Researchers Devise New Time And Power-Based Side-Channel Attacks that Affect AMD CPUs

A team of researchers from the Graz University of Technology and the CISPA Helmholtz Center for Information Security has developed a novel side-channel attack that targets AMD CPUs. 

Moritz Lipp and Daniel Gruss of the Graz University of Technology, together with Michael Schwarz of the CISPA Helmholtz Center for Information Security, devised the new attack technique. The same researchers were the first to uncover the Meltdown and Spectre vulnerabilities, which opened the door to numerous further side-channel attack methods targeting widely used chips. 

Side-channel attacks of this kind generally allow a malicious program running on the targeted system to exploit CPU flaws and read potentially sensitive data, such as credentials and encryption keys, from memory belonging to other applications. 

Many of the side-channel attacks disclosed in recent years have targeted Intel processors, but systems with AMD processors are not immune either, according to the newly published research. 

“In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information,” the researchers explained in the abstract of their paper. 

The study presented several attack scenarios. In one, the researchers used a Spectre attack to leak confidential data from the operating system; in another, they introduced a new way to build a covert channel for exfiltrating information. 

In addition, the researchers claim to have achieved the first "full microarchitectural KASLR (kernel address space layout randomization) break on AMD that works on all major operating systems." KASLR is an attack mitigation technique, and the researchers demonstrated how an attacker could defeat it on laptops, desktop PCs, and cloud virtual machines. 

AMD was notified of the findings in mid- and late 2020; the vendor acknowledged them and responded in February 2021. The flaws have been assigned the identifier CVE-2021-26318 and rated medium severity by AMD. 

The chipmaker acknowledged that the issue likely affects all of its processors, but it is not recommending any additional mitigations because "the attacks discussed in the paper do not directly leak data across address space boundaries." 

Lipp believes that the latest study highlights several interesting features of AMD CPUs that may spur further research into side-channel attacks. 

He further explained, “For instance, we use RDPRU as a timing primitive as the typically used rdtsc instruction has a lower resolution on AMD. This allows distinguishing events with only a slight timing difference. On the other hand, we use the reported energy consumption of the AMD driver to mount an attack. While this driver has now been removed from the Linux kernel, using this energy source could be interesting to mount other power side-channel attacks as we have shown on Intel with the PLATYPUS attacks.”

Amazon-owned Twitch Says Source Code Disclosed in Data Breach

Twitch, which is owned by Amazon.com Inc (AMZN.O), announced on Friday that last week's data breach at the live-streaming e-sports platform included documents from its source code. 

In a statement, the streaming platform said that users' passwords, login credentials, full credit card numbers, and bank details were not accessed or exposed in the breach. The platform, which video gamers use to interact with viewers while live-streaming content, attributed the breach to an error in a server configuration change. 

Changes to a server's configuration are made during server maintenance, and a flawed configuration can allow unauthorized access to the data stored on the server. 

Twitch said it was "confident" the incident affected only a small number of users and that it was contacting those who had been directly impacted. The platform has more than 30 million average daily visitors. 

Video Games Chronicle reported that about 125 gigabytes of data was leaked in the breach. The data includes details on Twitch's highest-paid video game streamers since 2019, such as a $9.6 million payout to the voice actors of the popular game "Dungeons & Dragons" and $8.4 million to Canadian streamer xQcOW. 

About the breach

On October 6, Twitch confirmed that it had suffered a major data breach and that a hacker had accessed the company’s servers as a result of a configuration change that introduced a misconfiguration. 

A Twitch spokesperson stated on Twitter, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.” 

The leaked Twitch data reportedly includes: 
  • The entirety of Twitch’s source code with commit history “going back to its early beginnings” 
  • Creator payout reports from 2019 
  • Mobile, desktop, and console Twitch clients 
  • Proprietary SDKs and internal AWS services used by Twitch 
  • “Every other property that Twitch owns” including IGDB and CurseForge 
  • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios 
  • Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers) 

Twitch users are advised to enable two-factor authentication, so that even if a password is compromised, an attacker would still need the user's phone to confirm the login via SMS or an authenticator app.

Trickbot Uses New Distribution Mechanisms to Disseminate Malware

The operators of the TrickBot malware have come up with new tricks to widen the malware's distribution routes, ultimately leading to the deployment of ransomware such as Conti. According to a report by IBM X-Force, the threat actor tracked as ITG23 (also known as Wizard Spider) has been observed collaborating with other cybercrime gangs tracked as Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to the growing number of campaigns the attackers rely on to deliver their proprietary malware. 

TrickBot is a well-known banking Trojan that has been active since October 2016, and its creators have kept it up to date by adding new features. The botnet is still offered under a multi-purpose malware-as-a-service (MaaS) model, and threat actors use it to distribute ransomware such as Conti and Ryuk, which steal personal data and encrypt it. More than a million computers have been compromised by the TrickBot botnet so far. 

"These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond said. 

In October, Microsoft's Defender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cybersecurity division Symantec joined forces in a coordinated effort to take down the infamous TrickBot botnet's command-and-control infrastructure. Although Microsoft and its partners dismantled that infrastructure, the operators sought to resume operations by bringing new command-and-control (C&C) servers online. 

In a malware campaign aimed at corporate users earlier this year, the cybercrime group used email campaigns to send Excel documents and a call center ruse known as "BazaCall." The gang formed a collaboration with two notable cybercrime affiliates in June 2021, which included the use of hijacked email threads and bogus website consumer inquiry forms.

"This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever," the researchers said. 

In one infection chain observed by IBM in late August 2021, the Hive0107 affiliate adopted a new tactic: sending emails to target companies claiming that their websites have been carrying out distributed denial-of-service (DDoS) attacks against the sender's servers, and urging recipients to click a link for more evidence. Clicking the link downloads a ZIP archive containing a malicious JavaScript (JS) downloader, which contacts a remote URL to fetch the BazarLoader malware, which in turn drops Cobalt Strike and TrickBot.

Thingiverse, 3D Printing Site Suffered Data Breach

The Thingiverse website has suffered a data breach that resulted in the email addresses of nearly 228,000 users surfacing on criminal hacking forums. 

The news came to light after Have I Been Pwned (HIBP), whose operator Troy Hunt had been tipped off that the breach was circulating on the forums, loaded the 228,000 leaked email addresses into the service. 

The 36 GB data cache, which first appeared in October 2020, is reported to contain unique email addresses as well as other information that could be used to identify people. Although these details have been floating around the internet for over a year, data breach notification service Have I Been Pwned has now found evidence that they are "extensively circulating within the hacking community." 

On Twitter, Hunt said that the leak contained more than two million email addresses. He clarified that the bulk of them were of the form webdev+$username@makerbot[.]com, which, judging by their structure, appeared to have been generated by Thingiverse itself. 

Thingiverse, which hosts free-to-use 3D printer designs, is run by MakerBot, a 3D printing company that previously made the news in 2015 when it announced layoffs after failing to meet its "ambitious goals". 

Hunt said on Twitter that MakerBot had not responded to his private messages, prompting him to go public in the hope of persuading someone to shut down the source of the leak. 

"We became aware of and have addressed an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users. We have not identified any suspicious attempts to access Thingiverse accounts, and we encouraged the relevant Thingiverse members to update their passwords as a precautionary measure. We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management," Thingiverse told The Register. 

Newly Discovered Flaw in GitHub Actions Allows Code to Bypass Review Mechanism

A newly discovered security weakness in GitHub Actions allows code to bypass the required-reviews mechanism of a protected branch and enter the pipeline to production. 

Omer Gil and his team of researchers at security startup Cider Security discovered the flaw in GitHub Actions during research into novel attack vectors in DevSecOps. The issue evades security protections and affects even organizations that have not enabled the recently introduced feature.

"An attacker compromising a GitHub user account, or simply a developer that wants to bypass this restriction, can simply push code to a protected branch. Since code in protected branches is usually used in production systems by many users or by other systems, the impact is high," Gil explained.

Vulnerability in GitHub Actions 

GitHub Actions is GitHub's continuous integration/continuous delivery offering, which provides a mechanism to automate, customize, and execute software development workflows directly in the repository, from development through to production systems, Cider Security explained in a blog post on Medium. 

GitHub Actions is enabled by default for every GitHub organization and all of its repositories, and any user with permission to push code to a repository can create a workflow that runs whenever code is pushed. 

“Anyone with write access to a repository can modify the permissions granted to the GITHUB_TOKEN, adding or removing access as required, by editing the permissions key in the workflow file,” Cider Security explained.

“As the PR is created, it cannot be merged since approval is required. However, the workflow immediately runs and the PR is approved by the GitHub-actions bot, which the GITHUB_TOKEN belongs to. It’s not an organization member, but counts as PR approval, and effectively allows the attacker to approve their own PR, basically bypassing the branch protection rules,” Cider Security further said.

"The issue is not fixed. GitHub said they'll work on fixing it. I believe adversaries can definitely take advantage of this issue in their attempts to reach production systems and expand their hold in their victims' assets," Gil noted. 

To mitigate the risk, Cider Security advises organizations to consider disabling GitHub Actions across the whole enterprise or for particular (more sensitive) repositories. Alternatively, the issue can be addressed by requiring the approval of Code Owners, or by requiring two or more approvals to merge a pull request.
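As an added illustration (not Cider Security's or GitHub's code), the following Python checks the two things the mitigations above hinge on: whether a branch's protection settings require Code Owner review or at least two approvals, read from the field shape returned by GitHub's branch-protection REST endpoint, and whether a workflow file both runs on pull requests and grants its GITHUB_TOKEN write access to pull requests. The JSON and workflow samples are constructed, and the regex-based workflow scan is a deliberate simplification that cannot see repository-level default token permissions.

```python
import json
import re

# Constructed sample in the shape of GitHub's branch-protection API response
# (GET /repos/{owner}/{repo}/branches/{branch}/protection); only the fields
# this check reads are included.
WEAK_PROTECTION = json.loads("""
{
  "required_pull_request_reviews": {
    "require_code_owner_reviews": false,
    "required_approving_review_count": 1
  }
}
""")

# Same shape with the mitigations Cider Security recommends applied.
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {
        "require_code_owner_reviews": True,
        "required_approving_review_count": 2,
    }
}


def assess_branch_protection(protection: dict) -> list:
    """Return findings describing why one approval from the github-actions
    bot would satisfy this branch's review rule. An empty list means at
    least one of the mitigations named in the article is enforced."""
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        return ["no pull request reviews are required on this branch"]
    code_owners = bool(reviews.get("require_code_owner_reviews", False))
    count = reviews.get("required_approving_review_count", 0)
    if code_owners or count >= 2:
        return []   # Code Owner review or >= 2 approvals is in place
    return [f"only {count} approving review required and Code Owner review is off; "
            "a single github-actions bot approval satisfies the rule"]


# Constructed workflow excerpts. The first runs on pull_request and grants
# its GITHUB_TOKEN write access to pull requests, the permission a step
# needs to submit a review on the PR that triggered the run.
RISKY_WORKFLOW = """
name: ci
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
"""

SAFE_WORKFLOW = RISKY_WORKFLOW.replace("pull-requests: write", "pull-requests: read")

_PR_TRIGGER = re.compile(
    r"^on:\s*(?:\[[^\]]*pull_request[^\]]*\]|pull_request\s*$)"   # flow style
    r"|^\s+pull_request(?:_target)?:",                            # block style
    re.M)
_PR_WRITE = re.compile(r"^\s*pull-requests:\s*write\s*$", re.M)
_WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$", re.M)
_ANY_PERMS = re.compile(r"^\s*permissions:", re.M)


def workflow_pr_token_risk(workflow_yaml: str) -> str:
    """Classify a workflow by whether its GITHUB_TOKEN could approve the
    pull request that triggered it. Text-based on purpose (no YAML parser
    needed); a production scanner should parse the YAML properly."""
    if not _PR_TRIGGER.search(workflow_yaml):
        return "not triggered by pull requests"
    if _PR_WRITE.search(workflow_yaml) or _WRITE_ALL.search(workflow_yaml):
        return "self-approval possible"
    if _ANY_PERMS.search(workflow_yaml):
        return "token cannot write pull requests"
    # No permissions key at all: the token gets the repository default,
    # which this scan cannot see, so flag it for manual review.
    return "inherits repository default permissions"
```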

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers

According to researchers, flaws in the Brizy Page Builder plugin for WordPress can be chained together to allow attackers to take over a website completely. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws can be chained with the reintroduced access-control weakness to achieve full site takeover. Combined with the stored XSS flaw, any logged-in user could edit any published post and inject malicious JavaScript into it; combined with the other flaw, any logged-in user could upload potentially executable files and achieve remote code execution. 

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The earlier access-control problem (now tracked as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it is a high-severity issue caused by inadequate authorization checks, allowing attackers to edit posts. The plugin relied on a pair of administrator functions for a wide range of authorization checks, and any user who passed one of these tests was treated as an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 

The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows attackers to insert malicious scripts into web pages. Because it is a stored rather than a reflected XSS issue, victims need only visit the affected page to be attacked. 

The flaw allows a lower-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is then executed when the post is viewed or previewed by another user, such as an administrator. According to the researchers, it becomes truly dangerous when paired with the authorization bypass. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346) that could allow authenticated users to upload files to a website. According to the Wordfence researchers, the authorization-check vulnerability lets subscriber-level users elevate their privileges and then upload executable files to a location of their choice via the brizy_create_block_screenshot AJAX action. According to the analysis, other attack variants are also possible.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.
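As an added example (not the plugin's PHP code, which is not reproduced here), the following Python contrasts the file-naming pattern Wordfence describes with a hardened screenshot-upload handler: a strict allow-list for the id, a single forced .jpg extension, a containment check on the resolved path, and a check that the base64 body actually begins with JPEG magic bytes. The parameter names id and ibsf come from the article; the handler structure, the sample inputs and the JPEG-magic check are assumptions of this illustration.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")   # no dots, no path separators


def unsafe_screenshot_path(upload_dir: str, block_id: str) -> str:
    """Flawed pattern described by Wordfence: the caller-supplied id is used
    unchanged and '.jpg' is merely appended. 'shell.php' becomes
    'shell.php.jpg' (a double extension) and '../x' walks out of upload_dir."""
    return os.path.normpath(os.path.join(upload_dir, block_id + ".jpg"))


def safe_screenshot_path(upload_dir: str, block_id: str) -> Path:
    """Hardened form: allow-list the id, force exactly one extension and
    verify the resolved target still lives directly inside upload_dir."""
    if not _SAFE_ID.fullmatch(block_id):
        raise ValueError(f"rejected block id: {block_id!r}")
    base = Path(upload_dir).resolve()
    target = (base / f"{block_id}.jpg").resolve()
    if target.parent != base:            # defence in depth against traversal
        raise ValueError("target escapes the upload directory")
    return target


def decode_screenshot(ibsf_b64: str) -> bytes:
    """Decode the base64 body and insist it looks like a JPEG, so PHP source
    smuggled in the ibsf parameter is never written to disk."""
    raw = base64.b64decode(ibsf_b64, validate=True)
    if not raw.startswith(JPEG_MAGIC):
        raise ValueError("payload does not start with JPEG magic bytes")
    return raw


def handle_upload(upload_dir: str, block_id: str, ibsf_b64: str) -> Path:
    """Hardened equivalent of the screenshot-saving step."""
    target = safe_screenshot_path(upload_dir, block_id)
    target.write_bytes(decode_screenshot(ibsf_b64))
    return target


def demo() -> dict:
    """Exercise both variants on constructed inputs in a temp directory and
    return what each did, so the behaviour can be checked without output."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp, "uploads")
        uploads.mkdir()
        # The flawed naming only computes paths here; nothing is written.
        results["unsafe_name"] = os.path.basename(
            unsafe_screenshot_path(str(uploads), "shell.php"))
        results["unsafe_escapes"] = not unsafe_screenshot_path(
            str(uploads), "../../shell.php").startswith(str(uploads))
        # Constructed bodies: a stub JPEG and a non-image payload.
        image = base64.b64encode(JPEG_MAGIC + b"\x00" * 16).decode()
        not_image = base64.b64encode(b"<?php /* constructed */ ?>").decode()
        results["stored_name"] = handle_upload(str(uploads), "block42", image).name
        for label, block_id, body in (("double_extension", "shell.php", image),
                                      ("traversal", "../shell", image),
                                      ("non_image_body", "block42", not_image)):
            try:
                handle_upload(str(uploads), block_id, body)
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
    return results
```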

Phishers Steal One-Time Passwords from Coinbase Users

Crooks are getting smarter about phishing the one-time passwords (OTPs) needed to complete a login, as a recent phishing campaign targeting Coinbase customers shows. The campaign also reveals that phishers are attempting to create millions of new Coinbase accounts in order to find email addresses that are already associated with existing accounts. 

Coinbase is the world's second-largest cryptocurrency exchange, with over 68 million users in more than 100 countries. The now-defunct phishing domain, Coinbase.com.password-reset[.]com, was aimed at Italian Coinbase users (the site's default language was Italian), and according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security, it was a success. Holden's team was able to get into some of the phishing site's poorly concealed file directories, including its administrator panel. According to that panel, the phishing attack had harvested at least 870 sets of credentials before the site was taken down. 

According to Holden, the phishing gang appears to have identified Italian Coinbase customers by attempting to create new accounts using more than 2.5 million Italian email addresses. His team was also able to recover the username and password information that victims had supplied to the site, as well as nearly all of the email addresses that had been submitted ending in ".it." 

According to Holden's research, this phishing group attempted hundreds of thousands of half-hearted account signups per day. On Oct. 10, for example, the scammers ran over 216,000 email addresses through Coinbase's servers. They attempted to register 174,000 new Coinbase accounts the next day.

Coinbase revealed last month that malicious hackers stole cryptocurrency from 6,000 clients after exploiting a flaw in the company's SMS multi-factor authentication security tool. This phishing attempt is another example of how criminals are devising ever-more clever ways to get around popular multi-factor authentication alternatives like one-time passwords. 

In an emailed statement, Coinbase said, “Like all major online platforms, Coinbase sees attempted automated attacks performed on a regular basis. Coinbase is able to automatically neutralize the overwhelming majority of these attacks, using a mixture of in-house machine learning models and partnerships with industry-leading bot detection and abuse prevention vendors. We continuously tune these models to block new techniques as we discover them." 

Researchers say the simplest way to avoid phishing scams is to avoid clicking on links that appear unexpectedly in emails, text messages, or other forms of media. They also advised that you should never give out personal information in response to an unsolicited phone call.

Experts reported a possible data leak from the Mosgortrans website

According to their data, more than 1,000 phone numbers with names and more than 30,000 email addresses may have been leaked online.

Files containing names, email addresses, phone numbers, and usernames and passwords of users of the Mosgortrans website (Mosgortrans is a state-owned company operating the bus and electric bus networks in Moscow and the Moscow region) were made publicly available. In total, the hacker posted about 1,100 phone numbers and 31,000 email addresses online.

The appearance of the data online was reported by the Telegram channel “Information Leaks” on Thursday, October 14.

A representative of Kaspersky Lab confirmed that the company's employees found a message on one of the forums about a data leak, which presumably relates to the Mosgortrans website.

“According to a post on the forum, among the leaked data there are a number of configuration files: group, hosts, motd, my.cnf, networks, passwd, protocols, services, sshd_config, as well as files containing presumably user data: mails.txt, mostrans_admins.txt, Names.txt, phones.txt,” the company reported.

Alexander Dvoryansky, Communications Director at Infosecurity, said that the company has not yet been able to confirm the authenticity of the database, but if it is genuine, attackers could use the data for phishing and targeted advertising.

It is noted that there is no possibility to create a personal account on the Mosgortrans website, where users could specify personal data, but there is a feedback form.

The company itself denies that any data was leaked. “The published documents contain the standard contact information of employees, which is available in any bus depot, branch and office. In fact, this is a phone book, and most of the information is outdated. There was no hacking of the website and the internal database, this was already checked by our IT specialists,” a company representative said.

Brazilian E-commerce Giant Hariexpress Leaks 1.75 billion Records

Cybersecurity researchers at SafetyDetectives found that the Brazilian marketplace integration platform Hariexpress exposed nearly 1.8 billion records of private customer and seller data after misconfiguring an Elasticsearch server. 

Earlier this year in June, SafetyDetectives researchers unearthed exposed data and were able to trace the leak back to Hariexpress. Hariexpress is a firm that allows vendors to manage and automate their activity across several marketplaces such as Facebook, Amazon, Magazine Luiza, and Mercado Livre.

According to researchers, the company’s Elasticsearch server was left unencrypted with no password protection in place. It contained 610GB of data, including users’ full names, home, and delivery addresses, contact numbers, and billing details including billing addresses. Also leaked were vendors’ full names, CPF numbers, billing details, contact numbers, email and business/home addresses, and CNPJ numbers (National Register of Brazilian business).

However, SafetyDetectives could not estimate the total number of victims due to the size of the trove and the potential for fake email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” SafetyDetectives stated. 

Additionally, according to the researchers, it is not possible to know whether another party has accessed the data. Experts warn that datasets which directly identify customers of the marketplaces integrated by the firm could be used in phishing and social-engineering attacks. Because the records include purchases of intimate products alongside home and business addresses, blackmail and other crimes such as robbery are also possible. 

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach,” researchers added. 

According to security experts, victims may be able to recover damages, since Brazil’s data protection law, the Lei Geral de Proteção de Dados (LGPD), gives regulators the power to fine companies up to 2% of the previous year’s revenue for violating the law, capped at 50 million Brazilian reals ($10m). Given the scale of the problem, SafetyDetectives also recommends that e-commerce users be especially alert to phishing attempts and, in particular, social-engineering fraud.

The Consulate General of the Russian Federation in Ukraine called the hacking of its accounts an information provocation

The Consulate General of Russia in Kharkiv (Ukraine) considers the hacking of its social media pages an information provocation. “The issue regarding this incident will be resolved between Ukraine and Russia at the diplomatic level,” Igor Demyanenko, the head of the Consulate General, said on Thursday.

“We took it as an informational provocation that does not show Ukraine's compliance with the Vienna Convention on Consular Relations,” he said, adding that “the issue will be resolved through diplomatic channels between the Russian Foreign Ministry and the Ukrainian Foreign Ministry.”

Mr. Demyanenko said that this was the first time such a situation had arisen, and confirmed that access to the Consulate General's social media accounts had already been restored. The diplomatic mission's official website also posted a message stating that the information previously published by the attackers on the Consulate General's pages is invalid.

At the same time, he noted that after the incident, the number of subscribers on the pages of the Consulate General increased fivefold.

Earlier on Thursday, it became known that the Instagram and Facebook accounts of the Consulate General of the Russian Federation in Kharkov had been hacked: congratulations on the Day of Defenders of Ukraine (October 14) appeared on the consulate's page, and the post also contained provocative statements addressed to the Russian leadership, purportedly on behalf of the consulate staff. After the attack, the Consulate General lost access to account management. The Embassy of the Russian Federation in Kiev sent a note verbale to the Ministry of Foreign Affairs of Ukraine requesting that the competent Ukrainian authorities launch an investigation.

Acer Confirms Breach After Cyber Attack on Indian Servers

A hacker group has claimed to have breached Acer India's servers and taken about 60GB of confidential information belonging to several million of the company's customers. 

According to a post on a prominent hacker forum spotted by Privacy Affairs researchers, the group known as Desordern claimed to have obtained customer information, business data, financial data, and information relating to recent company audits. 

According to the hackers, the breach includes information on several million Acer customers, the majority of which are from India. It appears to have happened on October 5, according to the most current date stated in the leaked databases. Desordern also stated that it will provide Acer with access to the database in order to substantiate the data and show the breach is legitimate. 

A sample of the data, released for free and containing information on over 10,000 people, was confirmed to be genuine by Privacy Affairs researchers, who were able to contact some of those affected. Data belonging to millions more Acer customers will be offered for a fee at a later date, according to the group. 

An Acer spokesperson told IT Pro, “We have recently detected an isolated attack on our local after-sales service system in India.” 

“Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India.” 

The issue has been reported to local law enforcement and the Indian Computer Emergency Response Team, according to the spokesman, and there has been no substantial impact on the company's activities or business continuity. 

In March of this year, Acer was the victim of a $50 million ransomware attack carried out by the notorious REvil ransomware group. The group disclosed the Acer breach on its leak site, where it posted images of allegedly stolen documents such as financial spreadsheets, bank communications, and bank balances. That breach was thought to be connected to the Microsoft Exchange cyber-attack conducted by at least 10 hacker groups.