*** The Security News Thread ***

[TTraveler]

Bejaysus what a mess.

The good news: they found it.
But one must wonder how many more strains are in the system that haven't been found.

[harrybarracuda]

The good news: they found it.
But one must wonder how many more strains are in the system that haven't been found.

I got invited to an InfoBlox presentation yesterday. I sort of mentioned that spending six figures on a package that didn't detect shitloads of outbound DNS exfiltration wasn't really my thing.

[TTraveler]

Millions of Social Profiles Leaked by Chinese Data-Scrapers

More than 400GB of public and private profile data for 214 million social-media users from around the world has been exposed to the internet – including details for celebrities and social-media influencers in the U.S. and elsewhere.

The leak stems from a misconfigured ElasticSearch database owned by Chinese social-media management company SocialArks, which contained personally identifiable information (PII) from users of Facebook, Instagram, LinkedIn and other platforms, according to researchers at Safety Detectives.

The server was found to be publicly exposed without password protection or encryption during routine IP-address checks on potentially unsecured databases, researchers said. It contained more than 318 million records in total.

Millions of Social Profiles Leaked by Chinese Data-Scrapers | Threatpost

[harrybarracuda]

Built-in backdoors and vulnerabilities and straight away you think of one country...

Multiple backdoors and vulnerabilities discovered in FiberHome routers

At least 28 backdoor accounts found in FiberHome FTTH ONT routers.

At least 28 backdoor accounts and several other vulnerabilities have been discovered in the firmware of a popular FTTH ONT router, widely deployed across South America and Southeast Asia.


FTTH ONT stands for Fiber-to-the-Home Optical Network Terminal. These are special devices fitted at the end of optical fiber cables. Their role is to convert optical signals sent via fiber optics cables into classic Ethernet or wireless (WiFi) connections.


FTTH ONT routers are usually installed in apartment buildings or inside the homes or businesses that opt for gigabit-type subscriptions.


In a report published last week, security researcher Pierre Kim said he identified a large collection of security issues with FiberHome HG6245D and FiberHome RP2602, two FTTH ONT router models developed by Chinese company FiberHome Networks.


The report describes both positive and negative issues with the two router models and their firmware.

For example, the positive issues are that both devices do not expose their management panel via the IPv4 external interface, making attacks against its web panel impossible via the internet. Furthermore, the Telnet management feature, which is often abused by botnets, is also disabled by default.

However, Kim says that FiberHome engineers have apparently failed to activate these same protections for the routers' IPv6 interface. Kim notes that the device firewall is only active on the IPv4 interface and not on IPv6, allowing threat actors direct access to all of the router's internal services, as long as they know the IPv6 address to access the device.

Multiple backdoors and vulnerabilities discovered in FiberHome routers | ZDNet

[TTraveler]

Built-in backdoors and vulnerabilities and straight away you think of one country...

Couldn't possibly be the country that hoards its researchers and the vulnerabilities they discover...

They say you don't notice something good until it's gone. With China's decision to restrict its information security researchers from participating in global hacking competitions, we're about to see what that looks like on the global "zero day" stage.

For over a decade Pwn2Own ... brought together security talent from across the globe in a friendly hacking competition that is a cornerstone of research and advancement on par with Black Hat and Def Con.

China's hackers routinely win, sweeping the board -- notably, the Tencent and Keen teams. Pwn2Own is good-natured, and all in the name of researchers finding big bugs, nabbing great bounties and drawing attention to security holes and zero-days that need to be fixed.

But (since 2018), China is no longer allowing its researchers to compete.

https://www.engadget.com/2018-03-16-chinese-hackers-pwn2own-no-go.html

[harrybarracuda]

I bet you can't guess whose dodgy, backdoor-infested shit this is aimed at.

On January 20th President Biden signed an Executive Order that in part suspended the implementation of President Trump's May 1, 2020 order halting the use of components produced by hostile foreign states in the Bulk Power System:

Sec 7 (c) Executive Order 13920 of May 1, 2020 (Securing the United States Bulk-Power System), is hereby suspended for 90 days. The Secretary of Energy and the Director of OMB shall jointly consider whether to recommend that a replacement order be issued.

[harrybarracuda]

A strangely targeted attack...

A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly-targeted supply chain attack.
The attack was discovered by Slovak security firm ESET on January 25, last week, and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops.
ESET says that based on evidence its researchers gathered, a threat actor compromised one of the company's official API (api.bignox.com) and file-hosting servers (res06.bignox.com).
Using this access, hackers tampered with the download URL of NoxPlayer updates in the API server in order to deliver malware to NoxPlayer users.
"Three different malware families were spotted being distributed from tailored malicious updates toselected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities," ESET said in a report shared today with ZDNet.
Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn't target all of the company's users but instead focused on specific machines, suggesting this was a highly-targeted attack looking to infect only a certain class of users.
Until today, and based on its own telemetry, ESET said it spotted malware-laced NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka.

Hacker group inserted malware in NoxPlayer Android emulator | ZDNet

[harrybarracuda]

Check if your photos were used to develop facial recognition systems with this free tool

[TTraveler]

Finally some good news.

U.S. and Bulgarian authorities this week seized the darkweb site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims. In connection with the seizure, a Canadian national suspected of extorting more than $27 million through the spreading of NetWalker was charged in a Florida court.

Chainalysis has traced more than $46 million worth of funds in NetWalker ransoms since it first came on the scene in August 2019

Sebastien Vachon-Desjardins was living his best life between Miami and Ottawa, Canada, after pulling in at least $27.6 million from ransomware operation NetWalker. Appears his expertise was targeting healthcare organizations. He gets extra scumbag points for doing so during a pandemic.
Arrest, Seizures Tied to Netwalker Ransomware — Krebs on Security

[harrybarracuda]

I look forward to a massive jail sentence for this PoS.

[OhOh]

hopefully those two leaders can deliver it.

ameristani leaders "delivering".

[harrybarracuda]

ameristani leaders "delivering".

HooHoo is quite happy to see chinky government spies destroying livehoods.

He is quite spiteful.

[Backspin]

Lol now they are telling us it was China that did the Solarwinds hack.


Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources | Financial Post


First Russia did the Afganstan bounties. Then China did the Afganistan bounties

Intel on China bounties called ‘less' credible than Russia payments - POLITICO

[TTraveler]

"An online community promoting female escorts and reviews of their services has suffered a data breach after a hacker downloaded the site's database."

"EscortReviews.com is an adult online vBulletin forum community that allows US and Mexico-based escorts to promote their services, share profile pictures, contact information, and biographies to prospective clients. Clients can then post reviews about their experiences with the particular escort."

Backspin will be happy no one is blaming China. Yet.


http://Female escort review site dat...70,000 members

[harrybarracuda]

"An online community promoting female escorts and reviews of their services has suffered a data breach after a hacker downloaded the site's database."

"EscortReviews.com is an adult online vBulletin forum community that allows US and Mexico-based escorts to promote their services, share profile pictures, contact information, and biographies to prospective clients. Clients can then post reviews about their experiences with the particular escort."

Backspin will be happy no one is blaming China. Yet.


http://Female escort review site dat...70,000 members

Hmmm

"She wanted Bt500. I tried to borrow the money off some stranger outside a shop, but he only lent me Bt100 and he made me buy him a beer with it. I think he was mocking me. 0/5 do not recommend - S. Mark, Thailand)"

[harrybarracuda]

Shit's getting real.

Hackers breach, attempt to poison Florida city's water supply

Hackers breach, attempt to poison Florida city's water supply | TheHill

[harrybarracuda]

A quite good write-up on Microsoft Defender, the free antivirus client built into Windows.

It's worth noting that it's a decent a/v tool in its own right, but there is a downloadable Configuration Tool that exposes all the hidden settings, and the article makes some sensible suggestions as to which ones to enable.

Link here:

Decoding Microsoft Defender’s hidden settings | Computerworld

[jabir]

A quite good write-up on Microsoft Defender, the free antivirus client built into Windows.

It's worth noting that it's a decent a/v tool in its own right, but there is a downloadable Configuration Tool that exposes all the hidden settings, and the article makes some sensible suggestions as to which ones to enable.

Link here:

Decoding Microsoft Defender’s hidden settings | Computerworld

Had a look, fortunately my system seems to be working ok so I won't be fiddling with stuff that I don't understand, esp without Butterfly to save the day. Took a couple of decades to sink in, but my pioneer 'what happens if I click this' days often ended in a full reinstall, lost data and other shit.

[harrybarracuda]

I won't be fiddling with stuff that I don't understand, esp without Butterfly to save the day.

Well that's fucking hilarious.

[TTraveler]

Remember the recent North Korea sponsored attack on security researchers? This article has a screenshot of one of the actual Phishing messages.

https://safernet.it/state-sponsored-hackers-cybersecurity/

[harrybarracuda]

They have been busy little bees.

CISA, the Federal Bureau of Investigation, and the Department of the Treasury have released a Joint Cybersecurity Advisory and seven Malware Analysis Reports (MARs) on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”
The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
CISA encourages users and administrators to review the following resources for more information.

• Joint Cybersecurity Advisory: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
• MAR-10322463-1.v1: AppleJeus – Celas Trade Pro
• MAR-10322463-2.v1: AppleJeus – JMT Trading
• MAR-10322463-3.v1: AppleJeus – Union Crypto
• MAR-10322463-4.v1: AppleJeus – Kupay Wallet
• MAR-10322463-5.v1: AppleJeus – CoinGoTrade
• MAR-10322463-6.v1: AppleJeus – Dorusio
• MAR-10322463-7.v1: AppleJeus – Ants2Whale
• North Korean Malicious Cyber Activity page

https://us-cert.cisa.gov/ncas/curren...vity-applejeus

[TTraveler]

The big guy can't feed his own people but has plenty of cash to train and/or hire some of the world's best hackers. Piece of work.

[harrybarracuda]

I don't normally post tweets but Microsoft don't normally use the word "rampant".

We’re tracking a rampant phishing attack that uses DGA domains, free email services, and even compromised email accounts to send massive numbers of phishing emails. These emails are linked by open redirector URLs that begin with a distinct pattern: hxxps://t[.]domain[.]tld/r/?

https://twitter.com/MsftSecIntel/sta...62191304019968

[harrybarracuda]

A user on a popular hacker forum is selling three databases that purportedly contain user credentials and device data stolen from three different Android VPN services – SuperVPN, GeckoVPN, and ChatVPN – with 21 million user records being sold in total.

https://cybernews.com/security/one-of-the-biggest-android-vpns-hacked-data-of-21-million-users-from-3-android-vpns-put-for-sale-online/?web_view=true

[harrybarracuda]

So stay away from Xerox multifunction printers then....

A legal demand has allegedly prevented a security conference speaker from holding a talk on Xerox printers.

On February 18, a copy of a notice published by Infiltrate security conference organizers was posted to Twitter. The statement revealed that a planned talk by Raphaël Rigo, a security researcher from Airbus Security Lab, was canceled.

The presentation was due to happen on February 18 at 11:00 EST. However, with what appeared to be less than an hour to go, Infiltrate said the event was canceled and “apologized for the inconvenience”.

“I regret to inform you that we received notification this morning that ‘pending legal action’ we cannot present Raphaël’s Xerox research,” the notice from Infiltrate reads.

“Sadly, we must cancel the event today. We must cease and desist publication, presentation, and discussions related to the content of Raphaël’s talk.”
https://portswigger.net/daily-swig/xerox-legal-threat-reportedly-silences-researcher-at-infiltrate-security-conference