There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.

“And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately,” Rasch continued. “Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply.”

To make matters more complicated, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.

THE LAPSUS$ CONNECTION

The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim is evident in the dramatic backstory behind LAPSUS$, the data extortion group that recently hacked into some of the world’s most valuable technology companies, including Microsoft, Okta, NVIDIA and Vodafone.

In a blog post about their recent hack, Microsoft said LAPSUS$ succeeded against its targets through a combination of low-tech attacks, mostly involving old-fashioned social engineering — such as bribing employees at or contractors for the target organization.

“Other tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote of LAPSUS$.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ allegedly hail.

Researchers from security firms Unit 221B and Palo Alto Networks say that prior to launching LAPSUS$, the group’s leader “White” (a.k.a. “WhiteDoxbin,” “Oklaqq”) was a founding member of a cybercriminal group calling itself the “Recursion Team.” This group specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.

Everlynn advertising a warrant/subpoena service based on fake EDRs. Image: Ke-la.com.

“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly,” read Everlynn’s ad, which was posted by the user account “InfinityRecursion.”

A month prior on Cracked, Everlynn posted a sales thread, “1x Government Email Account || BECOME A FED!,” which advertised the ability to send email from a federal agency within the government of Argentina.

“I would like to sell a government email that can be used for subpoena for many companies such as Apple, Uber, Instagram, etc.,” Everlynn’s sales thread explained, setting the price at $150. “You can breach users and get private images from people on SnapChat like nudes, go hack your girlfriend or something haha. You won’t get the login for the account, but you’ll basically obtain everything in the account if you play your cards right. I am not legally responsible if you mishandle this. This is very illegal and you will get raided if you don’t use a vpn. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more.”

Last week, the BBC reported that authorities in the United Kingdom had detained seven individuals aged 16 to 21 in connection with LAPSUS$.

TAKING ON THE DOXBIN

It remains unclear whether White or Everlynn were among those detained; U.K. police declined to name the suspects. But White’s real-life identity became public recently after he crossed the wrong people.

The de-anonymization of the LAPSUS$ leader began late last year after he purchased a website called Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people.

Based on the feedback posted by Doxbin members, White was not a particularly attentive administrator. Longtime members soon took to harassing him about various components of the site falling into disrepair. That pestering eventually prompted White to sell Doxbin back to its previous owner at a considerable loss. But before doing so, White leaked the Doxbin user database.

White’s leak triggered a swift counterpunch from Doxbin’s staff, which naturally responded by posting on White perhaps the most thorough dox the forum had ever produced.

KrebsOnSecurity recently interviewed the past and current owner of the Doxbin — an established hacker who goes by the handle “KT.” According to KT, it is becoming more common for hackers to use EDRs for stalking, hacking, harassing and publicly humiliating others.

KT shared several recent examples of fraudulent EDRs obtained by hackers who bragged about their success with the method.

“Terroristic threats with a valid reason to believe somebody’s life is in danger is usually the go-to,” KT said, referring to the most common attestation that accompanies a fake EDR.

One of the phony EDRs shared by KT targeted an 18-year-old from Indiana, and was sent to the social media platform Discord earlier this year. The document requested the Internet address history of Discord accounts tied to a specific phone number used by the target. Discord complied with the request.

“Discord replies to EDRs in 30 minutes to one hour with the provided information,” KT claimed.

Asked about the validity of the unauthorized EDR shared by KT, Discord said the request came from a legitimate law enforcement account that was later determined to have been compromised.

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies,” Discord said in a written statement. “We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

KT said fake EDRs don’t have to come from police departments based in the United States, and that some people in the community of those sending fake EDRs are hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, KT said, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

“A lot of governments overseas are using WordPress, and I know a kid on Telegram who has multiple shells on gov sites,” KT said. “It’s near impossible to get U.S. dot-govs nowadays, although I’ve seen a few people with it. Most govs use [Microsoft] Outlook, so it’s more difficult because there’s usually some sort of multi-factor authentication. But not all have it.”

According to KT, Everlynn and White recently had a falling out, with White paying KT to publish a dox on Everlynn and to keep it pinned to the site’s home page. That dox states that Everlynn is a 15-year-old from the United Kingdom who has used a variety of monikers over the past year alone, including “Miku” and “Anitsu.”

KT said Everlynn’s dox is accurate, and that the youth has been arrested multiple times for issuing fake EDRs. But KT said each time Everlynn gets released from police custody, they go right back to committing the same cybercrimes.

“Anitsu (Miku, Everlynn), an old staff member of Doxbin, was arrested probably 4-5 months ago for jacking government emails used for EDR’ing,” KT said. “White and him are not friends anymore though. White paid me a few weeks ago to pin his dox on Doxbin. Also, White had planned to use EDRs against me, due to a bet we had planned; dox for dox, winner gets 1 coin.”

A FUNDAMENTALLY UNFIXABLE PROBLEM?

Nicholas Weaver, a security specialist and lecturer at the University of California, Berkeley, said one big challenge to combating fraudulent EDRs is that there is fundamentally no notion of global online identity.

“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”

It’s not clear that the FBI would be willing or able to take on such a task. In November 2021, KrebsOnSecurity broke the news that hackers sent a fake email alert to thousands of state and local law enforcement entities through the FBI’s Law Enforcement Enterprise Portal (LEEP). In that attack, the intruders abused a fairly basic and dangerous coding error on the website, and the fake emails all came from a real fbi.gov address.

The phony message sent in November 2021 via the FBI’s email system.

KrebsOnSecurity asked the FBI whether it had any indication that its own systems were used for unauthorized EDRs. The FBI declined to answer that question, but confirmed it was aware of different schemes involving phony EDRs targeting both the public and the agency’s private sector partners.

“We take these reports seriously and vigorously pursue them,” reads a written statement shared by the FBI. “Visit this page for tips and resources to verify the information you are receiving. If you believe you are a victim of an emergency data request scheme, please report to www.ic3.gov or contact your local FBI field office.”

Rasch said while service providers need more rigorous vetting mechanisms for all types of legal requests, getting better at spotting unauthorized EDRs would require these companies to somehow know and validate the names of every police officer in the United States.

“One of the problems you have is there’s no validated master list of people who are authorized to make that demand,” Rasch said. “And that list is going to change all the time. But even then, the entire system is only as secure as the least secure individual police officer email account.”

The idea of impersonating law enforcement officers to obtain information typically only available via search warrant or subpoena is hardly new. A fictionalized example appeared in the second season of the hit television show Mr. Robot, wherein the main character Elliot pretends to be a police officer to obtain location data in real time from a cellular phone company.

Weaver said what probably keeps fraudulent EDRs from being more common is that most people in the criminal hacking community perceive it as too risky. This is supported by the responses in discussion threads across multiple hacking forums where members sought out someone to perform an EDR on their behalf.

“It’s highly risky if you get caught,” Weaver said. “But doing this is not a matter of skill. It’s one of will. It’s a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale.”

The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill. The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.
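The article’s central point is that a provider’s email-level checks (the request “appears to come from an email address connected to an actual police department domain name”) prove only that the mailbox is real, not that the person behind it is, which is exactly how the Discord request described above got through. The following intake gate is an added example, not code from KrebsOnSecurity or from any provider quoted here. It assumes a hypothetical vetted-agency registry (AGENCY_REGISTRY), constructed domains, phone numbers and sample messages, and a hypothetical triage_edr function; it rejects lookalike domains and messages that fail SPF/DKIM alignment, and for everything else it never auto-releases data, instead holding the request for a human callback to the registry’s number, ignoring any number printed in the request body.

```python
# Added example (not from the article): a defender-side intake gate for
# Emergency Data Requests that arrive by email. All data here is constructed:
# the registry, the domains, the phone numbers and the sample messages.
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry of agencies the provider has already vetted, keyed by
# email domain, holding a callback number obtained out of band (never from mail).
AGENCY_REGISTRY = {
    "pd.example-city.gov": {"agency": "Example City PD", "callback": "+1-555-0100"},
}

# Loose phone-number pattern, used only to flag numbers offered in the body.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


def sender_domain(msg):
    """Lowercase domain of the From: address, or '' if it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results_pass(msg, domain):
    """True only if Authentication-Results reports spf=pass and dkim=pass with
    the DKIM signing domain (header.d=) equal to the From: domain."""
    ar = msg.get("Authentication-Results", "").lower()
    spf_ok = "spf=pass" in ar
    m = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", ar)
    dkim_ok = bool(m) and m.group(1) == domain
    return spf_ok and dkim_ok


def text_body(msg):
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)


def triage_edr(raw_message):
    """Classify an incoming EDR email.

    Returns {'decision', 'reasons', 'callback'} with decision in
    {'reject', 'hold_for_callback'}. There is deliberately no automatic
    release: a message that passes every email-level check can still come
    from a compromised mailbox, so release requires a human callback to the
    number held in the registry, not to any number the request itself offers.
    """
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    reasons = []

    entry = AGENCY_REGISTRY.get(domain)
    if entry is None:
        reasons.append(f"sender domain {domain!r} is not a registered agency")
        return {"decision": "reject", "reasons": reasons, "callback": None}

    if not auth_results_pass(msg, domain):
        reasons.append("SPF/DKIM did not pass for the sender domain")
        return {"decision": "reject", "reasons": reasons, "callback": None}

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and not reply_to.lower().endswith("@" + domain):
        reasons.append(f"Reply-To {reply_to!r} points outside the agency domain")

    for phone in PHONE_RE.findall(text_body(msg)):
        reasons.append(f"ignored callback number {phone.strip()!r} supplied in the request body")

    reasons.append(f"verify by phone with {entry['agency']} before any release")
    return {"decision": "hold_for_callback", "reasons": reasons, "callback": entry["callback"]}


# Constructed sample 1: lookalike domain that is not in the registry.
LOOKALIKE_DOMAIN_REQUEST = """\
From: Det. Smith <records@pd-example-city.com>
To: lawenforcement@provider.example
Subject: EMERGENCY DATA REQUEST
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=pd-example-city.com; dkim=pass header.d=pd-example-city.com

Please provide subscriber records for account 12345 immediately.
"""

# Constructed sample 2: registered domain in From:, but the mail fails SPF/DKIM.
SPOOFED_FROM_REQUEST = """\
From: Det. Smith <records@pd.example-city.gov>
To: lawenforcement@provider.example
Subject: EMERGENCY DATA REQUEST
Authentication-Results: mx.provider.example; spf=fail smtp.mailfrom=pd.example-city.gov; dkim=none

Please provide subscriber records for account 12345 immediately.
"""

# Constructed sample 3: fully authenticated mail from a real agency mailbox
# (the compromised-account case), steering replies and calls elsewhere.
COMPROMISED_MAILBOX_REQUEST = """\
From: Det. Smith <records@pd.example-city.gov>
Reply-To: edr-desk@mail-forward.example
To: lawenforcement@provider.example
Subject: EMERGENCY DATA REQUEST
Authentication-Results: mx.provider.example; spf=pass smtp.mailfrom=pd.example-city.gov; dkim=pass header.d=pd.example-city.gov

Imminent threat to life. Please provide subscriber records for account 12345.
Questions? Call me directly at +1-555-0199.
"""

if __name__ == "__main__":
    for sample in (LOOKALIKE_DOMAIN_REQUEST, SPOOFED_FROM_REQUEST, COMPROMISED_MAILBOX_REQUEST):
        print(triage_edr(sample))
```

The third sample is the one the article is really about: every header check passes because the agency mailbox is genuine, so the only signal left is procedural. The gate surfaces the foreign Reply-To and the body phone number as reasons, but the decision would be the same without them; the registry callback is what turns “looks right” into a verified request.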
Ukraine's CERT-UA uncovered a spear-phishing campaign conducted by Belarus-linked GhostWriter APT group targeting Ukrainian state-backed entities with Cobalt Strike Beacon.
Wslink, as the malicious loader is called, was first documented by ESET in October 2021, with very few telemetry hits detected in the past two years spanning Central Europe, North America, and the Middle East.
The malware is being used in attacks that appear to install cryptominers on infected machines as their end goal. There are some indications the attacker may also be interested in stealing Discord access tokens.
Anonymous NB65 group claimed to have hacked All-Russia State Television and Radio Broadcasting Company (VGTRK), which is one of the entities accused of being a propaganda vector of the Russian regime.
Part of the problem appears to be user friction in existing security measures. Less than half (44%) of those polled said they find it easy to securely access their IT equipment within minutes.
SunCrypt, a ransomware-as-a-service (RaaS) operation that reached prominence in mid-2020, is reportedly still active, even if barely, as its operators continue to work on giving its strain new capabilities.
Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.
Active since at least 2013, the APT group operates in at least 30 countries. However, the APT tends to focus on India and Afghanistan – with the exception being attacks recorded against human rights activists in Pakistan.
The network, which operated in Kharkiv, Cherkasy, Ternopil, and Zakarpattia, aimed to discourage Ukrainian citizens and instill panic by distributing false information about the Russian invasion and the status of the defenders.
A “powerful” cyberattack has hit Ukraine’s biggest fixed-line telecommunications company, Ukrtelecom. The cyberattack has taken the company’s services across the country down.
Privid is built on the foundation of differential privacy, a statistical technique that makes it possible to collect and share aggregate information about users, while safeguarding individual privacy.
The Ronin bridge and Katana Dex have been halted after suffering an exploit for 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC), worth a combined $612 million at Tuesday's prices.
A Wyze Cam internet camera vulnerability allows unauthenticated, remote access to videos and images stored on local memory cards and has remained unfixed for almost three years.
Former US Treasury secretary Steve Mnuchin's private equity firm has announced its plans to buy a controlling stake in a mobile cybersecurity company for more than half a billion dollars.
In a joint advisory with the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA) warned U.S. organizations today to secure Internet-connected UPS devices from ongoing attacks.
Employment fraud typically impacts individuals, and the results can be costly. According to the FBI’s Internet Crime Complaint center, the average reported loss from this type of scheme is $3,000.
These websites include Ukrainian government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, financial sites, and other pro-Ukrainian sites.
Researchers have detected a new conversation hijacking campaign that exploits unpatched Exchange servers to deliver the IcedID trojan within the energy, healthcare, pharmaceutical, and legal sectors. It’s been almost a year since the disclosure of the ProxyShell vulnerabilities in Exchange servers, but many organizations, apparently, still haven’t applied the patch.
A new wave of JSSLoader infections, operated by the FIN7 threat group, was observed using XLL files to deliver the malware via malicious Microsoft Excel add-ins. The latest variant comes with some new layers of obfuscation to keep itself hidden from security analysts. Organizations need to have intrusion detection systems or intrusion prevention systems as a part of their security and protection strategy to thwart such threats.
A new study by Splunk has found that modern-day ransomware, such as LockBit, is capable of encrypting around 25,000 files in just one minute. The time window is so small that before an organization realizes the effect, the ransomware would have done its job.
Active since 2020, the campaign is the work of cybercriminal gangs from China. According to Seguranca Informatica, the campaign has targeted around 617 online stores located in Portugal, France, Spain, Italy, Chile, Mexico, Colombia, among others.
Red Hat Security Advisory 2022-1102-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include an HTTP request smuggling vulnerability.
Red Hat Security Advisory 2022-1106-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-1107-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-1112-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.
Red Hat Security Advisory 2022-1104-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-1110-01 - Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.12.1 serves as an update to Red Hat Decision Manager 7.12.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, denial of service, information leakage, and traversal vulnerabilities.
Red Hat Security Advisory 2022-1103-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include privilege escalation and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-1108-01 - Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This release of Red Hat Process Automation Manager 7.12.1 serves as an update to Red Hat Process Automation Manager 7.12.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, denial of service, information leakage, and traversal vulnerabilities.
Ubuntu Security Notice 5313-2 - USN-5313-1 fixed vulnerabilities and added features in OpenJDK. Unfortunately, that update introduced a regression in OpenJDK 11 that could impact interoperability with some popular HTTP/2 servers making it unable to connect to said servers. This update fixes the problem.
Red Hat Security Advisory 2022-1021-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.26. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2022-1091-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.
Ubuntu Security Notice 5353-1 - It was discovered that the IPsec implementation in the Linux kernel did not properly allocate enough memory when performing ESP transformations, leading to a heap-based buffer overflow. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Red Hat Security Advisory 2022-1083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.3.8 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include an information leakage vulnerability.
Ubuntu Security Notice 5352-1 - It was discovered that Libtasn1 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 5351-1 - Jan Schejbal discovered that Paramiko incorrectly handled permissions when writing private key files. A local attacker could possibly use this issue to gain access to private keys.
When the filter_var function is used in conjunction with the flags FILTER_VALIDATE_DOMAIN and FILTER_FLAG_HOSTNAME, there is a vulnerability in PHP that allows the filter to be bypassed. A patch has been included by the researcher as the PHP security team seems to have ignored this concern.
A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules. "Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks," Israeli security company Checkmarx said. "As it seems this time, the attacker has fully-automated the process
An independent security researcher has shared what's a detailed timeline of events that transpired as the notorious LAPSUS$ extortion gang broke into a third-party provider linked to the cyber incident at Okta in late January 2022. In a set of screenshots posted on Twitter, Bill Demirkapi published a two-page "intrusion timeline" allegedly prepared by Mandiant, the cybersecurity firm hired by
A threat actor of likely Pakistani origin has been attributed to yet another campaign designed to backdoor targets of interest with a Windows-based remote access trojan named CrimsonRAT since at least June 2021. "Transparent Tribe has been a highly active APT group in the Indian subcontinent," Cisco Talos researchers said in an analysis shared with The Hacker News. "Their primary targets have
A group of academics has designed a new system known as "Privid" that enables video analytics in a privacy-preserving manner to combat concerns with invasive tracking. "We're at a stage right now where cameras are practically ubiquitous. If there's a camera on every street corner, every place you go, and if someone could actually process all of those videos in aggregate, you can imagine that
Cybersecurity firm Sophos on Monday warned that a recently patched critical security vulnerability in its firewall product is being actively exploited in real-world attacks. The flaw, tracked as CVE-2022-1040, is rated 9.8 out of 10 on the CVSS scoring system and impacts Sophos Firewall versions 18.5 MR3 (18.5.3) and older. It relates to an authentication bypass vulnerability in the User Portal
An unidentified threat actor has been observed employing a "complex and powerful" malware loader with the ultimate objective of deploying cryptocurrency miners on compromised systems and potentially facilitating the theft of Discord tokens. "The evidence found on victim networks appears to indicate that the goal of the attacker was to install cryptocurrency mining software on victim machines,"
Cybersecurity researchers have shed more light on a malicious loader that runs as a server and executes received modules in memory, laying bare the structure of an "advanced multi-layered virtual machine" used by the malware to fly under the radar. Wslink, as the malicious loader is called, was first documented by Slovak cybersecurity company ESET in October 2021, with very few telemetry hits
After being linked to ransomware attacks that cost companies over US $53 million, an Estonian man has been sentenced to prison for five and a half years. Read more in my article on the Hot for Security blog.
Compromise of safety systems could have resulted in the release of toxic gas or an explosion - causing physical damage to facilities and the loss of life. Read more in my article on the Hot for Security blog.