
Cyber Attacks and Hacking

busterbunker
Posts: 277
Joined: Mon Feb 22, 2021 9:46 pm

Cyber Attacks and Hacking

#51

Post by busterbunker »

A nifty little hack I came across today, mods feel free to delete if inappropriate:
Hidden Content
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#52

Post by RTH10260 »

busterbunker wrote: Thu Nov 03, 2022 4:09 am A nifty little hack I came across today, mods feel free to delete if inappropriate:
Hidden Content
I wouldn't consider a browser extension that is hosted in the mozilla repository a "hack" aka a bad thing as this thread is reporting on.

Though I expect that the media companies may ask Mozilla to have that thingy removed. In parts of the world circumvention of a paywall may be considered a real hack and have legal consequences.
busterbunker
Posts: 277
Joined: Mon Feb 22, 2021 9:46 pm

Cyber Attacks and Hacking

#53

Post by busterbunker »

Hidden Content
keith
Posts: 3705
Joined: Mon Feb 22, 2021 10:23 pm
Location: The Swamp in Victorian Oz
Occupation: Retired Computer Systems Analyst Project Manager Super Coder
Verified: ✅lunatic

Cyber Attacks and Hacking

#54

Post by keith »

busterbunker wrote: Thu Nov 03, 2022 4:37 am
Hidden Content
I bemoaned the fact that hacking USED to be a benevolent endeavor. But I don't control the English language, and the word has taken on a negative meaning now.
Has everybody heard about the bird?
Suranis
Posts: 5830
Joined: Mon Feb 22, 2021 5:25 pm

Cyber Attacks and Hacking

#55

Post by Suranis »

Since this is a security update I guess it's good to post the whole thing.

https://blog.lastpass.com/2022/12/notic ... -incident/

December 22, 2022 | By Karim Toubba
Notice of Recent Security Incident

Update as of Thursday, December 22, 2022  

To Our LastPass Community,   

We recently notified you that an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data. In keeping with our commitment to transparency, we want to provide you with an update regarding our ongoing investigation.   

What We’ve Learned  

Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service. 

LastPass production services currently operate from on-premises data centers with cloud-based storage used for various purposes such as storing backups and regional data residency requirements. The cloud storage service accessed by the threat actor is physically separate from our production environment.  

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.  

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here. 

There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment. 
Hic sunt dracones
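The notice above describes a client-side key derived from the master password, with the server never holding the password or the key. The following is an added toy model of that design, not LastPass's own code. It assumes PBKDF2-HMAC-SHA256 with the username as salt, an illustrative 100,100-iteration count, and a login hash that is one extra PBKDF2 round; the AES-256 encryption of vault fields is not modelled, and the iteration counts compared at the end are illustrative, not any vendor's settings.

```python
"""Toy model of a zero-knowledge vault login: the vault key is derived on the
client and never sent; the server stores only a one-round hash of it.
Assumptions (not LastPass's actual implementation): PBKDF2-HMAC-SHA256,
lower-cased username as salt, 100,100 iterations, login hash = one more
PBKDF2 round keyed with the vault key and salted with the master password."""
import hashlib
import hmac

DEFAULT_ITERATIONS = 100_100  # assumed client-side round count for this example


def derive_vault_key(master_password: str, username: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Client side only: the 256-bit key that protects the vault's encrypted fields."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one extra PBKDF2 round over the key,
    salted with the master password. This is all the server ever stores."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def client_login(master_password: str, username: str,
                 iterations: int = DEFAULT_ITERATIONS) -> tuple:
    """Returns (vault_key kept locally, login_hash sent to the server)."""
    key = derive_vault_key(master_password, username, iterations)
    return key, derive_login_hash(key, master_password)


def server_verify(stored_login_hash: bytes, presented_login_hash: bytes) -> bool:
    """Server-side check: constant-time compare, no key material involved."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def offline_guess_cost_seconds(candidates: int, iterations: int,
                               pbkdf2_rounds_per_second: float) -> float:
    """Time for whoever holds a stolen backup to test `candidates` master
    passwords against it: each costs iterations + 1 PBKDF2 rounds. This is
    why the iteration count and the master password's entropy are the
    defences that remain once the encrypted blob is in the wrong hands."""
    return candidates * (iterations + 1) / pbkdf2_rounds_per_second


if __name__ == "__main__":
    key, login = client_login("correct horse battery staple", "alice@example.com")
    # The server record holds only the login hash, never `key`.
    print("server stores      :", login.hex())
    print("login hash == key  :", key == login)                   # False
    _, wrong = client_login("wrong password", "alice@example.com")
    print("wrong pw accepted  :", server_verify(login, wrong))    # False
    for iters in (5_000, DEFAULT_ITERATIONS):                     # illustrative counts
        secs = offline_guess_cost_seconds(10**9, iters, 1e9)
        print(f"{iters:>7} iterations: 1e9 guesses at 1e9 rounds/s -> {secs:,.0f} s")
```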
Reddog
Posts: 349
Joined: Mon Feb 22, 2021 2:29 pm

Cyber Attacks and Hacking

#56

Post by Reddog »

RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#57

Post by RTH10260 »

BetMGM Confirms Breach as Hackers Offer to Sell Data of 1.5 Million Customers

By Eduard Kovacs
on December 23, 2022

MGM Resorts-owned online sports betting company BetMGM confirmed suffering a data breach the same day hackers offered to sell a database containing the information of 1.5 million BetMGM customers.

In a statement posted on its website on December 21, BetMGM said “patron records were obtained in an unauthorized manner”.

The company said the compromised information includes name, email address, postal address, phone number, date of birth, hashed Social Security number, account identifier, and information related to transactions.

“The affected information varied by patron,” according to the statement.

BetMGM claims there is no evidence that passwords or account funds were accessed by the hackers. However, the company still recommends changing passwords as a good practice, and it’s offering two years of free credit monitoring and identity restoration services to impacted individuals.

The sports betting firm said it learned of the incident on November 22 and believes the intrusion occurred in May 2022.

In a post on a popular cybercrime forum, someone claiming to be the hacker offered to sell a database containing nearly 1.57 million records dating from November 2022, allegedly associated with “any customer that has placed a casino wager”.

https://www.securityweek.com/betmgm-con ... -customers
pipistrelle
Posts: 6688
Joined: Mon Feb 22, 2021 11:27 am

Cyber Attacks and Hacking

#58

Post by pipistrelle »

Why would they need your SS#? That to me is a more significant steal than, say, credit card info.
tek
Posts: 2250
Joined: Mon Feb 22, 2021 10:15 am

Cyber Attacks and Hacking

#59

Post by tek »

to report winnings?
Tiredretiredlawyer
Posts: 7541
Joined: Tue Feb 23, 2021 10:07 pm
Location: Rescue Pets Land
Occupation: 21st Century Suffragist
Verified: ✅🐴🐎🦄🌻5000 posts and counting

Cyber Attacks and Hacking

#60

Post by Tiredretiredlawyer »

:rimshot:
"Mickey Mouse and I grew up together." - Ruthie Tompson, Disney animation checker and scene planner and one of the first women to become a member of the International Photographers Union in 1952.
humblescribe
Posts: 1091
Joined: Mon Feb 22, 2021 3:42 pm
Occupation: Dude
Verified:

Cyber Attacks and Hacking

#61

Post by humblescribe »

tek wrote: Thu Dec 29, 2022 7:34 am to report winnings?
Yeah, that is likely one reason. Another I would assume would be to run a credit check on potential customers who might want to have an account with the casino.
"Some cause happiness wherever they go; others whenever they go." O. Wilde
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#62

Post by RTH10260 »

:cantlook: :doh:
LastPass owner GoTo says hackers stole customers’ backups

Carly Page (@carlypage_)
2:20 PM GMT+1, January 24, 2023

LastPass’ parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.

The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi, and its Remotely Anywhere remote access tool.

GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.

“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” said GoTo CEO Paddy Srinivasan. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

Despite the delay, GoTo provided no remediation guidance or advice for affected customers.

https://techcrunch.com/2023/01/24/goto- ... -lastpass/
Suranis
Posts: 5830
Joined: Mon Feb 22, 2021 5:25 pm

Cyber Attacks and Hacking

#63

Post by Suranis »

Things just got nasty out there. More than usual.

https://arstechnica.com/information-tec ... -software/
Until further notice, think twice before using Google to download software

Over the past month, Google has been outgunned by malvertisers with new tricks.

Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous, according to researchers and a pseudorandom collection of queries.

“Threat researchers are used to seeing a moderate flow of malvertising via Google Ads,” volunteers at Spamhaus wrote on Thursday. “However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not ‘the norm.’”
One of many new threats: MalVirt

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.

On the same day that Spamhaus published its report, researchers from security firm Sentinel One documented an advanced Google malvertising campaign pushing multiple malicious loaders implemented in .NET. Sentinel One has dubbed these loaders MalVirt. At the moment, the MalVirt loaders are being used to distribute malware most commonly known as XLoader, available for both Windows and macOS. XLoader is a successor to malware also known as Formbook. Threat actors use XLoader to steal contacts' data and other sensitive information from infected devices.

The MalVirt loaders use obfuscated virtualization to evade end-point protection and analysis. To disguise real C2 traffic and evade network detections, MalVirt beacons to decoy command and control servers hosted at providers including Azure, Tucows, Choopa, and Namecheap. Sentinel One researcher Tom Hegel wrote:
As a response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods—most recently, malvertising. The MalVirt loaders we observed demonstrate just how much effort threat actors are investing in evading detection and thwarting analysis.

Malware of the Formbook family is a highly capable infostealer that is deployed through the application of a significant amount of anti-analysis and anti-detection techniques by the MalVirt loaders. Traditionally distributed as an attachment to phishing emails, we assess that threat actors distributing this malware are likely joining the malvertising trend.

Given the massive size of the audience threat actors can reach through malvertising, we expect malware to continue being distributed using this method.
Google representatives declined an interview. Instead, they provided the following statement:
Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.
Much more at the link.
Hic sunt dracones
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#64

Post by RTH10260 »

Revealed: the hacking and disinformation team meddling in elections
  • ‘Team Jorge’ unit exposed by undercover investigation
  • Group sells hacking services and access to vast army of fake social media profiles
  • Evidence unit behind disinformation campaigns across world
  • Mastermind Tal Hanan claims covert involvement in 33 presidential elections
Stephanie Kirchgaessner, Manisha Ganguly, David Pegg, Carole Cadwalladr and Jason Burke
Wed 15 Feb 2023 04.00 GMT

A team of Israeli contractors who claim to have manipulated more than 30 elections around the world using hacking, sabotage and automated disinformation on social media has been exposed in a new investigation.

The unit is run by Tal Hanan, a 50-year-old former Israeli special forces operative who now works privately using the pseudonym “Jorge”, and appears to have been working under the radar in elections in various countries for more than two decades.

He is being unmasked by an international consortium of journalists. Hanan and his unit, which uses the codename “Team Jorge”, have been exposed by undercover footage and documents leaked to the Guardian.

Hanan did not respond to detailed questions about Team Jorge’s activities and methods but said: “I deny any wrongdoing.”

https://www.theguardian.com/world/2023/ ... -tal-hanan
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#65

Post by RTH10260 »

‘Aims’: the software for hire that can control 30,000 fake online profiles
Exclusive: Team Jorge disinformation unit controls vast army of avatars with fake profiles on Twitter, Facebook, Gmail, Instagram, Amazon and Airbnb

Manisha Ganguly
Wed 15 Feb 2023 04.00 GMT

At first glance, the Twitter user “Canaelan” looks ordinary enough. He has tweeted on everything from basketball to Taylor Swift, Tottenham Hotspur football club to the price of a KitKat. The profile shows a friendly-looking blond man with a stubbly beard and glasses who, it indicates, lives in Sheffield. The background: a winking owl.

Canaelan is, in fact, a non-human bot linked to a vast army of fake social media profiles controlled by a software designed to spread “propaganda”.

Advanced Impact Media Solutions, or Aims, which controls more than 30,000 fake social media profiles, can be used to spread disinformation at scale and at speed. It is sold by “Team Jorge”, a unit of disinformation operatives based in Israel.

https://www.theguardian.com/world/2023/ ... e-profiles
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#66

Post by RTH10260 »

How undercover reporters caught ‘Team Jorge’ disinformation operatives on camera
For more than six months, undercover reporters posed as consultants working on behalf of a businessman who wanted to delay an African election

Stephanie Kirchgaessner US investigations correspondent
Wed 15 Feb 2023 04.00 GMT

As the man calling himself “Jorge” shook hands with two prospective clients, he joked: “You saw what it says on the door, right? It says nothing. That’s who we are. We are nothing.”

He was smartly dressed with an expensive watch, flashier than the consultants – who were in fact undercover reporters – had expected. It was late December and despite several online meetings, this was the first time the consultants had seen the man they had been communicating with. He had kept his camera off in each of the five previous video calls.

And now a warm, disarming greeting, but still no name.

https://www.theguardian.com/world/2023/ ... -tal-hanan
busterbunker
Posts: 277
Joined: Mon Feb 22, 2021 9:46 pm

Cyber Attacks and Hacking

#67

Post by busterbunker »

Oakland [CA] declares local state of emergency over ransomware attack

https://www.cbsnews.com/sanfrancisco/ne ... emergency/

Oakland declared a local state of emergency Tuesday because of ongoing impacts of a ransomware attack that has resulted in network outages to the city's systems.

The city announced that Interim City Administrator G. Harold Duffey issued the state of emergency in order to allow the city to activate emergency workers, expedite the procurement of equipment and materials to restore systems, and issue orders on an expedited basis.

The ransomware attack began the evening of Feb. 8, police and city officials said Friday. Such attacks involve someone encrypting files and demanding ransom to decrypt them. The encryption makes the files and the systems that rely on them unusable, according to the U.S. Cybersecurity and Infrastructure Security Agency.

Oakland's information technology department was working with law enforcement and a third party forensics firm to determine the scope and severity of the attack. City officials did not release the amount of ransom the attackers are asking for.
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#68

Post by RTH10260 »

U.S. Marshals Service suffers 'major' security breach that compromises sensitive information, senior law enforcement officials say

Dave O
Andrew Blankstein and Michael Kosnar and Jonathan Dienst and Tom Winter and Zoë Richards
Tue, February 28, 2023 at 2:38 AM GMT+1

The U.S. Marshals Service suffered a security breach over a week ago that compromises sensitive information, multiple senior U.S. law enforcement officials said Monday.

In a statement Monday, U.S. Marshals Service spokesperson Drew Wade acknowledged the breach, telling NBC News: “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”

Wade said the incident occurred Feb. 17, when the Marshals Service "discovered a ransomware and data exfiltration event affecting a stand-alone USMS system."

The system was disconnected from the network, and the Justice Department began a forensic investigation, Wade said.

He added that on Wednesday, after the agency briefed senior department officials, "those officials determined that it constitutes a major incident.”

The investigation is ongoing, Wade said.

A senior law enforcement official familiar with the incident said the breach did not involve the database involving the Witness Security Program, commonly known as the witness protection program. The official said no one in the witness protection program is in danger because of the breach.

Nevertheless, the official said, the incident is significant, affecting law enforcement sensitive information pertaining to the subjects of Marshals Service investigations.

The official said the agency has been able to develop a workaround so it is able to continue operations and efforts to track down fugitives.

https://news.yahoo.com/u-marshals-suffe ... 21120.html
(original: NBC News)
busterbunker
Posts: 277
Joined: Mon Feb 22, 2021 9:46 pm

Cyber Attacks and Hacking

#69

Post by busterbunker »

They say there's like 10GB of the stuff and I wouldn't mind getting my hands on it. I'm pretty clean, but just to see if my name came up.

Bypass Paywalls Clean is working great! You just gotta manually update. The company bong remains safe.
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#70

Post by RTH10260 »

from January this year - seems to be gaining momentum now among the bad guys
‘Bring your own vulnerable driver’ attack technique is becoming popular among threat actors

Updated on: 19 January 2023
Pierluigi Paganini

Cybercriminal groups and nation-state actors are devising new attack techniques to compromise systems worldwide and bypass security solutions. One of the most effective attack techniques recently used in the wild is known as bring your own vulnerable driver (BYOVD) attack, which threat actors are using to bypass security products.

In BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, to achieve successful kernel-mode exploitation and disable defense solutions.

Recently a couple of BYOVD attacks made the headlines, conducted respectively by a ransomware gang and an Advanced Persistent Threat (APT) group. Let’s take a look at these two attacks.

BlackByte ransomware gang uses the BYOVD technique

The first attack was carried out by the BlackByte ransomware gang and recently detailed by researchers at cybersecurity firm Sophos.

Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products.

Sophos experts analyzed a sample of the most recent variant of the ransomware, which is written in Go, and discovered that the threat actors are exploiting a vulnerability in a legitimate Windows driver to bypass security solutions.

“We found a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate vulnerable driver RTCore64.sys,” reads the post published by Sophos. “The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection. Sophos products provide mitigations against the tactics discussed in this article.”

“‘Bring Your Own Driver’ is the name given to this technique — exploiting a targeted system by abusing a legitimate signed driver with an exploitable vulnerability.”

The issue is a privilege escalation and code execution vulnerability, tracked as CVE-2019-16098 (CVSS score 7.8), that affects the Micro-Star MSI Afterburner RTCore64.sys driver.

The RTCore64.sys and RTCore32.sys drivers are widely used by Micro-Star’s MSI AfterBurner 4.6.2.15658 utility, which allows users to extend control over graphics cards on the system.

An authenticated user can exploit the flaw to read and write to arbitrary memory, I/O ports, and MSRs, potentially leading to privilege escalation and code execution under high privileges, and information disclosure. The experts explained that signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malware.

https://cybernews.com/security/bring-yo ... er-attack/
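A defender-side check for the technique described in the article, as an added example that is neither the article's nor Sophos's code: it scans driver-load events for drivers on a known-vulnerable list, matching by file name and by hash so that a renamed copy of the same binary is still caught. The driver names and CVE come from the article; the Sysmon-like key=value log layout is assumed, and the event lines and hash values are constructed placeholders, not real indicators.

```python
"""BYOVD detection over driver-load telemetry (added example, assumed log format).
A valid code signature is expected in BYOVD, so it must never downgrade a match."""
import re
from pathlib import PureWindowsPath

# Driver names and the CVE are from the article above. In production, take both
# names and SHA-256 values from a maintained list (e.g. loldrivers.io); the hash
# values below are CONSTRUCTED PLACEHOLDERS, not real indicators.
VULNERABLE_DRIVER_NAMES = {
    "rtcore64.sys": "CVE-2019-16098",
    "rtcore32.sys": "CVE-2019-16098",
}
VULNERABLE_DRIVER_HASHES = {
    "PLACEHOLDER_SHA256_RTCORE64": "rtcore64.sys",
    "PLACEHOLDER_SHA256_RTCORE32": "rtcore32.sys",
}

# Constructed driver-load events (Sysmon Event ID 6 style, assumed layout).
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys "
    "Hashes=SHA256=PLACEHOLDER_SHA256_NTFS Signed=true "
    "Signature=Microsoft Windows SignatureStatus=Valid",
    # The vulnerable driver dropped under its own name.
    "EventID=6 ImageLoaded=C:\\Users\\Public\\rtcore64.sys "
    "Hashes=SHA256=PLACEHOLDER_SHA256_RTCORE64 Signed=true "
    "Signature=Micro-Star International SignatureStatus=Valid",
    # The same binary renamed: only the hash gives it away.
    "EventID=6 ImageLoaded=C:\\ProgramData\\gfxhelper.sys "
    "Hashes=SHA256=PLACEHOLDER_SHA256_RTCORE32 Signed=true "
    "Signature=Micro-Star International SignatureStatus=Valid",
]

# key=value pairs; values may contain spaces, so stop at the next " key=".
_FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one event line into fields and unpack the Hashes=ALGO=value list."""
    fields = dict(_FIELD.findall(line))
    hashes = {}
    for part in fields.get("Hashes", "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip()
    fields["_hashes"] = hashes
    return fields


def check_driver_load(event: dict):
    """Return a finding for a suspicious driver load, or None for a clean one."""
    if event.get("EventID") != "6":
        return None
    path = event.get("ImageLoaded", "")
    name = PureWindowsPath(path).name.lower()
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"file name is a known vulnerable driver "
                       f"({VULNERABLE_DRIVER_NAMES[name]})")
    sha256 = event["_hashes"].get("SHA256")
    if sha256 in VULNERABLE_DRIVER_HASHES:
        reasons.append(f"SHA256 matches known vulnerable driver "
                       f"{VULNERABLE_DRIVER_HASHES[sha256]} (possibly renamed)")
    if not reasons:
        return None
    return {
        "path": path,
        "signed": event.get("SignatureStatus") == "Valid",  # reported, not trusted
        "reasons": reasons,
    }


def scan_driver_loads(lines) -> list:
    """Run the check over a batch of event lines and collect findings."""
    findings = []
    for line in lines:
        finding = check_driver_load(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_driver_loads(SAMPLE_EVENTS):
        print(f["path"], "| validly signed:", f["signed"])
        for r in f["reasons"]:
            print("   -", r)
```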
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#71

Post by RTH10260 »

"Significant Data Breach" Hits Lawmakers On Capitol Hill

BY TYLER DURDEN
THURSDAY, MAR 09, 2023 - 01:55 PM

The Chief Administrative Officer of the House of Representatives, Catherine L. Szpindor, told lawmakers Wednesday their personal information was exposed in a "significant data breach" at a health insurance marketplace.

"I have been informed by the United States Capitol Police and DC Health Link* of a data breach impacting Members and staff. DC Health Link suffered a significant data breach yesterday, potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through the DC Health Link, your data may have been compromised," Szpindor wrote in a letter to colleagues on Capitol Hill on Wednesday.

It did not appear that lawmakers were specifically the target in the breach, Szpindor said. She continued:

"Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and [personally identifiable information] of hundreds of Member and House staff were stolen. I expect to have access to the list of impacted enrollees later today and will notify you directly if your information was compromised."

Speaker Kevin McCarthy (R-Calif.) and Democratic leader Hakeem Jeffries (D-N.Y.) were told by the FBI that cyber security agents found personal information from DC Health Link on the dark web, according to The Washington Post, citing a letter sent by House leadership to the health insurance marketplace. Agents found the names of spouses, dependent children, their social security numbers, and home addresses.

DC Health Link confirmed the breach and stated, "data for some DC Health Link customers have been exposed on a public forum."

Szpindor told lawmakers and staff to "freeze your credit" to prevent anyone from being able to "open a credit card, or taking out a loan in your name."

The House Administration Committee tweeted it's "aware of the breach and is working with the CAO to ensure the vendor takes necessary steps to protect the PII of any impacted member, staff, and their families."

Here's Szpindor's full letter to lawmakers about the data breach:

https://www.zerohedge.com/technology/si ... pitol-hill
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#72

Post by RTH10260 »

RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#73

Post by RTH10260 »

out of general interest lifted full article
Google reveals two global spyware campaigns targeting Apple and Android devices
The operations are just the latest example of the proliferation of sophisticated spyware among private vendors, Google says.

AJ VICENS
MARCH 29, 2023

Google’s Threat Analysis Group on Wednesday revealed two “limited and highly targeted” spyware campaigns that took advantage of zero-day vulnerabilities as well as known but unpatched security holes to undermine protections on Android and Apple iOS devices as well as Google’s Chrome browser.

The company did not reveal the spyware vendors involved, but said one of the campaigns used a link directing targets to a landing page identical to one Google revealed in November 2022 from Spanish spyware firm Variston IT. Whoever was behind the most recent campaign, the researchers said, could be a Variston customer or partner.

The spyware revelations come just days after the U.S. government announced an executive order barring federal agencies from using commercial spyware that presents a national security risk. A senior Biden administration official on Monday told CyberScoop that spyware had been found on — or suspected to be on — devices associated with 50 U.S. personnel across 10 countries.

Google’s report did not identify the number of victims targeted in this campaign or any other details about them or the broader context of campaigns themselves.

“These campaigns are a reminder that the commercial spyware industry continues to thrive,” the researchers said. “Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret poses a severe risk to the Internet. These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools.”

Google says it’s tracking more than 30 such vendors “with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors,” the researchers said. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians.”

The first campaign that Google revealed was discovered in November 2022 and involved exploits targeting Android and iOS devices delivered to targets in Italy, Malaysia and Kazakhstan via the link-shortening service Bitly. If the target clicked the link, it redirected them to pages hosting exploits for either Android or iOS, and then on to legitimate websites such as a page to track shipments or a popular Malaysian news website, the researchers wrote.

That campaign’s iOS targeting used a since-patched zero-day exploit as well as two other known exploits. One of those exploits used a technique used by spyware firm Cytrox as part of its Predator spyware, which was revealed in a December 2021 blog post from the Toronto-based digital rights group Citizen Lab. Apple issued a fix for the bug in March 2022. Its Android targeting also relied on one zero-day bug as well as two known vulnerabilities.

Google researchers discovered the second campaign in December 2022 using one-time links targeting devices in the United Arab Emirates. That campaign directed users to the same landing page associated with the Heliconia framework, developed by Variston IT. The framework was revealed in November 2022 when an anonymous user uploaded Variston source code related to three distinct vulnerabilities to Google’s Chrome bug reporting program.

The campaign had been active since at least 2020 and targeted mobile and desktop services, according to Amnesty International’s Security Lab, which flagged aspects of the campaign and shared details with Google. The exploits were delivered from a network of more than 1,000 malicious domains, Amnesty said, noting that additional activity related to the campaign was identified in Indonesia, Belarus, Italy along with the targeting in the UAE.

The Amnesty team shared details and technical indicators related to the campaign, including the domains, on GitHub.

“In the wake of the Pegasus Project, which revealed that spyware had been used to target journalists, human rights defenders and politicians around the world, there is an urgent need for an international moratorium on the development, use, transfer and sale of spyware technologies until there is a global legal framework in place to prevent these abuses and protect human rights in the digital age,” Amnesty International Security Lab said in a statement.

The spyware discovered in December included libraries for decrypting and capturing data from various chat and browser applications, the Google researchers said.

“The exploit chain TAG recovered was delivered to the latest version of Samsung’s Browser, which runs on Chromium 102 and does not include recent mitigations,” the researchers wrote. “If they had been in place, the attackers would have needed additional vulnerabilities to bypass the mitigations.”

Updated March 29, 2023: This story has been updated to include reference to and commentary from Amnesty International’s Security Lab, which worked with Google to identify one of the campaigns.



https://cyberscoop.com/google-tag-spywa ... os-chrome/
User avatar
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#74

Post by RTH10260 »

Hackers Are Using ChatGPT-Themed Lures to Spread Sophisticated Malware on Meta

ALICIA HOPE
MAY 9, 2023

Meta’s security team has warned that hackers are exploiting increased public interest in ChatGPT and similar generative AI chatbots to spread novel malware on its platform and take over accounts.

In its Q1 security report, the team said threat actors are exploiting people’s interest in AI chatbots such as OpenAI’s chatGPT and Google’s Bard to trick people into installing malicious applications.

The campaign follows a predictable trend of bad actors exploiting high-engagement topics such as cryptocurrency and now chatGPT to distribute malware.

“This is not unique to the generative AI space,” Meta’s security report stated. “As an industry, we’ve seen this across other topics popular in their time, such as crypto scams fueled by the interest in digital currency.”

Hackers use ChatGPT-themed malware to take over online accounts

Since March 2023, Meta discovered, blocked, and reported over 1,000 unique chatGPT-themed malicious web addresses.

While some malevolent applications claiming to offer chatGPT-based tools have working features, they include malicious code that infects users’ devices.



https://www.cpomagazine.com/cyber-secur ... e-on-meta/
User avatar
RTH10260
Posts: 14351
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#75

Post by RTH10260 »

older
Hackers stole over 200 million email addresses from Twitter users and published them on an online forum, cybersecurity firm says

Sawdah Bhaimiya
Jan 6, 2023, 2:24 PM GMT+1
• Hackers have leaked email addresses from over 200 million Twitter users, a cybersecurity firm said.
• The database could be used to hack high-profile, political, or crypto accounts on Twitter.
• "This is one of the most significant data leaks in history," Alon Gal of Hudson Rock told Insider.

Hackers have leaked the details of more than 200 million Twitter accounts, including email addresses, phone numbers, and account handles, onto an online hacking forum, cybercrime intelligence company Hudson Rock told Insider on Friday.

The news was previously reported by outlets including Reuters, CNN, and The Guardian.

A database with the "unique records" of 235 million Twitter users was posted onto a forum and made public, co-founder and chief technology officer at Hudson Rock, Alon Gal, said in a Wednesday LinkedIn post.

"This is one of the most significant data leaks in history and will unfortunately lead to a lot of accounts getting hacked, targeted with phishing, and doxxed," Gal told Insider in a statement.

"I urge Twitter users to change passwords and to be suspicious of any phishing attempts, and for Twitter to acknowledge this breach as soon as possible."

Insider was unable to independently verify the authenticity of the data Hudson Rock said had been leaked.

Twitter did not immediately respond to Insider's request for comment on the leaks, and the social-media giant is yet to publicly acknowledge such a breach.

Gal warned in an additional LinkedIn post that hackers will take advantage of the database to hack "high profile accounts," "crypto Twitter accounts," and "political accounts." Hudson Rock had earlier linked the hacking of British TV personality Piers Morgan's Twitter account to the leak.

Hackers have been selling and circulating large amounts of both public and private data from Twitter profiles since July 2022, technology site Bleeping Computer said.

The data is thought to have stemmed from a flaw in Twitter's API, which the company said it fixed in January 2022, that allowed hackers to discover which Twitter handles matched registered email addresses and phone numbers. That allowed scammers to compile a database, and potentially identify users who tweet anonymously.




https://www.businessinsider.com/hackers ... irm-2023-1
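The API flaw described in the last paragraph of that article is an account-enumeration oracle: a lookup that answers differently for registered and unregistered contacts, so bulk queries rebuild a directory. The added example below is not from the article or from Twitter's code; it shows such an oracle beside a uniform-response version and a simple log check that counts distinct identifiers per client. The user directory, log format and threshold are constructed assumptions.

```python
"""Account-lookup oracle vs. a uniform response, plus a detection check.
Added example; all users, log lines and thresholds are constructed."""
from collections import defaultdict

# Constructed user directory: contact identifier -> account handle.
USERS = {
    "alice@example.com": "@alice",
    "+15550100": "@bob",
}


def lookup_vulnerable(identifier: str) -> dict:
    """Oracle: the response reveals whether the contact is registered and
    which handle it maps to, so querying many contacts builds a database."""
    handle = USERS.get(identifier)
    if handle is None:
        return {"found": False}
    return {"found": True, "handle": handle}


def lookup_hardened(identifier: str) -> dict:
    """Uniform response: registered and unregistered contacts get the same
    answer; any linkage happens out of band (e.g. a message to the owner)."""
    _ = USERS.get(identifier)  # a real service would act here, silently
    return {"status": "If this contact is registered, we have sent a message."}


def flag_enumerators(log_lines, threshold: int = 3) -> list:
    """Return clients that queried more than `threshold` distinct contacts.
    Assumed log format (constructed): '<timestamp> <client> <identifier>'."""
    distinct = defaultdict(set)
    for line in log_lines:
        _ts, client, ident = line.split()
        distinct[client].add(ident)
    return sorted(c for c, ids in distinct.items() if len(ids) > threshold)


# Constructed sample log: one client sweeps five contacts, another repeats one.
SAMPLE_LOG = [
    "2023-01-04T10:00:00Z 203.0.113.5 a1@example.com",
    "2023-01-04T10:00:01Z 203.0.113.5 a2@example.com",
    "2023-01-04T10:00:02Z 203.0.113.5 a3@example.com",
    "2023-01-04T10:00:03Z 203.0.113.5 +15550101",
    "2023-01-04T10:00:04Z 203.0.113.5 +15550102",
    "2023-01-04T10:00:05Z 198.51.100.7 alice@example.com",
    "2023-01-04T10:05:00Z 198.51.100.7 alice@example.com",
]

if __name__ == "__main__":
    print(lookup_vulnerable("alice@example.com"), lookup_hardened("alice@example.com"))
    print("enumerating clients:", flag_enumerators(SAMPLE_LOG))
```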