Chinese network behind one of world’s ‘largest online scams’
https://www.theguardian.com/money/article/2024/may/08/chinese-network-behind-one-of-worlds-largest-online-scams

Exclusive: Vast web of fake shops touting designer brands took money and personal details from 800,000 people in Europe and US, data suggests
Carmen Aguilar García, Sarah Marsh and Philip McMahon
Wed 8 May 2024 06.00 CEST
Last modified on Wed 8 May 2024 08.09 CEST

More than 800,000 people in Europe and the US appear to have been duped into sharing card details and other sensitive personal data with a vast network of fake online designer shops apparently operated from China.

An international investigation by the Guardian, Die Zeit and Le Monde gives a rare inside look at the mechanics of what the UK’s Chartered Trading Standards Institute has described as one of the largest scams of its kind, with 76,000 fake websites created.

A trove of data examined by reporters and IT experts indicates the operation is highly organised, technically savvy – and ongoing.

https://www.ft.com/content/b21c9eba-54c4-46c6-bd99-e9554c4660d9

University System of Georgia says Social Security numbers and bank account numbers were compromised in the May 2023 MOVEit hack.

University System of Georgia is notifying 800,000 individuals that their personal and financial information was compromised in the May 2023 MOVEit hack.

The data breach occurred after the Russia-linked Cl0p ransomware group exploited a vulnerability in Progress Software’s MOVEit Transfer managed file transfer (MFT) software and stole data from organizations using it.

To date, more than 2,000 organizations have disclosed impact from the MOVEit hack, including roughly 900 schools in the United States. Over 60 million individuals are believed to have been affected.

University System of Georgia (USG), which was using MOVEit to “transfer and store sensitive data”, is the latest education entity to disclose impact from the attack.

Although the data breach report has been listed on the Maine AGO’s website only this week, USG started sending the notification letters in mid-April, when it also posted an incident notice on its website.

Tieturvayritys Leviathan Security kertoo, että DHCP-protokollaan sisäänrakennettuja ominaisuuksia hyödyntäen voi hyökkääjä pakottaa dataliikenteen pois suojatusta VPN-tunnelista. Yhtiön mukaan aukko on ollut olemassa jo vuodesta 2002 lähtien.

VPN eli virtuaalinen privaattiverkko toimii luomalla salatun ja turvatun yhteyden käyttäjän laitteen ja VPN-palvelimen välille. Tämä tapahtuu käyttäen VPN-protokollia, kuten IPSec, SSL/TLS tai OpenVPN. Kun käyttäjä muodostaa yhteyden VPN-palvelimeen, kaikki käyttäjän tietoliikenne kulkee salattuna VPN-tunnelissa, joka suojaa sitä ulkopuolisilta silmiltä.

Leviathan Securityn mukaan heidän äskettäin tunnistamansa verkkotekniikka ohittaa VPN-kapseloinnin. Hyökkääjä voi käyttää tätä tekniikkaa pakottaakseen kohdekäyttäjän liikenteen pois VPN-tunnelistaan ​​käyttämällä DHCP:n (Dynamic Host Configuration Protocol) sisäänrakennettuja ominaisuuksia. Tämän seurauksena käyttäjä lähettää paketteja, joita VPN ei koskaan salaa, ja hyökkääjä voi tiedustella tätä liikennettä.

Yhtiö arvioi, että tekniikka on voinut olla mahdollinen jo vuonna 2002, ja se on voitu jo havaita ja mahdollisesti sitä on käytetty hyökkäyksissä. Linux-pohjaisissa käyttöjärjestelmissä ongelmaa on yritetty korjata. Tutkijat muistuttavat, että ongelmaa ei voida korjata yksinkertaisesti poistamalla tuki DHCP-ominaisuudesta, koska tämä voi katkaista Internet-yhteyden myös laillisissa tapauksissa.

Leviathan kertoo blogissaan tarkempia tietoja haavoittuvuudesta, jolle on annettu nimeksi TunnelVision (CVE-haavoittuvuutunnus on 2024-3661).

TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
https://www.leviathansecurity.com/blog/tunnelvision

Recently, we identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). The result of this is the user transmits packets that are never encrypted by a VPN, and an attacker can snoop their traffic. We are using the term decloaking to refer to this effect. Importantly, the VPN control channel is maintained so features such as kill switches are never tripped, and users continue to show as connected to a VPN in all the cases we’ve observed.

We’ve spent extensive time exploring this capability and attempting to notify as many affected parties as possible. We also know it is our responsibility as security researchers to inform the security and privacy community, as well as the general public, about this threat. We also believe this technique may have been possible as far back as 2002 and could have already been discovered* and potentially used in the wild. For that reason, we believe it is critical for us to disclose publicly because notifying every VPN provider, operating system maintainer, self-hosted VPN admin, and VPN user is far beyond the capacity of our small research team.

UniSuper private cloud outage caused by Google Cloud issues
https://www.datacenterdynamics.com/en/news/unisuper-private-cloud-outage-caused-by-google-cloud-issues/
Google problems resulting in an inadvertent misconfiguration of UniSuper’s systems

Biden signs bill to protect children from online sexual abuse and exploitation
https://techcrunch.com/2024/05/07/biden-signs-bill-to-protect-children-from-online-sexual-abuse-and-exploitation/

As cyber threats grow more sophisticated, America cannot afford complacency. The time for decisive action and enhanced cyber resilience is now.

https://www.securityweek.com/from-warnings-to-action-preparing-americas-infrastructure-for-imminent-cyber-threats/

The UK Ministry of Defense said a breach at a third-party payroll system exposed as many as 272,000 armed forces personnel and veterans.

https://www.securityweek.com/the-uk-says-a-huge-payroll-data-breach-by-a-malign-actor-has-exposed-details-of-military-personnel/

The names and bank details of thousands of serving British soldiers, sailors and air force members have been exposed in a data breach by a “malign actor” who may have had state help, defense officials said Tuesday.

The Ministry of Defense said the breach occurred at a third-party payroll system holding bank details of as many as 272,000 serving armed forces personnel and recent veterans. In a few cases, addresses may also have been exposed.

Defense Secretary Grant Shapps said officials had “immediately taken the system offline” and launched an investigation into the breach and possible failings by the contractor, SSCL, which describes itself as “the largest provider of critical business support services for government.”

“We cannot rule out state involvement,” Shapps told lawmakers in the House of Commons, though he said the government did not yet have evidence to make that conclusion.

MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.

https://www.securityweek.com/mitre-hack-china-linked-group-breached-systems-in-december-2023/