For a little over 12 hours on 26-27 July, a network operated by Russia’s Rostelecom started announcing routes for part of Apple’s network. The effect was that Internet users in parts of the Internet trying to connect to Apple’s services may have been redirected to the Rostelecom network. Apple Engineering appears to have been successful in reducing the impact, and eventually Rostelecom stopped sending the false route announcements. This event demonstrated, though, how Apple could further protect its networks by using Route Origin Authorizations (ROAs).
We are not aware of any information yet from Apple that indicates what, if any, Apple services were affected. We also have not seen any information from Rostelecom about whether this was a configuration mistake or a deliberate action.
Let’s dig into what we know so far about what happened, and how Route Origin Authorization (ROA) can help prevent these kinds of events.
Around 21:25 UTC on 26 July 2022, Rostelecom’s AS12389 network started announcing 17.70.96.0/19. This prefix is part of Apple’s 17.0.0.0/8 block; usually, Apple only announces the larger 17.0.0.0/9 block and not this more specific prefix.
When the routes a network is announcing are not covered by valid Route Origin Authorization (ROA), the only option during a route hijack is to announce more specific routes. This is exactly what Apple Engineering did today; upon learning about the hijack, it started announcing 17.70.96.0/21 to direct traffic toward AS714.
RIPE RIS data, captured via pybgpkit tool
It is not clear what AS12389 was doing, as it announced the same prefix at the same time with AS path prepending as well.
RIPE RIS data, captured via pybgpkit tool
In the absence of any credible data to filter out any possible hijack attempts, the route announced by AS12389 was propagated across the globe. The incident was picked up by BGPstream.com (Cisco Works) and GRIP Internet Intel (GA Tech).
Apple must have received the alert too. Whatever mitigation techniques they tried didn’t stop the Rostelecom announcement, so Apple announced the more specific route. In the BGP path selection process, the longest-matching route is preferred first: a more specific prefix is treated as a separate route and wins the forwarding lookup before any other attribute is compared, so prefix length supersedes all other route attributes. Apple started announcing 17.70.96.0/21 to direct traffic toward AS714.
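To make the mechanics concrete, here is an added Python example (not from the original article) that replays the announcements above through an RFC 6811 origin-validation check and a longest-prefix lookup. The ROA for 17.0.0.0/8 is hypothetical, since the text says Apple’s routes were not covered by one, and the destination addresses are constructed samples; the example also shows that the /21 mitigation reclaims only part of the hijacked /19, and that a ROA whose maxLength stops at /9 would itself mark Apple’s /21 as invalid.

```python
"""RPKI route origin validation (RFC 6811) and longest-prefix selection,
replayed over the announcements from the Apple/Rostelecom incident."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str        # prefix the address holder authorizes
    max_length: int    # longest prefix length the origin may announce
    origin_as: int     # AS allowed to originate it


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int


def rov_state(route: Route, roas) -> str:
    """Return 'valid', 'invalid' or 'notfound' for a route (RFC 6811 rules)."""
    net = ipaddress.ip_network(route.prefix)
    # ROAs whose prefix covers the announced prefix
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "notfound"          # no ROA at all: nothing to check against
    for r in covering:
        if r.origin_as == route.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"               # covered, but wrong origin or too specific


def accepted_routes(announcements, roas, drop_invalid: bool):
    """Routes a router keeps: with ROV enforced, 'invalid' ones are dropped."""
    return [a for a in announcements
            if not (drop_invalid and rov_state(a, roas) == "invalid")]


def best_route(dest_ip: str, rib):
    """Longest-prefix match: the most specific route covering dest_ip wins."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in rib if ip in ipaddress.ip_network(r.prefix)]
    return max(matching, default=None,
               key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def origin_for(dest_ip, announcements, roas=(), drop_invalid=False):
    """Which origin AS ends up receiving traffic for dest_ip."""
    rib = accepted_routes(announcements, roas, drop_invalid)
    best = best_route(dest_ip, rib)
    return best.origin_as if best else None


# Announcements described in the text: Apple's usual /9, Rostelecom's /19,
# and the /21 Apple announced as mitigation.
APPLE_NORMAL = Route("17.0.0.0/9", 714)
HIJACK = Route("17.70.96.0/19", 12389)
MITIGATION = Route("17.70.96.0/21", 714)

# Hypothetical ROA (assumption): the text says Apple had none at the time.
HYPOTHETICAL_ROAS = [ROA("17.0.0.0/8", 9, 714)]

# Constructed sample destinations: one inside the /21, one inside the /19
# but outside the /21.
IN_MITIGATED_BLOCK = "17.70.97.1"
IN_HIJACK_ONLY = "17.70.120.1"

if __name__ == "__main__":
    print("no ROA, before mitigation:",
          origin_for(IN_MITIGATED_BLOCK, [APPLE_NORMAL, HIJACK]))
    print("no ROA, after /21 mitigation:",
          origin_for(IN_MITIGATED_BLOCK, [APPLE_NORMAL, HIJACK, MITIGATION]),
          origin_for(IN_HIJACK_ONLY, [APPLE_NORMAL, HIJACK, MITIGATION]))
    print("ROV enforced with hypothetical ROA:",
          origin_for(IN_HIJACK_ONLY, [APPLE_NORMAL, HIJACK],
                     HYPOTHETICAL_ROAS, drop_invalid=True))
    print("ROV state of the /21 under a maxLength-9 ROA:",
          rov_state(MITIGATION, HYPOTHETICAL_ROAS))
```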
Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.
The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.
Exotic, yes. Rare, no.
On Monday, researchers from Kaspersky profiled CosmicStrand, the security firm’s name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. The find is among only a handful of such UEFI threats known to have been used in the wild. Until recently, researchers assumed that the technical demands required to develop UEFI malware of this caliber put it out of reach of most threat actors. Now, with Kaspersky attributing CosmicStrand to an unknown Chinese-speaking hacking group with possible ties to cryptominer malware, this type of malware may not be so rare after all.
“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described,” Kaspersky researchers wrote. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”
While researchers from fellow security firm Qihoo360 reported on an earlier variant of the rootkit in 2017, Kaspersky and most other Western-based security firms didn’t take notice. Kaspersky’s newer research describes in detail how the rootkit—found in firmware images of some Gigabyte or Asus motherboards—is able to hijack the boot process of infected machines. The technical underpinnings attest to the sophistication of the malware.
The United States’ federal court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.”
That quote comes from congressional representative Jerrold Lewis Nadler, who uttered them on Thursday in his introductory remarks to a House Committee on the Judiciary hearing conducting oversight of the Department of Justice National Security Division (NSD).
Nadler segued into the mention of the breach after mentioning the NSD’s efforts to defend America against external actors that seek to attack its system of government. He commenced his remarks on the attack at the 4:40 mark in the video below:
The rep’s remarks appear to refer to the January 2021 disclosure by James C. Duff, who at the time served as secretary of the Judicial Conference of the United States, of “an apparent compromise” of confidentiality in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF).
That incident may have exploited vulnerabilities in CM/ECF and “greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings.”
Such documents are filed by the US government in cases that touch on national security, and therefore represent valuable intelligence.
The star witness at the hearing, assistant attorney general for National Security Matthew Olsen, said the Department of Justice continues to investigate the matter, adding the attack has not impacted his unit’s work.
But Olsen was unable – or unwilling – to describe the incident in detail.
However, a report in Politico quoted an unnamed aide as saying “the sweeping impact it may have had on the operation of the Department of Justice is staggering.”
For now, the extent of that impact, and its cause, are not known.
The nature of the vulnerability and the methods used to exploit it are also unknown, but Nadler suggested it is not related to the SolarWinds attack that the Judiciary has already acknowledged.
Olsen said he would update the Committee with further information once that’s possible. Representatives in the hearing indicated they await those details with considerable interest.
The Car

Last summer I bought a 2021 Hyundai Ioniq SEL. It is a nice fuel-efficient hybrid with a decent amount of features like wireless Android Auto/Apple CarPlay, wireless phone charging, heated seats, & a sunroof. One thing I particularly liked about this vehicle was the In-Vehicle Infotainment (IVI) system. As I mentioned before it had wireless Android Auto which seemed to be uncommon in this price range, and it had pretty nice, smooth animations in its menus which told me the CPU/GPU in it wasn’t completely underpowered, or at least the software it was running wasn’t super bloated.
[greenluigi1] bought a Hyundai Ioniq car, and then, to our astonishment, absolutely demolished the Linux-based head unit firmware. By that, we mean that he bypassed all of the firmware update authentication mechanisms, reverse-engineered the firmware updates, and created subversive update files that gave him a root shell on his own unit. Then, he reverse-engineered the app framework running the dash and created his own app. Not just for show – after hooking into the APIs available to the dash and accessible through header files, he was able to monitor car state from his app, and even lock/unlock doors. In the end, the dash got completely conquered – and he even wrote a tutorial showing how anyone can compile their own apps for the Hyundai Ioniq D-Audio 2V dash.
In this series of write-ups [greenluigi1] put together for us, he walks us through the entire hacking process — and they’re a real treat to read. He covers a wide variety of things: breaking encryption of .zip files, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully placing backdoors into a Linux system, fighting cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, making plugins for proprietary undocumented frameworks; and many other reverse-engineering aspects that we will encounter when domesticating consumer hardware.
This marks a hacker’s victory over yet another computer in our life that we aren’t meant to modify, and a meticulously documented victory at that — helping each one of us fight back against “unmodifiable” gadgets like these. After reading these tutorials, you’ll leave with a good few new techniques under your belt. We’ve covered head units hacks like these before, for instance, for Subaru and Nissan, and each time it was a journey to behold.
The research paper explains the cloning process, which requires physical access to the hardware. To achieve the hack, the Nordic nRF52832 inside the AirTag must be voltage glitched to enable its debug port. The researchers were able to achieve this with relatively simple tools, using a Pi Pico fitted with a few additional components.
With the debug interface enabled, it’s simple to extract the microcontroller’s firmware. It’s then possible to clone this firmware onto another tag. The team also experimented with other hacks, like having the AirTag regularly rotate its ID to avoid triggering anti-stalking warnings built into Apple’s tracing system.
As the researchers explain, it’s clear that AirTags can’t really be secure as long as they’re based on a microcontroller that is vulnerable to such attacks. It’s not the first AirTag cloning we’ve seen either. They’re an interesting device with some serious privacy and safety implications, so it pays to stay abreast of developments in this area.
The US Supreme Court justices who overturned Roe v. Wade last month may have been doxxed – had their personal information including physical and IP addresses, and credit card info revealed – according to threat intel firm Cybersixgill.
As expected, the fallout from the controversial ruling, which reversed the court’s 1973 decision that federally protected access to abortion, has been immense, creating deep ripples across the cybersphere where data privacy concerns abound.
[…]
In a twist on using personal data for questionable purposes, it appears some hacktivists are taking matters into their own hands and seemingly leaked private information about five conservative Supremes: Justices Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh and Amy Coney Barrett, according to research published today by Cybersixgill’s security research lead Dov Lerner.
Although Chief Justice John Roberts voted with the majority, the doxxers didn’t expose his personal data.
Lerner, who told The Register he found the doxes on “various dark web forums,” said the “most notable” dox happened on June 30, and alleges to include physical addresses, IP addresses, and credit card information, including CVV (which the doxxers called “little funny 3 numbers on the back”) and expiration date.
Posing as a scholar, a Chinese woman spent years writing alternative accounts of medieval Russian history on Chinese Wikipedia, conjuring imaginary states, battles, and aristocrats in one of the largest hoaxes on the open-source platform.
The scam was exposed last month by Chinese novelist Yifan, who was researching for a book when he came upon an article on the Kashin silver mine.
Discovered by Russian peasants in 1344, the Wikipedia entry goes, the mine engaged more than 40,000 slaves and freedmen, providing a remarkable source of wealth for the Russian principality of Tver in the 14th and 15th centuries as well as subsequent regimes. The geological composition of the soil, the structure of the mine, and even the refining process were fleshed out in detail in the entry.
Yifan thought he’d found interesting material for a novel. Little did he know he’d stumbled upon an entire fictitious world constructed by a user known as Zhemao. It was one of 206 articles she has written on Chinese Wikipedia since 2019, weaving facts into fiction in an elaborate scheme that went uncaught for years and tested the limits of crowdsourced platforms’ ability to verify information and fend off bad actors.
[…]
Yifan was tipped off when he ran the silver mine story by Russian speakers and fact-checked Zhemao’s references, only to find that the pages or versions of the books she cited did not exist. People he consulted also called out her lengthy entries on ancient conflicts between Slavic states, which could not be found in Russian historical records. “They were so rich in details they put English and Russian Wikipedia to shame,” Yifan wrote on Zhihu, a Chinese site similar to Quora, where he shared his discovery last month and caused a stir.
The scale of the scam came to light after a group of volunteer editors and other Wikipedians, such as Yip, combed through her past contributions to nearly 300 articles.
One of her longest articles was almost the length of “The Great Gatsby.” With the formal, authoritative tone of an encyclopedia, it detailed three Tartar uprisings in the 17th century that left a lasting impact on Russia, complete with a map she made. In another entry, she shared rare images of ancient coins, which she claimed to have obtained from a Russian archaeological team.
Joshua Schulte was convicted of sending the CIA’s “Vault 7” cyber-warfare tools to the whistle-blowing platform. He had denied the allegations.
The 2017 leak of some 8,761 documents revealed how intelligence officers hacked smartphones overseas and turned them into listening devices.
Prosecutors said the leak was one of the most “brazen” in US history.
Damian Williams, the US attorney for the Southern District of New York, said Mr Schulte’s actions had “a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm”.
Mr Schulte, who represented himself at the trial in Manhattan federal court, now faces decades in prison. He also faces a separate trial on charges of possessing images and videos of child abuse, to which he has pleaded not guilty.
After joining the CIA in 2010, Mr Schulte soon achieved the organisation’s highest security clearance. He went on to work at the agency’s headquarters in Langley, Virginia, designing a suite of programmes used to hack computers, iPhones and Android phones and even smart TVs.
Prosecutors alleged that in 2016 he transmitted the stolen information to WikiLeaks and then lied to FBI agents about his role in the leak.
They added that he was seemingly motivated by anger over a workplace dispute in which his employer ignored his complaints. The software engineer had been struggling to meet deadlines and Assistant US Attorney Michael Lockard said one of his projects was so far behind schedule that he had earned the nickname “Drifting Deadline”.
The prosecutors said he wanted to punish those he perceived to have wronged him and said in “carrying out that revenge, he caused enormous damage to this country’s national security”.
But Mr Schulte said the government had no evidence that he was motivated by revenge and called the argument “pure fantasy”. In his closing argument, he claimed that “hundreds of people had access” to the leaked files and that “hundreds of people could have stolen it”.
“The government’s case is riddled with reasonable doubt,” he added.
Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner’s key fob. Dubbed “Rolling Pwn,” the attack allows any individual to “eavesdrop” on a remote key fob from nearly 100 feet away, capture its codes, and reuse them later to unlock or start the vehicle without the owner’s knowledge.
Despite Honda’s dispute that the technology in its key fobs “would not allow the vulnerability,” The Drive has independently confirmed the validity of the attack with its own demonstration.
Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle.
The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a “window.” When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks.
This attack works by eavesdropping on a paired key fob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to reuse older codes that would normally be invalid, even months after the codes have been captured.
A similar vulnerability was discovered late last year and added to the Common Vulnerabilities and Exposures database (CVE-2021-46145), and again this year for other Honda-branded vehicles (CVE-2022-27254). However, Honda has yet to address the issue publicly, or with any of the security researchers who have reported it. In fact, when the security researchers responsible for the latest vulnerability reached out to Honda to disclose the bug, they said they were instead told to call customer service rather than submit a bug report through an official channel.
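The window and invalidation behaviour described above, as an added Python model that is not part of the original article and not Honda’s implementation. The code sequence is derived from an HMAC over a counter, an assumption standing in for the fob’s PRNG; the shared key and the counter values are constructed samples.

```python
"""Toy rolling-code receiver with a look-ahead window.
A correctly behaving vehicle accepts a code from a fob that was pressed out
of range (counter ahead of what the car expects, within the window) and then
invalidates that code and everything before it, so a replayed capture fails."""
import hashlib
import hmac


def code_at(key: bytes, counter: int) -> bytes:
    """Deterministic code for a counter value; shared by fob and vehicle.
    Assumption: HMAC-SHA256 stands in for the vendor PRNG."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        code = code_at(self.key, self.counter)
        self.counter += 1          # advances even if the car never hears it
        return code


class Vehicle:
    WINDOW = 16                    # how far ahead of the expected counter to look

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.next_expected = key, counter

    def receive(self, code: bytes) -> bool:
        # Only counters at or beyond next_expected are candidates, so any code
        # older than the last accepted one is rejected (anti-replay).
        for c in range(self.next_expected, self.next_expected + self.WINDOW):
            if hmac.compare_digest(code_at(self.key, c), code):
                self.next_expected = c + 1   # invalidates c and everything before
                return True
        return False


def demo() -> dict:
    """Walk through the window behaviour; returns each decision by name."""
    key = b"constructed-shared-secret"       # constructed sample key
    fob, car = Fob(key), Vehicle(key)
    results = {}
    first = fob.press()
    results["first_press"] = car.receive(first)                 # True
    missed = [fob.press() for _ in range(3)]                    # pressed out of range
    results["replay_first"] = car.receive(first)                # False: already used
    results["resync_within_window"] = car.receive(fob.press())  # True: skips 3 ahead
    results["old_missed_code"] = car.receive(missed[0])         # False: invalidated
    desynced = Fob(key, counter=1000)                           # far beyond the window
    results["beyond_window"] = car.receive(desynced.press())    # False
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```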
Hotel group Marriott International has confirmed another data breach, with hackers claiming to have stolen 20 gigabytes of sensitive data, including guests’ credit card information.
The incident, first reported by Databreaches.net, is said to have happened in June when an unnamed hacking group claimed they used social engineering to trick an employee at a Marriott hotel in Maryland into giving them access to their computer.
[…]
Marriott said the hotel chain identified, and was investigating, the incident before the threat actor contacted the company in an extortion attempt, which Marriott said it did not pay.
The group claiming responsibility for the attack say the stolen data includes guests’ credit card information and confidential information about both guests and employees. Samples of the data provided to Databreaches.net purport to show reservation logs for airline crew members from January 2022 and names and other details of guests, as well as credit card information used to make bookings.
However, Marriott told TechCrunch that its investigation determined that the data accessed “primarily contained non-sensitive internal business files regarding the operation of the property.”
The company said that it is preparing to notify 300-400 individuals regarding the incident, and has already notified relevant law enforcement agencies.
This isn’t the first time Marriott has suffered a significant data breach. Hackers breached the hotel chain in 2014 to access almost 340 million guest records worldwide — an incident that went undetected until September 2018 and led to a £14.4 million ($24 million) fine from the U.K.’s Information Commissioner’s Office. In January 2020, Marriott was hacked again in a separate incident that affected around 5.2 million guests.
A hacker has claimed to have procured a trove of personal information from the Shanghai police on one billion Chinese citizens, which tech experts say, if true, would be one of the biggest data breaches in history.
The anonymous internet user, identified as “ChinaDan,” posted on hacker forum Breach Forums last week offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000.
“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen,” the post said.
“Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”
At least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of these hacking attempts, Reuters found.
The Reuters report is based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It also draws on a unique database of more than 80,000 emails sent by Indian hackers to 13,000 targets over a seven-year period. The database is effectively the hackers’ hit list, and it reveals a down-to-the-second look at who the cyber mercenaries sent phishing emails to between 2013 and 2020.
The data comes from two providers of email services the spies used to execute their espionage campaigns. The providers gave the news agency access to the material after it inquired about the hackers’ use of their services; they offered the sensitive data on condition of anonymity.
Reuters then vetted the authenticity of the email data with six sets of experts. Scylla Intel, a boutique cyber investigations firm, analyzed the emails, as did researchers from British defense contractor BAE, U.S. cybersecurity firm Mandiant, and technology companies LinkedIn, Microsoft and Google.
Each firm independently confirmed the database showed Indian hacking-for-hire activity by comparing it against data they had previously gathered about the hackers’ techniques. Three of the teams, at Mandiant, Google and LinkedIn, provided a closer analysis, finding the spying was linked to three Indian companies – one that Gupta founded, one that used to employ him and one he collaborated with.
“We assess with high confidence that this data set represents a good picture of the ongoing operations of Indian hack-for-hire firms,” said Shane Huntley, head of Google’s cyber threat analysis team.
Reuters reached out to every person in the database – sending requests for comment to each email address – and spoke to more than 250 individuals. Most of the respondents said the attempted hacks revealed in the email database occurred either ahead of anticipated lawsuits or as litigation was under way.
The targets’ lawyers were often hit, too. The Indian hackers tried to break into the inboxes of some 1,000 attorneys at 108 different law firms, Reuters found.
An employee of OpenSea’s email delivery vendor Customer.io “misused” their access to download and share OpenSea users’ and newsletter subscribers’ email addresses “with an unauthorized external party,” Head of Security Cory Hardman warned on Wednesday.
“If you have shared your email with OpenSea in the past, you should assume you were impacted,” Hardman continued.
To be clear: that is a whole lot of email addresses.
OpenSea is basically a virtual super-mall where people buy and sell non-fungible tokens — essentially an electronic receipt on a blockchain for some type of digital asset, like art, music or collectibles. In other words: nothing, which many, including Bill Gates, consider a very foolish purchase indeed.
OpenSea claims to be the largest NFT marketplace, and it boasts a transaction volume of over $20 billion and more than 600,000 users, all of which presumably provided their email addresses at one point.
Plus, there’s likely more that simply subscribed to the online bazaar’s email list.
[…] researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.
The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker’s infrastructure.
[Figure: graphic illustrating the steps listed above]
The threat actors also disguised the landing page of a control server. [Figure: screenshot of the disguised landing page]
Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.
The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018.
Machine learning is vulnerable to a wide variety of attacks. It is now well understood that by changing the underlying data distribution, an adversary can poison the model trained with it or introduce backdoors. In this paper we present a novel class of training-time attacks that require no changes to the underlying dataset or model architecture, but instead only change the order in which data are supplied to the model. In particular, we find that the attacker can either prevent the model from learning, or poison it to learn behaviours specified by the attacker. Furthermore, we find that even a single adversarially-ordered epoch can be enough to slow down model learning, or even to reset all of the learning progress. Indeed, the attacks presented here are not specific to the model or dataset, but rather target the stochastic nature of modern learning procedures. We extensively evaluate our attacks on computer vision and natural language benchmarks to find that the adversary can disrupt model training and even introduce backdoors.
The South Korean titan was said to have unfairly goosed Galaxy Note 3 phone benchmarks in 2013, and faced with similar allegations about the Galaxy S4 in 2018 settled that matter for $13.4 million.
This time Samsung has allegedly fudged the results for its televisions, specifically the S95B QD-OLED and QN95B Neo OLED LCD TVs.
These accusations were raised this month by YouTube channel HDTVTest on the S95B, and by reviews site FlatpanelsHD on the QN95B. The claims boil down to Samsung allegedly using an algorithm to detect when benchmarking software was running on the set and adjusting the color and artificially boosting luminance by up to 80 percent during the test to make the equipment look better in reviews.
According to the FlatpanelsHD report, those levels of brightness can’t be sustained during normal use without damaging the TV’s backlight panel.
An algorithm to detect and hoodwink benchmarking software is just what Samsung was accused of employing in those earlier examples.
We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate “backdoor key”, the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees.
First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is “clean” or contains a backdoor.
Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an “adversarially robust” classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represents a significant theoretical roadblock to certifying adversarial robustness.
In one exemplary stalking case, a fashion and fitness model discovered an AirTag in her coat pocket after having received a tracking warning notification from her iPhone. Other times, AirTags were placed in expensive cars or motorbikes to track them from parking spots to their owner’s home, where they were then stolen.
On February 10, Apple addressed this by publishing a news statement titled “An update on AirTag and unwanted tracking” in which they describe the way they are currently trying to prevent AirTags and the Find My network from being misused and what they have planned for the future.
[…]
Apple needs to incorporate non-genuine AirTags into their threat model, thus implementing security and anti-stalking features into the Find My protocol and ecosystem instead of in the AirTag itself, which can run modified firmware or not be an AirTag at all (Apple devices currently have no way to distinguish genuine AirTags from clones via Bluetooth).
The source code used for the experiment can be found here.
Edit: I have been made aware of a research paper titled “Who Tracks the Trackers?” (from November 2021) that also discusses this idea and includes more experiments. Make sure to check it out as well if you’re interested in the topic!
If you’ve been following the latest news on government surveillance scandals around the world, the name Pegasus may have popped up in your feed. It’s a complex story, so we’ve put together an infographic explainer that covers all the basics.
How does Pegasus work? Check. Which world leaders were targeted? Check. Astonishing subscription costs? Check. Gasp. Check. Our infographic should help you understand why NSO’s Pegasus software is in the news so much.
General Motors suffered a hack that exposed a significant amount of sensitive personal information on car owners—names, addresses, phone numbers, locations, car mileage, and maintenance history.
The Detroit-based automaker revealed details of the incident in a breach disclosure filed with the California Attorney General’s Office on May 16. The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29. Further investigation revealed that the company had been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards.
[…]
In addition to the reward points theft, the incident also exposed a significant amount of user information. GM’s breach notification lays out a full list of the information that may have been compromised by the hackers:
Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.
The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they “assume at least 30 million people had some of their data leaked.” MGM Resorts, a hotel and casino chain, did not respond to The Register‘s request for comment.
The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter’s Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.
But while crooks initially sold those 142 million records on a dark-web marketplace for about $3,000 as a packaged deal, this time the data is freely available on Telegram, which vpnMentor rightly describes as “much more accessible for even the least tech-savvy people.”
Perhaps the recent takedown of stolen-data market RaidForums and the Hydra dark-web souk has something to do with this? Or that the info is no longer worth selling, or no one’s interested in buying it, perhaps.
According to the VPN services company, the data dumped on Telegram includes the following customer information from before 2017:
On the same day Russia celebrated its role in defeating Nazi Germany, many of the country’s online platforms were defaced in protest of the war in Ukraine. The Washington Post reported on Monday that Russians with smart TVs saw channel listings replaced with a message implicating them in the ongoing conflict. “The blood of thousands of Ukrainians and hundreds of murdered children is on your hands,” the message read, according to the outlet. “TV and authorities are lying. No to war.”
In addition to smart TVs, the apparent hack targeted some of the country’s largest internet companies, including Yandex. Hackers also went after Rutube, Russia’s alternative to YouTube. “Our video hosting has undergone a powerful cyberattack. At the moment, it is not possible to access the platform,” the service said in a statement it posted on its Telegram channel. Rutube later stated it had isolated the attack and that its content library wasn’t accessed in the incident.
Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild.
The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible.
[…]
The dropper copies the legitimate OS error handling file WerFault.exe to ‘C:\Windows\Tasks’ and then drops an encrypted binary resource to the ‘wer.dll’ (Windows Error Reporting) in the same location, for DLL search order hijacking to load malicious code.
[…]
Legezo says that the dropper’s purpose is to put the loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 – ‘AB’ in ASCII). If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager.
“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs” – Denis Legezo, lead security researcher at Kaspersky
The new technique analyzed by Kaspersky is likely on its way to becoming more popular as source code for injecting payloads into Windows event logs has been available in the public space for a brief period.
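A defender-side check for the staging pattern described above, as an added example that is not part of the original article or Kaspersky’s tooling; the event records are constructed in-memory stand-ins for what an EVTX parser would return, and the provider name is a placeholder:

```python
"""Flag event-log records matching the staged-shellcode pattern from the
Kaspersky write-up: task category 0x4142 ('AB') with an 8 KB high-entropy
payload, later concatenated into the next stage. Added example, not the
article's or Kaspersky's code; records are constructed EVTX-parser stand-ins."""
import math, random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
SUSPECT_CATEGORY = 0x4142  # 'AB' in ASCII, as stated in the article
CHUNK_SIZE = 8 * 1024      # 8 KB chunks, as stated in the article

@dataclass
class EventRecord:
    record_id: int
    provider: str
    task_category: int
    data: bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspect(rec: EventRecord) -> bool:
    """All three signals together; any one alone is too noisy to alert on."""
    return (rec.task_category == SUSPECT_CATEGORY
            and len(rec.data) == CHUNK_SIZE
            and shannon_entropy(rec.data) > 7.0)

def find_staged_payload(records: List[EventRecord]) -> Dict[str, object]:
    """Suspect chunks in record order (the order a stager would reassemble
    them) plus the totals a responder needs to scope the extraction."""
    hits = sorted((r for r in records if is_suspect(r)), key=lambda r: r.record_id)
    return {"suspect_record_ids": [r.record_id for r in hits],
            "staged_bytes": sum(len(r.data) for r in hits),
            "providers": sorted({r.provider for r in hits})}

def constructed_records() -> List[EventRecord]:
    """Constructed sample: two encrypted-looking chunks plus three decoys."""
    rng = random.Random(1234)
    blob = lambda: bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    return [EventRecord(1, "ExampleProvider", 0, b"service started"),
            EventRecord(2, "ExampleProvider", SUSPECT_CATEGORY, blob()),
            EventRecord(3, "ExampleProvider", SUSPECT_CATEGORY, b"A" * CHUNK_SIZE),
            EventRecord(4, "ExampleProvider", SUSPECT_CATEGORY, blob()),
            EventRecord(5, "ExampleProvider", SUSPECT_CATEGORY, b"short")]

if __name__ == "__main__":
    print(find_staged_payload(constructed_records()))
```

The low-entropy and short-payload decoys show why the category marker alone is not a sufficient alert condition.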
In response to Russia’s invasion of Ukraine, several Hollywood studios announced the immediate suspension of new releases in Russia. Unexpectedly, some Russian theaters are still able to show movies such as The Batman on the big screen but this isn’t down to the studios. The movies are sourced from illegal torrent sites and few seem afraid to admit it.