5 days ago

FIN7 Criminal Gang Continues to Develop New Techniques Despite Arrest of Several Members During 2018, New Dropper and Payload Aim at Better Evasion

New tools in the arsenal of FIN7, the point-of-sale criminal gang, show the group’s efforts at implementing new evasion techniques despite the arrest of several FIN7 members by U.S. authorities during 2018, researchers at FireEye report. The first is an in-memory-only dropper called BOOSTWRITE that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime; it also uses new techniques, such as the adoption of valid certificates, to avoid traditional antivirus detection. The second is a new BOOSTWRITE payload called RDFSNIFFER, which appears to have been developed to tamper with NCR Corporation’s “Aloha Command Center” client, a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. FireEye researchers said they provided this information to NCR. (Threatpost)
5 days ago

Imperva Blames Data Breach Revealed in August on AWS API Key Hacker Stole From Internal System Left Accessible on the Internet

Cybersecurity firm Imperva published a post-mortem report of a 2018 security breach the company disclosed in August 2019. The company blames the breach, in which a hacker gained access to Imperva’s cloud infrastructure, on an Amazon Web Services (AWS) API key the hacker stole from an internal system that was left accessible from the internet. After the company notified customers, customers changed 13,000 passwords, rotated more than 13,500 SSL certificates, and regenerated more than 1,400 Imperva API keys. Although the chronology is fuzzy, Imperva said that sometime in October 2018, the intruder began downloading a copy of a database snapshot the company had uploaded to an AWS Relational Database Service (RDS) account it was testing. Imperva learned of the data breach in August when an unspecified third party contacted the company, provided a copy of the stolen data, and then requested a bug bounty. (ZDNet)
6 days ago

Israel Rejected Russian Prisoner Exchange Offer Involving Hacker Slated for Extradition to the U.S.

Russia sentenced Naama Issachar, an Israeli-American woman accused of smuggling marijuana, to 7.5 years in prison after Israel rejected repeated Russian offers for a prisoner exchange that would have released a Russian hacker who is due to be extradited from Israel to the United States. Issachar had been detained in Moscow for six months prior to her arrest. The Russian hacker is Aleksey Burkov, a Russian IT specialist who was arrested in Israel in 2016 at the request of Interpol. Burkov is wanted on embezzlement charges in the United States for a massive credit card scheme that saw him allegedly steal millions of dollars from American consumers. (The Times of Israel)
6 days ago

Attackers Exploited Stealthy Zero-Day Flaw in iTunes and iCloud to Infect Windows Computers with BitPaymer Ransomware

Attackers exploited a zero-day vulnerability in Apple’s iTunes and iCloud programs to infect Windows computers with ransomware without triggering antivirus protections, researchers from Morphisec reported. The bug, known as an unquoted service path, is in the Bonjour component on which both iTunes and iCloud for Windows rely. When such a flaw sits in a trusted program, such as one digitally signed by a well-known developer like Apple, attackers can exploit it to make the program execute code that AV protection might otherwise flag as suspicious. Morphisec discovered in August that the attackers were exploiting the vulnerability to install ransomware called BitPaymer on the computers of an unidentified company in the automotive industry and reported it to Apple. Apple patched the vulnerability in both iTunes 12.10.1 for Windows and iCloud for Windows 7.14. The iTunes uninstaller doesn’t automatically remove Bonjour, so anyone who has ever installed and later uninstalled iTunes should inspect their PCs to ensure Bonjour is not present. (Ars Technica)
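To make the unquoted-service-path weakness concrete from the defender’s side, here is an added audit helper (example code written for this digest, not Morphisec’s or Apple’s) that enumerates the executable paths Windows would try before the intended service binary, so their directory permissions can be checked. The service entries are constructed, and the rule that enumeration stops at the first prefix carrying a file extension is a simplifying assumption.

```python
r"""Audit helper for the unquoted-service-path weakness described above.

Windows tries each space-delimited prefix of an unquoted ImagePath as an
executable (C:\Program.exe, C:\Program Files\Vendor.exe, ...) before the
intended binary, so a writable directory earlier in the path lets a planted
file run with the service's privileges. This lists those paths so their
permissions can be checked. Sample entries below are constructed.
"""
import re

EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}$")  # prefix already names a file?

def candidate_paths(image_path: str) -> list:
    """Executable paths Windows may try, in order, for this ImagePath.

    A quoted path gives one candidate. For an unquoted path each prefix
    ending at a space is a candidate (".exe" appended when it lacks an
    extension); enumeration stops at the first prefix with an extension,
    taken to be the intended binary, and the rest is treated as arguments.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return [image_path[1:end]] if end > 1 else []
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if EXT_RE.search(prefix):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates

def hijack_points(image_path: str) -> list:
    """Paths tried before the intended binary; empty means not vulnerable."""
    return candidate_paths(image_path)[:-1]

def audit_services(services: dict) -> dict:
    """Map service name -> hijack points, for services that have any."""
    return {name: pts for name, path in services.items()
            if (pts := hijack_points(path))}

# Constructed registry-style entries, not real services on any system.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\goodsvc.exe" -run',
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "BadSvc": r"C:\Program Files\Some Vendor\Agent\agent.exe -service",
}
```

On a real host the dictionary would be filled from each service’s ImagePath value, and every returned hijack point whose parent directory is writable by standard users is a finding.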
6 days ago

Dozens of Amazon Workers in India and Romania Watch Customer-Submitted Cloud Cam Clips Including Rare Instance of People Having Sex

Dozens of Amazon workers based in India and Romania review select clips captured by the company’s Cloud Cam home security camera, according to five people who have worked on the program or have direct knowledge of it. The clips are then used to train the AI algorithms to do a better job distinguishing between a real threat and a false alarm. The video clips are voluntarily selected by users, and employee testers, for troubleshooting, and some of the clips are sensitive videos, such as rare instances of people having sex. At times, employees have shared sensitive video clips with others. Amazon said users could delete their sensitive clips at any time by visiting the Manage My Content and Devices page. (Bloomberg)
6 days ago

Advanced Malware Strain ‘Attor’ Found Spying on Diplomats and Russian-Speaking Users in Eastern Europe

An advanced malware strain called Attor has been deployed to spy on diplomats and Russian-speaking users in Eastern Europe and has been actively used in attacks since, according to an ESET report. The malware has the signs of a targeted espionage campaign perpetrated by a skilled actor, with a very narrow focus on a small selection of targets, specifically Russian-speaking users located in Russia. Some of Attor’s features include the targeting of popular Russian apps and services such as the social networks Odnoklassniki and VKontakte, VoIP provider Multifon, IM apps Qip and Infium, search engine Rambler, email clients Yandex and Mail.ru, and payment system WebMoney. (ZDNet)
7 days ago

Dutch Sex Work Forum Hookers.nl Hacked Due to Unpatched vBulletin Vulnerability, Data and Personal Details of Around 250,000 Users Stolen and Reportedly for Sale

A hacker has obtained the data and personal details of around 250,000 users of the Dutch sex-work forum Hookers.nl and is reportedly offering it for sale online.  A Hookers.nl moderator said the forum software supplier, vBulletin, had reported that a vulnerability had allowed an outsider access to the site’s database. The forum implemented a patch released earlier by vBulletin but recommended that users change their login credentials immediately. Both sex workers and their customers reportedly use the forum. Dutch broadcaster NOS, which broke the story, spoke to the hacker responsible, confirming that the data leak includes user names, IP addresses, and passwords. Those passwords are protected by encryption, though they might be crackable depending on the encryption used. The hacker also said the data had not yet been sold but expected it would be soon. (Forbes)
7 days ago

State-Sponsored Spies Targeted Two Moroccan Human Rights Activists With NSO Group’s Pegasus Spyware, Evidence of Man-in-the-Middle Attack Found on One Target’s Phone

Hackers likely working for a government targeted two Moroccan human rights activists with malware made by the controversial Israeli surveillance vendor NSO Group, according to a new report by Amnesty International. The Amnesty researchers describe a series of attacks against Maati Monjib, a historian and journalist, and Abdessadak El Bouchattaoui, a lawyer who represented a group of protesters in Morocco. The two men received a series of text messages containing links that pointed to infrastructure previously attributed to NSO Group by Amnesty as well as by the digital rights organization Citizen Lab. The links, if clicked, silently installed NSO’s Pegasus spyware on the targets’ phones. Monjib told Motherboard that in the last few years, “physical surveillance and then electronic surveillance have transformed my life to a hellish one.” The Amnesty researchers also found evidence of a “man-in-the-middle,” or network injection, attack that allowed the attackers to intercept web traffic and redirect visits to legitimate websites to malicious ones, infecting the targets with malware. The researchers found the evidence of the man-in-the-middle attack by inspecting Monjib’s browsing history, although they were not confident the attack was a result of NSO Group’s technology. (Motherboard)
7 days ago

Apple Caves to Chinese State Criticism and Pulls App That Allowed Hong Kong Protesters to Track Police

In one of several recent developments that show the power of the Chinese state to dictate the policies of American companies, Apple removed from its app store an app, HKmap.live, that enabled protesters in Hong Kong to track the police, a day after facing intense criticism from Chinese state media for it. Apple’s removal of the app followed an editorial by the People’s Daily, the flagship newspaper of the Chinese Communist Party, that accused Apple of aiding “rioters” in Hong Kong. Apple said it verified with the Hong Kong Cybersecurity and Technology Crime Bureau that the app has been used to target and ambush police and threaten public safety, and that criminals have used it to victimize residents in areas where they know there is no law enforcement. (New York Times)
7 days ago

Seven-Year-Old Critical RCE Flaw Found and Patched in iTerm2 macOS Terminal Emulator App

A seven-year-old critical remote code execution vulnerability tracked as CVE-2019-9535 has been discovered in the iTerm2 macOS terminal emulator app, a popular open-source replacement for Mac’s built-in terminal app. An independent security audit funded by the Mozilla Open Source Support Program (MOSS) and conducted by cybersecurity firm Radically Open Security (ROS) found the flaw. According to Mozilla, the vulnerability resides in the tmux integration feature of iTerm2, which, if exploited, could allow an attacker to execute arbitrary commands by providing malicious output to the terminal. The flaw can also be triggered through command-line utilities by tricking them into printing attacker-controlled content, eventually allowing attackers to execute arbitrary commands on the user’s Mac computer. The vulnerability affects iTerm2 versions up to and including 3.3.5 and was patched with the release of iTerm2 3.3.6. (The Hacker News)
7 days ago

Hackers Breached Cloud-Hosted Online Store Provider Volusion Impacting More Than 6,500 Stores Including Sesame Street Live Online

Hackers breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code known as Magecart malware that records and steals payment card details entered by users in online forms. The breach impacted more than 6,500 stores. The most notable store affected is the Sesame Street Live online store, which was taken down earlier today after another journalist reached out. Marcel Afrahim, a researcher at security firm Check Point, discovered the malicious code when he was browsing the Sesame Street Live store. The incident took place this week after hackers gained access to Volusion’s Google Cloud infrastructure, where they modified a JavaScript file and included malicious code that logs card details entered in online forms. In a tweet, Volusion said it was working on the issue. (ZDNet)
7 days ago

Few Americans Understand Important Aspects of Digital Security Including Phishing, Two-Factor Authentication, Private Browsing, Pew Study

Most Americans are relatively illiterate when it comes to essential aspects of everyday digital security, according to a new Pew survey of 4,272 adults in the United States. Just 2% of the adults surveyed were able to answer all ten questions aimed at digital knowledge, including questions on cookies and phishing, HTTPS, two-factor authentication, private browsing, and more. Pew found that people with more education had greater digital knowledge. (Washington Post)
7 days ago

Internal Email Shows That GitHub Will Renew ICE Contract Despite Opposition to Child Separation Policy

An internal GitHub email from GitHub CEO Nat Friedman explaining why the company plans to renew a contract with U.S. Immigration and Customs Enforcement (ICE), even though he and others at GitHub oppose ICE’s policy of separating children from parents at the border, highlights the ongoing debate within the tech community about whether to work with ICE. The product up for renewal is a $200,000 license of GitHub Enterprise Server, an on-premises deployment of GitHub that customers can run on their servers. The email notes that although ICE is a central facilitator of child separation, ICE also works on issues such as terrorism, child exploitation, money laundering, human trafficking, and cybercrime and that GitHub has no visibility into how its software is used. Friedman says GitHub will donate $500,000 to nonprofit organizations working with immigrant communities targeted by the current administration. (Motherboard)
1 week ago

EU Report Warns of 5G Supplier Risk From ‘Hostile’ Country With No Democratic Checks and Balances But Stops Short of Naming Huawei

A 5G supplier from a “hostile” country could be forced by its home government to wreak havoc by causing cyberattacks, a European Union report warned, stopping short of naming China’s controversial telecom tech giant Huawei. However, one key finding of the report states that a “strong link” between a 5G technology supplier and a government “where there are no legislative or democratic checks and balances in place” could prove a significant source of vulnerability. Drafted with input from all 28 European Union members, the report laid out the types of major security failures that could affect 5G networks and cautioned that putting all functions of a 5G network, including hardware and software, operations and maintenance, in the hands of a single company could leave entire countries at risk. (New York Times)
1 week ago

Hacker Breaks Into TOMS Shoes Mailing List and Sends Message to Subscribers Advising Them to Log Off Their Computers Because ‘There’s a World Out There’

A hacker who goes by the name “Nathan” broke into the computer systems of TOMS Shoes, gained access to their mailing list, and sent a message to subscribers on that list to log off their computers. “hey you, don’t look at a digital screen all day, theres a world out there that you’re missing out on,” Nathan wrote. “just felt some people need that,” they added. In an interview with Motherboard, Nathan said it was easy to hack into TOMS Shoes and said he sent the message for fun. TOMS confirmed the hack in an email statement. (Motherboard)