Category: security

“Dark web report started rolling out in March 2023 to members across all Google One plans in the United States, providing a simple way to get notified when their personal information was discovered on the dark web. “Google One’s dark web report helps you scan the dark web for your personal info — like your name, address, email, phone number and Social Security number — and will notify you if it’s found,” said Google One Director of Product Management Esteban Kozak in March when the feature was first announced. The company says all the personal info added to the profile can be deleted from the monitoring profile or by removing the profile in the dark web report settings.

The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, which involve miscreants injecting malicious code into webpages. The code is then “reflected” back and executed within the browser of a visitor. Essentially, it allows someone to run JavaScript within another person’s view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That’s a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.

“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack wrote in its report. The outfit added that “this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin.”

“The new generation of botnets uses a fraction of the amount of devices, but each device is substantially stronger,” explains Cloudflare in the report. “Cloud computing providers offer virtual private servers to allow start ups and businesses to create performant applications. The downside is that it also allows attackers to create high-performance botnets that can be as much as 5,000x stronger.” Cloudflare has been working with key cloud computing providers and partners to crack down on these emerging VPS-based threats and says it has succeeded in taking down substantial portions of these novel botnets.

“In most cars on the road today, these internal messages aren’t protected: the receivers simply trust them,” [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor’s RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota — which among other things allows you to inspect the data logs of your vehicle — helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, “Ian’s car dropped a lot of DTCs.” Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn’t failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.

In an update on Monday about the incident sent to the Regulatory News Service, the company confirmed it “experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications.” The nature of the incident has not been disclosed. While financially motivated ransomware attacks remain a prevalent threat for organizations in Britain, Capita also provides services to the British government that may be of interest to state-sponsored espionage groups.

Capita’s numerous contracts include several with the Ministry of Defence. Last year, a consortium it leads took control over engineering and maintenance support of training simulators for the Royal Navy’s nuclear-powered ballistic missile submarines used as part of the U.K.’s nuclear deterrent. In its statement, Capita said: “Immediate steps were taken to successfully isolate and contain the issue,” which was “limited to parts of the Capita network.”

Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet. The company’s work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence organization.

One document links a Vulkan cyber-attack tool with the notorious hacking group Sandworm, which the US government said twice caused blackouts in Ukraine, disrupted the Olympics in South Korea and launched NotPetya, the most economically destructive malware in history. Codenamed Scan-V, it scours the internet for vulnerabilities, which are then stored for use in future cyber-attacks. Another system, known as Amezit, amounts to a blueprint for surveilling and controlling the internet in regions under Russia’s command, and also enables disinformation via fake social media profiles. A third Vulkan-built system — Crystal-2V — is a training program for cyber-operatives in the methods required to bring down rail, air and sea infrastructure. A file explaining the software states: “The level of secrecy of processed and stored information in the product is ‘Top Secret’.”

“Is there any firewall or router or some other device that can adequately protect an old and no longer supported computer?”

I have at least two of those that come to mind, and I might use them more often if there was a safe way to connect them to the Internet.

The specifics probably matter, though that’s like opening a can of worms, but… One is a little old machine running an old and no longer supported version of Linux. Another is a Windows XP box that’s too customized at a low level to run Linux.

But the big concern involves a couple of old boxes that are only alive now because Windows 10 saved them from the end-of-service of Windows 7. Right now it looks like they might outlive Windows 10, too, but two of them are not suitable for Windows 11. Plus my spouse has an old Windows 8 box now running under 10…

What happens when you combine missed security updates with internet connectivity? Share your best thoughts in the comments.

Can you use an unsafe computer safely?

The intrusion took place on the morning of Feb. 23, the same day the company reported its fourth-quarter earnings. “This morning, we experienced an internal outage that’s continuing to affect our internal servers and IT telephony,” Dish CEO W. Erik Carlson said at that time. “We’re analyzing the root causes and any consequences of the outage, while we work to restore the affected systems as quickly as possible.” According to Bleeping Computer, the Black Basta ransomware gang is behind the attack, first breaching Boost Mobile and then the Dish corporate network.

LastPass worked with incident response experts at Mandiant to perform forensics and found that a DevOps engineer’s home computer was targeted to get around security mitigations. The attackers exploited a remote code execution vulnerability in a third-party media software package and planted keylogger malware on the employee’s personal computer. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” the company said. “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” LastPass confirmed. LastPass originally disclosed the breach in August 2022 and warned that “some source code and technical information were stolen.”

SecurityWeek adds: “In January 2023, the company said the breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

CHS hasn’t said what types of data were exposed and a spokesperson has not yet responded to TechCrunch’s questions. This is CHS’ second-known breach of patient data in recent years. The Russia-linked ransomware gang Clop has reportedly taken responsibility for exploiting the new zero-day in a new hacking campaign and claims to have already breached over a hundred organizations that use Fortra’s file-transfer technology — including CHS. While CHS has been quick to come forward as a victim, Clop’s claim suggests there could be dozens more affected organizations out there — and if you’re one of the thousands of GoAnywhere users, your company could be among them. Thankfully, security experts have shared a bunch of information about the zero-day and what you can do to protect against it. Security researcher Brian Krebs first flagged the zero-day vulnerability in Fortra’s GoAnywhere software on February 2.

“A zero-day remote code injection exploit was identified in GoAnywhere MFT,” Fortra said in its hidden advisory. “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”