A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework. Security researcher Rajvardhan Agarwal tweeted a GitHub link to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday. “Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.” Pwn2Own contest rules require that the Chrome security team receive details of the code so they could patch the vulnerability as soon as possible, which they did; the latest version of the Chrome V8 JavaScript engine patches the flaw, Agarwal said in a comment posted in response to his own tweet. However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge and others, leaving them potentially vulnerable to attacks. Google is expected to release a new Chrome version — including security fixes — sometime on Tuesday, though it’s unclear if patches for the bug will be included. As of the time of publication, a Chrome update had not yet been released and Google had not yet replied to an email from Threatpost requesting comment about the flaw and the update.

Not Fully Weaponized

Security researchers Bruno Keith and Niklas Baumstark of Dataflow Security developed the exploit code for a type mismatch bug…

Source

Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that's popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses. KrebsOnSecurity first heard about the breach from Gemini Advisory, a New York City-based threat intelligence firm that keeps a close eye on the cybercrime forums. Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data. Included in the data were my email address and phone number, as well as license plate numbers for four different vehicles we have used over the past decade. Asked about the sales thread, Atlanta-based ParkMobile said the company published a notification on Mar. 26 about "a cybersecurity incident linked to a vulnerability in a third-party software that we use." "In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident," the notice reads. "Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time." The statement continues: "Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional…

Source

Clubhouse, the startup invitation-only chat app, is the latest social-media platform to see mammoth troves of user data collected and posted in underground forums. An SQL file containing the personal data of 1.3 million Clubhouse users has been posted in a hacker forum for free. Names, user IDs, photo URLs, number of followers, Twitter and Instagram handles, dates that accounts were created and even the profile information of who invited them to the app are among the information contained in the database, according to CyberNews, giving threat actors key information which can be used against victims in phishing and other socially engineered scams. For its part, Clubhouse said that its users’ data being public isn’t a bug, it’s just how the platform is built:

This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API. https://t.co/I1OfPyc0Bo — Clubhouse (@joinClubhouse) April 11, 2021

The company isn’t supplying any other details and Clubhouse didn’t respond to Threatpost’s request for additional comment. Clubhouse followers on Twitter were quick to note the statement points out a difference without any distinction to its exposed users. “I fail to see what is false … ” user Benjamin Maynard responded to the Clubhouse statement.

Leaky APIs Plague Social Media

Clubhouse’s terms of service prohibit data scraping, yet its API, by its own admission,…

Source

A Texas man has been charged with plotting a bombing of Amazon Web Services in a quest to allegedly “kill off the internet.” Seth Aaron Pendley was arrested in Ft. Worth after allegedly attempting to get an explosive device from an undercover FBI employee in a sting. The feds were alerted to Pendley after a concerned citizen contacted them on Jan. 8 about posts from Pendley on MyMilitia.com, a forum dedicated to organizing militia groups. According to an announcement from the Department of Justice issued Friday, “a user who went by the screenname ‘Dionysus’ stated he was planning to ‘conduct a little experiment,’ that he said would ‘draw a lot of heat’ and could be ‘dangerous.’ When another user asked what outcome Dionysus desired, he responded, ‘death.’” The concerned citizen provided the FBI with that user’s email address, which law enforcement traced back to Pendley. The news comes as conversations and headlines are ongoing about privacy, and the role of forums and social media in spreading disinformation and enabling crime or domestic terrorism. For instance, in February researchers from the Digital Citizens Alliance (DCA) and the Coalition for a Safer Web (CSW) found multiple sellers, based both in the U.S. and internationally, offering to illegally sell COVID-19 vaccines [PDF] on Facebook and Telegram. According to authorities, in late January, Pendley started sending messages to another confidential source using the Signal encrypted service. Allegedly, he told the…

Source

After embarking on a second unforeseen year of mass remote work, everyone is now accessing corporate resources through the cloud. To help enable this, organizations are introducing new technologies into their standard workflows. The COVID-19 pandemic presented a new realm of unmarked territory as businesses quickly, and almost haphazardly, shifted all employees offsite. Corporate networks were unprepared to handle this new caliber of remote access, and significant security gaps were created along the way. But organizational and individual data access to corporate and personal information began to evolve long before the pandemic. We want access to anything, from anywhere, on any device. To securely enable that desire, security teams already needed visibility into every device that accessed their corporate infrastructure and data. However, the pandemic catapulted this need to the top of every business leader’s mind, and the ability to block unhealthy devices that put an organization’s security at risk has never been more necessary. Now, with operations shifting almost entirely to the cloud for many, mobile workers have access to much more than just email. This access, however, comes with significant risks. Zero trust, which is rooted in the idea that no device is secure until proven otherwise, has become a widely accepted technical framework as businesses strive to monitor and maintain networks’ health with widely distributed endpoints. This philosophy should be applied to…

Source

Website contact forms and Google URLs are being used to spread the IcedID trojan, according to researchers at Microsoft. Attackers are using “contact us” forms on websites to send emails targeting organizations with trumped-up legal threats, researchers said. The messages consistently mention a copyright infringement by a photographer, illustrator or designer, and they contain a link to purported “evidence” for these legal infractions. But the link actually leads to a Google page that downloads IcedID (a.k.a. BokBot), which is an information-stealer and loader for other malware. “As attackers fill out and submit the web-based form, an email message is generated to the associated contact-form recipient or targeted enterprise, containing the attacker-generated message,” according to Microsoft’s recent posting. “The message uses strong and urgent language (‘Download it right now and check this out for yourself’), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.” Researchers found that attackers used fake names that start with “Mel,” such as “Melanie” or “Meleena,” and used a standard format for their fake email addresses that includes “m,” words associated with photography and three-digit numbers; i.e., mphotographer550@yahoo.com or megallery736@aol.com. The links take victims to a sites.google.com page, which asks them to sign in. Once a person signs in, the page automatically downloads a…

Source

A former track-and-field coach who worked at several universities has been arrested and is facing up to five years in prison for attempting to solicit nude photos of his athletes through sham social-media accounts and cyberstalking. The Department of Justice alleged that Steve Waithe, while coaching at Northeastern University, would often ask his athletes to give him their phones during competition and practices, ostensibly so he could film their form, the U.S. Attorney for the District of Massachusetts said. While he had access, Waithe would steal their photos. Witnesses told law enforcement they saw him “scrolling through” the devices.

Asked for Nudes to ‘Help’ Recover Photos

Waithe then contacted those same college athletes through fake social-media accounts in Feb. 2020 and told them he had discovered the photos online — and offered to “help” recover them, the U.S. Attorney’s office added. Posing as a “privacy protector,” or operating under the name “Katie Janovich,” he would tell the girls the stolen photos could be scraped from the internet if they sent nude or semi-nude pictures, which would help with a “reverse image search” on the internet. Feeling a lack of options, they complied. But that wasn’t Waithe’s only alleged scam. From last June to Oct. 2020, he used fake social-media accounts and an anonymized phone number to cyberstalk one of his athletes, even breaking into her Snapchat account, the U.S. Attorney said. A check of his internet search history turned up…

Source

The Swarmshop cyber-underground “card shop” has been hit by hackers, who lifted the site’s database of stolen payment-card data and leaked it online. That’s according to researchers at Group-IB, who said that the database was posted on a rival underground forum. Card shops are online cybercriminal forums where stolen payment-card data is bought and sold. Researchers said the database in question contains 623,036 payment-card records from card-issuers in Brazil, Canada, China, France, Mexico, Saudi Arabia, Singapore, the U.K. and the U.S. The lion’s share of the ill-gotten card data (63 percent) came from the U.S., they noted. The database also has 498 sets of online banking account credentials and 69,592 sets of U.S. Social Security Numbers and Canadian Social Insurance Numbers, according to Group-IB. And finally, there are 12,344 sets of data for card shop admins, sellers and buyers, including user names, hashed passwords, contact details, sales activity and current balances, researchers said. The firm’s analysis of the database found that the information was new, judging by the latest user activity timestamps. “Hackers have been hacking other hackers for decades. What better way to gain access to new hacking tools, dumps, cards, personally identifiable information (PII) and other items of value than hacking the people that are stealing it in the first place,” Tyler Shields, CMO at JupiterOne, said via email. “It comes as no surprise that there have been multiple…

Source

Last year, Gartner published a market guide on network detection and response (NDR). Formerly known as network-traffic analytics, which I’ve spoken about in the past at length, NDR has adapted to not only play a major role in helping network and security teams identify threats, but it has enabled these teams to respond to them too. This change in name means that network data is becoming more and more important in stopping threats and is a key component of a multi-layered security posture. With this in mind, what does NDR mean for the future of cybersecurity as we prepare for the rest of 2021?

Cybercriminals Still Hack Humans

While technology evolves, and network and security professionals develop more sophisticated techniques to stop attacks, one thing remains true: Humans are still a big problem in the equation. Truthfully, humans are still the biggest problem (check out this article nearby on how to deal with some of these problems when you have fewer resources). A recent post by Fortinet shows that social engineering and phishing are still major contributors to attacks. Specifically, timely attacks are often extremely effective at exposing individuals’ vulnerability and enabling cybercriminals to take advantage of people. This is so much the case that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) posted a “Verify Your Valentine” notice ahead of Valentine’s Day to help reduce the number of people that fall victim to cybercriminals. And, another article…

Source

Personal data from more than 500 million LinkedIn users has been posted for sale online in yet another incident of threat actors scraping data from public profiles and slinging it online for potential cybercriminal misuse. Hackers posted an archive containing data they said includes LinkedIn IDs, full names, professional titles, email addresses, phone numbers and other personally identifiable information (PII) on a popular hacker forum, according to a report in CyberNews on Tuesday. The LinkedIn leak comes on the heels of another substantial leak of personal data from more than 533 million Facebook users last weekend. The data set also includes links to LinkedIn profiles and other social-media profiles, according to the report. Moreover, to prove the authenticity of the info and provide a teaser of the data inside, the hackers responsible also leaked another 2 million records as a proof-of-concept sample, the report said. Users on the forum can view the leaked samples for about $2 worth of forum credits. However, the threat actor also appears to be auctioning off the crown jewel of the leak — the 500-million-user database — for a sum that is at least in the four-digit range, most likely in a Bitcoin equivalent, according to the report. “As the leaked data contains no payment card details and no passwords, it’s of less value to attackers and won’t sell for much on the Dark Web anyway,” Candid Wuest, Acronis vice president of cyber-protection research, said via email….

Source