FreshRSS

🔒
☐ ☆ ✇ WIRED

London Underground Is Testing Real-Time AI Surveillance Tools to Spot Crime

By Matt Burgess — February 8th 2024 at 17:55
In a test at one station, Transport for London used a computer vision system to try and detect crime and weapons, people falling on the tracks, and fare dodgers, documents obtained by WIRED show.
☐ ☆ ✇ The Hacker News

Chinese Hackers Operate Undetected in U.S. Critical Infrastructure for Half a Decade

By Newsroom — February 8th 2024 at 13:05
The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years. Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam. "Volt Typhoon's choice of targets and pattern
☐ ☆ ✇ WIRED

I Stopped Using Passwords. It's Great—and a Total Mess

By Matt Burgess — February 8th 2024 at 12:00
Passkeys are here to replace passwords. When they work, it’s a seamless vision of the future. But don’t ditch your old logins just yet.
☐ ☆ ✇ WIRED

2054, Part IV: A Nation Divided

By Elliot Ackerman, Admiral James Stavridis — February 8th 2024 at 11:00
“The people are in the streets. We can’t ignore them any longer. Really, we have little choice. Either we heal together, or we tear ourselves apart.” An exclusive excerpt from 2054: A Novel.
☐ ☆ ✇ The Hacker News

HijackLoader Evolves: Researchers Decode the Latest Evasion Methods

By Newsroom — February 8th 2024 at 10:28
The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling. "The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,"
☐ ☆ ✇ The Hacker News

Google Starts Blocking Sideloading of Potentially Dangerous Android Apps in Singapore

By Newsroom — February 8th 2024 at 10:17
Google has unveiled a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read one-time passwords and gather sensitive data. "This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive runtime permissions frequently abused for financial fraud when the user attempts
☐ ☆ ✇ The Hacker News

Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea

By Newsroom — February 8th 2024 at 06:53
The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer. The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W said in a new technical report. Troll
☐ ☆ ✇ The Hacker News

Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products

By Newsroom — February 8th 2024 at 05:10
Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices. The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an
☐ ☆ ✇ The Hacker News

After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back

By Newsroom — February 7th 2024 at 15:11
The threat actors behind the KV-botnet made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity. KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese
☐ ☆ ✇ WIRED

Ransomware Payments Hit a Record $1.1 Billion in 2023

By Andy Greenberg — February 7th 2024 at 14:00
After a slowdown in payments to ransomware gangs in 2022, last year saw total ransom payouts jump to their highest level yet, according to a new report from crypto-tracing firm Chainalysis.
☐ ☆ ✇ The Hacker News

Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros

By Newsroom — February 7th 2024 at 13:33
The maintainers of shim have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances. Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been&
☐ ☆ ✇ WIRED

2054, Part III: The Singularity

By Elliot Ackerman, Admiral James Stavridis — February 7th 2024 at 11:00
“You’d have an incomprehensible level of computational, predictive, analytic, and psychic skill. You’d have the mind of God.” An exclusive excerpt from 2054: A Novel.
☐ ☆ ✇ The Hacker News

New Webinar: 5 Steps to vCISO Success for MSPs and MSSPs

By The Hacker News — February 7th 2024 at 10:38
2024 will be the year of the vCISO. An incredible 45% of MSPs and MSSPs are planning to start offering vCISO services in 2024. As an MSP/MSSP providing vCISO services, you own the organization’s cybersecurity infrastructure and strategy. But you also need to position yourself as a reliable decision-maker, navigating professional responsibilities, business needs and leadership
☐ ☆ ✇ The Hacker News

Global Coalition and Tech Giants Unite Against Commercial Spyware Abuse

By Newsroom — February 7th 2024 at 09:45
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
☐ ☆ ✇ The Hacker News

Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network

By Newsroom — February 7th 2024 at 06:29
Chinese state-backed hackers broke into a computer network that's used by the Dutch armed forces by targeting Fortinet FortiGate devices. "This [computer network] was used for unclassified research and development (R&D)," the Dutch Military Intelligence and Security Service (MIVD) said in a statement. "Because this system was self-contained, it did not lead to any damage to the
☐ ☆ ✇ The Hacker News

Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover - Patch Now

By Newsroom — February 7th 2024 at 05:05
JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances. The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity. "The vulnerability may enable an unauthenticated
☐ ☆ ✇ WIRED

WhatsApp Chats Will Soon Work With Other Encrypted Messaging Apps

By Matt Burgess — February 6th 2024 at 16:53
New EU rules mean WhatsApp and Messenger must be interoperable with other chat apps. Here’s how that will work.
☐ ☆ ✇ The Hacker News

Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services

By Newsroom — February 6th 2024 at 14:02
Three new security vulnerabilities have been discovered in Azure HDInsight's Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition. "The new vulnerabilities affect any authenticated user of Azure HDInsight services such as Apache Ambari and Apache Oozie," Orca security
☐ ☆ ✇ WIRED

2054, Part II: Next Big Thing

By Elliot Ackerman, Admiral James Stavridis — February 6th 2024 at 11:00
“If molecules really were the new microchips, the promise of remote gene editing was that the body could be manipulated to upgrade itself.” An exclusive excerpt from 2054: A Novel.
☐ ☆ ✇ The Hacker News

How a $10B Enterprise Customer Drastically Increased their SaaS Security Posture with 201% ROI by Using SSPM

By The Hacker News — February 6th 2024 at 10:53
SaaS applications are the darlings of the software world. They enable work from anywhere, facilitate collaboration, and offer a cost-effective alternative to owning the software outright. At the same time, the very features that make SaaS apps so embraced – access from anywhere and collaboration – can also be exploited by threat actors. Recently, Adaptive Shield commissioned a Total Economic
☐ ☆ ✇ The Hacker News

Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data

By Newsroom — February 6th 2024 at 10:14
Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data. Singapore-headquartered Group-IB said the hacking crew's activities are geared towards job search platforms and the theft of resumes, with as many as 65
☐ ☆ ✇ The Hacker News

Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

By Newsroom — February 6th 2024 at 06:58
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
☐ ☆ ✇ The Hacker News

U.S. Imposes Visa Restrictions on those Involved in Illegal Spyware Surveillance

By Newsroom — February 6th 2024 at 05:00
The U.S. State Department said it's implementing a new policy that imposes visa restrictions on individuals who are linked to the illegal use of commercial spyware to surveil civil society members. "The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association," Secretary of State Antony Blinken said. "Such targeting has been
☐ ☆ ✇ The Hacker News

Combined Security Practices Changing the Game for Risk Management

By The Hacker News — February 5th 2024 at 13:18
A significant challenge within cyber security at present is that there are a lot of risk management platforms available in the market, but only some deal with cyber risks in a very good way. The majority will shout alerts at the customer as and when they become apparent and cause great stress in the process. The issue being that by using a reactive, rather than proactive approach, many risks
☐ ☆ ✇ The Hacker News

Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware

By Newsroom — February 5th 2024 at 13:18
The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy. Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between
☐ ☆ ✇ The Hacker News

Hands-On Review: SASE-based XDR from Cato Networks

By The Hacker News — February 5th 2024 at 11:12
Companies are engaged in a seemingly endless cat-and-mouse game when it comes to cybersecurity and cyber threats. As organizations put up one defensive block after another, malicious actors kick their game up a notch to get around those blocks. Part of the challenge is to coordinate the defensive abilities of disparate security tools, even as organizations have limited resources and a dearth of
☐ ☆ ✇ WIRED

2054, Part I: Death of a President

By Elliot Ackerman, Admiral James Stavridis — February 5th 2024 at 11:00
“They had, quite swiftly, begun an algorithmic scrub of any narrative of the president suffering a health emergency, burying those stories.” An exclusive excerpt from 2054: A Novel.
☐ ☆ ✇ Troy Hunt

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

By Troy Hunt — February 5th 2024 at 07:36
How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes:

Last week, someone reached out to me with what they claimed was a Spoutible data breach obtained by exploiting an enumerable API. Just your classic case of putting someone else's username in the URL and getting back data about them, which at first glance I assumed was another scraping situation like we recently saw with Trello. They sent me a file with 207k scraped records and a URL that looked like this:

https://spoutible.com/sptbl_system_api/main/user_profile_box?username=troyhunt

But they didn't send me my account, in fact I didn't even have an account at the time and if I'm honest, I had to go and look up exactly what Spoutible was. The penny dropped as I read into it: Spoutible emerged in the wake of Elon taking over Twitter, which left a bunch of folks unhappy with their new social overlord so they sought out alternate platforms. Mastodon and Bluesky were popular options, Spoutible was another which was clearly intended to be an alternative to the incumbent.

In order to unravel this saga in increasing increments of "no way!" reactions, let's just start with the basics of what that API endpoint was returning:

{
  err_code: 0,
  status: 200,
  user: {
    id: 735525,
    username: "troyhunt",
    fname: "Troy",
    lname: "Hunt",
    about: "Creator of Have I Been Pwned. Microsoft Regional Director. Pluralsight author. Online security, technology and “The Cloud”. Australian.",

Pretty standard stuff and I'd expect any of the major social platforms to do exactly the same thing. Name, username, bio and ID are all the sorts of data attributes you'd expect to find publicly available via an API or rendered into the HTML of the website. These fields, however, are quite different:

email: "[redacted]",
ip_address: "[redacted]",
verified_phone: "[redacted]",
gender: "M",

Ok, that's now a "no way!" because I had no expectation at all of any of that data being publicly available (note: phone number is optional, I chose to add mine). It's certainly not indicated on the pages where I entered it:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data
How Spoutible’s Leaky API Spurted out a Deluge of Personal Data
How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

But it's also not that different to previous scraping incidents; the aforementioned Trello scrape exposed the association of email addresses to usernames and the Facebook scrape of a few years ago did the same thing with phone numbers. That's not unprecedented, but this is:

password: "$2y$10$B0EhY/bQsa5zUYXQ6J.NkunGvUfYeVOH8JM1nZwHyLPBagbVzpEM2",

No way! Is it... real? Is that genuinely a bcrypt hash of my own password? Yep, that's exactly what it is:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

The Spoutible API enabled any user to retrieve the bcrypt hash of any other user's password.

I had to check, double check then triple check to make sure this was the case because I can only think of one other time I've ever seen an API do this...

<TangentialStory>

During my 14 years at Pfizer, I once reviewed an iOS app built for us by a low-cost off-shored development shop. I proxied the app through Fiddler, watched the requests and found an API that was returning every user record in the system and for each user, their corresponding password in plain text. When quizzing the developers about this design decision, their response was - and I kid you not, this isn't made up - "don't worry, our users don't use Fiddler" 🤦‍♂️

</TangentialStory>

I cannot think of any reason ever to return any user's hashed password to any interface, including an appropriately auth'd one where only the user themselves would receive it. There is never a good reason to do this. And even though bcrypt is the accepted algorithm of choice for storing passwords these days, it's far from uncrackable as I showed 7 years ago now after the Cloudpets breach. Here I used a small dictionary of weak, predictable passwords and easily cracked a bunch of the hashes. Weak passwords like... "spoutible". Wondering just how crazy things would get, I checked the change password page and found I could easily create a password of 6 or more characters (so long as it didn't exceed 20 characters) with no checks on strength whatsoever:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Strong hashing algorithms like bcrypt are weakened when poor password choices are allowed and strong password choices (such as having more than 20 characters in it), are blocked. For exactly the same reason breached services advise customers to change their passwords even when hashed with a strong algorithm, all Spoutible users are now in the same boat - change you password!

But fortunately these days many people make use of 2 factor authentication to protect against account takeover attacks where the adversary knows the password. Which brings us to the next piece of data the API returned:

2fa_secret: "7GIVXLSNKM47AM4R",
2fa_enabled_at: "2024-02-03 02:26:11",
2fa_backup_code: "$2y$10$6vQRDRDHVjyZdndGUEKLM.gmIIZVDq.E5NWTWti18.nZNQcqsEYki",

Oh wow! Why?! Let's break this down and explore both the first and last line. The 2FA secret is the seed that's used to generate the one time password to be used as the second factor. If you - as an attacker - know this value then 2FA is rendered useless. To test that this was what it looked like, I asked Stefán to retrieve my data from the public API, take the 2FA secret and send me the OTP:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

It was a match. If Stefán could have cracked my bcrypted password hash (and he's a smart guy so "spoutible" would have definitely been in his word list), he could have then passed the second factor challenge. And the 2FA backup code? Thinking that would also be exactly what it looked like, I'd screen grabbed it when enabling 2FA:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Now, using the same bcrypt hash checker as I did for the password, here's what I found:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

What I just don't get is if you're going to return the 2FA secret anyway, why bother bcrypting the backup code? And further, it's only a 6 digit number, do you know how long it takes to crack a bcrypted 6 digit number? Let's find out:

570075, 2m59s

— Martin Sundhaug (@sundhaug92@mastodon.social) (@sundhaug92) February 4, 2024

Many other people worked it out in single-digit minutes as well, but Martin did it fastest at the time of writing so he gets the shout-out 😊

You know how I said you'd keep leaning in further and further? Yeah, we're not done yet because then I found this:

em_code: "c62fcf3563dc3ab38d52ba9ddb37f9b1577d1986"

Maybe I've just seen too many data breaches before, but as vague as this looks I had a really good immediate hunch of what it was but just to be sure, I logged out and went to the password reset page:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Leaning in far enough now, anticipating what's going to happen next? Yep, it's exactly what you thought:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data
How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

NO WAY! Exposed password reset tokens meant that anyone could immediately takeover anyone else's account 🤯

After changing the password, no notification email was sent to the account holder so just to make things even worse, if someone's account was taken over using this technique they'd have absolutely no idea until they either realised their original password no longer worked or their account started spouting weird messages. There's also no way to see if there are other active sessions, for example the way Twitter shows them:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Further, changing the password doesn't invalidate existing sessions so as best as I can tell, if someone has successfully accessed someone else's Spoutible account there's no way to know and no way to boot them out again. That's going to make recovering from this problematic unless Spoutible has another mechanism to invalidate all active sessions.

The one saving grace is that the token was rotated after reset so you can't use the one in the image above, but of course the new one was now publicly exposed in the API! And there's no 2FA challenge on password reset either but of course even if there was, well, you already read this far so you know how that could have been easily circumvented.

There's just one more "oh wow!" remaining, and it's the ease with which the vulnerable API was found. Spoutible has a feature called Pods and when you browse to that page, people listening to the pod are displayed with the ability to hover over their profile and display further information. For example, here's Rosetta and if we watch the request that's made in the dev tools...

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

By design, all the personal information including email and IP address, phone number, gender, bcrypt hashed password, 2FA secret and backup code and the code that can be immediately used to reset the password is returned to every single person that uses this feature. How many times has this API spouted troves of personal data out to people without them even knowing? Who knows, but I do know it wasn't the only API doing that because the one that listed the pods also did it:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Because the vulnerable APIs was requested organically as a natural part of using the service as it was intended, Spoutible almost certainly won't be able to fully identify abuse of it. To use the definition of the infamous Missouri governor who recently attempt to prosecute a journalist for pressing F12, everyone who used those features inadvertently became a hacker.

Just one last finding and I've not been able to personally validate it so let's keep it out of "oh wow!" scope: the individual that sent me the data and details of the vulnerability said that the exposed data includes access tokens for other platforms. A couple of months ago, Spoutible announced cross-posting to Mastodon and Bluesky and my own data does have a "cross_posting_auth" node, albeit set to null. I couldn't see anywhere within the UI to enable this feature, but there are profiles with values in there. During the disclosure process (more on that soon), Spoutible did say that those value were encrypted and without evidence of a private key compromise, they believe they're safe.

Here's my full record as it was originally returned by the vulnerable API:

To be as charitable as possible to Spoutible, you could argue that this is largely just the one vulnerability that is the inadvertent exposure of internal data via a public API. This is data that has a legitimate purpose in their system and it may simply be a case of a framework automatically picking all entity attributes up from the data tier and returning them via the UI. But it's the circumstances that allowed this to happen and then exacerbated the problem when it did that concern me more; clearly there's been no security review around this feature because it was so easily discoverable (at least there certainly wasn't review whilst it was live), nor has been any thought put in to notifying people of potential account takeovers or providing them with the means to invalidate other sessions. Then there are periphery issues such as very weak password rules that make cracking bcrypt so much easier, weak 2FA backup codes and pointless bcrypting of them. Not major issues in and of themselves, but they amplify the problems the exposed data presents.

Clearly this required disclosure before publication, unfortunately Spoutible does not publish a security.txt file so I went directly to the founder Christopher Bouzy on both Twitter and email (obviously I could have reached out on Spoutible, but he's very active on Twitter and my profile has more credibility there than a brand new Spoutible account). Here's the timeline, all AEST:

  1. 4 Feb, 15:30: Initial outreach asking for security contact
  2. 4 Feb, 17:27: Response from Spoutible
  3. 4 Feb, 18:31: Full details provided to Spoutible
  4. 4 Feb, 19:48 (or earlier): API is fixed
  5. 5 Feb 01:28 (or earlier): Announcement made about the incident
  6. 5 Feb 07:52: Spoutible confirmed all em_code values have been rotated

To give credit where it's due, Spoutible's response time was excellent. In the space of only about 4 hours, the data returned by the API had a huge number of attributes trimmed off it and now aligns with what I'd expect to see (although the 207k previously scraped records obviously still contain all the data). I'll also add that Christopher's communication with me commendable; he's clearly genuinely passionate about the platform and was dismayed to learn of the vulnerability. I've dealt with many founders of projects in the past that had suffered data breaches and it's especially personal for them, having poured so much of themselves into it.

Here's their disclosure in its entirety:

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

The revised API is now returning over 80% less data and looks like this:

If you're a detail person, yes, the forward slashes are no longer escaped and the remaining fields are ordered slightly differently so it looks like the JSON encoder has changed. In case you're interested, here's a link to a diff between the two with a little bit of manipulation to make it easier to see precisely what's changed.

As to my own advice to Spoutible users, here are the actions I'd recommend:

  1. Change your Spoutible password and change any other account you reused that password on
  2. If you had 2FA turned on for Spoutible, turn it off then back on again so that it generates a different secret
  3. If you enabled cross-posting to Mastodon or Bluesky, out of an abundance of caution you should invalidate the keys on those platforms
  4. Recognise that your email address, IP address, phone number if you added it and any intentionally publicly visible data associated to your profile may have been exposed

The 207k exposed email addresses that were sent to me are now searchable in Have I Been Pwned and my impacted subscribers have received email notifications.

☐ ☆ ✇ The Hacker News

New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw

By Newsroom — February 5th 2024 at 03:45
The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico. The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week. Propagated via phishing mails, Mispadu is a Delphi-based information stealer
☐ ☆ ✇ WIRED

China’s Hackers Keep Targeting US Water and Electricity Supplies

By Matt Burgess, Dhruv Mehrotra — February 3rd 2024 at 14:00
Plus: Russia was likely behind widespread GPS outages, Vault 7 leaker was sentenced, police claim to trace Monero cryptocurrency, and more.
☐ ☆ ✇ The Hacker News

U.S. Sanctions 6 Iranian Officials for Critical Infrastructure Cyber Attacks

By Newsroom — February 3rd 2024 at 07:33
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against six officials associated with the Iranian intelligence agency for attacking critical infrastructure entities in the U.S. and other countries. The&nbsp;officials&nbsp;include Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin
☐ ☆ ✇ The Hacker News

Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

By Newsroom — February 3rd 2024 at 06:51
The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. "Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory. The vulnerability, tracked as&nbsp;CVE-2024-23832, has a severity rating of 9.4 out of
☐ ☆ ✇ The Hacker News

AnyDesk Hacked: Popular Remote Desktop Software Mandates Password Reset

By Newsroom — February 3rd 2024 at 02:55
Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems. The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities. "We have revoked all security-related certificates and systems have been remediated or replaced
☐ ☆ ✇ The Hacker News

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

By Newsroom — February 2nd 2024 at 13:17
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe. The agency&nbsp;attributed&nbsp;the campaign to a threat actor it calls&nbsp;UAC-0027. DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March
☐ ☆ ✇ The Hacker News

Former CIA Engineer Sentenced to 40 Years for Leaking Classified Documents

By Newsroom — February 2nd 2024 at 10:40
A former software engineer with the U.S. Central Intelligence Agency (CIA) has been sentenced to 40 years in prison by the Southern District of New York (SDNY) for transmitting classified documents to WikiLeaks and for possessing child pornographic material. Joshua Adam Schulte, 35, was originally charged in June 2018. He was&nbsp;found guilty&nbsp;in July 2022. On September 13, 2023, he was&
☐ ☆ ✇ The Hacker News

Cloudzy Elevates Cybersecurity: Integrating Insights from Recorded Future to Revolutionize Cloud Security

By The Hacker News — February 2nd 2024 at 10:30
Cloudzy, a prominent cloud infrastructure provider, proudly announces a significant enhancement in its cybersecurity landscape. This breakthrough has been achieved through a recent consultation with Recorded Future, a leader in providing real-time threat intelligence and cybersecurity analytics. This initiative, coupled with an overhaul of Cloudzy's cybersecurity strategies, represents a major
☐ ☆ ✇ The Hacker News

Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

By Newsroom — February 2nd 2024 at 06:21
Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code. The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out "with the goal of
☐ ☆ ✇ WIRED

The Mystery of the $400 Million FTX Heist May Have Been Solved

By Andy Greenberg — February 1st 2024 at 21:48
An indictment against three Americans suggests that at least some of the culprits behind the theft of an FTX crypto fortune may be in custody.
☐ ☆ ✇ WIRED

A Startup Allegedly ‘Hacked the World.’ Then Came the Censorship—and Now the Backlash

By Andy Greenberg — February 1st 2024 at 17:30
A loose coalition of anti-censorship voices is working to highlight reports of one Indian company’s hacker-for-hire past—and the legal threats aimed at making them disappear.
☐ ☆ ✇ The Hacker News

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

By Newsroom — February 1st 2024 at 13:36
Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called&nbsp;Commando Cat. "The campaign deploys a benign container generated using the&nbsp;Commando project," Cado security researchers Nate Bill and Matt Muir&nbsp;said&nbsp;in a new report published today. "The attacker&nbsp;escapes this container&nbsp;and runs multiple payloads on the
☐ ☆ ✇ The Hacker News

Why the Right Metrics Matter When it Comes to Vulnerability Management

By The Hacker News — February 1st 2024 at 11:40
How’s your vulnerability management program doing? Is it effective? A success? Let’s be honest, without the right metrics or analytics, how can you tell how well you’re doing, progressing, or if you’re getting ROI? If you’re not measuring, how do you know it’s working? And even if you are measuring, faulty reporting or focusing on the wrong metrics can create blind spots and make it harder to
☐ ☆ ✇ The Hacker News

U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

By Newsroom — February 1st 2024 at 11:37
The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign. The existence of the botnet, dubbed&nbsp;KV-botnet, was&nbsp;first disclosed&nbsp;by the Black Lotus Labs team at
☐ ☆ ✇ The Hacker News

HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

By Newsroom — February 1st 2024 at 11:22
Cybersecurity researchers have detailed an updated version of the malware&nbsp;HeadCrab&nbsp;that's known to target Redis database servers across the world since early September 2021. The development, which comes exactly a year after the malware was first&nbsp;publicly disclosed&nbsp;by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and
☐ ☆ ✇ The Hacker News

Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities

By Newsroom — February 1st 2024 at 07:43
Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of&nbsp;LIGHTWIRE. "CHAINLINE is a Python web shell backdoor that is
☐ ☆ ✇ The Hacker News

CISA Warns of Active Exploitation Apple iOS and macOS Vulnerability

By Newsroom — February 1st 2024 at 05:02
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday&nbsp;added&nbsp;a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as&nbsp;CVE-2022-48618&nbsp;(CVSS score: 7.8), concerns a bug in the kernel component. "An attacker with
☐ ☆ ✇ WIRED

YouTube, Discord, and ‘Lord of the Rings’ Led Police to a Teen Accused of a US Swatting Spree

By Dhruv Mehrotra, Andrew Couts — February 1st 2024 at 01:28
For nearly two years, police have been tracking down the culprit behind a wave of hoax threats. A digital trail took them to the door of a 17-year-old in California.
☐ ☆ ✇ The Hacker News

RunC Flaws Enable Container Escapes, Granting Attackers Host Access

By Newsroom — January 31st 2024 at 20:00
Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks. The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed&nbsp;Leaky Vessels&nbsp;by cybersecurity vendor Snyk. "These container
☐ ☆ ✇ The Hacker News

Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

By Newsroom — January 31st 2024 at 13:38
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888&nbsp;(CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
☐ ☆ ✇ The Hacker News

Telegram Marketplaces Fuel Phishing Attacks with Easy-to-Use Kits and Malware

By Newsroom — January 31st 2024 at 12:21
Cybersecurity researchers are calling attention to the "democratization" of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230. "This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and
☐ ☆ ✇ WIRED

Apple and Google Just Patched Their First Zero-Day Flaws of the Year

By Kate O'Flaherty — January 31st 2024 at 12:00
Plus: Google fixes dozens of Android bugs, Microsoft rolls out nearly 50 patches, Mozilla squashes 15 Firefox flaws, and more.
☐ ☆ ✇ The Hacker News

Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

By Newsroom — January 31st 2024 at 11:00
A financially motivated threat actor known as&nbsp;UNC4990&nbsp;is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy. Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics. "UNC4990 operations generally involve widespread USB infection followed by the deployment of the
☐ ☆ ✇ The Hacker News

The SEC Won't Let CISOs Be: Understanding New SaaS Cybersecurity Rules

By The Hacker News — January 31st 2024 at 11:00
The SEC isn’t giving SaaS a free pass. Applicable public companies, known as “registrants,” are now subject to cyber incident disclosure and cybersecurity readiness requirements for data stored in SaaS systems, along with the 3rd and 4th party apps connected to them.&nbsp; The new cybersecurity mandates&nbsp;make no distinction between data exposed in a breach that was stored on-premise, in the
☐ ☆ ✇ The Hacker News

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

By Newsroom — January 31st 2024 at 05:44
Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246 (CVSS score: 7.8), the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by&nbsp;syslog() and vsyslog()&nbsp;for system logging purposes. It's said to have
☐ ☆ ✇ The Hacker News

URGENT: Upgrade GitLab - Critical Workspace Creation Flaw Allows File Overwrite

By Newsroom — January 30th 2024 at 16:18
GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a&nbsp;workspace. Tracked as&nbsp;CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10. "An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to
☐ ☆ ✇ The Hacker News

China-Linked Hackers Target Myanmar's Top Ministries with Backdoor Blitz

By Newsroom — January 30th 2024 at 13:45
The China-based threat actor known as&nbsp;Mustang Panda&nbsp;is suspected to have targeted Myanmar's Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans. The findings come from CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts in connection with the attacks were uploaded to the
☐ ☆ ✇ WIRED

Robots Are Fighting Robots in Russia's War in Ukraine

By Matt Burgess — January 30th 2024 at 12:00
Aerial drones have changed the war in Ukraine. Now, both Russia’s and Ukraine’s militaries are deploying more unmanned ground robots—and the two are colliding.
☐ ☆ ✇ The Hacker News

Top Security Posture Vulnerabilities Revealed

By The Hacker News — January 30th 2024 at 10:49
Each New Year introduces a new set of challenges and opportunities for strengthening our cybersecurity posture. It's the nature of the field – the speed at which malicious actors carry out advanced persistent threats brings a constant, evolving battle for cyber resilience. The excitement in cybersecurity lies in this continuous adaptation and learning, always staying one step ahead of potential
☐ ☆ ✇ The Hacker News

Juniper Networks Releases Urgent Junos OS Updates for High-Severity Flaws

By Newsroom — January 30th 2024 at 05:01
Juniper Networks has released out-of-band updates to&nbsp;address high-severity flaws&nbsp;in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems. The vulnerabilities, tracked as&nbsp;CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-
☐ ☆ ✇ WIRED

US Lawmakers Tell DOJ to Quit Blindly Funding ‘Predictive’ Police Tools

By Dell Cameron — January 29th 2024 at 16:19
Members of Congress say the DOJ is funding the use of AI tools that further discriminatory policing practices. They're demanding higher standards for federal grants.
☐ ☆ ✇ The Hacker News

Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

By Newsroom — January 29th 2024 at 13:31
A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file. The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its&nbsp;Patch Tuesday updates&nbsp;for December 2023. "In an email attack scenario, an attacker could exploit the
❌