Cyber Security News

North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets

The Hacker News - 2 hours 11 min ago
The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing
Categories: Cyber Security News

Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection

The Hacker News - 6 hours 57 min ago
New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool. npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for
Categories: Cyber Security News

This Malicious App Abused Hacked Devices to Create Fake Accounts on Multiple Platforms

The Hacker News - 8 hours 26 min ago
A malicious Android SMS application found on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp. The app, named Symoo (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service.
Categories: Cyber Security News

French Electricity Provider Fined for Storing Users’ Passwords with Weak MD5 Algorithm

The Hacker News - 8 hours 44 min ago
The French data protection watchdog on Tuesday fined electricity provider Électricité de France €600,000 for violating the European Union General Data Protection Regulation (GDPR) requirements. The Commission nationale de l'informatique et des libertés (CNIL) said the electric utility breached European regulation by storing the passwords for over 25,800 accounts by hashing them using the MD5
Categories: Cyber Security News
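
Why an unsalted, fast hash such as MD5 is an inadequate password store, and what a minimal replacement looks like, as an added example that is not part of the article and not related to EDF's actual system (user names, passwords and the attacker wordlist are constructed; PBKDF2-HMAC-SHA256 from the standard library stands in for the memory-hard functions such as Argon2id or scrypt that a production system should prefer):

```python
import hashlib
import hmac
import os

# Constructed "leaked" credential table stored as unsalted MD5, the scheme the
# CNIL decision criticises. Two users share a password, which unsalted hashing
# makes visible without cracking anything.
USERS_MD5 = {
    "alice": hashlib.md5(b"sunshine1").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
    "dave": hashlib.md5(b"sunshine1").hexdigest(),
}

# Constructed attacker wordlist; real lists run to hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "sunshine1", "qwerty"]


def crack_unsalted_md5(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Recover passwords from unsalted MD5 hashes with one MD5 per candidate word.

    Without a salt, a single precomputed table {md5(word): word} cracks every
    user at once: the cost is one hash per wordlist entry regardless of how
    many accounts are in the dump.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def duplicate_password_groups(stored: dict[str, str]) -> list[list[str]]:
    """Users whose hashes are identical, i.e. who share a password.
    A salted scheme hides this; unsalted MD5 exposes it for free."""
    by_hash: dict[str, list[str]] = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Replacement scheme: per-user random salt plus a deliberately slow KDF.
# 600_000 iterations is in line with current OWASP guidance for PBKDF2-SHA256.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the iteration count can be raised later
    # and old records re-hashed on next login.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("cracked from MD5 dump:", crack_unsalted_md5(USERS_MD5, WORDLIST))
    print("users sharing a password:", duplicate_password_groups(USERS_MD5))
    rec = hash_password("sunshine1")
    print("stored record:", rec)
    print("verify correct password:", verify_password("sunshine1", rec))
    print("verify wrong password:  ", verify_password("sunshine2", rec))
```

Running it shows three of the four MD5 users recovered from a five-word list and the shared password spotted without any cracking, while two PBKDF2 records for the same password differ (different salts) and only the correct password verifies.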

Australia Passes Bill to Fine Companies up to $50 Million for Data Breaches

The Hacker News - 11 hours 8 min ago
The Australian government has passed a bill that markedly increases the penalty for companies suffering from serious or repeated data breaches. To that end, the maximum fines have been bumped up from the current AU$2.22 million to AU$50 million, 30% of an entity's adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information,
Categories: Cyber Security News

3 New Vulnerabilities Affect OT Products from German Festo and CODESYS Companies

The Hacker News - 13 hours 20 min ago
Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an
Categories: Cyber Security News

Chinese Cyber Espionage Hackers Using USB Devices to Target Entities in Philippines

The Hacker News - 14 hours 20 min ago
A threat actor with a suspected China nexus has been linked to a set of espionage attacks in the Philippines that primarily relies on USB devices as an initial infection vector. Mandiant, which is part of Google Cloud, is tracking the cluster under its uncategorized moniker UNC4191. An analysis of the artifacts used in the intrusions indicates that the campaign dates as far back as September
Categories: Cyber Security News

New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection

The Hacker News - Tue, 11/29/2022 - 11:39
Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines. Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G. The PC maker described the vulnerability as
Categories: Cyber Security News

Hackers Using Trending TikTok 'Invisible Challenge' to Spread Malware

The Hacker News - Tue, 11/29/2022 - 06:59
Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx. The trend, called Invisible Challenge, involves applying a filter called Invisible Body that just leaves behind a silhouette of the person's body. But the fact that individuals filming such videos could be undressed has led to a
Categories: Cyber Security News

7 Cyber Security Tips for SMBs

The Hacker News - Tue, 11/29/2022 - 06:30
When the headlines focus on breaches of large enterprises like the Optus breach, it’s easy for smaller businesses to think they’re not a target for hackers. Surely, they’re not worth the time or effort?  Unfortunately, when it comes to cyber security, size doesn’t matter.  Assuming you’re not a target leads to lax security practices in many SMBs who lack the knowledge or expertise to put simple
Categories: Cyber Security News

Irish Regulator Fines Facebook $277 Million for Leak of Half a Billion Users' Data

The Hacker News - Tue, 11/29/2022 - 03:25
Ireland's Data Protection Commission (DPC) has levied fines of €265 million ($277 million) against Meta Platforms for failing to safeguard the personal data of more than half a billion users of its Facebook service, ramping up privacy enforcement against U.S. tech firms. The fines follow an inquiry initiated by the European regulator on April 14, 2021, close on the heels of a leak of a "collated
Categories: Cyber Security News

CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability

The Hacker News - Mon, 11/28/2022 - 23:20
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions,, and
Categories: Cyber Security News

Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services

The Hacker News - Mon, 11/28/2022 - 06:56
Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. The shortcoming was reported
Categories: Cyber Security News

The 5 Cornerstones for an Effective Cyber Security Awareness Training

The Hacker News - Mon, 11/28/2022 - 06:45
It's not news that phishing attacks are getting more complex and happening more often. This year alone, APWG reported a record-breaking total of 1,097,811 phishing attacks. These attacks continue to target organizations and individuals to gain their sensitive information.  The hard news: they're often successful, have a long-lasting negative impact on your organization and employees, including:
Categories: Cyber Security News

Over a Dozen New BMC Firmware Flaws Expose OT and IoT Devices to Remote Attacks

The Hacker News - Mon, 11/28/2022 - 05:07
Over a dozen security flaws have been discovered in baseboard management controller (BMC) firmware from Lanner that could expose operational technology (OT) and internet of things (IoT) networks to remote attacks. BMC refers to a specialized service processor, a system-on-chip (SoC), that's found in server motherboards and is used for remote monitoring and management of a host system, including
Categories: Cyber Security News

Elon Musk Confirms Twitter 2.0 will Bring End-to-End Encryption to Direct Messages

The Hacker News - Mon, 11/28/2022 - 00:25
Twitter chief executive Elon Musk confirmed plans for end-to-end encryption (E2EE) for direct messages on the platform. The feature is part of Musk's vision for Twitter 2.0, which is expected to be what's called an "everything app." Other functionalities include longform tweets and payments, according to a slide deck shared by Musk over the weekend. The company's plans for
Categories: Cyber Security News

Security Affairs newsletter Round 395

Security Affairs - Sun, 11/27/2022 - 08:45
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you also want to receive the free newsletter covering the international press, subscribe here.

Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches
Devices from Dell, HP, and Lenovo used outdated OpenSSL versions
Google fixed the eighth actively exploited #Chrome #zeroday this year
Experts investigate WhatsApp data leak: 500M user records for sale
An international police operation dismantled the spoofing service iSpoof
UK urges to disconnect Chinese security cameras in government buildings
RansomExx Ransomware upgrades to Rust programming language
An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware
Threat actors exploit discontinued Boa web servers to target critical infrastructure
Pro-Russian group Killnet claims responsibility for DDoS attack that has taken down the European Parliament site
Ducktail information stealer continues to evolve
Experts claim that iPhone’s analytics data is not anonymous
Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966
Exclusive – Quantum Locker lands in the Cloud
5 API Vulnerabilities That Get Exploited by Criminals
Researcher warns that Cisco Secure Email Gateways can easily be circumvented
Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem
Two Estonian citizens arrested in $575M cryptocurrency fraud scheme
Emotet is back and delivers payloads like IcedID and Bumblebee
Expert published PoC exploit code for macOS sandbox escape flaw
Google won a lawsuit against the Glupteba botnet operators
Google provides rules to detect tens of cracked versions of Cobalt Strike
Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild
PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online

Follow me on Twitter: @securityaffairs and Facebook and Mastodon


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 395 appeared first on Security Affairs.

Categories: Cyber Security News

US FCC bans the import of electronic equipment from Chinese firms

Security Affairs - Sun, 11/27/2022 - 07:16
The U.S. Federal Communications Commission announced it will completely ban the import of electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua.

The U.S. Federal Communications Commission (FCC) announced the total ban for telecom and surveillance equipment from Chinese companies Huawei, ZTE, Hytera, Hikvision, and Dahua due to an “unacceptable” national security threat.

The US government had already added the companies to the Covered List; the new rules aim at protecting Americans from national security threats involving telecommunications.

“The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks.” reads the announcement published by FCC. “In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.”

“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”

The new rules implement the directive in the Secure Equipment Act of 2021, which was signed by President Biden in November 2021.

Chinese firms Hytera, Hikvision, and Dahua have to provide details about the safeguards they have implemented on the sale of their devices for government use and the surveillance of critical infrastructure facilities.

In September, the U.S. Federal Communications Commission (FCC) added Pacific Network Corp, ComNet (USA) LLC, and China Unicom (Americas) Operations Limited to the Covered List.

The FCC explained that the above companies are subject to the exploitation, influence and control of the Chinese government, and the national security risks associated with such exploitation, influence, and control.

This week, the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing them.

The risk is related to the use of security cameras manufactured by Chinese-owned companies Dahua and Hikvision. 


Pierluigi Paganini

(SecurityAffairs – hacking, Federal Communications Commission)

The post US FCC bans the import of electronic equipment from Chinese firms appeared first on Security Affairs.

Categories: Cyber Security News

Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches

Security Affairs - Sat, 11/26/2022 - 16:11
The massive data breach suffered by Twitter that exposed emails and phone numbers of its customers may have impacted more than five million users.

At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.

The threat actor offered the stolen data for sale on the popular hacking forum Breached Forums. In January, a report published on HackerOne described a vulnerability that an attacker could exploit to find a Twitter account from its associated phone number or email address, even if the user had opted to prevent this in the privacy options.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”

The seller claimed that the database was containing data (i.e. emails, phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of data in the form of a csv file.

In August, Twitter confirmed that the data breach was caused by the now-patched zero-day flaw submitted by the researcher zhirinovskiy via bug bounty platform HackerOne, who received a $5,040 bounty for the report.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”

This week, 9to5Mac reported that the data breach was worse than initially reported by the company: multiple threat actors exploited the same flaw, and the data circulating in the cybercrime underground comes from different sources.

“A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.” reads the post published by 9to5Mac.

Source: Twitter account @sonoclaudio

9to5Mac’s claims are based on a dataset containing the same information in a different format, offered by a different threat actor. The source told the website that the database was “just one of a number of files they have seen.” It seems that the impacted accounts are only those that had the “Discoverability | Phone” option (which is hard to find within Twitter’s settings) enabled in late 2021.

The archive seen by 9to5Mac includes data belonging to Twitter users in the UK, almost every EU country, and parts of the US.

“I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999.” the source told 9to5Mac. “Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.”

The experts speculate that multiple threat actors had access to the Twitter database and combined it with data from other security breaches.

The security researcher behind the account @chadloder (Twitter after the disclosure of the news) told 9to5Mac that the “email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”

9to5Mac said it would reach out to Twitter for comment, but the entire media relations team has left the company.
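A model of the enumeration oracle described in this post (the unauthenticated duplicate-account check, the country-code phone sweep, and the replay of a breached email list), as an added example that is not Twitter's code and not part of the original article. The account directory, phone block and email list are constructed; the hardened variant shows one standard mitigation (a uniform response to the caller, with the "already registered" outcome delivered out-of-band to the contact's owner), not a description of Twitter's actual fix:

```python
# Constructed account directory; nothing here is real Twitter data.
ACCOUNTS = [
    {"id": 1001, "username": "alice_example", "email": "alice@example.org",
     "phone": "+15550100", "discoverable_by_phone": True},
    {"id": 1002, "username": "bob_example", "email": "bob@example.org",
     "phone": "+15550101", "discoverable_by_phone": False},
    {"id": 1003, "username": "carol_example", "email": "carol@example.org",
     "phone": "+15550102", "discoverable_by_phone": True},
]

# Constructed stand-in for the 100M+ address lists the article says were
# replayed through the oracle.
BREACHED_EMAILS = ["alice@example.org", "nobody@example.net", "carol@example.org"]

# Messages the hardened flow sends out-of-band, modelled as a list.
OUTBOX: list[dict] = []


def vulnerable_duplicate_check(identifier: str) -> dict:
    """Hypothetical model of the flawed behaviour in the HackerOne report: an
    unauthenticated duplicate-account check that returns the matching account
    and ignores the owner's discoverability setting (bob opted out and is
    still returned)."""
    for acct in ACCOUNTS:
        if identifier in (acct["email"], acct["phone"]):
            return {"taken": True, "id": acct["id"], "username": acct["username"]}
    return {"taken": False}


def hardened_duplicate_check(identifier: str) -> dict:
    """Uniform response: the caller receives the same fields and the same
    message whether or not the identifier is registered, so the endpoint is
    no longer an existence oracle. The owner is told out-of-band instead."""
    for acct in ACCOUNTS:
        if identifier in (acct["email"], acct["phone"]):
            OUTBOX.append({"to": identifier, "body": "An account already uses this contact."})
            break
    return {"status": "If this contact is valid, you will receive a message."}


def enumerate_phone_space(check, prefix: str, width: int) -> dict[str, str]:
    """Attacker sweep from the 9to5Mac description: query every number in a
    block and keep the phone -> username pairs the oracle leaks."""
    found: dict[str, str] = {}
    for n in range(10 ** width):
        phone = f"{prefix}{n:0{width}d}"
        resp = check(phone)
        if resp.get("taken"):
            found[phone] = resp["username"]
    return found


def replay_email_list(check, emails) -> dict[str, str]:
    """Derive email -> username pairs by replaying a breached address list."""
    found: dict[str, str] = {}
    for email in emails:
        resp = check(email)
        if resp.get("taken"):
            found[email] = resp["username"]
    return found


if __name__ == "__main__":
    print("phone sweep, vulnerable:", enumerate_phone_space(vulnerable_duplicate_check, "+155501", 2))
    print("phone sweep, hardened:  ", enumerate_phone_space(hardened_duplicate_check, "+155501", 2))
    print("email replay, vulnerable:", replay_email_list(vulnerable_duplicate_check, BREACHED_EMAILS))
    print("email replay, hardened:  ", replay_email_list(hardened_duplicate_check, BREACHED_EMAILS))
    print("out-of-band messages:", OUTBOX)
```

The sweep against the vulnerable check yields every account in the block, including the one that opted out of phone discoverability, which is exactly what made the leaked dataset independent of users' privacy settings. Against the hardened check the attacker learns nothing per query; rate limiting and authentication on the endpoint are complementary controls that shrink the number of queries an attacker can make, but the uniform response is what removes the oracle itself.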


Update: After discussing with my colleague @sonoclaudio, we noticed that the post on the popular breach forum reports that 1.4 accounts were suspended. Now the question is, why, months after the accounts were suspended, were the data still present in the database? What is the retention period for Twitter? Does Twitter violate the GDPR for European users?


Pierluigi Paganini

(SecurityAffairs – hacking, Twitter)

The post Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches appeared first on Security Affairs.

Categories: Cyber Security News

All You Need to Know About Emotet in 2022

The Hacker News - Sat, 11/26/2022 - 06:49
For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it. Why is everyone scared of Emotet? Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication.
Categories: Cyber Security News