Hidden Code Suggests Apple Will Offer Standalone Security Updates to iDevices

New code strings in the latest iOS betas indicate that Apple Inc plans to begin treating customers to out-of-band security updates starting with the next release of its mobile operating systems for iGizmos.

To stay on top of the latest security fixes, iPhone and iPad users today must download the latest version of the full iOS / iPadOS designated for their hardware. Starting with iOS 14.5, however, that might change.

Code strings spotted in the latest iOS 14.5 beta by the Apple news site 9to5mac indicate that iPhone and iPad users will soon be able to fetch the latest security patches without installing a full version of their devices’ operating system.

A recent example of such an update is iOS 14.4.1, which Apple expressly shipped on March 8 to patch a security hole in WebKit. In the future, such an update may be released as a smaller package and labeled as a security update, rather than as a whole new iOS version.

Whether this will happen starting with the public release of iOS 14.5 remains to be seen, but the code references inside the latest iOS beta indicate that Apple plans to implement the change sometime soon.

The tech giant already does this on the desktop front – macOS users can selectively download and install just the security fixes they lack, leaving their OS version intact. If Apple replicates this scheme on the mobile front, iDevice owners can keep using older hardware while still receiving security support from Cupertino, California – a welcome move from a company often accused of planned obsolescence.

Apple has been making considerable efforts on the privacy and security front in recent times. For example, the latest version of the Safari browser for iPhones and iPads sports a feature called Fraudulent Website Warning, displaying a warning if you visit a website suspected of phishing.

Starting this year, registered Apple developers selling software on the App Store will need to provide information about their privacy practices, including the practices of partners whose code they integrate into their app. This information is required to submit new apps as well as app updates.

The same goes for data collection practices:

“Starting with the beta versions of iOS 14.5, iPadOS 14.5, and tvOS 14.5, you’ll be required to ask users for their permission to track them across apps and websites owned by other companies,” Apple states on its Developer portal.

As of yet, there is no official launch date for the public version of the update. However, with five developer betas under its belt, the new installment should be in users’ hands relatively soon.

Celebrity Twitter hacker agrees to three-year prison sentence

  • Hacker exploited access to Twitter’s internal tools to post scam from high profile accounts
  • Elon Musk, Joe Biden, Barack Obama, Apple, and Uber amongst accounts exploited

A teenager who hacked into the Twitter accounts of the rich and famous in an attempt to trick millions of their followers into a cryptocurrency scam will spend three years in prison as part of a plea agreement with prosecutors.

Graham Ivan Clark, of Tampa, Florida, was arrested last year following the hack of Twitter accounts belonging to the likes of Bill Gates, Elon Musk, Barack Obama, Joe Biden, Kanye West, and others.

The scam attempted to trick potential victims into moving Bitcoin into a cryptocurrency wallet with the “promise” that they would receive more in return.

It seems too good to be true, and of course it was too good to be true. But because the messages were posted by the real, genuine, verified accounts of high profile figures and popular brands there was a good chance that some people would have been tempted.

Clark, who was 17 years old at the time, is said to have managed to raise Bitcoin worth over $117,000 through the scam.

Twitter subsequently described how the hackers had gained access to the accounts after targeting a small number of its employees with what it described as a “phone spear phishing attack.”

“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.”

Alarmingly, it was reported that over 1000 Twitter staff and external contractors had access to internal systems that allowed access to any Twitter accounts, with the power to post messages and reset passwords.

In other words, a large number of Twitter workers with access to highly sensitive tools were potential high-value targets for attackers to single out and then impersonate.

Even following his apprehension by the authorities, Clark continued to make the headlines. An online court appearance was gatecrashed by Zoom bombers who streamed 15 seconds of an x-rated porn movie before the judge was able to kick them out.

Due to Clark’s age at the time of the offence, he has been sentenced to three years in a juvenile detention facility, with a further three years of probation during which his use of email accounts, digital devices, and social media profiles will be strictly monitored. He has already served 7.5 months in a facility since his arrest.

If Clark violates the terms of his probation he could be detained for much longer in an adult prison.

The cryptocurrency taken by Clark has been turned over to officials for purposes of restitution.

Two alleged accomplices of Clark – Mason “Chaewon” Sheppard of Bognor Regis, UK, and Nima “Rolex” Fazeli of Orlando, Florida – have also been charged in relation to the attack.

Have you been Zynged? Who’s playing with your data even after you changed your breached credentials?

Fact: Zynga, the California-based social game developer, suffered a major data breach in 2019 when a malicious actor stole 218 million records belonging to “Words With Friends” players. The attacker managed to steal the names, email addresses, usernames, hashed passwords (salted), associated phone numbers, linked Facebook IDs and any requested password reset tokens.

If you were a victim of the Zynga data breach, you’ve probably changed the password for your account already. But have you considered resetting the passwords for any online accounts with similar login credentials?

Why changing only the breached credentials is not enough

Users who sign up on the platform mainly provide their personal information directly during the setup process. This information includes names, usernames, gender, birth date, email address and profile photo. However, once engaged on the platform, users may further expand their profile information by:

  • linking to their social media networks
  • adding a phone number
  • setting game preferences
  • participating in message boards and forums
  • sending or receiving game invitation requests
  • using the chat feature
  • other user-generated content

Financial information provided when purchasing in-game cosmetics and upgrades is processed via third-party applications or platforms and is not stored directly by Zynga, but the developer may still receive non-financial information about purchases, such as your name and a list of the items you buy.

Additional technical information about the devices you use in your online gaming sessions may also be collected and analyzed. These data sets may include IP addresses, operating systems, browser type, game time and web page interactions.

In other words, collecting your data is a process in which you are more directly involved than you might think.

Although people have become increasingly aware of data collection and willingly give out their personal information, they may not fully comprehend the extent to which, and the ways in which, their data is stored and analyzed for profit.

It may seem a reasonable and straightforward exchange to benefit from services at first. However, as long as data-driven environments exist, their risk of becoming a target for malicious actors increases sevenfold.

Social networking and online gaming platforms are prime targets due to the customer-rich data environment fostered by millions of new and existing users.

Protect your info by upgrading your privacy standards

The widespread adoption of data analytics and data mining on online platforms certainly leaves room for debates over user privacy and security risks. Like any user, we expect the information we share to be kept safe. But we can’t always rely on companies to protect our data for various reasons, including human error.

Wherever your online activities take you, it’s vital to brush up on good digital practices. Whenever a data breach exposes names, email addresses and phone numbers, users may become targets of phishing and scams.

Always be suspicious of any message requests and unsolicited correspondence you receive — via any means of communication.

If you were a victim of the Zynga data breach, you’ve probably changed the password for your account already. But have you considered resetting the passwords for any online accounts with similar login credentials?

As an extra security-focused step, create a separate email address to use when signing up to an online gaming platform, and avoid linking with your social media accounts, and adding your phone number where possible.

Check if your personal info has been stolen or made public on the internet, with Bitdefender’s Digital Identity Protection tool. 

PYSA Ransomware Attacks Targeting Healthcare, Education and Government Institutions, FBI Warns

The Federal Bureau of Investigation has issued a flash alert warning of an increase in PYSA ransomware attacks targeting government entities, educational institutions, private companies and the healthcare sector in the US and the UK.

PYSA, also known as Mespinoza, is capable of exfiltrating and encrypting critical files and data, with the criminals specifically targeting higher education, K-12 schools and seminaries, the bureau warns.

“These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments,” according to the advisory.

The FBI has been tracking PYSA ransomware attacks “by unidentified cyber actors” against US and foreign government entities, educational institutions, private companies and the healthcare sector for over a year.

The group typically gains access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing emails, the FBI notes. The cyber actors conduct network reconnaissance and execute commands to deactivate antivirus capabilities on targeted systems before deploying the ransomware.

“The cyber actors then exfiltrate files from the victim’s network, sometimes using the free opensource tool WinSCP5, and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users,” according to the advisory.

The document describes various indicators of compromise and offers a list of flagged domains associated with this malicious activity.

The notice also includes mitigation steps like:

  • Regularly back up data, air gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released. Use multifactor authentication where possible.

… and others.

In typical fashion, the FBI does not encourage paying ransom, as “payment does not guarantee files will be recovered [and] may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

However, the bureau says it “understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers.”

Whatever victims choose to do, the FBI urges them to report ransomware attacks to their local field office or the FBI’s Internet Crime Complaint Center (IC3) at https://ic3.gov.

“Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law,” the agency notes.

Sky Global’s Criminal Secure Network Taken Down; Arrest Warrant Issued for CEO

The CEO of Sky Global and one of his associates received indictments and were charged with conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO).

Sky Global is the developer of sophisticated encryption and messaging software explicitly designed to prevent law enforcement from intercepting communication and retrieving data from criminals’ phones if they get caught. Moreover, the company could wipe devices remotely if police arrested their clients.

“There are at least 70,000 Sky Global devices in use worldwide, including in the United States,” says the US Attorney’s Office for the Southern District of California. “The indictment alleges that for more than a decade, Sky Global has generated hundreds of millions of dollars in profit by facilitating the criminal activity of transnational criminal organizations and protecting these organizations from law enforcement.”

The Office takes the allegation further, saying the company was founded specifically to help import, export and distribute heroin, cocaine and methamphetamines into Australia, Asia, Europe and North America, including the United States and Canada. The devices also presumably helped criminals launder money and obstruct investigations of drug trafficking and money laundering organizations.

Since the servers Sky Global used were in Canada and France, the operation was coordinated internationally.

“On March 10, 2021, Europol announced that judicial and law enforcement authorities in Belgium, France and the Netherlands had wiretapped Sky Global’s servers and monitored hundreds of millions of messages by Sky Global’s users,” the press release states. “The European investigation resulted in hundreds of arrests, the seizure of thousands of kilograms of cocaine and methamphetamine, hundreds of firearms, and millions of Euros.”

Following the charges against Jean-Francois Eap, Sky Global’s Chief Executive Officer, and Thomas Herdman, a former high-level distributor of Sky Global devices, arrest warrants have been issued as well.

Half of Americans Experienced Identity Theft During COVID-19 Pandemic, New Study Shows

A new report uncovers a striking pervasiveness of identity theft perpetrated against U.S. consumers where half of respondents surveyed experienced such an occurrence during the pandemic.

Developed by Aite Group and underwritten by GIACT, the study found that 47% of U.S. consumers experienced identity theft between 2019 and 2020. And over the past two years, 37% of Americans experienced application fraud (i.e., the unauthorized use of one’s identity to apply for an account), and 38% experienced account takeover (i.e., unauthorized access to a consumer’s existing account).

Victims were dissatisfied with the assistance provided following an identity theft attack. 42% of those who experienced identity theft related to a fraudulent finance application, and 56% of those who experienced consumer loan application fraud said they were reluctant to keep using the services of the at-fault financial institution.

On average nearly one-third of surveyed consumers detected checking, credit or consumer loan fraud on their own. Less than a quarter were notified by their financial institution or by the financial institution where the fraudulent account was opened, according to the report. And nearly a quarter were notified by a collection agency on average.

“This report represents one of the most comprehensive recent reviews of identity theft and account takeover, and marks an inflection point for the industry,” said Shirley Inscoe, senior analyst for Aite Group’s Fraud & AML practice. “2020 not only saw an increased reliance on digital banking, payments and online accounts, but also increased rates of fraud. Without meaningful action taken by businesses, financial institutions and others, fraud will unfortunately continue to flourish. Education, along with the implementation of enhanced anti-fraud protections, is needed.” 

Researchers correlate the findings with a shift towards newer digital payments methods and accounts during the COVID-19 pandemic. In 2020, over one-third of those who used a new payment product or service (34%) or a new method of banking (37%) experienced identity fraud.

You can also check if your personal info has been stolen or made public on the internet, with Bitdefender’s Digital Identity Protection tool. 

New ‘DearCry’ Ransomware Targets Unpatched Exchange Clients as Microsoft Takes Down ‘ProxyLogon’ PoC

Ransomware operators are actively targeting unpatched Exchange instances in wake of the recently disclosed ProxyLogon Exchange Server flaws, according to reports.

Phillip Misner, a Security Program Manager with Microsoft, tweeted earlier today that a new ransomware family is leveraging the latest-disclosed Exchange vulnerabilities.

“Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers,” Misner wrote.

Microsoft’s Security Intelligence account also tweeted, “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers.”

Dubbed DearCry, the new ransomware strain has touched Exchange servers from the United States, Canada, and Australia. A scan conducted by a Dutch non-profit reveals that 46,000 of a total of 250,000 Exchange servers were still unpatched and exposed to attacks as of March 9, according to Catalin Cimpanu reporting for The Record.

In wake of reported attacks, the US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI this week released a joint advisory urging organizations to take steps towards mitigating the recent vulnerabilities.

The move follows the release of a proof-of-concept (PoC) for exploiting said flaws.

Microsoft took down the PoC from GitHub, to the dismay of some researchers, arguing that it could facilitate ongoing attacks.

“We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe,” a spokesperson said in an email exchange with Vice reporters. “In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.”

CISA recommends that organizations examine their systems for the tactics, techniques and procedures (TTPs) documented in its advisory on the flaws, and use the indicators of compromise laid out there to detect any malicious activity.

With Proof-of-Concept Out, FBI & CISA Urge Organizations to Mitigate Microsoft Exchange Threat ASAP

The US Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have released a joint advisory urging organizations to take steps towards mitigating the recent Microsoft Exchange ‘ProxyLogon’ vulnerabilities.

Soon after Microsoft disclosed the existence of several chainable vulnerabilities in its Exchange products, CISA published granular guidelines that IT administrators could follow to detect potential intrusions. Microsoft, for its part, urged affected organizations to quickly patch their Exchange deployments, as attackers were already exploiting the flaws.

Now CISA and the FBI have joined forces to again press affected parties to review all available information so they can detect, protect against, and remediate this malicious activity.

“CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) to address recently disclosed vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack,” according to the notice up on us-cert.cisa.gov.

“CISA recommends organizations to review Joint CSA: AA-21-069 Compromise of Microsoft Exchange Server as well as the CISA Remediating Microsoft Exchange Vulnerabilities web page for guidance on detecting, protecting against, and remediating this malicious activity,” the agency notes.

The move follows the release of a proof-of-concept (PoC) for exploiting the vulnerabilities in question. The ‘ProxyLogon’ PoC combines the CVE-2021-26855 and CVE-2021-27065 vulnerabilities to authenticate on an Exchange server and run malicious code. Several security researchers have confirmed the PoC’s validity.

CVE-2021-26855 is a vulnerability on Microsoft Exchange Server that lets an attacker bypass authentication and impersonate the admin. Chained with another post-authentication arbitrary-file-write vulnerability – CVE-2021-27065 – the vulnerability can allow an attacker to perform remote code execution.

Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server, all tied to the ProxyLogon chainable attack scenario. The maker of Windows has also released a script that scans Exchange log files for indicators of compromise.

CISA recommends organizations examine their systems for the tactics, techniques and procedures described in its extensive library of resources documenting the flaws, and use the IOCs to detect any malicious activity.

“If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures,” CISA says.

FTC Urged to Enforce Rules That Protect User Health Data Shared with Fertility Apps

United States lawmakers urged the Federal Trade Commission (FTC) to exercise its authority and take action against menstruation-tracking mobile apps, which presumably violate the Health Breach Notification Rule by sharing the privately collected health data.

The Health Insurance Portability and Accountability Act (HIPAA) protects patients’ health information, but not all such information comes from the health industry. For example, people share private data with mobile apps, but HIPAA doesn’t cover that data. The Health Breach Notification Rule covers this situation, but there’s a problem:

While the Department of Health and Human Services’ Office for Civil Rights enforces HIPAA, the FTC enforces the Health Breach Notification Rule. Or at least it should, but that doesn’t seem to be the case for at least a couple of menstruation-tracking mobile apps. Congress took notice and asked the FTC to enforce the rule.

“The rule requires personal health record vendors to promptly notify users if an entity has acquired their identifiable health information without their authorization,” said Senator Bob Menendez, Congresswoman Bonnie Watson Coleman and Mikie Sherrill in a letter to the FTC. “The vendor must also notify the FTC, and, in the event of a large breach, notify local media outlets if a threshold number of consumers are impacted in a particular geographical area.”

The lawmakers say that, while the Health Breach Notification Rule has been active for more than a decade, the FTC has yet to enforce it against period-tracking apps that disclose personal health information to third parties without users’ authorization.

The letter singles out two recent cases in which the Flo and Premom apps shared customer data with Big Tech companies such as Facebook or Google without informing the users.

Malicious Actors Target Crypto Wallets of Coinbase Users in New Phishing Campaign

Cybercriminals are targeting Coinbase platform users with phishing campaigns in an attempt to steal their account credentials and drain their cryptocurrency wallets, Bitdefender Antispam Lab has learned.

According to our latest telemetry, the phishing campaign has been active since mid-February, targeting over 25,000 users. Sixty-nine percent of the fraudulent correspondence originated from India, 13.73 percent from Brazil and 2.33 percent from Japan.

When analyzing the final destination of the phishing emails, we noticed the following:

  • 54.72 percent reached users from South Korea
  • 12.53 percent reached users from Sweden
  • 7 percent reached users from Ireland
  • 6.78 percent reached users from Japan
  • 5.12 percent reached users from the United States
  • 2.81 percent reached users from Great Britain
  • 2.16 percent reached users from Canada

The crooks are attempting to dupe recipients into accessing a fake login URL to enter their username and password. In both versions of the scam, the threat actors send out fake notifications that warn recipients of unusual activity in their account, requiring immediate verification from users who wish to regain access to the platform.

“We recently detected an unusual activity on your coinbase account,” one of the fraudulent messages reads. “Unfortunately we had to suspend your coinbase in order to ensure the safety of your account.” “This suspension is temporary,” the message continues. “We will need some additional information to verify your identity, Please visit the verification form to complete your identity verification and regain access to your coinbase account.”

Sample 1: initial Coinbase phishing email

Sample 2: ongoing Coinbase phishing email

Sample 3: fake Coinbase login page

Throughout 2020 and beyond, fraudsters have sought financial gain by sending legitimate-looking emails that tempt victims to enter their account username and password or provide personally identifiable information.

The trend toward impersonating cryptocurrency trading platforms to steal user information is likely to continue throughout the year. Although this ongoing phishing exercise does not include a malicious payload that could expose recipients to additional threats or file-encrypting ransomware, threat actors may continue to fine-tune their tactics.

What should victims do?

If you’ve already received such a fraudulent email, make sure to delete it. If you’ve submitted your account login information, head to the official website and change the password immediately and enable the two-factor authentication feature to add an additional security layer.

The Coinbase platform also gives you ways to recover or temporarily disable your account in case of compromise. As always, immediately change the passwords for all online accounts that share the same email and password combination (although reusing credentials for multiple accounts is something that’s not usually recommended) to avoid further compromise and account takeover.

Be wary of unsolicited correspondence and double-check page URLs before signing in. The use of industry jargon, official logos, and even similar email addresses does not guarantee an email is legitimate. Take your time to assess the message and the reason behind it. Don’t be tempted to immediately respond or access a link, even if you’re advised to do so under the threat of consequences such as account closures. Go to the official website directly from your browser, log in and look for any associated account notifications.
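The checks in the advice above (sender address versus the brand it claims, where the links actually lead, and the pressure language of the lure) can be turned into a small triage routine. The following is an added example and is not code from the article or from Bitdefender Antispam Lab; the sample messages are constructed to mirror the lure quoted above, the domain `coinbase-verify.example` is a placeholder rather than an observed indicator, and the allow-list of legitimate brand domains is an assumption for the example.

```python
"""Heuristic triage of a suspected brand-impersonation phishing email.

Added example, not part of the original article or of Bitdefender's tooling.
The sample messages below are constructed; the sender and link domains in the
phishing sample are placeholders, not indicators from the real campaign.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand being impersonated and the domains it legitimately sends from and
# links to (assumption for this example).
BRAND = "coinbase"
LEGIT_DOMAINS = {"coinbase.com"}

# Pressure phrases typical of account-suspension lures, taken from the
# message quoted in the article plus a common variant.
URGENCY_PHRASES = ("unusual activity", "suspend", "verify your identity", "regain access")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the .com-style hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_message: str) -> dict:
    """Return the findings that make a message look like brand impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = []

    # 1. The display name claims the brand, but the address is not on a brand domain.
    if BRAND in display_name.lower() and registrable_domain(from_domain) not in LEGIT_DOMAINS:
        findings.append(f"display name claims {BRAND} but From domain is {from_domain}")

    # 2. Replies are routed to a domain other than the one the mail came from.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Links in the body lead to hosts outside the brand's domains.
    off_brand_hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in LEGIT_DOMAINS:
            off_brand_hosts.add(host)
    if off_brand_hosts:
        findings.append("links to non-brand hosts: " + ", ".join(sorted(off_brand_hosts)))

    # 4. Urgency / suspension language pushing the reader to act immediately.
    lowered = text.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))

    # Two independent signals are required before the message is called suspicious.
    return {"from": from_addr, "suspicious": len(findings) >= 2, "findings": findings}


# Constructed sample mirroring the lure quoted in the article (placeholder domains).
SAMPLE_PHISH = """\
From: Coinbase Support <support@coinbase-verify.example>
Reply-To: helpdesk@mail-reply.example
To: user@example.org
Subject: Unusual activity detected on your account
Content-Type: text/plain; charset=utf-8

We recently detected an unusual activity on your coinbase account.
Unfortunately we had to suspend your coinbase in order to ensure the safety
of your account. Please visit the verification form to regain access:
https://login.coinbase-verify.example/verify
"""

# Constructed benign sample: brand domain in both the sender and the link.
SAMPLE_LEGIT = """\
From: Coinbase <no-reply@coinbase.com>
To: user@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://www.coinbase.com/ once you sign in.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(raw)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The routine deliberately requires two independent signals before flagging a message, so a legitimate notice that happens to use the word "suspend" is not flagged on language alone; in a real mail pipeline the domain allow-list would come from the brand's published sender policy rather than a hard-coded set.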

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab.
