As always, I hope this e-mail finds you well. Some interesting stories to share, and unfortunately quite a few breaches. Also it turns out that airfryers can have vulnerabilities these days, because of course.
Meanwhile I'm continuing work on scanyourstuff.app, and having a blast. It's almost ready to receive its first users, let me know if you want to be one of them.
Breaches and leaks
- Logins for 1.3 million Windows RDP servers collected from hacker market: link.
- HashiCorp is the latest victim of Codecov supply-chain attack: link.
- Six million male members may have been exposed after hack of gay dating service: link.
- Geico data breach exposed customers' driver's license numbers: link.
- Hacker leaks 20 million alleged BigBasket user records for free: link.
- Malvertisers hacked 120 ad servers to load malicious ads: link.
- Eversource Energy data breach caused by unsecured cloud storage: link.
When a password manager gets hacked, one has to pay attention. I hadn't heard of this one yet, but apparently it's an on-prem password manager used by 29,000 companies. If you're one of them, drop everything and go look into this. Their update mechanism was hijacked to deliver malware that siphoned off password and system data.
Well, yesterday really, on the 25th. Good riddance.
If you have a QNAP NAS you'll want to look into this. This ransomware campaign is taking advantage of recently disclosed issues to remotely use 7zip to password-protect all the files. More on the vulnerabilities here.
The Linux kernel team has banned the University of Minnesota from contributing patches after they've repeatedly offered bad ones as part of a research experiment.
The post shares some lessons learned, like how vital the participation of private companies was, and says that the emergency coordination groups for both events are standing down, with further responses going through standard procedures.
The 2020 MITRE ATT&CK vendor evaluation results have been released! This is the first time the evaluation has focused on financially motivated criminal groups, in this case Carbanak and FIN7, which heavily target retail and financial services industries. Uptycs was among 30 vendor participants in this round and this blog breaks down the simulation and evaluation process. (Sponsored)
The surveillanceware apparently didn't require any jailbreak to run on standard iOS devices, although it did install jailbreaks when possible once present on the system.
The article describes an SEO technique called "cloaking", which I didn't know about yet. It's when a website displays different content to human visitors than to search engine spiders.
This is just a great read. Signal's founder Moxie Marlinspike showed vulnerabilities in the data extraction tools from Cellebrite. For example, one can add files to Signal that screw up any past and future reporting. It sounds like Signal will start adding such files too.
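To make the cloaking idea concrete, here is an added example (my own illustration, not code from the article or from any site it discusses). The toy `cloaked_handler` does what a cloaking site does: it keys on the User-Agent and serves a benign page to crawlers and the real page to everyone else. The `cloaking_score` check then fetches the same URL as a browser and as a crawler and compares the visible text. The page bodies, user-agent strings and the `fake_fetch`/`honest_fetch` transports are all constructed so the example runs offline; real cloaking setups also match on crawler IP ranges or reverse DNS, which a User-Agent-only check will not catch.

```python
"""Cloaking: a toy cloaking handler and a simple user-agent differential check.

Added illustration; the pages, user-agent strings and fetch helpers below
are constructed for the example and are not taken from any real site.
"""
import difflib
import re

# Constructed list of substrings that identify common search-engine crawlers.
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "duckduckbot", "yandexbot")

# Page shown to spiders: harmless content that ranks for the target keywords.
CLEAN_PAGE = """<html><head><title>Home Cooking Tips</title></head>
<body><h1>Home Cooking Tips</h1>
<p>Ten easy weeknight recipes: roast vegetables, lentil soup,
pasta with garlic and olive oil.</p></body></html>"""

# Page shown to humans: the spam the operator actually wants to monetise.
SPAM_PAGE = """<html><head><title>Home Cooking Tips</title></head>
<body><h1>Cheap pills, click now.</h1>
<p>Best prices, no prescription, overnight shipping to any country.</p>
<script>location.href='http://example.invalid/offer'</script></body></html>"""


def is_crawler(user_agent: str) -> bool:
    """True if the User-Agent looks like a search-engine spider."""
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in CRAWLER_UA_MARKERS)


def cloaked_handler(headers: dict) -> str:
    """What a cloaking site does: benign page for spiders, spam for people."""
    if is_crawler(headers.get("User-Agent", "")):
        return CLEAN_PAGE
    return SPAM_PAGE


def visible_text(html: str) -> str:
    """Drop script blocks and tags, collapse whitespace, lower-case."""
    html = re.sub(r"<script.*?</script>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip().lower()


def cloaking_score(fetch, url: str) -> float:
    """Fetch url as a browser and as a crawler; return 1 - text similarity.

    0.0 means both requests saw identical visible text; values near 1.0 mean
    the two audiences are served wholly different content.
    """
    browser_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0"}
    crawler_headers = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                     "+http://www.google.com/bot.html)"}
    as_browser = visible_text(fetch(url, browser_headers))
    as_crawler = visible_text(fetch(url, crawler_headers))
    return 1.0 - difflib.SequenceMatcher(None, as_browser, as_crawler).ratio()


def looks_cloaked(fetch, url: str, threshold: float = 0.3) -> bool:
    """Flag the URL when the browser/crawler views diverge beyond threshold."""
    return cloaking_score(fetch, url) > threshold


# Offline transports standing in for an HTTP client: fetch(url, headers) -> body.
def fake_fetch(url: str, headers: dict) -> str:
    """Routes every URL to the cloaking handler above."""
    return cloaked_handler(headers)


def honest_fetch(url: str, headers: dict) -> str:
    """A site that serves the same page to everyone."""
    return CLEAN_PAGE


if __name__ == "__main__":
    for name, fetch in (("cloaked", fake_fetch), ("honest", honest_fetch)):
        print(f"{name}: score={cloaking_score(fetch, 'http://example.invalid/'):.2f} "
              f"flagged={looks_cloaked(fetch, 'http://example.invalid/')}")
```

To use this against a live site, replace `fake_fetch` with a function that performs the HTTP request with the given headers and returns the body; keep in mind that sites which legitimately vary content per device or region will also score above zero, so the threshold is a triage signal, not proof.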
I haven't read the whole interview yet, but this sounds like an awesome initiative all around. It's definitely worth remembering sometimes that a lot of (cyber)crime happens because some people have few alternatives.
Sure, that might as well be a thing. Enjoy that facepalm.
This is interesting. 1Password is opening up a feature where you can store secrets like API tokens and private certificates, and use them directly in your infrastructure through a private REST API provided by a 1Password Connect server. Worth checking out. (Sponsored)