Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.

Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using. Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.

We have found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection.

We have developed a free and open-source tool, Spycheck, to determine if your system is vulnerable. If it is found to be vulnerable, Spycheck will guide you to recommendations on how to help protect your system.

[…]

These vulnerabilities lead to nine practical exploitation scenarios. In an evil maid threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

All Thunderbolt-equipped systems shipped between 2011-2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign. Users are therefore strongly encouraged to determine whether they are affected using Spycheck, a free and open-source tool we have developed that verifies whether their systems are vulnerable to Thunderspy. If it is found to be vulnerable, Spycheck will guide users to recommendations on how to help protect their system.

[…]

The Thunderspy vulnerabilities have been discovered and reported by Björn Ruytenberg. Please cite this work as:

Björn Ruytenberg. Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020. https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf

Source: Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

a hacker group created a fake icons hosting website in order to disguise malicious code meant to steal payment card data from hacked websites.

The operation is what security researchers refer to these days as a web skimming, e-skimming, or a Magecart attack.

Hackers breach websites and then hide malicious code on its pages, code that records and steals payment card details as they’re entered in checkout forms.

[…]

Hackers created a fake icons hosting portal

In a report published today, US-based cybersecurity firm Malwarebytes said it detected one such group taking its operations to a whole new level of sophistication with a new trick.

The security firm says it discovered this group while investigating a series of strange hacks, where the only thing modified on the hacked sites was the favicon — the logo image shown in browser tabs.

The new favicon was a legitimate image file hosted on MyIcons.net, with no malicious code hidden inside it. However, while the change looked innocent, Malwarebytes said that web skimming code was still loaded on hacked sites, and there was clearly something strange with the new favicon.

[…]

The trick, according to Malwarebytes, was that the MyIcons.net website served a legitimate favicon file for all a website’s pages, except on pages that contained checkout forms.

On these pages, the MyIcons.net website would secretly switch the favicon with a malicious JavaScript file that created a fake checkout form and stole user card details.

Malwarebytes said that site owners investigating the incident and accessing the MyIcons.net website would find a fully-working icon hosting portal, and would be misled to believe it’s a legitimate site.

However, the security firm says MyIcons.net was actually a clone of the legitimate IconArchive.com portal, and that its primary role was to be a decoy.

Furthermore, the site was also hosted on servers used previously in other web skimming operations, as reported by fellow cybersecurity firm Sucuri a few weeks before.

Source: Hackers hide web skimmer behind a website’s favicon | ZDNet

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned.

The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

ZDNet has obtained copies of both data sets. We received the entire 44 million records released online today, but we also received a sample of 55 million user records that were part of the 115 million data dump. Based on the data sets, we can conclude that the two are the same.

According to our analysis of the leaked files, the data contained both personally-identifiable and telephony-related information. This includes the likes of:

• Customer full names
• Home addresses (city, region, street name)
• National identification (CNIC) numbers
• Mobile phone numbers
• Landline numbers
• Dates of subscription

The data included details for both Pakistani home users and local companies alike.

Details for companies matched public records and public phone numbers listed on companies’ websites. In addition, ZDNet also verified the validity of the leaked data with multiple Pakistani users.

Source: Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache | ZDNet

Christopher Bouzy, the founder of bot tracking platform Bot Sentinel, conducted a Twitter analysis for Business Insider and found bots and trolls are using hashtags like #ReOpenNC, #ReopenAmericaNow, #StopTheMadness, #ENDTHESHUTDOWN, and #OperationGridlock to spread disinformation. According to Bouzy, the bots and trolls are spreading conspiracy theories about Democrats wanting to hurt the economy to make Trump look bad, Democrats trying to take away people’s civil liberties, and Democrats trying to prevent people from voting. The accounts are also using false data to underplay the threat of the coronavirus.

[…]

“Inauthentic accounts are amplifying disinformation and inaccurate statistics and sharing false information as a reason to reopen the country,” Bouzy says. “Many of these accounts are also spreading bizarre conspiracy theories about Democrats using COVID-19 as a way to take away American freedoms and prevent Americans from voting.”

[…]

“Inauthentic accounts are downplaying the seriousness of COVID-19, and they sharing inaccurate information about the mortality rate of the virus. The problem is significant because many of these inauthentic accounts are retweeted by other larger accounts, which increases their reach and visibility.”

According to the New York Times, Chinese operatives spread claims on social media in mid-March that the Trump administration was going to lock down the entire country and enforce this lockdown with soldiers on the streets. The White House’s National Security Council later tweeted that these claims were false. That was just some of the disinformation that’s been spread on social media by inauthentic sources.

[…]

Brooke Binkowski, managing editor of the fact-checking website Truth or Fiction and former managing editor of Snopes, tells Business Insider that the media has been struggling with its coverage of the protests, which she says are “completely inauthentic and coordinated.”

“Journalists are largely missing that fact in their bids to find ‘other sides to the story,'” Binkowski says.

[…]

She believes that the disinformation is being spread by trolls and bots but also by “useful idiots.”

“Empowering violent extremists is a very old method for collapsing unstable states,” Binkowski says. “This is the end result of weaponized disinformation — it’s doing its job. It would have been the virus or it would have been something like a fire, or a hurricane, or an earthquake. But disinformation purveyors are nothing if not opportunistic.”

Source: Trolls, bots flooding social media with anti-quarantine disinformation – Business Insider

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say, PhantomLance’s hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app, and the victim will trust it because it’s Google Play.”

Kaspersky says it has tied the PhantomLance campaign to the hacker group OceanLotus, also known as APT32, widely believed to be working on behalf of the Vietnamese government. That suggests the PhantomLance campaign likely mixed spying on Vietnam’s Southeast Asian neighbors with domestic surveillance of Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus to previous operations that targeted Vietnamese dissidents and bloggers. FireEye also recently spotted the group targeting China’s Ministry of Emergency Management as well as the government of the Chinese province of Wuhan, apparently searching for information related to Covid-19.

The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps was fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks. In total, Firsh says, Kaspersky’s antivirus software detected the malicious apps attempting to infect around 300 of its customers phones.

In most instances, those earlier apps hid their intent better than the two that had lingered in Google Play. They were designed to be “clean” at the time of installation and only later add all their malicious features in an update. “We think this is the main strategy for these guys,” says Firsh. In some cases, those malicious payloads also appeared to exploit “root” privileges that allowed them to override Android’s permission system, which requires apps to ask for a user’s consent before accessing data like contacts and text messages. Kaspersky says it wasn’t able to find the actual code that the apps would use to hack Android’s operating system and gain those privileges.

Source: How Spies Snuck Malware Into the Google Play Store—Again and Again | WIRED

In a filing released on Thursday in federal court in Oakland, California, lawyers representing the social media giant alleged that NSO Group had used a network of remote servers in California to hack into phones and devices that were used by attorneys, journalists, human rights activists, government officials and others.

NSO Group has argued that Facebook’s case against it should be thrown out on the grounds that the court has no jurisdiction over its operations. In a 13 May legal document, lawyers representing NSO Group said that the company had no offices or employees in California and “do no business of any kind there.”

NSO has also argued that it has no role in operating the spyware and is limited to “providing advice and technical support to assist customers in setting up” the technology.

John Scott-Railton, a senior researcher at the Citizen Lab at the University Of Toronto’s Munk School, said evidence presented by Facebook on Thursday indicated NSO Group was in a position to “look over its customer’s shoulders” and monitor who its government clients were targeting.

“This is a gut punch to years of NSO’s claims that it can’t see what its customers are doing,” said Scott-Railton. He said it also shows that the Israeli company “probably knows a lot more about what its customers do than it would like to admit.”

NSO’s spyware, known as Pegasus, can gather information about a mobile phone’s location, access its camera, microphone and internal hard drive, and covertly record emails, phone calls and text messages. Researchers have accused the company of supplying its technology to countries that have used it to spy on dissidents, journalists and other critics.

A representative for NSO Group said its products are “used to stop terrorism, curb violent crime, and save lives.”

“NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States,” the representative said, adding that a response to Facebook’s legal filing was forthcoming.

In its filing, Facebook alleged that NSO had rented a Los Angeles-based server from a U.S. company, QuadraNet, that it used to launch 720 hacks on people’s smartphones or other devices. It’s unclear whether NSO Group’s software was used to target people within the U.S.. The company has previously stated that its technology “cannot be used on U.S. phone numbers.”

Facebook accused NSO Group of reverse-engineering WhatsApp, using an unauthorized program to access WhatsApp’s servers and deploying its spyware against approximately 1,400 targets. NSO Group was then able to “covertly transmit malicious code through WhatsApp servers and inject” spyware onto people’s devices without their knowledge, according to the Facebook’s legal filings.

“Defendants had no authority to access WhatsApp’s servers with an imposter program, manipulate network settings, and commandeer the servers to attack WhatsApp users,” Facebook alleged in the Thursday filing. “That invasion of WhatsApp’s servers and users’ devices constitutes unlawful computer hacking” under the Computer Fraud and Abuse Act.

Source: Facebook Accuses NSO Group of Using U.S. Servers for Spying – Bloomberg

New Jersey IT services provider Cognizant has confirmed it is the latest victim of the Maze ransomware.

The infection was disclosed to the public this weekend. Cognizant said the malware outbreak will likely disrupt service for some of its customers, and possibly put them in danger as well.

Maze is unusual among ransomware strains in that it not only encrypts the data on infected Windows machines, it siphons off copies of the originals as well. This gives the malware’s masterminds extra leverage – don’t pay the ransom and confidential corporate data can be leaked or sold online. It is feared Maze may have infected Cognizant’s customers, via the US service provider, and if that did happen, those clients’ documents may have been stolen as well as scrambled.

“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” the announcement read.

“Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”

An update on Sunday included a rather ominous warning for customers: “We are in ongoing communication with our clients and have provided them with Indicators of Compromise (IOCs) and other technical information of a defensive nature,” Cognizant said.

Cognizant provides on-premises and cloud-hosted IT services for companies as well as consultancy gigs. The biz has high-value customers in areas such as banking, health care, and manufacturing, and it is ranked in the Fortune 500, so any large-scale attack on its systems is potentially serious.

Source: Bad news: Cognizant hit by ransomware gang. Worse: It’s Maze, which leaks victims’ data online after non-payment • The Register

Security researcher Trammell Hudson analyzed the AirSense 10 — the world’s most widely used CPAP — and made a startling discovery. Although its manufacturer says the AirSense 10 would require “significant rework to function as a ventilator,” many ventilator functions were already built into the device firmware. Its manufacturer, ResMed, says the $700 device solely functions as a continuous positive airway pressure machine used to treat sleep apnea. It does this by funneling air into a mask. ResMed says the device can’t work as a bilevel positive airway pressure device, which is a more advanced machine that pushes air into a mask and then pulls it back out. With no ability to work in both directions or increase the output when needed, the AirSense 10 can’t be used as the type of ventilator that could help patients who are struggling to breathe. After reverse-engineering the firmware, Hudson says the ResMed claim is simply untrue.

To demonstrate his findings, Hudson on Tuesday is releasing a patch that he says unlocks the hidden capabilities buried deep inside the AirSense 10. The patch is dubbed Airbreak in a nod to jailbreaks that hobbyists use to remove technical barriers Apple developers erect inside iPhones and iPads. Whereas jailbreaks unlock functions that allow the installation of unauthorized apps and the accessing of log files and forensic data, Airbreak allows the AirSense 10 to work as a bilevel positive airway pressure machine, a device that many people refer to as a BiPAP. “Our changes bring the AirSense S10 to near feature parity with BiPAP machines from the same manufacturer, boost the maximum pressure output available, and provide a starting point to add more advanced emergency ventilator functionality,” Hudson and other researchers wrote on their website disclosing the findings. The researchers say Airbreak isn’t ready to be used on any device to treat a patient suffering from COVID-19 — it’s simply to prove that the AirSense 10 does have the ability to provide emergency ventilator functions, and to push ResMed to release its own firmware update that unlocks the ventilator functions.

Source: Medical Device ‘Jailbreak’ Could Help Solve the Dangerous Shortage of Ventilators – Slashdot

It’s nice to say this, but the respiration functions on the Airsense are probably not medically validated and thus not necessarily safe to use. When does fairly safe become acceptable in an emergency?

A group of hackers operating as an offshoot of China’s Winnti group managed to stay undetected for more than a decade by going open source.

A report from BlackBerry outlines how the group, actually a collection of five smaller crews of hackers thought to be state-sponsored, assembled in the wake of Winnti and exploited Linux servers, plus the occasional Windows Server box and mobile device, for years.

“The APT groups examined in this report have traditionally pursued different objectives and focused on a wide array of targets,” BlackBerry noted.

“However, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned, and it is assessed that any organization with a large Linux distribution should not assume they are outside of the target sets for any of these groups.”

First chronicled by researchers back in 2013, the Winnti hacking operation is thought to date back as far as 2009. These groups, described by BlackBerry as “offshoots” of that hacking outfit, have been around for nearly as long and use similar tactics.

Part of the reason the attack has gone unnoticed for so long, BlackBerry reckons, is due to their preference for Linux servers. It is believed the hackers use three different backdoors, two rootkits, and two other build tools that can be used to construct additional rootkits on a per-target basis for open-source servers.

This in addition to the command-and-control tools and what is described as a “massive botnet” of compromised Linux servers and devices. Some of the malware has been in use dating back to 2012.

Source: Want to stay under the radar for a decade or more? This Chinese hacking crew did it… by aiming for Linux servers • The Register

For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame.

According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24.

The attacks appear to be carried with the help of an automated script that scans the internet for ElasticSearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com.

The attacking script doesn’t appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.

However, on many Elasticsearch servers, the wiping behavior is obvious, as log entries simply cut off around recent dates, such as March 24, 25, 26, and so on. Due to the highly volatile nature of data stored inside Elasticsearch servers, it is hard to quantify the exact number of systems where data was deleted.

Night Lion Security denies any involvement

In a Signal conversation with this reporter yesterday, Vinny Troia, the founder of Night Lion Security, has denied that his company had anything to do with the ongoing attacks.

In an interview he gave DataBreaches.net on March 26, Troia said he believes the attack is being carried out by a hacker he has been tracking for the past years, and who is also the subject of a recently released book.

Source: A hacker has wiped, defaced more than 15,000 Elasticsearch servers | ZDNet

Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest data exposure has not been disclosed, though Marriott admitted it seemed to have started in January 2020 and was detected “at the end of February.”

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was at the epicenter of the intrusion.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers about the digital break-in.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.

Source: Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off guests’ personal info • The Register

A hacker has hijacked all of Microsoft’s official YouTube accounts and is broadcasting a cryptocurrency Ponzi scam to the company’s subscribers, ZDNet has learned from one of our readers.

The hacks appear to have occurred about 13 hours ago, according to our source. The hijacked accounts are still streaming at the time of writing, despite being reported to YouTube’s moderators for more than one hour.

The hacker is currently live-streaming an old Bill Gates talk on startups that the former Microsoft CEO gave to an audience at Village Global in June 2019.

Hackers are live-streaming an altered version of the presentation, but also asking for viewers to participate in a classic “crypto giveaway” — where victims are tricked to send a small sum of cryptocurrency to double their earnings but never get any funds in return.

[…]

The Bitcoin address listed in the video streams did not receive any transactions or holds any funds, suggesting that no users have fallen for the scam. Based on YouTube stream stats, tens of thousands have seen the video feeds.

Microsoft was not the only organization impacted by the mass hijack and defacement incident. The Chaos Computer Club, a famous Germany-based hacking community, has also had its account hijacked to broadcast a similar message.

Source: Hacker hijacks Microsoft YouTube accounts to broadcast crypto Ponzi scam | ZDNet

During a recent event I decided to setup a passive monitoring station to check for any attempts to impersonate, hi-jack, or deny service to our WiFi . For this task I decided to use an Alpha card, and Kismet (which comes already installed on Kali linux). To deploy for wireless intrusion detection (WIDS)

Kismet worked as advertised and I was able to monitor channel utilization and for wireless anomalies (think pwnagotchi or hak5 pineapple)

This worked great, but I soon noticed that Kismet also was logging WPA handshakes for client connections. Which made me wonder, could kismet be used as an attack platform?

After some quick googling I found indeed its very possible using this 3 step process.

1. Export PCAP data out of the kismet session database (by default stored at the root of a user home dir) by issuing the command kismet_log_to_pcap — in foo.kismet — out foo.pcap
2. Convert that PCAP into something consumable by hashcat by issuing the command cap2hccapx.bin foo.pcap foo.hccapx
3. Setup hashcat to crack the stored key exchanges by using the command hashcat64.exe -m 2500 foo.hccapx rockyou.txt -r rules/rockyou-30000.rule

What was surprising was that it took seconds or less to crack many of the captured sessions. Whats more interesting is that its possible to deploy kismet on extremely cheap hardware such as a Raspberry Pi and form fleets of sensors that all log to a central point, and that are all cracked and monitored.

Today’s key take away? If you use a portable access point such as your phone as a hotspot you still need to use an extremely long and complex password. It used to take an exorbitant amount of time to crack WPA2 but that is no longer true. Modern techniques for cracking the pairwise master key have been developed which combined with GPU based password cracking means weak passwords can often be instantly cracked.

To read more about this check out Ins1gn1a’s article titled Understanding WPA/WPA2 Pre-Shared-Key Cracking

Source: WPA Cracking from Kismet sensors – William Reyor – Medium

WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear and the effort was unsuccessful. But he warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.

The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.

Urbelis said he picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO’s internal email system.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he said.

Urbelis said he didn’t know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.

Messages sent to email addresses maintained by the hackers went unreturned.

When asked by Reuters about the incident, the WHO’s Aggio confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio said in a telephone interview. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

The WHO published an alert last month – available here here – warning that hackers are posing as the agency to steal money and sensitive information from the public.

And government officials in the United States, Britain and elsewhere have issued cybersecurity warnings about the dangers of a newly remote workforce as people disperse to their homes to work and study because of the coronavirus pandemic.

The motives in the case identified by Reuters aren’t clear. United Nations agencies, the WHO among them, are regularly targeted by digital espionage campaigns and Aggio said he did not know who precisely at the organization the hackers had in their sights.

Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel’s operations to East Asia – an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.

Source: Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike – Reuters

The personal details of more than 538 million users of Chinese social network Weibo are currently available for sale online, according to ads seen by ZDNet and corroborating reports from Chinese media.

In ads posted on the dark web and other places, a hacker claims to have breached Weibo in mid-2019 and obtained a dump of the company’s user database.

The database allegedly contains the details for 538 million Weibo users. Personal details include the likes of real names, site usernames, gender, location, and — for 172 million users — phone numbers.

Passwords were not included, which explains why the hacker is selling the Weibo data for only ¥1,799 ($250).

Source: Hacker selling data of 538 million Weibo users | ZDNet

China’s largest cyber-security vendor has published today a report accusing the CIA of hacking Chinese companies and government agencies for more than 11 years.

The report, authored by Qihoo 360, claims the CIA hacked targets in China’s aviation industry, scientific research institutions, petroleum industry, Internet companies, and government agencies.

CIA hacking operations took place between September 2008 and June 2019, and most of the targets were located in Beijing, Guangdong, and Zhejiang, Qihoo researchers said.

Qihoo claims that a large part of the CIA’s hacking efforts focused on the civil aviation industry, both in China and in other countries.

The Chinese security firm claims the purpose of this campaign was “long-term and targeted intelligence-gathering” to track “real-time global flight status, passenger information, trade freight, and other related information.”

Report based on Vault 7 leaks

Qihoo says it linked the attacks to the CIA based on the malware used in the intrusions — namely Fluxwire [1, 2, 3] and Grasshopper [1, 2].

Both malware strains came to light in early 2017 when Wikileaks published the Vault 7 dump, a collection of documentation files detailing the CIA’s arsenal of cyber-weapons.

WikiLeaks claimed it received the files from a CIA insider and whistleblower, later identified as Joshua Schultz — currently under trial in the US.

Weeks after the WikiLeaks Vault 7 revelations, Symantec confirmed that Fluxwire was the Corentry malware that they had been tracking for years.

Source: Chinese security firm says CIA hacked Chinese targets for the past 11 years | ZDNet

The personal details of more than 10.6 million users who stayed at MGM Resorts hotels have been published on a hacking forum this week.

Besides details for regular tourists and travelers, included in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.

ZDNet verified the authenticity of the data today, together with a security researcher from Under the Breach, a soon-to-be-launched data breach monitoring service.

A spokesperson for MGM Resorts confirmed the incident via email.

What was exposed

According to our analysis, the MGM data dump that was shared today contains personal details for 10,683,188 former hotel guests.

Included in the leaked files are personal details such as full names, home addresses, phone numbers, emails, and dates of birth.

Source: Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum | ZDNet

The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. Since the application of these attacks comes with a cost (exposure of the attacker’s identity), the delicate exposure vs. application balance has held, and attacks of this kind have not yet been encountered in the wild. In this paper, we investigate a new perceptual challenge that causes the ADASs and autopilots of semi/fully autonomous to consider depthless objects (phantoms) as real. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. We show that the car industry has not considered this type of attack by demonstrating the attack on today’s most advanced ADAS and autopilot technologies: Mobileye 630 PRO and the Tesla Model X, HW 2.5; our experiments show that when presented with various phantoms, a car’s ADAS or autopilot considers the phantoms as real objects, causing these systems to trigger the brakes, steer into the lane of oncoming traffic, and issue notifications about fake road signs. In order to mitigate this attack, we present a model that analyzes a detected object’s context, surface, and reflected light, which is capable of detecting phantoms with 0.99 AUC. Finally, we explain why the deployment of vehicular communication systems might reduce attackers’ opportunities to apply phantom attacks but won’t eliminate them.

​

Source: Phantom of the ADAS

Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization.

In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.

That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter’s contact upload feature, and match them to usernames.

The feature is supposed to be used by tweeters seeking their friends on Twitters, by uploading their phone’s address book. But Twitter seemingly did not fully limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.

It wasn’t, and Twitter now says that, as well as Balic’s probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia,” adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”

Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, and potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.

In other words, this Twitter security hole was a giant intelligence gathering opportunity,

Twitter says that it initially only saw one person “using a large network of fake accounts to exploit our API and match usernames to phone numbers,” and suspended the accounts. But it soon realized the problem was more widespread: “During our investigation, we discovered additional accounts that we believe may have been exploiting this same API endpoint beyond its intended use case.”

For what it’s worth Twitter apologized for its self-imposed security cock-up: “We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

It’s worth noting that users who did not add their phone number to their Twitter account or not allow it to be discovered via the API were not affected. Which points to a painfully obvious lesson: don’t trust any company with more personal information than they need to have.

Source: Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits • The Register

The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants’ fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public.

[…]

A senior IT official dubbed the attack a “major meltdown,” in which personnel records – as well as contract data covering thousands of individuals and organizations – was accessed. The hackers were able to get into user-management systems and past firewalls; eventually compromising over 40 servers, with the vast majority at the European headquarters in Geneva.

But despite the size and extent of the hack, the UN decided to keep it secret. Only IT teams and the heads of the stations in question were informed.

[…]

Employees whose data was within reach of the hackers were told only that they needed to change their password and were not informed that their personal details had been compromised. That decision not to disclose any details stems from a “cover-up culture” the anonymous IT official who leaked the internal report told the publication.

The report notes it has been unable to calculate the extent of damage but one techie – it’s not clear it is the same one that leaked the report – estimated that 400GB had been pulled from United Nations servers.

Most worrying is the fact the UN Office of the High Commissioner for Human Rights (OHCHR) was one of those compromised. The OHCHR deals with highly sensitive information from people who put their lives at risk to uncover human rights abuses.

Making matters worse, IT specialists had warned the UN for years that it was at risk from hacking. An audit in 2012 identified an “unacceptable level of risk,” and resulted in a restructure that consolidated servers, websites, and typical services like email, and then outsourced them to commercial providers at a cost of $1.7bn.

But internal warnings about lax security continued, and an official audit in 2018 was full of red flags. “The performance management framework had not been implemented,” it stated, adding that there were “policy gaps in areas of emerging concern, such as the outsourcing of ICT services, end-user device usage, information-sharing, open data and the reuse and safe disposal of decommissioned ICT equipment.”

There were lengthy delays in security projects, and, internally, departments were ignoring compliance efforts. The audit “noted with concern” that 28 of the 37 internal groups hadn’t responded at all and that over the nearly 1,500 websites and web apps identified only a single one had carried out a security assessment.

The audit also found that less than half of the 38,105 staff had done a compulsory course in basic IT security that had been designed to help reduce overall security risks. In short, this was an accident waiting to happen, especially given the UN’s high-profile status.

As to the miscreants’ entry point, it was a known flaw in Microsoft SharePoint (CVE-2019-0604) for which a software patch had been available for months yet the UN had failed to apply it.

The hole can be exploited by a remote attacker to bypass logins and issue system-level commands – in other words, a big problem from a security standpoint. The hackers broke into a vulnerable SharePoint deployment in Vienna and then, with admin access, moved within the organization’s networks to access the Geneva headquarters and then the OHCHR.

[…]

Source: UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it • The Register

An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by The Associated Press, says that dozens of servers were “compromised” at offices in Geneva and Vienna.

Those include the U.N. human rights office, which has often been a lightning rod of criticism from autocratic governments for its calling-out of rights abuses.

One U.N. official told the AP that the hack, which was first detected over the summer, appeared “sophisticated” and that the extent of the damage remains unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke only on condition of anonymity to speak freely about the episode, said systems have since been reinforced.

The level of sophistication was so high that it was possible a state-backed actor might have been behind it, the official said.

There were conflicting accounts about the significance of the incursion.

“We were hacked,” U.N. human rights office spokesman Rupert Colville. “We face daily attempts to get into our computer systems. This time, they managed, but it did not get very far. Nothing confidential was compromised.”

The breach, at least at the human rights office, appears to have been limited to the so-called active directory – including a staff list and details like e-mail addresses – but not access to passwords. No domain administration’s account was compromised, officials said.

The United Nations headquarters in New York as well as the U.N.’s sprawling Palais des Nations compound in Geneva, its European headquarters, did not immediately respond to questions from the AP about the incident.

Sensitive information at the human rights office about possible war criminals in the Syrian conflict and perpetrators of Myanmar’s crackdown against Rohingya Muslims were not compromised, because it is held in extremely secure conditions, the official said.

The internal document from the U.N. Office of Information and Technology said 42 servers were “compromised” and another 25 were deemed “suspicious,” nearly all at the sprawling United Nations offices in Geneva and Vienna. Three of the “compromised” servers belonged to the Office of the High Commissioner for Human Rights, which is located across town from the main U.N. office in Geneva, and two were used by the U.N. Economic Commission for Europe.

Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local U.N. data center from the Internet, re-write passwords and ensure the systems were clean.

The hack comes amid rising concerns about computer or mobile phone vulnerabilities, both for large organizations like governments and the U.N. as well as for individuals and businesses.

Source: In ‘Sophisticated’ Incident, Dozens of U.N. Servers Hacked | Time

They are downplaying the importance of an Active Directory server – it contains all the users and their details, so it’s a pretty big deal.

In early 2018, Saudi Crown Prince Mohammed bin Salman took a sweeping tour of the U.S. as part of a strategy to rebrand Saudi Arabia’s ruling monarchy as a modernizing force and pull off his “Vision 2030” plan—hobnobbing with a list of corporate execs and politicians that reads like a who’s who list of the U.S. elite.

[…]

Bezos was one of the individuals that bin Salman met with during his trip to the U.S., and at the time, Amazon was considering investments in Saudi Arabia. Those plans went south after the Khashoggi murder, but a quick scan of the crown prince’s 2018 itinerary reveals others corporate leaders and politicians eager to get into his good graces.

These people may want to have their phones examined.

According to the New York Times, the crown prince started off with a meeting in D.C. with Donald Trump and his son-in-law Jared Kushner (the latter of whom may have real reason to worry due to his WhatsApp conversations with bin Salman). Politicians who met with him include Vice President Mike Pence, then-International Monetary Fund chief Christine Lagarde, and United Nations Secretary-General António Guterres, the Guardian reported. He also met with former Senator John Kerry and former President Bill Clinton, as well as the two former President Bushes.

While touting the importance of investment in Saudi Arabian projects including Neom, bin Salman’s plans for some kind of wonder city, the crown prince met with 40 U.S. business leaders. He also met with Goldman Sachs CEO Lloyd Blankfein and former New York mayor Michael Bloomberg, a 2020 presidential candidate, in New York.

One-on-one meetings included hanging out with Microsoft CEO Satya Nadella during the Seattle wing of the crown prince’s trip, as well as Microsoft co-founder Bill Gates.

[…]

Rupert Murdoch, as well as bevy of prominent Hollywood personalities including Disney CEO Bob Iger, Universal film chairman Jeff Shell, Fox executive Peter Rice and film studio chief Stacey Snider, according to the Hollywood Reporter. Also present were Warner Bros. CEO Kevin Tsujihara, Nat Geo CEO Courtney Monroe, filmmakers James Cameron and Ridley Scott, and actors Morgan Freeman, Michael Douglas, and Dwayne “The Rock” Johnson.

During another leg of his trip in San Francisco, bin Salman met with Apple CEO Tim Cook as well as chief operating officer Jeff Williams, head of environment, policy, and social initiatives Lisa Jackson, and former retail chief Angela Ahrendts.

But to be fair, he also met Google co-founders Larry Page and Sergey Brin as well as current CEO Sundar Pichai.

[…]

ominous data analytics firm Palantir and met with its founder, venture capitalist Peter Thiel.

[…]

venture capitalists, including Andreessen Horowitz co-founder Marc Andreessen, Y Combinator chairman Sam Altman, and Sun Microsystems co-founder Vinod Khosla, according to Business Insider. Photos and the New York Times show that LinkedIn co-founder Reid Hoffman was also present.

Finally, bin Salman also met with Virgin Group founder Richard Branson and Magic Leap CEO Rony Abovitz.

During an earlier visit to the states in June 2016, bin Salman met with President Barack Obama before he traveled to San Francisco. At that time the crown prince visited Facebook and met CEO Mark Zuckerberg

[…]

At that time, the crown prince also met with Khan Academy CEO Salman Khan and then-Uber CEO Travis Kalanick,

[…]

then-SeaWorld CEO Joel Manby

Source: These VIPs May Want to Make Sure Mohammed bin Salman Didn’t Hack Them

Hackers are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers, Motherboard has learned. Multiple sources in and familiar with the SIM swapping community as well as screenshots shared with Motherboard suggest at least AT&T, T-Mobile, and Sprint have been impacted.

This is an escalation in the world of SIM swapping, in which hackers take over a target’s phone number so they can then access email, social media, or cryptocurrency accounts. Previously, these hackers have bribed telecom employees to perform SIM swaps or tricked workers to do so by impersonating legitimate customers over the phone or in person. Now, hackers are breaking into telecom companies, albeit crudely, to do the SIM swapping themselves.

[…]

The technique uses Remote Desktop Protocol (RDP) software. RDP lets a user control a computer over the internet rather than being physically in front of it. It’s commonly used for legitimate purposes such as customer support. But scammers also make heavy use of RDP. In an age-old scam, a fraudster will phone an ordinary consumer and tell them their computer is infected with malware. To fix the issue, the victim needs to enable RDP and let the fake customer support representative into their machine. From here, the scammer could do all sorts of things, such as logging into online bank accounts and stealing funds.

This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they’re tricking telecom employees to install or activate RDP software, and then remotely reaching into the company’s systems to SIM swap individuals.

The process starts with convincing an employee in a telecom company’s customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, “and they believe it.” Hackers may also convince employees to provide credentials to a RDP service if they already use it.

[…]

Certain employees inside telecom companies have access to tools with the capability to ‘port’ someone’s phone number from one SIM to another. In the case of SIM swapping, this involves moving a victim’s number to a SIM card controlled by the hacker; with this in place, the hacker can then receive a victim’s two-factor authentication codes or password reset prompts via text message. These include T-Mobile’s tool dubbed QuickView; AT&T’s is called Opus.

The SIM swapper said one RDP tool used is Splashtop, which says on its website the product is designed to help “remotely support clients’ computers and servers.”

Source: Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers – VICE

An explosive leak of tens of thousands of documents from the defunct data firm Cambridge Analytica is set to expose the inner workings of the company that collapsed after the Observer revealed it had misappropriated 87 million Facebook profiles.

More than 100,000 documents relating to work in 68 countries that will lay bare the global infrastructure of an operation used to manipulate voters on “an industrial scale” are set to be released over the next months.

It comes as Christopher Steele, the ex-head of MI6’s Russia desk and the intelligence expert behind the so-called “Steele dossier” into Trump’s relationship with Russia, said that while the company had closed down, the failure to properly punish bad actors meant that the prospects for manipulation of the US election this year were even worse.

The release of documents began on New Year’s Day on an anonymous Twitter account, @HindsightFiles, with links to material on elections in Malaysia, Kenya and Brazil. The documents were revealed to have come from Brittany Kaiser, an ex-Cambridge Analytica employee turned whistleblower, and to be the same ones subpoenaed by Robert Mueller’s investigation into Russian interference in the 2016 presidential election

Source: Fresh Cambridge Analytica leak ‘shows global manipulation is out of control’ | UK news | The Guardian

De gegevens van vermoedelijk bijna 10.000 Belgische en Nederlandse klanten die een paar jaar geleden online speelgoed kochten, worden door een hacker te koop aangeboden op het internet. Dat blijkt uit onderzoek van VRT NWS. Het gaat om persoonlijke gegevens en bepaalde aankopen van mensen. De overgrote meerderheid van de producten werden gekocht bij een lokale Nederlandse ondernemer via onder meer webwinkel Bol.com. Die hebben meteen een onderzoek geopend naar de ondernemer waar het lek bleek te zitten.

Het bestand met klantengegevens wordt aangeboden op een gespecialiseerd hackersforum op het internet, waar de oplichter beweert een ‘bol.com-database’ te hebben.

In het bestand kan je zien wat mensen gekocht hebben, wat hun voor- en achternaam is en soms ook wat de aankoop kost. Daarnaast zijn ook bezorggegevens beschikbaar. Ook zie je welke betalingswijze mensen hebben gekozen, zoals een kredietkaart of bancontact.

Lek bij Toppie Speelgoed, externe partner Bol.com

Onderzoek leert dat het bestand inderdaad aankoopgegevens bevat van mensen die via Bol.com speelgoed kochten. Na contact met Bol.com en een intern onderzoek bij de webshop zelf blijkt dat het datalek zit bij een partner van Bol.com die speelgoed verkoopt op onder meer bol.com en eigen webshops. Het gaat om Toppie Speelgoed. Wie rechtstreeks bij Toppie Speelgoed kocht, duikt ook met e-mailadres en telefoonnummer op in de lijst, als dat bij de aankoop werd achtergelaten. Wie via Bol.com een product kocht, enkel met naam en afleveradres. Dat komt omdat Bol.com slechts beperkte gegevens naar externe partners stuurt.

Source: Belgische en Nederlandse klantengegevens van speelgoedwinkel online te koop | VRT NWS