This posting is here to collect cyber security news in June 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in June 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
341 Comments
Tomi Engdahl says:
Jättimäinen huijausaalto pyyhkii Suomea Varo tekstiviestejä!
https://www.iltalehti.fi/tietoturva/a/ffdd91fc-4435-4ce8-ab6a-6a47d69bc1d4
Nyt Kyberturvallisuuskeskus varoittaa uusista huijausviesteistä, jotka liittyvät todennäköisesti samaan haittaohjelmaan. Kotimaisista numeroista lähtee nyt tekstiviestitse linkkejä, jotka voivat liittyä liikkeellä olevaan Android-haittaohjelmaan, Kyberturvallisuuskeskus tiedottaa Twitter-tilillään. Lisäksi:
https://twitter.com/CERTFI/status/1402586666217480192
Tomi Engdahl says:
Hackers breach gaming giant Electronic Arts, steal game source code https://www.bleepingcomputer.com/news/security/hackers-breach-gaming-giant-electronic-arts-steal-game-source-code/
Hackers have breached the network of gaming giant Electronic Arts (EA) and claim to have stolen roughly 750 GB of data, including game source code and debug tools. EA confirmed the data breach in a statement sent to BleepingComputer saying that this “was not a ransomware attack, that a limited amount of code and related tools were stolen, and we do not expect any impact to our games or our business.”. Lisäksi:
https://arstechnica.com/gadgets/2021/06/data-thieving-hackers-strike-again-stealing-ea-source-code-and-police-data/
Tomi Engdahl says:
Hackers can exploit bugs in Samsung pre-installed apps to spy on users https://www.bleepingcomputer.com/news/security/hackers-can-exploit-bugs-in-samsung-pre-installed-apps-to-spy-on-users/
Samsung is working on patching multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of the system. The bugs are part of a larger set discovered and reported responsibly by one security researcher through the company’s bug bounty program.
Tomi Engdahl says:
Ransomware: Meat firm JBS says it paid out $11m after attack https://www.zdnet.com/article/ransomware-meat-firm-jbs-says-it-paid-out-11m-after-attack
Global meatpacker JBS USA has paid $11 million in Bitcoin to cyberattackers that encrypted its files and disrupted operations in the US and Australia with ransomware, the company has said. JBS USA chief Andre Nogueira confirmed the company had made the payment to the attackers.
Tomi Engdahl says:
Emerging Ransomware Targets Dozens of Businesses Worldwide https://thehackernews.com/2021/06/emerging-ransomware-targets-dozens-of.html
An emerging ransomware strain in the threat landscape claims to have breached 30 organizations in just four months since it went operational, riding on the coattails of a notorious ransomware syndicate. First observed in February 2021, “Prometheus” is an offshoot of another well-known ransomware variant called Thanos, which was previously deployed against state-run organizations in the Middle East and North Africa last year.
Tomi Engdahl says:
Steam Gaming Platform Delivering Malware https://threatpost.com/steam-gaming-delivering-malware/166784/
Emerging malware is lurking in Steam profile images. Look out for SteamHide, an emerging loader malware that disguises itself inside profile images on the gaming platform Steam, which researchers think is being developed for a wide-scale campaign.
Tomi Engdahl says:
Researchers create an ‘un-hackable’ quantum network over hundreds of kilometers using optical fiber https://www.zdnet.com/article/researchers-created-an-un-hackable-quantum-network-over-hundreds-of-kilometers-using-optical-fiber/
Researchers from Toshiba have successfully sent quantum information over 600-kilometer-long optical fibers, creating a new distance record and paving the way for large-scale quantum networks that could be used to exchange information securely between cities and even countries.
Tomi Engdahl says:
Avaddon ransomware shuts down and releases decryption keys https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/
The Avaddon ransomware gang has shut down operation and released the decryption keys for their victims to BleepingComputer.com. This morning, BleepingComputer received an anonymous tip pretending to be from the FBI that contained a password and a link to a password-protected ZIP file. This file claimed to be the “Decryption Keys Ransomware Avaddon,” and contained the three files shown below…. Also:
https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/
Tomi Engdahl says:
7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access https://thehackernews.com/2021/06/7-year-old-polkit-flaw-lets.html
A seven-year-old privilege escalation vulnerability discovered in the polkit system service could be exploited by a malicious unprivileged local attacker to bypass authorization and escalate permissions to the root user. Tracked as CVE-2021-3560 (CVSS score: 7.8), the flaw affects polkit versions between 0.113 and 0.118 and was discovered by GitHub security researcher Kevin Backhouse, who said the issue was introduced in a code commit made on Nov. 9, 2013.
Tomi Engdahl says:
Foodservice supplier Edward Don hit by a ransomware attack https://www.bleepingcomputer.com/news/security/foodservice-supplier-edward-don-hit-by-a-ransomware-attack/
Foodservice supplier Edward Don has suffered a ransomware attack that has caused the company to shut down portions of the network to prevent the attack’s spread. Edward Don and Company is one of the largest distributors of foodservice equipment and supplies, such as kitchen supplies, bar supplies, flatware, and dinnerware. Today, BleepingComputer has learned that Edward Don suffered a ransomware attack earlier this week that has disrupted their business operations, including their phone systems, network, and email.
Tomi Engdahl says:
Ransom DDoS Extortion Actor Fancy Lazarus Returns https://www.proofpoint.com/us/blog/threat-insight/ransom-ddos-extortion-actor-fancy-lazarus-returns
As of May 12, 2021, Proofpoint researchers are tracking renewed distributed denial of service (DDoS) extortion activity targeting an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities, and retail by the threat actor Fancy Lazarus.. Proofpoint researchers have observed the activity primarily at U.S. companies or those with a global footprint.
The actor took over a month-long break from April to May 2021 before returning with new campaigns that include some changes to the groups tactics, techniques, and procedures.
Tomi Engdahl says:
REvil Hits US Nuclear Weapons Contractor: Report https://threatpost.com/revil-hits-us-nuclear-weapons-contractor-sol-oriens/166858/
Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), last month was hit by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service
(RaaS) gang. The Albuquerque, N.M. companys website has been unreachable since at least June 3, but Sol Oriens officials confirmed to Fox News and to CNBC that the firm became aware of the breach sometime last month.
Tomi Engdahl says:
Google fixes actively exploited Chrome zeroday https://www.welivesecurity.com/2021/06/10/google-fixes-actively-exploited-chrome-zero-day/
Google has rolled out an update for its Chrome web browser to fix a bunch of security flaws, including a zero-day vulnerability that is known to be actively exploited by threat actors. The bugs affect the Windows, macOS, and Linux versions of the browser. Google is aware that an exploit for CVE-2021-30551 exists in the wild, reads Googles security update describing the newly disclosed zero-day vulnerability that stems from a type confusion bug in the V8 JavaScript engine that is used in Chrome and other Chromium-based web browsers.. Digitoday:
https://www.is.fi/digitoday/tietoturva/art-2000008047674.html
Tomi Engdahl says:
Network security firm COO charged with medical center cyberattack https://www.bleepingcomputer.com/news/security/network-security-firm-coo-charged-with-medical-center-cyberattack/
The former chief operating officer of Securolytics, a network security company providing services for the health care industry, was charged with allegedly conducting a cyberattack on Georgia-based Gwinnett Medical Center (GMC). 45-year-old Vikas Singla supposedly disrupted the health provider’s Ascom phone service and network printer service and obtained information from a Hologic R2 Digitizer digitizing device in September 2018.
Tomi Engdahl says:
Pankkitilit vaarassa poliisi varoittaa kahdesta huijauksesta: Kerro ilmiöstä läheisillesi https://www.is.fi/digitoday/tietoturva/art-2000008046670.html
Suomessa on meneillään tekstiviesteihin perustuva huijauskampanja sekä pankkitunnusten kalastelua. Huijaussivuille saattaa päätyä jopa hakukoneen kautta. POLIISI varoittaa kahdesta käynnissä olevasta huijauskampanjasta. Ensimmäinen niistä on Flubot-haittaohjelmakampanja, joka leviää Android-puhelimiin tekstiviestein. Seuraa lähetystäsi -tyyppisessä tekstiviestissä on verkkolinkki, jonka toisessa päässä oleva verkkosivu yrittää istuttaa puhelimeen haittaohjelman..
https://poliisi.fi/-/poliisi-varoittaa-kahdesta-suomessa-aktiivisesta-huijauksesta
Tomi Engdahl says:
CD Project Red does an about-face, says ransomware crooks are leaking data https://arstechnica.com/gadgets/2021/06/cd-projekt-red-says-its-data-is-likely-circulating-online-after-ransom-attack/
CD Projekt Red, the maker of The Witcher series, Cyberpunk 2077, and other popular games, said on Friday that proprietary data taken in a ransomware attack disclosed four months ago is likely circulating online. Today, we have learned new information regarding the breach and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the Internet, company officials said in a statement.
Tomi Engdahl says:
Big airline heist
https://blog.group-ib.com/colunmtk_apt41
APT41 likely behind massive supply chain attack. On March 4, 2021, SITA, an international provider of IT services for the air transport industry worldwide, said it had suffered a security incident. The announcement, however, was not getting the attention it deserved until Air India, one of SITA’s customers, reported a massive passenger data breach on May 21 caused by an earlier attack against SITA. Between March and May, various airline companies, including Singapore Airlines, Malaysia Airlines, and others, disclosed data breaches. All of those companies were SITA customers. After Air India revealed the details of its security breach, it became clear that the carriers were most likely dealing with one of the biggest supply chain attacks in the airline industry’s history.
Tomi Engdahl says:
Hackers Stole a Ton of EA DataIncluding Valuable Source Code https://www.wired.com/story/ea-hack-fifa-frostbite-source-code/
TODAY, ELECTRONIC ARTS confirmed that hackers stole a massive amount of data from the video game publisher. A dark web forum poster claimed to have obtained 780 gigabytes of data in the attack, including the source code for FIFA 21 and EAs Frostbite game engine, used by FIFA, Madden, Battlefield, Star Wars: Squadrons and Anthem. We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen, an EA representative said in a statement.
Tomi Engdahl says:
Authorities Seized The Largest Stolen Login Marketplace On The Dark Web https://www.forbes.com/sites/leemathews/2021/06/11/authorities-seized-the-largest-stolen-login-marketplace-on-the-dark-web/
The Department of Justice announced this week that Slilpp, an infamous Dark Web marketplace where stolen credentials and identities are bought and sold, had been seized. In its press release, the DoJ revealed that Slilpp listings offered more than 80 million user credentials. That user data was harvested from around 1,400 service providers that had been victimized by hackers..
https://www.justice.gov/opa/pr/slilpp-marketplace-disrupted-international-cyber-operation
Tomi Engdahl says:
Audi, Volkswagen data breach affects 3.3 million customers https://www.bleepingcomputer.com/news/security/audi-volkswagen-data-breach-affects-33-million-customers/
Audi and Volkswagen have suffered a data breach affecting 3.3 million customers after a vendor exposed unsecured data on the Internet.
Volkswagen Group of America, Inc. (VWGoA) is the North American subsidiary of the German Volkswagen Group. It is responsible for US and Canadian operations for Volkswagen, Audi, Bentley, Bugatti, Lamborghini, and VW Credit, Inc.. According to data breach notifications filed with the California and Maine Attorney General’s office, VWGoA disclosed that a vendor left unsecured data exposed on the Internet between August 2019 and May 2021.. Also:
https://therecord.media/volkswagen-discloses-data-breach-impacting-3-3-million-audi-drivers/
Tomi Engdahl says:
Intuit notifies customers of hacked TurboTax accounts https://www.bleepingcomputer.com/news/security/intuit-notifies-customers-of-hacked-turbotax-accounts/
Financial software company Intuit has notified TurboTax customers that some of their personal and financial information was accessed by attackers following what looks like a series of account takeover attacks. In a breach notification letter sent to affected customers earlier this month, the company said that this was not a “systemic data breach of Intuit.” In account takeover attacks, cybercriminals gain access to their victims’ accounts using credentials stolen from other online services following past data breaches.
Tomi Engdahl says:
Interpol shuts down thousands of fake online pharmacies https://www.bleepingcomputer.com/news/security/interpol-shuts-down-thousands-of-fake-online-pharmacies/
The Interpol (International Criminal Police Organisation) has taken down thousands of online marketplaces that posed as pharmacies and pushed dangerous fake and illicit drugs and medicine. This record number of illicit online pharmacies was shut down during Operation Pangea XIV, which targeted online sellers of counterfeit and illegal pharmaceuticals and medical devices.
Tomi Engdahl says:
Volkswagen America Discloses Data Breach Impacting 3.3 Million
https://www.securityweek.com/volkswagen-america-discloses-data-breach-impacting-33-million
Tomi Engdahl says:
Wray: FBI Frowns on Ransomware Payments Despite Recent Trend
https://www.securityweek.com/wray-fbi-frowns-ransomware-payments-despite-recent-trend
The FBI’s director told lawmakers Thursday that the bureau discourages ransomware payments to hacking groups even as major companies in the past month have participated in multimillion-dollar transactions aimed at getting their systems back online.
“It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons,” Christopher Wray testified under questioning from members of the House Judiciary Committee.
Besides the fact that such payments can encourage additional cyberattacks, victims may not automatically get back their data despite forking over millions, “and that’s not unknown to happen,” Wray said.
Tomi Engdahl says:
McDonald’s Says Hackers Breached Data in Taiwan, South Korea
https://www.securityweek.com/mcdonalds-says-hackers-breached-data-taiwan-south-korea
Tomi Engdahl says:
RSA Spins Out Fraud and Risk Intelligence Unit as Standalone Company Outseer
https://www.securityweek.com/rsa-spins-out-fraud-and-risk-intelligence-unit-standalone-company-outseer
Tomi Engdahl says:
GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability
https://www.securityweek.com/github-discloses-details-easy-exploit-linux-vulnerability
GitHub this week disclosed the details of an easy-to-exploit Linux vulnerability that can be leveraged to escalate privileges to root on the targeted system.
The flaw, classified as high severity and tracked as CVE-2021-3560, impacts polkit, an authorization service that is present by default in many Linux distributions.
The security hole was discovered by Kevin Backhouse of the GitHub Security Lab. On Thursday, the researcher published a blog post detailing his findings, as well as a video showing the exploit in action.
Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug
https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
Linux local privilege escalation using authentication bypass vulnerability in polkit CVE-2021-3560
https://www.youtube.com/watch?v=QZhz64yEd0g
Tomi Engdahl says:
“More than 50 hackers from nine different countries participated in the 10-day virtual event to identify vulnerabilities across some of Amazon’s core assets. ”
Best statement I heard yet,
”
..according to HackerOne’s Tucker. “The shared experiences of a live hacking event always creates new and deeper relationships, and the Amazon security team was able to collaborate with both top hackers on their program and new talent. Security is stronger when we’re working together,” Tucker said.”
Amazon Hackers Made $832,135 In Just 10 Days—Here’s How
https://www.forbes.com/sites/daveywinder/2021/06/12/amazon-hackers-made-832135-in-just-10-days-heres-how/
Tomi Engdahl says:
It took hackers $10 worth of stolen cookies and some lies to breach EA’s systems https://www.neowin.net/news/it-took-hackers-10-worth-of-stolen-cookies-and-some-lies-to-breach-eas-systems/
Reports broke yesterday of a massive data breach at Electronic Arts that resulted in the theft of close to 780GB worth of data containing FIFA 21 and Frostbite engine source code. While the code itself isnt being made available on the web, hackers have reportedly posted screenshots of some of the stolen content as proof of possession. The hackers claim that they started off by purchasing stolen cookies for
$10 from the web. These cookies possibly containing Slack login details of EA employees were then used to gain access to a Slack channel, with the hackers likely masquerading as internal employees.
Tomi Engdahl says:
Malware hosting domain Cyberium fanning out Mirai variants https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants
AT&T Alien Labs has observed the Mirai variant botnet, known as Moobot, scanning for known but uncommon vulnerabilities in Tenda routers, resulting in a considerable peak in our internal telemetry.
The research associated with this peak resulted in the discovery of a malware hosting domain, providing several different Mirai variants, like Moobot and Satori.
Tomi Engdahl says:
This data and password-stealing malware is spreading in an unusual way https://www.zdnet.com/article/this-data-and-password-stealing-malware-is-spreading-in-an-unusual-way/
Attackers behind the malware known as SolarMarker are using PDF documents filled with search engine optimization (SEO) keywords to boost their visibility on search engines in order to lead potential victims to malware on a malicious site that poses as Google Drive.
According to Microsoft, SolarMarker is a backdoor malware that steals data and credentials from browsers.
Tomi Engdahl says:
Microsoft: SEO poisoning used to backdoor targets with malware https://www.bleepingcomputer.com/news/security/microsoft-seo-poisoning-used-to-backdoor-targets-with-malware/
Microsoft is tracking a series of attacks that use SEO poisoning to infect targets with a remote access trojan (RAT) capable of stealing the victims’ sensitive info and backdooring their systems. The malware delivered in this campaign is SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.
Tomi Engdahl says:
Apple: WebKit Bugs Exploited to Hack Older iPhones
https://www.securityweek.com/apple-webkit-bugs-exploited-hack-older-iphones
Apple late Monday shipped an out-of-band iOS update for older iPhones and iPads alongside a warning that a pair of WebKit security vulnerabilities may have been actively exploited.
As is customary, Apple did not provide details on the zero-day attacks, which appear to be aimed at a range of older models of Apple flagship iPhone devices.
The latest iOS 12.5.4 patch covers at least three documented security holes that expose unpatched devices to arbitrary code execution attacks.
Tomi Engdahl says:
CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack
https://www.securityweek.com/codecov-kills-bash-uploader-blamed-supply-chain-hack
Following a major software supply chain compromise that exposed data for several major companies, developer tools startup CodeCov plans to kill off the Bash Uploader tool that was responsible for the breach.
CodeCov, a little-known startup considered the vendor of choice for measuring code coverage in the tech industry, has shipped an entirely new Uploader using NodeJS to replace the Bash Uploader dev tool that was compromised in a recent software supply chain attack.
“We initiated this project because, as usage of Codecov has grown and our development velocity has increased, the Bash Uploader has become increasingly complex to properly maintain,” CodeCov said.
The company said that Bash Uploader, over time, added many “magic features” that were difficult to reason through and support against an ever-increasing number of use cases and warned that the distribution mechanism of choice [curl pipe to bash] “is notoriously problematic from a security perspective.”
Tomi Engdahl says:
Researchers Attribute SITA Cyberattack to Chinese Hackers
https://www.securityweek.com/researchers-attribute-sita-cyberattack-chinese-hackers
The cyberattack on SITA that impacted multiple airlines around the world was orchestrated by a Chinese nation-state threat actor tracked as APT41, security researchers at detection and prevention firm Group-IB say.
Codenamed ColunmTK and disclosed in early March 2021, the attack affected airlines such as Air India, Air New Zealand, Finland’s Finnair, Singapore Airlines, Malaysia Airlines, and Jeju Air in South Korea. SITA has roughly 2,500 customers and provides services in over 1000 airports worldwide.
One of the affected airlines was Air India, which announced in May that approximately “4,500,000 data subjects globally,” were affected. Compromised data includes names, dates-of-birth, passport information, contact information, and additional data.
Air India revealed that the attack was related to SITA PSS, which processes personally identifiable information (PII).
Tomi Engdahl says:
Microsoft Disrupts Large-Scale BEC Campaign
https://www.securityweek.com/microsoft-disrupts-large-scale-bec-campaign
Microsoft today announced it disrupted a large-scale business email compromise (BEC) campaign in which the attackers used forwarding rules to access messages related to financial transactions.
The campaign, which had its infrastructure hosted on multiple web services, involved the use of phishing emails with voice message lures. The emails carried an HTML attachment with JavaScript code designed to imitate the Microsoft sign-in page, to steal victims’ login credentials.
Once access to the mailbox was obtained, the attackers added email forwarding rules that would send messages containing information related to financial transactions (keywords such as invoice, payment, and statement) to attacker-controlled email addresses. Additionally, the forwarded emails were deleted from the sent box, to avoid detection.
The attackers used a large cloud-based infrastructure for the campaign, to automate operations at scale, including the monitoring of compromised mailboxes, the creation of forwarding rules, identifying valuable victims, and processing the forwarded emails.
Tomi Engdahl says:
G7 Tells Russia to Crack Down on Ransomware, Other Cybercrime
https://www.securityweek.com/g7-tells-russia-crack-down-ransomware-other-cybercrime
At the latest Group of Seven (G7) summit, held June 11-13 in the UK, Western leaders called on Russia to take action against those who conduct ransomware attacks and other cybercrimes from within its borders.
In a communiqué issued after the conclusion of the summit, G7 countries vowed to work together to “further a common understanding of how existing international law applies to cyberspace” and collaborate to “urgently address the escalating shared threat from criminal ransomware networks.”
The G7 called on all states to “urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.”
However, they singled out Russia, and called on Moscow to halt its “destabilising behaviour and malign activities, including its interference in other countries’ democratic systems” and to “identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.”
Tomi Engdahl says:
Andrew Chung / Reuters:
SCOTUS throws out a lower court ruling that had allowed 3rd-party scraping of LinkedIn users’ public profiles, sending the dispute back to federal appeals court — The U.S. Supreme Court on Monday gave Microsoft Corp’s (MSFT.O) LinkedIn Corp another chance to try to stop rival hiQ Labs Inc …
https://www.reuters.com/technology/us-supreme-court-revives-linkedin-bid-shield-personal-data-2021-06-14/
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
In a week-long operation, Interpol took down ~113K web links to fake pharmacies, and in another recent operation it recovered ~$83M for victims of online crime
Interpol shuts down thousands of fake online pharmacies
https://www.bleepingcomputer.com/news/security/interpol-shuts-down-thousands-of-fake-online-pharmacies/
The Interpol (International Criminal Police Organisation) has taken down thousands of online marketplaces that posed as pharmacies and pushed dangerous fake and illicit drugs and medicine.
This record number of illicit online pharmacies was shut down during Operation Pangea XIV, which targeted online sellers of counterfeit and illegal pharmaceuticals and medical devices.
Law enforcement agencies, customs, and health regulatory authorities from 92 countries coordinated by Interpol took down “113,020 web links including websites and online marketplaces being closed down or removed.”
Tomi Engdahl says:
Microsoft Confirms Serious Windows 10 Update Warning
https://www.forbes.com/sites/gordonkelly/2021/06/12/microsoft-issues-windows-10-update-warning-zero-day-security-vulnerability-free-windows-10-upgrade/
Windows 10’s one billion users need to listen up because Microsoft has confirmed seven serious threats to the operating system and warned users to upgrade.
Microsoft used its Windows 10 June ‘Patch Tuesday’ release to reveal the vulnerabilities, all of which are ‘zero day’ threats. That means they are actively being used by hackers to break into Windows 10 computers in targeted attacks.
Tomi Engdahl says:
Wall Street Journal:
Alibaba’s Taobao was clandestinely scraped by a web crawler for 8 months, leading to a leak of 1.1B pieces of user data, including user IDs and phone numbers
Alibaba Falls Victim to Chinese Web Crawler in Large Data Leak
https://www.wsj.com/articles/alibaba-falls-victim-to-chinese-web-crawler-in-large-data-leak-11623774850?mod=djemalertNEWS
A Chinese software developer trawled Alibaba Group Holding Ltd. ’s popular Taobao shopping website for eight months, clandestinely collecting more than 1.1 billion pieces of user information before Alibaba noticed the scraping, a Chinese court verdict said.
The software developer began using web-crawling software he designed on Taobao’s site starting in November 2019, gathering information including user IDs, mobile-phone numbers and customer comments, according to a verdict released this month by a district court in China’s central Henan province. When Alibaba noticed the data leaks from Taobao, one of China’s most-visited online retail sites, the company informed the police, the court said.
A spokeswoman said Alibaba proactively discovered and addressed the incident and was working with law enforcement to protect its users. She wouldn’t elaborate on how many people were affected. No user information was sold to a third party and no economic loss occurred, she said. About 925 million people use Alibaba’s Chinese retail platforms at least once a month, according to the company.
Software developer scrapes 1.1 billion pieces of user data, including IDs and phone numbers, over eight months
Tomi Engdahl says:
Fujifilm Restores Services Following Ransomware Attack
https://www.securityweek.com/fujifilm-restores-services-following-ransomware-attack
Japanese multinational corporation Fujifilm on Monday reported that it has restored operations following a recent ransomware attack.
Founded in 1934 and headquartered in Tokyo, the company operates in a broad range of areas, including photography, office and medical electronics, optics, biotechnology, and chemicals.
On June 4, the company announced that it had fallen victim to a ransomware attack that forced it to shut down its network.
Immediately, Fujifilm launched an investigation into the attack, which revealed that impact was “limited to specific networks in the country.” Thus, servers and computers deemed to be safe were brought back online.
Tomi Engdahl says:
Poland Target of ‘Unprecedented’ Cyber Attacks: Govt
https://www.securityweek.com/poland-target-unprecedented-cyber-attacks-govt
Poland’s parliament said it will hold a closed-door session Wednesday to discuss a wave of cyber attacks against the EU member that the government called “unprecedented”.
“We’ll listen to explanations and information from the prime minister (Mateusz Morawiecki),” Deputy Speaker Malgorzata Kidawa-Blonska told reporters on Tuesday.
Morawiecki, who had requested the session, plans to present secret documents concerning the “wide scale” of the attacks, according to government spokesman Piotr Muller.
Tomi Engdahl says:
Google Workspace Gets Client-Side Encryption
https://www.securityweek.com/google-workspace-gets-client-side-encryption
Tomi Engdahl says:
Reality Winner, NSA Contractor in Leak Case, Out of Prison
https://www.securityweek.com/reality-winner-nsa-contractor-leak-case-out-prison
Tomi Engdahl says:
Critical Entities Targeted in Suspected Chinese Cyber Spying
https://www.securityweek.com/critical-entities-targeted-suspected-chinese-cyber-spying
A cyberespionage campaign blamed on China was more sweeping than previously known, with suspected state-backed hackers exploiting a device meant to boost internet security to penetrate the computers of critical U.S. entities.
The hack of Pulse Connect Secure networking devices came to light in April, but its scope is only now starting to become clear. The Associated Press has learned that the hackers targeted telecommunications giant Verizon and the country’s largest water agency. News broke earlier this month that the New York City subway system, the country’s largest, was also breached.
Tomi Engdahl says:
Vulnerabilities Allow Hackers to Disrupt, Hijack Schneider PowerLogic Devices
https://www.securityweek.com/vulnerabilities-allow-hackers-disrupt-hijack-schneider-powerlogic-devices
Vulnerabilities discovered in some older Schneider Electric PowerLogic products can allow hackers to remotely take control of devices or disrupt them.
Schneider informed customers earlier this month that its PowerLogic EGX100 and EGX300 communication gateways are affected by six types of vulnerabilities that could be exploited to access devices, launch denial-of-service (DoS) attacks, and for remote code execution. The impacted products are part of the company’s power monitoring and control offering, but they have reached end of life.
Five of the security holes have been rated critical or high severity, and they are caused by improper input validation. They can be exploited for DoS attacks or remote code execution using specially crafted HTTP packets.
Tomi Engdahl says:
Ukrainian Police Nab Six Tied to CLOP Ransomware https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/
Authorities in Ukraine this week charged six people alleged to be part of the CLOP ransomware group, a cybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOPs victims this year alone include Stanford University Medical School, the University of California, and University of Maryland. According to a statement and videos released today, the Ukrainian Cyber Police charged six defendants with various computer crimes linked to the CLOP gang, and conducted 21 searches throughout the Kyiv region.. Also:
https://nakedsecurity.sophos.com/2021/06/16/clop-ransomware-suspects-busted-in-ukraine-money-and-motors-seized/.
https://www.bleepingcomputer.com/news/security/ukraine-arrests-clop-ransomware-gang-members-seizes-servers/.
https://thehackernews.com/2021/06/ukraine-police-arrest-cyber-criminals.html.
https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/.
https://www.theregister.com/2021/06/16/clop_ransomware_gang_arrests_ukraine/.
https://www.forbes.com/sites/leemathews/2021/06/16/police-bust-ransomware-operation-alleged-to-have-caused-500-million-in-damage/
Tomi Engdahl says:
US convicts Russian national behind Kelihos botnet crypting service https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/
Russian national Oleg Koshkin was convicted for charges related to the operation of a malware crypter service used by the Kelihos botnet to obfuscate malware payloads and evade detection. Koshkin has been detained since he was arrested in California in September 2019, and he is facing a maximum penalty of 15 years in prison after September 20, 2021, when his sentencing is due. Pavel Tsurkan, his co-defendant, was also indicted with conspiring to cause damage to protected computers, and for aiding and abetting Peter Levashov, Kelihos botnet main operator, in damaging protected computers.
Tomi Engdahl says:
New IoT Security Risk: ThroughTek P2P Supply Chain Vulnerability https://www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/
Today we announced the discovery and responsible disclosure of a new security camera vulnerability, the latest in a series of Nozomi Networks research discoveries regarding IoT security. This particular vulnerability affects a software component from a company called ThroughTek. The component is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices. ThroughTek states that its solution is used by several million connected devices.