Feed aggregator

Security Affairs newsletter Round 395

Security Affairs - Sun, 11/27/2022 - 08:45
A new round of the weekly SecurityAffairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

If you also want to receive the free newsletter covering the international press, subscribe here.

  • Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches
  • Devices from Dell, HP, and Lenovo used outdated OpenSSL versions
  • Google fixed the eighth actively exploited #Chrome #zeroday this year
  • Experts investigate WhatsApp data leak: 500M user records for sale
  • An international police operation dismantled the spoofing service iSpoof
  • UK urges to disconnect Chinese security cameras in government buildings
  • RansomExx Ransomware upgrades to Rust programming language
  • An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware
  • Threat actors exploit discontinued Boa web servers to target critical infrastructure
  • Pro-Russian group Killnet claims responsibility for DDoS attack that has taken down the European Parliament site
  • Ducktail information stealer continues to evolve
  • Experts claim that iPhone’s analytics data is not anonymous
  • Microsoft releases out-of-band update to fix Kerberos auth issues caused by a patch for CVE-2022-37966
  • Exclusive – Quantum Locker lands in the Cloud
  • 5 API Vulnerabilities That Get Exploited by Criminals
  • Researcher warns that Cisco Secure Email Gateways can easily be circumvented
  • Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem
  • Two Estonian citizens arrested in $575M cryptocurrency fraud scheme
  • Emotet is back and delivers payloads like IcedID and Bumblebee
  • Expert published PoC exploit code for macOS sandbox escape flaw
  • Google won a lawsuit against the Glupteba botnet operators
  • Google provides rules to detect tens of cracked versions of Cobalt Strike
  • Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild
  • PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online

Follow me on Twitter: @securityaffairs and Facebook and Mastodon


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 395 appeared first on Security Affairs.

Categories: Cyber Security News

US FCC bans the import of electronic equipment from Chinese firms

Security Affairs - Sun, 11/27/2022 - 07:16
The U.S. Federal Communications Commission announced it will completely ban the import of electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua.

The U.S. Federal Communications Commission (FCC) announced the total ban for telecom and surveillance equipment from Chinese companies Huawei, ZTE, Hytera, Hikvision, and Dahua due to an “unacceptable” national security threat.

The US government had already added these companies to the Covered List; the new rules aim to protect Americans from national security threats involving telecommunications.

“The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks.” reads the announcement published by FCC. “In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.”

“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”

The new rules implement the directive in the Secure Equipment Act of 2021, which was signed by President Biden in November 2021.

Chinese firms Hytera, Hikvision, and Dahua have to provide details about the safeguards they have implemented on the sale of their devices for government use and for the surveillance of critical infrastructure facilities.

In September, the U.S. Federal Communications Commission (FCC) added Pacific Network Corp, ComNet (USA) LLC, and China Unicom (Americas) Operations Limited to the Covered List.

The FCC explained that these companies are subject to the exploitation, influence, and control of the Chinese government, and to the national security risks associated with that exploitation, influence, and control.

This week, the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the camera from core networks and to consider removing them.

The risk is related to the use of security cameras manufactured by Chinese-owned companies Dahua and Hikvision. 


Pierluigi Paganini

(SecurityAffairs – hacking, Federal Communications Commission)


Data from 5.4M Twitter users obtained from multiple threat actors and combined with data from other breaches

Security Affairs - Sat, 11/26/2022 - 16:11
The massive data breach suffered by Twitter that exposed the emails and phone numbers of its users may have impacted more than five million accounts.

At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform.

The threat actor offered the stolen data for sale on the popular hacking forum Breached Forums. In January, a report submitted on HackerOne described a vulnerability that an attacker could exploit to find a Twitter account by its associated phone number or email, even if the user had opted out of this in the privacy options.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account.” reads the description in the report submitted by zhirinovskiy via bug bounty platform HackerOne. “This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”

The seller claimed that the database contained data (i.e. emails and phone numbers) of users ranging from celebrities to companies. The seller also shared a sample of the data in the form of a CSV file.

In August, Twitter confirmed that the data breach was caused by the now-patched zero-day flaw submitted by the researcher zhirinovskiy via bug bounty platform HackerOne, who received a $5,040 bounty for it.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.” reads the Twitter’s advisory. “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm.

“This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.”
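The enumeration pattern the HackerOne report describes, as an added example that is neither Twitter's code nor the researcher's proof of concept: an unauthenticated "is this email/phone already registered?" check that answers differently for known and unknown identifiers, beside a hardened signup handler and a budgeted, privacy-honouring contact lookup. The account store, the handler names and every identifier are constructed for the demo; nothing here is Twitter's real API.

```python
"""
Account-enumeration oracle vs. hardened handlers (added example, not Twitter's code).
The directory, endpoints and identifiers below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Account:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # the user's "Discoverability" privacy settings
    discoverable_by_phone: bool = False


# Constructed directory standing in for the account database.
ACCOUNTS = [
    Account(1001, "public_pat", "pat@example.net", "+15550000001", True, True),
    Account(1002, "private_quinn", "quinn@example.net", "+15550000002"),
    Account(1003, "phone_only_rae", "rae@example.net", "+15550000003", False, True),
]


def _find(identifier):
    for acct in ACCOUNTS:
        if identifier in (acct.email, acct.phone):
            return acct
    return None


# Vulnerable pattern: the signup flow's duplicate check is reachable without
# authentication, ignores the discoverability settings and returns the account.
def check_duplicate_vulnerable(identifier):
    acct = _find(identifier)
    if acct:
        return {"taken": True, "user_id": acct.user_id}   # leaks identifier -> account
    return {"taken": False}


# Hardened pattern: the response is identical whatever the truth. The distinguishing
# step (verification code vs. "an account already uses this address" notice) goes
# out of band to the address itself, so only its legitimate owner learns anything.
OUTBOX = []   # stands in for the email/SMS gateway


def start_signup_hardened(identifier):
    acct = _find(identifier)
    if acct:
        OUTBOX.append((identifier, "notice: an account already uses this address"))
    else:
        OUTBOX.append((identifier, "verification code"))
    return {"status": "check your inbox"}   # same shape and content in both branches


# Contact discovery is the legitimate way to map phone/email -> account. It must be
# authenticated, honour the user's discoverability setting, and be budgeted per
# caller so a 100M-row breach list cannot simply be replayed through it.
class LookupBudget:
    def __init__(self, limit):
        self.limit, self.used = limit, 0

    def take(self, n):
        if self.used + n > self.limit:
            raise PermissionError("contact lookup budget exhausted")
        self.used += n


def find_contacts(caller_budget, identifiers):
    caller_budget.take(len(identifiers))
    matches = {}
    for ident in identifiers:
        acct = _find(ident)
        if acct is None:
            continue
        by_email = "@" in ident
        if (by_email and acct.discoverable_by_email) or (not by_email and acct.discoverable_by_phone):
            matches[ident] = acct.handle
    return matches


def enumerate_pairs(handler, candidates):
    """What an attacker with a breach list learns by replaying it through a handler."""
    pairs = {}
    for candidate in candidates:
        response = handler(candidate)
        if response.get("user_id") is not None:
            pairs[candidate] = response["user_id"]
    return pairs


if __name__ == "__main__":
    breach_list = ["quinn@example.net", "+15550000003", "nobody@example.net"]
    print("vulnerable:", enumerate_pairs(check_duplicate_vulnerable, breach_list))
    print("hardened:  ", enumerate_pairs(start_signup_hardened, breach_list))
    print("contacts:  ", find_contacts(LookupBudget(100), breach_list))
```

Running it maps the constructed breach list to account IDs through the vulnerable check, including the account that opted out of discoverability, and to nothing through the hardened signup handler. The point of the hardened handler is not the wording of the message but that both branches return the same response; timing side channels are out of scope here. The contact lookup still answers, but only for accounts that chose to be discoverable by that identifier type, and only within a per-caller budget.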

This week, the website 9to5mac.com claimed that the data breach was worse than initially reported by the company. The website reports that multiple threat actors exploited the same flaw and that the data available in the cybercrime underground has different sources.

“A massive Twitter data breach last year, exposing more than five million phone numbers and email addresses, was worse than initially reported. We’ve been shown evidence that the same security vulnerability was exploited by multiple bad actors, and the hacked data has been offered for sale on the dark web by several sources.” reads the post published by 9to5mac.com

Source: Twitter account @sonoclaudio

9to5Mac’s claims are based on a dataset, offered by a different threat actor, that contained the same information in a different format. The source told the website that the database was “just one of a number of files they have seen.” It seems that the impacted accounts are only those that had the “Discoverability | Phone option (which is hard to find within Twitter’s settings)” enabled in late 2021.

The archive seen by 9to5Mac includes data belonging to Twitter users in the UK, almost every EU country, and parts of the US.

“I have obtained multiple files, one per phone number country code, containing the phone number <-> Twitter account name pairing for entire country’s telephone number space from +XX 0000 to +XX 9999.” the source told 9to5Mac. “Any twitter account which had the Discoverability | Phone option enabled in late 2021 was listed in the dataset.”

The experts speculate that multiple threat actors had access to the Twitter database and combined it with data from other security breaches.

The security researcher behind the account @chadloder (Twitter after the disclosure of the news) told 9to5Mac that the “email-twitter pairings were derived by running existing large databases of 100M+ email addresses through this Twitter discoverability vulnerability.”

The researcher told the website that they would reach out to Twitter for comment, but the entire media relations team left the company.

UPDATE:

Update: After discussing with my colleague @sonoclaudio, we noticed that the post on the popular breach forum reports that 1.4 accounts were suspended. Now the question is: why, months after the accounts were suspended, was the data still present in the database? What is the retention period for Twitter? Does Twitter violate the GDPR for European users?


Pierluigi Paganini

(SecurityAffairs – hacking, Twitter)


Weekendowa Lektura (Weekend Reading): episode 495 [2022-11-26]. Take and read

ZaufanaTrzeciaStrona.pl - Sat, 11/26/2022 - 14:27

We invite you to a new edition of Weekendowa Lektura. Today's edition is very varied, with no single leading theme, which may make the reading even more interesting. We wish you enjoyable reading.

In today's edition we particularly recommend, in the feature section, the CERT Polska shopping guide published this week (item 3), the news about the new powers to censor the internet that the ABW may receive (item 7), and interesting findings about… Read more

The post Weekendowa Lektura: episode 495 [2022-11-26]. Take and read first appeared on Zaufana Trzecia Strona.

All You Need to Know About Emotet in 2022

The Hacker News - Sat, 11/26/2022 - 06:49
For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it. Why is everyone scared of Emotet? Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication.

U.S. Bans Chinese Telecom Equipment and Surveillance Cameras Over National Security Risk

The Hacker News - Fri, 11/25/2022 - 23:52
The U.S. Federal Communications Commission (FCC) formally announced it will no longer authorize electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua, deeming them an "unacceptable" national security threat. All these Chinese telecom and video surveillance companies were previously included in the Covered List as of March 12, 2021. "The FCC is committed to protecting our national

Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

The Hacker News - Fri, 11/25/2022 - 23:28
Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group. Slovak cybersecurity company ESET, which dubbed the new ransomware strain RansomBoggs, said the attacks against several Ukrainian entities were first detected on November 21, 2022. "While the malware written in .NET is new, its deployment is

Devices from Dell, HP, and Lenovo used outdated OpenSSL versions

Security Affairs - Fri, 11/25/2022 - 19:35
Researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.

Binarly researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.

The OpenSSL library provides secure communications over computer networks, protecting against eavesdropping and letting each party identify the party at the other end. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

The researchers discovered the issue by analyzing firmware images used in devices from the above manufacturers.

The experts analyzed EDK II, one of the core frameworks used in any UEFI firmware, which carries its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component.

EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications.

The main EDK II repository is hosted on GitHub and is frequently updated.

The experts first analyzed Lenovo ThinkPad enterprise devices and found that their firmware images bundled several different versions of OpenSSL.

Lenovo ThinkPad enterprise devices used three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The most recent of these, 1.0.2j, was released in 2016.

“Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years.” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip. This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”

One of the firmware modules named InfineonTpmUpdateDxe uses the OpenSSL version 0.9.8zb that was released on August 4, 2014.

The researchers found that the most recent OpenSSL version used on Lenovo enterprise devices dates back to the summer of 2021.

The following image reports for each vendor all the versions of OpenSSL detected by the Binarly Platform in the wild:

The experts pointed out that the firmware code of a single device often relies on several different versions of OpenSSL at once.

The reason is that each piece of third-party code in the supply chain is built against its own dependency tree, which is often not available to device firmware developers; the researchers explained that this adds an extra layer of supply chain complexity.

“Most of the OpenSSL dependencies are linked statically as libraries to specific firmware modules that create compile-time dependencies which are hard to identify without deep code analysis capabilities.” continues the report. “Historically the problem within third-party code dependencies is not an easy issue to solve at the compiled code level.”

The experts noticed that devices from Dell and Lenovo relied on version 0.9.8l, which dates back to 2009.

Some Lenovo devices used version 1.0.0a, which dates back to 2010, while all three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w, which dates back to 2012.

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” concludes the report. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
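The binary-level SBOM validation the report calls for, as an added example that is not Binarly's tooling: pull the OpenSSL version banner out of each firmware module blob, order the versions correctly (pre-3.0 OpenSSL used letter suffixes, so 0.9.8zb is newer than 0.9.8l), and check every version found against the vendor's declared SBOM and the OpenSSL end-of-life table. The module blobs, module names and vendor SBOM are constructed for the demo; the EOL dates are the published OpenSSL release-strategy dates and are the assumption behind what counts as "outdated" here.

```python
"""
Binary-level OpenSSL SBOM check for carved firmware modules (added example, not
Binarly's code). Module blobs, module names and the vendor SBOM are constructed.
"""
import re
from datetime import date

# Every OpenSSL build embeds OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 1.0.2j  26 Sep 2016".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:\s+\d{1,2} [A-Z][a-z]{2} \d{4})?")

# branch -> end of support (assumption: OpenSSL release strategy as published, as of 2022)
EOL = {
    (0, 9, 8): date(2015, 12, 31),
    (1, 0, 0): date(2015, 12, 31),
    (1, 0, 1): date(2016, 12, 31),
    (1, 0, 2): date(2019, 12, 31),
    (1, 1, 0): date(2019, 9, 11),
    (1, 1, 1): date(2023, 9, 11),
}


def parse_version(text):
    """'0.9.8zb' -> ((0, 9, 8), 'zb')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if m is None:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def version_key(text):
    """Sort key for pre-3.0 versions: the suffix ran a..z, za, zb, ... so on the same
    branch a longer suffix is newer than a shorter one."""
    branch, letters = parse_version(text)
    return branch + (len(letters), letters)


def scan_modules(modules):
    """modules: {module_name: bytes}. Returns {module_name: sorted versions found}."""
    found = {}
    for name, blob in modules.items():
        versions = {m.group(1).decode() for m in BANNER.finditer(blob)}
        if versions:
            found[name] = sorted(versions, key=version_key)
    return found


def validate_sbom(found, sbom, today):
    """Compare what the binaries contain with what the vendor declares.
    Returns (module, version, finding) triples."""
    findings = []
    for name, versions in found.items():
        for v in versions:
            branch, _ = parse_version(v)
            eol = EOL.get(branch)
            if eol is None:
                findings.append((name, v, "unknown branch"))
            elif eol < today:
                findings.append((name, v, f"EOL since {eol.isoformat()}"))
            declared = sbom.get(name)
            if declared is None:
                findings.append((name, v, "module not in SBOM"))
            elif declared != v:
                findings.append((name, v, f"SBOM declares {declared}"))
    return findings


# Constructed stand-ins for carved UEFI DXE modules (only the bytes around the banner).
FIRMWARE = {
    "InfineonTpmUpdateDxe": b"MZ\x90\x00...\x00OpenSSL 0.9.8zb 4 Aug 2014\x00...",
    "SecureBootDxe": b"...OpenSSL 1.0.2j  26 Sep 2016\x00...OpenSSL 1.0.0a 1 Jun 2010\x00",
    "NetworkStackDxe": b"...OpenSSL 1.1.1l  24 Aug 2021\x00",
    "PlatformInitDxe": b"no crypto linked here",
}
# Constructed vendor SBOM: one OpenSSL entry per module, as a vendor might declare it.
VENDOR_SBOM = {
    "InfineonTpmUpdateDxe": "1.1.1l",
    "SecureBootDxe": "1.0.2j",
    "NetworkStackDxe": "1.1.1l",
}


def audit_firmware(today=date(2022, 11, 25)):   # default: the date of the article above
    return validate_sbom(scan_modules(FIRMWARE), VENDOR_SBOM, today)


if __name__ == "__main__":
    for module, version, finding in audit_firmware():
        print(f"{module:24} OpenSSL {version:8} {finding}")
```

On a real image, carve the DXE modules out first (for instance with UEFITool) and pass their bytes as the `modules` dict. A module that yields two banners is the statically linked duplicate case the report describes, and a module whose banner disagrees with the vendor's SBOM is exactly the "trust-but-verify" failure it argues for; in the constructed data, the TPM update module declares 1.1.1l but ships 0.9.8zb.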


Pierluigi Paganini

(SecurityAffairs – hacking, firmware)


Google fixed the eighth actively exploited #Chrome #zeroday this year

Security Affairs - Fri, 11/25/2022 - 08:50
Google on Thursday released security updates to address a new zero-day vulnerability, tracked as CVE-2022-4135, impacting the Chrome web browser.

Google rolled out an emergency security update for the desktop version of the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4135, that is actively exploited.

The CVE-2022-4135 vulnerability is a heap buffer overflow in Chrome’s GPU component. It was reported by Clement Lecigne of Google’s Threat Analysis Group on November 22, 2022.

As usual, Google did not share technical details about the vulnerability, to give users time to update their Chrome installations before the details become public.

“Google is aware that an exploit for CVE-2022-4135 exists in the wild.” reads the advisory published by Google. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

An attacker can exploit the heap buffer overflow to potentially gain arbitrary code execution on systems running vulnerable versions of the browser.

Google fixed the zero-day with the release of version 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows, which the company is rolling out over the coming days and weeks.

CVE-2022-4135 is the eighth actively exploited Chrome zero-day addressed by Google this year; below is the list of the other zero-days fixed by the tech giant:

  • CVE-2022-3723 (October 28) – type confusion in the V8 JavaScript engine
  • CVE-2022-3075 (September 2) – insufficient data validation in the Mojo collection of runtime libraries
  • CVE-2022-2856 (August 17) – insufficient validation of untrusted input in Intents
  • CVE-2022-2294 (July 4) – heap buffer overflow in the Web Real-Time Communications (WebRTC) component
  • CVE-2022-1364 (April 14) – type confusion in the V8 JavaScript engine
  • CVE-2022-1096 (March 25) – type confusion in the V8 JavaScript engine
  • CVE-2022-0609 (February 14) – use after free in the Animation component

Chrome users are recommended to update their installations as soon as possible to neutralize attacks attempting to exploit the zero-day.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)


Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

The Hacker News - Fri, 11/25/2022 - 08:12
Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be 

Experts investigate WhatsApp data leak: 500M user records for sale

Security Affairs - Fri, 11/25/2022 - 07:20
Cybernews investigated a data sample available for sale containing up-to-date mobile phone numbers of nearly 500 million WhatsApp users.

Original post published by Cybernews: https://cybernews.com/news/whatsapp-data-leak/

On November 16, a threat actor posted an ad on a well-known hacking community forum, claiming to be selling a 2022 database of 487 million WhatsApp user mobile numbers.

The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included.

Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers.

The threat actor told Cybernews they were selling the US dataset for $7,000, the UK – $2,500, and Germany – $2,000.

Such information is mostly used by attackers for smishing and vishing attacks, so users should remain wary of calls and messages from unknown numbers and of any unsolicited contact.

WhatsApp is reported to have more than two billion monthly active users globally.

Upon request, the seller of the WhatsApp database shared a sample of the data with Cybernews researchers. There were 1,097 UK and 817 US user numbers in the shared sample.

Cybernews investigated all the numbers included in the sample and managed to confirm that all of them are, in fact, WhatsApp users.

The seller did not specify how they obtained the database, suggesting they “used their strategy” to collect the data, and assured Cybernews all the numbers in the instance belong to active WhatsApp users.

Cybernews reached out to WhatsApp’s parent company, Meta, but received no immediate response. We will update the article as soon as we learn more.

The information on WhatsApp users could have been obtained by harvesting it at scale, also known as scraping, which violates WhatsApp’s Terms of Service.

This is speculation; however, massive data dumps posted online quite often turn out to have been obtained by scraping.

Meta itself, long criticized for letting third parties scrape or collect user data, saw over 533 million user records leaked on a dark web forum, with the actor sharing the dataset practically for free.

Days after a massive Facebook data leak made the headlines, an archive containing data purportedly scraped from 500 million LinkedIn profiles had been put for sale on a popular hacker forum.

Leaked phone numbers could be used for marketing purposes, phishing, impersonation, and fraud.

“In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data,” head of Cybernews research team Mantas Sasnauskas said. “We should ask whether an added clause of ‘scraping or platform abuse is not permitted in the Terms and Conditions’ is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”

If you want to know how to prevent data leaks, read the original post published by CyberNews.

About the author: Jurgita Lapienytė Chief Editor at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)


Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions

The Hacker News - Fri, 11/25/2022 - 06:15
An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk. EFI Development Kit, aka EDK, is an open source implementation of the Unified Extensible Firmware Interface (UEFI), which functions as an interface between the operating system and the firmware embedded in

An international police operation dismantled the spoofing service iSpoof

Security Affairs - Fri, 11/25/2022 - 05:27
An international law enforcement operation has dismantled an online phone number spoofing service called iSpoof.

An international law enforcement operation conducted by authorities in Europe, Australia, the United States, Ukraine, and Canada, with the support of Europol, has dismantled an online phone number spoofing service called iSpoof. The service allowed fraudsters to impersonate trusted corporations or contacts in an attempt to obtain sensitive information from victims.

Threat actors used the service to trick victims into disclosing financial or private information or transferring money.  

“The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords.” reads the announcement published by Europol. “The users were able to impersonate an infinite number of entities (such as banks, retail companies and government institutions) for financial gain and substantial losses to victims.”

The ‘spoofing’ service is believed to have caused an estimated worldwide loss in excess of GBP 100 million (EUR 115 million).

“According to the police, some victims have seen their savings or pension pot disappear within hours.” reported the Dutch Police.

The investigation, dubbed Operation Elaborate, was launched in October 2021 at the request of the UK authorities. iSpoof was launched in December 2020, and authorities estimate it had 59,000 users.

“The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century. Together with the support of partners across UK policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands.” London’s Metropolitan Police Commissioner Sir Mark Rowley stated. “By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people.”

In the coordinated effort led by the United Kingdom, 142 suspects have been arrested, including the administrator of the iSpoof website (ispoof[.]me and ispoof[.]cc).

Police seized the servers behind the service, and two days later Ukrainian and U.S. agencies took them offline.

“The arrests today send a message to cybercriminals that they can no longer hide behind perceived international anonymity. Europol coordinated the law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target the criminals wherever they are located.” Europol’s Executive Director Ms Catherine De Bolle said. “Together with our international partners, we will continue to relentlessly push the envelope to bring criminals to justice.”

“As cybercrime knows no borders, effective judicial cooperation across jurisdictions is key in bringing its perpetrators to court. Eurojust supports national authorities in their efforts to protect citizens against online and offline threats, and to help see that justice gets done.” Eurojust President Mr Ladislav Hamran said.


Pierluigi Paganini

(SecurityAffairs – hacking, iSpoof)


UK urges to disconnect Chinese security cameras in government buildings

Security Affairs - Fri, 11/25/2022 - 01:35
The British government banned the installation of Chinese-linked security cameras at sensitive facilities due to security risks.

Reuters reports that the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing them.

“The decision comes after a review of ‘current and future possible security risks associated with the installation of visual surveillance systems on the government estate’, cabinet office minister Oliver Dowden said in a written statement to parliament,” Reuters reported.

Security cameras from the two Chinese firms in question, Dahua and Hikvision, are widely used by a number of government departments, including the interior and business ministries.

Dowden pointed out that such surveillance systems must be scrutinized carefully because of their increasing capability and connectivity.

“The review has concluded that, in light of the threat to the UK and the increasing capability and connectivity of these systems, additional controls are required,” Dowden said. “Departments have therefore been instructed to cease deployment of such equipment onto sensitive sites, where it is produced by companies subject to the National Intelligence Law of the People’s Republic of China.”

The risk concerns security cameras manufactured by the Chinese-owned companies Dahua and Hikvision. Both companies are also on the Covered List maintained by the U.S. Federal Communications Commission (FCC).

The Covered List, published by the FCC's Public Safety and Homeland Security Bureau, enumerates communications equipment and services deemed to pose an unacceptable risk to the national security of the United States or to the security and safety of US persons.


Pierluigi Paganini

(SecurityAffairs – hacking, security cameras)

The post UK urges to disconnect Chinese security cameras in government buildings appeared first on Security Affairs.

Categories: Cyber Security News

U.K. Police Arrest 142 in Global Crackdown on 'iSpoof' Phone Spoofing Service

The Hacker News - Fri, 11/25/2022 - 01:06
A coordinated law enforcement effort has dismantled an online phone number spoofing service called iSpoof and arrested 142 individuals linked to the operation. The websites, ispoof[.]me and ispoof[.]cc, allowed the crooks to "impersonate trusted corporations or contacts to access sensitive information from victims," Europol said in a press statement. Worldwide losses exceeded €115 million ($
Categories: Cyber Security News

Interpol Seized $130 Million from Cybercriminals in Global "HAECHI-III" Crackdown Operation

The Hacker News - Thu, 11/24/2022 - 23:58
Interpol on Thursday announced the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering. The international police operation, dubbed HAECHI-III, transpired between June 28 and November 23, 2022, resulting in the arrests of 975 individuals and the closure of more than 1,600 cases. This comprised two fugitives
Categories: Cyber Security News

RansomExx Ransomware upgrades to Rust programming language

Security Affairs - Thu, 11/24/2022 - 16:19
RansomExx is the latest ransomware family to ship a variant written entirely in the Rust programming language.

The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware, tracked as RansomExx2, that has been ported to Rust.

The move follows the decision of other ransomware gangs, such as Hive, BlackCat, and Luna, to rewrite their ransomware in Rust.

The main incentive for rewriting malware in Rust is lower antivirus detection rates compared with malware written in more common languages such as C++, for which detection signatures are more mature.

RansomExx2 was developed to target the Linux operating system, but experts believe the operators are already working on a Windows version.

The RansomExx operation has been active since 2018; its victims include government agencies, the computer manufacturer GIGABYTE, and the Italian luxury brand Zegna. RansomExx is run by the DefrayX threat actor group (Hive0091), which also developed the PyXie RAT, the Vatet loader, and the Defray ransomware strains.

The functionality implemented in RansomExx2 is very similar to previous RansomExx Linux variants.

“RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys.” reads the analysis published by IBM Security X-Force.

The ransomware iterates through the specified directories, enumerating and encrypting files. It encrypts every file of 40 bytes or more with AES-256, appends a new extension to each encrypted file, and drops a ransom note in every directory it has processed.

“RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and Blackcat).” concludes the report. “While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch to Rust suggests a continued focus on the development and innovation of the ransomware by the group, and continued attempts to evade detection.”
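The file-level behaviour the report describes (files of 40 bytes or more encrypted and given a new extension, a note dropped in each affected directory) is what an incident responder can look for on a suspect Linux host. The Python triage script below is an added example, not code from the X-Force report or from the malware: it scores a directory on three indicators (a ransom note is present, one extension dominates the encryptable files, those files have ciphertext-like byte entropy) and lists the sub-40-byte files the variant would leave readable. The note file name RESTORE_FILES_README.txt and the .enc extension are placeholders, since the excerpt above names neither; the sample tree it builds is constructed test data.

```python
"""Triage heuristics for ransomware file artifacts (added example).

Assumptions not taken from the report: the note name RESTORE_FILES_README.txt
and the appended extension .enc are placeholders; real artifacts vary per campaign.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

MIN_ENCRYPTED_SIZE = 40                    # size floor quoted in the X-Force analysis
NOTE_NAMES = {"RESTORE_FILES_README.txt"}  # hypothetical ransom-note file name
ENTROPY_THRESHOLD = 7.5                    # bits per byte; AES output sits near 8.0
SAMPLE_BYTES = 64 * 1024                   # read at most this much of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means the bytes look uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_directory(dirpath) -> dict:
    """Score one directory (non-recursive) against three indicators:
    a ransom note, one extension dominating the files large enough to be
    encrypted, and those files having ciphertext-like entropy. Files under
    40 bytes are reported separately: the variant skips them, so they stay
    readable and are useful for confirming the original content/extension."""
    files = [p for p in Path(dirpath).iterdir() if p.is_file()]
    note_present = any(p.name in NOTE_NAMES for p in files)
    payload = [p for p in files if p.name not in NOTE_NAMES]
    skipped_small = sorted(p.name for p in payload if p.stat().st_size < MIN_ENCRYPTED_SIZE)
    candidates = [p for p in payload if p.stat().st_size >= MIN_ENCRYPTED_SIZE]

    if candidates:
        ext, ext_count = Counter(p.suffix for p in candidates).most_common(1)[0]
        ext_share = ext_count / len(candidates)
        high_entropy = sum(
            1 for p in candidates
            if shannon_entropy(p.read_bytes()[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD
        )
        entropy_share = high_entropy / len(candidates)
    else:
        ext, ext_share, entropy_share = "", 0.0, 0.0

    # Two of three indicators are required: a directory of legitimate files
    # sharing one extension would otherwise trip on extension dominance alone.
    indicators = sum([note_present, ext_share >= 0.6, entropy_share >= 0.6])
    return {
        "path": str(dirpath),
        "note_present": note_present,
        "dominant_extension": ext,
        "extension_share": round(ext_share, 2),
        "high_entropy_share": round(entropy_share, 2),
        "skipped_small_files": skipped_small,
        "suspicious": indicators >= 2,
    }


def build_sample_tree() -> tuple[str, str]:
    """Constructed test data: one 'encrypted' directory and one clean directory."""
    root = Path(tempfile.mkdtemp(prefix="ransomexx_triage_"))
    rng = random.Random(1)  # deterministic stand-in for AES ciphertext

    hit = root / "finance"
    hit.mkdir()
    for i in range(5):  # encrypted files: random bytes, new extension appended
        (hit / f"ledger{i}.xlsx.enc").write_bytes(rng.randbytes(4096))
    (hit / "tiny.cfg").write_bytes(b"debug=0\n")  # 8 bytes: below the floor, left as-is
    (hit / "RESTORE_FILES_README.txt").write_text("your files are encrypted ...\n")

    clean = root / "docs"
    clean.mkdir()
    for i in range(5):  # plaintext: one extension, but low entropy and no note
        (clean / f"note{i}.txt").write_text("The quick brown fox jumps over the lazy dog. " * 50)
    return str(hit), str(clean)


if __name__ == "__main__":
    for d in build_sample_tree():
        print(scan_directory(d))
```

Run it directly to scan the constructed sample; on a real host, call scan_directory on each directory of interest and put the note name observed in the incident into NOTE_NAMES. Entropy is the indicator that survives a renamed or missing note, because AES-256 output is indistinguishable from random bytes, while compressed formats such as .docx or .png also score high on their own, which is why the extension and note checks are combined with it.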


Pierluigi Paganini

(SecurityAffairs – hacking, RansomExx ransomware)

The post RansomExx Ransomware upgrades to Rust programming language appeared first on Security Affairs.

Categories: Cyber Security News

New RansomExx Ransomware Variant Rewritten in the Rust Programming Language

The Hacker News - Thu, 11/24/2022 - 08:25
The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like BlackCat, Hive, and Luna. The latest version, dubbed RansomExx2 by the threat actor known as Hive0091 (aka DefrayX), is primarily designed to run on the Linux operating system, although it's expected that a Windows version will
Categories: Cyber Security News

Millions of Android Devices Still Don't Have Patches for Mali GPU Flaws

The Hacker News - Thu, 11/24/2022 - 06:17
A set of five medium-severity security flaws in Arm's Mali GPU driver has continued to remain unpatched on Android devices for months, despite fixes released by the chipmaker. Google Project Zero, which discovered and reported the bugs, said Arm addressed the shortcomings in July and August 2022. "These fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung,
Categories: Cyber Security News

Boost Your Security with Europe's Leading Bug Bounty Platform

The Hacker News - Thu, 11/24/2022 - 06:03
As 2022 comes to an end, now's the time to level up your bug bounty program with Intigriti. Are you experiencing slow bug bounty lead times, gaps in security skills, or low-quality reports from researchers? Intigriti's expert triage team and global community of ethical hackers are enabling businesses to protect themselves against every emerging cybersecurity threat. Join the likes of Intel,
Categories: Cyber Security News
