought to exploit the coronavirus crisis by running phishing campaigns that mostly targeted business leaders in financial services, consulting, and healthcare corporations in numerous countries, including the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK. The TAG report also noted the rising number of political influence operations carried out by governments across the world, since many of these operations are now taking place on Google’s network of sites, such as YouTube, the Play Store, AdSense, and the rest of its advertising platforms. TAG said it tracked seven influence operations in Q1 2020. (ZDNet)
5 days ago

HackerOne Reaches $100 Million White-Hat Hacker Bug Bounty Payout Milestone

Bug bounty platform HackerOne announced that it has paid out $100,000,000 in rewards to white-hat hackers around the world as of May 26, 2020. Since its first bounty award in 2013, HackerOne bug bounty hunters have found roughly 170,000 security vulnerabilities, according to the company’s CEO Mårten Mickos. (Bleeping Computer)