Secret backdoor discovered in Zyxel firewall and AP controllers bleepingcomputer.com | January 02, 2021
Over 100,000 Zyxel devices are potentially vulnerable to a secret backdoor caused by hardcoded credentials used to update firewall and AP controllers' firmware....
Posted on 2021-01-07 borncity.de
NVIDIA Patches Several High Risk Security Flaws In Windows And Linux GeForce Drivers, Update Now hothardware.com | Sunday, January 10, 2021
For as long as developers have been writing software code, they've been inadvertently creating bugs. It's when those bugs can compromise the security of a PC that a bug goes from an annoyance to a potential real danger. Security issues with apps can be worked around in the interim, even if it means uninstalling it, but what about when the security vulnerability is in the driver for some critical piece of hardware; say a video adapter? When that happens, developers have to isolate the cause and act quickly to plug the holes, or else risk any PC with that hardware being open to attack. Such was the case for NVIDIA this week.
The GeForce, Quadro, and AI accelerator maker has issued a series of driver updates this week to prevent ten years of graphics hardware from being susceptible to attacks. This is a big deal because, like video drivers from all major vendors, NVIDIA's drivers run in kernel mode with additional unrestricted access in the name of better performance. That's true of the oldest hardware on the market up to and including the latest Ampere GPUs from the GeForce RTX 30 Series....
Ransomware malware on the rise; be careful what you do on the Internet.
[German] Security experts and the US Senator Ron Wyden raise serious allegations and accuse industry top dog Microsoft of failures. Microsoft failed to fix known problems with its cloud software and to warn users. That was only made possible by the massive SolarWinds hack, which compromised at least nine federal agencies. An attack vector known as "golden SAML" plays a role here. Time to shed some light on the whole thing....
"The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities,"
https://www.bleepingcomputer.com/ne...ion-allowed-hackers-to-hijack-gmail-accounts/
FireEye finds new malware likely linked to SolarWinds hackers bleepingcomputer.com | 4 March 2021
FireEye discovered a new "sophisticated second-stage backdoor" on the servers of an organization compromised by the threat actors behind the SolarWinds supply-chain attack.
Details about the Microsoft Exchange Server hack.
"At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software"
https://krebsonsecurity.com/2021/03...acked-via-holes-in-microsofts-email-software/
Edit:
Microsoft hack: White House warns of 'active threat'
https://www.bbc.com/news/world-us-canada-56304379
(Everything normal folks, it's just standard MS swiss cheese software in action)
Microsoft releases one-click Exchange On-Premises Mitigation Tool bleepingcomputer.com
Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) tool to allow small business owners to easily mitigate the recently disclosed ProxyLogon vulnerabilities.
Hackers hide credit card data from compromised stores in JPG file bleepingcomputer.com
Hackers have come up with a sneaky method to steal payment card data from compromised online stores that reduces the suspicious traffic footprint and helps them evade detection.
Malware hidden in game cheats and mods used to target gamers bleepingcomputer.com
Threat actors target gamers with backdoored game tweaks, patches, and cheats hiding malware capable of stealing information from infected systems.
Huge Zoom flaw lets hackers completely take over your Mac or PC tomsguide.com | Today
There's a brand-new flaw in Zoom that lets a hacker completely take over your PC or Mac while you just sit by and watch — but so far, only a handful of people know how it works.
Two of those people are Dutch security researchers Daan Keuper and Thijs Alkemade, who demonstrated a working exploit of the security flaw yesterday (April 7) as part of the twice-yearly Pwn2Own hacking competition.
What you can do
If you want to play it safe for now, then use the Zoom browser interface instead of the Zoom desktop client. (Zoom will nudge you to install the desktop app when joining a meeting online, but you can ignore that.)
The Pwn2Own competition, now run by Trend Micro's Zero Day Initiative team, has been running since 2007.
White-hat hackers are given stock machines and software, all fully patched, and must demonstrate their exploits in real-time before a live audience. Winners must share their methods privately with the developers of the software they've hacked.
Windows 10 hacked again at Pwn2Own, Chrome and Zoom also fall bleepingcomputer.com
Contestants hacked Microsoft's Windows 10 OS twice during the second day of the Pwn2Own 2021 competition, together with the Google Chrome web browser and the Zoom video communication platform....
Data leak: 500 million LinkedIn user data for sale in underground forum borncity.de Posted on 2021-04-07
Facebook will not notify the 500 million users affected by the latest data breach neowin.com · 2 hours ago
Facebook has acknowledged the latest data breach, but the company has confirmed that it won't notify users who were affected by the breach because it's not sure which users would need to be notified.
The silver lining here is that Troy Hunt managed to secure the database and he made it available to everyone. This way users can check if their personal details were leaked in the latest Facebook breach. Hunt also managed to secure the list of phone numbers that were leaked in the breach, giving users an easy way of checking if their phone numbers were leaked. You can take a look at our guide on how to check if your personal information was leaked during the breach. The Irish Data Protection Commission (DPC) has also taken note of the latest breach and is reviewing the details of the hack.
"Dutch supermarkets run out of cheese after ransomware attack"
- Last week, Bakker Logistiek suffered a ransomware attack that encrypted devices on their network and disrupted food transportation and fulfillment operations.
- "And in our warehouses we no longer knew where products were. These are very large warehouses, you don't just go looking for a pallet. We also couldn't plan our transports anymore. We have hundreds of trucks, which was not done by hand either."
- This disruption led to a shortage of certain food products, especially cheese, at the Netherlands' largest supermarket chain, Albert Heijn.
https://www.bleepingcomputer.com/ne...ts-run-out-of-cheese-after-ransomware-attack/
That's hitting below the belt!
"NVIDIA releases Morpheus framework to detect security threats"
- NVIDIA has announced the release of its Morpheus framework that uses AI to detect and prevent security threats.
- It can detect leaks of unencrypted sensitive data, phishing attacks, and malware
- When used along with BlueField DPUs, it enables every compute node in a network to be used as a security sensor.
https://www.itopstimes.com/itops/nvidia-releases-morpheus-framework-to-detect-security-threats/
Green Goblin delving into AI security nodes. Interesting!
Apple Targeted in $50 Million Ransomware Hack of Supplier Quanta
Apple (AAPL) Targeted in $50 Million Ransomware Hack of Supplier Quanta - Bloomberg
Apple supplier is the latest target of a $50 million ransomware hack
The attackers are threatening to leak blueprints.
Apple supplier is the latest target of a $50 million ransomware hack | Engadget
Apple product data leaked as part of $50M ransomware attack (cnbc.com)
How come the thugs always know much more about exploitation of possible vulnerabilities than the makers of OSes, apps, programs & software, who eternally have to play catch-up after the damage is done?
Quite a package:
Using this malware, threat actors can steal saved credentials in web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients.
In addition to stealing passwords, the developer claims the malware can steal over fifteen cryptocurrency wallets, steal documents, and take screenshots of the active applications running on victims' computers.
https://www.bleepingcomputer.com/ne...e-spotify-sites-spread-info-stealing-malware/
"FragAttacks" - WLAN vulnerability affects all WIFI devices (routers, smartphones, etc.) deskmodder.de |Today
The Federal Office for Information Security made a vulnerability in WLAN devices public on Wednesday. It is about the term "FragAttacks" which should stand for "fragmentation and aggregation attacks". Both WiFi routers, as well as smartphones, tablets and smart home devices are affected by the vulnerability. It is a design-related gap in the WiFi standard.
All Wi-Fi devices impacted by new FragAttacks vulnerabilities bleepingcomputer.com
Newly discovered Wi-Fi security vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) are impacting all Wi-Fi devices (including computers, smartphones, and smart devices) going back as far as 1997.
"Tracking One Year of Malicious Tor Exit Relay Activities"
"The tor network usually consists of less than 1 500 tor exit relays. In early May 2021 over 1 000 new unnamed tor exit relays without ContactInfo joined the tor network within less than 24 hours"
"on 2021–02–02 they managed more than 27% of tor’s exit relay capacity"
"As of 2021–05–08 I estimate their exit fraction between 4-6% of the tor network’s exit capacity."
https://nusenu.medium.com/tracking-...or-exit-relay-activities-part-ii-85c80875c5df
How Do You Protect Yourself?
Thankfully, standard best practices for keeping your devices and network safe will also help protect you against FragAttacks. Here are the top three tips:
First, ensure the devices you’re using are getting security updates. If you’re still using a Windows 7 PC or an old version of macOS that isn’t getting updates, it’s time to upgrade. If your router is getting long in the tooth and your manufacturer never plans on updating it again, it’s time for a new router. If you have smart plugs or other old devices that aren’t getting firmware updates and likely have security flaws, you should replace them with something new.
Second, install those security updates. Modern devices will generally automatically install updates for you. However, on some devices, like routers, you still have to click an option or tap a button to agree to install that update.
Third, use secure encryption. When signing in online, make sure you’re on an HTTPS site. Try to use HTTPS whenever possible—a browser extension like HTTPS Everywhere can help, but it’s much less necessary now that most websites you visit likely automatically use HTTPS if it’s available. Firefox can even be configured to warn you before loading websites that aren’t encrypted with HTTPS. Also, try using secure encryption everywhere: Even if you’re just transferring files between devices on your local network, use an application that offers encryption to secure that transfer. This will protect you from FragAttacks and other potential future flaws that could bypass your Wi-Fi encryption to spy on you.
Of course, a VPN can route all your traffic through an encrypted connection, so it gives you extra protection against FragAttacks if you have to access an HTTP website (or another unencrypted service) and you're concerned about the network you're currently using.
Interesting calculations & predictions.
"The recent closure of Colonial Pipeline's natural gas distribution infrastructure from a ransomware attack brings up a question: What economic damage could be caused by a cyberattack that would render the internet unusable for an hour, 10 hours, or a day? "
https://www.zdnet.com/article/how-m...-done-if-a-cyberattack-took-out-the-internet/
It would have to be a major, major event. I cannot say about other countries, but in the US the internet backbone has so many redundancies that there will be only minor hiccups (like when a backhoe took out my company's block by accidentally cutting the fiber). Given the way ARPANET was designed, I just don't know if this would be a reality where it affects more than 5,000-10,000 people max.
Russia steadily moving towards implementing Chinese-like internet situation.
https://www.neowin.net/news/russia-gives-google-24-hours-to-delete-illegal-content-or-be-throttled/
https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RTAC3200/HelpDesk_BIOS/
------------------------------------------------------------------
Your router's security stinks: Here's how to fix it tomsguide.com
By Paul Wagenseil 3 days ago
Is it time to throw out that old router, or just make it safer?
Finally, use Gibson Research Corp.'s Shields Up port-scanning service at https://www.grc.com/shieldsup. It will test your router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.
Some of you may remember the name Gibson Research Corporation from before. Yeah, it's the author of the InSpectre tool.
A bunch of major news and government websites including cnn.com are down. Allegedly linked to the cloud computing service Fastly.
Ransomware + crypto money, what a combination
https://www.zdnet.com/article/ransomware-meat-firm-jbs-says-it-paid-out-11m-after-attack/
"closes shop" lol. btw, very good customer support:
"The Avaddon threat actors are also said to offer their victims 24/7 support and resources on purchasing Bitcoin, testing files for decryption, and other challenges that may hinder victims from paying the ransom," the report said.
https://www.zdnet.com/article/avadd...all-2934-decryption-keys-to-bleepingcomputer/
Millions of Dell PCs can be hacked remotely — here's what you need to know tomsguide.com | June 24, 2021
More than 100 Dell models are vulnerable to firmware-update flaws
Severe flaws in more than 100 Dell laptop and desktop models could let hackers remotely take over the machines, security researchers revealed today (June 24). Up to 30 million devices may be affected.
The flaws, four in all, have to do with the BIOSConnect function in the Dell SupportAssist tool built into most recent Dell machines. They permit an attacker with access to the local network to modify a machine's startup firmware (commonly called the BIOS) and take complete control.
If this sounds a bit familiar, it's similar to a set of BIOS-update flaws disclosed in Dell machines just about six weeks ago. However, those five flaws appear to involve a different update process than the one revealed today.
Dell told ZDNet that the BIOS firmware updates would be automatically installed as long as users had auto-updates turned on. But given that the flaws are in the BIOSConnect automatic-update process itself, you may want to perform the BIOS update manually.
"We recommend that users not use BIOSConnect to perform this firmware update," the Eclypsium report noted.
Eclypsium specializes in finding firmware and hardware flaws and revealed several such flaws in Dell, HP and Lenovo machines in early 2020.
Yep, Dell locks everything in the BIOS, e.g. "advanced power settings", to stop people from tampering with their own computers, but prefers instead to let the hackers have full access to the machine over the internet, LOOL
@tilleroftheearth @Mr. Fox @Spartan@HIDevolution @Normimb
-------------------------------------------------------------------------------
Equally disgusting as above....
WD My Book NAS devices are being remotely wiped clean worldwide bleepingcomputer.com
Western Digital My Book NAS owners worldwide are finding that their devices have been mysteriously factory reset and all of their files deleted....
Showing Microsoft's real capacity and ability in securing privacy & security :O)
"Data from 700 million LinkedIn users has been put up for sale online, making this one of the largest LinkedIn data leaks to date \ this would mean that 92% of all LinkedIn users can be found in these records"
https://restoreprivacy.com/linkedin-data-leak-700-million-users/
Scary Western Digital My Book Live Hack Reportedly Involved Two Dueling Security Exploits hothardware.com | Jun 29, 2021
Last week, hundreds if not thousands of My Book Live customers awoke to their devices being wiped and, in some cases, unrecoverable. At that time, it was simply thought that Western Digital had not patched a critical vulnerability from 2018 that allowed attackers to do this, but it seems there is more to the story....
In short...
It is speculated that the mass-device wiping that occurred "could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015." Whatever the case is, there are still 55,348 WD My Book Live devices across the internet that Censys has detected, many of which are still being compromised by malware and may be wiped soon after. Thus, Western Digital My Book Live owners need to be incredibly careful with their devices and pull them offline, as they are now caught in the destructive crossfire of hackers. Moreover, Western Digital needs to make a move before this spirals out of control entirely, if it has not already.
Some more info about the WD security exploits and a statement from WD offering a trade-in program for affected models. Either way, this event just goes to show that the My Book Live storage devices aren't as secure as anybody would like at this point. And people need to learn that backups need to be saved in more than one basket. As brother @tilleroftheearth says, multiple backups, and put them in different places.
Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices [Updated] arstechnica.com
Western Digital removed code that would have prevented the wiping of petabytes of data. But why bother if you can push out new models and say it is more secure?
Recommended Security Measures for WD My Book Live and WD My Book Live Duo westerndigital.com
Advisory Summary
Immediately disconnect your My Book Live and My Book Live Duo from the Internet to protect your data from ongoing attacks.
For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.
Microsoft Discloses Serious Security Flaws With Netgear WiFi Routers, See If You're Affected hothardware.com
As cybersecurity solutions tighten up and prevent many attacks, threat actors are looking for new and innovative ways to attack systems. This has led to a rise in attacks that start "outside and below the operating system layer," such as firmware attacks and ransomware attacks through VPN devices or other internet-facing devices, as Microsoft explains. Thus, it is critical to secure software that runs things like routers, as the Redmond-based company has now discovered....
Google, ms, apple, fb etc -as usual full speed ahead towards total tech vs privacy madness, over the years creating norms by gradual (hidden) implementation & stepwise acceptance, fully mining population's ignorance and apathy. "I've got nothing to hide", what a sad & deeply scary phrase...
-----------------
"the Google team admitted that sometimes audio was recorded by the Google Assistant on a smartphone or smart speaker even when a user had not triggered the AI by saying Ok Google"
"Google states clearly that audio recordings between users and their Google smart speakers and Google Assistant devices are recorded and stored. But the terms do not mention that its employees can listen to excerpts from these recordings "
https://www.indiatoday.in/technolog...o-some-okay-google-queries-1820975-2021-06-30
Microsoft suggests workarounds for critical, unpatched PrintNightmare exploit betanews.com
When security researchers inadvertently published technical details of a remote execution vulnerability in Windows Print Spooler thinking (wrongly) that it had been patched, there was concern about the implications.
And rightly so. Microsoft has confirmed people's worst fears, saying that the PrintNightmare security flaw is already being exploited. There is a little good news, however. The company also suggests some workarounds that can be used to protect systems until a patch is produced.
US companies hit by 'colossal' cyber-attack
About 200 US businesses have been hit by a "colossal" ransomware attack, according to a cyber-security firm.
Huntress Labs said the hack targeted Florida-based IT company Kaseya before spreading through corporate networks that use its software.
Kaseya said in a statement on its own website that it was investigating a "potential attack".
Western Digital MyCloud And MyBook Users Slammed By New Alarming 0-Day Security Flaw hothardware.com | Jul 03, 2021
Just last week, many Western Digital MyBook Live owners lamented the fact that their personal cloud was being attacked and wiped remotely. Those storage devices were older and hadn't been supported since 2015. As a result, those NAS products proved to be a lesson in not putting unsecured and unpatched devices on your network. Much more alarming appears to be another zero-day, unpatched bug, this time in WD's current lineup, and any supported device that hasn't already been updated is vulnerable.
Two security researchers, Radek Domanski and Pedro Ribeiro, published a YouTube video demonstrating a series of vulnerabilities that ultimately led to uninhibited access as root to a WD MyCloud OS 3 device. This allowed them to install a permanent backdoor, so that they could access the device again without re-exploiting those security vulnerabilities. The pair say they notified Western Digital of their discovery, but did not receive a response from the company.
Because WD seemingly has not fixed this in its older firmware, the security researchers have released their own patch that will fix the configuration within MyCloud OS 3. This shell script re-launches the httpd service at startup, and needs to be re-run each time the device is rebooted. Users running devices stuck on the older firmware may want to head over to GitHub and check it out.
Western Digital’s Woes Continue as Researchers Find Vulnerabilities In Newer Products reviewgeek.com
If you own a NAS device running Cloud OS 3, you should probably bite the bullet, upgrade to the new OS, and create an extra backup for your data just in case something bad happens. Western Digital clearly can't be trusted to take device security seriously, and hackers are likely searching for new ways to gain control over Western Digital NAS units.
tilleroftheearth:
WD, great NAS drives. Not one product that is a real NAS.
I'm literally just disposing of another 2 WD My Book Live 'nas' units and replacing them with 2 QNAP models. This client was informed of the issues involved with wannabe NAS units like the My Book Live, five years ago. They still think they've been smart and got 5 years extra life from them.
They discount the fact that I made them turn off the units over a week ago when I first found out.
$10K later, they have a real NAS along with a real backup. Some people get lucky.
Then there are a few clients that don't even return calls to be told to take their WD toys offline.
BTW when I type cmd in Win 10 I see "Command Prompt (1)". What the hell?
Doesn't Windows just constantly ooze massive confidence in security?
tilleroftheearth:
If the Data is important, it needs to be done right.
5 years ago it would cost them less than half...
All about Security, News, Events and Incidents
Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 26, 2018.