Zeppelin ransomware is back and employing new compromise and encryption tactics in its recent campaigns against various vertical industries, particularly healthcare, as well as critical infrastructure organizations, the feds are warning. Threat actors deploying the ransomware as a service (RaaS) are tapping Remote Desktop Protocol (RDP) exploitation and SonicWall firewall vulnerabilities, alongside previously used phishing campaigns, to breach target networks, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) released Thursday. The advisory also notes that Zeppelin actors have executed the malware multiple times within a single victim's network, creating different IDs or file extensions for each run; "this results in the victim needing several unique decryption keys," according to the advisory. CISA has identified multiple variants of Zeppelin through various FBI investigations, with attacks occurring as recently as June 21, the agency said.

Targets and Tactics

Zeppelin is a variant of the Delphi-based RaaS family initially known as Vega or VegaLocker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance. Unlike its predecessor, Zeppelin's campaigns have been much more targeted, with threat actors first taking aim at tech and healthcare companies in Europe and the United States. The latest campaigns continue to target healthcare and medical organizations most often, according to CISA. Tech companies also remain in the crosshairs of Zeppelin, with threat actors also using the RaaS in attacks against defense…

Source

The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System (EAS), a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEF CON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.

Photo caption: A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine.

The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals. "I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer," Pyle said in an interview with KrebsOnSecurity. "But nothing ever happened. I decided I wasn't going to tell anyone about it yet because I wanted to give people time to fix it." Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021. "I was sitting there thinking, 'Holy shit, someone could start a civil war with this thing,'"…

Source

Users of the Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track "every single tap" users make on external websites opened inside the apps. Researcher Felix Krause, who outlined how Meta tracks users in a blog post published Wednesday, claims that this type of tracking exposes users to "various risks". He warns that both iOS versions of the apps can "track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap" via their in-app browsers.

Meta's Use of JavaScript Injection

"The Instagram [and Facebook] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn't do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," Krause wrote. According to the researcher, pcm.js is an external JavaScript file injected into websites viewed within the in-app browser. It is used by both apps and builds a communication bridge between the in-app website content and the host app, which is what gives the app a channel to receive whatever an injected script observes. Meta responded to Krause's research with a statement published by The Guardian: "We intentionally developed this code to honour people's…

Source

A cybersecurity firm says it has intercepted a large, unique stolen data set containing the names, addresses, email addresses, phone numbers, Social Security Numbers and dates of birth of nearly 23 million Americans. The firm's analysis of the data suggests it corresponds to current and former customers of AT&T. The telecommunications giant stopped short of saying the data wasn't theirs, but it maintains the records do not appear to have come from its systems and may be tied to a previous data incident at another company. Milwaukee-based cybersecurity consultancy Hold Security said it intercepted a 1.6 gigabyte compressed file on a popular dark web file-sharing site. The largest item in the archive is a 3.6 gigabyte file called "dbfull," which contains 28.5 million records, including 22.8 million unique email addresses and 23 million unique SSNs. There are no passwords in the database. Hold Security founder Alex Holden said a number of patterns in the data suggest it relates to AT&T customers. For starters, email addresses ending in "att.net" accounted for 13.7 percent of all addresses in the database, with addresses from SBCGlobal.net and Bellsouth.net, both AT&T companies, making up another seven percent. In contrast, Gmail users made up more than 30 percent of the data set, with Yahoo addresses accounting for 24 percent. More than 10,000 entries in the database list "none@att.com" in the email field. Hold Security found these email domains…

Source

A Belgian security researcher has successfully hacked the SpaceX-operated Starlink satellite-based internet system using a homemade circuit board that cost around $25 to build, he revealed at Black Hat. Lennert Wouters detailed a voltage fault injection attack on a Starlink User Terminal (UT), the satellite dish people use to access the system, that allowed him to break into the dish and explore the Starlink network from there, in a presentation called "Glitched on Earth by Humans" at the annual ethical hacker conference this week. Wouters physically stripped down a satellite dish he purchased and created a custom board, or modchip, that attaches to the Starlink dish, according to a report in Wired about his presentation on Wednesday. He built the tool from low-cost, off-the-shelf parts and used it to obtain root access by glitching the Starlink UT's system-on-chip (SoC) bootrom, according to a tweet previewing the presentation that he said was sent through a rooted Starlink UT. To design the modchip, Wouters scanned the Starlink dish and created a board that fits over the existing Starlink PCB. He soldered the modchip, composed of a Raspberry Pi RP2040 microcontroller, flash storage, electronic switches and a voltage regulator, to the existing Starlink PCB and connected it with a few wires, according to the report.

'Unfixable Compromise'

Once attached to the Starlink dish, the tool launched a fault injection attack to temporarily short…

Source

A new hacker forum is taking a unique political stance to support Ukraine in its war with Russia, entertaining only topics and threat activity focused against Russia and Belarus, researchers have found. The Russian-language site, DUMPS Forum, has been around since late May, and at first glance seemed like "every other run-of-the-mill Russian language cybercriminal forum," researchers from the Photon Research Team of Digital Shadows, a ReliaQuest company, said in a blog post published Wednesday. The forum, which currently has about 100 members, has sections for trading illicit material, carding, malware, and establishing access to targeted networks, with an open invite for anyone to join. A closer look at the forum revealed its unique ideology: a firm political stance in support of Ukraine as it defends itself against Russia's invasion, "the only forum we're aware of that is taking such a stance," researchers wrote. While most of the specific activity sections remained empty at the time researchers viewed the forum, the most populated section so far was the one focused on leaks, researchers noted. Users have already shared data stolen from Russia-based government and private institutions, including several well-known and important government entities as well as utility providers, they said. Indeed, much of the activity currently discussed on the site is geared toward sharing data leaks, researchers observed. Other top topics advertise DDoS attack services, forged and…

Source

Cisco Systems revealed details of a May hack by the Yanluowang ransomware group that leveraged an employee's compromised personal Google account. The networking giant is calling the attack a "potential compromise" in a Wednesday post by the company's own Cisco Talos threat research arm. "During the investigation, it was determined that a Cisco employee's credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim's browser were being synchronized," wrote Cisco Talos in a lengthy breakdown of the attack. Forensic details of the attack led Cisco Talos researchers to attribute it to the Yanluowang threat group, which they maintain has ties to both the UNC2447 and the notorious Lapsus$ cybergangs. Ultimately, Cisco Talos said the adversaries were not successful at deploying ransomware, but they did penetrate its network, plant a set of offensive tools and conduct internal network reconnaissance "commonly observed leading up to the deployment of ransomware in victim environments."

Outsmarting MFA for VPN Access

The crux of the hack was the attackers' ability to obtain the targeted employee's Cisco VPN credentials and use them to reach the corporate network through that VPN. "Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee's personal Google account. The user had enabled password syncing via Google Chrome and had stored their…

Source

There is no question that companies are in the sights of would-be criminals looking to exploit them. While companies look at solutions and training to help keep the perimeter secure, the biggest failure point is often the employees, a.k.a. the human element. In this Threatpost podcast, sponsored by Egress, we sit down with Jack Chapman to discuss the steps and tactics that companies can take to stay one step ahead of their adversaries.

During our conversation, we discuss:
– Weaknesses that attackers look to exploit
– Evolution of toolkits
– Securing MFA and more

An abridged transcript is available below.

Jeff Esposito: Hello, everyone, and welcome to the latest edition of the Threatpost Podcast. Today we are joined by Jack Chapman of Egress. He is the VP of threat intelligence at Egress and is tasked with deeply understanding the evolving cyber threat landscape to remain one step ahead of cybercriminals. Leveraging these insights and his extensive R&D skill set, Jack oversees threat intelligence for Egress. Jack previously co-founded anti-phishing company Aquila AI and served as its chief technology officer, working closely with the UK intelligence and cyber agency GCHQ to develop cutting-edge product capabilities. Aquila AI was acquired by Egress in 2021. Jack, welcome to the podcast. How are you doing today?

Jack Chapman: Good, Jeff. Pleased to be here.

JE: It's always good to see you. Hopefully, everything's going well over in the UK today. So in looking at your background, I…

Source

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a "+" character after the username portion of your email address, followed by a notation specific to the site you're signing up at, lets you create an effectively unlimited number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here's a look at the pros and cons of adopting a unique alias for each website.

What is an email alias?

When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that, prefaced by a "+" sign, just to the left of the "@" sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called "Example," along with a new filter that sends any email addressed to that alias to the Example folder. Importantly, you don't ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a…
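The alias-per-site scheme described above, as an added Python example that is not from KrebsOnSecurity: it builds "user+tag@domain" aliases, canonicalizes addresses the way providers that ignore the tag (and, for Gmail, dots in the local part) do, emits a Sieve filing rule for mail hosts without a point-and-click filter UI, and scans (sender, recipient) pairs for aliases that received mail from someone other than the site they were given to. The provider lists and the sample messages are assumptions and constructed data, not anything from the original post.

```python
"""Per-site e-mail aliases ("plus addressing"): build them, canonicalize them
the way providers do, and flag aliases that receive mail from the wrong sender.

Example code added for this page; it is not from KrebsOnSecurity. The provider
lists and the sample messages below are assumptions / constructed data.
"""
import re

# Providers assumed here to deliver "user+tag@domain" to "user@domain".
# Illustrative, not exhaustive: confirm against your own provider's docs.
PLUS_ADDRESSING_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "fastmail.com", "proton.me", "protonmail.com", "icloud.com",
}
# Providers assumed here to ignore dots in the local part as well.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

_ADDR_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")
_TAG_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def split_address(addr):
    """Return (user, tag, domain); tag is '' when the address has no '+'."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not an e-mail address: {addr!r}")
    user, _, tag = m.group("local").partition("+")
    return user, tag, m.group("domain").lower()


def supports_plus_addressing(addr):
    """Best-effort check against the assumed provider list above."""
    return split_address(addr)[2] in PLUS_ADDRESSING_DOMAINS


def make_alias(base, tag):
    """Build 'user+tag@domain' from an untagged base address and a site tag."""
    user, existing, domain = split_address(base)
    if existing:
        raise ValueError("base address already carries a '+' tag")
    if not _TAG_RE.match(tag):
        raise ValueError("tag must be letters, digits, '.', '_' or '-'")
    return f"{user}+{tag}@{domain}"


def canonical(addr):
    """Collapse an address to the mailbox that actually receives it.

    This is exactly what a spammer or credential-stuffer does to defeat
    aliases: drop the tag, and drop dots where the provider ignores them.
    Local parts are lower-cased (assumes a case-insensitive provider).
    """
    user, tag, domain = split_address(addr)
    if domain in PLUS_ADDRESSING_DOMAINS:
        tag = ""
    if domain in DOT_INSENSITIVE_DOMAINS:
        user = user.replace(".", "")
    local = user.lower() + (f"+{tag}" if tag else "")
    return f"{local}@{domain}"


def sender_matches(sender_domain, expected_domain):
    """True when the sender is the expected domain or a subdomain of it."""
    return sender_domain == expected_domain or sender_domain.endswith("." + expected_domain)


def find_leaks(messages, expected_senders):
    """Flag tagged recipients that got mail from someone other than their site.

    messages: iterable of (sender, recipient) address pairs.
    expected_senders: {tag: domain the alias was registered with}.
    Returns a list of (tag, expected_domain, sender) for suspicious mail.
    """
    leaks = []
    for sender, recipient in messages:
        _, tag, _ = split_address(recipient)
        if not tag or tag not in expected_senders:
            continue  # untagged or unknown alias: nothing to attribute
        _, _, sender_domain = split_address(sender)
        expected = expected_senders[tag]
        if not sender_matches(sender_domain, expected):
            leaks.append((tag, expected, sender))
    return leaks


def sieve_rule(alias, folder):
    """Emit a Sieve (RFC 5228) rule that files mail for one alias into a folder."""
    return (
        'require ["fileinto"];\n'
        f'if address :is "to" "{alias}" {{\n'
        f'    fileinto "{folder}";\n'
        '}\n'
    )


# Constructed sample data (not real mail): which site each tag was given to,
# and a few (sender, recipient) pairs as they might appear in an inbox.
EXPECTED_SENDERS = {"example": "example.com", "shop": "shop.example"}
SAMPLE_MESSAGES = [
    ("noreply@example.com", "krebsonsecurity+example@gmail.com"),
    ("alerts@mail.example.com", "krebsonsecurity+example@gmail.com"),
    ("billing@shop.example", "krebsonsecurity+shop@gmail.com"),
    ("deals@unrelated-sender.test", "krebsonsecurity+shop@gmail.com"),
    ("promo@unrelated-sender.test", "krebsonsecurity@gmail.com"),
]

if __name__ == "__main__":
    alias = make_alias("krebsonsecurity@gmail.com", "example")
    print(alias, "->", canonical(alias))
    print(sieve_rule(alias, "Example"))
    for tag, expected, sender in find_leaks(SAMPLE_MESSAGES, EXPECTED_SENDERS):
        print(f"alias +{tag} (given to {expected}) received mail from {sender}")
```

The canonical() step is the caveat that belongs next to the pros and cons: because the provider delivers user+anything@ to the same mailbox, anyone who obtains an alias can strip the tag and reach the underlying address, so an alias attributes a leak but does not hide the mailbox, and spam sent to the bare address (the last constructed message) cannot be attributed to any site at all.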

Source

Microsoft is urging users to patch a zero-day vulnerability dubbed Dogwalk that is actively being exploited in the wild. The bug (CVE-2022-34713) is in the Microsoft Windows Support Diagnostic Tool (MSDT) and allows a remote attacker to execute code on a vulnerable system. "The volume of fixes released this month is markedly higher than what is normally expected in an August release. It's almost triple the size of last year's August release, and it's the second largest release this year," wrote Dustin Childs, Zero Day Initiative manager, in a Tuesday blog post.

Dogwalk Flaw Was Over Two Years Old

The actively exploited Dogwalk bug was first reported to Microsoft in January 2020 by researcher Imre Rad. However, it wasn't until separate researchers began tracking exploitation of another MSDT flaw, dubbed Follina (CVE-2022-30190), that the Dogwalk bug was rediscovered. That renewed interest in Dogwalk appears to have motivated Microsoft to add the patch to this month's round of fixes, according to a Tenable Patch Tuesday roundup. Microsoft states that CVE-2022-34713 is a "variant of" Dogwalk, but distinct from it. Microsoft rated the vulnerability Important with a CVSS attack vector of Local, which the article reads as requiring physical access to a vulnerable computer; in CVSS terms, however, Local also covers a malicious file the victim is tricked into opening. Researchers at Zero Day Initiative outline how such a remote attack might occur: "There is an element of social engineering to this as a threat actor would need to convince a user to click a link or…

Source