Zoom Zero-Day Flaw Allegedly Allows Full Takeover of Windows PCs

Video conferencing software Zoom is again in the spotlight over an alleged critical vulnerability that could allow an attacker to take over the victim’s computer and all data on it.

Discovered by an unnamed security researcher and reported to Acros Security, the vulnerability is said to be present in all versions of Zoom for Windows, but reportedly only affects Windows 7 and older versions of the OS. According to Acros CEO Mitja Kolsek, the flaw is likely also exploitable on Windows Server 2008 R2 and earlier versions.

The vulnerability is apparently serious, as it allegedly allows a malicious actor to run any code on the victim’s system – essentially any type of malware (ransomware, keylogger, etc.), as well as spy on the user or copy the contents of the hard drive.

It is unclear why the hacker needs to exploit a vulnerability in Zoom if the attack “can be pulled off by getting the victim to perform a typical action such as opening a received document file,” as relayed by Acros to Help Net Security.

Kolsek says the flaw can be exploited through several attack scenarios, but his company is holding off on more detailed information and the proof-of-concept (PoC) until Zoom Video Communications acts on its flawed product. A temporary ‘micropatch’ developed by Kolsek’s company is reportedly available.

Bitdefender cannot verify the efficacy of the patch and recommends setting Zoom aside until an official fix arrives from the vendor. It is also recommended to stop using any deprecated operating system and upgrade to a newer version supported with security updates.

Fake Outlook Credential Upgrade Campaign Phishes for Employee Credentials

Bad actors are using a message disguised as an official
notification from the Outlook team to trick people into entering their
credentials into a phishing website, leaking them in the process and exposing
the company they work for.

Phishing is one of the most common methods to obtain
legitimate credentials, letting attackers compromise systems with ease. Most of
the time, data collected from such phishing campaigns ends up for sale on the
dark web.

Since Office 365 and adjacent products are widespread in
organizations and companies, bad actors try to trick people into sharing their
credentials with third parties. The same credentials can be used across an
organization’s entire infrastructure, not just for email and other office
work.

“The attacker impersonates an automated notification
from the Outlook team on behalf of the recipient’s company,” reads the advisory
from Abnormal Security. “Recipients are urged to ‘upgrade’ their Outlook
services within 24 hours, or email deliveries to them will be delayed.”

If the user clicks on the link, a fake Outlook login page
opens (hosted on GoDaddy). After the user enters the credentials, a popup
informs the user that the upgrade will be completed in the next 48 hours. In
that time, the account is exposed completely.

The one thing that distinguishes this attack is that the
text of the email is somewhat ambiguous, as it’s unclear where it comes from;
it could be either the Outlook team or the IT department.

It goes without saying that people should not open emails
from unknown sources, but sometimes the emails might look legitimate. Users
should always be wary of emails that instruct them to use their credentials. If
you’re not sure if an email is legitimate, contact the IT department. A good
policy is to assume that emails of this type are a phishing attempt.

Billions of Leaked Credentials Available on the Dark Web

Researchers have found over 15 billion credentials from
more than 100,000 data breaches on the dark web, including access to everything
from streaming services to banking accounts and financial services.

Despite what people might think about data breaches and
hackers, most incidents have a different entry vector. When attackers
compromise a company’s infrastructure, they usually have the right credentials,
which means that it’s more difficult to detect them once they’re inside.

The dark web is where these stolen credentials are found,
with many of these websites operating like virtual stores. Users stroll
through, picking and choosing what they want. It’s basically a criminal
enterprise that goes far beyond selling access to Netflix.

The Photon Research Team identified a large number of
these credentials, ranging from account compromise (think Netflix) to complete
network compromise, used in ransomware attacks. The prices for the latter would
go for an average of $3,139 and up to $140,000.

“Privileged accounts, like administrator accounts,
are considered extremely valuable in the criminal underworld,” say
the researchers. “Not only do they give access to a network, but they
feature the highest levels of control and trust, and their permissions are nigh
unlimited. A person using a privileged account could change system
configuration settings, read and modify sensitive data, or give other users
access to critical assets.”

Some of the credentials identified by the researchers
include data for cybersecurity, architecture and engineering and petroleum
companies, along with universities and even state governments.

The bulk of compromised accounts come from
banking/financial services and are the most expensive, averaging $70.91.
Surprisingly, second place goes to access to antivirus programs,
averaging $21.67.

When it comes to geographic spread, US-based accounts are
the most sought after, followed by Canada, Australia, the United Kingdom, and
Germany.

In total, more than 15 billion leaked credentials were
identified in the wild, out of which 5 billion seem completely unique.

Data Leak on Online Gambling App puts Millions of Users at Risk of Cyber Attacks

A massive data leak discovered on the technical database of popular casino gambling app Clubillion exposed daily activities and personally identifiable information of millions of users, according to vpnMentor researchers.

Housed on a misconfigured Elasticsearch engine, the unprotected database recorded up to 200 million records per day (50GB), including details of technical activity of Android and iOS users around the globe.

According to the investigators’ report, “every time an individual player took any action on the app, a record was logged.” These actions include:

• Entering a game
• Game status (win or lose)
• Creating or updating an account

Various forms of personal identifiable information (PII) were also up for grabs, including IP and email addresses, winnings and private messages.

The data leak impacted users from nearly every continent, and some countries revealed higher user activity. For example, average daily users exceeded 10,000 for the U.S., 7,700 for Canada, 6,200 for Australia, and 3,800 for Brazil.

The breach was discovered on March 19, and public access was closed off on April 5, after researchers contacted Amazon Web Services.

The Impact

Researchers emphasized that “free gambling and gaming apps are especially prone to attacks and hacking from cybercriminals” that go after the private information of users or embed malicious software to access users’ devices.

“If cybercriminals used Clubillion to embed malware or similar onto a user’s phone, they could potentially hack other apps, access files stored on the device, make calls, and send texts from the hacked device,” researchers said. “Worse still, as people across the globe now find themselves under quarantine or self-isolation, as a result of the Coronavirus pandemic, the impact of a leak like this is potentially even more significant.”

With the leaked information, an attacker could target users with phishing campaigns that could lead to further data and financial exposure.

The developers also risk losing millions of players, and since many Clubillion users reside within the EU, Europe’s privacy watchdog could issue a hefty fine for the app’s publishers.

Researchers also speculate a grim outcome for the app. “Clubillion could potentially be removed from Google Play and the App Store. Both Apple and Google are clamping down on apps that pose a risk to their users, removing apps embedded with malware, and taking data leaks much more seriously.”

Summer security tips for surfing the Internet

Cybercriminals thrive during the holidays, and this summer will be no exception. The rise in cyberattacks has become a prime worry for governments and companies around the world, and while many of us look forward to booking a summer break and taking our mind off the pandemic, bad actors are setting the trap for a new wave of vacationers.

Even if a traditional summer holiday seems unlikely for many, the fact that many countries are easing their COVID-19 lockdowns has stirred our anticipation of some fun in the sun, away from the hustle and bustle of the big city.

However, the prospect of a well-deserved holiday may cloud our judgement, making us vulnerable to attacks that can do far more than cut our vacation short by draining our bank account.

Whether you’re planning a staycation or travelling abroad, some preventive measures can help prevent you and your devices from becoming the next target.

Think cybersecurity when booking your holiday

Scammers always do their homework, and a post-COVID-19 holiday surge offers the perfect hunting ground. If you’re just leafing through some last-minute bookings for your holiday, keep a lookout for fraudulent posts and listings used to promote vacation scams.

If you plan to visit a new place closer to home, or to rent an RV to roam the countryside, make sure to check official and trustworthy websites. Avoid too-good-to-be-true offers, and don’t purchase any holiday offers you receive via cold calls, email or text messages.

Most of these fake listings lead would-be holidaymakers to sophisticated-looking websites that usually include a customer service chat function.

However, they are designed to steal your personal and financial information. Always double-check the validity of the offer, and if you are required to pay via bank transfer into an individual’s account, take your business elsewhere.

Brush up on good cyber hygiene before departure

So, you’ve managed to find and book your holiday destination this year. While packing your flip-flops, sunscreen and other necessities, dedicate some time to prepare the devices you will be taking with you on holiday. Your Internet-enabled devices are susceptible to attacks, so check whether your devices and apps are running the latest updates.

Protecting your online accounts should be a top priority both at home and on the go. Set strong, unique passwords for all of your online accounts prior to departure, and back up your data. Should you be targeted by a ransomware attack, you won’t have to pay a ransom demand to access your personal files.

Don’t forget to install a local cybersecurity solution and VPN on your devices. Although we don’t always bring our laptops on vacation, smartphones and tablets are forever present, and often overlooked when it comes to security solutions. A VPN will protect your online activity from prying eyes and keep your transactions safe. These small oversights can cut your vacation short, and you might end up with more than you bargained for.

Remaining cyber-safe at destination

Arrived at your final summer destination and you’re ready to unwind? Great. However, don’t take a break from cybersecurity. Threat actors love to set up shop during the summer months, when we go on holiday, and they never take time off from crime.

Free public Wi-Fi can be terribly tempting, but, more often than not, it’s left unsecure, exposing your personal information to hackers. Don’t transmit or make purchases on unsafe Wi-Fi networks in local cafes, restaurants or hotel lobbies, as these networks can easily be spoofed by cybercriminals, and used to steal data such as passwords, documents and financial data.

It’s also a good idea to disable the auto-connect to wireless networks or Bluetooth devices on your smartphone or tablet, and avoid online shopping or transactions while on holiday, especially if you are connected to a public Wi-Fi network. If online banking can’t be avoided, use your mobile data, and turn on the VPN.

Think twice before posting on social media. We all love sharing our trip updates and pictures, but cybercriminals can monitor our social media content, and even attempt to steal directly from our homes. Consider posting your vacation memories when you return from your trip, and if you need to keep your family members updated, use the private message function or other means of communications.

Last but not least, avoid any shared computers you might find at the house rental, hotel or coffee shop. You are free to browse the internet, but don’t make any purchases or log in to your email or other online accounts.

2020 is on Track to Hit a New Data Breach Record

We’re just halfway through the year, and 2020 is on track to set a new data breach record. The new year started off on the wrong foot, with the coronavirus wreaking havoc across the world, creating the perfect storm for cybercrime to flourish. From healthcare institutions, tech, software, social media and meal delivery companies, cybercriminals have targeted every industry, stealing billions of records.

Around 16 billion records have been exposed so far this year. According to researchers, 8.4 billion were exposed in the first quarter of 2020 alone, a 273% increase from the first half of 2019, which saw only 4.1 billion exposed.

What Changed?

While the number of publicly reported breaches in Q1 2020 decreased by 58% compared to 2019, the coronavirus pandemic gave cybercriminals new ways to thrive. Phishing scams skyrocketed as citizens self-isolated during the lockdown, and social-engineering schemes defrauded Internet users of millions.

However, the surprising decline in disclosed breaches is no cause to celebrate. The lack of disclosure can also be attributed to confusion brought on by the pandemic.

The rise in compromised records was driven by one infamous breach, a misconfigured ElasticSearch cluster that exposed over 5 billion records, including hash types, leak dates, passwords, email addresses, email domains and leak sources.
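Both the Clubillion leak described earlier on this page and the five-billion-record cluster in this paragraph share the same root cause: an Elasticsearch node that was reachable from the Internet without authentication. As an added example, not vpnMentor’s, Bitdefender’s or the page’s code, the script below audits an `elasticsearch.yml` for exactly that combination. The two configuration fragments are constructed. The setting names are real Elasticsearch settings: `network.host` decides which interfaces the node listens on (the default binds loopback only), `xpack.security.enabled` turns authentication on, `xpack.security.http.ssl.enabled` controls TLS on the REST port, and `xpack.security.authc.anonymous.roles` grants roles to unauthenticated callers. Treating a missing `xpack.security.enabled` as “off” is an assumption that matches releases before 8.0, where that was the default; 8.x enables security automatically.

```python
"""Audit an elasticsearch.yml for the exposed-without-authentication pattern.

Added example, not from the page. Configuration fragments are constructed.
"""
from typing import Dict, List

# Values of network.host that keep the node on the local machine only.
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat 'dotted.key: value' form elasticsearch.yml uses.

    Comments (everything after '#') and blank lines are dropped; quotes around
    values are removed. Nested YAML blocks are out of scope for this check.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings: List[str] = []

    # network.host may be a single value or a YAML flow list like [_local_, 10.0.5.12].
    host = s.get("network.host", "_local_")
    hosts = {h.strip().strip("'\"") for h in host.strip("[]").split(",")}
    exposed = not hosts <= LOOPBACK_VALUES

    # Assumption: absent means disabled (pre-8.0 default).
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if exposed and not security_on:
        findings.append(
            f"node listens on {host} with xpack.security.enabled off: anyone who can "
            "reach the HTTP port can read, modify and delete every index")
    if exposed and security_on and not tls_on:
        findings.append(
            "authentication is on but HTTP TLS is off: credentials and data cross the "
            "network in clear text")
    anon_roles = s.get("xpack.security.authc.anonymous.roles")
    if anon_roles:
        findings.append(f"anonymous requests are granted roles: {anon_roles}")
    return findings


# Constructed: the kind of configuration that produces the leaks in the article.
WEAK_CONFIG = """
cluster.name: gaming-analytics
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
# no xpack.security.* settings at all
"""

# Constructed: the corrected equivalent for the same cluster.
HARDENED_CONFIG = """
cluster.name: gaming-analytics
network.host: 10.0.5.12        # internal interface only; firewall still required
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_elasticsearch(cfg) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately conservative: binding to a private address is still reported as “exposed” when security is off, because a node reachable from the corporate LAN without a password is one misconfigured firewall rule away from the situation the article describes.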

As we’ve reached the half-year mark, more and more data breaches have been revealed, and here are some noteworthy ones:

Online dating

The personal data of millions of users has been exposed on various online dating apps, creating multiple possibilities for targeted attacks and extortion. MobiFriends was attacked in May, and hackers stole nearly 3.7 million records containing dates of birth, gender, website activity, mobile numbers, usernames, email addresses and MD5 hashed passwords.

Additionally, a bundle of dating apps were found leaking 845GB of sensitive data, with over 20 million files containing photos, usernames and financial data.

Hospitality and travel industry

In March, hospitality giant Marriott confirmed a security incident that exposed personal information of 5.2 million guests. While the company said there is “no reason” to believe financial data was stolen, the attackers managed to swipe travel information, names, addresses and loyalty member data.

EasyJet also announced an attack on May 19 that exposed the personal details of 9 million customers. While the malicious actors accessed details of just 2,208 credit cards, exfiltrated travel details are enough for cyber criminals to deploy targeted phishing campaigns.

Telecommunications

A Virgin Media database was left unsecured for 10 months, exposing the personal information of 900,000 customers. While the data breach was not a result of a cyber-attack, anyone could have stumbled upon the database and viewed the names, phone numbers, emails, and home addresses of users.

Healthcare

The healthcare industry has been a prime target for cyber criminals this year, and ransomware attacks continue to plague medical facilities that focus on coronavirus research. In Q1, more than 100 incidents were reported, affecting more than 2.5 million individuals. Medical records are highly sought on the dark web, and the number of medical identity theft cases is expected to rise.

Personal information is not safe online. While most Internet users do not understand the importance and value of their data, cyber criminals do. According to University of Maryland researchers, hackers launch an attack every 39 seconds.

Bad actors have managed to create a profitable business, making millions by selling our personal identifiable information on dark web marketplaces, and according to a 2017 study, a new identity theft victim pops up every 2 seconds in the United States.

It’s true that some data breaches pose higher risks to victims, but cyber criminals can work wonders with miscellaneous data gathered from their intrusions. Human error plays a big part in data breach incidents, and if your information is still safe, your personal identifiable information will eventually be up for grabs.

We’re all part of this digital world, and we can’t always rely on companies to safeguard our data. Shift your focus to minimizing the side effects that can cripple you financially and emotionally.

Install a local security solution on your Internet-enabled devices, and don’t use the same password for all your online accounts. Avoid sharing too much information on social media platforms and be vigilant for phishing emails and unsolicited text or private messages.

Court Lets Microsoft Seize Web Domains Used in COVID-19 Phishing/BEC Scams and Fraud

A U.S. court order has allowed Microsoft to seize control of key domains controlled by fraudsters to halt criminal activity after an increase in scams targeting users of Office 365.

The U.S. District Court for the Eastern District of Virginia this week unsealed documents detailing a cat-and-mouse chase between Microsoft and a group of alleged state-sponsored fraudsters.

Originally observed by Microsoft’s Digital Crimes Unit (DCU) in December 2019, the group recently renewed its phishing techniques, switching from corporate messaging to scams exploiting the COVID-19 scare.

The civil case against the hackers produced a court order allowing the Windows maker to seize control of key criminal infrastructure. According to the announcement, the campaign appears to be state sponsored and targets business leaders with classic phishing and business email compromise (BEC) techniques.

“This malicious activity is yet another form of business email compromise (BEC) attack, which has increased in complexity, sophistication and frequency in recent years,” Microsoft says in a blog post.

But unlike the average phishing/BEC scam, in which attackers try to siphon credentials from the victim, this scheme goes for direct access to the victim’s Office 365 account.

“Once victims clicked on the deceptive links, they were ultimately prompted to grant access permissions to a malicious web application (web app),” Microsoft explains.

“Unknown to the victim, these malicious web apps were controlled by the criminals, who, with fraudulently obtained permission, could access the victim’s Microsoft Office 365 account,” the company says.

If successful, the attacker gained instant access to the victim’s email, contacts, notes and any content in the victims’ OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.
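The scheme Microsoft describes never touches the password: the victim signs in legitimately and then authorises an attacker-controlled application, so the place to catch it is the directory’s record of application consents rather than the sign-in log. As an added example, not Microsoft’s code or the page’s, the script below triages consent events and flags grants that match the pattern in the article. The event dictionaries are a constructed simplification of a directory audit record for a “Consent to application” activity; the field names (`activity`, `user`, `app_name`, `app_id`, `publisher`, `consent_type`, `scopes`) are assumptions, and a real export nests these fields differently. The permission names themselves are real Microsoft Graph delegated scopes.

```python
"""Triage OAuth application-consent events for signs of consent phishing.

Added example, not from Microsoft or the page. Event records are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Delegated Microsoft Graph permissions that hand an app the kind of access the
# article describes: mailbox, contacts, OneDrive and SharePoint content, plus
# offline_access, which yields a refresh token that outlives the sign-in session.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "offline_access",
}


@dataclass
class ConsentFinding:
    user: str
    app_name: str
    app_id: str
    risky_scopes: List[str]
    reasons: List[str] = field(default_factory=list)


def assess_consent(event: dict, trusted_publishers: Set[str]) -> Optional[ConsentFinding]:
    """Return a finding when a consent grant deserves review, otherwise None."""
    if event.get("activity") != "Consent to application":
        return None
    scopes = set(event.get("scopes", "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    reasons: List[str] = []
    if risky:
        reasons.append("requests high-risk delegated permissions")
    if event.get("publisher") not in trusted_publishers:
        reasons.append("publisher is not on the organisation's allow-list")
    if event.get("consent_type") == "User" and risky:
        # Admin consent passes through a review step; an end user granting
        # mailbox access from a phishing link does not.
        reasons.append("high-risk grant approved by an end user rather than an admin")
    if not reasons:
        return None
    return ConsentFinding(event["user"], event["app_name"], event["app_id"], risky, reasons)


def triage(events: List[dict], trusted_publishers: Set[str]) -> List[ConsentFinding]:
    """Run assess_consent over a batch of audit records and keep the hits."""
    return [f for f in (assess_consent(e, trusted_publishers) for e in events) if f]


# Constructed sample: a benign admin consent to a vetted vendor app, a consent
# matching the article's pattern (lookalike "upgrade" app, unknown publisher,
# mailbox and file scopes, granted by the user), and an unrelated audit event.
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "user": "cfo@example.com",
     "app_name": "Expense Tracker",
     "app_id": "11111111-1111-1111-1111-111111111111",
     "publisher": "Trusted Vendor Ltd", "consent_type": "Admin",
     "scopes": "User.Read"},
    {"activity": "Consent to application", "user": "cfo@example.com",
     "app_name": "Office 365 Security Upgrade",
     "app_id": "22222222-2222-2222-2222-222222222222",
     "publisher": "Unverified", "consent_type": "User",
     "scopes": "User.Read Mail.ReadWrite Files.Read.All offline_access"},
    {"activity": "Update user", "user": "admin@example.com"},
]
TRUSTED_PUBLISHERS = {"Trusted Vendor Ltd"}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, TRUSTED_PUBLISHERS):
        print(f"{f.user} consented to '{f.app_name}' ({f.app_id}): {'; '.join(f.reasons)}")
        print("  risky scopes:", ", ".join(f.risky_scopes))
```

The allow-list of publishers is the part that needs local tuning; the scope list is the part that generalises, since any app that can read mail and files with a refresh token gives an attacker the same foothold whether or not it is the campaign in the article.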

The company advises Office 365 users to enable two-factor authentication on all business and personal email accounts and urges users to study up on devious phishing scams. Bitdefender also recommends using a trusted security solution on all personal devices.

US K-12 and Colleges Suffered 1,300 Data Breaches in 15 Years

More than 24.5 million records belonging to K–12 school districts and colleges in the United States have been hit by around 1,300 data breaches since 2005, according to a new report from Comparitech.

Not all data breaches are intentional, or the work of attackers. In fact, data breaches often stem from carelessness, with people compromising the security of private data in the most ludicrous ways, ranging from simply adding the wrong name to an email chain to leaving large databases unattended in the wild. However, it turns out that hacking really is prevalent and accounts for more incidents than any other factor.

A new report from Comparitech looked at what states and types of schools were affected, and the results are somewhat surprising. Looking back 15 years, the researchers found that California was the state most affected, but Arizona follows closely when comparing the number of affected records.

Things have changed considerably in the past 15 years, and the US Department of Education has strengthened its requirements for data breaches in colleges and universities. The fact that any violation has to be reported has drastically increased the number of reports, but it also makes it clear that breaches might have been underreported for many years.

“The biggest year for breaches overall was 2008,” states the report. “In 2008, there were 135 breaches in total, accounting for 10.2 percent of all the breaches. It was also the biggest year for college data breaches, with 101 (10.2 percent) occurring then.”

“However, it wasn’t the biggest year for K–12 school data breaches. 2019 saw the biggest year for school data breaches with 60 in total.”

The study didn’t identify any patterns in the breaches, but some odd numbers do pop up, and the reason is not clear. For example, Wyoming is the only state to have had no known or reported K–12 or college data breaches over the last 14 years, which raises suspicions.

Out of all the breaches, 77.7% occurred in a public school or college, which means that private institutions seem to be less affected. The biggest incident occurred in 2013 at the Maricopa County Community College District, with 2.49 million records affected.

Finally, the breaches themselves have various vectors: 43.8% were the result of hacking, 25.7% were unintentional disclosures by the institutions, thefts accounted for 13.8%, and data accessed by unauthorized personnel accounted for only 5.8% of the incidents.

North American Renewable Energy Giant Confirms Data Breach After its Parent Company Discloses Ransomware Attack

EDP Renewables North America (EDPR NA) has recently confirmed a ransomware attack that affected the system of its parent company Energias de Portugal (EDP).

According to a letter sent to customers, the attack took place April 13, and it appears that the cyber criminals were able to gain access to some information stored on EDPR NA’s information systems. The North American renewable energy giant emphasized that it only became aware of the unauthorized access to its network systems on May 8, and since then, “has worked diligently and on an expedited basis to identify the individuals potentially affected by this incident.”

The cybercriminals had left a ransom note on EDP’s system asking for more than $10 million (1,580 Bitcoins) in return for a decryption key to restore over 10 TB of allegedly stolen data.

“We gathered the most sensitive and confidential information about your transactions, billing, contracts, client and partners” the ransom note said. “And be assure that if you wouldn’t pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links. So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.”

EDPR NA said there is no evidence that the cyber thieves accessed personal information of their clients, such as full names and Social Security numbers. However, as a precaution they are offering a free 12-month membership for identity protection services to their customers.

“EDPR NA has no evidence that the attackers accessed your personal information,” the letter sent by CEO Miguel Angel Prado reads. “However, we are notifying you out of an abundance of caution because EDPR NA has in its information systems some of your personal information, including your name, and Social Security number. We maintain this information in order to make payments to you under the terms of your lease. We do not maintain any of your other personal information, such as your driver’s license number or credit or debit card information.”

Kazakh Hacker Known as ‘fxmsp’ Faces 45 Years Behind Bars

A prolific Kazakh hacker known as ‘fxmsp’ has been charged with several US federal crimes for allegedly hacking the computer networks of a broad array of entities, including businesses, educational institutions, and governments throughout the world, the U.S. Department of Justice (DOJ) has announced.

The 37-year-old, whose real name is Andrey Turchin, has allegedly been linked to numerous high-profile data breaches, ransomware attacks, and other cyber crimes, according to the DOJ. His victims include big corporations listed in the Fortune 500. From the press release:

“According to the five-count indictment and records on file, from at least October 2017 through the date charges were returned by a Grand Jury, in December 2018, TURCHIN and his accomplices perpetrated an ambitious hacking enterprise broadly targeting hundreds of victims across six continents, including more than 30 in the United States. Widely known in hacking circles by the moniker ‘fxmsp,’ TURCHIN employed a collection of hacking techniques and malicious software (malware) to gain and maintain access to victim networks. For instance, he often used specially designed code to scan the Internet for open Remote Desktop Protocol (RDP) ports and conduct brute-force attacks to initially compromise victim networks. Once inside the victim’s system, he moved laterally throughout the network and deployed additional malicious code to locate and steal administrative credentials and establish persistent access. The conspirators often modified antivirus software settings to allow malware to continue to run undetected.”
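The initial-access technique the indictment describes, password guessing against Internet-facing RDP, is loud in the Windows Security log: every failed attempt is an event 4625 with logon type 10 (RemoteInteractive), and the attacker’s eventual success is a 4624 from the same source address. As an added example, not from the DOJ release or the page, the script below implements that detection over constructed events: a sliding window counts RDP failures per source address, raises a medium-severity alert when a burst crosses a threshold, and a high-severity alert when a successful RDP logon from that address follows the burst. The event IDs and logon type are real; the flat dictionary shape of each event is an assumption standing in for whatever a log pipeline produces from the Security channel.

```python
"""Detect RDP password-guessing bursts and success-after-burst in Security log events.

Added example, not from the page. All events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / RDP)
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def detect_rdp_bruteforce(events: List[dict], threshold: int = 10,
                          window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return alerts for sources with >= threshold RDP failures inside the window,
    and a higher-severity alert when an RDP success from that source follows."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue  # console, network and service logons are handled elsewhere
        ts = datetime.fromisoformat(ev["time"])
        src = ev["src_ip"]
        q = recent_failures[src]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["event_id"] == FAILED_LOGON:
            q.append(ts)
            if len(q) == threshold:  # fire once, as the threshold is crossed
                alerts.append({"severity": "medium", "type": "rdp_bruteforce",
                               "src_ip": src, "failures": len(q), "at": ev["time"]})
        elif ev["event_id"] == SUCCESSFUL_LOGON and len(q) >= threshold:
            alerts.append({"severity": "high", "type": "rdp_success_after_bruteforce",
                           "src_ip": src, "user": ev["user"], "failures": len(q),
                           "at": ev["time"]})
            q.clear()  # the burst has been reported; start counting afresh
    return alerts


def build_sample_events() -> List[dict]:
    """Constructed log: 12 RDP failures in under three minutes from one address,
    cycling through likely account names, then a success for 'svc_backup';
    two stray failures from a second address; one non-RDP failure to be ignored."""
    base = datetime(2020, 7, 6, 2, 15, 0)
    events: List[dict] = []
    guessed_users = ["administrator", "admin", "backup", "svc_backup"]
    for i in range(12):
        events.append({"time": (base + timedelta(seconds=15 * i)).isoformat(),
                       "event_id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE,
                       "src_ip": "203.0.113.7", "user": guessed_users[i % 4]})
    events.append({"time": (base + timedelta(minutes=3, seconds=5)).isoformat(),
                   "event_id": SUCCESSFUL_LOGON, "logon_type": RDP_LOGON_TYPE,
                   "src_ip": "203.0.113.7", "user": "svc_backup"})
    for i in range(2):  # a user mistyping a password twice is not a burst
        events.append({"time": (base + timedelta(minutes=1, seconds=i)).isoformat(),
                       "event_id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE,
                       "src_ip": "198.51.100.4", "user": "jdoe"})
    events.append({"time": (base + timedelta(minutes=2)).isoformat(),
                   "event_id": FAILED_LOGON, "logon_type": 3,  # network logon
                   "src_ip": "203.0.113.7", "user": "admin"})
    return events


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(build_sample_events()):
        print(alert)
```

The high-severity alert is the one worth paging on: it is the moment the indictment’s “initially compromise victim networks” step succeeds, and the account named in it is the first thing to lock. The threshold and window are deliberately parameters, because the right values depend on how many legitimate users reach the host over RDP at all.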

According to the indictment, authorities believe Turchin didn’t act alone. Together with his co-conspirators, he allegedly marketed and sold the network access on the dark web, charging as much as $100,000 in some cases. He even allowed prospective buyers to “sample” the network access for a limited period to test the quality and reliability of the hack.

Turchin is charged with conspiracy to commit computer hacking, two counts of computer fraud and abuse (hacking), conspiracy to commit wire fraud, and access device fraud. The FBI Seattle Office is actively investigating Turchin’s case. If found guilty of all the allegations, he is looking at 45 years behind bars.
