image
North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign targeting engineers with a fake job posting that attempt to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple and Intel chip-based systems. The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency trader Coinbase in a job description claiming to seek an engineering manager for product security, researchers divulged. Similarities to Previous Malware The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, researchers said. However, the most recent malware is signed July 21, according to its timestamp, which means it’s either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria and which was revoked by Apple on Aug. 12, researchers said. The app itself was not notarized. Operation In(ter)ception also has a companion Windows version of the malware dropping the same decoy and spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET. The malware used in the campaign also connects to a different command and control (C2) infrastructure than the malware discovered in May, https:[//]concrecapital[.]com/%user%[.]jpg, which did not…

Source

image
Earlier this month, the administrator of the cybercrime forum Breached received a cease-and-desist letter from a cybersecurity firm. The missive alleged that an auction on the site for data stolen from 10 million customers of Mexico's second-largest bank was fake news and harming the bank's reputation. The administrator responded to this empty threat by purchasing the stolen banking data and leaking it on the forum for everyone to download. On August 3, 2022, someone using the alias "Holistic-K1ller" posted on Breached a thread selling data allegedly stolen from Grupo Financiero Banorte, Mexico's second-biggest financial institution by total loans. Holistic-K1ller said the database included the full names, addresses, phone numbers, Mexican tax IDs (RFC), email addresses and balances on more than 10 million citizens. There was no reason to believe Holistic-K1ller had fabricated their breach claim. This identity has been highly active on Breached and its predecessor RaidForums for more than two years, mostly selling databases from hacked Mexican entities. Last month, they sold customer information on 36 million customers of the Mexican phone company Telcel; in March, they sold 33,000 images of Mexican IDs — with the front picture and a selfie of each citizen. That same month, they also sold data on 1.4 million customers of Mexican lending platform Yotepresto. But this history was either overlooked or ignored by Group-IB, the Singapore-based cybersecurity firm apparently…

Source

image
A U.K. water supplier suffered a disruption in its corporate IT systems Monday as a result of a cyber-attack but claims that its water supply was not affected. Meanwhile, the alleged attack perpetrator—the Clop ransomware group—claimed the attack was on another, larger water utility, which for its part indignantly called the claim a “cyber hoax.” The lack of disruption in water supply was “in thanks to the robust systems and controls over water supply and quality we have in place at all times as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis,” the company said in its statement. South Staffordshire’s IT teams were working to resolve the disruption to the corporate network on Monday, while customer service remained unaffected, the company said. Victim Misidentified The Clop ransomware gang took responsibility for an attack on a U.K. water supplier on its dark web site, but said the victim was Thames Water and not South Staffordshire, according to a report posted on Bleepingcomputer. Thames Water is the United Kingdom’s largest water supplier, serving 15 million customers in Greater London and other areas on the river that runs through the city. Thames Water quickly took to its website to let all of its customers know that any media report claiming it suffered a cyber-attack was completely bogus. In its post, the Clop gang claimed it accessed the company’s SCADA systems. “We…

Source

image
Smartphone maker Xiaomi, the world’s number three phone maker behind Apple and Samsung, reported it has patched a high-severity flaw in its “trusted environment” used to store payment data that opened some of its handsets to attack. Researchers at Check Point Research revealed last week in a report released at DEF CON that the Xiaomi smartphone flaw could have allowed hackers to hijack the mobile payment system and disable it or create and sign their own forged transactions. He said, the Check Point study marks the first time Xiaomi’s trusted applications have been reviewed for security issues. WeChat Pay is a mobile payment and digital wallet service developed by a firm of the same name, which is based in China. The service is used by over 300 million customers and allows Android users to make mobile payments and online transactions. The Flaw It’s unclear how long the vulnerability existed or if it was exploited by attackers in the wild. The bug, tracked as CVE-2020-14125, was patched by Xiaomi in June and has a CVSS severity rating of high. “A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service,” according to the NIST common vulnerability and exposure description of the bug. While details of the bug’s impact were limited at the time Xiaomi disclosed the vulnerability in June, researchers at Check Point have outlined in its postmortem of…

Source

image
There was nothing typical this year at BSides LV, Black Hat USA and DEF CON – also known collectively as Hacker Summer Camp. The weeklong collection of cybersecurity conferences featured an eclectic mix of attendees to learn, network, hack and have fun. The week even included a rare Las Vegas flash flood (not a new DDoS technique) on Thursday creating chaos in one casinos. Research of Note Video conferencing darling Zoom was highlighted at DEF CON by Patrick Wardle, founder of the Objective-See Foundation, for a hacking technique that allowed him, using the macOS version of Zoom, to elevated privileges and gain access to the entire macOS operating system. Pen Test Partners revealed a flaw in the Electronic Flight Bag tablets used by some Boeing aircraft pilots that could have allowed an adversary to modify data “and cause pilots to make dangerous miscalculations,” according to a Reuters report. Starlink, the satellite operated by SpaceX that provides internet access to over 36 countries, was shown vulnerable to a hack via a $25 modchip. Belgian researcher Lennert Wouters revealed at Black Hat how he mounted a successful fault injection attack on a user terminal used to manage the satellite. Researcher James Kettle debuted a new class of HTTP request smuggling attack that allowed him to compromise Amazon and Akamai, break TLS, and exploit Apache servers, according to reporting from Portswigger’s The Daily Swig. Journalist Eduard Kovacs reported on a high-severity Realtek bug…

Source

image
Zeppelin ransomware is back and employing new compromise and encryption tactics in its recent campaigns against various vertical industries—particularly healthcare—as well as critical infrastructure organizations, the feds are warning. Threat actors deploying the ransomware as a service (RaaS) are tapping remote desktop protocol (RDD) exploitation and SonicWall firewall vulnerabilities–alongside previously used phishing campaigns–to breach target networks, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) released Thursday. “This results in the victim needing several unique decryption keys,” according to the advisory. The CISA has identified multiple variants of Zeppelin through various FBI investigations, with attacks occurring as recently as June 21, the agency said. Targets and Tactics Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance. Unlike its predecessor, Zeppelin’s campaigns have been much more targeted, with threat actors first taking aim at tech and healthcare companies in Europe and the United States. The latest campaigns continue to target healthcare and medical organizations most often, according to the CISA. Tech companies also remain in the crosshairs of Zeppelin, with threat actors also using the RaaS in attacks against defense…

Source

image
The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system. A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine. The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals. "I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer," Pyle said in an interview with KrebsOnSecurity. "But nothing ever happened. I decided I wasn't going to tell anyone about it yet because I wanted to give people time to fix it." Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021. "I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,"'…

Source

image
Users of Apple’s Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track ‘every single tap’ users make with external websites accessed via the software. Researcher Felix Krause, who outlined how Meta tracks users in a blog posted Wednesday, claims that this type of tracking puts users at “various risks”. He warns both iOS versions of the apps can “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap” via their in-app browsers. Meta’s Use of a JavaScript Injection “The Instagram [and Facebook] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause wrote. A PCM.JS code, according to the researcher, is an external JavaScript file injected into websites viewed within the in-app browser. The code is used by both apps and enables both apps to build a communication bridge between in-app website content and the host app. Additional technical information regarding the PCM.JS can be found here. Meta responded to Krause’s research with a statement published by The Guardian: “We intentionally developed this code to honour people’s…

Source

image
Image: Shutterstock. A cybersecurity firm says it has intercepted a large, unique stolen data set containing the names, addresses, email addresses, phone numbers, Social Security Numbers and dates of birth on nearly 23 million Americans. The firm's analysis of the data suggests it corresponds to current and former customers of AT&T. The telecommunications giant stopped short of saying the data wasn't theirs, but it maintains the records do not appear to have come from its systems and may be tied to a previous data incident at another company. Milwaukee-based cybersecurity consultancy Hold Security said it intercepted a 1.6 gigabyte compressed file on a popular dark web file-sharing site. The largest item in the archive is a 3.6 gigabyte file called "dbfull," and it contains 28.5 million records, including 22.8 million unique email addresses and 23 million unique SSNs. There are no passwords in the database. Hold Security founder Alex Holden said a number of patterns in the data suggest it relates to AT&T customers. For starters, email addresses ending in "att.net" accounted for 13.7 percent of all addresses in the database, with addresses from SBCGLobal.net and Bellsouth.net — both AT&T companies — making up another seven percent. In contrast, Gmail users made up more than 30 percent of the data set, with Yahoo addresses accounting for 24 percent. More than 10,000 entries in the database list "none@att.com" in the email field. Hold Security found these email domains…

Source

image
A Belgian security researcher has successfully hacked the SpaceX operated Starlink satellite-based internet system using a homemade circuit board that cost around $25 to develop, he revealed at Black Hat. Lennert Wouters revealed a voltage fault injection attack on a Starlink User Terminal (UT)—or satellite dish people use to access the system – that allowed him to break into the dish and explore the Starlink network from there, he revealed in a presentation called “Glitched on Earth by Humans” at the annual ethical hacker conference this week. Wouters physically stripped down a satellite dish he purchased and created the custom board, or modchip, that can be attached to the Starlink dish, according to a report on Wired about his presentation on Wednesday. He developed the tool using low-cost, off-the-shelf parts and was able to use it to obtain root access by glitching the Starlink UT security operations center bootrom, according to a tweet previewing the presentation that he said was sent through a rooted Starlink UT. To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. He soldered the modchip—comprised of a Raspberry Pi microcontroller, flash storage, electronic switches and a voltage regulator–to the existing Starlink PCB and connected it using a few wires, according to the report. ‘Unfixable Compromise’ Once attached to the Starlink dish, the tool launched a fault injection attack to temporarily short…

Source