Obscure Indian cyber firm spied on politicians, investors worldwide

New Delhi-based BellTroX InfoTech Services targeted government officials in Europe, gambling tycoons in the Bahamas, and well-known investors in the United States including private equity giant KKR and short seller Muddy Waters, according to three former employees, outside researchers, and a trail of online evidence.

Aspects of BellTroX’s hacking spree aimed at American targets are currently under investigation by U.S. law enforcement, five people familiar with the matter told Reuters. The U.S. Department of Justice declined to comment.

Reuters does not know the identity of BellTroX’s clients. In a telephone interview, the company’s owner, Sumit Gupta, declined to disclose who had hired him and denied any wrongdoing.

Muddy Waters founder Carson Block said he was “disappointed, but not surprised, to learn that we were likely targeted for hacking by a client of BellTroX.” KKR declined to comment.

Researchers at internet watchdog group Citizen Lab, who spent more than two years mapping out the infrastructure used by the hackers, released a report here on Tuesday saying they had “high confidence” that BellTroX employees were behind the espionage campaign.

“This is one of the largest spy-for-hire operations ever exposed,” said Citizen Lab researcher John Scott-Railton.

Although they receive a fraction of the attention devoted to state-sponsored espionage groups or headline-grabbing heists, “cyber mercenary” services are widely used, he said. “Our investigation found that no sector is immune.”

A cache of data reviewed by Reuters provides insight into the operation, detailing tens of thousands of malicious messages designed to trick victims into giving up their passwords that were sent by BellTroX between 2013 and 2020. The data was supplied on condition of anonymity by online service providers used by the hackers after Reuters alerted the firms to unusual patterns of activity on their platforms.

The data is effectively a digital hit list showing who was targeted and when. Reuters validated the data by checking it against emails received by the targets.

On the list: judges in South Africa, politicians in Mexico, lawyers in France and environmental groups in the United States. These dozens of people, among the thousands targeted by BellTroX, did not respond to messages or declined comment.

Reuters was not able to establish how many of the hacking attempts were successful.

BellTroX’s Gupta was charged in a 2015 hacking case in which two U.S. private investigators admitted to paying him to hack the accounts of marketing executives. Gupta was declared a fugitive in 2017, although the U.S. Justice Department declined to comment on the current status of the case or whether an extradition request had been issued.

Speaking by phone from his home in New Delhi, Gupta denied hacking and said he had never been contacted by law enforcement. He said he had only ever helped private investigators download messages from email inboxes after they provided him with login details.

Source: Exclusive: Obscure Indian cyber firm spied on politicians, investors worldwide – Reuters

It wasn’t just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims

Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline.

As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet about the hack until mid-May, though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack.

Today emails from the company began arriving with customers. One seen by The Register read:

Our investigation found that your name, email address, and travel details were accessed for the easyJet flights or easyJet holidays you booked between 17th October 2019 and 4th March 2020. Your passport and credit card details were not accessed, however information including where you were travelling from and to, your departure date, booking reference number, the booking date and the value of the booking were accessed.

We are very sorry this has happened.

It also warned victims to be on their guard against phishing attacks by miscreants using the stolen records, especially if any “unsolicited communications” arrived appearing to be from Easyjet or its package holidays arm.

Perhaps to avoid spam filters triggered by too many links, the message mentioned, but did not link to, a blog post from the Information Commissioner’s Office titled, “Stay one step ahead of the scammers,” as well as one from the National Cyber Security Centre, published last year, headed: “Phishing attacks: dealing with suspicious emails and messages.”

There was no mention in the message to customers of compensation being paid as a result of the hack. Neither, when El Reg asked earlier this week, did Easyjet address the question of compo or credit monitoring services.

Source: It wasn’t just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims • The Register

The Unattributable “db8151dd” Data Breach with 22M people in it turns out to be Covve hack

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It’s about a data breach with almost 90GB of personal information in it across tens of millions of records – including mine. Here’s what I know:

Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total, the first 30 of which look like this:

The global unique identifier beginning with “db8151dd” features heavily on these first lines, hence the name I’ve given the breach. I’ve had to give it this name because frankly, I’ve absolutely no idea where it came from, nor does anyone else I’ve worked with on this.

It’s mostly scrapable data from public sources, albeit with some key differences. Firstly, my phone number is not usually exposed and that was in there in full. Yes, there are many places that (obviously) have it, but this isn’t a scrape from, say, a public LinkedIn page. Next, my record was immediately next to someone else I’ve interacted with in the past as though the data source understood the association. I found that highly unusual as it wasn’t someone I’d expect to see a strong association with and I couldn’t see any other similar folks. But it’s the next class of data in there which makes this particularly interesting and I’m just going to quote a few snippets here:

Recommended by Andie [redacted last name]. Arranged for carpenter apprentice Devon [redacted last name] to replace bathroom vanity top at [redacted street address], Vancouver, on 02 October 2007.

Met at the 6th National Pro Bono Conference in Ottawa in September 2016

Met on 15-17 October 2001 in Vancouver for the Luscar/Obed/Coal Valley arbitration.

It feels like a CRM. These are records of engagement, the likes of which you’d capture in order to later call back to who had been met where and what they’d done. It wasn’t just simple day-to-day business interaction stuff either, there was also this:

But then there’s also a bunch of legal summaries, for example “CASE CLOSING SUMMARY ON USA V. [redacted]” and “10/3/11 detention hrg in court 20 min plus travel split with [redacted]”— Troy Hunt (@troyhunt) February 23, 2020

But nowhere – absolutely nowhere – was there any indication of where the data had originated from. The closest I could get to that at all was the occurrence of the following comments which appeared over and over again:

This contact information was synchronized from Exchange. If you want to change the contact information, please open OWA and make your changes there.

Exported from Microsoft Outlook (Do not delete)

Contact Created By Evercontact

Evercontact did actually reach out and we discussed the breach privately but it got us no closer to a source. I communicated with multiple infosec journalists (one of whose own personal data was also in the breach) and still, we got no closer. Over the last 3 months I kept coming back to this incident time and time again, looking at the data with fresh eyes and each time, coming up empty. And just before you ask, no, cloud providers won’t disclose which customer owns an asset but they will reach out to those with unsecured assets.

Today is the end of the road for this breach investigation and I’ve just loaded all 22,802,117 email addresses into Have I Been Pwned. Why load it at all? Because every single time I ask about whether I should add data from an unattributable source, the answer is an overwhelming “yes”:

If I have a MASSIVE spam list full of personal data being sold to spammers, should I load it into @haveibeenpwned?— Troy Hunt (@troyhunt) November 15, 2016

So, mark me down for another data breach of my own personal info. There’s nothing you nor I can do about it beyond being more conscious than ever about just how far our personal information spreads without our consent and indeed, without our knowledge. And, perhaps most alarmingly, this is far from the last time I’ll be writing a blog post like this.

Edit 1: No, I don’t load complete and individual records into HIBP, only email addresses. As such, only the presence of an address is searchable, the data associated with the address is not stored nor retrievable.

Edit 2: No, I can’t manually trawl through 100M+ records and extract yours out.

Edit 3: Thanks to some community sleuthing, the origin of this breach has now been identified as the Covve contacts app. Their public disclosure is in that link and they’ve also been in contact with regulators and had a couple of phone calls with myself.

Supercomputers hacked across Europe to mine cryptocurrency

Multiple supercomputers across Europe have been infected this week with cryptocurrency mining malware and have shut down to investigate the intrusions.

Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumored to have also happened at a high-performance computing center located in Spain.

The first report of an attack came to light on Monday from the University of Edinburgh, which runs the ARCHER supercomputer. The organization reported “security exploitation on the ARCHER login nodes,” shut down the ARCHER system to investigate, and reset SSH passwords to prevent further intrusions.

The bwHPC, the organization that coordinates research projects across supercomputers in the state of Baden-Württemberg, Germany, also announced on Monday that five of its high-performance computing clusters had to be shut down due to similar “security incidents.” This included:

  • The Hawk supercomputer at the High-Performance Computing Center Stuttgart (HLRS) at the University of Stuttgart
  • The bwUniCluster 2.0 and ForHLR II clusters at the Karlsruhe Institute of Technology (KIT)
  • The bwForCluster JUSTUS chemistry and quantum science supercomputer at the Ulm University
  • The bwForCluster BinAC bioinformatics supercomputer at the Tübingen University

Reports continued on Wednesday when security researcher Felix von Leitner claimed in a blog post that a supercomputer housed in Barcelona, Spain, was also impacted by a security issue and had been shut down as a result.

More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it had disconnected a computing cluster from the internet following a security breach.

The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.” So did the Technical University in Dresden, which announced it had to shut down its Taurus supercomputer as well.

New incidents also came to light today, on Saturday. German scientist Robert Helling published an analysis on the malware that infected a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany.

The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also shut down external access to its supercomputer infrastructure following a “cyber-incident” and “until having restored a safe environment.”

Attackers gained access via compromised SSH logins

None of the organizations above published any details about the intrusions. However, earlier today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure (EGI), a pan-European organization that coordinates research on supercomputers across Europe, released malware samples and network compromise indicators from some of these incidents.

The malware samples were reviewed earlier today by Cado Security, a US-based cyber-security firm. The company said the attackers appear to have gained access to the supercomputer clusters via compromised SSH credentials.

The credentials appear to have been stolen from university members given access to the supercomputers to run computing jobs. The hijacked SSH logins belonged to universities in Canada, China, and Poland.

Chris Doman, Co-Founder of Cado Security, told ZDNet today that while there is no official evidence to confirm that all the intrusions have been carried out by the same group, evidence like similar malware file names and network indicators suggests this might be the same threat actor.

According to Doman’s analysis, once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.

[…]

Source: Supercomputers hacked across Europe to mine cryptocurrency | ZDNet

Papa don’t breach: Contracts, personal info on Madonna, Lady Gaga, Elton John, others swiped in celeb law firm ‘hack’

Hackers are threatening to release 756GB of A-list celebs’ contracts, recording deals, and other personal info allegedly stolen from a New York law firm.

The miscreants have seemingly got their hands on confidential agreements, private correspondence, contact details, and other information belonging to superstars, including Madonna, Christina Aguilera, Sir Elton John, Run DMC, Bruce Springsteen, Barbra Streisand, and Lady Gaga, and their representatives.

The data was swiped by the REvil, aka Sodinokibi, malware-slinging gang best known for taking down Travelex, infosec biz Emsisoft’s Brett Callow told The Register.

A Tor-hidden website belonging to REvil, which lists dozens of organizations compromised by the crew, includes screenshots of folders, a non-disclosure agreement, Madonna’s 2019-2020 tour arrangements, and Aguilera’s music rights as proof of its cyber-heist.

The gang claims to have hacked entertainment law firm Grubman Shire Meiselas & Sacks, based in the Big Apple, and siphoned its documents.

The law firm could not be reached for comment. We assume they were otherwise occupied. Their website right now just shows its logo whereas as recently as May 8, it listed its clients and staff.

“The documents purportedly include information about multiple music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s ‘Last Week Tonight With John Oliver,’ and Run DMC. Facebook also is on the hackers’ hit list,” reported showbiz industry mag Variety, which was also tipped off by Emsisoft.

The law firm also represents big name personalities in TV, film, and sport, and media and online giants, from Kate Upton and Robert De Niro to Sony, Spotify, Vice, and EMI. It is assumed the swiped data was partially leaked to encourage the lawyers to cough up a ransom demand – or the rest of the information would spill onto the dark web. ®

Updated to add

Grubman Shire Meiselas & Sacks have said they were hacked, and in a statement said: “We can confirm that we’ve been victimised by a cyber-attack. We have notified our clients and our staff. We have hired the world’s experts who specialise in this area, and we are working around the clock to address these matters.”

Source: Papa don’t breach: Contracts, personal info on Madonna, Lady Gaga, Elton John, others swiped in celeb law firm ‘hack’ • The Register

PrintDemon vulnerability impacts all Windows versions | ZDNet

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996.

The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations.

The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later.

Trivially exploitable local privilege elevation

In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Print Spooler’s internal mechanism.

[…]

PrintDemon is what researchers call a “local privilege escalation” (LPE) vulnerability. This means that once an attacker has even the tiniest foothold inside an app or a Windows machine, even with user-mode privileges, the attacker can run something as simple as one unprivileged PowerShell command to gain administrator-level privileges over the entire OS.

This is possible because of how the Print Spooler service was designed to work, Ionescu and Shafir said.

Because this is a service meant to be available to any app that wants to print a file, it is available to all apps running on a system, without restrictions. The attacker can create a print job that prints to a file — for example a local DLL file used by the OS or another app.

The attacker can initiate the print operation, crash the Print Spooler service intentionally, and then let the job resume, but this time the printing operation runs with SYSTEM privileges, allowing it to overwrite any files anywhere on the OS.

In a tweet today, Ionescu said exploitation on current OS versions requires one single line of PowerShell. On older Windows versions, this might need some tweaking.

“On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*,” Ionescu said.
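A defender reading the description above will want a cheap way to spot the precondition the technique relies on: a printer port whose name is a filesystem path, so that a "print" writes to that file. The script below is an added example, not code from the article, from Ionescu and Shafir, or from SafeBreach; it assumes the port names were collected on the host with the real PrintManagement cmdlet Get-PrinterPort (its Name property) and exported one per line, and the sample names and the list of built-in pseudo-port names are constructed assumptions to be adjusted for a given fleet.

```python
"""Triage Windows printer port names for file-backed ports (added example, constructed data).

Assumes a list of port names exported from Get-PrinterPort on the host and, optionally,
an earlier export to use as a baseline. The names below are constructed, and the
built-in pseudo-port list is an assumption based on common defaults.
"""
import re

# Pseudo-ports and monitor-generated names that are not filesystem paths (assumed defaults).
BUILTIN_PORT = re.compile(
    r"^(?:LPT\d+|COM\d+|FILE|PORTPROMPT|nul|SHRFAX|USB\d{3}|IP_[\w.\-]+|WSD-[0-9A-Fa-f\-]+):?$",
    re.IGNORECASE,
)
# A drive-letter path or a UNC path used as a port name means the job is written to that file.
FILE_BACKED = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\)")
# Locations where an attacker-controlled write would be most damaging.
SENSITIVE_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\programdata")
EXECUTABLE_SUFFIXES = (".dll", ".exe", ".sys", ".ps1", ".bat", ".cmd")


def classify_port(name: str) -> str:
    """Return 'builtin', 'file-backed' or 'other' for one port name."""
    name = name.strip()
    if BUILTIN_PORT.match(name):
        return "builtin"
    if FILE_BACKED.match(name):
        return "file-backed"
    return "other"


def triage_ports(current, baseline=()) -> list:
    """One finding per file-backed port, rated by destination and flagged if absent from the baseline."""
    known = {n.strip().lower() for n in baseline}
    findings = []
    for raw in current:
        name = raw.strip()
        if classify_port(name) != "file-backed":
            continue
        low = name.lower()
        severity = "medium"
        if low.startswith(SENSITIVE_PREFIXES) or low.endswith(EXECUTABLE_SUFFIXES):
            severity = "high"
        findings.append({"port": name, "severity": severity, "new_since_baseline": low not in known})
    return findings


# Constructed sample: yesterday's inventory and today's, with two file-backed ports added today.
BASELINE_PORTS = ["LPT1:", "COM1:", "FILE:", "PORTPROMPT:", "nul:", "IP_10.0.0.5", "USB001"]
CURRENT_PORTS = BASELINE_PORTS + [
    r"C:\Windows\System32\sample_target.dll",  # constructed placeholder path
    r"C:\Users\Public\print_capture.txt",
]

if __name__ == "__main__":
    for finding in triage_ports(CURRENT_PORTS, BASELINE_PORTS):
        print(finding)
```

Comparing against a baseline export matters more than the rating: a file-backed port that has always existed on a print server is usually a known workflow, while one that appeared between two inventories is the thing to investigate.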

Patches available

The good news is that this has now been patched, hence Ionescu and Shafir’s public disclosure. Fixes for PrintDemon were released yesterday, with the Microsoft May 2020 Patch Tuesday.

PrintDemon is tracked under the CVE-2020-1048 identifier. Two security researchers from SafeBreach Labs, Peleg Hadar and Tomer Bar, were the first to discover the issue and report it to Microsoft. The two will be presenting their own report on the issue at the Black Hat security conference in August.

Ionescu has also published proof-of-concept code on GitHub with the purpose of aiding security researchers and system administrators investigate the vulnerability and prepare mitigations and detection capabilities.

Last month, Ionescu and Shafir also published details and proof-of-concept code for a similar vulnerability that they named FaxHell.

FaxHell works similarly to PrintDemon, but the researchers exploited the Windows Fax service to overwrite and hijack local (DLL) files to install shells and backdoors on Windows systems.

Source: PrintDemon vulnerability impacts all Windows versions | ZDNet

5 minutes with a Thunderbolt machine leaves it completely open using Thunderspy – evil maids don’t need much knowledge

Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.

Thunderspy is stealthy, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

We have found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios for how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection.

We have developed a free and open-source tool, Spycheck, to determine if your system is vulnerable. If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system.

[…]

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign. Users are therefore strongly encouraged to determine whether they are affected using Spycheck, a free and open-source tool we have developed that verifies whether their systems are vulnerable to Thunderspy. If it is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.
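The passage above turns on two settings an administrator can read directly: the Thunderbolt Security Level and whether Kernel DMA Protection is active. On Linux the thunderbolt driver exposes both as sysfs attributes, `security` and `iommu_dma_protection`, under each `/sys/bus/thunderbolt/devices/domainN/` directory (documented in the kernel's Documentation/admin-guide/thunderbolt.rst). The script below is an added example, not part of Spycheck or the Thunderspy report; the verdict labels and the fake sysfs tree it builds for demonstration are constructed assumptions.

```python
"""Report Thunderbolt security level and Kernel DMA Protection from Linux sysfs (added example).

Reads the 'security' and 'iommu_dma_protection' attributes exposed by the Linux
thunderbolt driver. The verdict names and the sample tree are constructed here.
"""
import tempfile
from pathlib import Path

SYSFS_THUNDERBOLT = Path("/sys/bus/thunderbolt/devices")

# Kernel 'security' attribute values and what each allows.
LEVEL_NOTES = {
    "none": "every device is connected automatically, PCIe tunnels included",
    "user": "devices need user authorization before PCIe is tunnelled",
    "secure": "user authorization plus a device key challenge",
    "dponly": "only DisplayPort tunnelling, PCIe never exposed",
    "usbonly": "only USB and DisplayPort tunnelling, PCIe never exposed",
    "nopcie": "PCIe tunnelling disabled by firmware",
}
PCIE_NEVER = {"dponly", "usbonly", "nopcie"}


def read_attr(path: Path):
    """Return a sysfs attribute as a stripped string, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def assess_domain(domain_dir: Path) -> dict:
    """Summarise one Thunderbolt domain (one host controller)."""
    level = read_attr(domain_dir / "security")
    dma = read_attr(domain_dir / "iommu_dma_protection")
    if level in PCIE_NEVER:
        verdict = "pcie-disabled"           # a DMA attack needs a PCIe tunnel
    elif dma == "1":
        verdict = "kernel-dma-protection"   # IOMMU sits in front of the tunnel
    else:
        verdict = "no-dma-protection"       # the security level is the only gate
    return {
        "domain": domain_dir.name,
        "security": level,
        "iommu_dma_protection": dma,
        "verdict": verdict,
        "note": LEVEL_NOTES.get(level, "unrecognised or missing security level"),
    }


def assess_system(sysfs_root=SYSFS_THUNDERBOLT) -> list:
    """Assess every domain under the sysfs root; empty list if no Thunderbolt driver is loaded."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return []
    return [assess_domain(d) for d in sorted(root.glob("domain*")) if d.is_dir()]


def build_sample_tree(base) -> Path:
    """Construct a fake sysfs layout with three controllers (NOT a real system)."""
    base = Path(base)
    for name, level, dma in (("domain0", "user", "0"), ("domain1", "user", "1"), ("domain2", "usbonly", "0")):
        d = base / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "security").write_text(level + "\n")
        (d / "iommu_dma_protection").write_text(dma + "\n")
    return base


def run_demo() -> list:
    """Build the constructed tree in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess_system(build_sample_tree(tmp))


if __name__ == "__main__":
    results = assess_system()
    if not results:
        print("no Thunderbolt domains found under", SYSFS_THUNDERBOLT)
    for result in results:
        print(result)
```

The verdicts describe the configuration at the moment of reading, not immunity: the report above shows the Security Level itself can be overridden without authentication, which is why `kernel-dma-protection` is only a partial mitigation and `no-dma-protection` hosts are the ones to prioritise.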

[…]

The Thunderspy vulnerabilities have been discovered and reported by Björn Ruytenberg. Please cite this work as:

Björn Ruytenberg. Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020. https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf

Source: Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

Hackers hide web skimmer behind a website’s favicon

A hacker group created a fake icon hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.

The operation is what security researchers refer to these days as web skimming, e-skimming, or a Magecart attack.

Hackers breach websites and then hide malicious code on their pages, code that records and steals payment card details as they’re entered in checkout forms.

[…]

Hackers created a fake icons hosting portal

In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.

The security firm says it discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon — the logo image shown in browser tabs.

The new favicon was a legitimate image file hosted on MyIcons.net, with no malicious code hidden inside it. However, while the change looked innocent, Malwarebytes said that web skimming code was still loaded on hacked sites, and there was clearly something strange with the new favicon.

[…]

The trick, according to Malwarebytes, was that the MyIcons.net website served a legitimate favicon file for all of a website’s pages, except on pages that contained checkout forms.

On these pages, the MyIcons.net website would secretly switch the favicon with a malicious JavaScript file that created a fake checkout form and stole user card details.

Malwarebytes said that site owners investigating the incident and accessing the MyIcons.net website would find a fully-working icon hosting portal, and would be misled to believe it’s a legitimate site.

However, the security firm says MyIcons.net was actually a clone of the legitimate IconArchive.com portal, and that its primary role was to be a decoy.

Furthermore, the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.
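The detection point in the story above is that the same icon URL returned an image to most pages and JavaScript to the checkout page. A site owner can test that directly: fetch the icon URL twice, once with the Referer of an ordinary page and once with the Referer of the checkout page, then classify each body by its leading bytes rather than by the Content-Type header. The code below is an added example, not from the Malwarebytes or Sucuri reports; the fetches are outside the block, and both responses, the shop.example URLs and the script stub are constructed.

```python
"""Compare what a third-party favicon URL serves to different pages (added example, constructed data).

Two responses for one icon URL are assumed to have been fetched already, one per
Referer; they are constructed below to show the comparison logic.
"""
from dataclasses import dataclass

# Leading bytes of the formats a favicon is normally delivered in.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
# Substrings that essentially never occur in an image but are typical of script bodies.
SCRIPT_MARKERS = (b"function", b"document.", b"window.", b"XMLHttpRequest", b"fetch(", b"addEventListener")


@dataclass(frozen=True)
class IconResponse:
    referer: str       # page that embedded the icon, sent as the Referer header
    content_type: str  # Content-Type header returned by the icon host
    body: bytes        # raw response body


def sniff(body: bytes) -> str:
    """Classify a body by its bytes, ignoring the Content-Type header entirely."""
    for magic, fmt in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return "image/" + fmt
    head = body[:4096]
    if head.lstrip().lower().startswith(b"<svg"):
        return "image/svg"
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def compare_icon_responses(responses) -> list:
    """Findings for one icon URL: header/body mismatches and content that differs per page."""
    findings = []
    kinds = {}
    for r in responses:
        kind = sniff(r.body)
        kinds[r.referer] = kind
        header_says_image = r.content_type.split(";")[0].strip().lower().startswith("image/")
        if header_says_image and not kind.startswith("image/"):
            findings.append(f"{r.referer}: header says {r.content_type} but body looks like {kind}")
    if len(set(kinds.values())) > 1:
        detail = ", ".join(f"{page} -> {kind}" for page, kind in kinds.items())
        findings.append("same icon URL served different content per page: " + detail)
    return findings


# Constructed sample: a 16x16 ICO header for the home page and a harmless script stub
# for the checkout page, both delivered with an image Content-Type.
ICO_STUB = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 32
SCRIPT_STUB = b"window.onload = function () { /* constructed placeholder, does nothing */ };\n"
SAMPLE = [
    IconResponse("https://shop.example/", "image/x-icon", ICO_STUB),
    IconResponse("https://shop.example/checkout", "image/x-icon", SCRIPT_STUB),
]

if __name__ == "__main__":
    for line in compare_icon_responses(SAMPLE):
        print(line)
```

Sniffing bytes instead of trusting headers is the point: a decoy host controls its own Content-Type, but it cannot make JavaScript begin with an ICO or PNG signature. Running the comparison from a checkout page's context, rather than from a generic scanner, is what exposes the per-page switch described above.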

Source: Hackers hide web skimmer behind a website’s favicon | ZDNet

Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned.

The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

ZDNet has obtained copies of both data sets. We received the entire 44 million records released online today, but we also received a sample of 55 million user records that were part of the 115 million data dump. Based on the data sets, we can conclude that the two are the same.

According to our analysis of the leaked files, the data contained both personally-identifiable and telephony-related information. This includes the likes of:

  • Customer full names
  • Home addresses (city, region, street name)
  • National identification (CNIC) numbers
  • Mobile phone numbers
  • Landline numbers
  • Dates of subscription

The data included details for both Pakistani home users and local companies alike.

Details for companies matched public records and public phone numbers listed on companies’ websites. In addition, ZDNet also verified the validity of the leaked data with multiple Pakistani users.

Source: Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache | ZDNet

Trolls, bots flooding social media with anti-quarantine disinformation

Christopher Bouzy, the founder of bot tracking platform Bot Sentinel, conducted a Twitter analysis for Business Insider and found bots and trolls are using hashtags like #ReOpenNC, #ReopenAmericaNow, #StopTheMadness, #ENDTHESHUTDOWN, and #OperationGridlock to spread disinformation. According to Bouzy, the bots and trolls are spreading conspiracy theories about Democrats wanting to hurt the economy to make Trump look bad, Democrats trying to take away people’s civil liberties, and Democrats trying to prevent people from voting. The accounts are also using false data to underplay the threat of the coronavirus.

[…]

“Inauthentic accounts are amplifying disinformation and inaccurate statistics and sharing false information as a reason to reopen the country,” Bouzy says. “Many of these accounts are also spreading bizarre conspiracy theories about Democrats using COVID-19 as a way to take away American freedoms and prevent Americans from voting.”

[…]

“Inauthentic accounts are downplaying the seriousness of COVID-19, and they’re sharing inaccurate information about the mortality rate of the virus. The problem is significant because many of these inauthentic accounts are retweeted by other larger accounts, which increases their reach and visibility.”

According to the New York Times, Chinese operatives spread claims on social media in mid-March that the Trump administration was going to lock down the entire country and enforce this lockdown with soldiers on the streets. The White House’s National Security Council later tweeted that these claims were false. That was just some of the disinformation that’s been spread on social media by inauthentic sources.

[…]

Brooke Binkowski, managing editor of the fact-checking website Truth or Fiction and former managing editor of Snopes, tells Business Insider that the media has been struggling with its coverage of the protests, which she says are “completely inauthentic and coordinated.”

“Journalists are largely missing that fact in their bids to find ‘other sides to the story,'” Binkowski says.

[…]

She believes that the disinformation is being spread by trolls and bots but also by “useful idiots.”

“Empowering violent extremists is a very old method for collapsing unstable states,” Binkowski says. “This is the end result of weaponized disinformation — it’s doing its job. It would have been the virus or it would have been something like a fire, or a hurricane, or an earthquake. But disinformation purveyors are nothing if not opportunistic.”

Source: Trolls, bots flooding social media with anti-quarantine disinformation – Business Insider

How Spies Snuck Malware Into the Google Play Store—Again and Again: by upgrading a vetted app

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say, PhantomLance’s hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app, and the victim will trust it because it’s Google Play.”

Kaspersky says it has tied the PhantomLance campaign to the hacker group OceanLotus, also known as APT32, widely believed to be working on behalf of the Vietnamese government. That suggests the PhantomLance campaign likely mixed spying on Vietnam’s Southeast Asian neighbors with domestic surveillance of Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus to previous operations that targeted Vietnamese dissidents and bloggers. FireEye also recently spotted the group targeting China’s Ministry of Emergency Management as well as the government of the Chinese province of Wuhan, apparently searching for information related to Covid-19.

The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps were fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks. In total, Firsh says, Kaspersky’s antivirus software detected the malicious apps attempting to infect around 300 of its customers’ phones.

In most instances, those earlier apps hid their intent better than the two that had lingered in Google Play. They were designed to be “clean” at the time of installation and only later add all their malicious features in an update. “We think this is the main strategy for these guys,” says Firsh. In some cases, those malicious payloads also appeared to exploit “root” privileges that allowed them to override Android’s permission system, which requires apps to ask for a user’s consent before accessing data like contacts and text messages. Kaspersky says it wasn’t able to find the actual code that the apps would use to hack Android’s operating system and gain those privileges.

Source: How Spies Snuck Malware Into the Google Play Store—Again and Again | WIRED

Facebook Accuses NSO Group of Using U.S. Servers for Spying, infecting phones via WhatsApp

In a filing released on Thursday in federal court in Oakland, California, lawyers representing the social media giant alleged that NSO Group had used a network of remote servers in California to hack into phones and devices that were used by attorneys, journalists, human rights activists, government officials and others.

NSO Group has argued that Facebook’s case against it should be thrown out on the grounds that the court has no jurisdiction over its operations. In a 13 May legal document, lawyers representing NSO Group said that the company had no offices or employees in California and “do no business of any kind there.”

NSO has also argued that it has no role in operating the spyware and is limited to “providing advice and technical support to assist customers in setting up” the technology.

John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto’s Munk School, said evidence presented by Facebook on Thursday indicated NSO Group was in a position to “look over its customer’s shoulders” and monitor who its government clients were targeting.

“This is a gut punch to years of NSO’s claims that it can’t see what its customers are doing,” said Scott-Railton. He said it also shows that the Israeli company “probably knows a lot more about what its customers do than it would like to admit.”

NSO’s spyware, known as Pegasus, can gather information about a mobile phone’s location, access its camera, microphone and internal hard drive, and covertly record emails, phone calls and text messages. Researchers have accused the company of supplying its technology to countries that have used it to spy on dissidents, journalists and other critics.

A representative for NSO Group said its products are “used to stop terrorism, curb violent crime, and save lives.”

“NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States,” the representative said, adding that a response to Facebook’s legal filing was forthcoming.

In its filing, Facebook alleged that NSO had rented a Los Angeles-based server from a U.S. company, QuadraNet, that it used to launch 720 hacks on people’s smartphones or other devices. It’s unclear whether NSO Group’s software was used to target people within the U.S. The company has previously stated that its technology “cannot be used on U.S. phone numbers.”

Facebook accused NSO Group of reverse-engineering WhatsApp, using an unauthorized program to access WhatsApp’s servers and deploying its spyware against approximately 1,400 targets. NSO Group was then able to “covertly transmit malicious code through WhatsApp servers and inject” spyware onto people’s devices without their knowledge, according to Facebook’s legal filings.

“Defendants had no authority to access WhatsApp’s servers with an imposter program, manipulate network settings, and commandeer the servers to attack WhatsApp users,” Facebook alleged in the Thursday filing. “That invasion of WhatsApp’s servers and users’ devices constitutes unlawful computer hacking” under the Computer Fraud and Abuse Act.

Source: Facebook Accuses NSO Group of Using U.S. Servers for Spying – Bloomberg

Bad news: Cognizant hit by ransomware Maze, which leaks customers’ data online after non-payment

New Jersey IT services provider Cognizant has confirmed it is the latest victim of the Maze ransomware.

The infection was disclosed to the public this weekend. Cognizant said the malware outbreak will likely disrupt service for some of its customers, and possibly put them in danger as well.

Maze is unusual among ransomware strains in that it not only encrypts the data on infected Windows machines, it siphons off copies of the originals as well. This gives the malware’s masterminds extra leverage – don’t pay the ransom and confidential corporate data can be leaked or sold online. It is feared Maze may have infected Cognizant’s customers, via the US service provider, and if that did happen, those clients’ documents may have been stolen as well as scrambled.

“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” the announcement read.

“Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”

An update on Sunday included a rather ominous warning for customers: “We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature,” Cognizant said.

Cognizant provides on-premises and cloud-hosted IT services for companies as well as consultancy gigs. The biz has high-value customers in areas such as banking, health care, and manufacturing, and it is ranked in the Fortune 500, so any large-scale attack on its systems is potentially serious.

Source: Bad news: Cognizant hit by ransomware gang. Worse: It’s Maze, which leaks victims’ data online after non-payment • The Register

Medical Device ‘Jailbreak’ Could Help Solve the Dangerous Shortage of Ventilators

Security researcher Trammell Hudson analyzed the AirSense 10 — the world’s most widely used CPAP — and made a startling discovery. Although its manufacturer says the AirSense 10 would require “significant rework to function as a ventilator,” many ventilator functions were already built into the device firmware. Its manufacturer, ResMed, says the $700 device solely functions as a continuous positive airway pressure machine used to treat sleep apnea. It does this by funneling air into a mask. ResMed says the device can’t work as a bilevel positive airway pressure device, which is a more advanced machine that pushes air into a mask and then pulls it back out. With no ability to work in both directions or increase the output when needed, the AirSense 10 can’t be used as the type of ventilator that could help patients who are struggling to breathe. After reverse-engineering the firmware, Hudson says the ResMed claim is simply untrue.

To demonstrate his findings, Hudson on Tuesday is releasing a patch that he says unlocks the hidden capabilities buried deep inside the AirSense 10. The patch is dubbed Airbreak in a nod to jailbreaks that hobbyists use to remove technical barriers Apple developers erect inside iPhones and iPads. Whereas jailbreaks unlock functions that allow the installation of unauthorized apps and the accessing of log files and forensic data, Airbreak allows the AirSense 10 to work as a bilevel positive airway pressure machine, a device that many people refer to as a BiPAP. “Our changes bring the AirSense S10 to near feature parity with BiPAP machines from the same manufacturer, boost the maximum pressure output available, and provide a starting point to add more advanced emergency ventilator functionality,” Hudson and other researchers wrote on their website disclosing the findings. The researchers say Airbreak isn’t ready to be used on any device to treat a patient suffering from COVID-19 — it’s simply to prove that the AirSense 10 does have the ability to provide emergency ventilator functions, and to push ResMed to release its own firmware update that unlocks the ventilator functions.

Source: Medical Device ‘Jailbreak’ Could Help Solve the Dangerous Shortage of Ventilators – Slashdot

It’s nice to say this, but the respiration functions on the Airsense are probably not medically validated and thus not necessarily safe to use. When does fairly safe become acceptable in an emergency?

China’s Winnti group stayed under the radar for a decade by aiming for Linux servers

A group of hackers operating as an offshoot of China’s Winnti group managed to stay undetected for more than a decade by going open source.

A report from BlackBerry outlines how the group, actually a collection of five smaller crews of hackers thought to be state-sponsored, assembled in the wake of Winnti and exploited Linux servers, plus the occasional Windows Server box and mobile device, for years.

“The APT groups examined in this report have traditionally pursued different objectives and focused on a wide array of targets,” BlackBerry noted.

“However, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned, and it is assessed that any organization with a large Linux distribution should not assume they are outside of the target sets for any of these groups.”

First chronicled by researchers back in 2013, the Winnti hacking operation is thought to date back as far as 2009. These groups, described by BlackBerry as “offshoots” of that hacking outfit, have been around for nearly as long and use similar tactics.

Part of the reason the attacks have gone unnoticed for so long, BlackBerry reckons, is the groups’ preference for Linux servers. It is believed the hackers use three different backdoors, two rootkits, and two other build tools that can be used to construct additional rootkits on a per-target basis for open-source servers.

This is in addition to the command-and-control tools and what is described as a “massive botnet” of compromised Linux servers and devices. Some of the malware has been in use dating back to 2012.

Source: Want to stay under the radar for a decade or more? This Chinese hacking crew did it… by aiming for Linux servers • The Register

A hacker has wiped, defaced more than 15,000 Elasticsearch servers

For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.

According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24.

The attacks appear to be carried out with the help of an automated script that scans the internet for Elasticsearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com.

The attacking script doesn’t appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.

However, on many Elasticsearch servers, the wiping behavior is obvious, as log entries simply cut off around recent dates, such as March 24, 25, 26, and so on. Due to the highly volatile nature of data stored inside Elasticsearch servers, it is hard to quantify the exact number of systems where data was deleted.

Night Lion Security denies any involvement

In a Signal conversation with this reporter yesterday, Vinny Troia, the founder of Night Lion Security, denied that his company had anything to do with the ongoing attacks.

In an interview he gave DataBreaches.net on March 26, Troia said he believes the attack is being carried out by a hacker he has been tracking for the past years, and who is also the subject of a recently released book.

Source: A hacker has wiped, defaced more than 15,000 Elasticsearch servers | ZDNet

Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info

Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected “at the end of February.”

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.

Source: Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info • The Register

Hacker hijacks all Microsoft and CCC YouTube accounts to broadcast crypto Ponzi scam

A hacker has hijacked all of Microsoft’s official YouTube accounts and is broadcasting a cryptocurrency Ponzi scam to the company’s subscribers, ZDNet has learned from one of our readers.

The hacks appear to have occurred about 13 hours ago, according to our source. The hijacked accounts are still streaming at the time of writing, despite being reported to YouTube’s moderators for more than one hour.

The hacker is currently live-streaming an old Bill Gates talk on startups that the former Microsoft CEO gave to an audience at Village Global in June 2019.

Hackers are live-streaming an altered version of the presentation, but also asking for viewers to participate in a classic “crypto giveaway” — where victims are tricked to send a small sum of cryptocurrency to double their earnings but never get any funds in return.

[…]

The Bitcoin address listed in the video streams did not receive any transactions or hold any funds, suggesting that no users have fallen for the scam. Based on YouTube stream stats, tens of thousands have seen the video feeds.

Microsoft was not the only organization impacted by the mass hijack and defacement incident. The Chaos Computer Club, a famous Germany-based hacking community, has also had its account hijacked to broadcast a similar message.

Source: Hacker hijacks Microsoft YouTube accounts to broadcast crypto Ponzi scam | ZDNet

WPA Cracking from Kismet sensors

During a recent event I decided to set up a passive monitoring station to check for any attempts to impersonate, hijack, or deny service to our WiFi. For this task I decided to use an Alpha card and Kismet (which comes already installed on Kali Linux) to deploy for wireless intrusion detection (WIDS).

Kismet worked as advertised and I was able to monitor channel utilization and watch for wireless anomalies (think Pwnagotchi or Hak5 Pineapple).

Image: Channel Utilization Monitoring

Image: Kismet WIDS alerting

This worked great, but I soon noticed that Kismet was also logging WPA handshakes for client connections, which made me wonder: could Kismet be used as an attack platform?

Image: Captured WPA key exchange

After some quick googling I found it is indeed very possible, using this three-step process.

  1. Export PCAP data out of the Kismet session database (by default stored at the root of a user’s home dir) by issuing the command kismet_log_to_pcap --in foo.kismet --out foo.pcap
  2. Convert that PCAP into something consumable by hashcat by issuing the command cap2hccapx.bin foo.pcap foo.hccapx
  3. Set up hashcat to crack the stored key exchanges by using the command hashcat64.exe -m 2500 foo.hccapx rockyou.txt -r rules/rockyou-30000.rule

What was surprising was that it took seconds or less to crack many of the captured sessions. What’s more interesting is that it’s possible to deploy Kismet on extremely cheap hardware such as a Raspberry Pi and form fleets of sensors that all log to a central point, and that are all cracked and monitored.

Image: hashcat output

Today’s key takeaway? If you use a portable access point such as your phone as a hotspot you still need to use an extremely long and complex password. It used to take an exorbitant amount of time to crack WPA2, but that is no longer true. Modern techniques for cracking the pairwise master key have been developed which, combined with GPU-based password cracking, mean weak passwords can often be instantly cracked.

To read more about this, check out Ins1gn1a’s article titled Understanding WPA/WPA2 Pre-Shared-Key Cracking.
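The reason a short hotspass passphrase falls in seconds is that WPA2-PSK derives the pairwise master key from nothing but the passphrase and the SSID with a fixed, public function, so a captured handshake lets every guess be checked offline. The following is an added example, not code from the article or from Kismet or hashcat: it implements that standard PMK derivation (checked against the IEEE 802.11 test vector), then audits a hotspot passphrase the way a wordlist-plus-rules attack would see it. The wordlist, the bit thresholds, and the default guesses-per-second figure are constructed placeholders.

```python
"""Why a weak hotspot passphrase falls in seconds: the WPA2-PSK key derivation
a cracker must recompute per guess, plus a simple defensive passphrase audit."""
import hashlib
import math
import string

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
# Every Wi-Fi client computes this when joining; a cracker holding a captured
# four-way handshake computes it for each candidate passphrase and checks the MIC.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
PRINTABLE = {chr(c) for c in range(32, 127)}  # the WPA passphrase alphabet


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key exactly as a Wi-Fi client does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    if any(c not in PRINTABLE for c in passphrase):
        raise ValueError("WPA2 passphrases are printable ASCII only")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN)


def pmk_self_test() -> bool:
    """Check derive_pmk against the published IEEE 802.11 test vector
    (passphrase 'password', SSID 'IEEE')."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


# Constructed stand-in for a wordlist such as rockyou.txt; a real audit would
# load the actual list (roughly 14 million entries) that attackers use.
COMMON_PASSPHRASES = {
    "password", "12345678", "123456789", "iphone123", "hotspot1",
    "letmein1", "qwerty123", "sunshine", "iloveyou", "summer",
}


def _charset_size(passphrase: str) -> int:
    """Size of the smallest standard character class set covering the passphrase."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        size += 33
    return size


def audit_passphrase(passphrase: str, guesses_per_second: float = 1e6) -> dict:
    """Classify a hotspot passphrase the way a cracker would attack it.

    guesses_per_second is an ASSUMED placeholder for a GPU rig's -m 2500 rate;
    benchmark your own hardware (hashcat -b) and pass the real figure.
    """
    derive_pmk(passphrase, "audit")  # enforce WPA2 length and alphabet rules
    # Cheap rule-style normalisation: lowercase, then strip trailing digits and
    # symbols, which is what "append year/symbol" cracking rules undo.
    base = passphrase.lower().rstrip(string.digits + string.punctuation)
    if passphrase.lower() in COMMON_PASSPHRASES or base in COMMON_PASSPHRASES:
        return {"verdict": "wordlist", "bits": 0.0, "seconds": 0.0}
    # Outside the wordlist, the cost is a brute-force search of the charset.
    bits = len(passphrase) * math.log2(_charset_size(passphrase))
    seconds = 2 ** bits / guesses_per_second
    if bits < 48:
        verdict = "weak"
    elif bits < 72:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {"verdict": verdict, "bits": round(bits, 1), "seconds": seconds}


if __name__ == "__main__":
    print("PMK test vector OK:", pmk_self_test())
    for p in ("password", "Summer2020!", "correct-horse-battery-staple-9"):
        print(p, audit_passphrase(p))
```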

Source: WPA Cracking from Kismet sensors – William Reyor – Medium

Hackers target WHO as cyberattacks double

WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear and the effort was unsuccessful. But he warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.

The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.

Urbelis said he picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO’s internal email system.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he said.

Urbelis said he didn’t know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.

Messages sent to email addresses maintained by the hackers went unreturned.

When asked by Reuters about the incident, the WHO’s Aggio confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio said in a telephone interview. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

The WHO published an alert last month – available here – warning that hackers are posing as the agency to steal money and sensitive information from the public.

And government officials in the United States, Britain and elsewhere have issued cybersecurity warnings about the dangers of a newly remote workforce as people disperse to their homes to work and study because of the coronavirus pandemic.

The motives in the case identified by Reuters aren’t clear. United Nations agencies, the WHO among them, are regularly targeted by digital espionage campaigns and Aggio said he did not know who precisely at the organization the hackers had in their sights.

Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel’s operations to East Asia – an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.

Source: Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike – Reuters

Hacker selling data of 538 million Weibo users

The personal details of more than 538 million users of Chinese social network Weibo are currently available for sale online, according to ads seen by ZDNet and corroborating reports from Chinese media.

In ads posted on the dark web and other places, a hacker claims to have breached Weibo in mid-2019 and obtained a dump of the company’s user database.

The database allegedly contains the details for 538 million Weibo users. Personal details include the likes of real names, site usernames, gender, location, and — for 172 million users — phone numbers.

Passwords were not included, which explains why the hacker is selling the Weibo data for only ¥1,799 ($250).

Source: Hacker selling data of 538 million Weibo users | ZDNet

Chinese security firm says CIA hacked Chinese targets for the past 11 years

China’s largest cyber-security vendor has published today a report accusing the CIA of hacking Chinese companies and government agencies for more than 11 years.

The report, authored by Qihoo 360, claims the CIA hacked targets in China’s aviation industry, scientific research institutions, petroleum industry, Internet companies, and government agencies.

CIA hacking operations took place between September 2008 and June 2019, and most of the targets were located in Beijing, Guangdong, and Zhejiang, Qihoo researchers said.

Image: Qihoo 360

Qihoo claims that a large part of the CIA’s hacking efforts focused on the civil aviation industry, both in China and in other countries.

The Chinese security firm claims the purpose of this campaign was “long-term and targeted intelligence-gathering” to track “real-time global flight status, passenger information, trade freight, and other related information.”

Report based on Vault 7 leaks

Qihoo says it linked the attacks to the CIA based on the malware used in the intrusions — namely Fluxwire [1, 2, 3] and Grasshopper [1, 2].

Both malware strains came to light in early 2017 when Wikileaks published the Vault 7 dump, a collection of documentation files detailing the CIA’s arsenal of cyber-weapons.

WikiLeaks claimed it received the files from a CIA insider and whistleblower, later identified as Joshua Schulte — currently under trial in the US.

Weeks after the WikiLeaks Vault 7 revelations, Symantec confirmed that Fluxwire was the Corentry malware that they had been tracking for years.

Source: Chinese security firm says CIA hacked Chinese targets for the past 11 years | ZDNet

Details of 10.6 million Vegas MGM hotel guests posted on a hacking forum

The personal details of more than 10.6 million users who stayed at MGM Resorts hotels have been published on a hacking forum this week.

Besides details for regular tourists and travelers, included in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.

ZDNet verified the authenticity of the data today, together with a security researcher from Under the Breach, a soon-to-be-launched data breach monitoring service.

A spokesperson for MGM Resorts confirmed the incident via email.

What was exposed

According to our analysis, the MGM data dump that was shared today contains personal details for 10,683,188 former hotel guests.

Included in the leaked files are personal details such as full names, home addresses, phone numbers, emails, and dates of birth.

Source: Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum | ZDNet

Confusing car autopilots using projections

The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars from validating their virtual perception of the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. Since the application of these attacks comes with a cost (exposure of the attacker’s identity), the delicate exposure vs. application balance has held, and attacks of this kind have not yet been encountered in the wild. In this paper, we investigate a new perceptual challenge that causes the ADASs and autopilots of semi/fully autonomous cars to consider depthless objects (phantoms) as real. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. We show that the car industry has not considered this type of attack by demonstrating the attack on today’s most advanced ADAS and autopilot technologies: Mobileye 630 PRO and the Tesla Model X, HW 2.5; our experiments show that when presented with various phantoms, a car’s ADAS or autopilot considers the phantoms as real objects, causing these systems to trigger the brakes, steer into the lane of oncoming traffic, and issue notifications about fake road signs. In order to mitigate this attack, we present a model that analyzes a detected object’s context, surface, and reflected light, which is capable of detecting phantoms with 0.99 AUC. Finally, we explain why the deployment of vehicular communication systems might reduce attackers’ opportunities to apply phantom attacks but won’t eliminate them.

Source: Phantom of the ADAS

Twitter had a flaw allowing the discovery of phone numbers attached to accounts en masse. And it’s been used in the wild multiple times.

Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization.

In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.

That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter’s contact upload feature and matching them to usernames.

The feature is supposed to be used by tweeters seeking their friends on Twitter, by uploading their phone’s address book. But Twitter seemingly did not fully limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.

It wasn’t, and Twitter now says that, as well as Balic’s probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”

Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.

In other words, this Twitter security hole was a giant intelligence gathering opportunity.

Twitter says that it initially only saw one person “using a large network of fake accounts to exploit our API and match usernames to phone numbers,” and suspended the accounts. But it soon realized the problem was more widespread: “During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case.”

For what it’s worth Twitter apologized for its self-imposed security cock-up: “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

It’s worth noting that users who did not add their phone number to their Twitter account, or did not allow it to be discovered via the API, were not affected. Which points to a painfully obvious lesson: don’t trust any company with more personal information than they need to have.
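Blocking sequential numbers did not stop the enumeration because the signals that distinguish it are volume, match rate, and fan-out rather than the shape of any single upload: a real address book holds a few hundred numbers and most of them match, whereas Balic’s generated list of two billion matched 17 million (under one percent), and Twitter saw many fake accounts driving uploads from a handful of IPs. The following is an added detection example, not code from The Register or Twitter: it runs those three checks over a constructed request log for a contact-upload endpoint. The log format, IP addresses, account names and thresholds are all constructed.

```python
"""Spotting abuse of a contact-upload (phone number to username) endpoint from
the service's own request logs."""
import re
from collections import defaultdict

# Constructed sample log (not Twitter's). One line per address-book upload:
# timestamp, source IP, account, numbers submitted, numbers that matched a user.
# Two ordinary users, then a cluster of fake accounts bulk-uploading generated
# numbers from a single IP.
SAMPLE_LOG = "\n".join(
    [
        "2019-12-24T10:00:01Z ip=198.51.100.7 account=alice numbers=212 matches=140",
        "2019-12-24T10:00:04Z ip=198.51.100.9 account=bob numbers=45 matches=31",
    ]
    + [
        f"2019-12-24T10:{i:02d}:00Z ip=203.0.113.5 account=acct{i:04d} "
        f"numbers=10000 matches={80 + i}"
        for i in range(1, 9)
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) account=(?P<acct>\S+) "
    r"numbers=(?P<numbers>\d+) matches=(?P<matches>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse upload events; a malformed line is an error, not something to skip."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        mo = LINE_RE.match(line)
        if mo is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append({
            "ts": mo["ts"], "ip": mo["ip"], "account": mo["acct"],
            "numbers": int(mo["numbers"]), "matches": int(mo["matches"]),
        })
    return events


def detect_enumeration(events, max_numbers_per_account=5000,
                       max_accounts_per_ip=5, min_match_ratio=0.05,
                       ratio_min_numbers=1000):
    """Return (signal, subject, value) alerts for three enumeration signals.

    account_volume:    one account uploads more numbers than any address book holds
    low_match_ratio:   a bulk upload where almost nothing matches, i.e. generated
                       numbers rather than real contacts
    ip_account_fanout: many accounts uploading from one source IP
    The thresholds are illustrative; tune them to the service's real traffic.
    """
    per_account = defaultdict(lambda: {"numbers": 0, "matches": 0})
    per_ip = defaultdict(set)
    for e in events:
        acc = per_account[e["account"]]
        acc["numbers"] += e["numbers"]
        acc["matches"] += e["matches"]
        per_ip[e["ip"]].add(e["account"])

    alerts = []
    for account, s in sorted(per_account.items()):
        if s["numbers"] > max_numbers_per_account:
            alerts.append(("account_volume", account, s["numbers"]))
        if s["numbers"] >= ratio_min_numbers:
            ratio = s["matches"] / s["numbers"]
            if ratio < min_match_ratio:
                alerts.append(("low_match_ratio", account, round(ratio, 4)))
    for ip, accounts in sorted(per_ip.items()):
        if len(accounts) > max_accounts_per_ip:
            alerts.append(("ip_account_fanout", ip, len(accounts)))
    return alerts


def flagged_accounts(alerts) -> set:
    """Accounts named by a per-account signal (fan-out alerts name an IP)."""
    return {subject for signal, subject, _ in alerts if signal != "ip_account_fanout"}


if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
```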

Source: Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits • The Register