The Biden administration has declared a state of emergency that covers 17 states and Washington D.C. in the wake of the ransomware attack on the Colonial Pipeline Co., and is working with Colonial to restart operations. On Monday morning, FireEye also confirmed to Threatpost that it has been called in to help with the investigation, but it was not at liberty to say anything more. The news came as security researchers mulled possible perpetrators of the attack, and warned that the incident could be a harbinger of things to come.

05/10/2021 14:24 UPDATE: Shortly after this article was posted, the FBI confirmed in a terse statement that DarkSide ransomware is behind the attack.

The Biden declaration, which the government made on Sunday following Friday's attack and pipeline shutdown, covers Alabama, Arkansas, D.C., Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia. The government is working to keep the supply of gasoline, diesel, jet fuel and other refined petroleum products flowing to those states and the capital.

Join Threatpost for "Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks," a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT, for this FREE webinar sponsored by Zoho ManageEngine.

As well, the Cybersecurity & Infrastructure Security Agency (CISA) has posted ransomware guidance and resources, saying that it's engaged with Colonial…

The Lemon Duck cryptocurrency-mining botnet has added the ProxyLogon group of exploits to its bag of tricks, targeting Microsoft Exchange servers. That's according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework to its malware toolkit and has beefed up its anti-detection capabilities. On the latter front, it's using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.

Lemon Duck targets victims' computer resources to mine the Monero virtual currency, with self-propagating capabilities and a modular framework that allows it to infect additional systems, which then become part of the botnet. It has been active since at least the end of December 2018, and Cisco Talos calls it "one of the more complex" mining botnets, with several interesting tricks up its sleeve. For instance, Lemon Duck has at least 12 different initial-infection vectors, more than most malware, with the ProxyLogon exploits being only the latest addition. Its existing capabilities range from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; targeting internet-of-things devices with…
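The SMB and RDP password brute-forcing listed among Lemon Duck's infection vectors is the one a defender can usually catch in ordinary authentication telemetry before the miner or Cobalt Strike ever lands. The detector below is an added example written for this page, not code from Cisco Talos or from the Lemon Duck write-up. It assumes a constructed one-event-per-line export of Windows Security events (EventID 4625 for a failed logon, 4624 for a successful one, and the Windows logon-type codes 3 for network/SMB and 10 for RDP); the field layout, host names and addresses are all invented for the example. It flags any source that accumulates a threshold of failures against one host inside a sliding time window, records which account names and logon types were tried, and notes when a successful logon from the same source follows the burst, which is the signature of a guessing attack that worked.

```python
"""Sliding-window detector for SMB/RDP password-guessing bursts.

Added example, not code from Cisco Talos or the Lemon Duck report. Input is a
constructed one-event-per-line export of Windows Security events; the field
layout below is an assumption made for this example, not a real product format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed export layout:
# "<ISO-8601 UTC ts> host=<dest> eid=<EventID> user=<name> src=<ip> type=<logon type>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"eid=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<ltype>\d+)$"
)
FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"
LOGON_TYPE_NAMES = {"3": "network/SMB", "10": "RDP"}  # Windows logon-type codes

# Constructed sample: 10.0.5.23 hammers FS01 over SMB with three account names
# and finally gets in as "backup"; 10.0.7.8 mistypes a password twice over RDP.
SAMPLE_LOG = """\
# constructed export, not real telemetry
2021-05-10T08:59:50Z host=TS01 eid=4625 user=jsmith src=10.0.7.8 type=10
2021-05-10T09:00:01Z host=FS01 eid=4625 user=administrator src=10.0.5.23 type=3
2021-05-10T09:00:05Z host=FS01 eid=4625 user=administrator src=10.0.5.23 type=3
2021-05-10T09:00:09Z host=FS01 eid=4625 user=admin src=10.0.5.23 type=3
2021-05-10T09:00:12Z host=TS01 eid=4625 user=jsmith src=10.0.7.8 type=10
2021-05-10T09:00:14Z host=FS01 eid=4625 user=admin src=10.0.5.23 type=3
2021-05-10T09:00:18Z host=TS01 eid=4624 user=jsmith src=10.0.7.8 type=10
2021-05-10T09:00:20Z host=FS01 eid=4625 user=backup src=10.0.5.23 type=3
2021-05-10T09:00:30Z host=FS01 eid=4625 user=backup src=10.0.5.23 type=3
2021-05-10T09:00:45Z host=FS01 eid=4624 user=backup src=10.0.5.23 type=3
"""


def parse_line(line):
    """Parse one export line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag (src, host) pairs with >= threshold failed logons inside a sliding window.

    Returns a list of alert dicts ordered by burst start. Each alert tracks the
    account names tried, the logon types seen (SMB vs RDP), the running failure
    count, and whether a 4624 from the same source to the same host followed.
    """
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    windows = defaultdict(deque)  # (src, host) -> failures still inside the window
    alerts = {}
    for ev in events:
        key = (ev["src"], ev["host"])
        if ev["eid"] == FAILED_LOGON:
            q = windows[key]
            q.append(ev)
            while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            if key in alerts:  # burst already flagged: keep accumulating
                a = alerts[key]
                a["failures"] += 1
                a["last"] = ev["ts"]
                a["users"].add(ev["user"])
                a["logon_types"].add(LOGON_TYPE_NAMES.get(ev["ltype"], ev["ltype"]))
            elif len(q) >= threshold:
                alerts[key] = {
                    "src": ev["src"], "host": ev["host"],
                    "first": q[0]["ts"], "last": ev["ts"], "failures": len(q),
                    "users": {x["user"] for x in q},
                    "logon_types": {LOGON_TYPE_NAMES.get(x["ltype"], x["ltype"]) for x in q},
                    "followed_by_success": False, "success_user": None,
                }
        elif ev["eid"] == SUCCESS_LOGON and key in alerts:
            # Events are time-ordered, so this success comes after the burst began.
            alerts[key]["followed_by_success"] = True
            alerts[key]["success_user"] = ev["user"]
    out = []
    for a in sorted(alerts.values(), key=lambda a: a["first"]):
        a["users"], a["logon_types"] = sorted(a["users"]), sorted(a["logon_types"])
        out.append(a)
    return out


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['src']} -> {a['host']}: {a['failures']} failures over "
              f"{a['logon_types']} trying {a['users']}; "
              f"success afterwards: {a['followed_by_success']} ({a['success_user']})")
```

The detector keys on source and destination rather than on logon type because RDP attempts rejected at the Network Level Authentication stage are commonly logged as 4625 with logon type 3, not 10, so filtering on type 10 alone would undercount RDP guessing. Tune the threshold and window to the environment; five failures in a minute is far below what a worm-style brute-forcer produces, but service accounts with stale passwords can trip it, which is why the alert carries the account names tried.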

How much is your payroll data worth? Probably a lot more than you think. One financial startup that's targeting the gig worker market is offering up to $500 to anyone willing to hand over the payroll account username and password given to them by their employer, plus a regular payment for each month afterwards in which those credentials still work.

This ad, from workplaceunited[.]com, promised up to $500 for people who provided their payroll passwords, plus $25 a month for each month those credentials kept working.

New York-based Argyle.com says it's building a platform where people who work multiple jobs and/or side hustles can improve their credit and employment options by pooling all of their gig work data in one place. "Consumers' access to financial security and upward mobility is dependent on their access to and control over their own employment records and how easily they can share those records with financial institutions," Argyle explained in a May 3 blog post. "We enable access to a dataset that, for too long, has gone unstandardized, unregulated, and controlled by corporations instead of consumers, contributing to system-wide inequalities."

Argyle's app flow. Image: Argyle.com.

In that sense, Argyle is making a play for a discrete chunk of a much larger employment data market dominated by the major credit bureaus, which have been hoovering up and selling access to employment data for years. The 800-lb. gorilla there is Equifax, whose The Work Number product has…

A ransomware attack is being blamed for halting pipeline activities at the Colonial Pipeline Company, which supplies the East Coast with roughly 45 percent of its liquid fuels. In a statement released Saturday, the Colonial Pipeline Company said it temporarily halted pipeline operations in response to a cyberattack that hit the company on Friday.

"On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware," the company wrote in a Saturday statement. As a precaution, the company proactively took key systems offline to avoid further infections. "In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems," the company stated. "Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing."

The company, which delivers gasoline and diesel fuel to the East Coast, said it has also contacted law enforcement and other federal agencies. "Colonial Pipeline is taking steps to understand and resolve this issue. At this time, our primary focus is the safe…

In 2019, a Chinese security researcher working with the internet security and antivirus company Qihoo 360 unveiled an intricately woven exploit: one that would allegedly let a remote attacker easily jailbreak an iPhone X running iOS 12.1. The researcher, Qixun Zhao, dubbed the exploit Chaos, for good reason. As this proof-of-concept video allegedly shows, a successful exploit would allow a remote attacker to jailbreak an iPhone X with the targeted user none the wiser, giving the intruder access to a victim's data, processing power and more. It worked as a drive-by malware download, requiring only that the iPhone user visit a web page containing Qixun's malicious code. It would have made a superb spying tool, seeing how it would let an attacker easily take control of even the newest, most up-to-date iPhones, enabling a snooper to read a victim's messages and passwords and to track their location in near-real time.

According to a report published by MIT Technology Review on Thursday, that's exactly what happened: "virtually overnight," Chinese intelligence allegedly used the exploit as a weapon before Apple could fix the problem. The publication said that, according to its sources, the U.S. has amassed details of how the Chaos exploit was used to hack China's…

Broadband providers and a 19-year-old college student were among those who successfully hijacked the public-comment process in 2017, when the Federal Communications Commission (FCC) made its crucial decision to overturn net neutrality, by flooding the FCC with fraudulent comments backing their respective positions, according to a new report. A secret campaign by the broadband industry to drum up support for rolling back net neutrality resulted in fake comments making up more than 40 percent of those sent to the FCC during the public-comment phase of its decision, according to the report by the New York State Office of the Attorney General. The industry also sent more than half a million fake letters to Congress to "create the appearance of widespread grassroots opposition to existing net neutrality rules, which as described in an internal campaign planning document would help provide 'cover' for the FCC's proposed repeal," according to the report, "Fake Comments: How U.S. Companies and Partisans Hack Democracy to Undermine Your Voice," published online Thursday.

On the other side of the debate, a 19-year-old college student who opposed the repeal of net neutrality managed to file more than 7.7 million pro-neutrality comments with the FCC by fabricating people's names and…

John Bernard, a pseudonym used by a convicted thief and con artist named John Clifton Davies who has fleeced dozens of technology startups out of an estimated $30 million, appears to have reinvented himself again after being exposed in a recent investigative series published here. Sources tell KrebsOnSecurity that Davies/Bernard is now posing as John Cavendish, head of a new "private office" called Hempton Business Management LLP.

John Davies is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared of murdering his wife on their honeymoon in India. Davies' fraud convictions stemmed from a series of U.K. companies he set up supposedly to help troubled companies reorganize their debt and turn things around. Davies ended up looting what little money his clients had left and spending it on lavish cars, home furnishings, vacations and luxury watches. In a three-part series published last year, KrebsOnSecurity exposed how Davies — wanted by authorities in the U.K. — had fled the country, taken on the surname Bernard, remarried, and moved to his new (and fourth) wife's hometown in Ukraine.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

After eluding justice in the U.K., Davies reinvented himself as The Private Office of John Bernard, pretending to be a billionaire Swiss investor who made his…

A vulnerability in a 5G modem data service could allow mobile hackers to remotely target Android users by injecting malicious code into a phone's modem, gaining the ability to execute code, access mobile users' call histories and text messages, and eavesdrop on phone calls. That's according to Check Point Research, which said that the bug (CVE-2020-11292) exists in the Qualcomm Mobile Station Modem (MSM) Interface, known as QMI for short. MSMs are systems on chips (SoCs) designed by Qualcomm, and QMI is a proprietary protocol used to communicate between software components in the modem and other peripheral subsystems.

The impact of the bug could be far-reaching: MSMs have been used since the pre-mobile-internet 2G era of mobile devices, and QMI is used in roughly 30 percent of the globe's handsets, according to Check Point, including Google Pixels, LG models, OnePlus devices, Samsung's flagship Galaxy line and Xiaomi phones. As for the attack vector, attackers can exploit the bug to attack a mobile device remotely via a malicious or trojanized Android application, a Check Point spokesperson told Threatpost. "The vector involves a target installing a malicious application," he said. "Assuming a malicious application is running on the phone, it can…

Cisco has addressed two critical security vulnerabilities in its SD-WAN vManage software, one of which could allow an unauthenticated attacker to carry out remote code execution (RCE) on corporate networks or steal information. The networking giant also disclosed a denial-of-service issue in vManage, and locally exploitable bugs that would allow an authenticated attacker to escalate privileges or gain unauthorized access to applications. Separately, Cisco patched two vulnerabilities in the Cisco HyperFlex HX platform, one of them rated critical.

Critical vManage Security Bugs

vManage is a centralized network management system that provides a graphical interface for monitoring, configuring and maintaining all devices and links in the overlay SD-WAN. According to Cisco's Wednesday advisory, there are five security holes in the software, the first four only exploitable if the platform is running in cluster mode:

- CVE-2021-1468: Critical Unauthorized Message-Processing Vulnerability (RCE)
- CVE-2021-1505: Critical Privilege-Escalation Vulnerability
- CVE-2021-1508: High-Severity Unauthorized-Access Vulnerability
- CVE-2021-1506: High-Severity Unauthorized Services-Access Vulnerability
- CVE-2021-1275: High-Severity Denial-of-Service Vulnerability

The issue tracked as CVE-2021-1468 is the most severe of the five, carrying a CVSS vulnerability-severity score of 9.8 out of 10. It exists in the messaging service used by vManage, and is due to improper authentication checks on user-supplied input to…

A European biomolecular research institute involved in COVID-19 research lost a week's worth of research data, all thanks to a Ryuk ransomware attack traced back to a student trying to save money by buying unlicensed software. Security researchers at Sophos described the attack in a report published on Thursday, after the security firm's Rapid Response team was called in to mop up the mess. Hey, everybody makes mistakes, the researchers said. That frugal student made a few of them. But the student's goof-ups escalated into a full-fledged ransomware attack because there were no security measures in place to stop those missteps from turning into a compromise, the researchers said.

Remote-Access Slipups

As so many organizations do, the institute allows outsiders to access its network from their personal computers. They can do so via remote Citrix sessions that do not require two-factor authentication (2FA). The lack of required 2FA should raise red flags right there, never mind the fact that Citrix is one of the most widely used platforms that threat actors are actively looking to exploit in order to steal credentials. In April, the U.S. National Security Agency (NSA) issued an alert warning that nation-state actors were exploiting vulnerabilities that affect VPNs, collaboration-suite software and virtualization technologies.
