Maharashtra BJP’s Twitter handle ‘hacked’
On Sunday, the verified Twitter handle of the Maharashtra Bharatiya Janata Party (BJP) “criticised” the government of Chief Minister Devendra Fadnavis over its employment policy. Hours later, the BJP told the cyber police station that it did not post the “mischievous tweet” and asked them to investigate the matter. According to sources, the party has asked the police to establish whether it was a case of hacking or whether someone had tampered with the state BJP’s Twitter handle. The cyber police are investigating the matter.

The unusual tweet, now deleted, by @BJP4Maharashtra, the verified Twitter handle of the state BJP, was put up at around 10.15 am on Sunday. The tweet criticised the Fadnavis government for “unemployment” in Maharashtra. Taking a jibe at the BJP over the tweet from the account, senior Congress leader Radhakrishna Vikhe-Patil tweeted that the BJP may have finally agreed with what the Congress has been pointing out for two-and-a-half years.

Later in the day, the BJP spokesperson released a statement saying the party had approached the cyber police station to find out who was behind the tweet. The statement, released by party spokespersons in Marathi, said that in the backdrop of the assembly elections in Gujarat, it is suspected that there may have been some mischief in this case. “The BJP’s Twitter handle has been misused and is possibly hacked,” the party statement said.
PayPal’s TIO data breach: 1.6 million customers’ personal details stolen by hackers
PayPal has revealed that its recently acquired company TIO Networks has suffered a data breach compromising the personal information of 1.6 million users.

On November 10, PayPal announced that it had suspended TIO’s operations after it discovered security vulnerabilities in the firm’s platform and issues with its data security program that “did not adhere to PayPal’s information security standards. TIO systems are completely separate from the PayPal network and PayPal’s customers’ data remains secure,” the company said. “While we apologise for any inconvenience this suspension may cause, the security of TIO’s systems and the protection of TIO’s customers are our highest priorities,” PayPal had said at the time.

On Friday, 1 December, PayPal said a review of TIO’s network showed evidence of a breach that may have compromised the details of about 1.6 million users, including locations that stored personal data of TIO customers and customers of TIO billers. TIO is currently working with the companies it services to notify affected customers. “Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring,” PayPal said.

It added that TIO’s services “will not be fully restored until we are confident in the security of the TIO systems and network.” “At this point, TIO cannot provide a timeline for restoring bill pay services and continues to recommend that you contact your biller to identify alternative ways to pay your bills,” TIO said.
Barclays bank ends Kaspersky anti-virus product offer to online customers as a ‘precaution’
Barclays bank has stopped offering free Kaspersky anti-virus products to new online banking customers following an official UK government warning about Russian software. In an email to 290,000 online banking customers on Saturday (2 December), Barclays said: “The UK government has been advised to remove any Russian products from all highly sensitive systems classified as secret or above. We’ve made the precautionary decision to no longer offer Kaspersky software to new users. However, there’s nothing to suggest that customers need to stop using Kaspersky.” Barclays said it treated the security of its customers “very seriously”.

The offer was available to internet banking customers to boost their security via a free 12-month trial. A spokesman for Kaspersky told IBTimes UK the company was very “disappointed” that Barclays had discontinued its offer to its customers.

Earlier in the day, it was revealed that the UK National Cyber Security Centre – the country’s authority on cybersecurity and part of GCHQ – is writing to all government departments telling them Russian security software could be exploited by Moscow. Ciaran Martin, head of the National Cyber Security Centre, said: “Russia is acting against the UK’s national interest in cyberspace. It seeks to target UK central government and the UK’s critical national infrastructure.” He advised that “a Russia-based provider should never be used” for systems that deal with issues related to national security. However, the agency did note that it is not advising the public at large against using Kaspersky’s popular antivirus products.
Malware displays fake Blue Screen of Death to sell phoney Windows antivirus
Security researchers have discovered a new strain of malware that displays a fake Blue Screen of Death and tricks a panicky user into buying phoney Windows antivirus software. Hackers usually use malware to swipe personal and financial data, hold files for ransom or spy on users. However, this one prompts users to purchase a phoney Microsoft security tool called ‘Windows Defender Essentials’ for $25 (£18). The name of the purported security software is actually a combination of two legitimate products from Microsoft – Windows Defender and Security Essentials.

According to researchers at Malwarebytes, the malware, called “Troubleshooter”, infects a targeted device and displays the infamous, nerve-rattling BSOD (Blue Screen of Death) to users. The malware also disables shortcut keys such as “Ctrl-Alt-Del” to prevent users from closing the pop-up window. Should a user attempt to do so, they are met with another popup that reads: “The application was unable to start correctly (0xc0000142).” It can also take a screenshot of the user’s desktop and send it to a remote IP address.

If a user does shell out $25, they are redirected to a “thank you” webpage and the malware is supposedly removed. However, users can fix the issue themselves by rebooting the PC into Safe Mode and removing the malicious file.
July Systems data leak: Massive trove of sensitive information exposed online via unsecured database
A massive trove of sensitive data was left freely exposed online by San Francisco-based July Systems. The company’s cloud-based location intelligence and engagement platform, “Proximity MX”, which contains proprietary information belonging to the firm and its clients, was exposed via unsecured Amazon S3 buckets. According to security researchers at Kromtech, who discovered the three leaky S3 buckets, July Systems’ platform is used by several high-profile companies, including CNN, ESPN, Intel, Toys“R”Us, CBS, Fox, and NBC Universal.

According to Kromtech security researcher Bob Diachenko, the data exposed includes security credentials for iPhone and Android apps, repository credentials (which could have potentially allowed anyone access to sensitive client data or tracking data), and internal builds and development tools for various clients including NFL, CBS, Amex, NBA, FOX, PGA and more. “The real issues are that the discovery is part of a much bigger network and exposed passwords that could have been used by cybercriminals to gain access to secured areas of their data infrastructure,” Diachenko said in a blog.

Diachenko told IBTimes UK that Kromtech “first spotted two July System related buckets and one Cisco-related bucket on November 20,” adding that all of the buckets were being updated in real time. He told us that two of the S3 buckets were secured within a couple of days of July Systems being notified about the breach. However, the Cisco-related server remained exposed for another week before it too was secured.

There have been numerous massive leaks caused by unsecured S3 buckets over the past year, which have exposed incredibly large troves of data from various organisations. Most recently, classified US Army and NSA data was also left exposed, thanks to an unsecured S3 bucket.
Satori botnet: Mirai successor awakens with zero-day powers and over 280,000 bots in 12 hours
A new massive IoT (Internet of Things) botnet dubbed Satori has emerged, which security researchers fear can launch crippling attacks at any time. Satori, which reportedly means “awakening” in Japanese, is actually the infamous Mirai botnet’s successor.

According to a new report by security researchers at Qihoo 360 Netlab, the Satori botnet can propagate rapidly by itself, which essentially makes it an IoT worm. Bleeping Computer reported that instead of using a scanner to search for vulnerable routers, the botnet uses two exploits that attempt to connect to devices on ports 37215 and 52869. Dale Drew, chief security strategist at CenturyLink, told Ars Technica that the Satori botnet has already infected two widely-used types of home routers by exploiting the recently-discovered zero-day flaw. By reportedly abusing the zero-day vulnerability in Huawei Home Gateway routers, Satori was able to infect even routers secured with strong passwords.

Qihoo 360 Netlab security researcher Li Fengpei told Bleeping Computer that there are some clues that hint at the possibility of Satori being linked to yet another Mirai-based botnet discovered last month. Although it is still unclear if the same hacker operates both botnets, Li reportedly said that Satori and the other Mirai-based botnet share file names, some C2 protocols and other features.

Meanwhile, Drew reportedly warned that the Satori botnet’s operators could launch an Internet-crippling DDoS attack at any time. At the moment, security researchers appear to be still gathering more information about the botnet by tracking its activities, in an effort to block any new control channels it may leverage.
Ai.Type data leak: 31 million users’ personal data exposed due to MongoDB cloud configuration error
Ai.Type accidentally exposed highly personal and sensitive data of more than 31 million customers on an unsecured MongoDB database online. Cybersecurity firm Kromtech Security Center discovered that a 577MB Mongo-hosted database containing the details of 31,293,959 users was exposed to anyone with an internet connection. MongoDB is a common platform used by many well-known companies and organisations to store data, but a simple misconfiguration could allow the database to be easily exposed online.

Based in Tel Aviv, Israel, the company behind Ai.Type claims to have over 40 million users worldwide and offers both an Android and iOS version of its app.

The exposed records included highly sensitive and identifiable information of millions of users such as owners’ names, phone numbers, device names and models, mobile networks, Android version, IMSI and IMEI numbers, user languages enabled, country of residence, data linked with social media accounts, location details and in some cases IP addresses. More than six million records contained data collected from users’ contact books, including names, phone numbers and contacts saved or linked to a Google account, researchers found. “Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online,” Bob Diachenko, head of communications at Kromtech Security Center, said.

The researchers testing Ai.Type were shocked to find out that users must allow “Full Access” to all of their data stored on their testing iPhone, including past and present keyboard data. This also exposed just how much data such apps access, and how they obtain a treasure trove of data that average users do not expect to be extracted or data mined from their phone or tablet.
Ashley Madison is leaking users’ private and explicit photos yet again
Ashley Madison users’ private and explicit photos are leaking once again. Security researchers at Kromtech, working with independent security researcher Matt Svensson, found that the site’s security setting designed to share private photos has a major issue.

Ashley Madison provides a “key” to users – using this key is the only way that users can view private photos. Although users can opt out of automatically sending their private keys, the security researchers found that most users likely do not opt out. Researchers say that this is because most people are more likely to maintain the default security settings – which the security experts called the “tyranny of the default”. The researchers conducted a test to determine how many users actually opted to change the default security settings and found that 64% of Ashley Madison accounts that had private photos would automatically share keys.

According to Kromtech communications head Bob Diachenko, the Ashley Madison site’s flawed security settings not only expose users’ private photos but also leave them vulnerable to blackmailers. Ashley Madison (AM) users were blackmailed last year, after a leak of users’ email addresses and the names and addresses of those who used credit cards. Svensson warned that Ashley Madison users could likely be hit by yet another Fappening-like leak.

Ashley Madison was reportedly made aware of the issue by the security researchers but is choosing not to implement the security experts’ recommendations.
Security bug that let hackers steal banking passwords put 10 million app users at risk
A critical security bug was discovered in major banking apps used by HSBC, NatWest and Co-op which could let hackers steal usernames and passwords, new research has revealed. The vulnerability, if exploited, could have let hackers connected to the same network as the victim – such as a public Wi-Fi network in a workplace or coffee shop – perform a so-called Man in the Middle (MitM) attack and retrieve usernames, passwords or PIN codes.

The team found the bugs after developing a tool called “Spinner”, which was able to perform “semi-automated security testing” of mobile apps. Spinner found that nine apps had a major flaw, including those operated by two of the largest banks in the world, Bank of America and HSBC. “In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed,” said Dr Tom Chothia, a University of Birmingham researcher at its Security and Privacy Group. “It’s impossible to tell if these vulnerabilities were exploited but if they were attackers could have got access to the banking app of anyone connected to a compromised network,” he added.

Experts also found “in-app phishing attacks” in apps offered by Santander and the Allied Irish bank. These would have let an attacker “take over part of the screen while the app is running and use this to phish for the victim’s login credentials.” This technique is commonly used in Android-based hacks and is known as an overlay attack.

The findings were published in the proceedings of ACSAC 2017 and presented at the 33rd Annual Computer Security Applications Conference.
New spyware takes over for the infamous FinFisher in watering hole operations
Security researchers have found that the notorious FinFisher malware has been replaced by a new spyware. ESET researcher Tomas Kafka reported that a new spyware dubbed StrongPity2 seems to have taken over for the infamous spyware and uses similar techniques as FinFisher. FinFisher, also known as FinSpy, is sold to governments, nation states and intelligence agencies for extensive surveillance purposes and can be used for keystroke logging, snooping on webcams, microphones and web browsing, as well as exfiltration of files.

Named after the group StrongPity, researchers said Win32/StrongPity2 has been used in man-in-the-middle attacks and exploits a number of popular websites to help install and spread the malware. The StrongPity group was observed performing such watering hole attacks in the summer of 2016, targeting mostly Italian and Belgian users of encryption software.

“As we reported in September, in campaigns we detected in two different countries, Man-in-the-Middle (MitM) attacks had been used to spread FinFisher, with the ‘man’ in both cases most likely operating at the ISP level,” Kafka wrote in a blog post on Friday (8 December). Like FinFisher, the new campaign also uses HTTP redirects for “on-the-fly” browser redirection to set up a man-in-the-middle attack and distribute StrongPity2 spyware. “The first similarity is the attack scenario – users trying to download a software installation package were being redirected to a fake website serving a trojanized version of the expected installation package,” ESET said.

Researchers noted that some parts of StrongPity2’s code are exactly the same as that of FinFisher, while others were still notably similar. Both StrongPity2 and FinFisher used the same uncommon obfuscation algorithm and libcurl version 7.45. They even exfiltrated files the same way.