The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers. Patches are currently available for all these flaws – and in some cases, have been available for over a year – however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security. “CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,” according to a Monday CISA advisory. “Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.” No further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities – allowing them to compromise federal government and commercial entities, according to CISA. The first is a vulnerability (CVE-2020-5902) in F5’s BIG-IP Traffic Management User Interface, which allows cyber threat actors to execute…

Users of 70 different adult dating and e-commerce websites have had their personal information exposed, thanks to a misconfigured, publicly accessible Elasticsearch cloud server. In all, 320 million individual records were leaked online, researchers said. All of the impacted websites have one thing in common: They all use marketing software from Mailfire, according to researchers at vpnMentor. The data kept on the server was connected to a notification tool used by Mailfire’s clients to market to their website users and, in the case of dating sites, notify website users of new messages from potential matches. The data – totaling 882.1GB – comes from hundreds of thousands of individuals, vpnMentor noted; the affected people stretch across the globe, in more than 100 countries. Interestingly, some of the impacted sites are scam sites, the company found, “set up to trick men looking for dates with women in various parts of the world.” The majority of the impacted sites are, however, legitimate, including a dating site for meeting Asian women; a premium international dating site targeting an older demographic; one for people who want to date Colombians; and other “niche” dating destinations. The impacted data includes notification messages; personally identifiable information (PII); private messages; authentication tokens and links; and email content. The PII includes full names; age and dates of birth; gender; email addresses; location data; IP addresses;…

Most of us automatically put our guard up when someone we don't know promises something too good to be true. But when the too-good-to-be-true thing starts as our idea, sometimes that instinct fails to kick in. Here's the story of how companies searching for investors to believe in their ideas can run into trouble. Nick is an investment banker who runs a firm that helps raise capital for its clients (Nick is not his real name, and like other investment brokers interviewed in this story spoke with KrebsOnSecurity on condition of anonymity). Nick's company works primarily in the mergers and acquisitions space, and his job involves advising clients about which companies and investors might be a good bet. In one recent engagement, a client of Nick's said they'd reached out to an investor from Switzerland — The Private Office of John Bernard — whose name was included on a list of angel investors focused on technology startups. "We ran into a group that one of my junior guys found on a list of data providers that compiled information on investors," Nick explained. "I told them what we do and said we were working with a couple of companies that were interested in financing, and asked them to send some materials over. The guy had a British accent, claimed to have made his money in tech and in the dot-com boom, and said he'd sold a company to Geocities that was then bought by Yahoo." But Nick wasn't convinced Mr. Bernard's company was for real. Nick and his colleagues couldn't…

Researchers have disclosed four high-severity flaws in the Android version of TikTok that could have easily been exploited by a seemingly benign third-party Android app. If successful, an attacker could fully compromise the target’s TikTok account. Public disclosure of the vulnerabilities was Friday and all bugs have since been patched. Oversecured researchers said they found the arbitrary code execution flaws and one arbitrary file theft vulnerability in TikTok. Disclosure of the flaws comes just as the owner of the social-media platform has reportedly chosen Oracle as an American tech partner that could help keep the app running in the U.S., on the heels of U.S. president Donald Trump threatening to ban the app over spying concerns. If exploited, the arbitrary code execution flaws could allow attackers to access victims’ private messages and videos within the app. They could also gain control over the app’s permissions – giving them access to victims’ pictures and videos stored on the device, web browser downloads, audio and video record functions and contacts. “All these vulnerabilities could have been exploited by a hacker if a user had installed a malicious app onto their Android device,” according to researchers with Oversecured, who discovered the flaws, in a Friday post. “All the vulnerabilities have been removed. Users should update to the latest version on Google Play to enjoy the best experience.”

TikTok Android Flaws

Researchers scanned the app and…

One of the largest known Magecart campaigns to date took place over the weekend, with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit. The attacks have impacted tens of thousands of customers, who had their credit-card and other information stolen, researchers said. According to Sansec Threat Intelligence, online stores running Magento versions 1 and 2 are being targeted in a classic Magecart attack pattern, where e-commerce sites are hacked, either via a common vulnerability or stolen credentials. If a compromise is successful, merchant websites are then injected with a web skimmer, which surreptitiously exfiltrates personal and banking information entered by customers during the online checkout process. The firm’s telemetry picked up “1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page,” the firm said in a posting on Monday. “On Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday and 233 today… Most stores were running Magento version 1, which was announced end-of-life last June. However, some stores were running Magento 2.” In delving into the campaign, Sansec researchers were able to determine that many victimized stores had no prior history of security incidents; and, they speculated that the attacks may be linked to a $5,000 Magento exploit that went up for sale in August in underground forums. The zero-day allows a brand-new avenue to gaining…

Researchers have uncovered a phishing attack using a new technique: Attackers are making use of authentication APIs to validate victims’ Office 365 credentials – in real time – as they enter them into the landing page. Authentication APIs are used by apps and services running on the users’ behalf to access their data, Prashanth Arun, head of Data Science at Armorblox, told Threatpost. Office 365 requires app registrations to use APIs – but registrations require only an email address, making them seamless for attackers to leverage. Some additional configuration for the app also requires users to specify a website to “receive” authentication info, Arun added. In a phishing attack recently spotted by researchers, the attacker used the authentication APIs to cross-check the credentials of a senior executive at a large enterprise firm with the organization’s Azure Active Directory. Active Directory (AD) is Microsoft’s proprietary directory service, which allows administrators to manage permissions and access to network resources. The authentication APIs use Azure AD to provide authentication services. In the phishing attack, access to this immediate feedback “allows the attacker to respond intelligently during the attack,” researchers with Armorblox said on Thursday. “The attacker is also immediately aware of a live compromised credential and allows him to potentially ingratiate himself into the compromised account before any remediation.”

The Phishing Email

The attack was first…

The Russia-linked threat group known as APT28 has changed up its tactics to include Office 365 password-cracking and credential-harvesting. Microsoft researchers have tied APT28 (a.k.a. Strontium, Sofacy or Fancy Bear) to this newly uncovered pattern of O365 activity, which began in April and is ongoing. The attacks have been aimed mainly at U.S. and U.K. organizations directly involved in political elections. The APT often works to obtain valid credentials in order to mount espionage campaigns or move laterally through networks – in fact, Microsoft telemetry shows that the group launched credential-harvesting attacks against tens of thousands of accounts at more than 200 organizations between last September and June. Between August 18 and September 3, the group (unsuccessfully) targeted 6,912 O365 accounts belonging to 28 organizations. “Not all the targeted organizations were election-related,” the firm explained, in a blog posted on Friday. “However, we felt it important to highlight a potential emerging threat to the 2020 U.S. Presidential Election and future electoral contests in the U.K.” The activity dovetails with other recent Microsoft findings that, just months before the U.S. presidential election, hackers from Russia, China and Iran are ramping up phishing and malware attacks against campaign staffers. It should be noted that APT28 is widely seen as responsible for election-meddling in 2016 and the attack on the Democratic National Committee…

Sometimes vulnerability disclosure goes well — and sometimes it doesn’t. Security researchers still face legal action for “hacking” when reporting the bugs they find — as is the case with a flaw recently reported to the Giggle social network. However — while the vendor-researcher relationship is still fraught with pitfalls, the good news is that things are slowly starting to get better, say experts. Notably, the Giggle news (detailed below) comes as releases of vulnerability-disclosure policies (VDPs) have snowballed, with names like Facebook and the U.S. government embracing transparent guidelines for ethical bug-hunting.

Giggle: No Laughing Security Matter

In a blog post on Thursday, Saskia Coplans, a founder at a majority-female security firm called Digital Interruption (DI), described a disclosure effort in which the company reached out to Giggle about a privacy flaw. Giggle, which bills itself as a social network “for girls,” offers various female-specific topic areas and communities, including those for victims of abuse and for sex workers. The downside is, according to its privacy policy, Giggle collects all kinds of information about users, including geolocation, personal preferences, demographic data and answers to surveys. That’s a problem given that the bug that DI found would allow unverified attackers to trivially access this personal information on the platform from anywhere. To boot, the researchers found that the information was still accessible/stored even…

More than 100,000 WordPress websites are affected by a high-severity flaw in a plugin that assists websites in sending out emails and newsletters to subscribers. The vulnerability exists in the Email Subscribers & Newsletters plugin by Icegram, which enables users to collect leads and send automated new-blog-post notification emails. A remote, unauthenticated attacker can exploit the flaw to send forged emails to all recipients from the available lists of contacts or subscribers – with complete control over the content and subject of the email. To fix the flaw, users must “upgrade to WordPress Email Subscribers & Newsletters plugin by Icegram version 4.5.6 or higher,” according to researchers at Tenable, who discovered the flaw, in an advisory on Thursday. The flaw (CVE-2020-5780) ranks 7.5 out of 10 on the CVSS scale, making it high severity. It affects versions 4.5.6 and earlier of the WordPress Email Subscribers & Newsletters plugin. The issue stems from an email forgery/spoofing vulnerability in the class-es-newsletters.php class. “Unauthenticated users are able to send an ajax request to the admin_init hook,” Alex Pena, research engineer at Tenable, told Threatpost. “This triggers a call to the process_broadcast_submission function.” By manipulating the request parameters, Pena said, an attacker could then schedule a new broadcast to an entire list of contacts, due to the lack of an authentication mechanism. “An unauthenticated user should not be…

The U.S. election campaigns of both Donald Trump and Joe Biden have been targeted in a slew of recent cyberattacks, Microsoft said on Thursday. With the U.S. presidential election a mere two months away, in recent weeks cyberattacks targeting people and organizations involved in it have ramped up — including numerous attempts against Trump and Biden staffers, Microsoft said. The tech giant has associated the unsuccessful attacks with threat groups linked to Russia, China and Iran. “What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers, but also those they consult on key issues,” said Tom Burt, corporate vice president of customer security and trust with Microsoft, in a Thursday post. “The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported.” One threat group, which Microsoft dubs Zirconium, was spotted launching thousands of attacks between March and September, resulting in nearly 150 compromises. Microsoft said the group is operating from China. Those targeted by Zirconium include high-profile individuals associated with the election – such as staffers on the “Joe Biden for President” campaign – and prominent leaders in the international affairs community. The threat actors, for instance, targeted…