Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for "deceptive statements" the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me. In a letter to FTC Chair Lina Khan, the Senators charge that ID.me's CEO Blake Hall has offered conflicting statements about how his company uses the facial scan data it collects on behalf of the federal government and the many states that use the ID proofing technology to screen applicants for unemployment insurance. The lawmakers say that in public statements and blog posts, ID.me has frequently emphasized the difference between two types of facial recognition: one-to-one and one-to-many. In the one-to-one approach, a live video selfie is compared to a single reference image, such as the photo on a driver's license. One-to-many facial recognition compares a face against a database of other faces to find any potential matches. Americans have particular reason to be concerned about the difference between these two types of facial recognition, says the letter to the FTC, signed by Sens. Cory Booker (D-N.J.), Edward Markey (D-Mass.), Alex Padilla (D-Calif.), and Ron Wyden (D-Ore.): "While one-to-one recognition involves a one-time comparison of two images in order to…

On Monday, the U.S. Attorney’s Office for the Eastern District of New York revealed criminal charges against 55-year-old cardiologist Moises Luis Zagala Gonzalez of Ciudad Bolívar, Venezuela, accusing him of being the mastermind behind the prolific Thanos malware. The indictment alleges he “designed multiple ransomware tools—malicious software that cybercriminals use to extort money from companies, nonprofits and other institutions, by encrypting those files and then demanding a ransom for the decryption keys. Zagala sold or rented out his software to hackers who used it to attack computer networks.” According to a DOJ press release, beginning in late 2019, Gonzalez took to online cybercrime forums to market a new product he’d built. It was a ransomware builder – software that helps other cybercriminals more easily design their own custom ransomware programs. Gonzalez called it “Thanos.” Thanos came with a bevy of handy features: a data stealer, a self-delete function, a field for writing custom ransom messages, and an anti-virtual-machine tool designed to outsmart the testing environments security researchers might use to analyze such malware. Cybercriminals could purchase a subscription to this malware or participate in an “affiliate program.” Under that model, customers would receive free access. In exchange, they’d share a portion of their earnings with Gonzalez. Gonzalez – who went by the handles “Nosophoros,” “Aesculapius” and “Nebuchadnezzar” – is part of a growing…

Most advanced persistent threat groups (APTs) use known vulnerabilities in their attacks against organizations, suggesting that prioritizing faster patching, rather than chasing zero-day flaws, is the more effective security strategy, new research has found. Security researchers at the University of Trento in Italy assessed how organizations can best defend themselves against APTs in a recent report published online. What they found goes against some common security beliefs held by many security professionals and organizations, they said. The team manually curated a dataset of APT attacks that covers 86 APTs and 350 campaigns that occurred between 2008 and 2020. Researchers studied attack vectors, exploited vulnerabilities (e.g., zero-days vs. public vulnerabilities) and affected software and versions. One belief the research debunked is that all APTs are highly sophisticated and prefer attacking zero-day flaws rather than ones that have already been patched. “Contrary to common belief, most APT campaigns employed publicly known vulnerabilities,” they wrote in the report. Indeed, of the 86 APTs that researchers investigated, only eight (Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus and Rancor) exploited vulnerabilities that others didn’t, researchers found. This demonstrates that not all APTs are as sophisticated as many think, as the groups “often reuse tools, malware, and vulnerabilities,” they wrote in the report.

Faster Updates Reduce…

Recently reported VMware bugs are being exploited by attackers to deliver the Mirai denial-of-service malware and to exploit the Log4Shell vulnerability. Security researchers at Barracuda discovered attempts to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month. “Barracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960,” Barracuda reported. VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954, which has a CVSS score of 9.8 and allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager. The other bug, CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the VMware advisory, the bug arises from improper permissions in support scripts, allowing an attacker with local access to gain root privileges. VMware Workspace ONE is an intelligence-driven workspace platform that helps manage any app on any device in a secure and simpler manner. Identity Manager handles authentication to the platform and…

Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder's appropriate security level. But many government employees aren't issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here's one example.

A sample Common Access Card (CAC). Image: Cac.mil.

KrebsOnSecurity recently heard from a reader — we'll call him "Mark" because he wasn't authorized to speak to the press — who works in IT for a major government defense contractor and was issued a Personal Identity Verification (PIV) government smart card designed for civilian employees. Not having a smart card reader at home and lacking any obvious guidance from his co-workers on how to get one, Mark opted to purchase a $15 reader from Amazon that said it was made to handle U.S. government smart cards. The USB-based device Mark settled on is the first result that currently comes up when one searches Amazon.com for "PIV card reader." The card reader Mark bought was sold by a company called Saicoo, whose sponsored Amazon listing advertises a "DOD Military USB Common Access Card (CAC) Reader" and has more than 11,700 mostly positive ratings. The Common Access Card (CAC) is the standard identification for active duty uniformed service…

Unpatched vulnerabilities in the Spring Framework and WordPress plugins are being exploited by the cybercriminals behind the Sysrv botnet to target Linux and Windows systems. The goal, according to researchers, is to infect systems with cryptomining malware. The botnet variant is being called Sysrv-K by Microsoft Security Intelligence researchers, who posted a thread on Twitter revealing details of the variant.

We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers. — Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022

Spring Cloud is an open-source library that eases the development of JVM applications for the cloud, and Spring Cloud Gateway provides a library for building API gateways for Spring and Java. CVE-2022-22947 is a code injection vulnerability in the Spring Cloud Gateway library that lets an attacker perform remote code execution (RCE) on unpatched hosts. The flaw affected VMware and Oracle products and has been marked as critical by both vendors.

How Sysrv-K Works

The Microsoft Security Intelligence team warned that Sysrv-K can gain control of web servers by scanning the internet for various vulnerabilities through which to install itself. The vulnerabilities range from RCE to arbitrary file download and path…

Attackers can target iPhones even when they are turned off, due to how Apple implements the standalone wireless features Bluetooth, Near Field Communication (NFC) and Ultra-wideband (UWB) in the device, researchers have found. These features, which have access to the iPhone’s Secure Element (SE), where sensitive information is stored, stay on even when modern iPhones are powered down, a team of researchers from Germany’s Technical University of Darmstadt discovered. By compromising these wireless features, attackers could then go on to access secure information such as a user’s credit card data, banking details or even digital car keys on the device, researchers Jiska Classen, Alexander Heinrich, Robert Reith and Matthias Hollick of the university’s Secure Mobile Networking Lab disclosed in their paper. Though the risk is real, exploiting the scenario is not so straightforward for would-be attackers, the researchers acknowledged. Threat actors would still need to load the malware while the iPhone is on for later execution when it’s off, they said. This would require system-level access or remote code execution (RCE), the latter of which they could gain by using known flaws, such as BrakTooth, the researchers said.

Root of the Issue

The root cause of the issue is the current implementation of low power mode (LPM) for wireless chips on iPhones, the researchers detailed in the paper. The team differentiated between the LPM that these chips run on and the power-saving app that iPhone users can enable…

Microsoft is alerting customers that its May Patch Tuesday update is causing authentication errors and failures tied to Windows Active Directory Domain Services. In a Friday update, Microsoft said it was investigating the issue. The warning comes amid shared reports of multiple services and policies failing after installing the security update. “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect,” posted an admin to a Reddit thread on the topic. According to Microsoft, the issue is caused by installing the updates released on May 10, 2022. “After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” Microsoft reported. “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft added. A domain controller is a server responsible for responding to authentication requests and verifying users on a computer network, and Active Directory is a directory service that stores information about objects on a network and makes this information readily available to users. Microsoft…

Cybercriminals are promoting a new, modular malware-as-a-service offering that allows would-be attackers to choose from a cornucopia of threats via a Telegram channel that to date has more than 500 subscribers, researchers have found. The new malware service, dubbed the Eternity Project by the threat actors behind it, allows cybercriminals to target potential victims with a customized threat offering based on individual modules they can buy for prices ranging from $90 to $490, researchers from security firm Cyble wrote in a blog post published Thursday. Eternity, which researchers discovered on a Tor website where the malware-as-a-service is also for sale, demonstrates the “significant increase in cybercrime through Telegram channels and cybercrime forums,” researchers wrote in the post. This is likely because threat actors can sell their products without any regulation, they said. Each module is sold individually and has different functionality that researchers suspect is being repurposed from code in an existing GitHub repository, which the project developers are then modifying and selling under a new name, according to Cyble. “Our analysis also indicated that the Jester Stealer could also be rebranded from this particular GitHub project which indicates some links between the two threat actors,” they wrote.

Specific Modules and Functionality

Threat actors are selling the Eternity Stealer for $260 as an annual subscription. The module steals passwords, cookies, credit cards…

On April 23rd, 2022, a Discord user with the handle “Portu” began advertising a new password-stealing malware builder. Malware builders are programs on top of which so-called script kiddie hackers can craft their own executables. Script kiddie is cybersecurity parlance for a novice hacker who takes preexisting code and slightly modifies it for their own nefarious purposes. Four days later, threat analysts from Uptycs discovered the first Portu-inspired malware sample in the wild, which researchers dubbed “KurayStealer.” According to researchers, the malware has been used to target Discord users.

How KurayStealer Works

The author behind KurayStealer has clearly taken inspiration – and code – from other attacks. “We have seen several other similar versions floating around in public repositories like GitHub,” the researchers noted, concluding that “the KurayStealer builder has several components of different password stealers.” When it is first executed, KurayStealer runs a check to determine whether the malicious user is running the free or “VIP” (paid) version. Next, it attempts to replace the string “api/webhooks” with “Kisses” in BetterDiscord – an extended version of the Discord app with greater functionality for developers. If this action is successful, the hacker can undermine the app in order to set up webhooks. Webhooks are a mechanism by which webpages and applications can send real-time data to one another over HTTP. They’re like APIs, the key difference being…