
Malicious Chrome Extension Discovered Siphoning Private Data of Roblox Players

 

Customers of Roblox, the popular online game platform, are being targeted by a malicious Google Chrome browser extension that attempts to siphon their passwords and private data.

Threat analysts at Bleeping Computer uncovered two separate Chrome extensions called SearchBlox, with more than 200,000 downloads, containing a backdoor that allows hackers to steal users' Roblox credentials and their Rolimons assets.

It remains unclear whether the designer of these two extensions added the backdoor intentionally or whether another hacker did; however, threat analysts were able to analyze their code and find the backdoor.

The malicious extensions identified on the Chrome Web Store add a player search box to the user's page that lets them scan the game's servers for other players. Although they have different icons, the extensions were both designed by the same developer and have identical descriptions.

Surprisingly, the first extension was actually featured on the Chrome Web Store despite its three-star rating. The comments on its review page show that Roblox players were quite satisfied with the extension before the backdoor was suddenly added, which indicates that a threat actor, and not its developer TheM2, was responsible.

To mitigate the potential threat, researchers advised Roblox players to uninstall the extension immediately, clear browser cookies, and alter the login credentials for Roblox, Rolimons, and other websites where they logged in while the extension was active. 

Additionally, the Google spokesperson confirmed that the extensions were removed immediately and would also be automatically erased from systems where they were installed. 

"The identified malicious extensions are no longer available on the Chrome Web Store," Google stated. "The extensions are block listed and will be automatically removed from any user machine that previously downloaded them."

This is not the first time Roblox users have been victims of cybercrime. Earlier this year, in May, security experts identified a malicious file concealed inside the legitimate Synapse X scripting tool, which is used to inject exploits or cheat codes into Roblox.

Malicious hackers exploited Synapse X to deploy a self-executing program on Windows PCs that installs library files into the Windows system folder. This has the potential to break applications, corrupt or erase data, or even send data back to the attackers responsible.

IoT Security: A Major Concern for Businesses Worldwide

 

As technology continues to evolve and more industries across the globe become connected, understanding the security challenges linked with industrial internet of things (IIoT) deployments is increasingly important.

Businesses planning to roll out a manufacturing or industrial IoT initiative, or link existing technology for automated and remote monitoring or access, will need to consider all of the potential threats and attack vectors linked with those decisions. The most common security challenges with industrial IoT security are as follows: 

Security Breach Via Old Systems 

The surge in the number of IoT apps has made it easier for malicious hackers to find vulnerabilities through which to reach organizational data. Operating multiple IoT devices through the same internet connection makes it easier for attackers to use a compromised device as a point of unauthorized access to other resources. This lack of network segmentation can be devastating, as one successful attack on an IoT device can open the door for attackers to siphon sensitive data.

To safeguard IoT-powered enterprises from data breaches, it is important to strengthen the security of the devices with hardware-based VPN technology and to deploy a real-time monitoring solution that continuously scans and reports the behavior of the connected devices.

DDoS Attack 

Attackers can target businesses' endpoint devices by flooding them with overwhelming traffic so that they cannot complete the work they were intended to do.

For example, when an industrial thermostat is connected to the internet without protection, a coordinated DDoS attack on the entire system could lead to downtime. One of the best ways to mitigate this type of IIoT threat is to safeguard the internet connection with a firewall.

Device Spoofing  

In IIoT, a device spoofing attack is launched when hackers pose as a legitimate device in order to send information between a business's centralized network and the IIoT endpoint device. For example, the attacker can pose as a trusted IoT sensor and send back false information that could alter an organization's manufacturing process. This risk can be mitigated by employing a hardware-based security solution.

Device Theft 

Another common issue, particularly with devices out in the field, is theft of the physical devices themselves. The threat grows when endpoint devices store critical data whose theft by attackers would cause concern.

To minimize the threat, it’s necessary to avoid storing sensitive information on endpoint devices and use cloud-based infrastructure to store critical data. 

Data Siphoning 

The transmission of data by endpoint devices can be intercepted via an eavesdropping attack: the attacker listens in on the network traffic from the endpoint device to gain access to the data it has collected.

The industries most impacted by this type of IoT attack are the health, security, and aerospace industries. To mitigate the threat, organizations must have a security policy ensuring that all transmitted data is adequately encrypted using the best encryption software. 

“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing,” said Robert M. Lee, CEO of Dragos Inc., raising a concern about organizations' security.

“There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable.”

Spy Agencies Exploit Computer Networks to Gather Digital Information

 


A recent report contains a new revelation from one of the country's two spy agencies: the agency retrieves information directly from where it is stored or processed on computers. There has long been a high level of secrecy surrounding the “exploitation” of computer networks at the GCSB.

US commentators have described computer network exploitation as a form of cyber warfare, or "theft of data". "With the help of our legislation, we can gain access to information infrastructures, which is more than just interception," said Andrew Hampton, Director-General of the Government Communications Security Bureau.

"As a result of it, we are also now able to retrieve digital information directly from its storage or processing place." The GCSB calls this "access to information infrastructures", or "accessing the infrastructure of information."

Hampton's speech to the Institute of International Affairs, given in May, was cited as the source of the revelation by the spying watchdog, Inspector-General of Intelligence and Security Brendan Horsley.

In his annual report, released on Friday, Horsley said he had been able to scrutinize the exploitation operations thoroughly and could assure the public that they were not abused.

In the past he had been forced to refer only to "certain operations". He said that "although it was subject to oversight, it was not possible to provide any clear public assurance of this."

During his review of the compliance systems associated with CNE, he found that they were "on the whole, appropriate and effective". 

Even so, he was not permitted to elaborate on "the bureau's use of this potentially significant capability." 

According to the Inspector-General, the SIS is also doing a lot more "target discovery", which means it has to manage far more data than in the past, at a time when its checks and controls on data have not yet improved to the level they need to be.

Horsley is currently reviewing the SIS's target discovery process, and a review of the GCSB's will follow soon.

After the attacks on the mosque in the summer of 2019, both agencies have intensified their efforts in this area. 

From a civil liberties and privacy standpoint, one of the potential hazards of target discovery activities is intrusion into the lives of people who have done nothing to merit the attention of a national security agency, the Inspector-General said in his report.

He found no significant problem with Section 19 of the security laws, concluding that the law simply required each agency monitoring or collecting data to be able to justify that monitoring or collection on grounds "other than the fact that certain ideas were expressed on a platform".

Late last year the GCSB adopted a revised policy on holding on to all of the extra data. It specifically states that the GCSB cannot hold onto information solely because it may be useful in the future.

By contrast, a report by the same office found that the SIS was struggling with policy implementation. More than 93 percent of its policies and procedures needed to be reviewed, and some, such as data analytics policies, were non-existent.

Horsley said that decisions were being made on the basis of draft procedures, which had been used for guidance.

There is an agreement between the SIS and the DOJ to deal with the backlog of policies. Even though the SIS has already halved the number of its policies, a policy's suitability for its intended purpose cannot be guaranteed in the meantime.

In addition, the SIS had a long way to go in reviewing its data-sharing agreement with the Department of Internal Affairs, which is also well behind schedule.

Both the SIS and the bureau have sound control mechanisms and effective ways to manage any breaches that may occur.

When it was determined that sharing information among the agencies would result in human rights abuses, the agencies' joint policy on sharing information with foreign partners was changed.

As far as Horsley was concerned, the updated policy was "a marked improvement" on the 2017 policy, although he maintained reservations about some of the terms, criteria, and the handling of reports likely to have been obtained by torture, and he wanted more details made public about the revised policy. 

The report shows that he reviewed 63 spying warrants, 49 of which were Type 1 warrants, the most serious kind, under which a New Zealander can be subjected to what would otherwise be unlawful activity in order to collect information about him or her.

Hackers Could Find a Heaven on Elon Musk's Twitter

 


The ransomware group Yanluowang appears to be on Twitter now, using its newly created account to announce that it has breached the systems of the messaging platform Matrix. The group has previously compromised high-profile companies.

Yanluowang is one of several cybercrime groups that have been active on Twitter in recent months, and the platform's takeover by Elon Musk, who has promised a more laissez-faire approach to content moderation, could make it an even more attractive environment for cybercriminals to operate in.

It was recently reported that Yanluowang, the ransomware gang known for targeting financial services companies with its malware, had started tweeting. From the account, it appears to be used to display data stolen from the gang's victims. The first of these is Matrix, an open messaging protocol used by 60 million people worldwide, which the gang claims to have breached last week.

Several links on the account's page appear to provide access to leaked data from the Matrix messaging platform, including "chief coder and saint thread" and "master stealer task."

There are six such links on the page. A member of the Tech Monitor team has reached out to Matrix for comment.

Tweets are a favorite of ransomware gangs

Ransomware gangs are not the first group of criminals to use Twitter as an outlet to promote the theft of data using ransomware.

Several groups, including Karakurt and BlackByte, have created Twitter profiles to make their illicit merchandise more widely known. Yanluowang's page appears to be still up, though the other two appear to be suspended, at least for the time being. A website set up by Karakurt on the open web was also used to sell its data to the highest bidder at the time of the hack.

This method of data extortion is common, even though it may prove short-lived and risky, because cybercrime gangs experimenting with it need somewhere public with a large reach where they can advertise their stolen data, according to Allan Liska, an intelligence analyst at Recorded Future.

Liska told Tech Monitor in August that "Not everyone has a Tor browser, and Karakurt needs to be able to earn money as much as it can whether or not it can make any money from where it's getting its data," if it wants to succeed. "Essentially, if you are trying to extort someone, you cannot make it difficult for them to obtain the data if your aim is extortion."

Hackers could be attracted to Elon Musk's Twitter

In the wake of Elon Musk's acquisition of Twitter for $44 billion, Twitter is experiencing a period of upheaval that might last for years to come.

It has been confirmed that Tesla CEO Elon Musk is now working at Twitter as its "Chief Twit" after completing the takeover of the company on Friday, following several months of legal proceedings. In the very public wranglings that preceded the deal, Musk expressed his intention to make Twitter an environment where freedom of speech flourishes, referring to himself as a "free speech absolutist". The site is expected to change its approach to content moderation shortly as a result. There was reportedly an increase in hate speech on the platform in the days leading up to his takeover.

Hackers could reap the benefits of this, as they would be able to maintain accounts to advertise their illegal activities. Jason Steer, CISO at cybersecurity vendor Recorded Future, says that this is a possibility that can be just as easily nailed down. In his opinion, hackers "will continue to exploit other platforms like Telegram to promote their work and sell stolen data for decades to come," but he does believe that Twitter's current issues "could be an opportunity for them."

A Game of Cyber Big Game Hunting

When a group of cybercriminals carries out a cyber attack or cyber scam, the target audience and the targeting methods vary. Sometimes the threat actors target random individuals in large numbers to increase their chance of getting a hit. However, cybercriminals do not follow this approach when it comes to 'big game hunting.'

So what is big game hunting, and how does it put you at risk? According to several studies, big game hunters are advanced and sophisticated cyber attackers, often working as part of an organized group, who take down large firms and large audiences at once.

Furthermore, research shows that cybercriminals are achieving enormous success with their “big game hunting” (BGH) campaigns. The availability of commodity malware under a ransomware-as-a-service (RaaS) model has contributed hugely. Five ransomware families topped the list in 2020: Dharma, Medusa Locker, Phobos, REvil/Sodinokibi, and Makop.

Certain industries, such as technology, manufacturing, telecommunications, and finance, have faced more intrusions than others.

In many cases, these big game hunter groups have been observed to operate as highly structured and organized networks, not unlike corporate enterprises. These groups are often state-sponsored and are suspected of having ties with prominent government figures.

According to the technical data, a number of legitimate software applications are frequently used by threat actors, such as Process Hacker, Advanced IP Scanner, TeamViewer, ProcDump, Advanced Port Scanner, IObit Unlocker, PowerTool, GMER, PC Hunter, and AnyDesk, among others.

Pentesting tools deployed by attackers include Mimikatz, PowerShell Empire, Cobalt Strike, PowerSploit, LaZagne, SharpHound, Meterpreter, PowerCat, Powerkatz, Rubeus, and others.

Now we will look at the cost of cyber big game hunting, based on examples of its previous targets.

  • The average ransom demand from attackers is $6 million USD
  • The average ransom payment increased by 63% in 2021 to $1.79 million (USD), compared to $1.10 million (USD) in 2020
  • 96% of those who paid the initial ransom also had to pay extortion fees
  • There was an 82% increase in ransomware-related data leaks in 2021, compared to 2020
  • 66% of respondents’ organizations suffered at least one ransomware attack this year
  • 57% of those hit by ransomware didn’t have a comprehensive strategy in place to coordinate their response.

Since the cost of ransomware attacks and the number of targets have increased, organizations need to develop a new approach to fighting cyber threats. Organizations should also re-evaluate the techniques and tools they use for intruder detection and incident response.

Harcourts Real Estate Agency Suffered a Data Breach


Australian real estate agency Harcourts has confirmed that it suffered a data breach last month at its Melbourne city office which potentially exposed the personal details of tenants, landlords, and tradespeople.

The agency wrote to its customers that its rental property database had been accessed by an unknown third party without authorization.

Furthermore, on Thursday Harcourts said that the breach took place when the account of a representative at service provider Stafflink, which provides the franchisee with administrative support, was compromised and accessed by a third party.

"We understand the unauthorized access occurred because the representative of Stafflink was using their own device for work purposes rather than a company-issued (and more secure) device," it said in a statement.

The agency learned about the attack on October 24, an email sent to customers has confirmed. According to the email circulated online, the details potentially breached for tenants included their names, email addresses, addresses, phone numbers, photo identification, and signatures.

For landlords and trades, bank details as well as their names, addresses, phone numbers, email addresses, and signatures have been compromised. 

The attack came to light weeks after security experts and tenancy advocates raised concerns about the potential for data breaches in the industry.

Following the attack, chief executive Adrian Knowles said dealing with the incident was the company’s top priority. He added that an investigation is under way and that the company hopes to resolve the matter soon.

“We understand people will be deeply concerned and upset about this data breach. I would like to offer our sincere apologies to everyone who has been inconvenienced as a result…,” Knowles said. “…We are working together with the franchisee to ensure that all impacted individuals are advised of the incident. In addition, we are in the process of establishing complimentary credit monitoring and access to the IDCARE support service for impacted individuals.” 

The Urlscan.io API Unintentionally Exposes Sensitive URLs and Data

 

Researchers have issued a warning about enterprise software misconfigurations that result in the leak of sensitive records on urlscan.io.

Urlscan.io is a website scanning and analysis platform. The system accepts URLs and generates a wealth of data, including domains, IP addresses, DOM information, and cookies, as well as screenshots. According to the developers, the engine's goal is to enable "anyone to easily and confidently analyze unknown and potentially malicious websites."

Many enterprise customers and open-source projects are supported by Urlscan.io, and an API is provided to integrate these checks into third-party products.

GitHub alert

Positive Security stated in a blog post published today (November 2) that the urlscan API came to its attention as a result of an email sent by GitHub in February warning customers that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

Positive Security discovered that this could include urlscan.io dorks, password reset links, setup pages, Telegram bots, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices after further investigation.

Pingbacks to leaked email addresses appeared to indicate that the culprits were misconfigured security tools that submitted links received via email as public scans to urlscan.io. Many API integrations, for example, used generic python-requests/2.X.Y user agents that ignored account visibility settings, allowing scans to be incorrectly submitted as public.

Misconfiguration of SOAR

Positive Security contacted a number of leaked email addresses and received only one response: from a company that sent an employee a DocuSign link to their work contract and then launched an investigation. The employer discovered that the problem was caused by a misconfiguration of their Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io.

Positive Security investigated historical urlscan.io data and discovered misconfigured clients that could be abused by scraping the system for email addresses and sending them unique links to see if they appeared on urlscan. Password resets for many web services can be triggered for users of such misconfigured clients, and the leaked link can be used to set a new password and take over the accounts.

Speaking to The Daily Swig, Fabian Bräunlein, co-founder of Positive Security, said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.”

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”

Urlscan Overhaul

Positive Security reported its findings to urlscan.io once its assessment of the issue's impact was completed in July. The cybersecurity firm and the urlscan.io developers then collaborated to resolve the issues discovered, resulting in the release of a new engine version later this month.

The updated software features an improved scan visibility interface as well as team-wide visibility settings. Urlscan.io later published Scan Visibility Best Practices, which explain the security benefits and risks posed by the three visibility settings users select when submitting a URL: 'Public,' 'Unlisted,' and 'Private.'

Urlscan.io has also contacted customers who have submitted a large number of public scans and has started reviewing third-party SOAR tool integrations. Finally, the developers added deletion rules, highlighted visibility settings in the user interface, and included a report button to disable problematic search results.

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.
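The fix the article describes is to make the visibility of every submission explicit instead of relying on the account default, and to keep capability-style links (password resets, signing requests, tracking links) out of public scans. The following Python is an added example, not Positive Security's or urlscan's code: it builds the urlscan submission with visibility always set, refuses a likely-sensitive URL as a public scan, and audits past scan records for exactly the leak pattern described above. The endpoint, the `url`/`visibility` fields and the `API-Key` header are urlscan's public API; the sensitive-URL heuristic, the record shape used by the audit, the User-Agent string and all sample inputs are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Public urlscan.io API details (endpoint, "url"/"visibility" fields, "API-Key" header).
SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"
VALID_VISIBILITY = ("public", "unlisted", "private")

# Heuristic (constructed for this example): query parameters that usually carry a
# one-time or bearer-style secret, as in password-reset, signing or tracking links.
SENSITIVE_PARAMS = {"token", "reset", "sig", "signature", "auth", "code", "key", "otp", "session"}


def _is_opaque(segment: str) -> bool:
    """A long run of mixed letters and digits with few separators: typical of a token."""
    return (len(segment) >= 24
            and re.fullmatch(r"[A-Za-z0-9_\-=%]+", segment) is not None
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment)
            and segment.count("-") <= 2)


def looks_sensitive(url: str) -> bool:
    """True when the URL probably grants access by itself (a capability URL)."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    if any(name.lower() in SENSITIVE_PARAMS for name in params):
        return True
    if any(_is_opaque(seg) for seg in parsed.path.split("/") if seg):
        return True
    return any(_is_opaque(v) for values in params.values() for v in values)


def check_policy(url: str, visibility: str, allow_public_sensitive: bool = False):
    """Return None if the submission is allowed, otherwise the reason it is refused."""
    if visibility not in VALID_VISIBILITY:
        return f"visibility must be one of {VALID_VISIBILITY}, got {visibility!r}"
    if visibility == "public" and looks_sensitive(url) and not allow_public_sensitive:
        return "refusing to submit a likely-sensitive URL as a public scan"
    return None


def build_scan_request(url: str, api_key: str, visibility: str = "private",
                       allow_public_sensitive: bool = False) -> dict:
    """
    Build the HTTP request for one urlscan submission (shaped like the keyword
    arguments a requests.post() call would take; nothing is sent here).
    Policy (constructed, mirroring the fix the article describes): visibility is
    always written into the body so the account default never decides, and a URL
    that looks like a capability link is never made public without an explicit override.
    """
    reason = check_policy(url, visibility, allow_public_sensitive)
    if reason is not None:
        raise ValueError(reason)
    return {
        "url": SCAN_ENDPOINT,
        "headers": {
            "API-Key": api_key,
            "Content-Type": "application/json",
            # A descriptive User-Agent lets the provider attribute traffic to this tool
            # rather than to a generic python-requests/X.Y.Z client.
            "User-Agent": "example-soar-playbook/1.0 (+security@example.invalid)",
        },
        "json": {"url": url, "visibility": visibility},
    }


def audit_submissions(records: list) -> list:
    """
    Review past scan records (assumed here to carry a "task" dict with "url" and
    "visibility") and return the URLs that were submitted publicly although they
    look sensitive, i.e. the leak pattern Positive Security found.
    """
    return [rec["task"]["url"] for rec in records
            if rec.get("task", {}).get("visibility") == "public"
            and looks_sensitive(rec["task"].get("url", ""))]


if __name__ == "__main__":
    # Constructed sample history standing in for an export of a team's scans.
    history = [
        {"task": {"url": "https://example.invalid/reset?token=3c9fd1e0", "visibility": "public"}},
        {"task": {"url": "https://example.invalid/news/router-guide", "visibility": "public"}},
        {"task": {"url": "https://sign.example.invalid/d/AbCdEf0123456789GhIjKlMnOpQr",
                  "visibility": "private"}},
    ]
    print("leaked via public scans:", audit_submissions(history))
    print(build_scan_request("https://example.invalid/news/router-guide", "<API-KEY>"))
```

The heuristic errs on the side of refusing; an operator who really wants a public scan of a flagged URL must pass `allow_public_sensitive=True`, which makes the decision visible in the playbook rather than implicit in an account setting.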

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third-party automation providers to ensure adherence to safe default behaviors. A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”

Leaked Amazon Prime Video Server Exposed Users' Viewing Habits

A database containing Amazon Prime Video users' viewing habits, which was stored on an internal Amazon server, was accidentally exposed online and could be accessed by anyone with a web browser.

Anurag Sen, a cyber-security researcher, discovered the database containing Amazon Prime viewing habits on an internal Amazon server that was accessible online. According to TechCrunch, the database was first detected as being exposed to the internet on September 30 by the search engine Shodan.

"But because the database was not protected with a password, the data within could be accessed by anyone with a web browser just by knowing its IP address," the report noted.

The database contained nearly 215 million viewing data entries, such as the name of the show or movie being streamed, the device on which it was streamed, and other internal data. The Amazon Prime Video database was eventually taken down from the Internet. According to an Amazon spokesperson, there was a "deployment error with a Prime Video analytics server."

"This problem has been resolved and no account information (including login or payment details) was exposed. This was not an AWS issue; AWS is secure by default and performed as designed," the spokesperson added.

'The Lord of the Rings: The Rings of Power' attracted more than 25 million global viewers on its first day, the largest debut in Prime Video history, and is closing in on 100 million viewers to date, according to the company's latest Q3 earnings call. It also kicked off Prime Video's inaugural season as the exclusive home of NFL Thursday Night Football with over 15 million viewers for its first game.

TikTok Has Grown Into a Global Giant, and the United States Has Threatened to Rein It In

 

This summer was a period of economic uncertainty for much of the tech industry, resulting in a drop in bitcoin prices, hundreds of layoffs, and a hiring freeze. It was also the summer that US regulators crossed the aisle to reach an agreement: it was time for stricter rules for the video platform TikTok. 

TikTok has been the focus of rare bipartisan calls for regulation and investigation since Buzzfeed reported in June that employees of TikTok's Chinese parent company ByteDance had access to US consumer data. When the FBI director, Christopher Wray, called Chinese espionage the "greatest long-term threat to our nation's... economic vitality" in July, those inquiries became more pressing.

“If you are an American adult, it is more likely than not that China has stolen your personal data,” Wray said. “We’ve now reached the point where the FBI is opening a new China-related counterintelligence case about every 10 hours.”

The China question

TikTok is a relatively new player in the arena of massive global social media platforms, but it has already piqued the interest of European regulators. New laws in the UK and the EU concerning child safety and general internet safety have compelled the company to become more transparent about how it operates and how content spreads on its platform.

In the United States, efforts to rein in the video platform have only recently gained traction, though there is little doubt that the round of regulatory pressure is warranted. With 1 billion users, the platform, which uses an algorithmic feed to push short-form videos to users, has had its fair share of misinformation, data privacy concerns, and child safety concerns.

The app's connection to China is one of the issues that US lawmakers are most publicly focused on. TikTok has consistently stated that the data of its US users is stored in Virginia data centers and backed up in Singapore. In June, the company announced that all US user data would be routed through Oracle servers in the United States.

However, recordings of TikTok executives obtained by BuzzFeed News indicate that ByteDance employees based in China accessed US user data multiple times between September 2021 and January 2022. “Everything is seen in China,” one TikTok employee reportedly said in a meeting.

On June 23, a bipartisan group of five senators proposed a new bill that would prohibit companies from sending American users' data to "high risk foreign countries." In July, Senators Mark Warner and Marco Rubio asked the Federal Trade Commission (FTC) to investigate TikTok.

“TikTok, their parent company ByteDance, and other China-based tech companies are required by Chinese law to share their information with the Communist party,” Warner said. “Allowing access to American data, down to biometrics such as face prints and voiceprints, poses a great risk to not only individual privacy but to national security.”

Brendan Carr, the FCC's senior Republican commissioner, said the BuzzFeed News story marked a watershed moment in lawmakers' thinking about TikTok. “What really changed things was it wasn’t people theorizing or government officials saying stuff in talking points that you weren’t really sure if there was any there, there. This was a report that had internal communications and leaked audio of internal meetings … that just blew the doors off of all of [TikTok’s] representations about how it handled data and showed it to be gaslighting.”

Carr, who has advocated for Google and Apple to remove TikTok from their stores, said the revelations made TikTok's national security concerns more real than ever before and brought people from different political parties together.

TikTok claims that US lawmakers' concerns about national security are exaggerated and that the platform does not share user data with the Chinese government. "Neither would we if asked," company spokesperson Maureen Shanahan said.

Shanahan stated that the company has been open about its efforts to limit employees' access to US user data, and the BuzzFeed News report demonstrates that TikTok is "doing what it said it would do."

“In 2021, TikTok engaged consultants to help assess how to limit data access to US user data,” Shanahan said in a statement. “In the 80 leaked meetings, there were 14 statements indicating that engineers in China had access to US data … It is unfortunate that BuzzFeed cherry-picked quotes from meetings about those very efforts and failed to provide adequate context.”

“Like many global companies, TikTok has engineering teams around the world,” Shanahan said. “We employ access controls like encryption and security monitoring to secure user data, and the access approval process is overseen by our US-based security team.”

Bigger than China

Experts contacted by the Guardian did not question China's cybersecurity threat to the US. However, some expressed concern that regulators' focus on TikTok's China connection would divert attention away from other pressing issues, such as TikTok's algorithm and how much user data the company collects, stores, and shares with other US entities.

There is little information available about the amount of user data TikTok collects and shares with entities in the United States. Even Oracle, the company TikTok hired to audit its algorithms and data privacy policies in order to reassure lawmakers that the platform is free of Chinese influence, has been accused of keeping dossiers on 5 million people worldwide. There are currently no federal regulations in place to safeguard such information.

“The China question to me is almost a red herring because there’s so little being done to protect user privacy generally in the US,” said Sara Collins, a senior policy counsel at the non-profit public interest group Public Knowledge. “The thing I would be concerned about is the same stuff that we’re concerned about with Facebook or with Google. It’s their data privacy practices, what they’re doing with that data, how they’re monetizing it, and what adverse effects are there on users.”

A federal privacy bill currently being debated in Congress could begin to address these concerns. According to Collins, whose employer Public Knowledge works on content moderation and regulation issues, the American Data Privacy and Protection Act (ADPPA) would "actually create a privacy framework for all these companies that would affect TikTok and its business model." (TikTok has made donations to Public Knowledge.)
 
In the meantime, states are taking matters into their own hands. California passed a landmark child online safety bill that would require platforms like TikTok and Instagram to vet any products geared toward children before releasing them, as well as to implement privacy safeguards for younger users by default.

Marc Faddoul, co-director of Tracking Exposed, an organization that tracks how TikTok's algorithm works, believes that congressional leaders' focus on the platform's China connections misses the mark when it comes to pressing for more information about the app's algorithm.

“To me, what’s missing from regulators’ radars is that the biggest leverage point in disseminating content online is the mechanics of algorithmic promotion and algorithmic demotion because taking down an individual piece of content, especially if it has already been spread, does little to mitigate the potential harm,” Faddoul said. Those opaque mechanisms, he argued, pose “the biggest threat in terms of interference in internal politics or popular opinion”.

There isn't much information available about how the algorithm decides which content to promote to the top of each person's For You Page. However, in many cases, that content has proven to have real-world implications. Domestic extremists, for example, used TikTok to promote violence and call on their followers to bring guns to the US Capitol in the run-up to the January 6 riots, according to a Department of Homeland Security intelligence document. According to the document, the platform is also rife with violent extremist content.

TikTok says it uses “a combination of technology and thousands of safety professionals” to identify and remove videos that violate its policies. AB Obi-Okoye, a spokesman for the company, said TikTok will continue those efforts, factchecking content in over 30 languages.

“Factchecking is just one component of how we moderate content,” Obi-Okoye continued. “We use a combination of publicly available information as well as the information we receive from our factchecking partners to help us assess content.”

It's also critical to understand how TikTok's algorithm works, according to Faddoul. As the Guardian first reported, the company has previously directed its moderators to censor certain posts, including those mentioning Tiananmen Square or Tibetan independence. Obi-Okoye stated that those policies were outdated and no longer in use. “Today, we take a nuanced approach to moderation, including building out a global team with deep industry experience and working with external content and safety advisory councils,” Obi-Okoye said.

Is there too much or too little oversight?

While experts and lawmakers agree that more regulation is needed, there is significant disagreement about how much regulatory scrutiny TikTok has historically received, especially in comparison to players such as Facebook, Twitter, and Google.

Carr, the FCC commissioner, attributes some of the apparent lack of focus on TikTok to a politicization of the debate after Donald Trump signed an executive order in 2020 requiring ByteDance to sell or spin off its US TikTok business. (That order has since been revoked by Joe Biden.)

Because of TikTok's ties to China, he believes the threats it poses are in a different category than those posed by Facebook and Google. And, in comparison to other Chinese-based tech companies like Huawei and ZTE, TikTok has "largely skated and avoided having to account for some very serious national security concerns," according to Carr.

The TommyLeaks and SchoolBoys Ransomware Gangs Share a Common Enemy

Two new extortion gangs, TommyLeaks and SchoolBoys, have emerged out of China, attacking companies around the world with extortion threats. There is one catch: both are part of the same ransomware gang. 

Earlier this month, security researcher MalwareHunterTeam warned of a new extortion gang called TommyLeaks that was trying to extort companies. 

The group claims to have breached companies' networks and stolen data, and demands a ransom not to leak that data. In a recent report, BleepingComputer reported that ransom demands ranged from $400,000 to $700,000. 

MalwareHunterTeam discovered yet another extortion gang in October, dubbed the 'SchoolBoys Ransomware Gang'. They claim to use ransomware in their attacks, stealing data from victims and encrypting their devices.

The threat actors steal data during their attacks. However, no public data leak site has yet been identified through which they leak that data. 

Even though there was nothing that connected the two groups at the time, they both used the same Tor chat system to negotiate with their victims.

What is even more suspicious about the use of this particular chat system is that it had only ever before been used by the Karakurt extortion group.

BleepingComputer reported this week that TommyLeaks and the SchoolBoys Ransomware Gang are both part of the same extortion group.

During a SchoolBoys negotiation chat that BleepingComputer saw, the threat actors appeared to present themselves to their victim as TommyLeaks while attempting to coerce a ransom payment. 

Even though it is not entirely clear why they use two different names, they may be taking an approach similar to that of Conti and Karakurt. 

As previously reported by BleepingComputer, AdvIntel CEO Vitali Kremez has revealed that Karakurt is part of the Conti cybercrime syndicate and a member of the DefConti crime family. 

In attacks where Conti's ransomware encryptor was blocked, the hackers extorted the victim using the data they had already stolen, operating under the Karakurt name rather than the Conti brand. 

Taking this one step further, since the TommyLeaks/SchoolBoys group uses the same chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

Cyber-Attackers Claim to Have Accessed Customer Data at Medibank Australia

According to Medibank, which covers one in six Australians, an unidentified person notified the company that some 200 gigabytes of data had been stolen, including medical diagnoses and medical treatments. This followed the company's disclosure a week earlier of a theft of 200 gigabytes of data.

The company did not say how many of its 4 million customers may have been affected, but warned that the number is likely to rise as the issue unfolds. The Australian Federal Police announced that they had opened an investigation into the breach but had no further comment.

An Australian newspaper report has warned that the data of at least 10 million customers may have been stolen. This adds a further layer of intrigue to a wave of cyberattacks on the country's largest companies since No. 2 telco Optus, owned by Singapore Telecommunications Ltd, revealed a month ago that the data of ten million customers may have been stolen. 

Most public commentary has so far focused on the possibility that hackers could use stolen data to gain access to bank accounts or to commit identity theft. The Sydney Morning Herald reported that it received a message from a person claiming to be the Medibank hacker, threatening to publish medical records of high-profile individuals unless the hacker was paid.

Currently, the Melbourne-based company is working with several cyber-security firms and has also contacted the Australian Cyber Security Centre (ACSC), the government's lead agency for cyber security.

"This is a situation where we have very sensitive information regarding healthcare and that information, if made public by itself, could cause severe harm to Australians, and that is why we at the Australian Broadcasting Corporation are so actively involved with this," said Cybersecurity Minister Clare O'Neil in an exclusive interview with the ABC.

As cyber security experts pointed out, it was unclear whether the three disclosed data breaches were related to a single incident, since the attacks were diverse. However, the publicity generated by the Optus attack may have drawn the attention of hacker networks.

"When there is the highly visible breach, such as what happened to Optus in Australia, then hackers take notice of it and think they are planning to try to see what I can get away with down there," said the executive editor Jeremy Kirk for Information Security Media Group, one of the leading cybersecurity specialist magazines out there.

Optus rival Telstra Corp Ltd on Tuesday disclosed a breach of employee data, while Woolworths Group Ltd on Thursday said an unidentified party had gained unauthorized access to the customer database of a bargain website used by more than 2.2 million shoppers.

High-profile data breaches demonstrate how crucial it is to use multi-factor authentication at every level of a company's network, i.e. requiring an authentication code sent to a separate device in order to log in, according to Sanjay Jha, chief scientist at the University of New South Wales Institute for Cybersecurity.

Jha told Reuters over the phone that, although they have implemented such controls for end users, they should have even tougher controls for internal servers, since server security is a major concern.

"Continuous authentication is necessary for people not to log in and leave after logging in and leave forever, allowing attackers to access your computer and compromise it," Jha continued.

Founder and chief intelligence officer of F5, Dan Woods, a former FBI cyberterrorism investigator, commented that Australia had "undoubtedly endured its most difficult few weeks from a cybercrime perspective, but on the positive side, it's been a wake-up call for the country, one that it may have needed." 

Warning to iPhone and Android Users: 400 Apps Could Leak Data to Hackers

Android and iPhone users are being told to delete specific apps from their mobile phones because they could potentially steal their data. 

According to reports, Facebook has issued a warning after discovering that more than 400 apps appear to have been stealing sensitive login information from smartphones. Because these apps pose as popular services such as photo editors, games, and VPNs, they can easily go unnoticed.

The scam apps are designed to obtain sensitive consumer information by asking users to sign in via their Facebook account once the apps have been installed, ostensibly so that users can access the apps' features, Hull Live reported.

Facebook published a post on its newsroom about malicious apps that ask users to sign in with their Facebook account before they can use the advertised features. If users enter their credentials, the malware steals their usernames and passwords, which is a serious security risk.

These applications were available for download on the official Google Play Store and Apple App Store, which means they could have been installed on thousands of devices.

Apple and Google have already removed these apps from their application stores; however, they can still be found on third-party marketplaces, and anyone who previously downloaded the apps could still be at risk.

According to Facebook, this year it has identified more than 400 malicious Android and iOS apps that target people across the internet to steal their login information in a bid to gain access to their Facebook accounts.

Apple and Google have been informed of the findings, and Facebook is working to help those who might be affected learn how to keep their online accounts safe and secure.

According to Facebook, users should take the following steps to fix the problem:

• Reset your passwords and create new, stronger ones. Use a unique password for each website so that you do not have to reuse them.

• To further protect your account, enable two-factor authentication, preferably using an authenticator app as the second factor.

• Make sure that you enable log-in alerts in your account settings so you are notified if anyone attempts to gain access to your account.

Facebook also outlined a red flag that Android and iPhone users should be aware of when judging whether an app is likely to be fraudulent:

• The app requires users to log in with social media before it will function, and it only works once they have completed this step.

A Facebook spokesperson added that looking at the number of downloads, ratings, and reviews may help determine whether a particular app is trustworthy.

Australia's Medibank Drops After Ransomware Attack in IT Network

Medibank has provided additional details about a cyber incident that occurred last week, stating that it detected precursor activity consistent with a ransomware attack. 

CEO David Koczkar stated that no customer data was taken and that the insurer had since brought its customer-facing systems back online. It had taken some systems offline immediately after monitoring systems detected "unusual activity."

“We have contained the ransomware threat but remain vigilant and will take the necessary steps in the future to protect our operations and customer data," Koczkar said.

According to a brief timeline, Medibank discovered "unusual activity" on its servers on Wednesday last week, prompting its cyber security team to launch an incident response with the assistance of partners.

“Later that evening, we identified the unusual activity was focused on the IT infrastructure we use to support our ahm and international student customer policy management systems.”

Medibank decided to temporarily block and isolate access to the two systems and halt trading while the activity was investigated, according to Koczkar. The customer-facing systems "were restored on new IT infrastructure," allowing business to resume as usual by last Friday.

On Thursday, Medibank began communicating with its customers via email and text to keep them updated on the incident, he continued. In response to investor questions, Koczkar stated that Medibank is aware of how attackers gained access to its systems.

“We believe ... one [set] of our credentials was compromised, but we've got an ongoing investigation into exactly what happened," he said.

"We've taken all necessary steps to address this."

He stated that the company found no evidence of unauthorised access to customer data, "but that is subject to our ongoing forensic analysis." He added that, while Medibank is "very happy with how we sit in terms of our ability to respond to a cyber incident," the incident will result in "some learnings."

According to Koczkar, no significant costs are expected as a result of the incident. He thanked the Australian Cyber Security Centre (ACSC), regulators, and government agencies for "contributing to and supporting our response and working so effectively with us."

He concluded, “We will also share technical information with our peers as part of our commitment to helping others understand this incident and allow them to bolster their own defences."

Binance Bridge Hit by $560 Million Hack

A group of threat actors exploited a cross-chain bridge to transfer $560 million worth of cryptocurrency out of Binance Bridge, the bridge of the world’s biggest exchange. The hack is believed to have been enabled by a bug in the bridge that allowed the hacker to bypass the BNB Chain's safety proofs. 

Following the incident, Binance's BNB/USD fell more than 3% on Friday. The single-day hack on the BNB Chain led to a loss of at least $100 million. BNB Chain estimates that about $7 million has been frozen, out of roughly $560 million initially targeted. 

Binance, whose bridge is designed to help transfer information and assets between blockchains, is the largest cryptocurrency exchange in the world in terms of daily trading volume. 

The information about the hack was delivered to the public on Thursday by Binance CEO Changpeng Zhao. He announced on Twitter that the threat actors had exploited a vulnerability in the BSC (BNB Chain) Token Hub cross-chain bridge. 

“An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly,” he added. 

According to Zhao, the overall loss that the platform has to bear because of the attack is around $100 million worth of BNB. However, the threat actors’ wallet reportedly received two transactions of 1,000,000 BNB each, which is worth more than $560 million. 

However, the platform assured its customers that their funds are safe and secure. When the platform learned about the hack, it worked with validators to temporarily suspend BSC and freeze transfers. Additionally, the platform reported that it has already recovered some of the stolen funds. 

“We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly…” the platform reported. “…Initial estimates for funds taken off BSC are between $100M - $110M. However, thanks to the community and our internal and external security partners, an estimated $7M has already been frozen.” 

Former Uber CSO Convicted for Covering up 2016 Data Breach

Uber's former chief security officer, Joe Sullivan, has been found guilty of illegally trying to cover up a 2016 data breach in which threat actors accessed 57 million Uber drivers' and customers' sensitive credentials. 

Sullivan is a former federal cybercrime prosecutor at the US Department of Justice. A federal jury in San Francisco convicted him of obstructing justice and misprision, that is, concealing a felony from law enforcement. 

On November 21, 2017, Uber CEO Dara Khosrowshahi released a statement acknowledging that miscreants had broken into the app giant's infrastructure and made off with 57 million customer and driver records. As a result, Sullivan and legal director of security and law enforcement Craig Clark were fired. 

"Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber," the U.S. attorney's office said. 

Sullivan’s trial began just days before news broke that Uber had been hacked again. Uber said the hacking group LAPSUS$ was running a campaign against it. 

The group stole an employee’s login credentials to gain wide-ranging access to Uber’s internal systems, including the company’s Amazon Web Services console, the Google Workspace admin dashboard for managing Uber email accounts, VMware vSphere/ESXi virtual machines, the Slack server, and the bug bounty program portal. However, Uber confirmed that the hackers did not gain access to sensitive customer data. 

In the case of the 2016 data breach, Uber had to make two $50,000 payments to the intruders in December 2016. A month later, after managing to identify one of the attackers from the group, an Uber representative met the man in Florida and had him sign a confidentiality agreement. 

"Technology companies in the Northern District of California collect and store vast amounts of data from users. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” U.S. Attorney Stephanie M. Hinds said in a statement.

Trojanized Comm100 Live Chat App Installer Distributed a JavaScript Backdoor

Cybersecurity firm CrowdStrike reported a supply chain attack in which a trojanized installer for the Comm100 Live Chat application was used to distribute a JavaScript backdoor. The trojanized installer was distributed from 27 to 29 September 2022. 

Additionally, the malicious group used the same installer against organizations in the industrial, technology, healthcare, manufacturing, telecommunications, and insurance sectors in North America and Europe. 

Canadian application Comm100 facilitates over 200,000 businesses with its customer service and communication products. With more than 15,000 clients, the Comm100 company offers chat and customer engagement applications to businesses in 51 countries. However, the company did not report anything on how many customers got affected by the attack. 

According to CrowdStrike, the malware was distributed via a Comm100 installer downloadable from the company’s own website. The installer, signed on September 26, carried a legitimate Comm100 signature for the desktop agent app. 

“CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at hxxps[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win[.]exe that was available until the morning of September 29 was a trojanized installer,” CrowdStrike confirmed. 

A malicious loader DLL called MidlrtMd[.]dll was also used in the post-exploitation phase. It runs in-memory shellcode that injects an embedded payload into a new Notepad process (notepad[.]exe). CrowdStrike believes a China-nexus threat actor is behind the attack, since the group previously targeted several Asian online gambling organizations. 

“Furthermore, CrowdStrike Intelligence assesses with moderate confidence that this actor likely has a China nexus. This assessment is based on the presence of Chinese-language comments in the malware, the aforementioned tactics, techniques, and procedures (TTPs), and the connection to the targeting of online gambling entities in East and Southeast Asia — a previously established area of focus for China-nexus targeted intrusion actors”, CrowdStrike Intelligence wrote in a report to customers.
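Detection logic for the chain described in this post, as an added example rather than CrowdStrike's or Comm100's own code: it runs three rules over constructed Sysmon-style events, keyed on the installer file name, the MidlrtMd.dll loader and the notepad.exe injection target named in the report. The event layout, the process names (agent.exe, chrome.exe), pids and timestamps are assumptions.

```python
"""Detect the trojanized Comm100 installer chain in Sysmon-style telemetry.

Added example, not CrowdStrike's or Comm100's code. Rules:
  1. any process loading MidlrtMd.dll                       -> high
  2. notepad.exe spawned by a process that loaded that DLL  -> high
  3. the installer run inside the distribution window       -> medium
Rule 3 is only "review" severity because the clean installer has the same
file name and a valid signature; only the Sept 26-29 build was trojanized.
"""
from datetime import datetime

# Indicators taken from the report (file names only; the URL is defanged there).
INSTALLER_NAME = "comm100livechat-setup-win.exe"
LOADER_DLL = "midlrtmd.dll"
INJECT_TARGET = "notepad.exe"
# The trojanized build was signed on Sept 26 and hosted until the morning of
# Sept 29 (report); the noon cut-off is an assumption.
WINDOW_START = datetime(2022, 9, 26)
WINDOW_END = datetime(2022, 9, 29, 12, 0)


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (severity, rule, pid, detail) tuples in event order.

    events: dicts with Sysmon field names; EventID 1 = process creation,
    EventID 7 = image (DLL) load. Correlation is by ProcessId/ParentProcessId.
    """
    findings = []
    loader_hosts = set()  # pids that have loaded MidlrtMd.dll so far
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 7:
            if _basename(ev["ImageLoaded"]) == LOADER_DLL:
                loader_hosts.add(pid)
                findings.append(("high", "comm100_loader_dll_loaded", pid,
                                 ev["ImageLoaded"]))
        elif ev["EventID"] == 1:
            image = _basename(ev["Image"])
            if image == INJECT_TARGET and ev["ParentProcessId"] in loader_hosts:
                findings.append(("high", "notepad_spawned_by_loader_host", pid,
                                 f"parent pid {ev['ParentProcessId']} loaded {LOADER_DLL}"))
            elif image == INSTALLER_NAME:
                ts = datetime.fromisoformat(ev["UtcTime"])
                if WINDOW_START <= ts <= WINDOW_END:
                    findings.append(("medium", "comm100_installer_run_in_trojan_window",
                                     pid, f"{ev['Image']} at {ev['UtcTime']}"))
    return findings


# Constructed sample telemetry (not real logs). pid 4100 runs the installer
# inside the window; pid 4210 (hypothetical agent.exe) loads the loader DLL and
# then spawns notepad.exe; pid 5000 is an ordinary Notepad launched from
# Explorer and pid 6000 runs the installer after the window: neither must fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-09-27T09:14:02", "ProcessId": 4100,
     "ParentProcessId": 3020,
     "Image": r"C:\Users\alice\Downloads\Comm100LiveChat-Setup-win.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 7, "UtcTime": "2022-09-27T09:14:30", "ProcessId": 4210,
     "Image": r"C:\Users\alice\AppData\Local\Temp\agent.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\MidlrtMd.dll"},
    {"EventID": 1, "UtcTime": "2022-09-27T09:14:31", "ProcessId": 4300,
     "ParentProcessId": 4210,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\agent.exe"},
    {"EventID": 1, "UtcTime": "2022-09-27T09:20:00", "ProcessId": 5000,
     "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "UtcTime": "2022-10-03T08:00:00", "ProcessId": 6000,
     "ParentProcessId": 3020,
     "Image": r"C:\Users\bob\Downloads\Comm100LiveChat-Setup-win.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for severity, rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule} pid={pid} {detail}")
```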

Data Theft: Employees Steal Company Data After Getting Fired


Employees taking personal data with them

Around 47 million Americans left their jobs in 2021, and some took data with them.

The conclusion comes from the latest report by Cyberhaven Inc, a data detection and response firm. It studied 372,000 cases of data extraction and unauthorized transfers of critical information between systems, involving 1.4 over a six-month period. Cyberhaven Inc found that 9.% of employees took data during that time frame. 

Over 40% of the compromised data was customer or client details, 13.8% was source code, and 8% was regulated personally identifiable information. The top 1% of offenders are accountable for around 8% of cases, and the top 10% of offenders are responsible for 35% of cases. 

Reason for data extraction

As expected, the prime time for data extraction was between an employee's submission of notice and their last day at work. Cyberhaven calculated around a 38% rise in cases during the post-notice period and an 83% rise in the two weeks prior to an employee's resignation. Cases rose by 109% on the day employees were fired from the company. 

Cyberhaven Inc blog says:

"While external threats capture headlines, our report proves that internal leaks are rampant – costing millions (sometimes billions) in IP loss and reputational damage. High-profile recent examples include Twitter, TikTok, and Facebook, but for the most part, this trend has flown under the radar."

The scale of the incident

Looked at on a per-person basis, the risk is not significant; however, it intensifies with scale. Companies experience an average of only 0.045% data extraction cases per employee every month, but that adds up to 45 monthly events at a 1,000-employee organization. 

The most common way an employee takes information out is through cloud storage accounts, used in 27.5% of cases, followed by personal webmail at 19%, and corporate email messages sent to personal accounts at 14.4% of incidents. Removable storage drives account for one in seven cases. 

Most incidents caused due to accident

Cyberhaven CEO Howard Ting warned against jumping to the conclusion that many employees are criminals. He believes that the first and foremost cause of data exfiltration is accident, and that one shouldn't assume every user is guilty. He said that users are generally unaware that they aren't allowed to upload critical information to such drives. 

Most organizations fail to clearly state policies regarding data ownership. People in sales may believe they can keep the account details they hold, and developers may keep their code as a personal achievement. Organization emails containing internal contact details are casually forwarded to personal accounts without ill intent, and critical information can be stored on local hard drives, just a few clicks away. Cyberhaven Inc comments:

"Our data suggests employees often sense their impending dismissal and decide to collect sensitive company data for themselves, while others quickly siphon away data before their access is turned off."

New York tax Fraudster Sentenced to 12 years in Prison for Child Data Theft Ring

A court in the United States has sentenced New York resident Ariel Jimenez to 12 years in prison for stealing the identities of thousands of children on welfare and using those identities to falsely claim tax credits on behalf of his customers. 

The clients of Jimenez exploited the stolen identity data which included names, dates of birth, and social security numbers to add the children fraudulently as dependents on their tax returns to receive a refund when they filed their taxes. 

Ariel Jimenez, 38, of the Bronx, New York, started the fraud ring in 2007 and is believed to have made millions of dollars. With the assistance of his co-conspirators, Jimenez sold the identities of hundreds of vulnerable children (obtained from a fraud investigator at New York City's Human Resources Administration) to thousands of people, profiting from this fraudulent operation. 

"While working at the HRA, CW-1 obtained children's names and identifying information from the Welfare Management System and sold those names to [..] the defendant," court documents explained. "The investigation by IRS-CI has revealed that the defendants engaged in large-scale identity theft and tax fraud schemes through which (a) identifying information of minors, including names, dates of birth, and SSNs, was obtained, including through payments to a corrupt New York City employee." 

The fraudster demanded a cash fee, on top of tax preparation charges, to "prepare and file tax returns that falsely claimed that the individual taxpayer had one or more minor dependents, to take fraudulent advantage of at least one tax credit, thereby inflating the refund paid to the taxpayer." 

He used the profits from his tax fraud operation to acquire millions of dollars of real estate and fund his lavish lifestyle. By his own admission, Jimenez spent more than $5.5 million on real estate around the world, cars, jewelry, and gambling. 

The defendant was first arrested in November 2018 along with multiple co-conspirators, including his sisters Evelin Jimenez and Ana Yessenia Jimenez. He was convicted in February this year of aggravated identity theft, fraud, and money laundering crimes following a two-week jury trial. 

The judge in charge of this case sentenced the fraudster to 12 years in prison on Monday and ordered him to pay $14M in damages, turn over numerous properties, and pay over $44M in restitution. 

"Ariel Jimenez's tax and identity theft crimes cruelly forced his victims to endure bureaucratic snafus and agonizing delays for their much-needed tax refunds," U.S. Attorney Damian Williams stated earlier this year in February. 

"Today's sentence holds Jimenez accountable for brazenly selling the identities of children to his customers for his own profit," Williams further added.

Samsung Announces Second Customer Data Breach

Samsung, the industry leader in technology, electronics, and smartphone production, has reported a data breach in its systems. The company was hit by a cyberattack in late July 2022, and in August it discovered that a group of threat actors had accessed its systems and breached customer personal data. 

The hackers had access to Samsung customers’ personal details, including contact details, product registration data, dates of birth, and demographic information. However, the company said that Social Security and credit card numbers were not affected by the breach. 

“In late July 2022, an unauthorized third party acquired information from some of Samsung’s U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that the personal information of certain customers was affected. We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement...” 

“…We want to assure our customers that the issue did not impact Social Security numbers or credit and debit card numbers, but in some cases, may have affected information such as name, contact and demographic information, date of birth, and product registration information,” reads a notice published by the company. 

The company further added that the information exposed may vary for each affected customer. It has started notifying impacted customers and advised them to remain cautious of any unrecognized or illegitimate communications that ask for their personal credentials or refer them to a web page asking for personal information. Customers should also review their accounts for suspicious or unsolicited activity, and avoid clicking on links or downloading attachments from unrecognized and suspicious emails.

Samsung has become one of the most recognizable names in technology and produces a wide range of electronics, including appliances, digital media devices, memory chips, semiconductors, and integrated systems. The company accounts for a fifth of South Korea's total exports. 

Furthermore, Samsung says it has identified the vulnerability exploited in the attack and has taken measures to secure the impacted systems. The company has also hired a leading cybersecurity firm to investigate the matter and has reported it to law enforcement.