• Scammers are selling 3.2 million payment records stolen from Indian cardholders
    India now ranks third internationally in the number of stolen records for sale on the dark web, behind the U.S. and U.K. “Criminals continuously search for payment cards from specific banks that provide the highest return on investment, and largely spend money only when confident that they stand to make a profit,” researchers said in a report. Many payment breaches go unreported in India, so banks are slow to block cards from being used for fraud, said Stas Alforov, Gemini Advisory’s director of research and development. The median price of stolen Indian card data jumped from roughly $7 in 2017 to $17 last year, Gemini Advisory found. “The rising cost of Indian compromised payment cards and the demand for such cards suggests that criminals have identified multiple reliable ways of monetizing such data,” Alforov said.
  • Report Finds More than Half of Ransomware Victims Would Pay the Ransom
    Telstra’s 2019 Security Report found that the majority of respondents who had been victims of ransomware attacks paid the attackers to unlock their files. Of the 320 Australian respondents, 51 per cent said they had paid ransomware attackers to regain access to encrypted files. The Report further found that 77 per cent of Australian businesses that paid a ransom were able to retrieve their data after payment. Although this was the lowest rate of post-payment data retrieval among the 13 countries surveyed, 79 per cent of Australian respondents still said they would pay the ransom again if no backups were available. The Report also found that the number of ransomware attacks on Australian businesses was relatively higher than in other developed countries such as the United Kingdom, Germany and France. Thirty-two per cent of Australian respondents said their business had been interrupted by ransomware attacks ‘on a weekly or monthly basis’.
  • Millions of records about Middle Eastern drivers left in an insecure database
    Written by Jeff Stone Apr 18, 2019 | CYBERSCOOP Records containing sensitive information on perhaps millions of Iranian drivers were left unsecured in a publicly available database for days, according to security research published Thursday. More than 6.7 million records from 2017 and 2018 were estimated to be exposed in a database discovered by researcher Bob Diachenko. The information included drivers’ first and last names, their Iranian ID numbers stored in plain text, their phone numbers, and other data such as invoice information. Diachenko says he was able to contact some of the drivers included in the database, and that he has notified Iran’s Computer Emergency Response Team about the exposure. Researchers have previously found numerous exposed MongoDB databases, which allow users to store vast quantities of information in a single place. Diachenko previously found personal data belonging to 202 million Chinese job seekers and, later, 24 million financial records.
  • Hacking Team’s New Owner: ‘We’re Starting From Scratch’
    At the beginning of April, Swiss-Italian company InTheCyber announced that it had acquired a majority stake in Hacking Team, and that it was merging the two companies into a new one called Memento Labs. Lezzi, who has worked in the cybersecurity industry for years, was adamant that Memento Labs needs to “get the company back on its feet.” That means revamping the product and rewriting the code almost from the ground up. David Vincenzetti, one of the founders of Hacking Team, is out, according to Lezzi. Vincenzetti’s role, as of now, is that of informal advisor to Lezzi, who was quick to point out that Vincenzetti has no formal role in the new company. When asked about the Saudi investors, who own 20 percent of the company, Lezzi was less forthcoming, saying he has never met them. Lezzi said that, for now, the new company will keep Hacking Team’s customers.
  • Shopify API flaw offered access to revenue data of thousands of stores
    A researcher discovered a security flaw in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores. The API was meant to be used internally to fetch sales data for graph presentations, but it was found to be leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform. The researcher set up a new store and used $storeName on the same API endpoint to test whether the system was vulnerable to an Insecure Direct Object Reference (IDOR) bug. A further test of these records with a Bash script produced a list of vulnerable stores that were leaking the "sales data of Shopify merchants that includes a monthly breakdown of revenue in USD of thousands of stores from 2015 until today." "We have a list of vulnerable stores, so if we query any of them, we would get a breakdown of monthly revenue data in USD of the current store during its lifetime," the researcher added.
  • Cyberwar against NATO: Who are Earworm and APT28?
    This practice has allowed the group to steal confidential, sensitive data from several of the most important institutions and governments in the world. Evidence suggests that the members of Earworm, also known as Zebrocy, are linked to APT28 (also known as Fancy Bear), a cybercriminal group that has been stealing government intelligence for years, especially from countries it considers enemies. The UK’s National Cyber Security Centre has also accused Earworm and Russian intelligence of carrying out attacks on several countries’ institutional cybersecurity. This software was installed on the computer and was able to automatically download other malware tools. Wherever possible, an institution’s most sensitive and confidential information should be stored in systems with no Internet connection.
  • DLL Cryptomix Ransomware Variant Installed Via Remote Desktop
    In this variant, the ransom note is still named _HELP_INSTRUCTIONS_.TXT, but it now lists the dllteam@protonmail.com, dllteam1@protonmail.com, dllpc@mail.com, dllpc@tuta.io, laremohan@tuta.io, claremohan@yandex.com, and mohanclare@yandex.com email addresses for a victim to contact for payment information. With this version, when the ransomware encrypts a file it modifies the filename and then appends the .DLL extension to the encrypted file's name. To protect yourself from ransomware, it is important to use good computing habits and security software. The most important step is to always have a reliable and tested backup of your data that can be restored in an emergency, such as a ransomware attack. You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet.
  • Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks
    Broadcom WiFi chipset drivers have been found to contain vulnerabilities affecting multiple operating systems that allow potential attackers to remotely execute arbitrary code and to trigger denial-of-service conditions, according to a DHS/CISA alert and a CERT/CC vulnerability note. Quarkslab intern Hugues Anguelkov reported five vulnerabilities he found in the "Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets" while reverse engineering and fuzzing Broadcom WiFi chip firmware. As he discovered, "The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow." The Common Weakness Enumeration database describes heap buffer overflows in the CWE-122 entry, stating that they can lead to system crashes or the affected software entering an infinite loop, while also allowing attackers "to execute arbitrary code, which is usually outside the scope of a program's implicit security policy" and to bypass security services.
  • Network DoS Attack on PLCs Can Disrupt Physical Processes
    A team of researchers has demonstrated an interesting type of denial-of-service (DoS) attack on programmable logic controllers (PLCs), where network flooding can lead to the disruption of the physical process controlled by the device. The researchers have demonstrated that specially crafted network traffic aimed at a PLC can influence this timing, which can cause disruptions to the real-world physical process controlled by the PLC. Other researchers previously theorized that network traffic can influence the processes controlled by industrial control systems (ICS) and the experiments conducted by the Hochschule Augsburg and Freie Universität Berlin experts on 16 devices from six vendors have demonstrated it to work in practice. An attack can be launched either from the internet (if the targeted device is exposed to the internet) or from a compromised device on the same network as the targeted PLC (including another PLC). The experts pointed out that the attacker does not need to have specific knowledge of the actual process controlled by the PLC or the program running on it.
  • Chipotle customers are saying their accounts have been hacked
    A stream of Chipotle customers have said their accounts have been hacked and are reporting fraudulent orders charged to their credit cards — sometimes totaling hundreds of dollars. Many of the customers TechCrunch spoke to in the past two days said they had reused their Chipotle account password on other sites. Another customer said they did not have an account at all but had ordered through Chipotle’s guest checkout option. When asked about this, Chipotle spokesperson Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing. DoorDash also blamed the account hacks on credential stuffing, but could not explain how some accounts were breached even when users told TechCrunch that they had used a unique password on the site.