Category: security

While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn’t be classified as a vulnerability given that attackers with write access to a target’s device can also obtain the information contained within the KeePass database through other means. In fact, a “Security Issues” page on the KeePass Help Center has been describing the “Write Access to Configuration File” issue since at least April 2019 as “not really a security vulnerability of KeePass.” If the user has installed KeePass as a regular program and the attackers have write access, they can also “perform various kinds of attacks.” Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain. “These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.” If the KeePass devs don’t release a version of the app that addresses this issue, BleepingComputer notes “you could still secure your database by logging in as a system admin and creating an enforced configuration file.”

“This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue.”

News of the takedown first leaked on Thursday morning when Hive’s website was replaced with a flashing message that said: “The Federal Bureau of Investigation seized this site as part of coordinated law enforcement action taken against Hive Ransomware.” Hive’s servers were also seized by the German Federal Criminal Police and the Dutch National High Tech Crime Unit. The undercover infiltration, which started in July 2022, went undetected by the gang until now.

The Justice Department said that over the years, Hive has targeted more than 1,500 victims in 80 different countries, and has collected more than $100 million in ransomware payments. Although there were no arrests announced on Wednesday, Garland said the investigation was ongoing and one department official told reporters to “stay tuned.”

“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the breach notification reads. “At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”

After detecting the attack, DraftKings reset the affected accounts’ passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims’ linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts.
“After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working,” adds the report.

“The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests.”

The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles. After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation. They found that validation of the owner is done based on the user’s email address, which was included in the JSON body of POST requests. Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target’s email address with an additional control character at the end. Finally, they sent an HTTP request to Hyundai’s endpoint containing the spoofed address in the JSON token and the victim’s address in the JSON body, bypassing the validity check. To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked. The multi-step attack was eventually baked into a custom Python script, which only needed the target’s email address for the attack.

Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota, use SiriusXM technology to implement remote vehicle management features. They inspected the network traffic from Nissan’s app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target’s vehicle identification number (VIN). The response to the unauthorized request contained the target’s name, phone number, address, and vehicle details. Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily access it. These identification numbers are also available on specialized car selling websites, for potential buyers to check the vehicle’s history. In addition to information disclosure, the requests can also carry commands to execute actions on the cars. […] Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.

Mr Schonbohm had come under scrutiny after his potential links to a Russian company through a previous role were highlighted by Jan Bohmermann, the host of one of Germany’s most popular late-night TV shows. Before leading the BSI, Mr Schonbohm had helped set up and run the Cyber Security Council Germany, a private association which advises business and policymakers on cybersecurity issues. He is said to have maintained close ties to the association and attended their 10th anniversary celebrations in September. One of the association’s members was a cybersecurity company called Protelion, which was a subsidiary of a Russian firm reportedly established by a former member of the KGB honored by President Vladimir Putin. Protelion was ejected from the association last weekend, and Cyber Security Council Germany says the allegations of links to Russian intelligence are untrue.

SMS Protect is a security feature that has two purposes: to keep players accountable for what Blizzard calls “disruptive behavior,” and to protect accounts if they’re hacked. It requires all Overwatch 2 players to attach a unique phone number to their account. Blizzard said SMS Protect will target cheaters and harassers; if an account is banned, it’ll be harder for them to return to Overwatch 2. You can’t just enter any old phone number — you actually have to have access to a phone receiving texts to that number to get into your account.

Overwatch 2 lead software engineer Bill Warnecke told Forbes that, even if accounts are no longer tied to Overwatch’s box price — because the game is now free-to-play — Blizzard still wants players to make an “investment” in upholding a safe game. “The key idea behind SMS Protect is to have an investment on behalf of the owner of that account and add some limitations or restrictions behind how you might have an account,” Warnecke said. “There’s no exclusions or kind of loopholes around the system.” The report notes that Blizzard has refunded one player after they contacted customer support and said they didn’t have a mobile phone, but it’s unclear if this policy will apply more broadly.

The group said it was not publishing a full detailed technical report of its findings to avoid putting CIA assets or employees at risk. But its limited findings raise serious doubts about the intelligence agency’s handling of safety measures. Using just a single website and publicly available material, Citizen Lab said it identified a network of 885 websites that it attributed “with high confidence” as having been used by the CIA. It found that the websites purported to be concerned with news, weather, healthcare and other legitimate websites. “Knowing only one website, it is likely that while the websites were online, a motivated amateur sleuth could have mapped out the CIA network and attributed it to the US government,” Citizen Lab said in a statement.

The websites were active between 2004 and 2013 and were probably not used by the CIA recently, but Citizen Lab said a subset of the websites were sill linked to active intelligence employees or assets, including a foreign contractor and a current state department employee. Citizen Lab added: “The reckless construction of this infrastructure by the CIA reportedly led directly to the identification and execution of assets, and undoubtedly risked the lives of countless other individuals. Our hope is that this research and our limited disclosure process will lead to accountability for this reckless behavior.” CIA spokesperson Tammy Kupperman Thorp said: “CIA takes its obligations to protect the people who work with us extremely seriously and we know that many of them do so bravely, at great personal risk. The notion that CIA would not work as hard as possible to safeguard them is false.”

In response to DataBreaches, the user who posted the database — Data — explained that initial access was gained via a vulnerability in Safety Center. The server was first accessed in 2019, and the database was obtained on 2020-03-14. Data also suggested that Ask.FM knew about the breach as early as back in 2020. While the breach has not been confirmed, the seller called “Data” says he will “vouch all day and night for” listed user data from Ask.FM (ASKfm), the social networking site. “I’m selling the users database of Ask.fm and ask.com,” Data wrote. “For connoisseurs, you can also get 607 repositories plus their Gitlab, Jira, Confluence databases.”

China’s National Computer Virus Emergency Response Center (CVERC) recently published a report attributing the hack to the Tailored Access Operations group (TAO) — an elite team of NSA hackers which first became publicly known via the Snowden Leaks back in 2013, helps the U.S. government break into networks all over the world for the purposes of intelligence gathering and data collection. [CVERC identified 41 TAO tools involved in the case.] One such tool, dubbed ‘Suctionchar,’ is said to have helped infiltrate the school’s network by stealing account credentials from remote management and file transfer applications to hijack logins on targeted servers. The report also mentions the exploitation of Bvp47, a backdoor in Linux that has been used in previous hacking missions by the Equation Group — another elite NSA hacking team. According to CVERC, traces of Suctionchar have been found in many other Chinese networks besides Northwestern’s, and the agency has accused the NSA of launching more than 10,000 cyberattacks on China over the past several years.

On Sunday, the allegations against the NSA were escalated to a diplomatic complaint. Yang Tao, the director-general of American affairs at China’s Ministry of Foreign Affairs, published a statement affirming the CVERC report and claiming that the NSA had “seriously violated the technical secrets of relevant Chinese institutions and seriously endangered the security of China’s critical infrastructure, institutions and personal information, and must be stopped immediately.”

Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it’s calling “0ktapus,” a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider. Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB’s findings, with more than half containing captured multi-factor authentication codes used to access a company’s network.