New Bezop cryptocurrency (BEZ) leaks personal details of 25k users
Security researchers at cybersecurity firm Kromtech have discovered a MongoDB database containing the personal details of over 25,000 Bezop (BEZ) cryptocurrency users. John McAfee, a Bezop advisor, described Bezop as “a distributed version of Amazon.com,” but the project also implements an Ethereum-based cryptocurrency. The database contained personal details such as full names, home addresses, email addresses, encrypted passwords, wallet information, and scanned passports, driver’s licenses, or IDs.

Further analysis revealed that the database contained information relating to a “bounty programme” launched by the Bezop development team in early 2018. One of the tables in the exposed MongoDB database was named “Bounty”, so the archive contained the information of the people who invested and participated in this part of the program. The Bezop team gave tokens in exchange for promoting Bezop via online social media sites and forums or by writing blog posts about the cryptocurrency.

“On Mar 30, researchers at Kromtech Security identified a database open to the public containing full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs for over 25,000 investors of the newly created Bezop,” reads the blog post published by Kromtech. “Around the time of their ICO, which finished January 10, 2018, Bezop launched their first bounty program, in which people would earn Bezop Tokens in exchange for promoting Bezop via online social media sites like Facebook, posting to forums while using an approved Bezop signature on sites such as bitcointalk, moderation of forums, or by writing articles about Bezop.”

The Bezop team confirmed the data leak and explained that the data were exposed while the dev team faced a DDoS attack on January 8. “Bezop sent out a notice back on Jan. 8 during the ICO (initial coin offering), reporting both a DDoS attack and security holes exposing that data,” Deryck Jones, who is listed as Bezop.io’s CTO online, told Threatpost. “The Bezop notice went to all investors including me. It was an unfortunate incident and very disappointing.”

According to a Bezop spokesperson, the database contained details on around 6,500 ICO investors, while the remaining records related to users who participated in the public bounty program. The MongoDB instance was left exposed online without authentication until March 30, when Kromtech found it, and it was promptly taken offline after Kromtech reported the discovery to the Bezop team.
Oops … Why is Facebook interested in my culinary tastes on the Faasos portal?
So, let’s start from the beginning of the story. You will be aware of the “Cambridge Analytica” case; after its public disclosure Facebook launched the “Data Abuse Bounty Program” on 9th April 2018. Well, we all are aware that we have been tracked for years! Whatever we search on the Internet, no matter what object it is, in a day or a few hours it will be in your suggestions or on an advertisement banner. This is the most recent example: Google is always listening: Live Test.

I really love eating veg wraps from Faasos, and it was a normal day when I did a checkout and ordered a few of them; however, I have a very bad habit of capturing packets. What I observed was that there were a few `GET` & `POST` requests to Facebook as well in between the checkout on Faasos; at that time I didn’t pay much attention to it. On the same day, I created a test account on Faasos to dig more, clicked on some random wraps, went until checkout, and guess what: I was still able to see those Facebook requests. I cleared all my history, cookies etc. for the entire day and thought of doing it again. All the requests, starting from login to Faasos and browsing your items in it, go only to `*faasos.io` based assets, but as soon as you press checkout a `GET` request goes to Facebook which carries my juicy information from Faasos, which also includes my ordering details. (Strange!) Apart from that, I started getting suggestions on my Facebook wall regarding Faasos. Okay, then I thought of reporting it to Facebook under the Data Abuse Bounty Program and we had a long discussion about this; they (Facebook Security Team) also told me to connect with the Faasos security team, and I did the same.

However, the Faasos security team is not very active; they finally replied to me after 4-5 days saying: “Hey Dhiraj, This tool helps us understand the customer better and show them more appropriate adverts.” I asked them specifically about the tool, where it has been deployed and what all it collects – no reply yet. That’s bad; I “personally” feel Faasos has been a data broker over here. While collecting such info Faasos doesn’t even take users’ consent. I have seen many applications which take users’ consent for such things, and they also offer you to opt out of being tracked. Pheewww! Now I understand how all these things work!
How to use weaponized PDF documents to steal Windows credentials
According to research published by Assaf Baharav, a security expert at Check Point, weaponized PDF files can be used by threat actors to steal Windows credentials, precisely the associated NTLM hashes, with no user interaction beyond opening the file: the attackers just need to trick victims into opening it. Rather than exploiting a vulnerability in Microsoft Word files or in Outlook’s handling of RTF files, attackers take advantage of a feature natively found in the PDF standard that allows embedding remote documents and files inside a PDF file. When a victim opens the PDF document, it automatically contacts a remote SMB server controlled by the attacker, and SMB requests include the NTLM hash used for the authentication process.

“The NTLM details are leaked through the SMB traffic and sent to the attacker’s server which can be further used to cause various SMB relay attacks,” Baharav explained. “The attacker can then use this to inject malicious content into a PDF and so when that PDF is opened, the target automatically leaks credentials in the form of NTLM hashes.” Using this trick the attacker obtains the NTLM hash and can use tools available online to recover the original password.

According to Check Point, almost any Windows PDF viewer is affected by this security flaw and will reveal the NTLM credentials. Adobe experts refer to Microsoft Security Advisory ADV170014, released in October 2017, which implements a mechanism and provides instructions on how users can disable NTLM SSO authentication on Windows operating systems (NTLM SSO is also used for Office documents, shared folders authentication, and Outlook).
90% of SAP customers exposed to attack due to 13-year-old configuration flaw
According to security firm Onapsis, 90 percent of SAP systems were impacted by a vulnerability that affects SAP Netweaver and can be exploited by a remote unauthenticated attacker who has network access to the system. The configuration relates to how components of the SAP infrastructure communicate, with a specific focus on Application Servers, SAP Message Servers, and the SAP Central Instance. It affects all SAP Netweaver versions and still exists within the default security settings of every Netweaver-based SAP product such as SAP ERP, including the latest versions such as S/4HANA. SAP Netweaver installations, if not properly secured, could be compromised by a remote unauthenticated attacker who has network access to the system.

Every time a new application is created, the sysadmin must register the new Application Server with the SAP Message Server; the registration is performed via internal port 39<NN> (3900 by default, where NN is the instance number). The SAP Message Server implements a protection mechanism, an access control list (ACL), to check which IP addresses can register an application server and which cannot. An attacker can exploit an improperly configured Message Server ACL to register a fake Application Server that could be abused to gain full control of the SAP installation.

“The SAP Message Server implements an access control list (ACL) mechanism for access to the registration port. This parameter should contain a path to a file with the following format: HOST=[*| ip-adr | hostname | Subnet-mask | Domain ] [, …]. Nevertheless, this parameter is set with a default configuration, as well as the ACL contents open, allowing any host with network access to the SAP Message Server to register an application server in the SAP system.” SAP published details on how to properly configure this access file in 2005 through SAP Security Note #8218752 ‘Security settings in the message server’.
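As an added example (not code from Onapsis or SAP), here is a small Python audit that parses an ACL file in the HOST=... format quoted above and reports entries that leave the registration port open to any host; the sample file is constructed, and treating octet wildcards such as 10.18.*.* as the subnet-mask form is an assumption.

```python
"""Audit an SAP Message Server ACL file (HOST= format quoted above).

Added example, not Onapsis or SAP code. The sample file is constructed;
treating octet wildcards such as 10.18.*.* as the subnet-mask form is
an assumption.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: explicit hosts, a narrow mask, two broad entries, one open entry.
SAMPLE_ACL = """\
# application servers allowed to register with the message server
HOST=sapapp01, sapapp02
HOST=10.18.4.*
HOST=10.*.*.*
HOST=*.corp.example
HOST=*
"""

# Dotted quad where each octet is digits or a '*' wildcard.
_IPV4_OR_MASK = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")

@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str  # "open", "broad" or "ok"
    reason: str

def classify(entry: str) -> tuple[str, str]:
    """Return (severity, reason) for one HOST value."""
    if entry == "*":
        return "open", "wildcard host: any network peer can register"
    if _IPV4_OR_MASK.match(entry):
        wild = entry.count("*")
        if wild >= 2:
            return "broad", f"{wild} wildcard octets cover a very large address range"
        return "ok", "explicit address or single-octet mask"
    if entry.startswith("*."):
        return "broad", "domain wildcard: any host under the domain can register"
    return "ok", "explicit host name"

def audit_acl(text: str) -> list[Finding]:
    """Parse every HOST= line (comma-separated values allowed) into findings."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        key, sep, value = line.partition("=")
        if not line or line.startswith("#") or key.strip().upper() != "HOST":
            continue  # comments, blanks and non-HOST lines are ignored
        for entry in (v.strip() for v in value.split(",")):
            if entry:
                findings.append(Finding(line_no, entry, *classify(entry)))
    return findings

def is_open(text: str) -> bool:
    """True if any entry reproduces the page's misconfiguration (HOST=*)."""
    return any(f.severity == "open" for f in audit_acl(text))
```

Running `audit_acl(SAMPLE_ACL)` lists six findings, with the lone `HOST=*` line reported as open and the two wildcard-heavy entries as broad.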
SamSam operators switch tactics and are more focused on targeted organizations
SamSam ransomware made the headlines again: according to malware researchers at Sophos, its operators are now spreading thousands of copies of the ransomware at once into individual organizations. Unlike most of the well-known ransomware families, which attack randomly, SamSam is used against specific organizations, those most likely to pay to get their data back, like hospitals or schools. The experts warn of targeted attacks, meaning that the organizations are carefully selected by the crooks.

“Instead of spam campaigns, the cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP). When operators discover a potential target they manually deploy SamSam using tools like PSEXEC and batch scripts.”

The operators behind the recently discovered SamSam campaign attempt to exploit known vulnerabilities to compromise the networks of targeted organizations. Once a system inside the targeted organization is compromised, SamSam searches for other machines to infect while stealing credentials. Once the largest possible number of systems in the targeted organization is infected, SamSam operators offer a complete clean-up of the infected systems for a special price. The Bitcoin ransom seems to be adjusted based on the BTC-to-US$ exchange rate at the time of the infection of the organization. For all we know, that number was picked because it’s below certain reporting thresholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory.
FacexWorm targets cryptocurrency users and spreads through Facebook Messenger
Security researchers from Trend Micro have spotted a malicious Chrome extension, dubbed FacexWorm, which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their account credentials and run cryptocurrency mining scripts. FacexWorm implements several features, including stealing account credentials for websites like Google and cryptocurrency sites, redirecting victims to rogue cryptocurrency sites, injecting cryptocurrency miners, and redirecting victims to the attacker’s referral link for cryptocurrency-related referral programs.

“Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger,” reads the analysis published by Trend Micro.

FacexWorm propagates via links sent over Facebook Messenger to the friends of an affected Facebook account, redirecting users to fake versions of popular video streaming websites, including YouTube. The user is encouraged to download a malicious Chrome extension as a codec extension to continue playing the video and to grant all extended permissions to complete the installation; with this trick the malware gains full control over any website the user visits. The original article includes an image showing FacexWorm’s infection chain. Currently the malicious extension only targets Chrome users; when the malware detects a different browser it redirects the user to an innocuous-looking advertisement. Once the FacexWorm Chrome extension is installed on the victim’s PC, it downloads more modules from its command and control server to perform other malicious activities.

According to the experts, FacexWorm was first detected in late April and appears to be linked to two other Facebook Messenger spam campaigns, one that occurred in August 2017 and a second launched in December 2017 to spread the Digmine cryptocurrency miner.

“FacexWorm is a clone of a normal Chrome extension but injected with short code containing its main routine. The links redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. It will then request privilege to access and change data on the opened website,” continues the report.
Provident Fund Portal Hacked, 2.7 Crore People Face Data Theft
While Aadhaar and Facebook continue to raise questions on data security, the latest data breach has come from EPFO (Employees’ Provident Fund Organisation). The breach came to light through a letter circulated on Twitter, titled ‘Secret’ and dated March 23, which was addressed to the CEO of Common Service Centre and claimed that hackers exploited vulnerabilities through Aadhaar. The data leak also revealed details such as a person’s Aadhaar number, account number, father’s name, etc. As per a report by The Wire, the possibly leaked data includes the unique identity numbers, demographic information and employment details of millions of formal sector employees.

“The IB has advised adhering to the best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing (CAPT) of the entire system from competent auditors and testers,” the letter said.

As news buzzed across social media, EPFO took it upon itself to release a statement saying that there has been “no confirmed data leakage”. It clarified that “As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks.”

Inc42 had recently reported that Aadhaar whistleblower Srinivas Kodali published screenshots of Aadhaar data details of MNREGA (Mahatma Gandhi National Rural Employment Guarantee Act) beneficiaries. The breaches stand in direct contrast to UIDAI’s statements in court, where one of the clarifications was that the Aadhaar data is protected by 13 ft high and 5 ft thick walls. Amid the harsh stance shown during the Facebook-Cambridge Analytica debacle, the continuous Aadhaar leaks should have provoked action as well as criticism of weak data security; however, all Indians have got till now is “Aadhaar is safe”.
GitHub urged some users to reset their passwords after a problem caused internal logs to record passwords in plain text.
Some users published on Twitter the communication received via email from the company; the incident was discovered during a regular internal audit. The company immediately clarified that its systems were not hacked and that users’ data are not at risk. According to GitHub, only a “small number” of users are affected; the company forced a password reset on their accounts and confirmed that it has fixed the problem. The email provided details on the problem and explained that user passwords are stored in a secure way. “GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset,” GitHub said. The company added that the plaintext passwords were only accessible through internal log files available to a small portion of its IT staff; they were not publicly available.

Back in June 2016, the company adopted a similar measure, forcing a password reset for its customers after it became aware of unauthorized attempts to access a large number of its accounts. GitHub accounts can represent a mine of information for attackers: in March 2017 threat actors targeted developers who had repositories with a data-stealing malware called Dimnie. The malicious code includes keylogging features and modules that capture screenshots; the attackers were searching for something of interest among the huge number of projects hosted on the platform.
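As an added example (not GitHub’s code), the logging pattern behind the bug described above beside a hardened form: structured redaction of password-reset parameters before the log line is built, plus a regex filter on the logging handler as a fallback; the request and its parameter names are constructed assumptions.

```python
"""Keep plaintext credentials out of request logs.

Added example, not GitHub's code: the page describes a bug where the
password-reset flow wrote plaintext passwords to internal logs even
though stored passwords were bcrypt hashes. The request below is
constructed and the parameter names are assumptions.
"""
import logging
import re

# Parameter names whose values must never be logged (assumed names).
SENSITIVE_KEYS = {"password", "password_confirmation", "reset_token"}

# Fallback scrubber for free-form messages: matches key=value and
# 'key': 'value' forms for password-like keys and tokens.
_SENSITIVE_RE = re.compile(
    r"(?i)(password[a-z_]*|token)(['\"]?\s*[:=]\s*['\"]?)([^'\"&,\s}]*)"
)

def log_line_unsafe(method: str, path: str, params: dict) -> str:
    """The buggy pattern: the whole parameter map lands in the log."""
    return f"{method} {path} params={params}"

def redact_params(params: dict) -> dict:
    """Structured redaction: replace sensitive values, keep the keys."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in params.items()}

def log_line_safe(method: str, path: str, params: dict) -> str:
    """Hardened form: redact before the line is built."""
    return f"{method} {path} params={redact_params(params)}"

def scrub_message(msg: str) -> str:
    """Regex fallback for anything that bypassed structured redaction."""
    return _SENSITIVE_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", msg)

class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is written."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_message(record.getMessage())
        record.args = ()
        return True

# Constructed password-reset request resembling the flow the page describes.
RESET_REQUEST = ("POST", "/password_reset",
                 {"login": "octocat", "reset_token": "tkn-EXAMPLE",
                  "password": "hunter2", "password_confirmation": "hunter2"})

if __name__ == "__main__":
    logger = logging.getLogger("requests")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.info(log_line_unsafe(*RESET_REQUEST))  # filter scrubs it
    logger.info(log_line_safe(*RESET_REQUEST))    # already redacted
```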
Andhra Pradesh government site goes offline, data of millions freely available on Mee Kosam
Even as vulnerabilities in the state government’s websites get exposed one after the other with each passing day, TNIE has learnt that private information of AP’s residents is freely available on the ‘Mee Kosam’ portal. It may be noted that the survey was an exercise undertaken by the AP government in which the socio-economic data of every citizen of the state was integrated with his/her Aadhaar number. Despite gaps in the portal being exposed at a hackathon held in Visakhapatnam on April 26, the state government is yet to plug them. A college student who participated in the hackathon revealed that his team had exposed vulnerabilities in the website, and easily at that.

Satish explained that the data could be protected if the state government applied patches to the vulnerabilities without further ado. Most of the state government’s websites don’t follow the ‘Guidelines for Indian Government Websites’ (GIGW) formulated by the Ministry of Electronics and Information Technology. “That is why it is easy to make a data tampering attack on state government websites,” he observed. “Since ranking would be better if a government or a research website endorses their products, vulnerabilities in government portals are usually exploited by hackers,” he added.

In the wake of a series of reports on data leaks, IT Minister Nara Lokesh reportedly said an audit was underway to identify vulnerabilities in 33 government websites. Meanwhile, the state government has begun an audit of all government websites to ‘sanitise and monitor’ leaks.
Microsoft addressed a critical flaw in Windows Host Compute Service Shim library
Microsoft announced that it has issued a security update to address a critical remote code execution vulnerability in the Windows Host Compute Service Shim library (hcsshim). The Windows Host Compute Service (HCS) is a low-level container management API in Hyper-V; Microsoft implemented two open source wrappers to invoke HCS functions from higher-level programming languages. The Windows Host Compute Service Shim wrapper, introduced in January 2017, allows the launch of Windows Server containers from the Go language (github.com/microsoft/hcsshim).

The security expert Michael Hanselmann discovered that hcsshim fails to properly validate input when importing a container image; the vulnerability, tracked as CVE-2018-8115, could be exploited by a remote attacker to execute arbitrary code on the host operating system.

“A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image. To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host.”

Microsoft addressed the vulnerability with an out-of-band update to hcsshim (0.x series). While US-CERT released an alert urging users to update the library, Microsoft tried to downplay the problem, explaining that it is unlikely that the flaw could be exploited in attacks in the wild.

Source: https://securityaffairs.co/wordpress/72086/security/windows-host-compute-service-library-flaw.html