Ride-Hailing Company operating in Iran exposes data of Iranian Drivers

Security researcher discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online containing over 6.7M records.

Security researcher Bob Diachenko discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online without protection.

The MongoDB instance named ‘doroshke-invoice-production‘ contained over 6.7 million records of Iranian drivers.

Exposed records include driver first name and last name, SSN (10-digits Iranian ID number in plain text), phone number, and invoice date.

The expert discovered the database using the BinaryEdge search engine that indexes data available on the internet.

Security researcher Bob Diachenko discovered the database named ‘doroshke-invoice-production’ using BinaryEdge search engine that allows
to scan the entire internet space and acquiring data.

“On April 18th, during our regular security audit of nonSql databases with BinaryEdge search engine, I have discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers.” reads a blog post published by the expert.

The database included two collections with invoices split by year:

  • invoice95 (all the invoices from year 1395, which corresponds to 2017 in Gregorian calendar), with total number of records: 740,952
  • invoice96 (all the invoices from year 1396, which corresponds to 2018 in Gregorian calendar), with total number of records: 6,031,317
Iranian Ride-Hailing App data leak

The MongoDB contained a large number of duplicates, the researcher estimates that the unique number of entries is between one and two million.

At the time of writing the owner of the archive is still unknown, fortunately, it has secured the instance.

Diachenko reported its discovery to the Iranian CERT and also attempt to alert researchers in Iran to discover the owner.

“We were able to get in touch with a couple of drivers with an attempt to identify the owner of the database. At the same time, my colleagues have reached out to the biggest ride-hailing companies in Iran to confirm data origin. ” concludes Diachenko.

“While I did not receive an official confirmation or comment from either company, we can only guess if this data was part of their infrastructure. However, no matter who owned it, the fact alone that such highly sensitive PII (personally identifiable information) was available in the wild for at least 3 days, is scary.”

Pierluigi Paganini

(SecurityAffairs – data leak,ride-hailing company)

The post Ride-Hailing Company operating in Iran exposes data of Iranian Drivers appeared first on Security Affairs.

Security Affairs newsletter Round 210 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Attackers hacked support agent to access Microsoft Outlook email accounts
Major coordinated disinformation campaign hit the Lithuanian Defense
Romanian duo convicted of fraud Scheme infecting 400,000 computers
Security Affairs newsletter Round 209 – News of the week
Whatsapp, Instagram, Facebook down worldwide
A new DDoS technique abuses HTML5 Hyperlink Audit Ping in massive attacks
Apache fixed an important RCE flaw in Tomcat application server
Gnosticplayers round 5 – 65 Million+ fresh accounts from 6 security breaches available for sale
Gnosticplayers round 5 – 65 Million+ fresh accounts from 8 security breaches available for sale
Locked Shields 2019 – Chapeau, France wins Cyber Defence Exercise
Yellow Pencil WordPress Plugin flaw expose tens of thousands of sites
Adblock Plus filter can be exploited to execute arbitrary code in web pages
Blue Cross of Idaho data breach, 5,600 customers affected
CVE-2019-0803 Windows flaw exploited to deliver PowerShell Backdoor
Ecuador suffered 40 Million Cyber attacks after the Julian Assange arrest
FireEye releases FLASHMINGO tool to analyze Adobe Flash files
Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading
A new variant of HawkEye stealer emerges in the threat landscape
Code execution – Evernote
eGobbler hackers used Chrome bug to deliver 500Million+ ads to iOS users
European Commission is not in possession of evidence of issues with Kaspersky products
Justdial is leaking personal details of all customers real-time
RCE flaw in Electronic Arts Origin client exposes gamers to hack
Analyzing OilRigs malware that uses DNS Tunneling
APT28 and Upcoming Elections: evidence of possible interference (Part II)
Cisco addresses a critical bug in ASR 9000 series Routers
Drupal patched security vulnerabilities in Symfony, jQuery
Facebook ‘unintentionally collected contacts from 1.5 Million email accounts without permission
Russian TA505 threat actor target financial entities worldwide
Broadcom WiFi Driver bugs expose devices to hack
Facebook admitted to have stored millions of Instagram users passwords in plaintext
Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison
Ransomware attack knocks Weather Channel off the Air
Source code of tools used by OilRig APT leaked on Telegram
Avast, Avira, Sophos and other antivirus solutions show problems after
Google is going to block logins from embedded browsers against MitM phishing attacks
Hacker broke into super secure French Governments Messaging App Tchap hours after release
Marcus Hutchins pleads guilty to two counts of banking malware creation

Pierluigi Paganini

(SecurityAffairs – newsletter)



The post Security Affairs newsletter Round 210 – News of the week appeared first on Security Affairs.

60 Million records of LinkedIn users exposed online

Researcher discovered eight unsecured databases exposed online that contained approximately 60 million records of LinkedIn user data.

Researcher Sanyam Jain at GDI foundation discovered eight unsecured databases exposed online that contained approximately 60 million records of LinkedIn user data.

Most of the data are publicly available, the databases also include the email addresses of the users. The databases also contain internal data, such as the type of LinkedIn subscription a circumstance that suggests that the source could be a data breach.

Records include LinkedIn public profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated.

The archives contain 229 GB of data, each one containing between 25 GB and 32 GB of information. 

The researcher noticed that the huge trove of data was disappearing and reappearing online under different IP addresses every day.

Finally, the database was no more accessible likely because it was secured.

The mystery behind this discovery is that some users claim to have had
LinkedIn privacy setting configured to avoid publicly displaying some personal details.

“Included in the profile was also my email address that I used when registering my LinkedIn account. It is not known how they gained access to this information as I have always had the LinkedIn privacy setting configured to not publicly display my email address.” reads the post published by BleepingComputer.

“After reviewing the data that was sent to me, I found all of the information to be accurate.”

LinkedIn data leaked

At the time it is not clear who is the owner of the database, as of Monday, the databases were no longer accessible online.

Paul Rockwell, head of Trust & Safety at LinkedIn, told BleepingComputer that the databases do not belong to them, anyway he confirmed that the company is aware of third-party databases containing scraped LinkedIn data.

Pierluigi Paganini

(SecurityAffairs – hacking, LinkedIn)

The post 60 Million records of LinkedIn users exposed online appeared first on Security Affairs.

INPIVX hidden service, a new way to organize ransomware attacks

A new service called Inpivx represents the evolution of the ransomware-as-a-service making it very easy for wannabe crooks to develop their malware and build a management panel.

A new Tor hidden service called Inpivx evolves the concept of the ransomware-as-a-service making it very easy for crooks without technical skills to develop their own malware and build a management panel.

Operators behind the service offer for sale the source code for the ransomware and for the management dashboard. The availability of the source code allows crooks to customize their ransomware.

Watch out, Inpivx is not a RaaS and for this reason, it does not supply hosting services.

The ransomware is written in C++ and supports almost any Windows OS version, from Windows XP through Windows 10, while the dashboard is coded in PHP.

The package goes for $500, it also includes the decryption tool, operators also provide a detailed tutorial.

“If the client has no skill, we provide a tutorial based on our own ransomware dashboard each line of code has an explanation,” an Inpivx member told BleepingComputer.

The dashboard provides infection data in real time, it includes the total number of encrypted files, number of infections, the operating systems of the infected machines and their geographical distribution.

It also implements a chat that allows operators to communicate with the victims.

A specific clients section includes information on infected machines, such as the victim IDs, the operating system, the ransom price, the decryption key, and the payment status.

“Inpivx approach is highly likely to attract to the ransomware game individuals with expertise in other areas of the crime business.” wrote Ionut Ilascu from BleepingComputer. “With access to the source code, they can alter the original ransomware product and create new strains that could evolve to something new by combining code from other malware.”

Pierluigi Paganini

(SecurityAffairs – Tor, Inpivx)

The post INPIVX hidden service, a new way to organize ransomware attacks appeared first on Security Affairs.

Marcus Hutchins pleads guilty to two counts of banking malware creation

British malware researcher Marcus Hutchins has pleaded guilty to developing and sharing the banking malware between July 2014 and July 2015.

The popular British cybersecurity expert Marcus Hutchins has pleaded guilty to developing and sharing the Kronos banking malware
between July 2014 and July 2015.

Marcus Hutchins, also known as MalwareTech, made the headlines after discovering the “kill switch” that halted the outbreak of the WannaCry ransomware. In August 2017, he was arrested in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in the state of Nevada.

In August 2017, Marcus Hutchins pleaded not guilty to charges of creating and selling malware at a hearing in Milwaukee, Wisconsin.
The court decided to relax the expert bail terms, allowing him to access the Internet and continues his ordinary working activities. The only restriction on Hutchins is that the expert cannot visit the Wannacry server domain.

The decision is unusual because computer crime suspects are not allowed to stay online.

The court allowed him to live in Los Angeles, where the company that hired him is located, but he was obliged to surrender his passport and he must wear a tracking device until his trial in October.

On Friday, Hutchins accepted a plea deal and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” reads a statement published by the expert.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Marcus Hutchins would face with a maximum penalty of five years in prison a $250,000 fine and a year of probation.

According to the Federal law enforcement, the researchers told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Pierluigi Paganini

(Security Affairs – Marcus Hutchins, cybercrime)

The post Marcus Hutchins pleads guilty to two counts of banking malware creation appeared first on Security Affairs.

Avast, Avira, Sophos and other antivirus solutions show problems after

Antivirus solutions from different vendors are having malfunctions after the installation of Windows security patches released on April 9, including McAfee, Avast and Sophos.

Antivirus solutions from different vendors are showing malfunctions after the installation of Windows security patches released on April 9.

Antivirus solutions from Sophos, Avira, ArcaBit, Avast, and recently McAfee reported security issues after the installation of the fixes released by Microsoft.

Microsoft is aware of the problems reported by its users with their antivirus solutions and already included several antivirus software to the list of known issues.

Users of the affected machines are observing sudden system freezes and performance degradation.

In some cases, users of systems running Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 reported that they were able to log in, but the process takes more than ten hours.

antivirus

Experts observed that safe mode is not affected by the issues, experts suggest to run in safe mode to disable the antivirus and allow the machines to boot without problems.

“Sophos additionally reports that adding the antivirus software’s own directory to the list of excluded locations also serves as a fix, which is a little strange.” reported ArsTechnica.

“Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background.”

Update for Sophos, Avira, and ArcaBit users, have been blocked by Microsoft. McAfee is investigating the issue, while ArcaBit and Avast already released updates that address the problem.

According to experts at Avast and McAfee, the root cause of the problem is the change that Microsoft made to CSRSS (“client/server runtime subsystem”) component that manages Win32 applications. The experts believe that antivirus solutions are blocked while attempting to access some resource.

At the time it was difficult to understand what has happened and if the problem could definitively be solved by applying antivirus updates of fixes of the operating system.

Pierluigi Paganini

(SecurityAffairs – hacking, antivirus)

The post Avast, Avira, Sophos and other antivirus solutions show problems after appeared first on Security Affairs.

Google is going to block logins from embedded browsers against MitM phishing attacks

Google this week announced that it is going to block login attempts from embedded browser frameworks to prevent man-in-the-middle (MiTM) phishing attacks.

Phishing attacks carried out by injecting malicious content in legitimate traffic are difficult to detect when attackers use an embedded browser framework or any other automated tool for authentication.

For example, the embedded browser framework Google offers Chromium Embedded Framework (CEF) that allows embedding Chromium-based browsers in other applications.

Google announced that starting from June, it will block sign-ins from these frameworks.

“However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in.” reads a blog post published by Google. “Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.”

Google security MiTM

Google suggests developers currently using CEF for authentication to switch to the browser-based OAuth authentication.

The browser-based OAuth authentication also allows users to see the full URL of the page where they are entering their credentials, this could help them to avoid phishing websites mimicking legit ones.

“The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” continues Google.

“If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.”

Pierluigi Paganini

(SecurityAffairs – hacking, MiTM phishing attack)

The post Google is going to block logins from embedded browsers against MitM phishing attacks appeared first on Security Affairs.

Hacker broke into super secure French Government’s Messaging App Tchap hours after release

A white hat hacker discovered how to break Tchap, a new secure messaging app launched by the French government for officials and politicians.

The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap, a new secure messaging app launched by the French government for encrypted communications between officials and politicians.
The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), as a project controlled by France’s National Cybersecurity Agency (ANSSI).

It aims at replacing popular instant messaging services like Telegram and WhatsApp for government people.

The Tchap was launched on April 18 and is available on the official iOS and Android app stores, but only French government employees (using
@gouv.fr or @elysee.fr email accounts) can sign-up for an account.

The key point Tchap is that encrypted communications flow through internal servers to prevent cyber attacks carried out by foreign nation-state actors.

Anyway, the French government published Tchap’s source code on GitHub, it is based on Riot, a well-known open-source instant messaging client-server package.

News of the day is that Robert Baptiste found a security bug that could allow anyone to sign up an account with the Tchap app and access groups and channels without using an official government email account.

The expert made a dynamic analysis of the mobile app and discovered it implements certificate pinning in the authentication process. Even if he disables it with Frida, during the registration process, the app requests a token.

tchap

The expert noticed that depending on the email address provided by the user, the app will refer the “correct” id_server. The list of available servers is defined in the AndroidManifest.xml.

“I set id_server to matrix.agent.elysee.tchap.gouv.fr. For info, Elysée is the French presidential palace. As I choose this server I guessed I should have an @elysee.fr email address. So, in the requestToken request, I modified email to fs0c131y@protonmail.com@elysee.fr. Hum, no validation email in my inbox… Wait, maybe it is waiting a known @elysee.fr email address. So I did a Google search “email @elysee.fr”” wrote the expert in a blog post.

“So I did another try and in the requestToken request and I modified email to fs0c131y@protonmail.com@presidence@elysee.fr. Bingo! I received an email from Tchap, I was able to validate my account! “

The expert demonstrated how to create an account with the service using a regular email ID by exploiting a potential email validation vulnerability in the Android version of the Tchap app.

After he logged as an Elysée employee, he was able to access to the public rooms.

tchap app

Robert reported the issue the Matrix team who developed the Riot client, and it quickly fixed the bug and released a patch. The released patch was specific only to the application developed by French intelligence.

Just for curiosity, last week Matrix.org warned users of a security breach, a hacker gained unauthorized access to the production databases, including unencrypted message data, access tokens, and also password hashes.

According to Matrix.org, the attacker has exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the systems of the organization. Homeservers, source code and packages, identity servers, and Modular.im servers were not impacted.

Pierluigi Paganini

(SecurityAffairs – hacking, Tchap app)

The post Hacker broke into super secure French Government’s Messaging App Tchap hours after release appeared first on Security Affairs.

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware

Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.

Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a lengthy investigation into activities tied to his various online personas over the years.

As I wrote in summary of that story, the clues suggested “Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.” Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.

In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security.

“I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins pleaded guilty to two of the 10 counts for which he was originally accused, including conspiracy charges and violating U.S.C. Title 18, Section 2512, which involves the manufacture, distribution, possession and advertising of devices for intercepting online communications.

Creating malware is a form of protected speech in the United States, but selling it and disseminating it is another matter. University of Southern California law professor Orin Kerr‘s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue.

According to a copy of Hutchins’ plea agreement, both charges each carry a maximum of up to five years in prison, up to a $250,000 fine, and up to one year of supervised release. However, those charges are likely to be substantially tempered by federal sentencing guidelines, and may take into account time already served in detention. It remains unclear when he will be sentenced.

The plea agreement is here (PDF). “Attachment A” beginning on page 15 outlines the government’s case against Hutchins and an alleged co-conspirator. The government says between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.

Despite what many readers here have alleged, I hold no ill will against Hutchins. He and I spoke briefly in a friendly exchange after a chance encounter at last year’s DEF CON security conference in Las Vegas, and I said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.

Yours Truly shaking hands with Marcus Hutchins in Las Vegas, August 2018.

Facebook admitted to have stored millions of Instagram users’ passwords in plaintext

Other problems for Facebook that admitted to have stored millions of Instagram users’ passwords in plaintext

Yesterday, Facebook made the headlines once again for alleged violations of the privacy of its users, the company admitted to have ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission

In March, Facebook admitted to have stored the passwords of hundreds of millions of users in plain text, including “tens of thousands” passwords belonging to Instagram users as well.

Unfortunately the issue was bigger than initially reported, the company updated the initial press release confirming that millions of Instagram users were affected by the problem.

The disconcerting discovery was made in January by Facebook IT staff as part of a routine security review. The passwords were stored in plain text on internal data storage systems, this means that they were accessible only by employees.

Facebook quickly fixed the issue and notified the affected users.

Now Facebook confirmed to have discovered “additional logs of Instagram passwords” stored in a readable format. The social network giant pointed out that the passwords were never “abused or improperly accessed” by any of its employees.

Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).” reads the updated statement.

instagram

Summarizing, millions of Instagram users had their account passwords stored in plain text and searchable by thousands of Facebook employees.

Let me suggest to change your password using strong ones and enable the
two-factor authentication.

Pierluigi Paganini

(SecurityAffairs – Instagram, privacy)

The post Facebook admitted to have stored millions of Instagram users’ passwords in plaintext appeared first on Security Affairs.