Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Transatlantic Cable ...

 News

To kick off the 253rd edition of the Kaspersky Transatlantic Cable podcast, Ahmed, Jag and I discuss our most recent whipping-boy topic – NFTs. In particular, we discuss how Seth Greens new project may already be in jeopardy because he clicked on a phishing link. This, in turn, saw the actor lose a number of the   show more ...

NFTs in his digital wallet to thieves that were then resold. From there, we discuss security issues related to app-enabled automobiles. There is some debate as to whether or not these apps are even needed. We then sit down with a member of our product team to discuss the latest in cloud security. The third story on the docket discusses the latest with hackers claiming that they have stolen a database of Verizon employee numbers. To close out the pod, we talk about the weird new ransomware group in India that is requiring people to conduct acts of kindness or goodwill to get their data unlocked. These actions range from paying for medicine to buying kids food – yeah, as you can see, kinda a weird flex. If you liked what you heard, please consider subscribing and sharing with your friends. For more information on the stories we covered, see the links below: Someone Stole Seth Greens Bored Ape, Which Was Supposed To Star In His New Show Whats wrong with automotive mobile apps? Hacker Steals Database of Hundreds of Verizon Employees Ransomware group forces victims to pick any 5 poor children and buy them KFC

image for How phishers prey on ...

 Threats

Attackers often send phishing e-mails in the name of well-known companies to extract credentials for users personal accounts, phone numbers and other information that can be useful for scams or account takeovers. Of course, among the most attractive targets for phishers are clients of financial organizations such as   show more ...

banks, cryptoexchanges, payment systems and the like. This time we detected phishing exploiting the online financial service Wise (until recently — TransferWise), which is used by millions. Here we analyze the setup and explain how not to fall victim to fraud and data theft. A word about Wise Why Wise in particular? Its not just that people entrust their money to it. Until recently, the company was known as TransferWise, and its main business was low-cost cross-border money transfers. In 2021, it expanded its range of services to include not only international transfers, but multi-currency accounts and debit cards (among others), too. As part of a rebranding, Wise dropped the Transfer from its name. Enter cybercriminals — who decided to exploit some initial confusion connected with the name change. How the scheme works An attack begins with a phishing e-mail purporting to be from the Wise support team. The e-mail informs the victim that due to the rebranding they need to migrate their account to the new platform. E-mail supposedly from TransferWise about moving the users account to a new platform The inattentive user could easily mistake it as genuine, since wise.com appears in the line with the senders name, and the message body contains the company logo with the trademark blue flag. A closer look, however, reveals a couple of more-red-than-blue flags: the senders address consists of a random string of numbers along with words totally unrelated to Wise, and for some reason the domain belongs to… Moringa School in Kenya! The text itself is full of errors and typos, which a reputable company wouldnt permit. There are two links in the e-mail: one supposedly pointing to the new site, the other to contact the senders. In actual fact, both lead to the same page, which automatically redirects the victim to another — phishing — website. The phishing site looks far more convincing than the e-mail, with the same welcome message and design as the real Wise site. The only difference is the image on the left of the page, and also the URL. The latter unexpectedly displays the name of an obscure app for finding restaurants and discounted services. At this point, the cybercriminals ask the user to enter their e-mail and password for account login. Phishing version of Wise login page However, credentials are not the only personal information collected: having accepted the e-mail and password (whether real or not, there are no checks), the site asks for the victims phone number. Incidentally, you dont need to enter your phone number to login to the real Wise site. Lastly, the attackers ask for the Wise users phone number When the user clicks the Continue button, the site seems to freeze: while the data is sent to the cybercriminals, the victim sees just a spinning logo with the word loading. The phishing page lost in thought The impatient user who clicks the Continue button is again redirected to the official Wise site. The idea here is that even if the user senses something amiss and checks the URL at this point, they wont realize their data has fallen into cybercriminal hands and will just continue to go about their business. The user is eventually redirected to the official Wise website Where does the data go Most likely, its phone numbers that cybercriminals want most of all. They probably collect them in databases and sell them to phone scammers. And from compromised accounts they can get additional information about users, in particular, first name, surname and home address. Armed with such information, the phone scammers can sound far more convincing. How to stay safe To avoid the trap and protect your data, follow some basic cybersecurity rules. When you receive an e-mail seemingly from a well-known company, start with checking where it really came from. If the senders address includes a meaningless jumble of numbers and letters, random words or an unusual domain, its more than likely a scam. Dont follow links in e-mails and notifications, even if you think you know the sender; its always better to open sites from your bookmarks or a search engine, or to enter URLs manually if you know them by heart. If you suspect phishing, contact the support team of the company the e-mail supposedly came from, and theyll tell you for sure whether its real or fake. If necessary, theyll take action and alert other users. Install reliable antivirus with antiphishing and online fraud protection, which will warn you in a timely manner about the threat.

image for What Counts as “Go ...

 A Little Sunshine

The U.S. Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute by which federal prosecutors pursue cybercrime cases. The new guidelines state that prosecutors should avoid charging security researchers who   show more ...

operate in “good faith” when finding and reporting vulnerabilities. But legal experts continue to advise researchers to proceed with caution, noting the new guidelines can’t be used as a defense in court, nor are they any kind of shield against civil prosecution. In a statement about the changes, Deputy Attorney General Lisa O. Monaco said the DOJ “has never been interested in prosecuting good-faith computer security research as a crime,” and that the new guidelines “promote cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” What constitutes “good faith security research?” The DOJ’s new policy (PDF) borrows language from a Library of Congress rulemaking (PDF) on the Digital Millennium Copyright Act (DMCA), a similarly controversial law that criminalizes production and dissemination of technologies or services designed to circumvent measures that control access to copyrighted works. According to the government, good faith security research means: “…accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” “Security research not conducted in good faith — for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services — might be called ‘research,’ but is not in good faith.” The new DOJ policy comes in response to a Supreme Court ruling last year in Van Buren v. United States (PDF), a case involving a former police sergeant in Florida who was convicted of CFAA violations after a friend paid him to use police resources to look up information on a private citizen. But in an opinion authored by Justice Amy Coney Barrett, the Supreme Court held that the CFAA does not apply to a person who obtains electronic information that they are otherwise authorized to access and then misuses that information. Orin Kerr, a law professor at University of California, Berkeley, said the DOJ’s updated policy was not unexpected given the Supreme Court ruling in the Van Buren case. Kerr noted that while the new policy says one measure of “good faith” involves researchers taking steps to prevent harm to third parties, what exactly those steps might constitute is another matter. “The DOJ is making clear they’re not going to prosecute good faith security researchers, but be really careful before you rely on that,” Kerr said. “First, because you could still get sued [civilly, by the party to whom the vulnerability is being reported], but also the line as to what is legitimate security research and what isn’t is still murky.” Kerr said the new policy also gives CFAA defendants no additional cause for action. “A lawyer for the defendant can make the pitch that something is good faith security research, but it’s not enforceable,” Kerr said. “Meaning, if the DOJ does bring a CFAA charge, the defendant can’t move to dismiss it on the grounds that it’s good faith security research.” Kerr added that he can’t think of a CFAA case where this policy would have made a substantive difference. “I don’t think the DOJ is giving up much, but there’s a lot of hacking that could be covered under good faith security research that they’re saying they won’t prosecute, and it will be interesting to see what happens there,” he said. The new policy also clarifies other types of potential CFAA violations that are not to be charged. Most of these include violations of a technology provider’s terms of service, and here the DOJ says “violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.” Some examples include: -Embellishing an online dating profile contrary to the terms of service of the dating website; -Creating fictional accounts on hiring, housing, or rental websites; -Using a pseudonym on a social networking site that prohibits them; -Checking sports scores or paying bills at work. ANALYSIS Kerr’s warning about the dangers that security researchers face from civil prosecution is well-founded. KrebsOnSecurity regularly hears from security researchers seeking advice on how to handle reporting a security vulnerability or data exposure. In most of these cases, the researcher isn’t worried that the government is going to come after them: It’s that they’re going to get sued by the company responsible for the security vulnerability or data leak. Often these conversations center around the researcher’s desire to weigh the rewards of gaining recognition for their discoveries with the risk of being targeted with costly civil lawsuits. And almost just as often, the source of the researcher’s unease is that they recognize they might have taken their discovery just a tad too far. Here’s a common example: A researcher finds a vulnerability in a website that allows them to individually retrieve every customer record in a database. But instead of simply polling a few records that could be used as a proof-of-concept and shared with the vulnerable website, the researcher decides to download every single file on the server. Not infrequently, there is also concern because at some point the researcher suspected that their automated activities might have actually caused stability or uptime issues with certain services they were testing. Here, the researcher is usually concerned about approaching the vulnerable website or vendor because they worry their activities may already have been identified internally as some sort of external cyberattack. What do I take away from these conversations? Some of the most trusted and feared security researchers in the industry today gained that esteem not by constantly taking things to extremes and skirting the law, but rather by publicly exercising restraint in the use of their powers and knowledge — and by being effective at communicating their findings in a way that maximizes the help and minimizes the potential harm. If you believe you’ve discovered a security vulnerability or data exposure, try to consider first how you might defend your actions to the vulnerable website or vendor before embarking on any automated or semi-automated activity that the organization might reasonably misconstrue as a cyberattack. In other words, try as best you can to minimize the potential harm to the vulnerable site or vendor in question, and don’t go further than you need to prove your point.

 Identity Theft, Fraud, Scams

Discord a public chat application designed for gamers has grown popular among crypto owners all over the world. Attackers are targeting the Discord servers of several popular nonfungible token (NFT) projects.

 Trends, Reports, Analysis

Global healthcare organizations (HCOs) experienced a 94% year-on-year surge in ransomware attacks last year, with almost twice as many electing to pay their extorters, according to new data from Sophos.

 Breaches and Incidents

Iranian state media said earlier that the internal computer system of the municipality of Tehran was targeted in a "deliberate" shutdown Thursday in the latest apparent cyberattack in the country.

 Threat Actors

The SideWinder APT has launched more than 1,000 attacks while leveraging over 400 domains and subdomains, with additional stealth mechanisms. The threat group is maintaining a large C2 infrastructure comprising more than 400 domains and subdomains that were used to host malicious payloads and manage them. Please check   show more ...

IOCs that could help organizations update their defenses for better detection and protection against such threats.

 Breaches and Incidents

Secureworks spotted a new campaign targeting vulnerable Elasticsearch databases to replace their indexes with a ransom note; a total ransom of $280,000 has been demanded. The attackers have used an automated script to parse unprotected databases, wipe out their data, and add the ransom note. Admins should set up MFA for authorized users and limit access to only those who need it.

 Malware and Vulnerabilities

Europol, along with law enforcement agencies from Finland, Austria, Belgium, Ireland, Spain, Sweden, Hungary, the U.S., the Netherlands, and Switzerland, took down FluBot's infrastructure. The Dutch Police claimed to have disconnected 10,000 victims from the FluBot network and stopped over 6.5 million spam SMS from reaching potential victims.

 Feed

NVIDIA DCGM runs on machines with NVIDIA GPUs to gather telemetry and GPU health data. nv-hostengine is a daemon that by default listens on the loopback interface, but can also listen on the network for requests coming in on port 5555 (remote mgmt). A native client named DCGMI allows users to make requests to the   show more ...

daemon to support a variety of functions. Malformed packets can cause the daemon (running as root or user account) to crash or potentially result in code execution. Versions less than 2.3.5 are affected.

 Feed

Red Hat Security Advisory 2022-1166-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.47.

 Feed

Ubuntu Security Notice 5459-1 - Aurélien Aptel discovered that cifs-utils invoked a shell when requesting a password. In certain environments, a local attacker could possibly use this issue to escalate privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that cifs-utils   show more ...

incorrectly used host credentials when mounting a krb5 CIFS file system from within a container. An attacker inside a container could possibly use this issue to obtain access to sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

 Feed

The Player application and the Recording Manager of Real Player versions 20.1.0.312 and 20.0.3.317 are prone to a remote DLL hijack (binary planting) issue because of an unsafe search for non-existent DLLs. To exploit the issue attackers would have to convince the target to open a media file from a WebDAV or SMB share.

 Feed

Red Hat Security Advisory 2022-4582-01 - The gzip packages contain the gzip data compression utility. gzip is used to compress regular files. It replaces them with files containing the .gz extension, while retaining ownership modes, access, and modification times.

 Feed

Red Hat Security Advisory 2022-4592-01 - The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.

 Feed

IIPImage is distributed with a server that enables advanced, high-performance image manipulation for web-based streaming and viewing of high resolution images. The server component called iipsrv.fcgi processes requests from users and passes them to command handlers. Several crashes including an integer overflow were   show more ...

discovered by sending malformed requests to the server, allowing remote users without authentication to perform denial-of-service attacks or potentially crafted for remote code execution as the server's running user. Versions at least up to 1.1 may be affected.

 Feed

It was discovered that a race condition existed in the network scheduling subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Yiqi Sun and Kevin Wang discovered that the cgroups   show more ...

implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. Various other issues were also addressed.

 Feed

Red Hat Security Advisory 2022-4590-1 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.9.0 ESR. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-4588-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 6.0.105 and .NET Core Runtime 6.0.5. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2022-4671-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a spoofing vulnerability.

 Feed

Red Hat Security Advisory 2022-1357-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.10.

 Feed

Red Hat Security Advisory 2022-4589-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.9.0. Issues addressed include a bypass vulnerability.

 Feed

Red Hat Security Advisory 2022-0737-01 - This release of Red Hat build of Eclipse Vert.x 4.2.5 GA includes security updates. For more information, see the release notes listed in the References section.

 Feed

Red Hat Security Advisory 2022-4591-01 - Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes.

 Feed

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134. "Atlassian has been made aware of current active exploitation of a

 Feed

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium. In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive

 Feed

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research. Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites. Parrot TDS was documented in

 Feed

GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10

 Feed

An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. "This groundbreaking development allows the actor to modify network traffic   show more ...

in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky said in a new report.

2022-06
Aggregator history
Friday, June 03
WED
THU
FRI
SAT
SUN
MON
TUE
JuneJulyAugust