Hackers have stolen an estimated $130 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.

The incident, detected earlier today by blockchain security firms PeckShield and SlowMist, was confirmed by the Cream Finance team earlier today.

The attackers are believed to have found a vulnerability in the platform’s lending system —called flash loaning— and used it to steal all of Cream’s assets and tokens running on the Ethereum blockchain, according to blockchain security firm BlockSec, which also posted an explanation of the security flaw on Twitter earlier today.

Our initial analysis of the Cream Finance attack:https://t.co/TysI7fjyPU@Mudit__Gupta @bantg @CreamdotFinance pic.twitter.com/wScUvizBtX

— BlockSec (@BlockSecTeam) October 27, 2021

A breakdown of the stolen funds is available below, courtesy of the SlowMist team.

Roughly six hours after the attack, Cream Finance said it fixed the bug exploited in the hack with the help of cryptocurrency platform Yearn.

Even if the attacker’s initial wallet, used to exfiltrate a large chunk of the funds, has been identified, the funds have already been moved to new accounts, and there appears to be a small chance the stolen crypto can be tracked down and returned to the platform.

Third time’s a charm

Today’s hack marks the third time Cream Finance has been hacked this year after the company lost $37 million in February and another $29 million in August.

All attacks were flash loan exploits, a common way through which most DeFi platforms have been hacked over the past two years.

DeFi related hacks have accounted for 76% of all major hacks in 2021, and users have lost more than $474 million to attacks on DeFi platforms this year, CipherTrace said in a report in August.

Similarly, DeFi hacks also made up 21% of all the 2020 cryptocurrency hacks and stolen funds after being almost inexistent a year before, in 2019, the same CipherTrace said in a report last year.

The Cream heist also marks the second-largest cryptocurrency hack this year after DeFi platform Poly Network lost $600 million in August. However, the individual behind the Poly hack eventually returned all the stolen funds two weeks later on the promise the company won’t seek charges.

Source: Hackers steal $130 million from Cream Finance; the company’s 3rd hack this year – The Record by Recorded Future

A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.

The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons.

The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizen’s personal information.

Lionel Messi and Sergio Aguero data leaked on Twitter

The first evidence that someone breached RENAPER surfaced earlier this month on Twitter when a newly registered account named @AnibalLeaks published ID card photos and personal details for 44 Argentinian celebrities.

This included details for the country’s president Alberto Fernández, multiple journalists and political figures, and even data for soccer superstars Lionel Messi and Sergio Aguero.

A day after the images and personal details were published on Twitter, the hacker also posted an ad on a well-known hacking forum, offering to look up the personal details of any Argentinian user.

Faced with a media fallback following the Twitter leaks, the Argentinian government confirmed a security breach three days later.

In an October 13 press release, the Ministry of Interior said its security team discovered that a VPN account assigned to the Ministry of Health was used to query the RENAPER database for 19 photos “in the exact moment in which they were published on the social network Twitter.”

Officials added that “the [RENAPER] database did not suffer any data breach or leak,” and authorities are now currently investigating eight government employees about having a possible role in the leak.

Hacker has a copy of the data, plans to sell and leak it

However, The Record contacted the individual who was renting access to the RENAPER database on hacking forums.

In a conversation earlier today, the hacker said they have a copy of the RENAPER data, contradicting the government’s official statement.

The individual proved their statement by providing the personal details, including the highly sensitive Trámite number, of an Argentinian citizen of our choosing.

[…]

Source: Hacker steals government ID database for Argentina’s entire population – The Record by Recorded Future

Yet again we see how centralised databases are such a good idea. And if countries are so terrible at protecting extremely sensitive data, how do you think weakening protections by allowing countries master key type access to encrypted data is going to make anything better for anyone?

[…]A hacker gang, […] has been infiltrating telecoms throughout the world to steal phone records, text messages, and associated metadata directly from carrier users.

That’s according to a new report from cybersecurity firm CrowdStrike, which published a technical analysis of the mysterious group’s hacking campaign on Tuesday. The report, which goes into a significant amount of detail, shows that the hackers behind the campaign have managed to infiltrate 13 different global telecoms in the span of just two years.

Researchers say that the group, which has been active since 2016, uses highly sophisticated hacking techniques and customized malware to infiltrate and embed within networks. Reuters reports that this has included exfiltrating “calling records and text messages” directly from carriers. Earlier research on the group suggests it has also been known to target managed service providers as an entry point into specific industries—such as finance and consulting.[…]

Source: Cybercrime Group Has Been Hacked Telecoms All Over the World

An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.

Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.

“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.

His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable’s radiations could then be picked up by the SDR (in Guri’s case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.

Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed were secure or otherwise air-gapped from the outside world.

He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.

“We could transmit both text and binary, and also achieve faster bit-rates,” acknowledged Guri when El Reg asked about the obvious limitations described in his paper [PDF]. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.”

[…]

Source: LANtenna attack reveals Ethernet cable traffic contents • The Register

A woman allegedly hacked into the systems of a flight training school in Florida to delete and tamper with information related to the school’s airplanes. In some cases, planes that previously had maintenance issues had been “cleared” to fly, according to a police report. The hack, according to the school’s CEO, could have put pilots in danger.

Lauren Lide, a 26-year-old who used to work for the Melbourne Flight Training school, resigned from her position of Flight Operations Manager at the end of November of 2019, after the company fired her father. Months later, she allegedly hacked into the systems of her former company, deleting and changing records, in an apparent attempt to get back at her former employer, according to court records obtained by Motherboard.

[…]

Source: Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly

Microsoft said its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack this year, at the end of August, representing the largest DDoS attack recorded to date.

Amir Dahan, Senior Program Manager for Azure Networking, said the attack was carried out using a botnet of approximately 70,000 bots primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the United States.

Dahan identified the target of the attack only as “an Azure customer in Europe.”

The Microsoft exec said the record-breaking DDoS attack came in three short waves, in the span of ten minutes, with the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

Dahan said Microsoft successfully mitigated the attack without Azure going down.

Prior to Microsoft’s disclosure today, the previous DDoS record was held by a 2.3 Tbps attack that Amazon’s AWS division mitigated in February 2020.

Dahan said the largest DDoS attack that hit Azure prior to the August attack was a 1 Tbps attack the company saw in Q3 2020, while this year, Azure didn’t see a DDoS attack over 625 Mbps all year.

Record for largest volumetric DDoS attack broken days later too

Just days after Microsoft mitigated this attack, a botnet called Meris broke another DDoS record — the record for the largest volumetric DDoS attack.

According to Qrator Labs, the operators of the Meris botnet launched a DDoS attack of 21.8 million requests per second (RPS) in early September. Sources told The Record last month that the attack targeted a Russian bank that was hosting its e-banking portal on Yandex Cloud servers.

Security firm Rostelecom-Solar sinkholed around a quarter of the Meris botnet later that month.

It is unclear if the Meris botnet was behind the attack detected and mitigated by Microsoft in August. An Azure spokesperson did not return a request for comment.

Source: Microsoft said it mitigated a 2.4 Tbps DDoS attack, the largest ever

Another day, another massive privacy breach nobody will do much about. This time it’s Neiman Marcus, which issued a statement indicating that the personal data of roughly 4.6 million U.S. consumers was exposed thanks to a previously undisclosed data breach that occurred last year. According to the company, the data exposed included login in information, credit card payment information, virtual gift card numbers, names, addresses, and the security questions attached to Neiman Marcus accounts. The company is, as they always are in the wake of such breaches, very, very sorry:

“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, Chief Executive Officer. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

As is par for the course for this kind of stuff, the actual breach is likely much worse than what’s first being reported here. And by the time the full scope of the breach becomes clear, the press will have largely lost interest. The company set up a website for those impacted to get more information. In this case, impacted consumers didn’t even get free credit reporting, the standard mea culpa hand out after these kinds of events (which is worthless since consumers have received free credit reporting for countless hacks and leaks over the last five to ten years).

[…]

Source: Neiman Marcus Breach Exposes Data Of 4.6 Million Users | Techdirt

An anonymous hacker claims to have leaked the entirety of Twitch, including its source code and user payout information.

The user posted a 125GB torrent link to 4chan on Wednesday, stating that the leak was intended to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool”.

VGC can verify that the files mentioned on 4chan are publicly available to download as described by the anonymous hacker.

One anonymous company source told VGC that the leaked data is legitimate, including the source code for the Amazon-owned streaming platform.

Internally, Twitch is aware of the breach, the source said, and it’s believed that the data was obtained as recently as Monday. We’ve requested comment from Twitch and will update this story when it replies.

[UPDATE: Twitch has confirmed the leak is authentic: “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”]

he leaked Twitch data reportedly includes:

• The entirety of Twitch’s source code with commit history “going back to its early beginnings”
• Creator payout reports from 2019
• Mobile, desktop and console Twitch clients
• Proprietary SDKs and internal AWS services used by Twitch
• “Every other property that Twitch owns” including IGDB and CurseForge
• An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
• Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

Some Twitter users have started making their way through the 125GB of information that has leaked, with one claiming that the torrent also includes encrypted passwords, and recommending that users enable two-factor authentication to be safe.

If you have a Twitch account, it’s recommended that you also turn on two-factor authentication, which ensures that even if your password is compromised, you still need your phone to prove your identity using either SMS or an authenticator app.

To turn on two-factor identification:

• Log on to Twitch, click your avatar and choose Settings
• Go to Security and Privacy, then scroll down to the Security setting
• Choose Edit Two-Factor Authentication to see if it’s already activated. If not, follow the instructions to turn it on (you’ll need your phone)

Source: The entirety of Twitch has reportedly been leaked | VGC

A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.

The company, Syniverse, revealed in a filing dated September 27 with the U.S. Security and Exchange Commission that an unknown “individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers.”

A former Syniverse employee who worked on the EDT systems told Motherboard that those systems have information on all types of call records.

[…]

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other,” the source, who asked to remain anonymous as they were not authorized to talk to the press, told Motherboard. “So it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers.”

The company wrote that it discovered the breach in May 2021, but that the hack began in May of 2016.

[…]

“The world’s largest companies and nearly all mobile carriers rely on Syniverse’s global network to seamlessly bridge mobile ecosystems and securely transmit data, enabling billions of transactions, conversations and connections [daily],” Syniverse wrote in a recent press release.

“Syniverse has access to the communication of hundreds of millions, if not billions, of people around the world. A five-year breach of one of Syniverse’s main systems is a global privacy disaster,” Karsten Nohl, a security researcher who has studied global cellphone networks for a decade, told Motherboard in an email. “Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”

[…]

Syniverse disclosed the breach in an August SEC filing as the company gearing to go public at a valuation of $2.85 billion via a merger with M3-Brigade Acquisition II Corp., a special purpose acquisition company (SPAC).

[…]

Source: Company That Routes Billions of Text Messages Quietly Says It Was Hacked

Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis.

Discovered by mobile security firm Zimperium, the new GriftHorse malware has been distributed via benign-looking apps uploaded on the official Google Play Store and on third-party Android app stores.

Malware subscribes users to premium SMS services

If users install any of these malicious apps, GriftHorse starts peppering users with popups and notifications that offer various prizes and special offers.

Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over €30 ($35) per month, money that are later redirected into the GriftHorse operators’ pockets.

[…]

the two Zimperium researchers said that besides numbers, the GriftHorse coders also invested in their malware’s code quality, using a wide spectrum of websites, malicious apps, and developer personas to infect users and avoid detection for as much as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained.

“In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims,”

GriftHorse is making millions in monthly profits

Based on what they’ve seen until now, the researchers estimated that the GriftHorse gang is currently making between €1.2 million and €3.5 million per month from their scheme ($1.5 million to $4 million per month).

[…]

Source: New GriftHorse malware has infected more than 10 million Android phones – The Record by Recorded Future

Epik’s massive data breach is already affecting lives. Today the Washington Post describes a real estate agent in Pompano Beach who urged buyers on Facebook to move to “the most beautiful State.” His name and personal details “were found on invoices suggesting he had once paid for websites with names such as racisminc.com, whitesencyclopedia.com, christiansagainstisrael.com and theholocaustisfake.com”. The real estate brokerage where he worked then dropped him as an agent. The brokerage’s owner told the Post they didn’t “want to be involved with anyone with thoughts or motives like that.”

“Some users appear to have relied on Epik to lead a double life,” the Post reports, “with several revelations so far involving people with innocuous day jobs who were purportedly purveyors of hate online.” (Alternate URL here.) Epik, based outside Seattle, said in a data-breach notice filed with Maine’s attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed…. Heidi Beirich, a veteran researcher of hate and extremism, said she is used to spending weeks or months doing “the detective work” trying to decipher who is behind a single extremist domain. The Epik data set, she said, “is like somebody has just handed you all the detective work — the names, the people behind the accounts…”

Many website owners who trusted Epik to keep their identities hidden were exposed, but some who took additional precautions, such as paying in bitcoin and using fake names, remain anonymous….

Aubrey “Kirtaner” Cottle, a security researcher and co-founder of Anonymous, declined to share information about the hack’s origins but said it was fueled by hackers’ frustrations over Epik serving as a refuge for far-right extremists. “Everyone is tired of hate,” Cottle said. “There hasn’t been enough pushback, and these far-right players, they play dirty. Nothing is out of bounds for them. And now … the tide is turning, and there’s a swell moving back in their direction.”
Earlier in the week, the Post reported: Since the hack, Epik’s security protocols have been the target of ridicule among researchers, who’ve marveled at the site’s apparent failure to take basic security precautions, such as routine encryption that could have protected data about its customers from becoming public… The hack even exposed the personal records from Anonymize, a privacy service Epik offered to customers wanting to conceal their identity.

Source: 110,000 Affected by Epik Breach – Including Those Who Trusted Epik to Hide Their Identity – Slashdot

A collection containing data about more than 700 million users, believed to have been scraped from LinkedIn, was leaked online this week after hackers previously tried to sell it earlier this year in June.

The collection, obtained by The Record from a source, is currently being shared in private Telegram channels in the form of a torrent file containing approximately 187 GB of archived data.

The Record analyzed files from this collection and found the data to be authentic, with data points such as:

• LinkedIn profile names
• LinkedIn ID
• LinkedIn profile URL
• Location information (town, city, country)
• Email addresses

While the vast majority of the data points contained in the leak are already public information and pose no threat to LinkedIn users, the leak also contains email addresses that are not normally viewable to the public on the official LinkedIn site.

[…]

Source: Hackers leak LinkedIn 700 million data scrape – The Record by Recorded Future

The Kaseya ransomware attack, which occurred in July and affected as many as 1,500 companies worldwide, was a big, destructive mess—one of the largest and most unwieldy of its kind in recent memory. But new information shows the FBI could have lightened the blow victims suffered but chose not to.

A new report from the Washington Post shows that, shortly after the attack, the FBI came into possession of a decryption key that could unlock victims’ data—thus allowing them to get their businesses back up and running. However, instead of sharing it with them or Kaseya, the IT firm targeted by the attack, the bureau kept it a secret for approximately three weeks.

The feds reportedly did this because they were planning an operation to “disrupt” the hacker gang behind the attack—the Russia-based ransomware provider REvil—and didn’t want to tip their hand. However, before the FBI could put its plan into action, the gang mysteriously disappeared. The bureau finally shared the decryption key with Kaseya on July 21—about a week after the gang had vanished.

[…]

Source: FBI Had REvil’s Kaseya Ransomware Decryption Key for Weeks: Report

Source: Alaska discloses ‘sophisticated’ nation-state cyberattack on health service – The Record by Recorded Future

A threat actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer.

While the threat actor states that the exploited Fortinet vulnerability has since been patched, they claim that many VPN credentials are still valid.

[…]

The list of Fortinet credentials was leaked for free by a threat actor known as ‘Orange,’ who is the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk Ransomware operation.

[…]

Both posts lead to a file hosted on a Tor storage server used by the Groove gang to host stolen files leaked to pressure ransomware victims to pay.

BleepingComputer’s analysis of this file shows that it contains VPN credentials for 498,908 users over 12,856 devices.

While we did not test if any of the leaked credentials were valid, BleepingComputer can confirm that all of the IP address we checked are Fortinet VPN servers.

Further analysis conducted by Advanced Intel shows that the IP addresses are for devices worldwide, with 2,959 devices located in the USA.

[…]

Kremez told BleepingComputer that the Fortinet CVE-2018-13379 vulnerability was exploited to gather these credentials.

A source in the cybersecurity industry told BleepingComputer that they were able to legally verify that at least some of the leaked credentials were valid.

It is unclear why the threat actor released the credentials rather than using them for themselves, but it is believed to have been done to promote the RAMP hacking forum and the Groove ransomware-as-a-service operation.

[…]

Source: Hackers leak passwords for 500,000 Fortinet VPN accounts

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

[…]

Source: FTC bans spyware maker SpyFone, and orders it to notify hacked victims | TechCrunch

Some of the most successful and lucrative online scams employ a “low-and-slow” approach — avoiding detection or interference from researchers and law enforcement agencies by stealing small bits of cash from many people over an extended period. Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials.

[…]

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

A sample of some of the most frequent search queries made in a single day by the gift card gang against more than 50,000 hacked inboxes.

According to Bill, the fraudsters aren’t downloading all of their victims’ emails: That would quickly add up to a monstrous amount of data. Rather, they’re using automated systems to log in to each inbox and search for a variety of domains and other terms related to companies that maintain loyalty and points programs, and/or issue gift cards and handle their fulfillment.

Why go after hotel or airline rewards? Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

[…]

Bill’s data also shows that this gang is so aggressively going after gift card data that it will routinely seek new gift card benefits on behalf of victims, when that option is available. For example, many companies now offer employees a “wellness benefit” if they can demonstrate they’re keeping up with some kind of healthy new habit, such as daily gym visits, yoga, or quitting smoking.

Bill said these crooks have figured out a way to tap into those benefits as well.

“A number of health insurance companies have wellness programs to encourage employees to exercise more, where if you sign up and pledge to 30 push-ups a day for the next few months or something you’ll get five wellness points towards a $10 Starbucks gift card, which requires 1000 wellness points,” Bill explained. “They’re actually automating the process of replying saying you completed this activity so they can bump up your point balance and get your gift card.”

[…]

several large Internet service providers (ISPs) in Germany and France are heavily represented in the compromised email account data.

“With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said. “I don’t know why they’re getting popped so heavily.”

[…]

Source: Gift Card Gang Extracts Cash From 100k Inboxes Daily – Krebs on Security

John Binns, a 21-year-old American who now lives in Turkey, told the Wall Street Journal that he was behind the T-Mobile security breach that affected more than 50 million people earlier this month.

The intrigue: Binns said he broke through the T-Mobile defenses after discovering an unprotected router exposed on the internet, after scanning the carrier’s internet addresses for weak spots using a publicly available tool.

• “I was panicking because I had access to something big,” he wrote in Telegram messages to the Journal. “Their security is awful.”
• “Generating noise was one goal,” Binns said. He declined to say whether he sold any of the information he stole, or whether he was paid for the hack.

The big picture: It was the third major data leak the network has disclosed in the last two years, per WSJ. T-Mobile is the second-largest U.S. mobile carrier, housing the data of around 90 million cellphones.

Background: Some of the information exposed in the breach included names, dates of birth, social security numbers and personal ID information. The breach is being investigated Seattle’s FBI office, according to the Journal.

Source: T-Mobile hacker explains how he breached carrier’s security – Axios

The remote code execution flaw, CVE-2021-35395, was seen in Mirai malware binaries by threat intel firm Radware, which “found that new malware binaries were published on both loaders leveraged in the campaign.”

Warning that the vuln had been included in Dark.IoT’s botnet “less than a week” after it was publicly disclosed, Radware said: “This vulnerability was recently disclosed by IoT Inspectors Research Lab on August 16th and impacts IoT devices manufactured by 65 vendors relying on the Realtek chipsets and SDK.”

The critical vuln, rated 9.8 on the CVSS scale, consists of multiple routes to cause buffer overflows (PDF from Realtek with details) in the web management interface provided by Realtek in its Jungle SDK for its router chipset. CVE-2021-35395 is a denial-of-service vuln; crafted inputs from an attacker can be used to crash the HTTP server running the management interface, and thus the router.

[…]

Rather than having the capability to develop its own exploits, Dark.IoT sits around waiting for white hats to publish proof-of-concepts for newly discovered vulns, and Smith said they incorporate those into their botnet within “days.”

[…]

While Realtek has patched the vulns in the SDK, vendors using its white-label tech now have to distribute patches for their branded devices and then users have to install them – all while Dark.IoT and other Mirai-based criminals are looking for exploitable devices.

[…]

Source: Mirai-style IoT botnet is now scanning for router-pwning critical vuln in Realtek kit • The Register

[…]

The Belarusian Cyber Partisans, as the hackers call themselves, have in recent weeks released portions of a huge data trove they say includes some of the country’s most secret police and government databases. The information contains lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centers and secret recordings of phone calls from a government wiretapping system, according to interviews with the hackers and documents reviewed by Bloomberg News.

Among the pilfered documents are personal details about Lukashenko’s inner circle and intelligence officers. In addition, there are mortality statistics indicating that thousands more people in Belarus died from Covid-19 than the government has publicly acknowledged, the documents suggest.

In an interview and on social media, the hackers said they also sabotaged more than 240 surveillance cameras in Belarus and are preparing to shut down government computers with malicious software named X-App.

[…]

the data exposed by the Cyber Partisans showed “that officials knew they were targeting innocent people and used extra force with no reason.” As a result, he said, “more people are starting to not believe in propaganda” from state media outlets, which suppressed images of police violence during anti-government demonstrations last year.

[…]

The hackers have teamed up with a group named BYPOL, created by former Belarusian police officers, who defected following the disputed election of Lukashenko last year. Mass demonstrations followed the election, and some police officers were accused of torturing and beating hundreds of citizens in a brutal crackdown.

[…]

The wiretapped phone recordings obtained by the hackers revealed that Belarus’s interior ministry was spying on a wide range of people, including police officers—both senior and rank-and-file—as well as officials working with the prosecutor general, according to Azarau. The recordings also offer audio evidence of police commanders ordering violence against protesters, he said.

[…]

Earlier this year, an affiliate of the group obtained physical access to a Belarus government facility and broke into the computer network while inside, the spokesman said. That laid the groundwork for the group to later gain further access, compromising some of the ministry’s most sensitive databases, he said. The stolen material includes the archive of secretly recorded phone conversations, which amounts to between 1 million and 2 million minutes of audio, according to the spokesman.

[…]

The hackers joined together in September 2020, after the disputed election. Their initial actions were small and symbolic, according to screenshots viewed by Bloomberg News. They hacked state news websites and inserted videos showing scenes of police brutality. They compromised a police “most wanted” list, adding the names of Lukashenko and his former interior minister, Yury Karayeu, to the list. And they defaced government websites with the red and white national flags favored by protesters over the official Belarusian red and green flag.

Those initial breaches attracted other hackers to the Cyber Partisans’ cause, and as it has grown, the group has become bolder with the scope of its intrusions. The spokesman said its aims are to protect the sovereignty and independence of Belarus and ultimately to remove Lukashenko from power.

[…]

Names and addresses of government officials and alleged informants obtained by the hackers have been shared with Belarusian websites, including Blackmap.org, that seek to “name and shame” people cooperating with the regime and its efforts to suppress peaceful protests, according to Viačorka and the websites themselves.

[…]

Source: Belarus Hackers Seek to Overthrow Local Government – Bloomberg

[…]

When you plug in one of these Razer peripherals, Windows will automatically download Razer Synapse, the software that controls certain settings for your mouse or keyboard. Said Razer software has SYSTEM privileges, since it launches from a Windows process with SYSTEM privileges.

But that’s not where the vulnerability comes into play. Once you install the software, Windows’ setup wizard asks which folder you’d like to save it to. When you choose a new location for the folder, you’ll see a “Choose a Folder” prompt. Press Shift and right-click on that, and you can choose “Open PowerShell window here,” which will open a new PowerShell window.

Because this PowerShell window was launched from a process with SYSTEM privileges, the PowerShell window itself now has SYSTEM privileges. In effect, you’ve turned yourself into an admin on the machine, able to perform any command you can think of in the PowerShell window.

This vulnerability was first brought to light on Twitter by user jonhat, who tried contacting Razer about it first, to no avail. Razer did eventually follow up, confirming a patch is in the works. Until that patch is available, however, the company is inadvertently selling tools that make it easy to hack millions of computers.

[…]

Source: You Can Gain Admin Privileges to Any Windows Machine by Plugging in a Razer Mouse

A well-known threat actor with a long list of previous breaches is selling private data that was allegedly collected from 70 million AT&T customers. We analyzed the data and found it to include social security numbers, date of birth, and other private information. The hacker is asking $1 million for the entire database (direct sell) and has provided RestorePrivacy with exclusive information for this report.

Update: AT&T has initially denied the breach in a statement to RestorePrivacy. The hacker has responded by saying, “they will keep denying until I leak everything.”

Hot on the heels of a massive data breach with T Mobile earlier this week, AT&T now appears to be in the spotlight. A well-known threat actor in the underground hacking scene is claiming to have private data from 70 million AT&T customers. The threat actor goes by the name of ShinyHunters and was also behind other previous exploits that affected Microsoft, Tokopedia, Pixlr, Mashable, Minted, and more.

The hacker posted the leak on an underground hacking forum earlier today, along with a sample of the data that we analyzed. The original post is below:

We examined the data for this report and also reached out to the hacker who posted it for sale.

70 million AT&T customers could be at risk

In the original post that we discovered on a hacker forum, the user posted a relatively small sample of the data. We examined the sample and it appears to be authentic based on available public records. Additionally, the user who posted it has a history of major data breaches and exploits, as we’ll examine more below.

While we cannot yet confirm the data is from AT&T customers, everything we examined appears to be valid. Here is the data that is available in this leak:

• Name
• Phone number
• Physical address
• Email address
• Social security number
• Date of birth

Below is a screenshot from the sample of data available:

In addition to the data above, the hacker also has accessed encrypted data from customers that include social security numbers and date of birth. Here is a sample that we examined:

The data is currently being offered for $1 million USD for a direct sell (or flash sell) and $200,000 for access that is given to others. Assuming it is legit, this would be a very valuable breach as other threat actors can likely purchase and use the information for exploiting AT&T customers for financial gain.

Source: Exclusive: Hacker Selling Private Data Allegedly from 70 Million AT&T Customers | RestorePrivacy

Authored by computer scientists from the University of Maryland and the University of Colorado Boulder, the research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations.

Making matters worse, researchers said the amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms of carrying out a DDoS attack known to date and very likely to be abused in the future.

[…]

“DDoS reflective amplification attack.”

This happens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker (thanks to a technique known as IP spoofing).

The technique effectively allows attackers to reflect/bounce and amplify traffic towards a victim via an intermediary point.

[…]

The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic.

Middleboxes usually include the likes of firewalls, network address translators (NATs), load balancers, and deep packet inspection (DPI) systems.

The research team said they found that instead of trying to replicate the entire three-way handshake in a TCP connection, they could send a combination of non-standard packet sequences to the middlebox that would trick it into thinking the TCP handshake has finished and allow it to process the connection.

[…]

Under normal circumstances, this wouldn’t be an issue, but if the attacker tried to access a forbidden website, then the middlebox would respond with a “block page,” which would typically be much larger than the initial packet—hence an amplification effect.

Following extensive experiments that began last year, the research team said that the best TCP DDoS vectors appeared to be websites typically blocked by nation-state censorship systems or by enterprise policies.

Attackers would send a malformed sequence of TCP packets to a middlebox (firewall, DPI box, etc.) that tried to connect to pornography or gambling sites, and the middlebox would reply with an HTML block page that it would send to victims that wouldn’t even reside on their internal networks—thanks to IP spoofing.

[…]

Bock said the research team scanned the entire IPv4 internet address space 35 different times to discover and index middleboxes that would amplify TCP DDoS attacks.

In total, the team said they found 200 million IPv4 addresses corresponding to networking middleboxes that could be abused for attacks.

Most UDP protocols typically have an amplification factor of between 2 and 10, with very few protocols sometimes reaching 100 or more.

“We found hundreds of thousands of IP addresses that offer [TCP] amplification factors greater than 100×,” Bock and his team said, highlighting how a very large number of networking middleboxes could be abused for DDoS attacks far larger than the UDP protocols with the best amplification factors known to date.

Furthermore, the research team also found thousands of IP addresses that had amplification factors in the range of thousands and even up to 100,000,000, a number thought to be inconceivable for such attacks.

[…]

Bock told The Record they contacted several country-level Computer Emergency Readiness Teams (CERT) to coordinate the disclosure of their findings, including CERT teams in China, Egypt, India, Iran, Oman, Qatar, Russia, Saudi Arabia, South Korea, the United Arab Emirates, and the United States, where most censorship systems or middlebox vendors are based.

The team also notified companies in the DDoS mitigation field, which are most likely to see and have to deal with these attacks in the immediate future.

“We also reached out to several middlebox vendors and manufacturers, including Check Point, Cisco, F5, Fortinet, Juniper, Netscout, Palo Alto, SonicWall, and Sucuri,” the team said.

[…]

the research team also plans to release scripts and tools that network administrators can use to test their firewalls, DPI boxes, and other middleboxes and see if their devices are contributing to this problem. These tools will be available later today via this GitHub repository.

[…]

Additional technical details are available in a research paper titled “Weaponizing Middleboxes for TCP Reflected Amplification” [PDF]. The paper was presented today at the USENIX security conference, where it also received the Distinguished Paper Award.

Source: Firewalls and middleboxes can be weaponized for gigantic DDoS attacks – The Record by Recorded Future

[…]

Russian mobsters, Chinese hackers and Nigerian scammers have used stolen identities to plunder tens of billions of dollars in Covid benefits, spiriting the money overseas in a massive transfer of wealth from U.S. taxpayers, officials and experts say. And they say it is still happening.

Among the ripest targets for the cybertheft have been jobless programs. The federal government cannot say for sure how much of the more than $900 billion in pandemic-related unemployment relief has been stolen, but credible estimates range from $87 million to $400 billion — at least half of which went to foreign criminals, law enforcement officials say.

Those staggering sums dwarf, even on the low end, what the federal government spends every year on intelligence collection, food stamps or K-12 education.

“This is perhaps the single biggest organized fraud heist we’ve ever seen,” said security researcher Armen Najarian of the firm RSA, who tracked a Nigerian fraud ring as it allegedly siphoned millions of dollars out of more than a dozen states.

Jeremy Sheridan, who directs the office of investigations at the Secret Service, called it “the largest fraud scheme that I’ve ever encountered.”

“Due to the volume and pace at which these funds were made available and a lot of the requirements that were lifted in order to release them, criminals seized on that opportunity and were very, very successful — and continue to be successful,” he said.

While the enormous scope of Covid relief fraud has been clear for some time, scant attention has been paid to the role of organized foreign criminal groups, who move taxpayer money overseas via laundering schemes involving payment apps and “money mules,” law enforcement officials said.

“This is like letting people just walk right into Fort Knox and take the gold, and nobody even asked any questions,” said Blake Hall, the CEO of ID.me, which has contracts with 27 states to verify identities.

Officials and analysts say both domestic and foreign fraudsters took advantage of an already weak system of unemployment verification maintained by the states, which has been flagged for years by federal watchdogs. Adding to the vulnerability, states made it easier to apply for Covid benefits online during the pandemic, and officials felt pressure to expedite processing. The federal government also rolled out new benefits for contractors and gig workers that required no employer verification.

In that environment, crooks were easily able to impersonate jobless Americans using stolen identity information for sale in bulk in the dark corners of the internet. The data — birthdates, Social Security numbers, addresses and other private information — have accumulated online for years through huge data breaches, including hacks of Yahoo, LinkedIn, Facebook, Marriott and Experian.

At home, prison inmates and drug gangs got in on the action. But experts say the best-organized efforts came from abroad, with criminals from nearly every country swooping in to steal on an industrial scale.

[…]

Under the Pandemic Unemployment Assistance program for gig workers and contractors, people could apply for retroactive relief, claiming months of joblessness with no employer verification possible. In some cases, that meant checks or debit cards worth $20,000, Hall said.

“Organized crime has never had an opportunity where any American’s identity could be converted into $20,000, and it became their Super Bowl,” he said. “And these states were not equipped to do identity verification, certainly not remote identity verification. And in the first few months and still today, organized crime has just made these states a target.”

[…]

The investigative journalism site ProPublica calculated last month that from March to December 2020, the number of jobless claims added up to about two-thirds of the country’s labor force, when the actual unemployment rate was 23 percent. Although some people lose jobs more than once in a given year, that alone could not account for the vast disparity.

The thievery continues. Maryland, for example, in June detected more than half a million potentially fraudulent unemployment claims in May and June alone. Most of the attempts were blocked, but experts say that nationwide, many are still getting through.

The Biden administration has acknowledged the problem and blamed it on the Trump administration.

[…]

In a memo in February, the inspector general reported that as of December, 22 of 54 state and territorial workforce agencies were still not following its repeated recommendation to join a national data exchange to check Social Security numbers. And in July, the inspector general reported that the national association of state workforce agencies had not been sharing fraud data as required by federal regulations.

Twenty states failed to perform all the required database identity checks, and 44 states did not perform all recommended ones, the inspector general found.

“The states have been chronically underfunded for years — they’re running 1980s technology,” Hall said.

[…]

The FBI has opened about 2,000 investigations, Greenberg said, but it has recovered just $100 million. The Secret Service, which focuses on cyber and economic crimes, has clawed back $1.3 billion. But the vast majority of the pilfered funds are gone for good, experts say, including tens of billions of dollars sent out of the country through money-moving applications such as Cash.app.

[…]

One of the few examples in which analysts have pointed the finger at a specific foreign group involves a Nigerian fraud ring dubbed Scattered Canary by security researchers. The group had been committing cyberfraud for years when the pandemic benefits presented a ripe target, Najarian said.

[…]

Scattered Canary took advantage of a quirk in Google’s system. Gmail does not recognize dots in email addresses — John.Doe@gmail.com and JohnDoe@gmail.com are routed to the same account. But state unemployment systems treated them as distinct email addresses.

Exploiting that trait, the group was able to create dozens of fraudulent state unemployment accounts that funneled benefits to the same email address, according to research by Najarian and others at Agari.

In April and May of 2020, Scattered Canary filed at least 174 fraudulent claims for unemployment benefits with the state of Washington, Agari found — each claim eligible to receive up to $790 a week, for a total of $20,540 over 26 weeks. With the addition of the $600-per-week Covid supplement, the maximum potential loss was $4.7 million for those claims alone, Agari found.

[…]

Source: ‘Easy money’: How international scam artists pulled off an epic theft of Covid benefits