
1.5 Billion Facebook Users Data Breach or a Scam?


Facebook, Messenger, Instagram, and WhatsApp were all down for about 7 hours worldwide; meanwhile, unknown hackers allegedly stole the data of 1.5 billion Facebook users and put it up for sale on the dark web, according to recent findings published by the Russian Privacy Affairs agency (RPA). The data reportedly includes user names, email addresses, physical addresses, locations, and phone numbers.

“It’s the biggest and most significant Facebook data dump to date– about three times greater than the April leak of 533 million phone numbers,” the publication noted. 

However, responding to the incident, Facebook said that “this was old data and the security vulnerability responsible had been patched back in 2019”.

At present, it has not been confirmed whether the RPA's findings are legitimate. Some people reported trying to buy the Facebook user data, but after paying the hackers $5,000 they received nothing, so the possibility that the whole offer is a scam cannot be ruled out.

That buyers who paid the hackers received nothing may indicate that the group's claim to hold stolen data is baseless. Security experts nonetheless advise all Facebook users to stay vigilant for unusual activity on their accounts.

At a Senate subcommittee hearing with a Facebook whistle-blower on Tuesday, Senator Marsha Blackburn from Tennessee said, “News broke yesterday that the private data of over 1.5 billion — that’s right, 1.5 billion — Facebook users are being sold on a hacking forum.” “That’s its biggest data breach to date,”  the subcommittee’s ranking Republican member further added. 

Although many believe the data was breached, there is no solid proof of it yet. Aric Toler, a researcher with the investigative journalism group Bellingcat, noted that someone claimed to have paid for the hacked data and found it to be a scam, so the claim remains unconfirmed.

Ransomware Attack Hits Sandhills Online Machinery Market


Sandhills Global, a leading industry publisher, has been hit by a ransomware attack that has taken its hosted websites offline and disrupted its business operations.

Sandhills Global is a trade publishing and hosting firm headquartered in the United States that serves the transportation, agriculture, aircraft, heavy machinery, and technology industries. 

The firm offers a variety of printed and online trade magazines that include industry news as well as a marketplace for dealers to sell relevant new and old machinery. 

Sandhills Global's website and all of the publications it hosts went offline on October 1, and its phones stopped working. Users attempting to reach websites hosted on Sandhills' platform are shown a Cloudflare "Origin DNS error" page, which indicates that Cloudflare's edge cannot resolve or reach the origin servers behind those sites; this is consistent with the infrastructure having been taken offline rather than with a problem at Cloudflare itself.

Several sources have informed BleepingComputer that the disruptions are the result of a Conti ransomware assault. This attack reportedly happened in the early morning on Thursday, leading the firm to take down all of its IT systems to stop the escalation of the attack.

Over the years, the Conti ransomware group has been involved in a large number of attacks, including high-profile operations targeting JVCKenwood, the City of Tulsa, Ireland's Health Service Executive (HSE), and Advantech. 

When carrying out assaults, the Conti group generally steals files before encrypting devices to use them as extra leverage during extortion operations. They then demand multi-million dollar ransom payments in order to receive a decryptor and not leak stolen data. 

It is unclear how much ransom Conti is demanding from Sandhills, or whether any data was stolen during the attack. BleepingComputer contacted Sandhills with questions about the attack but did not receive a response.

While Sandhills Global has not responded, a customer shared with BleepingComputer an email from the company confirming the ransomware attack.

The email stated, “Sandhills Global is currently responding to a ransomware attack that impacted our operations. Systems and operations have been temporarily shut down to protect data and information, and we have retained cybersecurity experts to assist us with the investigation, which is ongoing. We are working actively and diligently with the assistance of our retained experts to fully restore operations. At this time, we are continuing to investigate whether any of our clients' information has been accessed or impacted by this incident.

At this time, we have not discovered evidence that confirms that customer information has been compromised. Please know that our clients are our number one priority and we are working diligently to restore operations and remediate the attack. At this time, our ability to respond to your messages may be delayed. 

We appreciate your patience and deeply regret any inconvenience this may cause. We will provide updates regarding this matter and the status of our services as soon as possible.”

Facebook Outage Caused Agitation in Nations And Highlighted Risks Of Social Networking


The global outage of Facebook Inc.'s services highlighted the dangers of depending on its social networking platforms, bolstering European regulators' efforts to limit the company's influence just as a whistle-blower's testimony in the United States threatened to draw even more unwelcome attention at home.

While Europe awakened to find Facebook, Instagram, WhatsApp, and Messenger back online and running, the extent of Monday's shutdown drew immediate and extensive outrage. Margrethe Vestager, the European Union's antitrust director and digital czar, said the Facebook failure will bring attention to the company's dominance. 

The networking failure that took the services offline for almost 2.75 billion people could not have come at a worse moment. Following a Sunday television interview in the United States, whistle-blower Frances Haugen was due to testify before a Senate panel on Tuesday to tell legislators the "frightening truth" about Facebook. While Facebook's services were offline, Haugen's allegation that the company put profit ahead of user safety was still making headlines.

“It’s always important that people have alternatives and choices. This is why we work on keeping digital markets fair and contestable,” Vestager said. “An outage as we have seen shows that it’s never good to rely only on a few big players, whoever they are.” 

The disclosures prompted United States Representative Alexandria Ocasio-Cortez to call attention to the dangers faced by nations that depend on these services. In New York trading, Facebook shares rose as much as 1.3 percent to $330.33, reversing a 4.9 percent drop on Monday.

Facebook has increasingly been the subject of multiple antitrust and privacy probes in Europe, as well as intensive scrutiny of even minor transactions, such as its planned acquisition of a customer-service software company. Last month, the firm was fined 225 million euros ($261 million) for data privacy violations, and it is currently under investigation by the European Commission and the German competition agency Bundeskartellamt. 

In the next few months, EU lawmakers will decide on new legislation limiting the capacity of strong Internet platforms like Facebook to expand into new services. According to Rasmus Andresen, a German Green member of the European Parliament, the service outage demonstrated the "serious consequences" of relying on one firm for crucial channels of communication, and that Facebook should have never been permitted to buy Instagram and WhatsApp. 

Facebook also faces political fallout. Turkish President Recep Tayyip Erdogan, who has a low tolerance for political criticism on social networking sites, called for a new digital "order" in response to the incident. According to Fahrettin Altun, his presidential communications director, the outage demonstrated how "fragile" social networks are, and he urged the rapid development of "domestic and national" alternatives.

“The problem we have seen showed us how our data are in danger, how quickly and easily our social liberties can be limited,” Altun said in a series of Twitter posts. 

President Muhammadu Buhari's communications staff, government officials, and the governors of Nigeria's 36 states were all silenced for six hours by the outage. Since Twitter was banned in Africa's most populous country on June 5, the administration has become increasingly dependent on Facebook to keep the public informed.

Facebook is “for us opposition politicians one of the last media outlets where we can talk to you and which isn’t dominated by” Fidesz, Prime Minister Viktor Orban's party, Budapest Mayor Gergely Karacsony said in a video posted on Tuesday.

“This outage does show the over-dependence we have on a single company, and the need for diversity and greater competition,” Jim Killock, executive director of the Open Rights Group in London, said in an interview. “Their reliance on data-driven, attention-optimizing products is dangerous and needs to be challenged through interventions enabling greater competition.” 

Some telecommunications companies had to intervene as a result of the outage. In a blog post, the Polish Play unit of Paris-based operator Iliad SA reported an eightfold surge in calls to its customer service and said it had to reconfigure its network to avoid overloading.

Twitch Admits to a Major Data Breach


Twitch, Amazon's livestreaming service for video games, has confirmed that it suffered a data security breach. The breach is said to have exposed streamers' pay-out amounts, Twitch source code, and details of a planned Steam competitor from Amazon Game Studios. In a tweet on Wednesday morning, Twitch said, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.”

Twitch was founded in 2011 by the co-founders of Justin.tv, one of the earliest livestreaming websites. Twitch was purchased by Amazon in 2014 for $970 million. 

On the 4chan message board, an anonymous poster released a 125GB torrent claiming to contain the entirety of Twitch's source code and its commit history. The poster said the leak was intended to "promote further disruption and competition in the online video streaming industry."

The leak reportedly includes: three years' worth of creator pay-out details; the source of twitch.tv in its entirety, “with commit history going back to its early beginnings”; source code for the mobile, desktop, and video game console Twitch clients; code for proprietary SDKs and the internal AWS services Twitch uses; an unreleased Steam competitor from Amazon Game Studios; data on other Twitch properties such as IGDB and CurseForge; and Twitch's internal security tools.

The leak has been labeled as “part one,” implying that there may be more to come. While personal information such as creator payments is included, it does not appear that passwords, addresses, or email accounts of Twitch users are included in this initial breach. Instead of publishing code that would contain personal accounts, the leaker appears to have focused on sharing Twitch's own company tools and information. 

Malware authors could potentially mine the leaked Twitch code for software vulnerabilities and use them against the platform's users. According to Quentin Rhoads-Herrera, director of professional services at cybersecurity company Critical Start, however, any return attackers would get from that would be modest and not worth the effort.

“This is more of a way to publicly humiliate Twitch and potentially lower the trust the Twitch users may have in the platform and company,” Rhoads-Herrera said.

Ursnif Trojan Steals Personal User Data, Proofpoint Report Says


Researchers at Proofpoint have identified a new Ursnif banking malware campaign run by a threat group tracked as TA544 that is targeting companies in Italy. The researchers observed 20 major campaigns delivering malicious messages to Italian organizations.

TA544 is a financially motivated threat actor that has been active since 2017. It targets banking customers, deploying banking trojans and other payloads to compromise companies around the world, primarily in Italy and Japan. The researchers observed that between January and August 2021 the number of identified Ursnif campaigns against Italian companies was almost equal to the number seen in Italy during all of 2020.

"Today’s threats – like TA544’s campaigns targeting Italian organizations – target people, not infrastructure. That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege and tailored controls that account for individual user risk," Proofpoint concludes.

TA544 uses social engineering and phishing to lure victims into enabling the macros in weaponized documents; once a macro is enabled, the infection chain begins. In recent attacks against Italian companies, the actor impersonated an energy company or an Italian courier, using payment-themed lures.

These spam messages carry weaponized Office documents that deploy the Ursnif banking malware as the final stage. In these campaigns TA544 used geofencing to check whether a target was in the intended geographic area before serving the malware; if the user was outside the target area, the command-and-control (C2) server redirected them to an adult site instead. So far in 2021, the researchers have counted around 500,000 messages associated with these campaigns. The actor used web injects to deliver malicious code that steals personal data such as login credentials and banking details.

Analysis of the web injects used by the group shows that the attackers were also trying to steal credentials for the websites of major retailers.

Proofpoint reports "recent TA544 Ursnif campaigns included activity that targeted multiple sites with web injects and redirections once the Ursnif payload was installed on the target machine. Web injects refer to malicious code injected to a user’s web browser that attempts to steal data from certain targeted websites. The list included dozens of targeted sites."

LockBit 2.0 Ransomware Hit Israeli Defense Firm E.M.I.T. Aviation Consulting


LockBit 2.0 ransomware operators have reportedly hit the Israeli aerospace and defense firm E.M.I.T. Aviation Consulting Ltd in a new attack. The attackers claim to have accessed the company's internal systems and stolen data, including credentials.

Following the attack, the group is threatening to publish the stolen data, which reportedly includes sensitive information, invoices, employee records, and possibly payment data, on its dark web leak site if the company does not pay the ransom. The group has yet to leak any data as proof of the attack; its countdown ends on 07 October 2021.

It has not been disclosed how the attackers gained access to the company's systems or when the incident took place. Like other ransomware operations, LockBit 2.0 runs a ransomware-as-a-service (RaaS) model and maintains a network of affiliates.

LockBit has been in operation since September 2019, and in June the group announced LockBit 2.0 RaaS. After ransomware advertising was banned on hacking forums, the LockBit operators launched their own leak site, which they also use to promote the new version and advertise the LockBit 2.0 affiliate program.

At present, the LockBit gang is highly active, targeting numerous organizations worldwide, including Riviana, Anasia Group, Wormington & Bollinger, Vlastuin Group, DATA SPEED SRL, SCIS Air Security, Peabody Properties, Island Independent Buying Group, Buffington Law Firm, Day Lewis, and many others.

A few months ago, the Australian Cyber Security Centre (ACSC) warned Australian organizations about LockBit 2.0 ransomware attacks. E.M.I.T. Aviation Consulting Ltd was established in 1986 and designs and assembles complete aircraft, tactical and sub-tactical UAV systems, and mobile integrated reconnaissance systems.

Global Telecom Firm Syniverse Secretly Reveals 5-Year Data Breach


Telecom giant Syniverse quietly disclosed to the U.S. Securities and Exchange Commission last week that attackers had been inside its systems for the past five years, affecting hundreds of business customers and potentially millions of users worldwide.

Syniverse handles nearly 740 billion text messages every year, and some of its customers include major firms such as Airtel, China Mobile, AT&T, Verizon, Vodafone, and T-Mobile. 

“The world’s largest companies and nearly all mobile carriers rely on Syniverse’s global network to seamlessly bridge mobile ecosystems and securely transmit data, enabling billions of transactions, conversations, and connections [daily],” Syniverse wrote in a recent press release.

Syniverse disclosed in a September 27 filing with the U.S. Securities and Exchange Commission that hackers had access to its systems for years. Records belonging to more than 200 customers were compromised through unauthorized access to its databases.

Following the discovery, the telecom giant started an internal investigation to determine the scope of the attack. The investigation revealed that unauthorized access to the company's systems had been ongoing since May 2016; the intrusion went undetected until May 2021.

“The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers,” the company stated in its SEC filing.

According to a source who works at Syniverse, the attackers could have gained access to call records and message data, such as call length and cost, caller and receiver’s numbers, the location of the calling parties, the content of SMS text messages, and more. 

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other. So, it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers,” an industry insider told Motherboard.

Russian hacker: a DDoS attack could be the reason for the social networks' outage

Earlier, Facebook said that the large-scale outage did not lead to a leak of user data; its representatives said there was no evidence of one. The company also confirmed that faulty configuration changes caused the outage.

According to Varskoy, the reason the external-attack explanation is being ruled out is obvious: the hacker believes the company does not want to lose its customers' trust, and its money.

“All the journalists were waiting for what Facebook itself would say, and the company gave them an answer that would satisfy them. All other versions after that will look like just versions. I am almost sure that we are dealing with a common technical phenomenon, but I would not rule out the attack version one hundred percent,” Varskoy added.

The hacker is convinced that Facebook reached its conclusion that no leak occurred too quickly, since establishing whether a leak took place takes more time.

The expert noted that if this really was an attack, its authors have very strong resources, consisting of many machines. According to Varskoy, the hackers could simply have been demonstrating their strength.

Recall that on the evening of October 4, thousands of users around the world complained about disruptions to the WhatsApp messenger and the social networks Facebook and Instagram. Following this large-scale outage, users also reported problems with Twitter, Google, and Amazon.

In addition, it emerged that data on more than one and a half billion Facebook users had appeared online and was being sold on a popular hacker site. Names, email addresses, phone numbers, gender, and even users' identity documents were reportedly available for purchase. According to the Telegram channel Mash, this is the largest and most significant leak of Facebook data in history.

25-Yr Old Hacker Detained by Ukraine Police


Following a collaborative international law enforcement investigation, two ransomware suspects were apprehended in Ukraine. On Sept. 28, investigators from Ukraine, the United States, and France arrested a 25-year-old hacker in Kyiv, putting an end to a cybercrime operation that caused more than $150 million in damage worldwide.

According to authorities, as of Oct. 4 the suspect had allegedly demanded ransoms in exchange for the victims' stolen data. He is thought to have obtained that data by sending malware-laden phishing emails to employees of the organizations he targeted.

According to the authorities, the cybercriminal, who has not been named, attacked over 100 enterprises in Europe and the United States, including well-known energy and tourism companies. Europol noted that he had an accomplice who helped him cash out the funds extorted from victims.

Law enforcement investigators discovered and seized $375,000 in cash, two luxury automobiles, computers, and smartphones in the suspect's Scandinavian-styled Kyiv flat. 

Because cryptocurrency payments are harder to trace back to a person, hackers frequently demand ransoms in cryptocurrency. During searches of the suspect's flat, authorities found that he held over $1.3 million in cryptocurrency. According to the authorities, he could face up to twelve years in prison for breaching cybercrime and money-laundering laws.

"As a result, computer equipment, mobile phones, vehicles, and more than 360 thousand dollars in cash were seized. In addition, $1.3 million was blocked on the attacker's cryptocurrencies," the police said. 

Hackers from Ukraine and Russia rarely attack systems and networks in their nations, instead preferring to infect computers in Western Europe and the United States. Ukrainian cybercriminals are typically young, between the ages of 15 and 30, with no criminal history as well as a strong command of computer technology and mathematics. Their monthly income starts at $5,000, which is significantly higher than the $2,000 that tech experts in Ukraine might earn. 

Authorities all across the world are attempting to reverse the trend of ransomware assaults, which have become a lucrative business in recent years. Hackers, who are mostly from Eastern Europe, attack international companies, universities, government agencies, and even crucial infrastructures such as hospitals and gas stations.

Misconfigured Apache Airflow Servers Expose Thousands of Credentials


Researchers from the security firm Intezer uncovered a slew of misconfigured Apache Airflow servers that were exposing sensitive information, including credentials, from a number of IT organizations. 

Apache Airflow is an open-source workflow management software that is used by numerous businesses across the world to automate business and IT activities. 

The post published by Intezer stated, “These unsecured instances expose sensitive information of companies across the media, finance, manufacturing, information technology (IT), biotech, e-commerce, health, energy, cybersecurity, and transportation industries. In the vulnerable Airflows, we see exposed credentials for popular platforms and services such as Slack, PayPal, AWS and more.” 

The researchers examined the risks that such misconfigurations pose to companies and their customers, as well as the most common causes of data leakage from the exposed instances. According to Intezer, the majority of the exposed credentials leak through insecure coding practices, with many of the affected instances having passwords hard-coded inside the Python DAG code.

Other misconfigured installations examined by Intezer exposed their configuration file (airflow.cfg), which contains confidential information such as passwords and keys; an attacker who can modify those settings could also alter the instance's behaviour in unexpected ways.

Credentials may likewise be exposed through the Airflow "Variables" used in DAG scripts.

According to the researchers, it is quite common to find hard-coded passwords stored in these variables. Threat actors could also abuse Airflow plugins or features to execute malicious code injected through variables.

“There is also the possibility that Airflow plugins or features can be abused to run malicious code. An example of how an attacker can abuse a native “Variables” feature in Airflow is if any code or images placed in the variables form is used to build evaluated code strings.” 

“Variables are able to be edited by any visiting user which means that malicious code could be injected. One entity we observed was using variables to store internal container image names to execute. These container image variables could be edited and swapped out with an image containing and running unauthorized or malicious code.” 

The research focused on older versions of Apache Airflow and emphasised the hazards of running out-of-date software. Most of the problems highlighted in the study affected servers running Airflow v1.x; later versions incorporate security measures that address these concerns.

“In light of the major changes made in version 2, it is strongly recommended to update the version of all Airflow instances to the latest version. Make sure that only authorized users can connect.” concludes the report. “Exposing customer information can also lead to violation of data protection laws and the possibility of legal action.” 

The security firm advised, "Disruption of clients' operations through poor cybersecurity practices can also result in legal action such as class action lawsuits."
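The two weaknesses Intezer describes, secrets hard-coded in DAG source (directly or as the inline default of a `Variable.get` call) and an airflow.cfg that leaves the web UI open, can both be caught before deployment with a static check. The script below is an added example, not Intezer's or the Apache Airflow project's code; the DAG snippet and the airflow.cfg fragment it scans are constructed for the example, and the `[webserver]` keys it inspects (`authenticate`, `rbac`, `expose_config`) are the Airflow 1.x settings, which is the version line the report concerns:

```python
"""Static checks for two Airflow 1.x weaknesses: secrets embedded in DAG code,
and airflow.cfg settings that expose the web UI and its configuration.
Added example with constructed inputs; not code from any affected organisation."""
import ast
import configparser
import re

# Constructed DAG source. Line numbers matter for the findings below.
SAMPLE_DAG = '''
from airflow.models import Variable
AWS_SECRET_KEY = "AKIAEXAMPLEEXAMPLE1234"
slack_token = "xoxb-0000-example"
db_password = Variable.get("db_password", default_var="hunter2")
prod_conn = Variable.get("prod_conn")   # no inline default: not flagged
'''

# Constructed airflow.cfg fragment: authenticate/rbac as in the 1.x defaults,
# expose_config switched on, and a connection string carrying the DB password.
SAMPLE_CFG = """
[webserver]
authenticate = False
rbac = False
expose_config = True

[core]
sql_alchemy_conn = postgresql://airflow:airflow@db/airflow
"""

SECRET_NAME = re.compile(r"pass(word)?|secret|token|api[_-]?key|access[_-]?key", re.I)


def find_hardcoded_secrets(source):
    """Return sorted (line, description) pairs for secrets embedded in DAG code."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # A secret-looking variable name assigned a literal string.
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append((node.lineno, target.id))
        elif isinstance(node, ast.Call):
            # Variable.get("name", default_var="literal") ships the secret with the code.
            func = node.func
            if (isinstance(func, ast.Attribute) and func.attr == "get"
                    and isinstance(func.value, ast.Name) and func.value.id == "Variable"):
                for kw in node.keywords:
                    if (kw.arg == "default_var" and isinstance(kw.value, ast.Constant)
                            and isinstance(kw.value.value, str)):
                        findings.append((node.lineno, "Variable.get default_var"))
    return sorted(findings)


# (section, key, unsafe value, why it matters) for the Airflow 1.x settings discussed.
WEAK_SETTINGS = [
    ("webserver", "authenticate", "false", "web UI reachable without any login"),
    ("webserver", "rbac", "false", "no role-based access control on the UI"),
    ("webserver", "expose_config", "true", "airflow.cfg, secrets included, viewable in the UI"),
]
EMBEDDED_PASSWORD = re.compile(r"://[^/\s:@]+:[^@\s]+@")


def check_config(cfg_text):
    """Return human-readable findings for weak airflow.cfg settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    issues = []
    for section, key, unsafe, why in WEAK_SETTINGS:
        value = parser.get(section, key, fallback="").strip().lower()
        if value == unsafe:
            issues.append(f"[{section}] {key} = {value}: {why}")
    if EMBEDDED_PASSWORD.search(parser.get("core", "sql_alchemy_conn", fallback="")):
        issues.append("[core] sql_alchemy_conn embeds the metadata database password")
    return issues


if __name__ == "__main__":
    for line, what in find_hardcoded_secrets(SAMPLE_DAG):
        print(f"DAG line {line}: hard-coded secret in {what}")
    for issue in check_config(SAMPLE_CFG):
        print(issue)
```

Run it against a repository of DAG files and the deployed airflow.cfg as a pre-deployment gate; anything it flags should move into an Airflow Connection or a secrets backend rather than living in code or in a variable with an inline default.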

Confluence Servers are Being Targeted by the New Atom Silo Malware


A new ransomware operator is targeting Confluence servers, gaining initial access to vulnerable systems by exploiting a recently disclosed vulnerability. According to Sean Gallagher and Vikas Singh of Sophos, the new threat actor, dubbed Atom Silo, is exploiting the flaw in the hope that Confluence server owners have yet to apply the security patches that fix it.

Atlassian Confluence is a web-based collaboration workspace that lets business teams work on projects and communicate. According to Sophos, Atom Silo recently carried out a two-day intrusion in which the attackers gained initial access to the victim's corporate environment through CVE-2021-26084, a Confluence vulnerability for which Atlassian published patches on August 25.

Atlassian released security fixes on August 25 to address that Confluence remote code execution (RCE) vulnerability, tracked as CVE-2021-26084, which had already been exploited in the wild. Sophos also found that the ransomware used by this new gang is nearly identical to LockFile, which in turn closely resembles LockBit.

According to Sophos, the Atom Silo operators used several novel techniques that made the intrusion exceedingly difficult to investigate, including side-loading malicious dynamic-link libraries designed to disrupt endpoint protection software. After compromising the Confluence server and installing a backdoor, the threat actors used DLL side-loading to execute a second-stage, stealthier backdoor on the compromised machine.

"The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago," said Sean Gallagher, a senior threat researcher at Sophos. "In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware." 

According to Sophos, ransomware operators and other malware authors are becoming increasingly adept at exploiting such flaws, latching onto publicly available proof-of-concept exploits for freshly disclosed vulnerabilities and weaponizing them quickly.

"To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks," they added.
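The advice above, staying vigilant about vulnerabilities in Internet-facing products, is concrete for this case: a Confluence instance is exposed to CVE-2021-26084 unless it runs at or above the fixed release for its maintenance branch. The script below is an added example, not Sophos's or Atlassian's code. The list of fixed releases is taken from Atlassian's advisory for CVE-2021-26084; the HTML sample is constructed, and the extractor assumes (as a stated assumption, not something the article says) that a Confluence page exposes its version in an `ajs-version-number` meta tag:

```python
"""Decide whether a Confluence Server/Data Center version is still exposed to
CVE-2021-26084 (patched by Atlassian on 25 August 2021), and pull the version
string out of a page. Added example; the HTML sample is constructed."""
import re

# Fixed releases from Atlassian's CVE-2021-26084 advisory. A version is affected
# if it is below the fix on its own branch, or on a branch with no fix and below 7.13.0.
FIXED = ["6.13.23", "7.4.11", "7.11.6", "7.12.5", "7.13.0"]
FIRST_CLEAN_RELEASE = "7.13.0"


def parse_version(text):
    """'7.12.4' -> (7, 12, 4); a trailing tag such as '-rc1' is ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True if the given Confluence version lacks the CVE-2021-26084 fix."""
    v = parse_version(version)
    for fixed in FIXED:
        f = parse_version(fixed)
        if v[:2] == f[:2]:          # same maintenance branch: fixed at or after that release
            return v < f
    return v < parse_version(FIRST_CLEAN_RELEASE)   # branch never patched: only 7.13+ is clean


# Assumption: Confluence pages carry the running version in this meta tag.
VERSION_META = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"')


def version_from_html(html):
    """Return the version string found in the page, or None if absent."""
    match = VERSION_META.search(html)
    return match.group(1) if match else None


# Constructed page fragment standing in for a fetched Confluence login page.
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="7.12.4"></head></html>'

if __name__ == "__main__":
    version = version_from_html(SAMPLE_HTML)
    print(version, "VULNERABLE" if is_vulnerable(version) else "patched")
```

Feed `version_from_html` the body of an HTTP GET against each Confluence host you own; a version reported as vulnerable should be patched immediately, and, given that exploitation preceded the patch, reviewed for webshells and unexpected DLL side-loading on the host.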