Cyber Attacks and Hacking

[RTH10260]

UK

‘A 22-carat disaster’: what next for British Library staff and users after data theft?
Progress made on restoring access after cyber-attack but there have been complaints of poor communication

Harriet Sherwood
Mon 15 Jan 2024 16.55 CET

It holds items dating from 1300BC to the present day, ranging from early manuscript copies of Homer’s Iliad to handwritten lyrics of Beatles songs including The Fool on the Hill and Yesterday.

Scholars, researchers, authors and students all use its facilities and archives, housed in a monolithic building in King’s Cross in central London and a second reading room in Boston Spa, Yorkshire.

But for the past 11 weeks, the British Library has been crippled by a major cyber-attack that shut down most of its services. Personal data of staff and “readers”, as its regular users are known, was stolen by the hackers and offered for sale on the dark web.

Readers have been subjected to difficulties and delays as staff have been forced to locate books, manuscripts and other items manually. Items held at the Boston Spa site – about a quarter of its collection – cannot be delivered to London.

About 20,000 published authors who get 13p (up to an annual maximum of £6,600) each time their books are borrowed from libraries under a system managed by the British Library will have their payments delayed as a result of the attack.

The library has suspended a visiting fellowship programme for 2024 and 2025 that supports academics, authors, educators, journalists and researchers from all over the world, with awards of up to £3,000 to spend two to three weeks exploring its collections.

It has, according to Sir Roly Keating, the library’s chief executive, been a “sobering couple of months”.

It is also a financial calamity: the Financial Times estimates that the attack will cost the library up to £7m, which will be drawn from its £16.4m unallocated reserves. Keating said the library was “yet to confirm what the full costs will be”.

The first indication that something was amiss came in late October. In a post on X, the British Library said it was experiencing “technical difficulties” and that its public wifi was down. It expected the problems to “continue for the next few days”.

Two days later, on 31 October, the British Library revealed it had been the victim of a cyber-attack, although the enormity of the hack was not made public. But the library did disclose that its investigation was being supported by the National Cyber Security Centre (NCSC) and other cybersecurity specialists.

The hackers reportedly demanded a ransom payment of £600,000, which the library declined to pay.

In late November, the library confirmed that personal data had been stolen in the attack and had appeared online, apparently for sale to the highest bidder.



https://www.theguardian.com/books/2024/ ... s-analysis

[RTH10260]

British Library begins restoring digital services after cyber-attack
UK’s national library apologises to researchers, saying full recovery could take until end of the year

Harriet Sherwood
Mon 15 Jan 2024 12.08 CET

The British Library is restoring online its main catalogue, containing 36m records of printed and rare books, maps, journals and music scores, 11 weeks after a catastrophic cyber-attack.

However, access is limited to a “read-only” format, and full restoration of services provided by the UK’s national library could take until the end of the year.

“Full recovery of all our services will be a gradual process,” Sir Roly Keating, the library’s chief executive, said in a blogpost last week.

He apologised that “for the past two months researchers who rely for their studies and in some cases of their livelihoods on access to the library’s collection have been deprived of it”.

Rhysida, a known ransomware group, claimed responsibility for the attack on 31 October. In November, the library confirmed some employee data had been stolen in the attack and was being offered for sale on the dark web.

The library’s main catalogue, an important tool for researchers around the world, has been inaccessible online since the hack.

Keating said: “Its absence from the internet has been perhaps the single most visible impact of the criminal cyber-attack … and I want to acknowledge how difficult this has been for all our users.”


https://www.theguardian.com/books/2024/ ... ber-attack

[keith]

My Croquet Club's facebook page, to which we pay almost ZERO attention, has been getting zillions (well, a dozen or so) messages from 'GUESTnnnn' telling us we've put up a illegal page and we're gonna be put into Facebook jail.

I know its a crude phishing attack, but does anyone know how to block these things?

[poplove]

My Croquet Club's facebook page, to which we pay almost ZERO attention, has been getting zillions (well, a dozen or so) messages from 'GUESTnnnn' telling us we've put up a illegal page and we're gonna be put into Facebook jail.

I know its a crude phishing attack, but does anyone know how to block these things?

I wish I knew as well. I run my ukulele club page and I've gotten a few of those notices by being tagged in a post. I report them as spam and block the account. Today I got a message from Guest7546 that said "iolation warning system" blah blah blah and I reported it as spam. But I really want to reply with "f*ck off!"

[RTH10260]

Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims

Jan 16, 2024
Newsroom Cryptocurrency / Cyber Threat

The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023.

The scheme "leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers' infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions," Singapore-headquartered Group-IB said in a report shared with The Hacker News.

Inferno Drainer, which was active from November 2022 to November 2023, is estimated to have reaped over $87 million in illicit profits by scamming more than 137,000 victims.

The malware is part of a broader set of similar offerings that are available to affiliates under the scam-as-a-service (or drainer-as-a-service) model in exchange for a 20% cut of their earnings.

What's more, customers of Inferno Drainer could either upload the malware to their own phishing sites, or make use of the developer's service for creating and hosting phishing websites, either at no extra cost or charging 30% of the stolen assets in some cases.

The DaaS tool gained popularity in the aftermath of the shut down of Monkey Drainer in March 2023, which also paved for the emergence of another short-lived drainer service called Venom Drainer.

Data compiled by Scam Sniffer shows that crypto phishing scams proliferating the drainer kits have cumulatively stolen $295.4 million in assets from about 320,000 users in 2023.

According to Group-IB, the activity spoofed upwards of 100 cryptocurrency brands via specially crafted pages that were hosted on over 16,000 unique domains.



https://thehackernews.com/2024/01/infer ... nbase.html

[RTH10260]

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

Jan 15, 2024
Newsroom Website Security / Vulnerability

Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector.

First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams.

Subsequent findings unearthed by Sucuri have revealed the massive scale of the operation, which is said to have been active since 2017 and infiltrated no less than 1 million sites since then.

The GoDaddy-owned website security company, which detected the latest Balada Injector activity on December 13, 2023, said it identified the injections on over 7,100 sites.

These attacks take advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with more than 200,000 active installs – that was publicly disclosed by WPScan a day before. The issue was addressed in version 4.2.3.




https://thehackernews.com/2024/01/balad ... -7100.html

[RTH10260]

State-backed Russian hackers accessed senior Microsoft leaders' emails, company says

JANUARY 20, 20241:22 PM ET
The Associated Press

BOSTON — State-backed Russian hackers broke into Microsoft's corporate email system and accessed the accounts of members of the company's leadership team, as well as those of employees on its cybersecurity and legal teams, the company said Friday.

In a blog post, Microsoft said the intrusion began in late November and was discovered on Jan. 12. It said the same highly skilled Russian hacking team behind the SolarWinds breach was responsible.

"A very small percentage" of Microsoft corporate accounts were accessed, the company said, and some emails and attached documents were stolen.

A company spokesperson said Microsoft had no immediate comment on which or how many members of its senior leadership had their email accounts breached. In a regulatory filing Friday, Microsoft said it was able to remove the hackers' access from the compromised accounts on or about Jan. 13.

"We are in the process of notifying employees whose email was accessed," Microsoft said, adding that its investigation indicates the hackers were initially targeting email accounts for information related to their activities.




https://www.npr.org/2024/01/20/12258357 ... ers-emails

[RTH10260]

Trello API abused to link email addresses to 15 million accounts

By Lawrence Abrams
January 23, 2024 04:31 PM 0

An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.

Trello is an online project management tool owned by Atlassian that is commonly used by businesses to organize data and tasks into boards, cards, and lists.

News of the Trello data leak came last week when a person using the alias 'emo' attempted to sell the data of 15,115,516 Trello members on a popular hacking forum.

"Contains emails, usernames, full names and other account info. 15,115,516 unique lines," reads the post on the hacking forum.

"Selling one copy to whoever wants it, message on me on-site or on telegram if you're interested."

While almost all of the data in these profiles is public, the email addresses associated with the profiles are not.

When BleepingComputer contacted Trello about the data leak last week, we were told that it was not collected by unauthorized access to Trello's systems but by scraping public data.

"All evidence points to a threat actor testing a pre-existing list of email addresses against publicly available Trello user profiles," Atlassian, the owner of Trello, told BleepingComputer last week.

"We are conducting an exhaustive investigation and have not found any evidence of unauthorized access of Trello or user profiles.

However, it appears that there was more to the story about how the threat actor was able to confirm the email addresses.



https://www.bleepingcomputer.com/news/s ... -accounts/

[Suranis]

https://www.forbes.com/sites/daveywinde ... 925c11ab58

Warning As 26 Billion Records Leak: Dropbox, LinkedIn, Twitter Named
Davey Winder
Senior Contributor
Veteran cybersecurity and tech analyst, journalist, hacker, author
Jan 23, 2024,08:15am EST

Security researchers have warned that a database containing no less than 26 billion leaked data records has been discovered. The supermassive data leak, or mother of all breaches as the researchers refer to it, is likely the biggest found to date.

01/23 updates below. This article was originally published on January 22.
Here’s What You Need To Know

According to researchers from Security Discovery and CyberNews, the newly discovered database of leaked data runs to 12 terabytes in size and deserves the MOAB title.

The research team thinks that the 26 billion record database, found on an open storage instance, will likely have been compiled by a malicious actor or data broker. “Threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts,” they say.

As well as data from Chinese messaging giant Tencent and social media outfit Weibo, records from users of platforms and services such as Twitter, Dropbox, LinkedIn, Adobe, Canva and Telegram is also to be found in this database. Worryingly, the researchers also say that records from an assortment of U.S. and other government organizations can be found.


If there is good news to be found in such a discovery, it is that little of this appears to be new data. Instead, the researchers say, it’s more a case of compiled records from thousands of previous breaches and data leaks. What’s more, there are undoubtedly a large number of duplicate data records within this compilation. The inclusion of usernames and password combinations does, however, still mean this is a cause for concern. I’d expect a surge, if current levels aren’t high enough, in credential stuffing attacks over the coming weeks as a result.

[RTH10260]

https://www.forbes.com/sites/daveywinde ... 925c11ab58

If there is good news to be found in such a discovery, it is that little of this appears to be new data. Instead, the researchers say, it’s more a case of compiled records from thousands of previous breaches and data leaks. What’s more, there are undoubtedly a large number of duplicate data records within this compilation. The inclusion of usernames and password combinations does, however, still mean this is a cause for concern. I’d expect a surge, if current levels aren’t high enough, in credential stuffing attacks over the coming weeks as a result.

extra highlighting the last paragraph

[RTH10260]

further to above

“Mother of All Breaches” Data Leak Pulls Together 26 Billion Records From Thousands of Prior Breaches

SCOTT IKEDA·
JANUARY 26, 2024

In recent months, the appearance of the massive “Naz.API” dataset in public circulation raised fears of a monster “combo file” that would pull together searchable information from all prior data leaks. It now appears that the “Mother of All Breaches” (MOAB) already exists, discovered by security researchers in an internet-facing open instance kept by an unknown party.

The 1.2 terabyte file is broken up into over 3,800 folders, each one representing a prior data leak that saw personal information or credentials make their way to the open internet. In total there are over 26 billion records. Because of the massive amount of information present, it is not yet entirely clear if the MOAB has never-seen-before data in its stores.

Centralized data leak collection was inevitable

The discovery comes from security researcher Bob Dyachenko of SecurityDiscovery.com and Cybernews, which is hosting a searchable list of the included breaches at its website.

However, it’s safe to assume that if a data leak took place in roughly the last 10 or 15 years you will find at least some of its contents in the MOAB. The sprawling archive contains an apparent combination of breaches of Tencent’s services that totals about 1.5 billion records, the 538 million Weibo leak that appeared on dark web forums in 2020, the 2016 leak of 316 million older Myspace passwords, the early 2023 leak of 281 million Twitter email addresses, and 251 million records from one of LinkedIn’s wave of breaches, among many other examples.

“Combo files” that bring these sorts of data leaks together for criminal convenience are nothing new, dating back to the appearance of the “Collection” files on the dark web in 2019 (if not before). This is by far the largest one yet encountered, however, at almost 10 times the size of the prior record-holder.

It was inevitable that someone would try to create a massive compendium of all of this illicit data floating around, but it remains unknown who was paying for the storage space for all of this and what their purpose was for it. The file does not appear to have been advertised on dark web forums or the usual gathering places for cyber criminals, but given that it was open to the internet it is unknown who else has accessed it.

Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal, notes that cyber criminals will necessarily become more organized as more pressure is applied to them: “Personal data can remain vulnerable for years, highlighting the need for continuous monitoring and updating of security protocols. Additionally, this event highlights the evolving nature of cyber threats. Cybercriminals are becoming more sophisticated, taking advantage of advanced techniques to aggregate and analyze data from multiple sources. This calls for a proactive approach to cybersecurity, where strategies and defenses are regularly reviewed and updated in response to the ever-evolving threats. Finally, it’s crucial for organizations to prioritize data protection and invest in comprehensive cybersecurity strategies. This includes awareness training, secure password managers, security audits, robust encryption, and incident response plans. Collaboration and information sharing between cybersecurity experts are also crucial in combating large-scale cyber threats.”



https://www.cpomagazine.com/cyber-secur ... -breaches/

[RTH10260]

NSA Confirms Purchasing Data on American Citizens’ Internet Behavior, Circumventing the Need for Warrants
Government agencies are always trying to find ways to get around the Fourth Amendment.

By Didi Rankovic
Posted 10:52 am

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net.

The NSA’s long history of often legally sketchy mass surveillance continues, despite some of the agency’s activities getting exposed more than a decade ago by whistleblower Edward Snowden.

Now, the National Security Agency has had to reveal, in response to a senator’s questions, that it is, as one report put it, “sidestepping” obtaining warrants first before it buys people’s information, put on sale by data brokers.

This came to light in an exchange of letters between Senator Ron Wyden and several top security officials.

And this time – because of NSA’s own interest being at stake – he has been able to reveal the information he obtained.

Wyden’s January 25 letter to Director of National Intelligence Avril Haines contained a fairly straight-forward request: US intelligence agencies should only buy American’s data “that has been obtained in a lawful manner.”

We obtained a copy of the letter for you here.

With the implication that something entirely different is happening, the senator went on to explain what: if these agencies went to communications companies themselves for the data, that would require a court order.

Instead, Wyden continued, they go the roundabout way to get information (like location data) taken from people’s phones – collected via apps, and finally ending up with commercial brokers, who sell it to the likes of the NSA. And, this particular agency is also buying “Americans’ domestic internet metadata.”

In other words, a comprehensive, yet legally questionable mass surveillance scheme.

Wyden “reinforced” his letter to Haines by attaching NSA Director General Paul Nakasone’s December response to one of his earlier queries – a back-and-forth that has been going on for almost three years, he says, and concerned other agencies as well and their practice of data acquisition.

But now that he said he would block the Senate confirmation of Nakasone’s successor – the information he received finally “got cleared” for release and pretty quickly.

Nakasone confirmed the practice, and then went on to justify it by saying it only pertains to “records” of online traffic, rather than “emails and documents.” He said what the NSA purchases is “netflow data” that comes from devices where “one or both” ends of the connection is in the US.

And why? It is “critical,” wrote Nakasone, in “protecting US defense contractors from cyber threats.”



https://reclaimthenet.org/nsa-confirms- ... r-warrants

[RTH10260]

Botnet Attack Targeted Routers: A Wake-Up Call for Securing Remote Employees’ Hardware

Published February 2, 2024
Megan Crouse

The FBI spotted this state-sponsored attack that highlights how home office setups can be overlooked when it comes to employees’ cybersecurity.
State-sponsored hackers affiliated with China have targeted small office/home office routers in the U.S. in a wide-ranging botnet attack, Federal Bureau of Investigation Director Christopher Wray announced on Wednesday, Jan. 31. Most of the affected routers were manufactured by Cisco and NetGear and had reached end-of-life status.

Department of Justice investigators said on Jan. 31, 2024, that the malware has been deleted from affected routers. The investigators also cut the routers off from other devices used in the botnet.

IT teams need to know how to reduce cybersecurity risks that could stem from remote workers using outdated technology.

What is the Volt Typhoon botnet attack?

The cybersecurity threat in this case is a botnet created by Volt Typhoon, a group of attackers sponsored by the Chinese government.

Starting in May 2023, the FBI looked into a cyberattack campaign against critical infrastructure organizations. On Jan. 31, 2024, the FBI revealed that an investigation into the same group of threat actors in December 2023 showed attackers sponsored by the government of China had created a botnet using hundreds of privately-owned routers across the U.S.

The attack was an attempt to create inroads into “communications, energy, transportation, and water sectors” in order to disrupt critical U.S. functions in the event of conflict between the countries, said Wray in the press release.

The attackers used a “living off the land” technique to blend in with the normal operation of the affected devices.

The FBI is contacting anyone whose equipment was affected by this specific attack. It hasn’t been confirmed whether employees of a particular organization were targeted.



https://www.techrepublic.com/article/vo ... et-attack/

[pipistrelle]

I’m not worried about my router being out of date, but would a corporate VPN protect company data?

[RTH10260]

I’m not worried about my router being out of date, but would a corporate VPN protect company data?

I understand that in this case the routers were not used to attack the local network behind it. The attackers used them to redirect traffic. If a network specialist at a hacked company would see a US IP-address rather than a foreign one, they would likely not recognize the threat. Or their firewall would let traffic pass. The possibly downside for a private subscriber may be that their bandwidth could have been used up if they happen to become the centerpoint of an attack or data extraction. But I guess that the hackers algorith would try to randomly allocate the "stolen" routers as to not rouse suspicion by overusing a single one.

[Volkonski]

Parents struggle to get care after cyberattack on Chicago children’s hospital

https://www.nbcnews.com/tech/security/l ... rcna137446

Chicago’s biggest children’s hospital, Ann & Robert H. Lurie Children’s, has entered its second week of reduced service as it tries to recover from a cyberattack.

Most of the hospital’s internet-connected equipment, including phones, email access and electronic health records, have been offline since the start of the incident, the hospital has said, making it significantly more difficult for parents to stay in touch with their doctors. Many appointments and surgeries are still being honored, the hospital said Monday.

“There is a special place in hell for a person who attacks a children’s hospital and disrupts medical care for thousands of innocent children,” said Deborah Land, whose teenage daughter is a patient at the hospital.

On its website, the hospital said, “Lurie Children’s is actively responding to a cybersecurity matter. We are taking this very seriously, are investigating with the support of leading experts, and are working in collaboration with law enforcement agencies. As part of our response to this matter, we have proactively taken network systems offline which is currently impacting our phone, email and electronic systems.”

A spokesperson for the hospital told NBC News by text message that Lurie Children’s took its systems offline Jan. 31, meaning that it has been operating at significantly reduced capability for more than a week.

Experts say the incident is consistent with a ransomware attack. Ransomware hackers, often located in Russia, where they’re safe from extradition to other countries, frequently take over hospital networks and demand payment in cryptocurrency.

“From the outside, this has all the hallmarks of a hospital ransomware attack: patients being rerouted to other hospitals, phone and computer systems offline and staff being forced to retrieve medical records by hand,” said Alan Liska, an analyst at the cybersecurity company Recorded Future.

[RTH10260]

Scammers used deepfake CFO on video call to trick company employee into sending them $25M

BY MIKE WHEATLEY
UPDATED 19:35 EST / FEBRUARY 04 2024

Scammers who used artificial intelligence-powered “deepfakes” to pose as a multinational company’s chief financial officer in a video call were able to trick an employee into sending them more than $25 million, CNN reported.

The finance worker was duped into making a video call with the purported CFO and several other senior executives at the company, but although they looked and sounded convincingly real, they were in fact deepfakes, Hong Kong police said in a statement Friday.

According to CNN, the victim was sent an email that claimed to be from the company’s CFO. The employee initially suspected the message was a phishing email, as it asked for a large amount of money to be transferred into an offshore account. However, the scammers managed to erase any doubts by inviting the employee to attend a video call, where the supposed CFO and several other colleagues he recognized were in attendance.

Believing all of the participants on the call to be real, the employee agreed to send more than $200 million Hong Kong dollars (about $25.6 million) to a specified account, senior superintendent Baron Chan Shun-ching said in a statement. “(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” Chan told RTHK, the city’s public broadcaster.

The scam was only identified several days later, when the employee became concerned over the transfer and checked with the corporate head office. Neither the worker, nor the company, has been identified.

Deepfakes are videos that have been manipulated by computers, often using AI, to make people appear to say or do something they never did, or to appear in places they weren’t. Thanks to advances in AI, deepfakes have become more convincing than ever before, and they’re often used to defame people in the public eye.

Some deepfakes look incredibly realistic, and so it’s no surprise that the technology is being abused by criminals in some very inventive ways to facilitate scams. The Hong Kong police said that it alone has come across more than 20 cases that involved the use of AI deepfakes to trick facial recognition systems by imitating people on identity cards.

Superintendent Chan said the police recently arrested six people in connection with a scam that involved eight stolen Hong Kong identity cards. The scammers used the cards to create deepfakes that could fool facial recognition systems, and then applied for more than 90 loan applications and bank account registrations in the last year.

“The presentation attack employed by the threat actors targeting this multinational company for millions showcased a high level of sophistication,” Kevin Vreeland, general manager of North America at the authentication firm Veridas, told SiliconANGLE in an email. “The employee initially followed proper protocols, correctly identifying the attack as potentially rooted in phishing. However, the escalation of the incident highlights how artificial intelligence has given attackers a leg up and created a plethora of security challenges for organizations, particularly in the era of widespread remote work.”




https://siliconangle.com/2024/02/04/sca ... nding-25m/

[RTH10260]

Canada

Authorities investigating massive security breach at Global Affairs Canada
Internal emails describe a month-long security breach affecting 'many' government employees

Kate McKenna, Philip Ling · CBC News ·
Posted: Jan 30, 2024 3:01 PM EST | Last Updated: January 31

Canadian authorities are investigating a prolonged data security breach following the "detection of malicious cyber activity" affecting the internal network used by Global Affairs Canada staff, according to internal department emails viewed by CBC News.

The breach affects at least two internal drives, as well as emails, calendars and contacts of many staff members.

CBC News spoke to multiple sources with knowledge of the situation, including employees who have received instructions on how the breach affects their ability to work. Some were told to stop working remotely as of last Wednesday.

CBC News has also seen three internal emails sent to Global Affairs staff.

"Forensic work has also progressed to help us understand the scope of the data breach," one email said. "The work is ongoing, but early results suggest that many (Global Affairs Canada) users may have been affected."

Another email said the internal systems were vulnerable between December 20, 2023 and January 24, 2024. It informed anyone who connected remotely using a SIGNET (Secure Integrated Global Network) laptop that their information may be vulnerable.

The "compromised" system was the virtual private network (VPN) staff use to access Global Affairs's Ottawa headquarters. The VPN system was managed by Shared Services Canada, the GAC notice said.



https://www.cbc.ca/news/politics/global ... -1.7099290

[RTH10260]

Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

Feb 03, 2024
NewsroomVulnerability / Social Media

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account.

"Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory.

The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of a maximum of 10. Security researcher arcanicanis has been credited with discovering and reporting it.

It has been described as an "origin validation error" (CWE-346), which can typically allow an attacker to "access any functionality that is inadvertently accessible to the source."

Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.

Mastodon said it's withholding additional technical specifics about the flaw until February 15, 2024, to give admins ample time to update the server instances and prevent the likelihood of exploitation.

"Any amount of detail would make it very easy to come up with an exploit," it said.



https://thehackernews.com/2024/02/masto ... ckers.html

[RTH10260]

Cloudflare Falls Victim to Okta Breach, Atlassian Systems Cracked
The cyberattackers, believed to be state sponsored, didn't get far into Cloudflare's global network, but not for lack of trying.

Tara Seals, Managing Editor, News, Dark Reading
February 2, 2024

Cloudflare was a victim of the wide-ranging Okta supply-chain campaign last fall, with a data breach impacting its Atlassian Bitbucket, Confluence, and Jira platforms beginning on Thanksgiving Day.

"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network," the Internet security and DDoS protection company said in a blog on the Okta-related cyber incident, published yesterday.



https://www.darkreading.com/threat-inte ... ms-cracked

[RTH10260]

Explainer: what is Volt Typhoon and why is it the ‘defining threat of our generation’?
FBI director has publicly identified the risk posed by a Chinese cyber operation that is believed to have compromised thousands of internet-connected devices

Helen Davidson and agencies
Tue 13 Feb 2024 06.20 CET

Relations between the US and China – particularly over Beijing’s threats to annex Taiwan – have plummeted in recent years, prompting growing concern about the potential for hostilities or all-out conflict. So recent revelations that a Chinese hacking network known as Volt Typhoon had been lying dormant inside US critical infrastructure for as long as five years have sparked considerable alarm.

The network exploited US technological and security weaknesses. But rather than stealing secrets, US and allied intelligence services said it was focused on “pre-positioning” itself for future acts of sabotage.

FBI director Christopher Wray told a US committee hearing last week that Volt Typhoon was “the defining threat of our generation”.

The Netherlands and Philippines have also recently publicly identified Chinese-backed hackers as targeting state networks and infrastructure.

What is Volt Typhoon?

Western intelligence officials say Volt Typhoon – also known as Vanguard Panda, Brronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus – is a state-supported Chinese cyber operation that has compromised thousands of internet-connected devices. They said it was part of a larger effort to infiltrate western critical infrastructure, including naval ports, internet service providers, communications services and utilities.

The new advisories on Volt Typhoon followed a recent announcement by US authorities that they had dismantled a bot network of hundreds of compromised devices, attributing it to the hacking network.

“CISA [Cybersecurity and Infrastructure Agency] teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, [and] transportation,” US CISA director Jen Easterly told a US House committee hearing earlier this month.




https://www.theguardian.com/technology/ ... -explainer

[RTH10260]

Super skimmers: The new way criminals are hacking your account, even if you don’t swipe your card

Boston 25 News
5 Feb 2024

Criminals are evolving and finding more sophisticated ways to steal your money – even with chip cards. Super skimmers are now being used, and security experts tell Boston 25 News, they’re much harder to detect. But there are things to watch out for to protect your money.

[RTH10260]

Prolific cybercrime gang disrupted by joint UK, US and EU operation
LockBit’s website under control of security agencies from both sides of Atlantic, according to post

Reuters
Mon 19 Feb 2024 18.57 EST

LockBit, a notorious cybercrime gang that holds its victims’ data to ransom, has been disrupted in a rare international law enforcement operation by Britain’s National Crime Agency, the FBI, Europol and a coalition of international police agencies, according to a post on the gang’s extortion website.

“This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement taskforce ‘Operation Cronos’,” the post said on Monday.

An NCA spokesperson confirmed that the agency had disrupted the gang and said the operation was “ongoing and developing”. A representative for LockBit did not respond to messages from Reuters seeking comment but did post messages on an encrypted messaging app saying it had backup servers not affected by the law enforcement action.

The US Department of Justice and the FBI did not immediately respond to requests for comment.

The post named other international police organisations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.

LockBit and its affiliates have hacked some of the world’s largest organisations in recent months. The gang makes money by stealing sensitive data and threatening to leak it if victims fail to pay an extortionate ransom. Its affiliates are like-minded criminal groups it recruits to wage attacks using LockBit’s digital extortion tools.




https://www.theguardian.com/technology/ ... ion-cronos

[RTH10260]

Huge cybersecurity leak lifts lid on world of China’s hackers for hire
Leaked files shows range of services offered and bought, with data harvested from targets worldwide

Amy Hawkins
Fri 23 Feb 2024 06.00 CET

A big leak of data from a Chinese cybersecurity firm has revealed state security agents paying tens of thousands of pounds to harvest data on targets, including foreign governments, while hackers hoover up huge amounts of information on any person or institution who might be of interest to their prospective clients.

The cache of more than 500 leaked files from the Chinese firm I-Soon was posted on the developer website Github and is thought by cybersecurity experts to be genuine. Some of the targets discussed include Nato and the UK Foreign Office.

The leak provides an unprecedented insight into the world of China’s hackers for hire, which the head of the UK’s security services has called a “massive” challenge for the country.

The files, which are a mixture of chat logs, company prospectuses and data samples, reveal the extent of China’s intelligence gathering operations, while also highlighting the market pressures felt by the country’s commercial hackers as they vie for business in a struggling economy.

I-Soon appears to have worked with – and later been embroiled in a commercial dispute with – another Chinese hacking outfit, Chengdu 404, whose hackers have been indicted by the US Department of Justice for cyber-attacks on companies in the US as well as pro-democracy activists in Hong Kong, among other targets.

Other targets discussed in the I-Soon leaks include the British thinktank Chatham House and the public health bureaux and foreign affairs ministries of Asean countries. Some of this data seems to have been gathered on spec, while in other cases there are specific contracts with a Chinese public security bureau to gather a certain type of data.

A spokesperson for Chatham House said: “We are aware of this data coming to light and are naturally concerned. Chatham House takes data and information security extremely seriously. In the current climate, we, along with many other organisations, are the target of regular attempted attacks from both state and non-state actors.



https://www.theguardian.com/technology/ ... s-for-hire

[RTH10260]

Caught in time before the bad guys could figure it out

KeyTrap Algorithmic Complexity Attacks Exploit Fundamental Design Flaw in DNSSEC

Haya Schulmann —
16 Feb 2024

Contributors: Elias Heftrig, Niklas Vogel, Michael Waidner

KeyTrap - described by some as 'the worst attack on DNS ever discovered' - is capable of exhausting CPU resources and stalling widely used DNS implementations and public DNS providers, like Google Public DNS and Cloudflare. The research team from ATHENE explain how they discovered the attack.

Researchers from the National Research Center for Applied Cybersecurity ATHENE have uncovered a critical flaw in the design of DNSSEC (DNS Security Extensions) that introduces a vulnerability in all DNSSEC validating DNS resolver implementations.

The team - Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner - developed a new class of algorithmic complexity attacks, which they dubbed KeyTrap.

They demonstrated that, with only a single DNS packet, the attack can exhaust the CPU and stall all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare. In fact, the popular Bind9 DNS implementation can be stalled for as long as 16 hours.

These devastating effects prompted major DNS vendors to refer to KeyTrap as “The worst attack on DNS ever discovered.” And the impact of the attack is far reaching. Exploiting KeyTrap, attackers can effectively disable Internet access in any system utilising a DNSSEC-validating DNS resolver.



https://labs.ripe.net/author/haya-shulm ... in-dnssec/

PS. the flaw is being worked on by providers of DNS software